Tags
All tags
Updated: October 30, 2025
FireTail Tags
A comprehensive list of all FireTail tags. Tag colors indicate relevance to security posture.
| Display Name | Description | Tag Key | Color | Group |
|---|---|---|---|---|
| AI Browser Extension | This tag is used to identify requests captured by the AI browser extension. | ai_browser_extension | blue | ai |
| AI Completion | This tag is used to identify requests made to AI providers for completions. | ai_completion | blue | ai |
| AI Consumption of AI21 | This tag is used to identify requests made to AI providers using AI21. | ai_consumption_ai21 | blue | ai |
| AI Consumption of Anthropic | This tag is used to identify requests made to AI providers using Anthropic. | ai_consumption_anthropic | blue | ai |
| AI Consumption of Azure | This tag is used to identify requests made to AI providers using Azure. | ai_consumption_azure | blue | ai |
| AI Consumption of ChatGPT | This tag is used to identify requests made to AI providers using ChatGPT. | ai_consumption_chatgpt | blue | ai |
| AI Consumption of Claude | This tag is used to identify requests made to AI providers using Claude. | ai_consumption_claude | blue | ai |
| AI Consumption of Cohere | This tag is used to identify requests made to AI providers using Cohere. | ai_consumption_cohere | blue | ai |
| AI Consumption of Cursor | This tag is used to identify requests made to AI providers using Cursor. | ai_consumption_cursor | blue | ai |
| AI Consumption of DeepSeek | This tag is used to identify requests made to AI providers using DeepSeek. | ai_consumption_deepseek | blue | ai |
| AI Consumption of Gemini | This tag is used to identify requests made to AI providers using Gemini. | ai_consumption_gemini | blue | ai |
| AI Consumption of HuggingFace | This tag is used to identify requests made to AI providers using HuggingFace. | ai_consumption_huggingface | blue | ai |
| AI Consumption of Mistral | This tag is used to identify requests made to AI providers using Mistral. | ai_consumption_mistral | blue | ai |
| AI Consumption of OpenAI | This tag is used to identify requests made to AI providers using OpenAI. | ai_consumption_openai | blue | ai |
| AI Consumption of Perplexity | This tag is used to identify requests made to AI providers using Perplexity. | ai_consumption_perplexity | blue | ai |
| AI Consumption of Unknown | This tag is used to identify requests made to AI providers using Unknown. | ai_consumption_unknown | blue | ai |
| AI File Upload | This tag is used to identify requests made to AI providers in which files were uploaded. | ai_file_upload | blue | ai |
| API key authentication | Request contains API key authentication | api_key_auth | orange | weak_auth |
| Request contains aws authentication | Request contains aws authentication | aws_auth | green | |
| Request contains aws authentication | Request contains aws authentication | aws4_hmac_sha256_auth | green | |
| Request contains base64 encoded content | Request contains base64 encoded content | b64_content | orange | |
| Bad request | The status code is between 400 and 499 | bad_request | red | |
| Bad authentication request | The status code is either 400 or 403 | bad_request_auth | red | |
| Request contains basic authentication | Request contains basic authentication | basic_auth | red | weak_auth |
| Request contains an AWS Bedrock API Key | The request contains an AWS Bedrock API Key | bedrock_api_key | red | secrets |
| Bot detected | Bot detected | bot | orange | |
| The endpoint is a known bot requested endpoint | The endpoint is a known bot requested endpoint | bot_endpoint | orange | |
| User agent is from a bot | The user agent is from a bot | bot_user_agent | orange | |
| Browser based user agent | The user agent is from a web browser | browser_user_agent | green | |
| Contains cookie(s) | Contains cookie(s) | cookie | green | |
| Digest authentication | Request contains digest authentication | digest_auth | green | |
| Request made from a public IP address | Request was made from a public IP address | external_request | green | |
| Request contains a Google API Key | Tag if the request contains a Google API Key | google_api_key | red | secrets |
| Request contains a Google OAuth Access Token | Tag if the request contains a Google OAuth Access Token | google_oauth_access_token | red | secrets |
| Request contains a Google OAuth Token | Tag if the request contains a Google OAuth Token | google_oauth_token | red | secrets |
| GraphQL Endpoint | This tag is used to identify requests with a GraphQL endpoint. | graphql_endpoint | blue | graphql |
| GraphQL Request | This tag is used to identify GraphQL requests. | graphql_request | blue | graphql |
| SQL injection in GraphQL | Tags if SQL injection in GraphQL | graphql_sql_injection | red | sql_injection |
| GraphQL variable with SQL injection present | A SQL injection exists in graphql variable | graphql_variable_sql_injection | red | sql_injection |
| Request contains an authorization header | Request contains an authorization header | has_auth | green | |
