Identifies RDP clients attempting authentication using the legacy RDP security mode where credentials are exchanged through the older RDP security layer instead of Network Level Authentication (NLA). This indicates the client negotiated legacy plaintext authentication during the RDP security handshake

Client performs a direct request to the Elasticsearch /_cat/indices endpoint and retrieves a successful response without preceding generic web discovery or multi-protocol probing. This behavior indicates targeted Elasticsearch reconnaissance focused on enumerating available indices, document counts, and storage size to assess data exposure. Unlike broad internet scanners, the interaction is Elasticsearch-aware from the start, suggesting tooling or operators specifically searching for open clusters rather than conducting general service fingerprinting.

Client first performs a generic request to the Elasticsearch root endpoint to verify service availability, then proceeds to request /_cat/indices. This sequence reflects staged Elasticsearch reconnaissance where the actor validates that the cluster is reachable before attempting index enumeration and data exposure assessment. Compared to direct index enumeration behaviors, the interaction begins with a service-validation step, suggesting adaptive probing rather than immediate Elasticsearch-specific targeting.

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration