LOW: Targeted Host Report

LAST UPDATED: 2026-06-23

DEFAULT SEVERITY LEVEL: LOW

This report identifies hosts that were observed being targeted by attackers, for example with exploits or dictionary password-guessing attacks. We typically share this report as part of larger incidents where successful compromises have been observed by the same attacker.

While we may not have been able to observe whether these attacks were successful or not, it is worth double checking the targets for any successful compromise.

On 2026-06-24 a one-off dataset was shared for FortiBleed-related targets, with event timestamps set to 2026-06-23, thanks to collaboration with SOCRadar. In this particular case, we cross-referenced the targeted list with a list of known compromised FortiBleed FortiGate instances and, where an IP appears on both lists, set the status field to compromised. Note that in this case we will also share the compromised instances in one of our compromised website/iot/account reports.

Severity levels are described here.

Filename(s): targeted_host, targeted_host6

Fields

  • timestamp
    Timestamp when the IP was seen in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the targeted device
  • protocol
    Protocol used (TCP/UDP)
  • port
    Port seen targeted
  • hostname
    DNS name of the targeted device (may also be derived in other ways)
  • tag
    Additional context, such as the general incident name
  • asn
    ASN of where the targeted device resides
  • geo
    Country where the targeted device resides
  • region
    State / Province / Administrative region where the targeted device resides
  • city
    City in which the targeted device resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • sector
    Sector of the targeted IP
  • device_vendor
    Vendor of the targeted device
  • device_type
    Type of the targeted device
  • device_model
    Model of the targeted device
  • device_version
    Version of the targeted device
  • category
    Additional category information
  • family
    Additional information about malware family if any
  • status
    Additional information (for example, if a successful attack was observed)
  • detail
    Additional detail about the context of the data collected
  • public_source
    Public source (if any)
  • application
    Additional information on the application layer protocol used in the attack

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","sector","device_vendor","device_type","device_model","device_version","category","family","status","detail","public_source","application"
"2010-02-10 00:00:00",192.168.1.1,192.168.0.1,,,node01.example.com,,64512,ZZ,Region,City,0,ptr,,,,,,,,,,,
"2010-02-10 00:00:01",192.168.1.2,192.168.0.2,,,node02.example.com,,64512,ZZ,Region,City,0,ptr,,,,,,,,,,,
"2010-02-10 00:00:02",192.168.1.3,192.168.0.3,,,node03.example.com,,64512,ZZ,Region,City,0,ptr,,,,,,,,,,,