| Request has GraphQL metrics | This tag is used to identify requests which have GraphQL metrics. | has_graphql_metrics | blue | graphql |
| Request contains hawk authentication | Request contains hawk authentication | hawk_auth | green | |
| Health check request | Request was made by a health check service | health_check | green | |
| Request contains hoba authentication | Request contains hoba authentication | hoba_auth | green | |
| HTTP request | Tags if there is http:// request | http_request | red | |
| Request made from an internal IP address | Request was made from a local IP address | internal_request | orange | |
| Request URI contains an IP address | This tag is used to identify requests with an IP address in the request URI. | ip_in_uri | red | |
| Request path contains an IPv4 address | Request path contains an IPv4 address, which is often associated with suspicious activity. | ipv4_in_path | red | suspicious |
| Request URI contains an IPv4 address | Request URI contains an IPv4 address | ipv4_in_uri | red | |
| Request URI contains an IPv6 address | Request URI contains an IPv6 address | ipv6_in_uri | red | |
| Request contains a JWT Token | Tag if the request contains a JWT Token | jwt_token | red | |
| Afrikaans | Afrikaans language detected | language_af | green | |
| Arabic | Arabic language detected | language_ar | green | |
| Assamese | Assamese language detected | language_as | green | |
| Bulgarian | Bulgarian language detected | language_bg | green | |
| Bengali | Bengali language detected | language_bn | green | |
| Czech | Czech language detected | language_cs | green | |
| Danish | Danish language detected | language_da | green | |
| German | German language detected | language_de | green | |
| Greek | Greek language detected | language_el | green | |
| English | English language detected | language_en | green | |
| Request contains English language in input | Request contains English language in input | language_en_input | orange | |
| Request contains English language in output | Request contains English language in output | language_en_output | orange | |
| Spanish | Spanish language detected | language_es | green | |
| Estonian | Estonian language detected | language_et | green | |
| Finnish | Finnish language detected | language_fi | green | |
| French | French language detected | language_fr | green | |
| Irish | Irish language detected | language_ga | green | |
| Gujarati | Gujarati language detected | language_gu | green | |
| Hebrew | Hebrew language detected | language_he | green | |
| Hindi | Hindi language detected | language_hi | green | |
| Croatian | Croatian language detected | language_hr | green | |
| Hungarian | Hungarian language detected | language_hu | green | |
| Indonesian | Indonesian language detected | language_id | green | |
| Icelandic | Icelandic language detected | language_is | green | |
| Italian | Italian language detected | language_it | green | |
| Japanese | Japanese language detected | language_ja | green | |
| Kannada | Kannada language detected | language_kn | green | |
| Korean | Korean language detected | language_ko | green | |
| Lithuanian | Lithuanian language detected | language_lt | green | |
| Latvian | Latvian language detected | language_lv | green | |
| Malayalam | Malayalam language detected | language_ml | green | |
| Marathi | Marathi language detected | language_mr | green | |
| Malay | Malay language detected | language_ms | green | |
| Maltese | Maltese language detected | language_mt | green | |
| Nepali | Nepali language detected | language_ne | green | |
| Dutch | Dutch language detected | language_nl | green | |
| Norwegian | Norwegian language detected | language_no | green | |
| Northern Sotho | Northern Sotho language detected | language_nso | green | |
| Odia | Odia language detected | language_or | green | |
| Punjabi | Punjabi language detected | language_pa | green | |
| Polish | Polish language detected | language_pl | green | |
| Portuguese | Portuguese language detected | language_pt | green | |
| Romanian | Romanian language detected | language_ro | green | |
| Russian | Russian language detected | language_ru | green | |
| Slovak | Slovak language detected | language_sk | green | |
| Slovenian | Slovenian language detected | language_sl | green | |
| Serbian | Serbian language detected | language_sr | green | |
| Swati | Swati language detected | language_ss | green | |
| Southern Sotho | Southern Sotho language detected | language_st | green | |
| Swedish | Swedish language detected | language_sv | green | |
| Swahili | Swahili language detected | language_sw | green | |
| Tamil | Tamil language detected | language_ta | green | |
| Telugu | Telugu language detected | language_te | green | |
| Thai | Thai language detected | language_th | green | |
| Tswana | Tswana language detected | language_tn | green | |
| Turkish | Turkish language detected | language_tr | green | |
| Tsonga | Tsonga language detected | language_ts | green | |
| Ukrainian | Ukrainian language detected | language_uk | green | |
| Urdu | Urdu language detected | language_ur | green | |
