Botnet Infections indicates that devices on a company’s network are participating in a botnet (combination of “robot” and “network”), either as bots or as a command and control (C&C or C2) server.
Data Structure Diagram
Data Solutions data feeds are optimized for relational databases. Refer to the structure conveyed in the following diagram to make the best use of entity relationships within the Botnet Infections Intelligence data feed:
Schema
Botnet Infections data available in Compromised Systems Intelligence:
Field | Type | Description
---|---|---
temporary_finding_id | String | The temporary unique identifier for this finding.
entity_guid | String | The unique identifier of the company.
event_date | String | When the finding was first observed.
affects_rating | Boolean | true = this finding affects the rating.
country | String | The country where the asset attributed with this finding is located.
country_code | String | The country code where the asset attributed with this finding is located.
decay_date | String | The date when this finding stops impacting the rating if nothing else changes.
event_grade | String | The finding grade.
evidence_key | String | The source of evidence for the finding. It may be an IP address, domain, IP/domain combination, or port.
first_seen | String | The first time the finding was observed.
impacts_risk_vector_code | String | A reason code for why the finding does not impact the rating.
last_seen | String | The most recent time the finding was observed.
observation_id | String | The unique identifier of this observation.
remediation_duration | Integer | The number of days it took to remediate the finding.
risk_category | String | The risk category.
risk_vector | String | The risk vector slug name.
risk_vector_label | String | The risk vector name.
rollup_start_date | String | The date when this finding was first observed, which is used for determining the number of Compromised Systems events.
rollup_end_date | String | The date when the infection was last observed, which is used for determining the number of Compromised Systems events.
rolledup_observation_id | String | A stable, randomized identifier for findings. It is assigned to a finding when one or more observations with largely similar key properties occur in close succession.
severity | Decimal | This finding's Bitsight severity.
severity_category | String | This finding's Bitsight severity.
count | Integer | The number of events. See event count considerations for Compromised Systems events.
dest_port | Integer | A compromised device was observed to be sending traffic from this port.
detection_method | String | The method used to detect the infection. See the data collection methods.
infection_id | Integer | An identifier for the infection.
sinkhole_ip | String | The masked destination IP address of the sinkhole.
src_port | Integer | The port where traffic from a compromised device was observed.
request_method | String | The HTTP request method used to communicate with the malware.
server_name | String | The domain name of the affected server. It is known to be a command and control server, a sinkhole, or to be hosting adware.
trusted_proxy | String | CIDR:Trusted Proxy
user_agent | String | The user-agent header details, which identify end-user interactions with web content. The details include the application, operating system, browser, and software version.
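As an added example (not Bitsight's code), the following Python checks feed rows against the field types in the schema above and rolls them up per rolledup_observation_id, using affects_rating and decay_date to decide whether a finding still impacts the rating on a given date. The sample rows, the GUID, IP and domain in them, and the detection_method value are constructed placeholders; the SCHEMA covers a subset of the fields.

```python
# Added example, not Bitsight's code: type-check Botnet Infections feed rows
# against the schema table and roll them up per rolledup_observation_id.

# Field -> Python type, per the schema table (String/Integer/Boolean/Decimal); a subset.
SCHEMA = {"temporary_finding_id": str, "entity_guid": str, "event_date": str,
          "affects_rating": bool, "decay_date": str, "first_seen": str, "last_seen": str,
          "rolledup_observation_id": str, "severity": float, "count": int,
          "dest_port": int, "detection_method": str, "sinkhole_ip": str, "server_name": str}

def validate(row):
    """Return the schema violations in `row` (empty list when it conforms)."""
    problems = []
    for field, typ in SCHEMA.items():
        if field not in row:
            problems.append(f"missing {field}")
        # bool is a subclass of int in Python, so reject True/False for Integer fields
        elif not isinstance(row[field], typ) or (typ is not bool and isinstance(row[field], bool)):
            problems.append(f"{field}: expected {typ.__name__}, got {type(row[field]).__name__}")
    return problems

def rollup(rows, as_of):
    """Aggregate conforming rows per finding; 'impacting' on as_of (YYYY-MM-DD) means
    affects_rating is true and decay_date has not yet been reached."""
    out = {}
    for r in rows:
        if validate(r):
            continue  # skip malformed rows rather than corrupt the rollup
        s = out.setdefault(r["rolledup_observation_id"],
                           {"events": 0, "first_seen": r["first_seen"],
                            "last_seen": r["last_seen"], "impacting": False})
        s["events"] += r["count"]
        s["first_seen"] = min(s["first_seen"], r["first_seen"])  # ISO 8601 dates order lexically
        s["last_seen"] = max(s["last_seen"], r["last_seen"])
        if r["affects_rating"] and r["decay_date"][:10] > as_of:
            s["impacting"] = True
    return out

def row(**over):
    """Constructed sample row; the GUID, IP and domain are placeholders, not real data."""
    base = {"temporary_finding_id": "tf-1", "entity_guid": "PLACEHOLDER-GUID",
            "event_date": "2024-09-01", "affects_rating": True, "decay_date": "2024-11-01",
            "first_seen": "2024-09-01", "last_seen": "2024-09-03", "rolledup_observation_id": "ro-A",
            "severity": 7.0, "count": 3, "dest_port": 443, "detection_method": "sinkhole",
            "sinkhole_ip": "203.0.113.x", "server_name": "c2.example.invalid"}
    return {**base, **over}

SAMPLE = [row(),
          row(temporary_finding_id="tf-2", first_seen="2024-08-30", last_seen="2024-09-05", count=2),
          row(temporary_finding_id="tf-3", rolledup_observation_id="ro-B", affects_rating=False, count=1),
          row(temporary_finding_id="tf-4", count="4")]  # last row is malformed: count must be Integer
```

Rows that fail validation are dropped from the rollup, so a feed loader built on this pattern should log them separately rather than silently lose them.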
- September 11, 2024: Published.