IP Reputation category values
As flows are ingested into the system, lookups are done on both the source IP and the destination IP, so that their reputation is determined at the time the flow happened.
Every flow record contains an array of categories for both the source and the destination IP that represents what is known about that IP, if anything. An empty array simply means that no information was found about that particular IP (not that it was "good").
IP Reputation Categories

| Category | Flow key value (`srciprep.categories == ...`) | Description |
|---|---|---|
| BotNets | `botnets` | Botnet C&C channels and infected zombie machines controlled by a bot master. |
| Denial of Service | `dos` | DoS, DDoS, anomalous SYN flood and anomalous traffic detection. |
| Mobile Threats | `mobilethreats` | IP addresses used by malicious mobile apps. |
| Phishing | `phishing` | IP addresses hosting phishing sites, and other kinds of fraud activity such as ad click fraud or gaming fraud. |
| Proxy | `proxy` | IP addresses providing proxy and anonymization services. |
| IP Reputation | `reputation` | IP addresses currently known to be infected with malware; access from them should be denied. |
| Scanners | `scanners` | All reconnaissance activity, such as probes, host scans, domain scans and password brute forcing. |
| Spam Sources | `spamsources` | Tunneling spam messages through proxies, anomalous SMTP activity and forum spam activity. |
| TOR Proxy | `torproxy` | Tor anonymizer IP addresses. |
| Web Attacks | `webattacks` | Cross-site scripting, iFrame injection, SQL injection, cross-domain injection and domain password brute forcing. |
| Windows Exploits | `windowsexploits` | Active IP addresses offering or distributing malware, shell code, rootkits, worms or viruses. |
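An added example (not the product's own code) of triaging ingested flow records by the category arrays described above, keeping the "no information" case apart from a flagged one. It assumes records are dicts keyed by `srciprep.categories` (documented here) and `dstiprep.categories` (an assumed name for the destination side), and the severity grouping is a local choice for the example.

```python
from collections import Counter

# Category tokens exactly as documented on this page.
KNOWN_CATEGORIES = frozenset({
    "botnets", "dos", "mobilethreats", "phishing", "proxy", "reputation",
    "scanners", "spamsources", "torproxy", "webattacks", "windowsexploits",
})
# Local severity grouping: an assumption for this example, not part of the product.
HIGH_SEVERITY = frozenset({"botnets", "windowsexploits", "webattacks", "phishing"})
SRC_KEY = "srciprep.categories"   # documented on this page
DST_KEY = "dstiprep.categories"   # assumed name for the destination-side array

def categories(flow: dict, key: str) -> set:
    """Category set for one side of the flow; rejects undocumented tokens."""
    cats = flow.get(key) or []
    unknown = set(cats) - KNOWN_CATEGORIES
    if unknown:
        raise ValueError(f"undocumented category token(s): {sorted(unknown)}")
    return set(cats)

def matches(flow: dict, category: str, key: str = SRC_KEY) -> bool:
    """Local equivalent of the NQL filter `srciprep.categories == <category>`."""
    return category in categories(flow, key)

def triage(flow: dict) -> dict:
    """Classify a flow. Empty arrays on both sides mean 'no information'
    about either IP, which must not be reported as 'clean'."""
    src, dst = categories(flow, SRC_KEY), categories(flow, DST_KEY)
    if not src and not dst:
        return {"verdict": "unknown", "severity": None, "reasons": []}
    reasons = sorted(f"src:{c}" for c in src) + sorted(f"dst:{c}" for c in dst)
    severity = "high" if (src | dst) & HIGH_SEVERITY else "low"
    return {"verdict": "flagged", "severity": severity, "reasons": reasons}

def summarize(flows: list) -> Counter:
    """Count verdicts over a batch, keeping 'unknown' apart from 'flagged'."""
    return Counter(triage(f)["verdict"] for f in flows)

# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    {"srcip": "203.0.113.10", "dstip": "198.51.100.5", SRC_KEY: ["botnets"], DST_KEY: []},
    {"srcip": "203.0.113.11", "dstip": "198.51.100.6", SRC_KEY: [], DST_KEY: ["torproxy", "proxy"]},
    {"srcip": "203.0.113.12", "dstip": "198.51.100.7", SRC_KEY: [], DST_KEY: []},
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow["srcip"], "->", flow["dstip"], triage(flow))
    print(summarize(SAMPLE_FLOWS))
```

Because the lookup happens at ingestion time, the stored arrays reflect the reputation when the flow occurred; re-checking an IP later may give a different answer.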