| Venda | Venda language detected | language_ve | green | |
| Vietnamese | Vietnamese language detected | language_vi | green | |
| Xhosa | Xhosa language detected | language_xh | green | |
| Chinese | Chinese language detected | language_zh | green | |
| Zulu | Zulu language detected | language_zu | green | |
| Malformed Payload | This tag is used to identify requests with malformed payloads. | malformed_payload | red | malformed_payload |
| Request payload is malformed JSON | Tags if the request payload is malformed JSON | malformed_request_payload | yellow | |
| Response payload is malformed JSON | Tags if the response payload is malformed JSON | malformed_response_payload | yellow | |
| The request is malicious | The request is malicious | malicious | orange | malicious |
| Request made to a MCP endpoint | This tag is used to identify requests to MCP endpoints. | mcp_endpoint | yellow | mcp |
| Request contains multiple languages | Request contains multiple languages | multilingual | orange | |
| GraphQL Mutation detected | GraphQL Mutation detected | mutation | green | |
| Request contains mutual authentication | Request contains mutual authentication | mutual_auth | green | |
| Request contains negotiate authentication | Request contains negotiate authentication | negotiate_auth | green | |
| Missing referrer | Referrer tag is missing on the API request | no_referrer | grey | |
| User agent is from a non standard browser | The user agent is from a non web browser | non_standard_browser | orange | |
| User agent is from a non standard OS | The user agent is from a non standard OS | non_standard_os | orange | |
| Request path contains non-standard characters | Request path contains non-standard characters (e.g., emojis, special characters), which may indicate suspicious activity. | nonstandard_characters_in_path | red | suspicious |
| Not API Traffic | Request does not look like an API request, request is most likely a file path | not_api_traffic | yellow | |
| Request contains ntlm authentication | Request contains ntlm authentication | ntlm_auth | orange | |
| OAuth authentication | Request contains oauth authentication | oauth_auth | green | |
| Request contains unrecognized authentication | Request contains unrecognized authentication | other_auth | orange | |
| PHP injection patterns detected | Tags if any of the PHP injection patterns are present in the request | php_injection | red | php_injection |
| PHP payload contains string base64_decode | PHP payload contains string base64_decode | php_injection_base64_decode | red | |
| PHP payload contains string eval | PHP payload contains string eval | php_injection_eval | red | |
| PHP payload contains string exec | PHP payload contains string exec | php_injection_exec | red | |
| PHP payload contains string passthru | PHP payload contains string passthru | php_injection_passthru | red | |
| PHP payload contains string pcntl_exec | PHP payload contains string pcntl_exec | php_injection_pcntl_exec | red | |
| PHP payload contains string popen | PHP payload contains string popen | php_injection_popen | red | |
| PHP payload contains string proc_open | PHP payload contains string proc_open | php_injection_proc_open | red | |
| PHP payload contains string shell_exec | PHP payload contains string shell_exec | php_injection_shell_exec | red | |
| PHP payload contains string system | PHP payload contains string system | php_injection_system | red | |
| Request contains PII data | This tag is used to identify requests with PII data. | pii | red | pii |
| Request contains a banking IBAN number | Tag if the request contains a banking IBAN number | pii_bank_account_number | red | pii |
| PII: Credit Card Number | This tag is used to identify credit card numbers. | pii_credit_card | red | pii |
| AMEX Credit Card Number | This tag is used to identify AMEX credit card numbers. | pii_credit_card_amex | red | pii |
| BC Global Credit Card Number | This tag is used to identify BC Global credit card numbers. | pii_credit_card_bcglobal | red | pii |
| Diners Credit Card Number | This tag is used to identify Diners credit card numbers. | pii_credit_card_diners | red | pii |
| Discover Credit Card Number | This tag is used to identify Discover credit card numbers. | pii_credit_card_discover | red | pii |
| JCB Credit Card Number | This tag is used to identify JCB credit card numbers. | pii_credit_card_jcb | red | pii |
| Maestro Credit Card Number | This tag is used to identify Maestro credit card numbers. | pii_credit_card_maestro | red | pii |
| MasterCard Credit Card Number | This tag is used to identify MasterCard credit card numbers. | pii_credit_card_mastercard | red | pii |
| Union Pay Credit Card Number | This tag is used to identify Union Pay credit card numbers. | pii_credit_card_union_pay | red | pii |
| Visa Credit Card Number | This tag is used to identify VISA credit card numbers. | pii_credit_card_visa | red | pii |
| PII: Email address present | An email address is present in request | pii_email_address | red | pii |
| PII: Email address present in input | An email address is present in message input | pii_email_address_in_input | red | pii |
