Security Intelligence Categories
Security Intelligence categories are determined by the system-provided feeds described in Security Intelligence.
These categories are used in the following locations:
- The Networks sub-tab on the Security Intelligence tab of an access control policy
- The URLs sub-tab beside the Networks tab on the Security Intelligence tab of an access control policy
- In a DNS policy on the DNS tab in the DNS rule configuration page
- In events generated when traffic matches Block or Monitor configurations in the above locations
Note: If your organization is using Secure Firewall threat intelligence director: When viewing events, you may see categories that indicate that the action was taken by TID, such as TID URL Block.
Categories are updated by Talos from the cloud, and this list may change independently of Firepower releases.
Security Intelligence Category | Description
---|---
Attackers | Active scanners and hosts known for outbound malicious activity
Banking_fraud | Sites that engage in fraudulent activities that relate to electronic banking
Bogon | Bogon networks and unallocated IP addresses
Bots | Sites that host binary malware droppers
CnC | Sites that host command-and-control servers for botnets
Cryptomining | Hosts providing remote access to pools and wallets for the purpose of mining cryptocurrency
Dga | Malware algorithms used to generate a large number of domain names acting as rendezvous points with their command-and-control servers
Exploitkit | Software kits designed to identify software vulnerabilities in clients
High_risk | Domains and hostnames that match against the OpenDNS predictive security algorithms from security graph
Ioc | Hosts that have been observed to engage in Indicators of Compromise (IOC)
Link_sharing | Websites that share copyrighted files without permission
Malicious | Sites exhibiting malicious behavior that do not necessarily fit into another, more granular, threat category
Malware | Sites that host malware binaries or exploit kits
Newly_seen | Domains that have recently been registered, or not yet seen via telemetry
Open_proxy | Open proxies that allow anonymous web browsing
Open_relay | Open mail relays that are known to be used for spam
Phishing | Sites that host phishing pages
Response | IP addresses and URLs that are actively participating in malicious or suspicious activity
Spam | Mail hosts that are known for sending spam
Spyware | Sites that are known to contain, serve, or support spyware and adware activities
Suspicious | Files that appear to be suspicious and have characteristics that resemble known malware
Tor_exit_node | Hosts known to offer exit node services for the Tor Anonymizer network