Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

close

keyboard_arrow_left

Table of Contents Expand all

play_arrow What's New for Administrators
- What's New for Administrators
- New Features and Enhancements in JSA 7.4.2
- New Features and Enhancements in JSA 7.4.1
- New Features and Enhancements in JSA 7.4.0
play_arrow Overview of JSA Administration
- JSA Administration
- Capabilities in Your JSA Product
- Supported Web Browsers
play_arrow User Management
- User Management
- User Roles
- Security Profiles
- User Accounts
- User Authentication
- LDAP Authentication
- SAML Single Sign-on Authentication
play_arrow License Management
- License Management
- Event and Flow Processing Capacity
- Burst Handling
- Uploading a License Key
- Allocating a License Key to a Host
- Distributing Event and Flow Capacity
- Viewing License Details
- Deleting Expired Licenses
- Exporting License Information
play_arrow System Management
- System Management
- System Health Information
- JSA Component Types
- Data Nodes
- Network Interface Management
- JSA System Time
- NAT-Enabled Networks
- Off-site Hosts Management
- Managed Hosts
- Configuration Changes in your JSA Environment
- Deploying Changes
- Restarting the Event Collection Service
- Shutting Down a System
- Restarting a System
- Collecting Log Files
- Changing the Root Password on Your JSA Console
- Resetting SIM
play_arrow JSA Set Up Tasks
- JSA Set Up Tasks
- Network Hierarchy
- Automatic Updates
- Manual Updates
- Configuring System settings
- IF-MAP Server Certificates
- SSL Certificates
- IPv6 Addressing in JSA Deployments
- Advanced Iptables Rules Examples
- Data Retention
- System Notifications
- Custom Offense Close Reasons
- Configuring a Custom Asset Property
- Index Management
- Restrictions to Prevent Resource-intensive Searches
- App Hosts
- Checking the Integrity Of Event and Flow Logs
- Adding Custom Actions
- Managing Aggregated Data Views
- Accessing a GLOBALVIEW Database
play_arrow Event Data Processing in JSA
- Event Data Processing in JSA
- DSM Editor Overview
- Properties in the DSM Editor
- Property Configuration in the DSM Editor
- Opening the DSM Editor
- Configuring a Log Source Type
- Configuring Property Autodetection for Log Source Types
- Configuring Log Source Autodetection for Log Source Types
- Configuring DSM Parameters for Log Source Types
- Custom Log Source Types
- Custom Property Definitions in the DSM Editor
- Event Mapping
- Exporting Contents from the DSM Editor
play_arrow Using Reference Data in JSA
- Using Reference Data in JSA
- Types Of Reference Data Collections
- Reference Sets Overview
- Creating Reference Data Collections by Using the Command Line
- Creating Reference Data Collections with the APIs
- Examples for Using Reference Data Collections
play_arrow User Information Source Configuration
- User Information Source Configuration
- User Information Source Overview
- Configuring the Tivoli Directory Integrator Server
- Creating and Managing User Information Source
- Collecting User Information
play_arrow Juniper Networks X-Force Integration
- Juniper Networks X-Force Integration
- Enabling the X-Force Threat Intelligence Feed
- Updating X-Force Data in a Proxy Server
- Preventing X-Force Data from Downloading Locally
- IBM QRadar Security Threat Monitoring Content Extension
- Juniper X-Force Exchange Plug-in for JSA
play_arrow Managing Authorized Services
- Managing Authorized Services
- Viewing Authorized Services
- Adding an Authorized Service
- Revoking Authorized Services
play_arrow Backup and Recovery
- Backup and Recovery
- Backup JSA Configurations and Data
- Manage Existing Backup Archives
- Restore JSA Configurations and Data
- Backup and Restore Applications
- Data Redundancy and Recovery in JSA Deployments
- Backup and Restore the QRadar Analyst Workflow
play_arrow Flow Sources Management
- Flow Sources
- Types of Flow Sources
- Adding or Editing a Flow Source
- Enabling and Disabling a Flow Source
- Deleting a Flow Source
- Flow Source Aliases Management
- Correcting Flow Time Stamps
play_arrow Remote Networks and Services Configuration
- Remote Networks and Services Configuration
- Default Remote Network Groups
- Default Remote Service Groups
- Guidelines for Network Resources
- Managing Remote Networks Objects
- Managing Remote Services Objects
- QID Map Overview
play_arrow Server Discovery
- Server Discovery
- Discovering Servers
play_arrow Domain Segmentation
- Domain Segmentation
- Overlapping IP Addresses
- Domain Definition and Tagging
- Creating Domains
- Creating Domains for VLAN Flows
- Domain Privileges That Are Derived from Security Profiles
- Domain-specific Rules and Offenses
- Example: Domain Privilege Assignments Based on Custom Properties
play_arrow Multitenant Management
- Multitenant Management
- User Roles in a Multitenant Environment
- Domains and Log Sources in Multitenant Environments
- Provisioning a New Tenant
- Monitoring License Usage in Multitenant Deployments
- Rules Management in Multitenant Deployments
- Network Hierarchy Updates in a Multitenant Deployment
- Retention Policies for Tenants
play_arrow Asset Management
- Asset Management
- Sources Of Asset Data
- Incoming Asset Data Workflow
- Updates to Asset Data
- Identification Of Asset Growth Deviations
- Prevention Of Asset Growth Deviations
- Clean Up Asset Data After Growth Deviations
play_arrow Configuring JSA to Forward Data to Other Systems
- Forward Data to Other Systems
- Adding Forwarding Destinations
- Configuring Forwarding Profiles
- Configuring Routing Rules to Forward Data
- Using Custom Rules and Rule Responses to Forward Data
- Configuring Routing Rules to Use the JSA Data Store
- Viewing Forwarding Destinations
- Viewing and Managing Forwarding Destinations
- Viewing and Managing Routing Rules
play_arrow Event Store and Forward
- Event Store and Forward
- Store and Forward Overview
- Viewing the Store and Forward Schedule List
- Creating a Store and Forward Schedule
- Editing a Store and Forward Schedule
- Deleting a Store and Forward Schedule
play_arrow Security Content
- Security Content
- Types Of Security Content
- Methods Of Importing and Exporting Content
- Content Type Identifiers for Exporting Custom Content
- Content Management Script Parameters
play_arrow SNMP Trap Configuration
- SNMP Trap Configuration
- Adding a Custom SNMP Trap to JSA
- Sending SNMP Traps to a Specific Host
play_arrow Protect Sensitive Data
- Sensitive Data Protection
- How Does Data Obfuscation Work?
- Data Obfuscation Profiles
- Data Obfuscation Expressions
- Scenario: Obfuscating User Names
play_arrow Log Files
- Log Files
- Audit Logs
play_arrow Event Categories
- Event Categories
- High-level Event Categories
- Recon
- DoS
- Authentication
- Access
- Exploit
- Malware
- Suspicious Activity
- System
- Policy
- Unknown
- CRE
- Potential Exploit
- Flow
- User Defined
- SIM Audit
- VIS Host Discovery
- Application
- Audit
- Risk
- Risk Manager Audit
- Control
- Asset Profiler
- Sense
play_arrow Common Ports and Servers Used by JSA
- Common Ports and Servers Used by JSA
- JSA Port Usage
- Viewing IMQ Port Associations
- Searching for Ports in Use by JSA
- JSA Public Servers
- Docker Containers and Network Interfaces
play_arrow RESTful API
- RESTful API
- Accessing the Interactive API Documentation Page

