Flags

Flags are your go-to labels for quickly understanding domains and IP addresses during investigations. Whether it’s spotting a newly registered domain, identifying a Sinkholed domain, or tagging an IP as a VPN, these indicators help you assess threats fast.

Flags are colorful icons that display to highlight key details about observables, domains, or IP addresses you're analyzing. They include general indicators (such as Tranco Top 10k for domains) and specialized IP tags (such as Proxy Services for IPs). These flags only show up when specific conditions are met, keeping your view clean and relevant. You’ll find them all listed together at the top of the Total View screen for easy access.

Flags in the App

Flags appear in the Total View page or the observable details below the title and score.

Flags are categorized into three types: Domain Flags, IP Flags, and IP Context Flags, reflecting their respective roles in Total View.

Domain Flags

Flag Name	What it means	When it shows up	Description
Tranco Top 10k	Domain is in the top 10,000 sites according to Tranco.	When `domain_urls_.tranco_top10k` is true.	The domain is among the top 10,000 most visited websites, according to Tranco ratings.
DSL Dynamic	IP might be from a dynamic network.	When `is_dynamic_domain` is true.	Determines whether an IP address belongs to dynamic infrastructure, i.e., one that may be dynamically assigned by ISPs or used for residential purposes.
Part of DGA	Domain could be malware-generated.	When `dga_probability_score` is 100.	The algorithm assesses the likelihood that a domain name was randomly generated rather than derived from an English word. Detailed string probability metrics are available upon enrichment.
URL Shortener	Domain is a shortened URL service.	When `is_url_shortener` is true.	A URL shortening service that points to a longer domain.
Expired	Domain registration might have lapsed.	When `is_expired` is true.	The domain is using name servers that indicate a domain registration has expired.
Parked	Domain is registered but not active.	When `is_parked` is true.	The domain is registered, but not connected to any online service (e.g., a website or email server).
Sinkholed	A sinkhole blocks domain.	When `is_sinkholed` is true.	The domain points to an IP sinkhole, preventing DNS resolution.
New	Domain is newly seen.	When `is_new_score` is 100.	A domain that hasn’t previously been seen in any zone files.
Has Open S3 bucket	Domain has an open S3 bucket.	When `host_has_open_s3_bucket` is true.	The domain has an S3 bucket whose contents are publicly accessible without authentication.
Has Open Directories	Domain has an open web directory.	When `host_has_open_directory` is true.	The domain has a server directory whose contents are publicly accessible without authentication.
Has Expired Certificates	Domain has an expired certificate.	When `host_has_expired_certificate` is true.	The domain has an expired certificate.
Part of Threat Feed	Domain is listed on a threat feed.	When listed on a threat feed.	The domain is identified on a threat intelligence feed, which may include your organization’s custom research feeds or third-party sources like an ISAC, indicating potential malicious activity. This applies to any feed, including customer research feeds and ones ingested from third parties such as an ISAC.
Part of IOFA Feed	Domain is listed on an IOFA feed.	When `listing_score` is 100.	The domain is listed on an Indicator of Future Attack (IOFA) feed, signaling potential future malicious activity.

IP Flags

Flag Name	What it means	When it shows up	Description
Known Benign	IP is from a safe scanning service.	When `known_benign` is true.	The IP address has been identified as belonging to a benign internet scanning service or a similar non-malicious operator.
Sinkhole (IP)	IP blocks a domain’s DNS	When `known_sinkhole_ip` is true.	An IP address that prevents DNS servers from resolving a particular domain.
Dynamic IP Data	IP is from a dynamic network.	When `ip_is_dsl_dynamic` is true.	Determines if an IP address belongs to dynamic infrastructure, i.e., one that may be dynamically assigned by ISPs or for residential use.
Has Expired Certificates	IP has an expired certificate.	When `ip_has_expired_certificate` is true.	The IP address has an expired certificate.
Has Open Directories	IP has an open web directory.	When `ip_has_open_directory` is true.	The IP address has an open directory served by a web server.
Tor Exit Node	IP is a Tor traffic exit point.	When `ip_is_tor_exit_node`is true.	An exit gateway connecting Tor traffic to the internet.
IPFS Node	IP is an IPFS Network.	When `ip_is_ipfs_node` is true.	The IP address is an IPFS node.
Has Open S3 bucket	IP has an open S3 bucket.	When `ip_has_open_s3_bucket` is true.	The IP address has an S3 bucket whose contents are publicly accessible without authentication.
Part of Threat Feed	IP is listed on a threat feed.	When listed on a threat feed.	The IP address is identified on a threat intelligence feed, indicating potential malicious activity. This applies to any feed, including customer research feeds and ones ingested from third parties such as an ISAC.
Part of IOFA Feed	IP is listed on an IOFA feed.	When `listing_score` is 100.	The IP address is listed on an IOFA feed, signaling potential future malicious activity.

IP Context Flags

Flag Name	What it means	When it shows up	Example	Description
VPN	IP is linked to a VPN provider.	When detected in the IPv4 dataset.	[VPN: NordVPN]	For example, NordVPN and ExpressVPN (provider attribution). We track over 30 VPN providers, including those commonly exploited by cybercriminals.
Proxy Services	IP acts as a proxy service.	When detected in the IPv4 dataset.	[Proxy: SOCKS5]	Residential, Open, HTTP, SOCKS4/5, Authentication. We track over 30 proxy providers, including those commonly exploited by cybercriminals.
Sinkhole	IP is used to block malicious activity.	When detected in the IPv4 dataset.	[Sinkhole]	Researcher-operated, Defender-operated.

Our blog provides an excellent in-depth look at IP Context Data.