The category was Intrusion.UserCompromise even when the connection had only AUTH TLS or similar (which is a command for STARTTLS).
Intrusion.UserCompromise
AUTH TLS
Now I have changed it to Recon.Scanning when no login attempt was present.
Recon.Scanning