Tags

All tags

Updated: September 15, 2025

Tags

FireTail Tags

A comprehensive list of all FireTail tags. Tag colors indicate relevance to security posture.

Display NameDescriptionTag KeyColorGroup
API key authenticationRequest contains API key authenticationapi_key_authorangeweak_auth
Request contains aws authenticationRequest contains aws authenticationaws_authgreen
Request contains aws authenticationRequest contains aws authenticationaws4_hmac_sha256_authgreen
Request contains base64 encoded contentRequest contains base64 encoded contentb64_contentorange
Bad requestThe status code is between 400 and 499bad_requestred
Bad authentication requestThe status code is either 400 or 403bad_request_authred
Request contains basic authenticationRequest contains basic authenticationbasic_authredweak_auth
Request contains an AWS Bedrock API KeyThe request contains an AWS Bedrock API Keybedrock_api_keyredsecrets
Bot detectedBot detectedbotorange
The endpoint is a known bot requested endpointThe endpoint is a known bot requested endpointbot_endpointorange
User agent is from a botThe user agent is from a botbot_user_agentorange
Browser based user agentThe user agent is from a web browserbrowser_user_agentgreen
Contains cookie(s)Contains cookie(s)cookiegreen
Digest authenticationRequest contains digest authenticationdigest_authgreen
Request made from a public IP addressRequest was made from a public IP addressexternal_requestgreen
Request contains a Google API KeyTag if the request contains a Google API Keygoogle_api_keyredsecrets
Request contains a Google OAuth Access TokenTag if the request contains a Google OAuth Access Tokengoogle_oauth_access_tokenredsecrets
Request contains a Google OAuth TokenTag if the request contains a Google OAuth Tokengoogle_oauth_tokenredsecrets
GraphQL EndpointThis tag is used to identify requests with a GraphQL endpoint.graphql_endpointbluegraphql
GraphQL RequestThis tag is used to identify GraphQL requests.graphql_requestbluegraphql
SQL injection in GraphQLTags if SQL injection in GraphQLgraphql_sql_injectionredsql_injection
GraphQL variable with SQL injection presentA SQL injection exists in graphql variablegraphql_variable_sql_injectionredsql_injection
Request contains an authorization headerRequest contains an authorization headerhas_authgreen
Request has GraphQL metricsThis tag is used to identify requests which have GraphQL metrics.has_graphql_metricsbluegraphql
Request contains hawk authenticationRequest contains hawk authenticationhawk_authgreen
Health check requestRequest was made by a health check servicehealth_checkgreen
Request contains hoba authenticationRequest contains hoba authenticationhoba_authgreen
HTTP requestTags if there is http:// requesthttp_requestred
Request made from an internal IP addressRequest was made from a local IP addressinternal_requestorange
Request URI contains an IP addressThis tag is used to identify requests with an IP address in the request URI.ip_in_urired
Request path contains an IPv4 addressRequest path contains an IPv4 address, which is often associated with suspicious activity.ipv4_in_pathredsuspicious
Request URI contains an IPv4 addressRequest URI contains an IPv4 addressipv4_in_urired
Request URI contains an IPv6 addressRequest URI contains an IPv6 addressipv6_in_urired
Request contains a JWT TokenTag if the request contains a JWT Tokenjwt_tokenred
AfrikaansAfrikaans language detectedlanguage_afgreen
ArabicArabic language detectedlanguage_argreen
AssameseAssamese language detectedlanguage_asgreen
BulgarianBulgarian language detectedlanguage_bggreen
BengaliBengali language detectedlanguage_bngreen
CzechCzech language detectedlanguage_csgreen
DanishDanish language detectedlanguage_dagreen
GermanGerman language detectedlanguage_degreen
GreekGreek language detectedlanguage_elgreen
EnglishEnglish language detectedlanguage_engreen
Request contains English language in inputRequest contains English language in inputlanguage_en_inputorange
Request contains English language in outputRequest contains English language in outputlanguage_en_outputorange
SpanishSpanish language detectedlanguage_esgreen
EstonianEstonian language detectedlanguage_etgreen
FinnishFinnish language detectedlanguage_figreen
FrenchFrench language detectedlanguage_frgreen
IrishIrish language detectedlanguage_gagreen
GujaratiGujarati language detectedlanguage_gugreen
HebrewHebrew language detectedlanguage_hegreen
HindiHindi language detectedlanguage_higreen
CroatianCroatian language detectedlanguage_hrgreen
HungarianHungarian language detectedlanguage_hugreen
IndonesianIndonesian language detectedlanguage_idgreen
IcelandicIcelandic language detectedlanguage_isgreen
ItalianItalian language detectedlanguage_itgreen
JapaneseJapanese language detectedlanguage_jagreen
KannadaKannada language detectedlanguage_kngreen
KoreanKorean language detectedlanguage_kogreen
LithuanianLithuanian language detectedlanguage_ltgreen
LatvianLatvian language detectedlanguage_lvgreen
MalayalamMalayalam language detectedlanguage_mlgreen
MarathiMarathi language detectedlanguage_mrgreen
MalayMalay language detectedlanguage_msgreen
