Updated on 2025-08-12 GMT+08:00

Preset Types

This section describes alert, incident, threat indicator, and vulnerability types preset in SecMaster.

Preset Alert Types

Table 1 Preset alert types

| Type Name | Sub Type | Sub Type Tag | Description |
| --- | --- | --- | --- |
| DDoS attack | DNS protocol attacks | Tcp Dns | DNS protocol attacks |
| DDoS attack | Unusual ports | Unusual Network Port | Unusual ports |
| DDoS attack | Abnormal protocol attacks | Unusual Protocol | Abnormal protocol attacks |
| DDoS attack | ACK Flood | ACK Flood | ACK Flood |
| DDoS attack | BGP flood | BGP Flood Attack | BGP flood |
| DDoS attack | DNS IP TTL | DNS IP TTL Check Fail | DNS IP TTL |
| DDoS attack | DNS reply flood | DNS Reply Flood | DNS reply flood |
| DDoS attack | DNS query flood | DNS Query Flood | DNS query flood |
| DDoS attack | Abnormal DNS size | DNS Size Abnormal | Abnormal DNS size |
| DDoS attack | DNS reflection | DNS Reflection | DNS reflection |
| DDoS attack | Abnormal DNS response flow | DNS Reply Domain Flow Abnormal | Abnormal DNS response flow |
| DDoS attack | Invalid DNS format | DNS Format Error | Invalid DNS format |
| DDoS attack | DNS cache matching | DNS Cache Match | DNS cache matching |
| DDoS attack | DNS cache poisoning | DNS Cache Poisoning | DNS cache poisoning |
| DDoS attack | Abnormal DNS request flow | DNS Request Domain Flow Abnormal | Abnormal DNS request flow |
| DDoS attack | DNS domain name errors | DNS No Such Name | DNS domain name errors |
| DDoS attack | FIN/RST Flood | FIN/RST Flood | FIN/RST Flood |
| DDoS attack | HTTPS Flood | HTTPS Flood | HTTPS Flood |
| DDoS attack | HTTP slow attacks | HTTP Slow Attack | HTTP slow attacks |
| DDoS attack | ICMP blocking | ICMP Protocol Block | ICMP blocking |
| DDoS attack | IP reputation | IP Reputation | IP reputation |
| DDoS attack | SIP Flood | SIP Flood | SIP Flood |
| DDoS attack | Abnormal SIP source rate | SIP Source Rate Abnormity | Abnormal SIP source rate |
| DDoS attack | SYN Flood | SYN Flood | SYN Flood |
| DDoS attack | SYN-ACK Flood | SYN-ACK Flood | SYN-ACK Flood |
| DDoS attack | TCP bandwidth overflow | TCP Bandwidth Overflow | TCP bandwidth overflow |
| DDoS attack | TCP multi-connection attacks | TCP Connection Flood | TCP multi-connection attacks |
| DDoS attack | TCP fragment bandwidth overflow | TCP Fragment Bandwidth Overflow | TCP fragment bandwidth overflow |
| DDoS attack | TCP fragment attacks | TCP Fragment Flood | TCP fragment attacks |
| DDoS attack | Malformed TCP packets | TCP Malformed | Malformed TCP packets |
| DDoS attack | TCP/UDP attacks | TCP-authenticated UDP Attack | TCP/UDP attacks |
| DDoS attack | TCP blocking | TCP Protocol Block | TCP blocking |
| DDoS attack | UDP bandwidth overflow | UDP Bandwidth Overflow | UDP bandwidth overflow |
| DDoS attack | UDP fragments | UDP Fragment Flood | UDP fragments |
| DDoS attack | UDP fragment bandwidth overflow | UDP Fragment Bandwidth Overflow | UDP fragment bandwidth overflow |
| DDoS attack | Malformed UDP packets | UDP Malformed | Malformed UDP packets |
| DDoS attack | UDP blocking | UDP Protocol Block | UDP blocking |
| DDoS attack | URI monitoring | URI Monitor | URI monitoring |
| DDoS attack | Dark web IP addresses | Dark IP | Dark web IP addresses |
| DDoS attack | Single EIP bandwidth overflow | Single IP Bandwidth Overflow | Single EIP bandwidth overflow |
| DDoS attack | Current connection flood attacks | Concurrent Connections Flood | Current connection flood attacks |
| DDoS attack | Port scan attacks | Port Scanning Attack | Port scan attacks |
| DDoS attack | Malicious domain name attacks | Malicious Domains Attack | Malicious domain name attacks |
| DDoS attack | Anti-malware | Anti-Malware | Anti-malware |
| DDoS attack | DDoS attacks | DDOS | DDoS attacks |
| DDoS attack | Partition bandwidth overflow | Zone Bandwidth Overflow | Partition bandwidth overflow |
| DDoS attack | Filter attacks | Filter Attack | Filter attacks |
| DDoS attack | Blacklist | Blacklist | Blacklist |
| DDoS attack | Botnets/Trojans/Worms | Botnets/Trojan horses/Worms Attack | Botnets/Trojans/Worms |
| DDoS attack | Destination IP new session rate limiting | Destination IP new session rate limiting | Destination IP new session rate limiting |
| DDoS attack | Other flood attacks | Other Flood | Other flood attacks |
| DDoS attack | Other bandwidth overflow | Other Bandwidth Overflow | Other bandwidth overflow |
| DDoS attack | Other global exceptions | Global Other Abnormal | Other global exceptions |
| DDoS attack | Other protocol blocking | Other Protocol Block | Other protocol blocking |
| DDoS attack | Global ICMP exception | Global ICMP Abnormal | Global ICMP exception |
| DDoS attack | Abnormal global TCP fragments | Global TCP Fragment Abnormal | Abnormal global TCP fragments |
| DDoS attack | Global TCP exception | Global TCP Abnormal | Global TCP exception |
| DDoS attack | Abnormal global UDP fragments | Global UDP Fragment Abnormal | Abnormal global UDP fragments |
| DDoS attack | Global UDP exception | Global UDP Abnormal | Global UDP exception |
| DDoS attack | Web attacks | Web Attack | Web attacks |
| DDoS attack | Geolocation attacks | Location Attack | Geolocation attacks |
| DDoS attack | Connection flood attack | New Connections Flood | Connection flood attack |
| DDoS attack | Domain hijacking | Domain Hijacking | Domain hijacking |
| DDoS attack | Abnormal source DNS response traffic | Source DNS Reply Flow Abnormal | Abnormal source DNS response traffic |
| DDoS attack | Abnormal source DNS request traffic | Source DNS Request Flow Abnormal | Abnormal source DNS request traffic |
| DDoS attack | Host traffic overflow | Host Traffic Over Flow | Host traffic overflow |
| DDoS attack | HTTP Flood | HTTP Flood | HTTP Flood |
| DDoS attack | ICMP Flood | ICMP Flood | ICMP Flood |
| DDoS attack | SSL Flood | SSL Flood | SSL Flood |
| DDoS attack | TCP Flood | TCP Flood | TCP Flood |
| DDoS attack | UDP Flood | UDP Flood | UDP Flood |
| DDoS attack | XML Flood | XML Flood | XML Flood |
| DDoS attack | Amplification attacks | Amplification | Amplification attacks |
| Malicious code | Hidden link | Web Page Dark Link | Hidden link |
| Malicious code | Web page Trojan | Web Page Trojan | Web page Trojan |
| Web attacks | Webshell | Webshell | Webshell |
| Web attacks | WAF robot | WAF Robot | WAF robot |
| Web attacks | IP address whitelist | White IP | IP address whitelist |
| Web attacks | Known attack source | Known Attack Source | Known attack source |
| Web attacks | IP address blacklist | Black IP | IP address blacklist |
| Web attacks | Vulnerability exploits | Vulnerability Attack | Vulnerability exploits |
| Web attacks | Data masking | Leakage | Data masking |
| Web attacks | Default | Default | Default |
| Web attacks | Scanners/Crawlers | Scanner & Crawler | Scanners/Crawlers |
| Web attacks | CC attacks | Challenge Collapsar | CC attacks |
| Web attacks | IP reputation database | IP Reputation | IP reputation database |
| Web attacks | SQL injection | SQL Injection | SQL injection |
| Web attacks | XSS | Cross-Site Scripting | XSS |
| Web attacks | Local file inclusion | Local Code Inclusion | Local file inclusion |
| Web attacks | Geolocation access control | Geo IP | Geolocation access control |
| Web attacks | Malicious crawlers | Malicious Web Crawlers | Malicious crawlers |
| Web attacks | Anti-crawler | Anticrawler | Anti-crawler |
| Web attacks | Web tampering protection | AntiTamper | Web tampering protection |
| Web attacks | Invalid requests | Illegal Access | Invalid requests |
| Web attacks | Blacklist or whitelist alarms | White or Black IP | Blacklist or whitelist alarms |
| Web attacks | Precise protection | Custom Rule | Precise protection |
| Web attacks | Command injection | Command Injection | Command injection |
| Web attacks | Path Traversal | Path Traversal | Path Traversal |
| Web attacks | Website Trojans | Website Trojan | Website Trojans |
| Web attacks | Website data leakage | Information Leakage | Website data leakage |
| Web attacks | Information leakage | Web Service Exfiltration | Information leakage |
| Web attacks | Remote code execution | Remote Code Execute | Remote code execution |
| Web attacks | Remote file inclusion | Remote Code Inclusion | Remote file inclusion |
| Malware | Encrypted currency mining | Cryptomining | Encrypted currency mining |
| Malware | Docker malicious program | Docker Malware | Docker malicious program |
| Malware | Fishing | Phishing | Fishing |
| Malware | Malicious adware | Adware | Malicious adware |
| Malware | Malware | Malicious Software | Malware |
| Malware | Hacker tool | Hacktool | Hacker tool |
| Malware | Grayware | Grayware | Grayware |
| Malware | Spyware | Spyware | Spyware |
| Malware | Spam | Spam | Spam |
| Malware | Rootkit | Rootkit | Rootkit |
| Malware | Webshell | Webshell | Webshell |
| Malware | Virus/Worm | Virus and Worm | Virus/Worm |
| Malware | Malicious file | Malicious File | Malicious file |
| Malware | Reverse shell | Reverse Shell | Reverse shell |
| Malware | Trojan | Backdoor Trojan | Trojan |
| Malware | Botnet | Botnet Program | Botnet |
| Malware | Ransomware | Ransomware | Ransomware |
| Malware | Bitcoin Miner | Bitcoin Miner | Bitcoin Miner |
| Malware | Mining software | Mining Software | Mining software |
| Risk Audit | Web-CMS Vulnerability | Webcms Vulnerability | Web-CMS Vulnerability |
| Risk Audit | Windows OS vulnerabilities | Windows Vulnerability | Windows OS vulnerabilities |
| Risk Audit | Local access vulnerability | Local Access Vulnerability | Local access vulnerability |
| Risk Audit | Incorrect configuration policy | Mis-Configured Policy | Incorrect configuration policy |
| Risk Audit | Other OS vulnerability | Other OS Vulnerability | Other OS vulnerability |
| Risk Audit | Other vulnerability | Other Vulnerability | Other vulnerability |
| Risk Audit | Application vulnerability | Application Vulnerability | Application vulnerability |
| Risk Audit | Remote access vulnerability | Remote Access Vulnerability | Remote access vulnerability |
| Risk Audit | Weak Password | Weak Password | Weak Password |
| Risk Audit | Risky system configuration | System Risk Configuration | Risky system configuration |
| Attacks | Fishing | Phishing | Fishing |
| Attacks | Network topology | Map Network Topology | Network topology |
| Attacks | Account and group information collection | Identify Groups/Roles | Account and group information collection |
| Attacks | Fingerprint scan | Fingerprinting | Fingerprint scan |
| Attacks | Host discovery | Determine IP Address | Host discovery |
| Vulnerability exploit | ActiveX vulnerability exploit | ActiveX Exploit | ActiveX vulnerability exploit |
| Vulnerability exploit | CGI attack | CGI Attack | CGI attack |
| Vulnerability exploit | DNS vulnerability exploit | DNS Exploit | DNS vulnerability exploit |
| Vulnerability exploit | FTP vulnerability exploit | FTP Exploit | FTP vulnerability exploit |
| Vulnerability exploit | Hadoop vulnerability exploit | Hadoop Vulnerability Exploit | Hadoop vulnerability exploit |
| Vulnerability exploit | Vulnerability exploit of hypervisor | Hypervisor Exploit | Vulnerability exploit of hypervisor |
| Vulnerability exploit | LDAP injection | LDAP Injection Attack | LDAP injection |
| Vulnerability exploit | MacOS vulnerability exploit | MacOS Exploit | MacOS vulnerability exploit |
| Vulnerability exploit | MySQL vulnerability exploit | MySQL Vulnerability Exploit | MySQL vulnerability exploit |
| Vulnerability exploit | Vulnerability exploit of Office software | Office Exploit | Vulnerability exploit of Office software |
| Vulnerability exploit | Redis vulnerability exploit | Redis Vulnerability Exploit | Redis vulnerability exploit |
| Vulnerability exploit | RPC vulnerability exploit | RPC Exploit | RPC vulnerability exploit |
| Vulnerability exploit | SQL injection | SQL Injection | SQL injection |
| Vulnerability exploit | SSH vulnerability exploit | SSH Exploit | SSH vulnerability exploit |
| Vulnerability exploit | SSI injection attack | SSI Injection Attack | SSI injection attack |
| Vulnerability exploit | Struts2 OGNL injection | Struts2 OGNL Injection | Struts2 OGNL injection |
| Vulnerability exploit | Telnet vulnerability exploit | TELNET Exploit | Telnet vulnerability exploit |
| Vulnerability exploit | Unix vulnerability exploit | Unix Exploit | Unix vulnerability exploit |
| Vulnerability exploit | Web vulnerability exploit | Web Exploit | Web vulnerability exploit |
| Vulnerability exploit | Cross site scripting (XSS) | Cross-Site Scripting | Cross site scripting (XSS) |
| Vulnerability exploit | Local file inclusion | Local File Inclusion | Local file inclusion |
| Vulnerability exploit | Malicious file delivery | Malicious File Delivery | Malicious file delivery |
| Vulnerability exploit | Malicious file execution | Malicious File Execution | Malicious file execution |
| Vulnerability exploit | Buffer overflow attack | Buffer Overflow | Buffer overflow attack |
| Vulnerability exploit | Session hijacking | Session Hijack | Session hijacking |
| Vulnerability exploit | Password guessing | Password Cracking | Password guessing |
| Vulnerability exploit | Browser vulnerability exploit | Browser Exploit | Browser vulnerability exploit |
| Vulnerability exploit | Weak password access | Weak Password Access | Weak password access |
| Vulnerability exploit | Database vulnerability exploit | Database Exploit | Database vulnerability exploit |
| Vulnerability exploit | Unknown vulnerability exploit | Unknown Exploit | Unknown vulnerability exploit |
| Vulnerability exploit | Hidden link access | Hide Link Access | Hidden link access |
| Vulnerability exploit | Email vulnerability exploit | Mail Exploit | Email vulnerability exploit |
| Vulnerability exploit | Remote code execution | Remote Code Execution | Remote code execution |
| Vulnerability exploit | Remote access vulnerability exploit | Remote Access Exploit | Remote access vulnerability exploit |
| Vulnerability exploit | Remote file inclusion prevention | Remote File Inclusion | Remote file inclusion prevention |
| Vulnerability exploit | Remote file injection | Remote File Injection | Remote file injection |
| Vulnerability exploit | Combined vulnerability exploit | Misc Exploit | Combined vulnerability exploit |
| Vulnerability exploit | CMS vulnerability | CMS Exploit | CMS vulnerability |
| Vulnerability exploit | CSRF attack | CSRF Attack | CSRF attack |
| Vulnerability exploit | JNDI injection | JNDI Injection Attack | JNDI injection |
| Vulnerability exploit | Linux vulnerability | Linux Exploit | Linux vulnerability |
| Vulnerability exploit | SMB vulnerability | SMB Exploit | SMB vulnerability |
| Vulnerability exploit | Windows vulnerability | Windows Exploit | Windows vulnerability |
| Vulnerability exploit | XML injection | XML Injection | XML injection |
| Vulnerability exploit | Code Injection | Code Injection | Code Injection |
| Vulnerability exploit | Vulnerability escape | Vulnerability Escape Attack | Vulnerability escape |
| Vulnerability exploit | Command execution | Command Execution | Command execution |
| Vulnerability exploit | Command injection | Command Injection | Command injection |
| Vulnerability exploit | File escape | File Escape Attack | File escape |
| Vulnerability exploit | VM escape | VM Escape Attack | VM escape |
| Vulnerability exploit | Common vulnerability exploit | General Exploit | Common vulnerability exploit |
| Command and control | Message sent from current ECS IP address to high-risk network | Command Control Activity | Message sent from current ECS IP address to high-risk network |
| Command and control | Dynamic resolution | Dynamic Resolution | Dynamic resolution |
| Command and control | Other suspicious connection | Abnormal Connection | Other suspicious connection |
| Command and control | Other suspicious behavior | Abnormal Behaviour | Other suspicious behavior |
| Command and control | Malicious DNS connection | Malicious Domain Query | Malicious DNS connection |
| Command and control | Malicious IP address connection | Malicious Ip Address Query | Malicious IP address connection |
| Command and control | Covert tunnel | Protocol Tunneling | Covert tunnel |
| Command and control | Mining pool communication | Mining Pool Communication | Mining pool communication |
| Other | Public_Opinion | Public_Opinion | Public_Opinion |
| Other | Cloud firewall attack | CFW_RISK | Cloud firewall attack |
| Data leakage | Data theft | Steal Data | Data theft |
| Data leakage | Unauthorized data transfer | Transfer Data Abnormal | Unauthorized data transfer |
| Abnormal network behavior | Abnormal access frequency of IP addresses | IP Access Frequency Abnormal | Abnormal access frequency of IP addresses |
| Abnormal network behavior | Abnormal IP address switch | IP Switch Abnormal | Abnormal IP address switch |
| Abnormal network behavior | First login from an IP address | IP First Access | First login from an IP address |
| Abnormal network behavior | Sinkhole attack IP address access | Sink Hole | Sinkhole attack IP address access |
| Abnormal network behavior | Proxy IP address access | Proxy | Proxy IP address access |
| Abnormal network behavior | Malicious resource access | Resource Permissions | Malicious resource access |
| Abnormal network behavior | Fraudulent payment website IP address/domain name access | Payment | Fraudulent payment website IP address/domain name access |
| Abnormal network behavior | Onion website IP access | Tor | Onion website IP access |
| Abnormal network behavior | C&C abnormal communication | C&C Abnormal Communication | C&C abnormal communication |
| Abnormal network behavior | Blacklisted IP address access | IP Blacklist Access | Blacklisted IP address access |
| Abnormal network behavior | URL blacklist access | URL Blacklist Access | URL blacklist access |
| Abnormal network behavior | Malicious URL access | Malicious URL Access | Malicious URL access |
| Abnormal network behavior | Malicious domain name access | Malicious Domain Name Access | Malicious domain name access |
| Abnormal network behavior | Unauthorized access attempt | Unauthorized Access Attempt | Unauthorized access attempt |
| Abnormal network behavior | Suspicious network traffic | Suspicious Network Traffic | Suspicious network traffic |
| Abnormal network behavior | Container-network external connection | Container Network Connect | Container-network external connection |
| Abnormal network behavior | Unknown network access | Unknown Abnormal Network Access | Unknown network access |
| Abnormal network behavior | File MD5 blacklist access | File MD5 Blacklist Access | File MD5 blacklist access |
| Abnormal network behavior | Abnormal external connection | Abnormal External Behavior | Abnormal external connection |
| Abnormal network behavior | Domain name blacklist access | Domain Name Blacklist Access | Domain name blacklist access |
| Abnormal network behavior | Periodic external communication | Periodic Outreach | Periodic external communication |
| Abnormal network behavior | Suspicious port forwarding | Suspicious Port Forward | Suspicious port forwarding |
| Fileless attacks | VDSO hijacking | VDSO Hijacking | VDSO hijacking |
| Fileless attacks | Dynamic library injection | Dynamic Library Inject Process | Dynamic library injection |
| Fileless attacks | Key configuration change | Critical File Change | Key configuration change |
| Fileless attacks | Environment variable change | Environment Change | Environment variable change |
| Fileless attacks | Process injection | Process Inject | Process injection |
| Fileless attacks | Memory file process | Memfd Process | Memory file process |
| Fileless attacks | File manipulation | File Manipulation | File manipulation |
| Abnormal system behavior | Suspicious crontab task | Crontab Suspicious Task | Suspicious crontab task |
| Abnormal system behavior | Socket connection error | Abnormal Socket Connection | Socket connection error |
| Abnormal system behavior | Backup deletion | Backup Deletion | Backup deletion |
| Abnormal system behavior | Unauthorized database access | Unauthorized Database Access | Unauthorized database access |
| Abnormal system behavior | Abnormal permission access | Privilege Abnormal Access | Abnormal permission access |
| Abnormal system behavior | Abnormal log change | Unexpected Log Change | Abnormal log change |
| Abnormal system behavior | Exit the container process | Container Process Exist | Exit the container process |
| Abnormal system behavior | Abnormal behavior of unknown server | Unknown Host Abnormal Activity | Abnormal behavior of unknown server |
| Abnormal system behavior | File blacklist access | File blocklist access | File blacklist access |
| Abnormal system behavior | Abnormal change of file permission | Unexpected File Permission Change | Abnormal change of file permission |
| Abnormal system behavior | System protection disabled | System Security Protection disabled | System protection disabled |
| Abnormal system behavior | System account change | System Account Change | System account change |
| Abnormal system behavior | Suspicious registry operation | Abnormal Registry Operation | Suspicious registry operation |
| Abnormal system behavior | Crontab script privilege escalation | Crontab Script Privilege Escalation | Crontab script privilege escalation |
| Abnormal system behavior | Crontab script modification | Crontab Script Change | Crontab script modification |
| Abnormal system behavior | High-risk command execution | High-risk Command Execution | High-risk command execution |
| Abnormal system behavior | High-risk system call | High-Risk Syscall | High-risk system call |
| Abnormal system behavior | Important file/directory change | File/Directory Change | Important file/directory change |
| Abnormal system behavior | Critical file change | Key File Change | Critical file change |
| Abnormal system behavior | Process privilege escalation | Process Privilege Escalation | Process privilege escalation |
| Abnormal system behavior | Abnormal process behavior | Process Abnormal Activity | Abnormal process behavior |
| Abnormal system behavior | Sensitive file access | Sensitive File Access | Sensitive file access |
| Abnormal system behavior | Abnormal container process | Container Abnormal Process | Abnormal container process |
| Abnormal system behavior | Abnormal container startup | Container Abnormal Start | Abnormal container startup |
| Abnormal system behavior | Abnormal database connection | Abnormal Database Connection | Abnormal database connection |
| Abnormal system behavior | NIC in promiscuous mode | Network Adapter Promiscuous Mode | NIC in promiscuous mode |
| Abnormal system behavior | File privilege escalation | File Privilege Escalation | File privilege escalation |
| Abnormal system behavior | Abnormal file deletion | File Abnormal Delete | Abnormal file deletion |
| Abnormal system behavior | System startup script modification | System Start Script Change | System startup script modification |
| Abnormal system behavior | Abnormal shell | Abnormal Shell | Abnormal shell |
| Abnormal system behavior | Abnormal command execution | Abnormal Command Execution | Abnormal command execution |
| Data damage | Information tampering | Information Tampering | Information tampering |
| Data damage | Information loss | Information Loss | Information loss |
| Data damage | Information counterfeiting | Information Masquerading | Information counterfeiting |
| Data damage | Information theft | Information Interception | Information theft |
| Data damage | Information leakage | Information Disclosure | Information leakage |
| Data damage | Linux web tampering | Linux Web Page Tampering | Linux web tampering |
| Data damage | Windows web tampering | Windows Web Page Tampering | Windows web tampering |
| Data damage | Path Traversal | Directory Traversal | Path Traversal |
| Abnormal user behavior | Malicious use of token | Token Leakage | Malicious use of token |
| Abnormal user behavior | Malicious token exploit success | Token Leakage Success | Malicious token exploit success |
| Abnormal user behavior | First login by an abnormal user | User First Cross Domain Access | First login by an abnormal user |
| Abnormal user behavior | Abnormal user access frequency | User Access Frequency Abnormal | Abnormal user access frequency |
| Abnormal user behavior | Abnormal time segment | User Hour Level Access Abnormal | Abnormal time segment |
| Abnormal user behavior | Abnormal user download behavior through a specific IP address | User IP Download Abnormal | Abnormal user download behavior through a specific IP address |
| Abnormal user behavior | First access to an object | Client First Access | First access to an object |
| Abnormal user behavior | Abnormal user download behavior | User Download Abnormal | Abnormal user download behavior |
| Abnormal user behavior | Brute-force attack | Brute Force Cracking | Brute-force attack |
| Abnormal user behavior | Illegal login | Illegal Login | Illegal login |
| Abnormal user behavior | Abnormal behavior of unknown users | Unknown User Abnormal Activity | Abnormal behavior of unknown users |
| Abnormal user behavior | Abnormal login | Abnormal Login | Abnormal login |
| Abnormal user behavior | Login attempt | User Login Attempt | Login attempt |
| Abnormal user behavior | Password theft | User Password Theft | Password theft |
| Abnormal user behavior | Successful user privilege escalation | User Privilege Escalation Succeeded | Successful user privilege escalation |
| Abnormal user behavior | Failed to elevate user rights | User Privilege Escalation Failed | Failed to elevate user rights |
| Abnormal user behavior | First login | User First login | First login |
| Abnormal user behavior | Account deletion | User Account Removed | Account deletion |
| Abnormal user behavior | Account creation | User Account Added | Account creation |
| Abnormal user behavior | User group change | User Group Changed | User group change |
| Abnormal user behavior | User group deletion | User Group Removed | User group deletion |
| Abnormal user behavior | User group addition | User Group Added | User group addition |
| Abnormal user behavior | Account spoofing | Account Forgery | Account spoofing |
| Abnormal user behavior | Suspicious ECS account creation | Suspicious Ecs User Create | Suspicious ECS account creation |
| Abnormal user behavior | ECS account permission escalation | ECS User Escalate Privilege | ECS account permission escalation |
| Abnormal user behavior | Suspicious IAM account creation | Suspicious IAM Account Create | Suspicious IAM account creation |
| Abnormal user behavior | IAM permission escalation | IAM Permissions Escalation | IAM permission escalation |
| Abnormal user behavior | ECS login through brute-force attack | ECS BruteForce Login | ECS login through brute-force attack |
| Abnormal user behavior | IAM login through brute-force attack | IAM BruteForce Login | IAM login through brute-force attack |
| Abnormal user behavior | Invalid account | Invalid System Account | Invalid account |
| Abnormal user behavior | Unsafe account | Risky Account | Unsafe account |
| Abnormal user behavior | ECS login from suspicious IP address | Suspicious IP Address Login | ECS login from suspicious IP address |
| Abnormal user behavior | Suspicious IP address login to IAM | Suspicious IP Address Login | Suspicious IP address login to IAM |
| Abnormal user behavior | Abnormal login to IAM | IAM Abnormal Login | Abnormal login to IAM |
| Abnormal user behavior | Remote login to ECS | Instance Credential Exfiltration | Remote login to ECS |
| Abnormal user behavior | User login success | User Login Success | User login success |
| Abnormal user behavior | User login denial | User Login Denied | User login denial |
| Abnormal user behavior | User account change | User Account Changed | User account change |
| Resource manipulation | Malicious logic insertion | Malicious Logic Insertion | Malicious logic insertion |
| Resource manipulation | Infrastructure manipulation | Infrastructure Manipulation | Infrastructure manipulation |
| Resource manipulation | Configuration/environment manipulation | Configuration/Environment Manipulation | Configuration/environment manipulation |
| Resource manipulation | Container escape | Container Escape | Container escape |
| Resource manipulation | Container resource manipulation | Container Resource Manipulation | Container resource manipulation |
| Resource manipulation | Software integrity | Software Integrity Attack | Software integrity |
| Resource scanning | Abnormal number of detected ports | Port Detection | Abnormal number of detected ports |
| Resource scanning | ARP scan | ARP Scan | ARP scan |
| Resource scanning | DNS test | DNS Recon | DNS test |
| Resource scanning | Hypervisor detection | Hypervisor Recon | Hypervisor detection |
| Resource scanning | ICMP detection | ICMP Recon | ICMP detection |
| Resource scanning | Linux detection | Linux Recon | Linux detection |
| Resource scanning | MacOS detection | MacOS Recon | MacOS detection |
| Resource scanning | Nmap scan | NMAP Scan | Nmap scan |
| Resource scanning | RPC request detection | RPC Recon | RPC request detection |
| Resource scanning | SNMP scan | SNMP Recon | SNMP scan |
| Resource scanning | TCP scan | TCP Recon | TCP scan |
| Resource scanning | UDP scan | UDP Recon | UDP scan |
| Resource scanning | Unix detection | Unix Recon | Unix detection |
| Resource scanning | Web detection | Web Recon | Web detection |
| Resource scanning | Windows probing | Windows Recon | Windows probing |
| Resource scanning | Encrypted penetration scan | Encrypted Penetration Scan | Encrypted penetration scan |
| Resource scanning | Common scan event | General Scanner | Common scan event |
| Resource scanning | Database detection | Database Recon | Database detection |
| Resource scanning | Mail detection | Mail Recon | Mail detection |
| Resource scanning | Server scan | Host Scan | Server scan |
| Resource scanning | Combined detection | Misc Recon | Combined detection |
| Resource scanning | Port scan | Port Scan | Port scan |


Preset Incident Types

Table 2 Preset incident types

| Type Name | Sub Type | Sub Type Tag | Description |
| --- | --- | --- | --- |
| DDoS attack | DNS protocol attacks | Tcp Dns | DNS protocol attacks |
| DDoS attack | Unusual ports | Unusual Network Port | Unusual ports |
| DDoS attack | Abnormal protocol attacks | Unusual Protocol | Abnormal protocol attacks |
| DDoS attack | ACK Flood | ACK Flood | ACK Flood |
| DDoS attack | BGP flood | BGP Flood Attack | BGP flood |
| DDoS attack | DNS IP TTL | DNS IP TTL Check Fail | DNS IP TTL |
| DDoS attack | DNS reply flood | DNS Reply Flood | DNS reply flood |
| DDoS attack | DNS query flood | DNS Query Flood | DNS query flood |
| DDoS attack | Abnormal DNS size | DNS Size Abnormal | Abnormal DNS size |
| DDoS attack | DNS reflection | DNS Reflection | DNS reflection |
| DDoS attack | Abnormal DNS response flow | DNS Reply Domain Flow Abnormal | Abnormal DNS response flow |
| DDoS attack | Invalid DNS format | DNS Format Error | Invalid DNS format |
| DDoS attack | DNS cache matching | DNS Cache Match | DNS cache matching |
| DDoS attack | DNS cache poisoning | DNS Cache Poisoning | DNS cache poisoning |
| DDoS attack | Abnormal DNS request flow | DNS Request Domain Flow Abnormal | Abnormal DNS request flow |
| DDoS attack | DNS domain name errors | DNS No Such Name | DNS domain name errors |
| DDoS attack | FIN/RST Flood | FIN/RST Flood | FIN/RST Flood |
| DDoS attack | HTTPS Flood | HTTPS Flood | HTTPS Flood |
| DDoS attack | HTTP slow attacks | HTTP Slow Attack | HTTP slow attacks |
| DDoS attack | ICMP blocking | ICMP Protocol Block | ICMP blocking |
| DDoS attack | IP reputation | IP Reputation | IP reputation |
| DDoS attack | SIP Flood | SIP Flood | SIP Flood |
| DDoS attack | Abnormal SIP source rate | SIP Source Rate Abnormity | Abnormal SIP source rate |
| DDoS attack | SYN Flood | SYN Flood | SYN Flood |
| DDoS attack | SYN-ACK Flood | SYN-ACK Flood | SYN-ACK Flood |
| DDoS attack | TCP bandwidth overflow | TCP Bandwidth Overflow | TCP bandwidth overflow |
| DDoS attack | TCP multi-connection attacks | TCP Connection Flood | TCP multi-connection attacks |
| DDoS attack | TCP fragment bandwidth overflow | TCP Fragment Bandwidth Overflow | TCP fragment bandwidth overflow |
| DDoS attack | TCP fragment attacks | TCP Fragment Flood | TCP fragment attacks |
| DDoS attack | Malformed TCP packets | TCP Malformed | Malformed TCP packets |
| DDoS attack | TCP/UDP attacks | TCP-authenticated UDP Attack | TCP/UDP attacks |
| DDoS attack | TCP blocking | TCP Protocol Block | TCP blocking |
| DDoS attack | UDP bandwidth overflow | UDP Bandwidth Overflow | UDP bandwidth overflow |
| DDoS attack | UDP fragments | UDP Fragment Flood | UDP fragments |
| DDoS attack | UDP fragment bandwidth overflow | UDP Fragment Bandwidth Overflow | UDP fragment bandwidth overflow |
| DDoS attack | Malformed UDP packets | UDP Malformed | Malformed UDP packets |
| DDoS attack | UDP blocking | UDP Protocol Block | UDP blocking |
| DDoS attack | URI monitoring | URI Monitor | URI monitoring |
| DDoS attack | Dark web IP addresses | Dark IP | Dark web IP addresses |
| DDoS attack | Single EIP bandwidth overflow | Single IP Bandwidth Overflow | Single EIP bandwidth overflow |
| DDoS attack | Current connection flood attacks | Concurrent Connections Flood | Current connection flood attacks |
| DDoS attack | Port scan attacks | Port Scanning Attack | Port scan attacks |
| DDoS attack | Malicious domain name attacks | Malicious Domains Attack | Malicious domain name attacks |
| DDoS attack | Anti-malware | Anti-Malware | Anti-malware |
| DDoS attack | DDoS attacks | DDOS | DDoS attacks |
| DDoS attack | Partition bandwidth overflow | Zone Bandwidth Overflow | Partition bandwidth overflow |
| DDoS attack | Filter attacks | Filter Attack | Filter attacks |
| DDoS attack | Blacklist | Blacklist | Blacklist |
| DDoS attack | Botnets/Trojans/Worms | Botnets/Trojan horses/Worms Attack | Botnets/Trojans/Worms |
| DDoS attack | Destination IP new session rate limiting | Destination IP new session rate limiting | Destination IP new session rate limiting |
| DDoS attack | Other flood attacks | Other Flood | Other flood attacks |
| DDoS attack | Other bandwidth overflow | Other Bandwidth Overflow | Other bandwidth overflow |
| DDoS attack | Other global exceptions | Global Other Abnormal | Other global exceptions |
| DDoS attack | Other protocol blocking | Other Protocol Block | Other protocol blocking |
| DDoS attack | Global ICMP exception | Global ICMP Abnormal | Global ICMP exception |
| DDoS attack | Abnormal global TCP fragments | Global TCP Fragment Abnormal | Abnormal global TCP fragments |
| DDoS attack | Global TCP exception | Global TCP Abnormal | Global TCP exception |
| DDoS attack | Abnormal global UDP fragments | Global UDP Fragment Abnormal | Abnormal global UDP fragments |
| DDoS attack | Global UDP exception | Global UDP Abnormal | Global UDP exception |
| DDoS attack | Web attacks | Web Attack | Web attacks |
| DDoS attack | Geolocation attacks | Location Attack | Geolocation attacks |
| DDoS attack | Connection flood attack | New Connections Flood | Connection flood attack |
| DDoS attack | Domain hijacking | Domain Hijacking | Domain hijacking |
| DDoS attack | Abnormal source DNS response traffic | Source DNS Reply Flow Abnormal | Abnormal source DNS response traffic |
| DDoS attack | Abnormal source DNS request traffic | Source DNS Request Flow Abnormal | Abnormal source DNS request traffic |
| DDoS attack | Host traffic overflow | Host Traffic Over Flow | Host traffic overflow |
| DDoS attack | HTTP Flood | HTTP Flood | HTTP Flood |
| DDoS attack | ICMP Flood | ICMP Flood | ICMP Flood |
| DDoS attack | SSL Flood | SSL Flood | SSL Flood |
| DDoS attack | TCP Flood | TCP Flood | TCP Flood |
| DDoS attack | UDP Flood | UDP Flood | UDP Flood |
| DDoS attack | XML Flood | XML Flood | XML Flood |
| DDoS attack | Amplification attacks | Amplification | Amplification attacks |
| Malicious code | Hidden link | Web Page Dark Link | Hidden link |
| Malicious code | Web page Trojan | Web Page Trojan | Web page Trojan |
| Web attacks | Webshell | Webshell | Webshell |
| Web attacks | WAF robot | WAF Robot | WAF robot |
| Web attacks | IP address whitelist | White IP | IP address whitelist |
| Web attacks | Known attack source | Known Attack Source | Known attack source |
| Web attacks | IP address blacklist | Black IP | IP address blacklist |
| Web attacks | Vulnerability exploits | Vulnerability Attack | Vulnerability exploits |
| Web attacks | Data masking | Leakage | Data masking |
| Web attacks | Default | Default | Default |
| Web attacks | Scanners/Crawlers | Scanner & Crawler | Scanners/Crawlers |
| Web attacks | CC attacks | Challenge Collapsar | CC attacks |
| Web attacks | IP reputation database | IP Reputation | IP reputation database |
| Web attacks | SQL injection | SQL Injection | SQL injection |
| Web attacks | XSS | Cross-Site Scripting | XSS |
| Web attacks | Local file inclusion | Local Code Inclusion | Local file inclusion |
| Web attacks | Geolocation access control | Geo IP | Geolocation access control |
| Web attacks | Malicious crawlers | Malicious Web Crawlers | Malicious crawlers |
| Web attacks | Anti-crawler | Anticrawler | Anti-crawler |
| Web attacks | Web tampering protection | AntiTamper | Web tampering protection |
| Web attacks | Invalid requests | Illegal Access | Invalid requests |
| Web attacks | Blacklist or whitelist alarms | White or Black IP | Blacklist or whitelist alarms |
| Web attacks | Precise protection | Custom Rule | Precise protection |
| Web attacks | Command injection | Command Injection | Command injection |
| Web attacks | Path Traversal | Path Traversal | Path Traversal |
| Web attacks | Website Trojans | Website Trojan | Website Trojans |
| Web attacks | Website data leakage | Information Leakage | Website data leakage |
| Web attacks | Information leakage | Web Service Exfiltration | Information leakage |
| Web attacks | Remote code execution | Remote Code Execute | Remote code execution |
| Web attacks | Remote file inclusion | Remote Code Inclusion | Remote file inclusion |
| Malware | Encrypted currency mining | Cryptomining | Encrypted currency mining |
| Malware | Docker malicious program | Docker Malware | Docker malicious program |
| Malware | Fishing | Phishing | Fishing |
| Malware | Malicious adware | Adware | Malicious adware |
| Malware | Malware | Malicious Software | Malware |
| Malware | Hacker tool | Hacktool | Hacker tool |
| Malware | Grayware | Grayware | Grayware |
| Malware | Spyware | Spyware | Spyware |
| Malware | Spam | Spam | Spam |
| Malware | Rootkit | Rootkit | Rootkit |
| Malware | Webshell | Webshell | Webshell |
| Malware | Virus/Worm | Virus and Worm | Virus/Worm |
| Malware | Malicious file | Malicious File | Malicious file |
| Malware | Reverse shell | Reverse Shell | Reverse shell |
| Malware | Trojan | Backdoor Trojan | Trojan |
| Malware | Botnet | Botnet Program | Botnet |
| Malware | Ransomware | Ransomware | Ransomware |
| Malware | Bitcoin Miner | Bitcoin Miner | Bitcoin Miner |
| Malware | Mining software | Mining Software | Mining software |
| Risk Audit | Web-CMS Vulnerability | Webcms Vulnerability | Web-CMS Vulnerability |
| Risk Audit | Windows OS vulnerabilities | Windows Vulnerability | Windows OS vulnerabilities |
| Risk Audit | Local access vulnerability | Local Access Vulnerability | Local access vulnerability |
| Risk Audit | Incorrect configuration policy | Mis-Configured Policy | Incorrect configuration policy |
| Risk Audit | Other OS vulnerability | Other OS Vulnerability | Other OS vulnerability |
| Risk Audit | Other vulnerability | Other Vulnerability | Other vulnerability |
| Risk Audit | Application vulnerability | Application Vulnerability | Application vulnerability |
| Risk Audit | Remote access vulnerability | Remote Access Vulnerability | Remote access vulnerability |
| Risk Audit | Weak Password | Weak Password | Weak Password |
| Risk Audit | Risky system configuration | System Risk Configuration | Risky system configuration |
| Attacks | Fishing | Phishing | Fishing |
| Attacks | Network topology | Map Network Topology | Network topology |
| Attacks | Account and group information collection | Identify Groups/Roles | Account and group information collection |
| Attacks | Fingerprint scan | Fingerprinting | Fingerprint scan |
| Attacks | Host discovery | Determine IP Address | Host discovery |
| Vulnerability exploit | ActiveX vulnerability exploit | ActiveX Exploit | ActiveX vulnerability exploit |
| Vulnerability exploit | CGI attack | CGI Attack | CGI attack |
| Vulnerability exploit | DNS vulnerability exploit | DNS Exploit | DNS vulnerability exploit |
| Vulnerability exploit | FTP vulnerability exploit | FTP Exploit | FTP vulnerability exploit |
| Vulnerability exploit | Hadoop vulnerability exploit | Hadoop Vulnerability Exploit | Hadoop vulnerability exploit |
| Vulnerability exploit | Vulnerability exploit of hypervisor | Hypervisor Exploit | Vulnerability exploit of hypervisor |
| Vulnerability exploit | LDAP injection | LDAP Injection Attack | LDAP injection |
| Vulnerability exploit | MacOS vulnerability exploit | MacOS Exploit | MacOS vulnerability exploit |
| Vulnerability exploit | MySQL vulnerability exploit | MySQL Vulnerability Exploit | MySQL vulnerability exploit |
| Vulnerability exploit | Vulnerability exploit of Office software | Office Exploit | Vulnerability exploit of Office software |
| Vulnerability exploit | Redis vulnerability exploit | Redis Vulnerability Exploit | Redis vulnerability exploit |
| Vulnerability exploit | RPC vulnerability exploit | RPC Exploit | RPC vulnerability exploit |
| Vulnerability exploit | SQL injection | SQL Injection | SQL injection |
| Vulnerability exploit | SSH vulnerability exploit | SSH Exploit | SSH vulnerability exploit |
| Vulnerability exploit | SSI injection attack | SSI Injection Attack | SSI injection attack |
| Vulnerability exploit | Struts2 OGNL injection | Struts2 OGNL Injection | Struts2 OGNL injection |
| Vulnerability exploit | Telnet vulnerability exploit | TELNET Exploit | Telnet vulnerability exploit |
| Vulnerability exploit | Unix vulnerability exploit | Unix Exploit | Unix vulnerability exploit |
| Vulnerability exploit | Web vulnerability exploit | Web Exploit | Web vulnerability exploit |
| Vulnerability exploit | Cross site scripting (XSS) | Cross-Site Scripting | Cross site scripting (XSS) |
| Vulnerability exploit | Local file inclusion | Local File Inclusion | Local file inclusion |
| Vulnerability exploit | Malicious file delivery | Malicious File Delivery | Malicious file delivery |
| Vulnerability exploit | Malicious file execution | Malicious File Execution | Malicious file execution |
| Vulnerability exploit | Buffer overflow attack | Buffer Overflow | Buffer overflow attack |
| Vulnerability exploit | Session hijacking | Session Hijack | Session hijacking |
| Vulnerability exploit | Password guessing | Password Cracking | Password guessing |
| Vulnerability exploit | Browser vulnerability exploit | Browser Exploit | Browser vulnerability exploit |
| Vulnerability exploit | Weak password access | Weak Password Access | Weak password access |
| Vulnerability exploit | Database vulnerability exploit | Database Exploit | Database vulnerability exploit |
| Vulnerability exploit | Unknown vulnerability exploit | Unknown Exploit | Unknown vulnerability exploit |
| Vulnerability exploit | Hidden link access | Hide Link Access | Hidden link access |
| Vulnerability exploit | Email vulnerability exploit | Mail Exploit | Email vulnerability exploit |
| Vulnerability exploit | Remote code execution | Remote Code Execution | Remote code execution |
| Vulnerability exploit | Remote access vulnerability exploit | Remote Access Exploit | Remote access vulnerability exploit |
| Vulnerability exploit | Remote file inclusion prevention | Remote File Inclusion | Remote file inclusion prevention |
| Vulnerability exploit | Remote file injection | Remote File Injection | Remote file injection |
| Vulnerability exploit | Combined vulnerability exploit | Misc Exploit | Combined vulnerability exploit |
| Vulnerability exploit | CMS vulnerability | CMS Exploit | CMS vulnerability |
| Vulnerability exploit | CSRF attack | CSRF Attack | CSRF attack |
| Vulnerability exploit | JNDI injection | JNDI Injection Attack | JNDI injection |
| Vulnerability exploit | Linux vulnerability | Linux Exploit | Linux vulnerability |
| Vulnerability exploit | SMB vulnerability | SMB Exploit | SMB vulnerability |
| Vulnerability exploit | Windows vulnerability | Windows Exploit | Windows vulnerability |
| Vulnerability exploit | XML injection | XML Injection | XML injection |
| Vulnerability exploit | Code Injection | Code Injection | Code Injection |
| Vulnerability exploit | Vulnerability escape | Vulnerability Escape Attack | Vulnerability escape |
| Vulnerability exploit | Command execution | Command Execution | Command execution |
| Vulnerability exploit | Command injection | Command Injection | Command injection |
| Vulnerability exploit | File escape | File Escape Attack | File escape |
| Vulnerability exploit | VM escape | | |

VM Escape Attack

VM escape

Common vulnerability exploit

General Exploit

Common vulnerability exploit

Command and control

Message sent from current ECS IP address to high-risk network

Command Control Activity

Message sent from current ECS IP address to high-risk network

Dynamic resolution

Dynamic Resolution

Dynamic resolution

Other suspicious connection

Abnormal Connection

Other suspicious connection

Other suspicious behavior

Abnormal Behaviour

Other suspicious behavior

Malicious DNS connection

Malicious Domain Query

Malicious DNS connection

Malicious IP address connection

Malicious Ip Address Query

Malicious IP address connection

Covert tunnel

Protocol Tunneling

Covert tunnel

Mining pool communication

Mining Pool Communication

Mining pool communication

Other

Public_Opinion

Public_Opinion

Public_Opinion

Cloud firewall attack

CFW_RISK

Cloud firewall attack

Data leakage

Data theft

Steal Data

Data theft

Unauthorized data transfer

Transfer Data Abnormal

Unauthorized data transfer

Abnormal network behavior

Abnormal access frequency of IP addresses

IP Access Frequency Abnormal

Abnormal access frequency of IP addresses

Abnormal IP address switch

IP Switch Abnormal

Abnormal IP address switch

First login from an IP address

IP First Access

First login from an IP address

Sinkhole attack IP address access

Sink Hole

Sinkhole attack IP address access

Proxy IP address access

Proxy

Proxy IP address access

Malicious resource access

Resource Permissions

Malicious resource access

Fraudulent payment website IP address/domain name access

Payment

Fraudulent payment website IP address/domain name access

Onion website IP access

Tor

Onion website IP access

C&C abnormal communication

C&C Abnormal Communication

C&C abnormal communication

Blacklisted IP address Access

IP Blacklist Access

Blacklisted IP address Access

URL blacklist access

URL Blacklist Access

URL blacklist access

Malicious URL access

Malicious URL Access

Malicious URL access

Malicious domain name access

Malicious Domain Name Access

Malicious domain name access

Unauthorized access attempt

Unauthorized Access Attempt

Unauthorized access attempt

Suspicious network traffic

Suspicious Network Traffic

Suspicious network traffic

Container-network external connection

Container Network Connect

Container-network external connection

Unknown network access

Unknown Abnormal Network Access

Unknown network access

File MD5 blacklist access

File MD5 Blacklist Access

File MD5 blacklist access

Abnormal external connection

Abnormal External Behavior

Abnormal external connection

Domain name blacklist access

Domain Name Blacklist Access

Domain name blacklist access

Periodic external communication

Periodic Outreach

Periodic external communication

Suspicious port forwarding

Suspicious Port Forward

Suspicious port forwarding

Fileless attacks

VDSO hijacking

VDSO Hijacking

VDSO hijacking

Dynamic library injection

Dynamic Library Inject Process

Dynamic library injection

Key configuration change

Critical File Change

Key configuration change

Environment variable change

Environment Change

Environment variable change

Process injection

Process Inject

Process injection

Memory file process

Memfd Process

Memory file process

File manipulation

File Manipulation

File manipulation

Abnormal system behavior

Suspicious crontab task

Crontab Suspicious Task

Suspicious crontab task

Socket connection error

Abnormal Socket Connection

Socket connection error

Backup deletion

Backup Deletion

Backup deletion

Unauthorized database access

Unauthorized Database Access

Unauthorized database access

Abnormal permission access

Privilege Abnormal Access

Abnormal permission access

Abnormal log change

Unexpected Log Change

Abnormal log change

Exit the container process

Container Process Exist

Exit the container process

Abnormal behavior of unknown server

Unknown Host Abnormal Activity

Abnormal behavior of unknown server

File blacklist access

File blocklist access

File blacklist access

Abnormal change of file permission

Unexpected File Permission Change

Abnormal change of file permission

System protection disabled

System Security Protection disabled

System protection disabled

System account change

System Account Change

System account change

Suspicious registry operation

Abnormal Registry Operation

Suspicious registry operation

Crontab script privilege escalation

Crontab Script Privilege Escalation

Crontab script privilege escalation

Crontab script modification

Crontab Script Change

Crontab script modification

High-risk command execution

High-risk Command Execution

High-risk command execution

High-risk system call

High-Risk Syscall

High-risk system call

Important file/directory change

File/Directory Change

Important file/directory change

Critical file change

Key File Change

Critical file change

Process privilege escalation

Process Privilege Escalation

Process privilege escalation

Abnormal process behavior

Process Abnormal Activity

Abnormal process behavior

Sensitive file access

Sensitive File Access

Sensitive file access

Abnormal container process

Container Abnormal Process

Abnormal container process

Abnormal container startup

Container Abnormal Start

Abnormal container startup

Abnormal database connection

Abnormal Database Connection

Abnormal database connection

NIC in promiscuous mode

Network Adapter Promiscuous Mode

NIC in promiscuous mode

File privilege escalation

File Privilege Escalation

File privilege escalation

Abnormal file deletion

File Abnormal Delete

Abnormal file deletion

System startup script modification

System Start Script Change

System startup script modification

Abnormal shell

Abnormal Shell

Abnormal shell

Abnormal command execution

Abnormal Command Execution

Abnormal command execution

Data damage

Information tampering

Information Tampering

Information tampering

Information loss

Information Loss

Information loss

Information counterfeiting

Information Masquerading

Information counterfeiting

Information theft

Information Interception

Information theft

Information leakage

Information Disclosure

Information leakage

Linux web tampering

Linux Web Page Tampering

Linux web tampering

Windows web tampering

Windows Web Page Tampering

Windows web tampering

Path Traversal

Directory Traversal

Path Traversal

Abnormal user behavior

Malicious use of token

Token Leakage

Malicious use of token

Malicious token exploit success

Token Leakage Success

Malicious token exploit success

First login by an abnormal user

User First Cross Domain Access

First login by an abnormal user

Abnormal user access frequency

User Access Frequency Abnormal

Abnormal user access frequency

Abnormal time segment

User Hour Level Access Abnormal

Abnormal time segment

Abnormal user download behavior through a specific IP address

User IP Download Abnormal

Abnormal user download behavior through a specific IP address

First access to an object

Client First Access

First access to an object

Abnormal user download behavior

User Download Abnormal

Abnormal user download behavior

Brute-force attacks

Brute Force Cracking

Brute-force attacks

Illegal login

Illegal Login

Illegal login

Abnormal behavior of unknown users

Unknown User Abnormal Activity

Abnormal behavior of unknown users

Abnormal login

Abnormal Login

Abnormal login

Login attempt

User Login Attempt

Login attempt

Password theft

User Password Theft

Password theft

Successful user privilege escalation

User Privilege Escalation Succeeded

Successful user privilege escalation

Failed to elevate user rights

User Privilege Escalation Failed

Failed to elevate user rights

First login

User First login

First login

Account deletion

User Account Removed

Account deletion

Account creation

User Account Added

Account creation

User group change

User Group Changed

User group change

User group deletion

User Group Removed

User group deletion

User group addition

User Group Added

User group addition

Account spoofing

Account Forgery

Account spoofing

Suspicious ECS account creation

Suspicious Ecs User Create

Suspicious ECS account creation

ECS account permission escalation

ECS User Escalate Privilege

ECS account permission escalation

Suspicious IAM account creation

Suspicious IAM Account Create

Suspicious IAM account creation

IAM permission escalation

IAM Permissions Escalation

IAM permission escalation

ECS login through brute-force attack

ECS BruteForce Login

ECS login through brute-force attack

IAM login through brute-force attack

IAM BruteForce Login

IAM login through brute-force attack

Invalid account

Invalid System Account

Invalid account

Unsafe account

Risky Account

Unsafe account

ECS login from suspicious IP address

Suspicious IP Address Login

ECS login from suspicious IP address

Suspicious IP address login to IAM

Suspicious IP Address Login

Suspicious IP address login to IAM

Abnormal login to IAM

IAM Abnormal Login

Abnormal login to IAM

Remote login to ECS

Instance Credential Exfiltration

Remote login to ECS

User login success

User Login Success

User login success

User login denial

User Login Denied

User login denial

User account change

User Account Changed

User account change

Resource manipulation

Malicious logic insertion

Malicious Logic Insertion

Malicious logic insertion

Infrastructure manipulation

Infrastructure Manipulation

Infrastructure manipulation

Configuration/environment manipulation

Configuration/Environment Manipulation

Configuration/environment manipulation

Container escape

Container Escape

Container escape

Container resource manipulation

Container Resource Manipulation

Container resource manipulation

Software integrity

Software Integrity Attack

Software integrity

Resource scanning

Abnormal number of detected ports

Port Detection

Abnormal number of detected ports

ARP scan

ARP Scan

ARP scan

DNS test

DNS Recon

DNS test

Hypervisor detection

Hypervisor Recon

Hypervisor detection

ICMP detection

ICMP Recon

ICMP detection

Linux detection

Linux Recon

Linux detection

MacOS detection

MacOS Recon

MacOS detection

Nmap scan

NMAP Scan

Nmap scan

RPC request detection

RPC Recon

RPC request detection

SNMP scan

SNMP Recon

SNMP scan

TCP scan

TCP Recon

TCP scan

UDP scan

UDP Recon

UDP scan

Unix detection

Unix Recon

Unix detection

Web detection

Web Recon

Web detection

Windows probing

Windows Recon

Windows probing

Encrypted penetration scan

Encrypted Penetration Scan

Encrypted penetration scan

Common scan event

General Scanner

Common scan event

Database detection

Database Recon

Database detection

Mail detection

Mail Recon

Mail detection

Server scan

Host Scan

Server scan

Combined detection

Misc Recon

Combined detection

Port scan

Port Scan

Port scan

Operations Related to Incident Types

Preset Threat Indicator Types

Table 3 Preset threat indicator types

| Type Name | Type Tag | Description |
| --- | --- | --- |
| IPv4 | IPv4 | IPv4 |
| IPv6 | IPv6 | IPv6 |
| Email | Email | Email |
| Domain name | domain | Domain name |
| URL | URL | URL |
| Other | Unclassified | Other |
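As an added worked example (not code from the SecMaster documentation or product), the following Python classifies raw indicator strings from a threat feed into the Table 3 type tags above (IPv4, IPv6, Email, domain, URL, Unclassified), so that a bulk import lands in the right preset type. The defanging conventions it undoes (hxxp, [.], (.), [@], [:]), the constructed sample feed, the host:port handling, and the choice to report CIDR ranges as Unclassified are assumptions made for the example, not documented SecMaster behaviour.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import urlparse

# Type tags exactly as SecMaster presets them in Table 3.
UNCLASSIFIED = "Unclassified"

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,63}$")
# Dotted hostname labels with a letters-only TLD, 253 characters max.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}\.?$"
)
# host:port where the host contains no colon (so an IPv6 literal never matches here).
HOST_PORT_RE = re.compile(r"^([^:/]+):(\d{1,5})$")


def refang(value: str) -> str:
    """Undo the defanging conventions assumed for this example (hxxp, [.], (.), [@], [:])."""
    v = value.strip()
    v = re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.IGNORECASE)
    for defanged, clean in (("[.]", "."), ("(.)", "."), ("[@]", "@"), ("[:]", ":")):
        v = v.replace(defanged, clean)
    return v


def _ip_family(text: str) -> Optional[str]:
    """'IPv4' or 'IPv6' for a bare address, None for anything else."""
    try:
        return "IPv4" if ipaddress.ip_address(text).version == 4 else "IPv6"
    except ValueError:
        return None


def classify_indicator(value: str) -> str:
    """Map one raw indicator string to its SecMaster preset type tag."""
    v = refang(value)
    if not v:
        return UNCLASSIFIED

    # Bare address, or a bracketed IPv6 literal such as "[2001:db8::1]".
    bare = v[1:-1] if v.startswith("[") and v.endswith("]") else v
    fam = _ip_family(bare)
    if fam:
        return fam

    # An address with a port ("203.0.113.7:4444", "[2001:db8::1]:443") is still an IP indicator.
    m = HOST_PORT_RE.match(v)
    if m:
        fam = _ip_family(m.group(1))
        if fam:
            return fam
    if v.startswith("[") and "]:" in v:
        fam = _ip_family(v[1 : v.index("]:")])
        if fam:
            return fam

    # CIDR ranges: Table 3 has no network type, so flag them rather than
    # silently loading a whole range as one address (assumption for this example).
    try:
        ipaddress.ip_network(v, strict=False)
        return UNCLASSIFIED
    except ValueError:
        pass

    if EMAIL_RE.match(v):
        return "Email"

    # Anything carrying a scheme, path or query is a URL; a bare host is a domain.
    if "://" in v:
        p = urlparse(v)
        return "URL" if p.scheme and p.netloc else UNCLASSIFIED
    if "/" in v or "?" in v:
        host = urlparse("http://" + v).hostname or ""
        return "URL" if (DOMAIN_RE.match(host) or _ip_family(host)) else UNCLASSIFIED

    if DOMAIN_RE.match(v):
        return "domain"
    return UNCLASSIFIED


def classify_feed(lines):
    """Bucket a one-indicator-per-line feed ('#' comment lines allowed) by type tag.
    Values are stored refanged, i.e. in the form you would actually import."""
    buckets = {}
    for line in lines:
        raw = line.strip()
        if not raw or raw.startswith("#"):
            continue
        buckets.setdefault(classify_indicator(raw), []).append(refang(raw))
    return buckets


# Constructed sample feed for the example (documentation addresses, not real indicators).
SAMPLE_FEED = """
# mixed IOC dump
203.0.113.7
203.0.113.7:4444
2001:db8::1
[2001:db8::1]:443
hxxp://evil[.]example/pay.php
evil[.]example
mail[@]evil[.]example
evil.example/login?x=1
10.0.0.0/8
not an indicator
""".splitlines()

if __name__ == "__main__":
    for tag, values in sorted(classify_feed(SAMPLE_FEED).items()):
        print(f"{tag:13s} {values}")
```

The two Unclassified entries in the sample (a CIDR range and free text) are the ones to review by hand before import; everything else maps directly onto a preset tag.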

Operations Related to Indicator Types

Preset Vulnerability Types

Table 4 Preset vulnerability types

| Type Name | Type Tag | Description |
| --- | --- | --- |
| Website vulnerabilities | Website Vulnerabilities | Website vulnerabilities |
| Linux vulnerabilities | Linux Vulnerabilities | Linux vulnerabilities |
| Web-CMS vulnerabilities | Web-CMS Vulnerabilities | Web-CMS vulnerabilities |
| Windows vulnerabilities | Windows Vulnerabilities | Windows vulnerabilities |
| Application vulnerabilities | Application Vulnerabilities | Application vulnerabilities |

Operations Related to Vulnerability Types