We are in the process of creating a new daily report based on the previous loop-dos special report:
https://www.shadowserver.org/what-we-do/network-reporting/loop-dos-special-r...
I would like to propose the following constant_fields:
classification.taxonomy = vulnerable
classification.type = vulnerable-system
protocol.application = application
Where the application would be tftp or dns, for example.