Skip to content

New: Microsoft Sentinel TAXII integration is in technical preview.Read the integration guide

Intelligence tags

Tags are short labels ELLIO attaches to an IP based on what it was observed doing. They are the most useful filter in the platform - they let you pick out “every IP exploiting CVE-X”, “every Censys scanner”, or “every IP brute-forcing RDP” with a single field.

The full, live catalogue is at platform.ellio.tech/dashboard/cti/tags.

Every tag entry in the catalogue carries:

  • Name - human-readable label (e.g. Apache Path Traversal).
  • Description - what behaviour earns this tag.
  • Classification - Malicious, Promiscuous, Benign, or Unknown.
  • Trend - sparkline of new tagged IPs over time.
  • Search IPs - one-click pivot to a search filtered by tag: "...".

Each tag carries one of four classifications. A tag’s classification rolls up to the IP’s classification field - an IP tagged with any malicious tag is classified malicious.

Classification Meaning Example tags
Malicious Active exploitation or attack - block by default. Apache Path Traversal, Apache OFBiz Exploit, AWS secrets scanner, CCTV DVR RCE Exploit, Cisco ASA/FTD WebVPN Exploit, Docker API Exploit, Eir WAN Side RCE Exploit, TBK DVR4104 authentication bypass
Promiscuous Indiscriminate scanning, crawling, or probing - usually research infrastructure. Adminer Detector, Academy for Internet Research, Apache Tomcat Detector, Apache Druid Detector, Backup File Scanner, BinaryEdge, Buffercover, Bytespider, Camera Scanner, Censys, CERT FR, CGI Login Scanner, ChatGPT bot, Cloudflare Proxy Detector, Config File Scanner, DIRB Scanner, Domain Tools, DriftNet, Driftnet (sensors), Expanse, Fast Scanner (i.e. Masscan / ZMap), Favicon Scanner, Sangoma FreePBX Detector
Benign Legitimate, well-known traffic - generally safe to allow. Adobe, Apple, ArchiveOrg, Baidu Bot, Bing Bot, Cloudflare DNS, DHS Vuln Management, DuckDuckGo Bot
Unknown Activity observed but not yet classified. Akamai Cloud, AWS Cloud, Azure Cloud, Cloudflare

The simplest pattern. From the Tags catalogue, click Search IPs on any tag to pivot into a results list. Or write the query yourself:

tag: "Apache Path Traversal" AND spoofable: false

Many ELLIO Threat Lists and RECON Lists are themselves derived from tag groupings. For example, the Censys Scanner IPs RECON list is the set of IPs tagged Censys. To block (or allow) a category, include the matching RECON list in your EDL Deployment instead of writing per-IP rules. See ELLIO Threat Lists.

The TAXII feed exposes tags as STIX labels on each indicator. Filter, group, and alert on them in KQL, SPL, or whichever query language your SIEM speaks. See KQL examples.

A few tag families show up repeatedly. Knowing them speeds up triage.

Commercial scanners. Censys, Shodan, BinaryEdge, BufferOver, InfraWatch, LeakIX, NetScout, Nokia Deepfield, Rapid7, Stretchoid. Operate at internet scale; classification is Promiscuous. Usually allow them unless you specifically don’t want to be in their dataset.

Research organisations. Academy for Internet Research, Internet Census, InternetTL, Driftnet, Shadowserver Foundation, CERT FR, Cortex Xpanse (Palo Alto). Operate similarly to commercial scanners.

Search-engine crawlers. Google, Bing, Baidu Bot, DuckDuckGo Bot, Bytespider, Apple (with their own SaaS / crawler ranges in Common Business Services). Usually Benign - block at your peril.

Targeted exploit attempts. Apache Path Traversal, Apache OFBiz Exploit, Cisco ASA/FTD WebVPN Exploit, Docker API Exploit, D-Link DIR-878 Detector, Eir WAN Side RCE Exploit, Sangoma FreePBX Detector, TBK DVR4104 series detector, Tenda HG9 Exploit, TP-Link Archer AX21 (AX1800) vulnerability exploit, GPON devices authentication bypass, Apache Druid Detector. Almost always actionable - block on sight.

Reconnaissance tooling. Fast Scanner (i.e. Masscan / ZMap), Camera Scanner, Config File Scanner, Backup File Scanner, AWS secrets scanner, Favicon Scanner, CGI Login Scanner, Adminer Detector, Apache Tomcat Detector, Domain Tools. High-volume indiscriminate probing.

LLM crawlers. ChatGPT bot is in the catalogue today, with more on the way. Useful if you’re managing crawl budget for AI training scrapers.

ELLIO accepts requests for new tags via Support Center → Request New Tag. The form takes a CVE, a tag name, or an actor. Validated requests ship as new tags within a release window.