MalteseMaltese language detectedlanguage_mtgreen
NepaliNepali language detectedlanguage_negreen
DutchDutch language detectedlanguage_nlgreen
NorwegianNorwegian language detectedlanguage_nogreen
Northern SothoNorthern Sotho language detectedlanguage_nsogreen
OdiaOdia language detectedlanguage_orgreen
PunjabiPunjabi language detectedlanguage_pagreen
PolishPolish language detectedlanguage_plgreen
PortuguesePortuguese language detectedlanguage_ptgreen
RomanianRomanian language detectedlanguage_rogreen
RussianRussian language detectedlanguage_rugreen
SlovakSlovak language detectedlanguage_skgreen
SlovenianSlovenian language detectedlanguage_slgreen
SerbianSerbian language detectedlanguage_srgreen
SwatiSwati language detectedlanguage_ssgreen
Southern SothoSouthern Sotho language detectedlanguage_stgreen
SwedishSwedish language detectedlanguage_svgreen
SwahiliSwahili language detectedlanguage_swgreen
TamilTamil language detectedlanguage_tagreen
TeluguTelugu language detectedlanguage_tegreen
ThaiThai language detectedlanguage_thgreen
TswanaTswana language detectedlanguage_tngreen
TurkishTurkish language detectedlanguage_trgreen
TsongaTsonga language detectedlanguage_tsgreen
UkrainianUkrainian language detectedlanguage_ukgreen
UrduUrdu language detectedlanguage_urgreen
VendaVenda language detectedlanguage_vegreen
VietnameseVietnamese language detectedlanguage_vigreen
XhosaXhosa language detectedlanguage_xhgreen
ChineseChinese language detectedlanguage_zhgreen
ZuluZulu language detectedlanguage_zugreen
Malformed PayloadThis tag is used to identify requests with malformed payloads.malformed_payloadredmalformed_payload
Request payload is malformed JSONTags if the request payload is malformed JSONmalformed_request_payloadyellow
Response payload is malformed JSONTags if the response payload is malformed JSONmalformed_response_payloadyellow
The request is maliciousThe request is maliciousmaliciousorangemalicious
Request made to a MCP endpointThis tag is used to identify requests to MCP endpoints.mcp_endpointyellowmcp
Request contains multiple languagesRequest contains multiple languagesmultilingualorange
GraphQL Mutation detectedGraphQL Mutation detectedmutationgreen
Request contains mutual authenticationRequest contains mutual authenticationmutual_authgreen
Request contains negotiate authenticationRequest contains negotiate authenticationnegotiate_authgreen
Missing referrerReferrer tag is missing on the API requestno_referrergrey
User agent is from a non standard browserThe user agent is from a non web browsernon_standard_browserorange
User agent is from a non standard OSThe user agent is from a non standard OSnon_standard_osorange
Request path contains non-standard charactersRequest path contains non-standard characters (e.g., emojis, special characters), which may indicate suspicious activity.nonstandard_characters_in_pathredsuspicious
Not API TrafficRequest does not look like an API request, request is most likely a file pathnot_api_trafficyellow
Request contains ntlm authenticationRequest contains ntlm authenticationntlm_authorange
OAuth authenticationRequest contains oauth authenticationoauth_authgreen
Request contains unrecognized authenticationRequest contains unrecognized authenticationother_authorange
PHP injection patterns detectedTags if any of the PHP injection patterns are present in the requestphp_injectionredphp_injection
PHP payload contains string base64_decodePHP payload contains string base64_decodephp_injection_base64_decodered
PHP payload contains string evalPHP payload contains string evalphp_injection_evalred
PHP payload contains string execPHP payload contains string execphp_injection_execred
PHP payload contains string passthruPHP payload contains string passthruphp_injection_passthrured
PHP payload contains string pcntl_execPHP payload contains string pcntl_execphp_injection_pcntl_execred
PHP payload contains string popenPHP payload contains string popenphp_injection_popenred
PHP payload contains string proc_openPHP payload contains string proc_openphp_injection_proc_openred
PHP payload contains string shell_execPHP payload contains string shell_execphp_injection_shell_execred
PHP payload contains string systemPHP payload contains string systemphp_injection_systemred
Request contains PII dataThis tag is used to identify requests with PII data.piiredpii
Request contains a banking IBAN numberTag if the request contains a banking IBAN numberpii_bank_account_numberredpii
PII: Credit Card NumberThis tag is used to identify credit card numbers.pii_credit_cardredpii
PII: Credit Card NumberThis tag is used to identify AMEX credit card numbers.pii_credit_card_amexredpii
PII: Credit Card NumberThis tag is used to identify BC Global credit card numbers.pii_credit_card_bcglobalredpii
PII: Credit Card NumberThis tag is used to identify Diners credit card numbers.pii_credit_card_dinersredpii
PII: Credit Card NumberThis tag is used to identify Discover credit card numbers.pii_credit_card_discoverredpii
PII: Credit Card NumberThis tag is used to identify JCB credit card numbers.pii_credit_card_jcbredpii
PII: Credit Card NumberThis tag is used to identify Maestro credit card numbers.pii_credit_card_maestroredpii
