- January 12, 2021: View forensics data from the Findings page.
Infection Alerts reports on Botnet Infection events that occur within a company's infrastructure. Use Infection Alerts to identify infections as they occur, maintain business continuity, and better prioritize threats.
With Infection Alerts, the information needed for identifying infections is available within minutes of any occurrences. Without Infection Alerts, it could take at least 24 hours after the event occurs to appear as a finding in the platform.
Detect and respond early. It could take at least 24 hours after the event occurs for observations detected by the Infection Alerts system to fully impact an organization's security rating. Once available, the findings can be accessed in the Findings page.
This add-on is available only to Security Performance Management customers who have purchased the Infection Alerts Forensics package.
Infection Alerts Data
Notes on Infection Alerts data:
- Not all Infection Alerts entries will have an associated finding and vice versa:
- As a real-time service, Infection Alerts relies solely on real-time data sources. There may be events that are observed and generated as findings but have no corresponding Infection Alerts entry, because the data source used for the observation was not real-time.
- Observations are verified based on all collected data before they can be considered as an “event.” Learn more about the considerations for Compromised Systems findings.
- Up to 30 days of entries are displayed at once. To focus on the most pressing issues, older entries are truncated from Infection Alerts.
- Infection Alerts entries are not sampled, though entries from the same IP address and malware family that occur within a minute are combined into one entry.
- Infection Alerts is limited to 1,000 entries for each unique infection type. This limit can be reached under certain circumstances, such as large service providers facing advanced and persistent threats, where observed infections may generate more entries than the Infection Alerts system can display at once.
- The requested time period is the minimum time between email alerts. It can be set from the Account page. During high-volume times, emails may be delayed by a few minutes.
Email Alerts Setup
Infection Alerts can be used to generate email reports when new infections are detected. Each report includes information about the infected machine(s) and the type(s) of malware that are present.
To manage email alerts and distribution list configurations:
- To set up email alerts for your individual account, refer to your User Preferences.
- Set your Distribution List preferences to send email alerts to a mailing list (distribution list). The frequency of distribution list alerts is independent of the frequency you set for your individual account.
Notes on Email Alerts
Email alerts are time-sensitive. In some circumstances, the infection count reported in the email may differ from what is shown in the platform.
- Infections count is lower in the email: In limited circumstances, entries for a time period may be processed after the alert email is sent. These will cause higher counts on the Infection Alerts page.
- Infections count is higher in the email: Because the system shows the most recent 1,000 entries, some entries in high-volume situations will still be included in the email but have been truncated from the Infection Alerts page.
- Email indicates infections, but none were found in the Infection Alerts page: Because entries older than 30 days are truncated, some or all of the infections reported in an older email may no longer be available on the page.
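The three discrepancies above, together with the combining, 30-day retention and 1,000-entry-per-type rules from the data notes, all follow from how a snapshot taken at send time differs from the page's view later. The model below is an added example with constructed events; it is not Bitsight's code, and the record layout (an `observed_at` time, a `processed_at` time at which an entry becomes visible, an IP and a malware family treated as the "infection type") is an assumption made for the illustration. It reproduces each case: an entry processed after the email is sent (email count lower), more than 1,000 entries of one type (email count higher), and an email older than 30 days whose entries are gone from the page.

```python
"""Model of Infection Alerts entry handling (combine, retain, cap, email).

Added example with constructed data, not Bitsight's code; the Event layout
and the rule that an email is built from entries already processed at send
time are assumptions for the illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

DEDUP_WINDOW = timedelta(minutes=1)   # same IP + family within a minute -> one entry
RETENTION = timedelta(days=30)        # older entries are truncated from the page
MAX_PER_TYPE = 1000                   # page shows at most 1,000 entries per type


@dataclass(frozen=True)
class Event:
    observed_at: datetime    # when the infection was seen (constructed)
    processed_at: datetime   # when the entry became visible; may lag observation
    ip: str
    family: str              # malware family, used here as the infection type


def combine_entries(events, window=DEDUP_WINDOW):
    """Fold events with the same (ip, family) observed within `window` of the
    group's first event into one entry; returns the earliest event per group."""
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.observed_at):
        groups[(ev.ip, ev.family)].append(ev)
    combined = []
    for evs in groups.values():
        anchor = None
        for ev in evs:
            if anchor is None or ev.observed_at - anchor.observed_at > window:
                anchor = ev          # starts a new entry
                combined.append(ev)
            # otherwise the event is folded into `anchor`
    return combined


def page_entries(entries, now, retention=RETENTION, cap=MAX_PER_TYPE):
    """What the page shows at `now`: processed entries observed within
    `retention`, keeping only the most recent `cap` entries per family."""
    visible = [e for e in entries
               if e.processed_at <= now and now - e.observed_at <= retention]
    by_family = defaultdict(list)
    for e in sorted(visible, key=lambda e: e.observed_at, reverse=True):
        if len(by_family[e.family]) < cap:
            by_family[e.family].append(e)
    return [e for evs in by_family.values() for e in evs]


def email_entries(entries, sent_at, period):
    """What an alert email sent at `sent_at` reports: entries observed in the
    last `period` that had already been processed when the email was built."""
    return [e for e in entries
            if e.processed_at <= sent_at
            and sent_at - period < e.observed_at <= sent_at]


def count_by_family(entries):
    counts = defaultdict(int)
    for e in entries:
        counts[e.family] += 1
    return dict(counts)


def sample_events():
    """Constructed events covering the three discrepancy cases."""
    jan12 = datetime(2021, 1, 12)
    events = [
        # family-A: two sightings of one IP 20 s apart (combined), plus an
        # entry processed only after the 09:00 email was sent.
        Event(jan12.replace(hour=8, minute=30), jan12.replace(hour=8, minute=31), "10.0.0.1", "family-A"),
        Event(jan12.replace(hour=8, minute=30, second=20), jan12.replace(hour=8, minute=31), "10.0.0.1", "family-A"),
        Event(jan12.replace(hour=8, minute=50), jan12.replace(hour=9, minute=5), "10.0.0.2", "family-A"),
        # family-C: one entry from 42 days earlier, beyond the 30-day retention.
        Event(datetime(2020, 12, 1, 8, 30), datetime(2020, 12, 1, 8, 31), "10.0.0.3", "family-C"),
    ]
    # family-B: 1,005 distinct IPs seen within the hour before 09:00, exceeding the cap.
    base = jan12.replace(hour=8)
    for i in range(1005):
        seen = base + timedelta(seconds=1 + 3 * i)
        events.append(Event(seen, seen, f"10.1.{i // 256}.{i % 256}", "family-B"))
    return events


def scenarios():
    """Return (email_count, page_count) per family for each discrepancy case."""
    entries = combine_entries(sample_events())
    hour = timedelta(hours=1)
    jan12_9 = datetime(2021, 1, 12, 9)
    jan12_10 = datetime(2021, 1, 12, 10)
    dec1_9 = datetime(2020, 12, 1, 9)
    return {
        "late_processing": (count_by_family(email_entries(entries, jan12_9, hour)).get("family-A", 0),
                            count_by_family(page_entries(entries, jan12_10)).get("family-A", 0)),
        "cap": (count_by_family(email_entries(entries, jan12_9, hour)).get("family-B", 0),
                count_by_family(page_entries(entries, jan12_9)).get("family-B", 0)),
        "retention": (count_by_family(email_entries(entries, dec1_9, hour)).get("family-C", 0),
                      count_by_family(page_entries(entries, jan12_10)).get("family-C", 0)),
    }


if __name__ == "__main__":
    for name, (in_email, on_page) in scenarios().items():
        print(f"{name}: email reported {in_email}, page shows {on_page}")
```

When reconciling an alert email against the page, compare per infection type and note the email's send time: a lower email count points to entries processed after sending, a higher one to the per-type cap, and an empty page for an old email to the 30-day truncation.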
Infection Alerts API
The Infection Alerts API is separate from the Bitsight API and is available to all customers using Infection Alerts. It provides a live stream of infection event data through a portion of the Cyberfeed API from AnubisNetworks, a Bitsight company, so that developers can integrate new infection data into existing systems or build new applications around the data.