Tags
A tag is a label we add to scan data to help you quickly identify areas within your network that might require attention. We add tags to:
- IP addresses and domains we suspect are private and not intended for the public internet. For example, if we find a domain with a term like laptop, we add a personal device tag.
- Services when we identify that they’re potentially vulnerable, such as those that could enable remote access into your networks.
- Origins to help you understand how a network connects to the internet.
- Vulnerabilities to help you identify which pose the highest threats to your organization.
IP address and domain tags
To determine whether IP addresses and their domains are likely meant to be private, we use forward and reverse DNS lookups, compare domain names against keywords, and then assign tags as appropriate:
Tag | Description |
---|---|
Personal device | Likely associated with a device for a specific individual, because the domain includes terms such as iphone, Macbook, or laptop. |
Dev environment | Likely used for development, staging, or testing purposes. |
Code repository | Likely associated with source code, because the domain includes terms such as git, repo, or bitbucket. |
Internal node | IP address without a domain. |
To filter by tag for IP addresses, navigate to the IP addresses page and select Filters from the IP addresses table. Next, choose IP address tags and the tag to use as a filter.
To filter by tag for domains, navigate to the Attack surface page and select Filters from the Domain table. Next, choose Domain tags and the tag to use as a filter.
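The keyword comparison described above, as an added example that is not the product's own code: it tags an inventory that has already been resolved, so the forward and reverse DNS lookups are replaced by constructed records. The Dev environment keywords and the whole-token matching rule are assumptions; the page names only the Personal device and Code repository terms.

```python
import re

# Keywords for "Personal device" and "Code repository" are the examples the page
# gives; the "Dev environment" keywords are assumed, since the page lists none.
TAG_KEYWORDS = {
    "Personal device": {"iphone", "macbook", "laptop"},
    "Dev environment": {"dev", "staging", "test"},  # assumed keywords
    "Code repository": {"git", "repo", "bitbucket"},
}

def tokens(domain):
    """Split a hostname into lowercase alphabetic tokens (dots, hyphens, digits separate)."""
    return {t for t in re.split(r"[^a-z]+", domain.lower()) if t}

def tag_host(domains):
    """Return the sorted tags for one IP address, given the domains resolved for it."""
    if not domains:
        return ["Internal node"]  # IP address without a domain
    found = set()
    for domain in domains:
        toks = tokens(domain)
        # Whole-token match (assumed rule): "digital" must not count as "git".
        found.update(tag for tag, kws in TAG_KEYWORDS.items() if toks & kws)
    return sorted(found)

def tag_inventory(records):
    """Map each IP in {ip: [domains]} to its tags."""
    return {ip: tag_host(domains) for ip, domains in records.items()}

# Constructed sample inventory (documentation IP range, example.com names).
SAMPLE = {
    "192.0.2.10": ["janes-macbook.example.com"],
    "192.0.2.11": ["git.example.com", "staging-api.example.com"],
    "192.0.2.12": ["digital.example.com"],
    "192.0.2.13": [],
}

if __name__ == "__main__":
    for ip, tags in tag_inventory(SAMPLE).items():
        print(ip, tags)
```

Whole-token matching avoids tagging `digital.example.com` as a code repository, but it also misses compound names, which need their own keyword entries.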
Origin category tags
An origin is an organization that holds the rights to an IP address and connects it to the internet. Typically, it is the organization associated with the Autonomous System Number (ASN) for the network the IP address is in.
To determine the type of organization that connects an IP address to the internet, we compare the ASN of the network the IP address is in against a list of predetermined ASNs, ASNs for cloud providers, and names of organizations from your hierarchy. Next, we assign a category:
Category | Description |
---|---|
Cloud | Connect through a cloud service provider such as Amazon or Digital Ocean. |
In-house | Connect through the root organization or one of its descendant organizations. |
Other | Connect through a vendor or other provider. |
To filter by origin categories, navigate to the Networks page and select Filters from the Networks table. Next, select Origin category tag and the category to use as a filter.
Service tags
To determine whether services are potentially vulnerable, we compare the service and product names against keywords, and then assign tags as appropriate:
Tag | Description |
---|---|
Database | Likely a database because the name includes terms such as Postgres, Sql, or Redis. |
Branded services | Published by a high-value brand, company, or vendor, such as Microsoft or Oracle, making it highly visible to attackers and more likely for them to target. |
Remote access | Enables remote access to its host or other hosts in the network, such as rdp and ssh. |
Known active exploit | Includes a vulnerability in the U.S. Cybersecurity & Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) catalog. The catalog lists vulnerabilities your organization should immediately address because they meet specific criteria, including being exploited by threat actors and causing damage to victims, or being present on highly available and highly distributed systems like Microsoft Internet Information Services or a Remote Authentication Dial-In User Service (RADIUS) server. |
To filter by tag for services, navigate to the Services page and select Filters from the Services table. Next, choose Service tags and the tag to use as a filter.
Vulnerability intel tags
To determine the type of threats associated with the vulnerabilities found for service, product, and version combinations in your networks, we use industry measures such as the Known Exploited Vulnerabilities (KEV) catalog, Exploit Prediction Scoring System (EPSS), and the Common Vulnerability Scoring System (CVSS).
For more information about the industry measures we reference, see CVE program.
Tag | Description |
---|---|
Known active exploit | Listed in the KEV catalog. The catalog lists vulnerabilities your organization should immediately address because they meet specific criteria, including being exploited by threat actors and causing damage to victims, or being present on highly available and highly distributed systems like Microsoft Internet Information Services or a Remote Authentication Dial-In User Service (RADIUS) server. |
Predicted exploit | Has an EPSS score greater than 0. The EPSS score, ranging from 0 to 1 (a 0% to 100% chance of exploitation), estimates the probability that a threat actor will exploit a vulnerability within the next 30 days. |
Imminent threat | Has an EPSS score greater than 0.9. For more information, see Exploit Prediction Scoring System (EPSS). |
Remote exploit | Is remotely exploitable according to the metrics used to determine its CVSS score. The CVSS assesses the severity of vulnerabilities and assigns scores to them using a formula that measures the ease and impact of exploitation. |
To filter by tag for vulnerabilities, navigate to the Vulnerabilities page and select Filters from the Vulnerabilities table. Next, select Vulnerability tags and the tag to use as a filter.
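The tag rules in the table above, as an added example that is not the product's own code: it assigns vulnerability intel tags from KEV membership, an EPSS score, and a CVSS vector, then filters findings by tag. Reading "remotely exploitable" as a Network attack vector (`AV:N`) is an assumption, and the CVE identifiers and scores are constructed placeholders.

```python
def cvss_is_remote(vector):
    """True when the CVSS vector's attack vector is Network (AV:N).

    Assumption: the page does not say which CVSS metric marks a
    vulnerability as remotely exploitable; AV:N is used here.
    """
    metrics = dict(p.split(":", 1) for p in vector.split("/") if ":" in p)
    return metrics.get("AV") == "N"

def intel_tags(cve_id, epss, cvss_vector, kev_ids):
    """Return the vulnerability intel tags for one CVE, in table order."""
    tags = []
    if cve_id in kev_ids:
        tags.append("Known active exploit")
    if epss is not None and epss > 0:
        tags.append("Predicted exploit")
    if epss is not None and epss > 0.9:  # strictly greater than 0.9
        tags.append("Imminent threat")
    if cvss_vector and cvss_is_remote(cvss_vector):
        tags.append("Remote exploit")
    return tags

def filter_by_tag(findings, tag, kev_ids):
    """Return the CVE ids whose tags include `tag`, like the Filters menu."""
    return [f["cve"] for f in findings
            if tag in intel_tags(f["cve"], f["epss"], f["cvss"], kev_ids)]

# Constructed sample data: placeholder CVE ids, not real entries.
KEV_IDS = {"CVE-0000-0001"}
FINDINGS = [
    {"cve": "CVE-0000-0001", "epss": 0.95,
     "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
    {"cve": "CVE-0000-0002", "epss": 0.0,
     "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},
    {"cve": "CVE-0000-0003", "epss": 0.9, "cvss": None},
]

if __name__ == "__main__":
    for f in FINDINGS:
        print(f["cve"], intel_tags(f["cve"], f["epss"], f["cvss"], KEV_IDS))
```

Because both EPSS tags use a lower bound only, every Imminent threat finding also carries the Predicted exploit tag, and a score of exactly 0.9 is Predicted exploit only.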