PII: Credit Card NumberThis tag is used to identify MasterCard credit card numbers.pii_credit_card_mastercardredpii
PII: Credit Card NumberThis tag is used to identify Union Pay credit card numbers.pii_credit_card_union_payredpii
PII: Credit Card NumberThis tag is used to identify VISA credit card numbers.pii_credit_card_visaredpii
PII: Email address presentAn email address is present in requestpii_email_addressredpii
PII: Email address present in inputAn email address is present in message inputpii_email_address_in_inputredpii
PII: Email address present in outputAn email address is present in message outputpii_email_address_in_outputredpii
GraphQL Query detectedGraphQL Query detectedquerygreen
Request body is invalid JSONThis tag is used to identify requests with invalid JSON payloads.request_body_invalid_jsonredmalformed_payload
Request Content-Type is JSONThis tag is used to identify requests with a Content-Type header indicating JSON.request_content_type_jsongreen
Invalid requestInvalid request maderequest_errorred
Request redirected successfullyRequest redirected successfullyrequest_redirectorange
Request successfulRequest was made successfullyrequest_successgreen
Response body is invalid JSONThis tag is used to identify responses with invalid JSON payloads.response_body_invalid_jsonredmalformed_payload
Response Content-Type is JSONThis tag is used to identify responses with a Content-Type header indicating JSON.response_content_type_jsongreen
Request contains scram authenticationRequest contains scram authenticationscram_authgreen
Request contains an AWS Secret Access KeyTag if the request contains an AWS Secret Access Keysecret_aws_keyredsecrets
Request contains an AWS MWS Auth TokenTag if the request contains an AWS MWS Auth Tokensecret_aws_mws_auth_tokenredsecrets
Request contains an AWS Secret Access Key IDTag if the request contains an AWS Secret Access Key IDsecret_aws_secret_key_idred
Request contains a Meta (Facebook) Access TokenTag if the request contains a Meta (Facebook) Access Tokensecret_facebook_access_tokenredsecrets
Request contains a Github Personal Access TokenTag if the request contains a Github Personal Access Tokensecret_gitlab_patredsecrets
Request contains a Gitlab Runner Registration TokenTag if the request contains a Gitlab Runner Registration Tokensecret_gitlab_runner_registration_tokenredsecrets
Request contains a Gitlab Trigger TokenTag if the request contains a Gitlab Trigger Tokensecret_gitlab_trigger_tokenredsecrets
Request contains a MailChimp API KeynTag if the request contains a MailChimp API Keysecret_mailchimp_api_keyredsecrets
Request contains a MailGun API KeynTag if the request contains a MailGun API Keysecret_mailgun_api_keyredsecrets
Request contains a PayPal Braintree Access TokenTag if the request contains a PayPal Braintree Access Tokensecret_paypal_braintree_access_tokenredsecrets
Request contains a Picatic API KeyTag if the request contains a Picatic API Keysecret_picatic_api_keyredsecrets
Request contains a SendGrid API KeyTag if the request contains a SendGrid API Keysecret_sendgrid_api_keyredsecrets
Request contains a Slack TokenTag if the request contains a Slack Tokensecret_slack_tokenredsecrets
Request contains a Slack WebhookTag if the request contains a Slack Webhooksecret_slack_webhookredsecrets
Request contains a Square Access TokenTag if the request contains a Square Access Tokensecret_square_access_tokenredsecrets
Internal server errorInternal server errorserver_errorred
SQL injection presentTags if a SQL injection is presentsql_injectionredsql_injection
SQL injection present in bodyA SQL injection is present in bodysql_injection_bodyredsql_injection
SQL injection present in headerSQL injection present in headersql_injection_headerredsql_injection
SQL injection present in headerSQL injection present in headersql_injection_headersredsql_injection
Request contains a Stripe API KeyTag if the request contains a Stripe API Keystripe_api_keyredsecrets
GraphQL Subscription detectedGraphQL Subscription detectedsubscriptiongreen
The request is suspiciousThe request is suspicioussuspiciousredsuspicious
Temporary email domain usedEmail in request and its from a one time email domaintemporary_email_domainred
Request contains a Twilio API KeyTag if the request contains a Twilio API Keytwilio_api_keyredsecrets
Request contains vapid authenticationRequest contains vapid authenticationvapid_authgreen
Has referrerReferrer tag is present on the API requestwith_referrergrey
Potential XSS in either the request body or headersTags if either the request body or headers contains potential XSSxssredxss
Request body contains the potential XSSTag if the request body contains potential XSSxss_bodyredxss
Request headers contains the potential XSSTag if the request headers contains potential XSSxss_headersredxss
Request path contains 'zhttpd'Request path contains 'zhttpd', which is often associated with suspicious activity.zhttpd_in_pathredsuspicious

Need help?

Contact FireTail support

Previous (Posture Management - Resource Policy)
Resource policies
Next (Tags)
Tag groups