Available for Security Performance Management with the Infection Alerts Forensics package.
- The information needed for identifying infections is generally available within minutes of an occurrence. Otherwise, it could take at least 24 hours after the event occurs to appear as a finding in the platform.
Infections Data
- Not all entries have an associated finding and vice versa:
- As a real-time service, Infections relies solely on real-time data sources. Some events that are observed and generated have no corresponding entry, because the data source used for the observation was not real-time.
- Observations are verified based on all collected data before they can be considered as an “event.” Learn more about the considerations for Compromised Systems findings.
- Up to 30 days of entries are displayed at once. To focus on the most pressing issues, older entries are truncated from Infections.
- Entries are not sampled, though entries from the same IP address and malware family that occur within a minute are combined into one entry.
- Infections is limited to 1,000 entries for each unique infection type. This limit may be reached under certain circumstances, such as at large service providers facing advanced and persistent threats, where observed infections may generate more entries than the system can display at once.
- The requested time period is the minimum time between email alerts. It can be set from the Account page. During high-volume times, emails may be delayed by a few minutes.
Email Alerts Setup
To manage email alerts and distribution list configurations:
Email Alerts
Infections can be used to generate email reports when new infections are detected. This includes information about the infected machine(s) and type(s) of malware that are present.
To set up email alerts, refer to your User Preferences.
Distribution List
Set your Distribution List preferences to send email alerts to a mailing list (distribution list). The frequency of distribution list alerts is different from the frequency of the alerts you set for your individual account.
Notes on Email Alerts
Email Alerts are time-sensitive. In some circumstances, the infection count reported in the email may differ from what is shown in the platform.
- The infection count is lower in the email: In limited circumstances, entries for a time period may be processed after the alert email is sent. These late entries raise the count shown in the platform above the count in the email.
- The infection count is higher in the email: Some entries in high-volume situations are still included in the email, but have been truncated from the Infections page. This is because the system shows the most recent 1,000 entries.
- The email indicates infections, but none were found in Infections: Some or all infections may no longer be available in older emails since entries older than 30 days are truncated.
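The counting rules above (one-minute combining per IP address and malware family, the 30-day window, and the 1,000-entry cap per infection type) can be simulated to explain why an email count and the Infections page disagree. The following Python is an added example, not Bitsight code; it assumes raw events are (timestamp, IP, malware family) tuples, that "infection type" means the malware family, and that the one-minute window is anchored at the first event of a combined entry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

COMBINE_WINDOW = timedelta(minutes=1)  # same IP + malware family within a minute -> one entry
RETENTION = timedelta(days=30)         # entries older than this are truncated from Infections
CAP_PER_TYPE = 1000                    # only the most recent entries per infection type are shown


def combine_entries(events, window=COMBINE_WINDOW):
    """Collapse raw (timestamp, ip, family) events into entries. An event joins the open
    entry for its (ip, family) when it falls within `window` of that entry's first event
    (assumption: the page does not say how the one-minute window is anchored)."""
    entries, open_entry = [], {}  # open_entry: (ip, family) -> index into entries
    for ts, ip, family in sorted(events):
        idx = open_entry.get((ip, family))
        if idx is not None and ts - entries[idx]["first"] < window:
            entries[idx]["last"], entries[idx]["count"] = ts, entries[idx]["count"] + 1
        else:
            entries.append({"first": ts, "last": ts, "ip": ip, "family": family, "count": 1})
            open_entry[(ip, family)] = len(entries) - 1
    return entries


def displayed_entries(events, now, cap=CAP_PER_TYPE, retention=RETENTION, window=COMBINE_WINDOW):
    """Drop entries older than `retention`, then keep the `cap` most recent entries per
    infection type (assumed here to be the malware family)."""
    recent = [e for e in combine_entries(events, window) if now - e["first"] <= retention]
    by_type = defaultdict(list)
    for e in recent:
        by_type[e["family"]].append(e)
    kept = []
    for group in by_type.values():
        kept.extend(sorted(group, key=lambda e: e["first"], reverse=True)[:cap])
    return sorted(kept, key=lambda e: e["first"])


def reconcile(events, now, **kw):
    """Return (raw events, combined entries, entries shown) to explain an email/page gap."""
    combined = combine_entries(events, kw.get("window", COMBINE_WINDOW))
    return len(events), len(combined), len(displayed_entries(events, now, **kw))


# Constructed sample events, not real data: (timestamp, ip, malware family)
T0 = datetime(2024, 10, 28, 12, 0, 0)
SAMPLE_EVENTS = [
    (T0, "203.0.113.10", "familyA"),
    (T0 + timedelta(seconds=20), "203.0.113.10", "familyA"),  # within a minute: combined
    (T0 + timedelta(seconds=90), "203.0.113.10", "familyA"),  # past the minute: new entry
    (T0 + timedelta(seconds=30), "203.0.113.11", "familyA"),  # different IP: own entry
    (T0 + timedelta(seconds=30), "203.0.113.10", "familyB"),  # different family: own entry
    (T0 - timedelta(days=31), "203.0.113.12", "familyB"),     # older than 30 days: truncated
]
NOW = T0 + timedelta(hours=1)
```

Running `reconcile(SAMPLE_EVENTS, NOW)` gives 6 raw events, 5 combined entries and 4 displayed; passing `cap=1` shows how the per-type cap drops the count further to 2.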
Infections Alerts API
The Infection Alerts API is an API separate from the Bitsight API, available for all customers using Infection Alerts. This provides a live stream of infection event data through a portion of the Cyberfeed API from AnubisNetworks, a Bitsight company. This allows developers to integrate new infection data into existing systems or build new applications around the data.
- October 28, 2024: Findings Table navigation instructions moved from Risks to a new Findings section in the menu; Infection Alerts renamed to Infections.
- January 19, 2024: Findings Table navigation by application.
- January 12, 2021: View forensics data from the Findings Table.