list Table of Contents

English

keyboard_arrow_right

Recon

date_range 27-Mar-21

arrow_backward

arrow_forward

The Recon category contains events that are related to scanning and other techniques that are used to identify network resources.

The following table describes the low-level event categories and associated severity levels for the Recon category.

Table 1: Low-level Categories and Severity Levels for the Recon Events Category
Low-level event category	Category ID	Description	Severity level (0 - 10)
Unknown Form of Recon	1001	An unknown form of reconnaissance.	2
Application Query	1002	Reconnaissance to applications on your system.	3
Host Query	1003	Reconnaissance to a host in your network.	3
Network Sweep	1004	Reconnaissance on your network.	4
Mail Reconnaissance	1005	Reconnaissance on your mail system.	3
Windows Reconnaissance	1006	Reconnaissance for Windows operating system.	3
Portmap / RPC r\Request	1007	Reconnaissance on your portmap or RPC request.	3
Host Port Scan	1008	Indicates that a scan occurred on the host ports.	4
RPC Dump	1009	Indicates that Remote Procedure Call (RPC) information is removed.	3
DNS Reconnaissance	1010	Reconnaissance on the DNS server.	3
Misc Reconnaissance Event	1011	Miscellaneous reconnaissance event.	2
Web Reconnaissance	1012	Web reconnaissance on your network.	3
Database Reconnaissance	1013	Database reconnaissance on your network.	3
ICMP Reconnaissance	1014	Reconnaissance on ICMP traffic.	3
UDP Reconnaissance	1015	Reconnaissance on UDP traffic.	3
SNMP Reconnaissance	1016	Reconnaissance on SNMP traffic.	3
ICMP Host Query	1017	Indicates an ICMP host query.	3
UDP Host Query	1018	Indicates a UDP host query.	3
NMAP Reconnaissance	1019	Indicates NMAP reconnaissance.	3
TCP Reconnaissance	1020	Indicates TCP reconnaissance on your network.	3
UNIX Reconnaissance	1021	Reconnaissance on your UNIX network.	3
FTP Reconnaissance	1022	Indicates FTP reconnaissance.	3

arrow_backward PREVIOUS High-level Event Categories

NEXT arrow_forward DoS

footer-navigation