| PII: Email address present in output | An email address is present in message output | pii_email_address_in_output | red | pii |
| GraphQL Query detected | GraphQL Query detected | query | green | |
| Request body is invalid JSON | This tag is used to identify requests with invalid JSON payloads. | request_body_invalid_json | red | malformed_payload |
| Request Content-Type is JSON | This tag is used to identify requests with a Content-Type header indicating JSON. | request_content_type_json | green | |
| Invalid request | Invalid request made | request_error | red | |
| Request redirected successfully | Request redirected successfully | request_redirect | orange | |
| Request successful | Request was made successfully | request_success | green | |
| Response body is invalid JSON | This tag is used to identify responses with invalid JSON payloads. | response_body_invalid_json | red | malformed_payload |
| Response Content-Type is JSON | This tag is used to identify responses with a Content-Type header indicating JSON. | response_content_type_json | green | |
| Request contains scram authentication | Request contains scram authentication | scram_auth | green | |
| Request contains an AWS Secret Access Key | Tag if the request contains an AWS Secret Access Key | secret_aws_key | red | secrets |
| Request contains an AWS MWS Auth Token | Tag if the request contains an AWS MWS Auth Token | secret_aws_mws_auth_token | red | secrets |
| Request contains an AWS Secret Access Key ID | Tag if the request contains an AWS Secret Access Key ID | secret_aws_secret_key_id | red | |
| Request contains a Meta (Facebook) Access Token | Tag if the request contains a Meta (Facebook) Access Token | secret_facebook_access_token | red | secrets |
| Request contains a Github Personal Access Token | Tag if the request contains a Github Personal Access Token | secret_gitlab_pat | red | secrets |
| Request contains a Gitlab Runner Registration Token | Tag if the request contains a Gitlab Runner Registration Token | secret_gitlab_runner_registration_token | red | secrets |
| Request contains a Gitlab Trigger Token | Tag if the request contains a Gitlab Trigger Token | secret_gitlab_trigger_token | red | secrets |
| Request contains a MailChimp API Keyn | Tag if the request contains a MailChimp API Key | secret_mailchimp_api_key | red | secrets |
| Request contains a MailGun API Keyn | Tag if the request contains a MailGun API Key | secret_mailgun_api_key | red | secrets |
| Request contains a PayPal Braintree Access Token | Tag if the request contains a PayPal Braintree Access Token | secret_paypal_braintree_access_token | red | secrets |
| Request contains a Picatic API Key | Tag if the request contains a Picatic API Key | secret_picatic_api_key | red | secrets |
| Request contains a SendGrid API Key | Tag if the request contains a SendGrid API Key | secret_sendgrid_api_key | red | secrets |
| Request contains a Slack Token | Tag if the request contains a Slack Token | secret_slack_token | red | secrets |
| Request contains a Slack Webhook | Tag if the request contains a Slack Webhook | secret_slack_webhook | red | secrets |
| Request contains a Square Access Token | Tag if the request contains a Square Access Token | secret_square_access_token | red | secrets |
| Internal server error | Internal server error | server_error | red | |
| SQL injection present | Tags if a SQL injection is present | sql_injection | red | sql_injection |
| SQL injection present in body | A SQL injection is present in body | sql_injection_body | red | sql_injection |
| SQL injection present in header | SQL injection present in header | sql_injection_header | red | sql_injection |
| SQL injection present in header | SQL injection present in header | sql_injection_headers | red | sql_injection |
| Request contains a Stripe API Key | Tag if the request contains a Stripe API Key | stripe_api_key | red | secrets |
| GraphQL Subscription detected | GraphQL Subscription detected | subscription | green | |
| The request is suspicious | The request is suspicious | suspicious | red | suspicious |
| Temporary email domain used | Email in request and its from a one time email domain | temporary_email_domain | red | |
| Request contains a Twilio API Key | Tag if the request contains a Twilio API Key | twilio_api_key | red | secrets |
| Request contains vapid authentication | Request contains vapid authentication | vapid_auth | green | |
| Has referrer | Referrer tag is present on the API request | with_referrer | grey | |
| Potential XSS in either the request body or headers | Tags if either the request body or headers contains potential XSS | xss | red | xss |
| Request body contains the potential XSS | Tag if the request body contains potential XSS | xss_body | red | xss |
| Request headers contains the potential XSS | Tag if the request headers contains potential XSS | xss_headers | red | xss |
| Request path contains 'zhttpd' | Request path contains 'zhttpd', which is often associated with suspicious activity. | zhttpd_in_path | red | suspicious |