Suspicious Activity
The Suspicious Activity category contains events that are related to viruses, trojans, backdoor attacks, and other forms of hostile software, together with the network-level indicators that often accompany them: protocol anomalies, IDS evasion attempts, malformed packets, and traffic involving addresses on a watch list or block list.
The following table describes the low-level event categories and associated severity levels for the suspicious activity category.
Low-level event category | Category ID | Description | Severity level (0 - 10) |
---|---|---|---|
Unknown Suspicious Event | 7001 | Indicates an unknown suspicious event. | 3 |
Suspicious Pattern Detected | 7002 | Indicates that a suspicious pattern was detected. | 3 |
Content Modified By Firewall | 7003 | Indicates that content was modified by the firewall. | 3 |
Invalid Command or Data | 7004 | Indicates an invalid command or data. | 3 |
Suspicious Packet | 7005 | Indicates a suspicious packet. | 3 |
Suspicious Activity | 7006 | Indicates suspicious activity. | 3 |
Suspicious File Name | 7007 | Indicates a suspicious file name. | 3 |
Suspicious Port Activity | 7008 | Indicates suspicious port activity. | 3 |
Suspicious Routing | 7009 | Indicates suspicious routing. | 3 |
Potential Web Vulnerability | 7010 | Indicates potential web vulnerability. | 3 |
Unknown Evasion Event | 7011 | Indicates an unknown evasion event. | 5 |
IP Spoof | 7012 | Indicates an IP spoof. | 5 |
IP Fragmentation | 7013 | Indicates IP fragmentation. | 3 |
Overlapping IP Fragments | 7014 | Indicates overlapping IP fragments. | 5 |
IDS Evasion | 7015 | Indicates an IDS evasion. | 5 |
DNS Protocol Anomaly | 7016 | Indicates a DNS protocol anomaly. | 3 |
FTP Protocol Anomaly | 7017 | Indicates an FTP protocol anomaly. | 3 |
Mail Protocol Anomaly | 7018 | Indicates a mail protocol anomaly. | 3 |
Routing Protocol Anomaly | 7019 | Indicates a routing protocol anomaly. | 3 |
Web Protocol Anomaly | 7020 | Indicates a web protocol anomaly. | 3 |
SQL Protocol Anomaly | 7021 | Indicates an SQL protocol anomaly. | 3 |
Executable Code Detected | 7022 | Indicates that an executable code was detected. | 5 |
Misc Suspicious Event | 7023 | Indicates a miscellaneous suspicious event. | 3 |
Information Leak | 7024 | Indicates an information leak. | 1 |
Potential Mail Vulnerability | 7025 | Indicates a potential vulnerability in the mail server. | 4 |
Potential Version Vulnerability | 7026 | Indicates a potential vulnerability in the IBM® QRadar® version. | 4 |
Potential FTP Vulnerability | 7027 | Indicates a potential FTP vulnerability. | 4 |
Potential SSH Vulnerability | 7028 | Indicates a potential SSH vulnerability. | 4 |
Potential DNS Vulnerability | 7029 | Indicates a potential vulnerability in the DNS server. | 4 |
Potential SMB Vulnerability | 7030 | Indicates a potential SMB (Server Message Block) vulnerability. | 4 |
Potential Database Vulnerability | 7031 | Indicates a potential vulnerability in the database. | 4 |
IP Protocol Anomaly | 7032 | Indicates a potential IP protocol anomaly. | 3 |
Suspicious IP Address | 7033 | Indicates that a suspicious IP address was detected. | 2 |
Invalid IP Protocol Usage | 7034 | Indicates an invalid IP protocol. | 2 |
Invalid Protocol | 7035 | Indicates an invalid protocol. | 4 |
Suspicious Window Events | 7036 | Indicates a suspicious event with a screen on your desktop. | 2 |
Suspicious ICMP Activity | 7037 | Indicates suspicious ICMP activity. | 2 |
Potential NFS Vulnerability | 7038 | Indicates a potential network file system (NFS) vulnerability. | 4 |
Potential NNTP Vulnerability | 7039 | Indicates a potential Network News Transfer Protocol (NNTP) vulnerability. | 4 |
Potential RPC Vulnerability | 7040 | Indicates a potential RPC vulnerability. | 4 |
Potential Telnet Vulnerability | 7041 | Indicates a potential Telnet vulnerability on your system. | 4 |
Potential SNMP Vulnerability | 7042 | Indicates a potential SNMP vulnerability. | 4 |
Illegal TCP Flag Combination | 7043 | Indicates that an invalid TCP flag combination was detected. | 5 |
Suspicious TCP Flag Combination | 7044 | Indicates that a potentially invalid TCP flag combination was detected. | 4 |
Illegal ICMP Protocol Usage | 7045 | Indicates that an invalid use of the ICMP protocol was detected. | 5 |
Suspicious ICMP Protocol Usage | 7046 | Indicates that a potentially invalid use of the ICMP protocol was detected. | 4 |
Illegal ICMP Type | 7047 | Indicates that an invalid ICMP type was detected. | 5 |
Illegal ICMP Code | 7048 | Indicates that an invalid ICMP code was detected. | 5 |
Suspicious ICMP Type | 7049 | Indicates that a potentially invalid ICMP type was detected. | 4 |
Suspicious ICMP Code | 7050 | Indicates that a potentially invalid ICMP code was detected. | 4 |
TCP port 0 | 7051 | Indicates a TCP packet uses a reserved port (0) for source or destination. | 4 |
UDP port 0 | 7052 | Indicates a UDP packet uses a reserved port (0) for source or destination. | 4 |
Hostile IP | 7053 | Indicates the use of a known hostile IP address. | 4 |
Watch list IP | 7054 | Indicates the use of an IP address from a watch list of IP addresses. | 4 |
Known offender IP | 7055 | Indicates the use of an IP address of a known offender. | 4 |
RFC 1918 (private) IP | 7056 | Indicates the use of an IP address from a private IP address range. | 4 |
Potential VoIP Vulnerability | 7057 | Indicates a potential VoIP vulnerability. | 4 |
Blacklist Address | 7058 | Indicates that an IP address is on the block list. | 8 |
Watchlist Address | 7059 | Indicates that the IP address is on the list of IP addresses being monitored. | 7 |
Darknet Address | 7060 | Indicates that the IP address is part of a darknet. | 5 |
Botnet Address | 7061 | Indicates that the address is part of a botnet. | 7 |
Suspicious Address | 7062 | Indicates that the IP address must be monitored. | 5 |
Bad Content | 7063 | Indicates that bad content was detected. | 7 |
Invalid Cert | 7064 | Indicates that an invalid certificate was detected. | 7 |
User Activity | 7065 | Indicates that user activity was detected. | 7 |
Suspicious Protocol Usage | 7066 | Indicates that suspicious protocol usage was detected. | 5 |
Suspicious BGP Activity | 7067 | Indicates that suspicious Border Gateway Protocol (BGP) usage was detected. | 5 |
Route Poisoning | 7068 | Indicates that route corruption was detected. | 5 |
ARP Poisoning | 7069 | Indicates that ARP-cache poisoning was detected. | 5 |
Rogue Device Detected | 7070 | Indicates that a rogue device was detected. | 5 |
Government Agency Address | 7071 | Indicates that a government agency address was detected. | 3 |
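Several rows in the table draw a line between an "illegal" observation (an invalid TCP flag combination, ICMP type, or ICMP code, severity 5) and a merely "suspicious" one (potentially invalid, severity 4), and give their own IDs to TCP and UDP packets that use port 0. The following script, added here as an example and not code from IBM QRadar, shows how a sensor might map raw header observations onto those category IDs and the severities above. The IDs and severities are copied from the table; the decision rules (which flag combinations are contradictory under RFC 793, which ICMP types and codes are assigned under RFC 792 and the IANA registry, the `Header` record, and the sample packets) are assumptions made for the example and are not QRadar's own classification logic.

```python
"""
Map packet-header observations onto a subset of the QRadar "Suspicious
Activity" low-level categories (IDs and severities from the table above).

Added example. The classification rules below are assumptions based on
RFC 793, RFC 792 and common IDS practice, not QRadar's implementation.
"""
from dataclasses import dataclass
from typing import Optional

# Subset of the table: category ID -> (low-level category, severity 0-10)
CATEGORIES = {
    7043: ("Illegal TCP Flag Combination", 5),
    7044: ("Suspicious TCP Flag Combination", 4),
    7047: ("Illegal ICMP Type", 5),
    7048: ("Illegal ICMP Code", 5),
    7051: ("TCP port 0", 4),
    7052: ("UDP port 0", 4),
}

# Bit values of the six classic TCP flags (RFC 793), low byte of the flags field
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
                 "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Assumed: IANA-assigned ICMP types (30-39 are deprecated but still assigned)
ASSIGNED_ICMP_TYPES = {0, 3, 4, 5, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18,
                       40, 41, 42, 43} | set(range(30, 40))
# Assumed: valid code sets for the types that define more than code 0
ICMP_CODES = {3: set(range(16)), 5: {0, 1, 2, 3}, 9: {0, 16},
              11: {0, 1}, 12: {0, 1, 2}}


@dataclass
class Header:
    """Fields a sensor would have extracted from one packet (assumed layout)."""
    proto: str                 # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0         # raw TCP flags byte
    icmp_type: int = 0
    icmp_code: int = 0


def decode_flags(flags_byte: int) -> set:
    """Turn the raw flags byte into the set of flag names that are set."""
    return {name for name, bit in TCP_FLAG_BITS.items() if flags_byte & bit}


def classify_tcp_flags(flags: set) -> Optional[int]:
    """Return 7043 (illegal), 7044 (suspicious) or None (normal)."""
    if not flags:                                              # NULL scan
        return 7043
    if {"SYN", "FIN"} <= flags or {"SYN", "RST"} <= flags:     # contradictory
        return 7043
    if {"FIN", "PSH", "URG"} <= flags and "ACK" not in flags:  # Xmas scan
        return 7043
    if "ACK" not in flags and not flags <= {"SYN", "RST"}:
        # After the handshake every segment carries ACK, so a lone FIN/PSH/URG
        # is abnormal; some broken stacks emit them, hence only "suspicious".
        return 7044
    if "SYN" in flags and flags & {"PSH", "URG"}:              # SYN with data-phase flags
        return 7044
    return None


def classify_icmp(icmp_type: int, icmp_code: int) -> Optional[int]:
    """Return 7047 (unassigned type), 7048 (bad code for the type) or None."""
    if icmp_type not in ASSIGNED_ICMP_TYPES:
        return 7047
    if icmp_code not in ICMP_CODES.get(icmp_type, {0}):
        return 7048
    return None


def classify(h: Header) -> Optional[tuple]:
    """Return (category_id, name, severity) for the first matching category."""
    cat = None
    if h.proto == "tcp":
        cat = classify_tcp_flags(decode_flags(h.tcp_flags))
        if cat is None and 0 in (h.sport, h.dport):
            cat = 7051
    elif h.proto == "udp":
        if 0 in (h.sport, h.dport):
            cat = 7052
    elif h.proto == "icmp":
        cat = classify_icmp(h.icmp_type, h.icmp_code)
    if cat is None:
        return None
    name, severity = CATEGORIES[cat]
    return cat, name, severity


# Constructed sample observations for the example (not real captures)
SAMPLE = [
    Header("tcp", 40001, 22, tcp_flags=0x02),     # plain SYN: normal
    Header("tcp", 40002, 80, tcp_flags=0x03),     # SYN+FIN
    Header("tcp", 40003, 443, tcp_flags=0x00),    # NULL scan
    Header("tcp", 40004, 25, tcp_flags=0x29),     # FIN+PSH+URG (Xmas)
    Header("tcp", 40005, 53, tcp_flags=0x01),     # lone FIN
    Header("tcp", 0, 8080, tcp_flags=0x18),       # PSH+ACK from source port 0
    Header("udp", 5353, 0),                       # UDP to destination port 0
    Header("icmp", icmp_type=8, icmp_code=0),     # echo request: normal
    Header("icmp", icmp_type=200, icmp_code=0),   # unassigned ICMP type
    Header("icmp", icmp_type=3, icmp_code=42),    # bad code for Destination Unreachable
]


def triage(headers) -> list:
    """(header, finding) pairs for packets that matched, highest severity first."""
    found = [(h, classify(h)) for h in headers]
    found = [(h, c) for h, c in found if c is not None]
    return sorted(found, key=lambda hc: hc[1][2], reverse=True)


if __name__ == "__main__":
    for h, (cid, name, sev) in triage(SAMPLE):
        print(f"sev {sev}  {cid}  {name:34s} {h.proto} {h.sport}->{h.dport}")
```

The ordering of the checks matters: contradictory combinations are tested before the generic "no ACK" rule so that a SYN+FIN probe lands in 7043 rather than 7044, and a packet is only tested for port 0 once its flags have passed, since the severity-5 category should win when both apply. If you adopt rules like these, tune the "suspicious" set against your own traffic first; older or embedded stacks produce lone PSH or URG segments often enough that severity 4 can become noisy.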