The SWITCH-CERT Report is the result of merging and unifying the different notifications sent by SWITCH-CERT to its constituencies. The events contained in the report are generally related to IT security abuse, mostly to networked devices. For more information see the section regarding classification.

The report is sent to the most specific official abuse contacts for the given resource (system, domain, etc.). These are usually, but not limited to, abuse contacts of network operators, internet service providers (ISP), autonomous system (AS) or trusted partners and CERTs.

The data format allows us to include additonal information, while not breaking the parse-ability on the receivers side.

Where does this information come from?

The events contained in the report are based on events generated by monitoring the SWITCH network or on the many external reports and information sent to SWITCH-CERT by its community and many trusted partners.

The incoming reports and information is processed to a unified format and categorized, i.e. classification, before forwarding the information to the appropriate organization.

The report includes as much information SWITCH-CERT has and/or is able to disclose.

What does the classification mean?

There are many efforts trying to standardise the classification of IT security events, which is very difficult as there are many different use cases, points of view or even definitions for the same term, which results in equally many different 'standards'. 

SWITCH-CERT uses a european CERT community classification-type mapping based on the eCSIRT II Taxonomy.

These classification definitions might change over time as threats and the understaning is changing.

The resulting classification consists of up to three parts.

  • Taxonomy: Specified in the field classification.taxonomy. This field is mostly based on the European CSIRT Taxonomy.
  • Type: Specified in the field classification.type. This field specifies a general type for the event.
  • Identifier: Specified in the field classification.identifier. This field specifies an identifier. This identifier defines the actual software, service or malware name.

Classification Overview

The values in the report are all lower case to ensure case insensitivity.

Taxonomy Type
abusive content spam
availability ddos
fraud copyright
information content security dropzone
information gathering scanner
intrusion attempts brute-force
ids alert
intrusions backdoor
malicious code botnet drone
malware configuration


vulnerable service

other blacklist

Other Notifications (Domain Abuse)

Notifications related to abuse on .CH and .LI domains, which were reported to the registry are sent separately/individually. For more information, see https://www.switch.ch/saferinternet/