Generally, when they aren't generated by inferred alerts/rules, they are generated by devices that have a little more insight into the network and what's "normal", like a firewall or more commonly IPS/IDS. The "Suspicious" ones are not conclusively bad, while the "Attack" stuff tends to be fired from the firewall/IPS/et al. as a match to something that we assume they already know IS bad.