Recon
The Recon category contains events that are related to scanning and other techniques that are used to identify network resources.
The following table describes the low-level event categories and associated severity levels for the Recon category.
| Low-level event category | Category ID | Description | Severity level (0 - 10) |
|---|---|---|---|
| Unknown Form of Recon | 1001 | An unknown form of reconnaissance. | 2 |
| Application Query | 1002 | Reconnaissance of applications on your system. | 3 |
| Host Query | 1003 | Reconnaissance of a host in your network. | 3 |
| Network Sweep | 1004 | Reconnaissance on your network. | 4 |
| Mail Reconnaissance | 1005 | Reconnaissance on your mail system. | 3 |
| Windows Reconnaissance | 1006 | Reconnaissance for the Windows operating system. | 3 |
| Portmap / RPC Request | 1007 | Reconnaissance on your portmap or RPC request. | 3 |
| Host Port Scan | 1008 | Indicates that a scan occurred on the host ports. | 4 |
| RPC Dump | 1009 | Indicates that Remote Procedure Call (RPC) information is removed. | 3 |
| DNS Reconnaissance | 1010 | Reconnaissance on the DNS server. | 3 |
| Misc Reconnaissance Event | 1011 | Miscellaneous reconnaissance event. | 2 |
| Web Reconnaissance | 1012 | Web reconnaissance on your network. | 3 |
| Database Reconnaissance | 1013 | Database reconnaissance on your network. | 3 |
| ICMP Reconnaissance | 1014 | Reconnaissance on ICMP traffic. | 3 |
| UDP Reconnaissance | 1015 | Reconnaissance on UDP traffic. | 3 |
| SNMP Reconnaissance | 1016 | Reconnaissance on SNMP traffic. | 3 |
| ICMP Host Query | 1017 | Indicates an ICMP host query. | 3 |
| UDP Host Query | 1018 | Indicates a UDP host query. | 3 |
| NMAP Reconnaissance | 1019 | Indicates NMAP reconnaissance. | 3 |
| TCP Reconnaissance | 1020 | Indicates TCP reconnaissance on your network. | 3 |
| UNIX Reconnaissance | 1021 | Reconnaissance on your UNIX network. | 3 |
| FTP Reconnaissance | 1022 | Indicates FTP reconnaissance. | 3 |