CRITICAL: Initial Access Broker Report

DESCRIPTION LAST UPDATED: 2026-06-11

DEFAULT SEVERITY LEVEL: CRITICAL

This report identifies compromised hosts that are likely under the control of intial access brokers (IAB).

Specifically, the report contains observed connections to identified attacker controlled infrastructure after initial compromise of a host. It may also contain warnings about possible ransomware deployment or risk of such, for example if the compromised host is a computer or a corporate device that is identified as belonging to an organisation (that is, the host is for example Active Directory or Entra ID domain joined etc). Such entries will be additionally marked as org-joined.

Note that any passwords stored on the reported compromised hosts have also likely been stolen as part of the IAB activity.

Severity levels are described here.

Filename(s): event4_initial_access_broker

Fields

timestamp

Timestamp when the IP was seen in UTC+0
protocol

Packet type of the connection traffic (UDP/TCP)
src_ip

The IP of the device in question
src_port

Source port of the IP connection
src_asn

ASN of the source IP
src_geo

Country of the source IP
src_region

Region of the source IP
src_city

City of the source IP
src_hostname

Reverse DNS of the source IP
src_naics

North American Industry Classification System Code
src_sector

Sector to which the IP in question belongs; e.g. Communications, Commercial
device_vendor

Source device vendor
device_type

Source device type
device_model

Source device model
severity

Severity level
dst_ip

Destination IP
dst_port

Destination port of the IP connection
dst_asn

ASN of the destination IP
dst_geo

Country of the destination IP
dst_region

Region of the destination IP
dst_city

City of the destination IP
dst_hostname

Reverse DNS of, or domain used to contact the destination IP
dst_naics

North American Industry Classification System Code
dst_sector

Sector to which the IP in question belongs; e.g. Communications, Commercial
public_source

Source of the event data
infection

Description of the malware/infection
family

Malware family or campaign associated with the event
tag

Event attributes
application

Application name associated with the event
version

Software version associated with the event
event_id

Unique identifier assigned to the source IP, event or infected host
account

Any account involved
detail

Detail of the intrusion being reported
org_domain

If the host reported is joined to a domain (like Active Directory, Entra ID, etc), that domain is included in this field if the data is available. This field is also used for filtering
machine_name

Name of the infected host

Sample

"timestamp","protocol","src_ip","src_port","src_asn","src_geo","src_region","src_city","src_hostname","src_naics","src_sector","device_vendor","device_type","device_model","severity","dst_ip","dst_port","dst_asn","dst_geo","dst_region","dst_city","dst_hostname","dst_naics","dst_sector","public_source","infection","family","tag","application","version","event_id","account","detail","org_domain","machine_name"
"2010-02-10 00:00:00",tcp,192.168.0.1,,64512,ZZ,Region,City,node01.example.com,0,"Communications, Service Provider, and Hosting Service",,,,critical,172.16.0.1,80,65534,ZZ,Region,City,node01.example.net,0,"Communications, Service Provider, and Hosting Service",,malwarefoo,malwarefoo,,http,,,,,,node01
"2010-02-10 00:00:01",tcp,192.168.0.2,,64512,ZZ,Region,City,node02.example.com,0,"Communications, Service Provider, and Hosting Service",,,,critical,172.16.0.2,80,65534,ZZ,Region,City,node02.example.net,0,"Communications, Service Provider, and Hosting Service",,malwarefoo,malwarefoo,,http,,,,,,node02
"2010-02-10 00:00:02",tcp,192.168.0.3,,64512,ZZ,Region,City,node03.example.com,0,"Communications, Service Provider, and Hosting Service",,,,critical,172.16.0.3,80,65534,ZZ,Region,City,node03.example.net,0,"Communications, Service Provider, and Hosting Service",,malwarefoo,malwarefoo,,http,,,,,,node03

Our 142 Report Types

« Back to Network Reporting