
Recon

The Recon category contains events that are related to scanning and other techniques that are used to identify network resources.

The following table describes the low-level event categories and associated severity levels for the Recon category.

Table 1: Low-level Categories and Severity Levels for the Recon Events Category

| Low-level event category | Category ID | Description | Severity level (0 - 10) |
|---|---|---|---|
| Unknown Form of Recon | 1001 | An unknown form of reconnaissance. | 2 |
| Application Query | 1002 | Reconnaissance to applications on your system. | 3 |
| Host Query | 1003 | Reconnaissance to a host in your network. | 3 |
| Network Sweep | 1004 | Reconnaissance on your network. | 4 |
| Mail Reconnaissance | 1005 | Reconnaissance on your mail system. | 3 |
| Windows Reconnaissance | 1006 | Reconnaissance for Windows operating system. | 3 |
| Portmap / RPC Request | 1007 | Reconnaissance on your portmap or RPC request. | 3 |
| Host Port Scan | 1008 | Indicates that a scan occurred on the host ports. | 4 |
| RPC Dump | 1009 | Indicates that Remote Procedure Call (RPC) information is removed. | 3 |
| DNS Reconnaissance | 1010 | Reconnaissance on the DNS server. | 3 |
| Misc Reconnaissance Event | 1011 | Miscellaneous reconnaissance event. | 2 |
| Web Reconnaissance | 1012 | Web reconnaissance on your network. | 3 |
| Database Reconnaissance | 1013 | Database reconnaissance on your network. | 3 |
| ICMP Reconnaissance | 1014 | Reconnaissance on ICMP traffic. | 3 |
| UDP Reconnaissance | 1015 | Reconnaissance on UDP traffic. | 3 |
| SNMP Reconnaissance | 1016 | Reconnaissance on SNMP traffic. | 3 |
| ICMP Host Query | 1017 | Indicates an ICMP host query. | 3 |
| UDP Host Query | 1018 | Indicates a UDP host query. | 3 |
| NMAP Reconnaissance | 1019 | Indicates NMAP reconnaissance. | 3 |
| TCP Reconnaissance | 1020 | Indicates TCP reconnaissance on your network. | 3 |
| UNIX Reconnaissance | 1021 | Reconnaissance on your UNIX network. | 3 |
| FTP Reconnaissance | 1022 | Indicates FTP reconnaissance. | 3 |