Security Performance Management
Continuous Monitoring
Cyber Insurance
National Cybersecurity

Articles in this section

Infections Detection Data feed

Avatar
Ingrid
Follow

Disclaimer: The information in this document is subject to change without notice and describes only the product defined in the introduction of this documentation.

This documentation is intended for the use of Bitsight customers and partners only for the purposes of the agreement under which the document is submitted, and no part of it may be used, reproduced, modified or transmitted in any form or means without the prior written permission of Bitsight.

The documentation has been prepared to be used by professional personnel, and the customer assumes full responsibility when using it.

The information or statements given in this documentation concerning the suitability, capacity, or performance of the mentioned hardware or software products are given “as is” and all liability arising in connection with such hardware or software products shall be defined conclusively and finally in a separate agreement between Bitsight and the customer. Bitsight has made all reasonable efforts to ensure that the instructions contained in the document are adequate and free of material errors and omissions.

Bitsight will explain, if necessary, issues that may not be covered by the document.

Bitsight welcomes customer comments as part of the process of continuous development and improvement of the documentation.

Bitsight will correct errors in this documentation as soon as possible.

IN NO EVENT WILL BITSIGHT BE LIABLE FOR ERRORS IN THIS DOCUMENTATION OR FOR ANY DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, DIRECT, INDIRECT, INCIDENTAL OR CONSEQUENTIAL OR ANY LOSSES, SUCH AS BUT NOT LIMITED TO LOSS OF PROFIT, REVENUE, BUSINESS INTERRUPTION, BUSINESS OPPORTUNITY OR DATA,THAT MAY ARISE FROM THE USE OF THIS DOCUMENT OR THE INFORMATION IN IT.

This documentation and the product it describes are considered protected by copyrights and other intellectual property rights according to the applicable laws.

Bitsight brand and logo are trademarks of Bitsight.

Other product names mentioned in this document may be trademarks of their respective owners, and they are mentioned for identification purposes only.

Copyright © Bitsight 2019. All rights reserved.

Table of Contents

About this document

This document describes the Infection Detection threat intelligence Data feed.

This document is only distributed under a Non-Disclosure agreement between Bitsight and the reader.

1. Audience

This guide is destined to Authorized personnel within Bitsight’s customer.

Audience must possess adequate knowledge on Threat Intelligence, Datafeeds, JSON, Network security.

Note: For legal and ethical reasons, please ensure the readers of this document are under a signed, in place Non-Disclosure Agreement with Bitsight before proceeding with viewing this document.

2. Infections Detection data feed description

The Infections Detection API allows users to:

  1. Detect compromised machines from customer networks;
  2. Prevent users from engaging in sensible transactions (e.g., banking operations) when they have been identified as having installed an information stealing Trojan;
  3. Understand level of infection per malware family, on a company, network, local, country and worldwide;
  4. Track botnet behavior, growth, dispersion and live time;
  5. Aid in botnet takedown operations;

The feed served by the API contains metadata from real time communications between machines compromised with Trojans such as Zeus, Spyeye, XtremeRat, Conficker, etc., as seen when the given IP addresses try to request commands from their Command and Control centers operated by AnubisNetworks as sinkholes;

Visibility over sinkhole events, by looking at DNS traffic, thereby making it possible to detect potential compromises on scenarios where strict policy controls on a company blocks the C2 connection from actually reaching the C2s.

3. Structure

For the purpose of this document, each feed available on the Cyberfeed service is represented as a table, where dots (.) are used as a separator for the multi-level JSON structure and available attributes inside each event.

A JSON event such as: {"a":1,"b":{"c":"example”}}

Is therefore represented on a table using the following readable format:

JSON Event vs. Table (Example)
Attribute path/name Attribute type Description Examples
a Integer Example A 1
b.c String Example B.C example

Table 3-1 API example

4. Fields Description

Infection Attribute Path/Name Description Attribute Type
_origin The name of the feed. String
_ts Unix timestamp in seconds when the event was generated. Long
malw.family The common family name for the malware. String
malw.categories A list of categories the malware fits in. List (String)
malw.variant Malware variant (including version). String
malw.severity A simple categorization based on the malware being unknown (0), greyware (1) and other types, and being Trojan or Spyware (2), also coming from the Bitsight MALWARE DB. Integer
botnet.id Internal ID that refers to a Botnet, allowing permalinking to the internal Bitsight MALWARE and BOTNET knowledge bases. Integer
botnet.metadata Metadata with other data the malware may have. Map
tracking The tracking of the same infected machine. Map
tracking.tr The unique identifier of this infection machine. String
tracking.id The unique identifier of this infection machine. String
tracking.checkins The number of times it knocks the door. Integer
tracking.days The number of days the infection has been observed. Integer
tracking.changes The number of times the IP has changed. Integer
tracking.last_ip The IP of the last request, if different from current one. IPv4/IPv6
tracking.same_ip This value is “true” if the last_ip is the same as the current one. Boolean
tracking.first ? timestamp? Long
src.ip The source IP of the transport layer. IPv4/IPv6
src.port The source port of the transport layer. Port
comm.method Sinkhole, spamtrap, DNS. String
comm.proto The transport layer protocol. String
comm.http Indicates if the connection is http. Map
comm.http.method HTTP method. String
comm.http.path The HTTP path, without the query-string. String
comm.http.host The HTTP host header. String
comm.http.cookies Cookie headers. String
comm.http.user_agent The User-Agent header, as-is. String
comm.http.x_forwarded_for The IP addresses from X-Forwarded-For and Via header, if present. List (String)
comm.http.more_headers Other headers, if relevant. List (String)
comm.http.verified_domain if present, indicates the domain is not a registered domain. Boolean
comm.dns Indicates if the connection is DNS. Map
comm.dns.qtype Qtype. String
comm.dns.name The DNS name field. String
_geo_src_ip.longitude Longitude. Float
_geo_src_ip.latitude Latitude. Float
_geo_src_ip.country_name The country name. String
_geo_src_ip.country_code The country code. String
_geo_src_ip.ip The IP address. String
_geo_src_ip.region The region in the country. String
_geo_src_ip.region_code The region code. Integer
_geo_src_ip.path The source IP. String
_geo_src_ip.asn_name The ASN name. String
_geo_src_ip.asn The ASN number. Integer
_geo_src_ip.city The city name. String
_geo_tracking_last_ip.longitude Longitude. Float
_geo_tracking_last_ip.latitude Latitude. Float
_geo_tracking_last_ip.country_name The country name. String
_geo_tracking_last_ip.country_code The country code. String
_geo_tracking_last_ip.ip The IP address. String
_geo_tracking_last_ip.region The region in the country. String
_geo_tracking_last_ip.region_code The region code. Integer
_geo_tracking_last_ip.path tracking.last_ip String
_geo_tracking_last_ip.asn_name The ASN name. String
_geo_tracking_last_ip.asn The ASN number. Integer
_geo_tracking_last_ip.city The city name. String

Table 4-2 Infection Attributes

Related articles