Intelligence tags
Tags are short labels ELLIO attaches to an IP based on what it was observed doing. They are the most useful filter in the platform - they let you pick out "every IP exploiting CVE-X", "every Censys scanner", or "every IP brute-forcing RDP" with a single field.
The full, live catalogue is at platform.ellio.tech/dashboard/cti/tags.
Anatomy of a tag
Every tag entry in the catalogue carries:
- Name - human-readable label (e.g. Apache Path Traversal).
- Description - what behaviour earns this tag.
- Classification - Malicious, Promiscuous, Benign, or Unknown.
- Trend - sparkline of new tagged IPs over time.
- Search IPs - one-click pivot to a search filtered by tag: "...".
Classifications
Each tag carries one of four classifications. A tag's classification rolls up
to the IP's classification field - an IP tagged with any malicious tag is
classified malicious.
| Classification | Meaning | Example tags |
|---|---|---|
| Malicious | Active exploitation or attack - block by default. | Apache Path Traversal, Apache OFBiz Exploit, AWS secrets scanner, CCTV DVR RCE Exploit, Cisco ASA/FTD WebVPN Exploit, Docker API Exploit, Eir WAN Side RCE Exploit, TBK DVR4104 authentication bypass |
| Promiscuous | Indiscriminate scanning, crawling, or probing - usually research-grade infrastructure. | Adminer Detector, Academy for Internet Research, Apache Tomcat Detector, Apache Druid Detector, Backup File Scanner, BinaryEdge, Buffercover, Bytespider, Camera Scanner, Censys, CERT FR, CGI Login Scanner, ChatGPT bot, Cloudflare Proxy Detector, Config File Scanner, DIRB Scanner, Domain Tools, DriftNet, Driftnet (sensors), Expanse, Fast Scanner (i.e. Masscan / ZMap), Favicon Scanner, Sangoma FreePBX Detector |
| Benign | Legitimate, well-known traffic - generally safe to allow. | Adobe, Apple, ArchiveOrg, Baidu Bot, Bing Bot, Cloudflare DNS, DHS Vuln Management, DuckDuckGo Bot |
| Unknown | Activity observed but not yet classified. | Akamai Cloud, AWS Cloud, Azure Cloud, Cloudflare |
Three ways to use tags
1. Filter searches in the UI
The simplest pattern. From the Tags catalogue, click Search IPs on any tag to pivot into a results list. Or write the query yourself:
tag: "Apache Path Traversal" AND spoofable: false
2. Build blocklist sources
Many ELLIO Threat Lists and RECON Lists are themselves derived from tag
groupings. For example, the Censys Scanner IPs RECON list is the set of
IPs tagged Censys. To block (or allow) a category, include the matching
RECON list in your EDL Deployment instead of writing per-IP rules. See
ELLIO Threat Lists.
3. Drive automated detection in your SIEM
The TAXII feed exposes tags as STIX labels on each indicator. Filter, group,
and alert on them in KQL, SPL, or whichever query language your SIEM speaks.
See KQL examples.
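The classification roll-up described under Classifications and the STIX-label filtering in step 3, as an added example that is not ELLIO's code: it parses a constructed STIX 2.1 bundle of the shape a TAXII collection returns, maps each tag label to its classification using entries from the catalogue table above, rolls the tags up to one classification per IP (any Malicious tag makes the IP Malicious, as the page states; the ordering among the other three classes is this example's assumption), groups IPs by tag for the "search by tag" pivot, and emits the Malicious set as a blocklist. The sample IPs, indicator ids and the unrecognised tag are constructed.

```python
import json
import re
from collections import defaultdict

# Tag -> classification, copied from the catalogue table on this page.
TAG_CLASSIFICATION = {
    "Apache Path Traversal": "Malicious",
    "Docker API Exploit": "Malicious",
    "Censys": "Promiscuous",
    "Fast Scanner (i.e. Masscan / ZMap)": "Promiscuous",
    "Bing Bot": "Benign",
    "AWS Cloud": "Unknown",
}

# Roll-up precedence. The page states only that any Malicious tag makes the IP
# Malicious; placing Promiscuous above Benign is this example's assumption.
PRECEDENCE = ("Malicious", "Promiscuous", "Benign", "Unknown")

# Matches the address inside a STIX comparison such as
# "[ipv4-addr:value = '203.0.113.10']"; ipv6-addr is accepted too.
_ADDR_RE = re.compile(r"ipv[46]-addr:value\s*=\s*'([^']+)'")


def _indicator(uid, ip, labels):
    """Build one STIX 2.1 indicator object (constructed sample data)."""
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--00000000-0000-4000-8000-00000000000{uid}",
        "pattern": f"[ipv4-addr:value = '{ip}']",
        "pattern_type": "stix",
        "labels": labels,
    }


# Constructed sample bundle. The IPs are documentation ranges (RFC 5737) and
# the object ids are made up for the example.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        _indicator(1, "203.0.113.10", ["Fast Scanner (i.e. Masscan / ZMap)", "Docker API Exploit"]),
        _indicator(2, "198.51.100.7", ["Censys"]),
        _indicator(3, "192.0.2.44", ["Bing Bot"]),
        _indicator(4, "192.0.2.45", ["AWS Cloud"]),
        _indicator(5, "192.0.2.46", ["Tag Not In Local Catalogue"]),
    ],
})


def parse_indicators(bundle_json):
    """Return [(ip, [labels]), ...] for every IP indicator in a STIX bundle."""
    out = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = _ADDR_RE.search(obj.get("pattern", ""))
        if not m:
            continue  # not an address indicator (domain, hash, ...): skip it
        out.append((m.group(1), list(obj.get("labels", []))))
    return out


def classify_ip(labels):
    """Roll tags up to one classification: the highest-precedence class present.
    Tags missing from the local catalogue contribute Unknown."""
    classes = {TAG_CLASSIFICATION.get(tag, "Unknown") for tag in labels}
    for cls in PRECEDENCE:
        if cls in classes:
            return cls
    return "Unknown"


def group_by_tag(indicators):
    """Map each tag to the set of IPs carrying it (the 'search by tag' pivot)."""
    groups = defaultdict(set)
    for ip, labels in indicators:
        for tag in labels:
            groups[tag].add(ip)
    return dict(groups)


def blocklist(bundle_json):
    """IPs whose rolled-up classification is Malicious, sorted for stable output."""
    return sorted(ip for ip, labels in parse_indicators(bundle_json)
                  if classify_ip(labels) == "Malicious")


if __name__ == "__main__":
    for ip, labels in parse_indicators(SAMPLE_BUNDLE):
        print(f"{ip:15} {classify_ip(labels):11} {', '.join(labels)}")
    print("block:", blocklist(SAMPLE_BUNDLE))
```

Feeding a real TAXII response in place of the constructed bundle only requires the same `objects` array; the roll-up keeps a Promiscuous scanner out of the blocklist unless that IP also carries a Malicious tag, which is the distinction the tag families below rely on.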
Tag families to know
A few tag families show up repeatedly. Knowing them speeds up triage.
Commercial scanners. Censys, Shodan, BinaryEdge, BufferOver,
InfraWatch, LeakIX, NetScout, Nokia Deepfield, Rapid7, Stretchoid.
These operate at internet scale and carry the Promiscuous classification. Usually allow them
unless you specifically don't want to be in their dataset.
Research organisations. Academy for Internet Research, Internet Census,
InternetTL, Driftnet, Shadowserver Foundation, CERT FR, Cortex Xpanse
(Palo Alto). These operate much like the commercial scanners.
Search-engine crawlers. Google, Bing, Baidu Bot, DuckDuckGo Bot,
Bytespider, Apple (with their own SaaS / crawler ranges in
Common Business Services).
Usually Benign - block at your peril.
Targeted exploit attempts. Apache Path Traversal, Apache OFBiz Exploit,
Cisco ASA/FTD WebVPN Exploit, Docker API Exploit, D-Link DIR-878 Detector,
Eir WAN Side RCE Exploit, Sangoma FreePBX Detector, TBK DVR4104 series detector, Tenda HG9 Exploit, TP-Link Archer AX21 (AX1800) vulnerability exploit, GPON devices authentication bypass, Apache Druid Detector. Almost
always actionable - block on sight.
Reconnaissance tooling. Fast Scanner (i.e. Masscan / ZMap),
Camera Scanner, Config File Scanner, Backup File Scanner,
AWS secrets scanner, Favicon Scanner, CGI Login Scanner,
Adminer Detector, Apache Tomcat Detector, Domain Tools. These mark high-volume,
indiscriminate probing.
LLM crawlers. ChatGPT bot is in the catalogue today, with more on the
way. Useful if you're managing crawl budget for AI training scrapers.
Requesting a new tag
ELLIO accepts requests for new tags via Support Center → Request New Tag. The form takes a CVE, a tag name, or an actor. Validated requests ship as new tags within a release window.