Compromised Systems Intelligence: Malware Servers

Malware Servers indicates that a system is engaging in malicious activity, such as phishing, fraud, or scams.

Data Structure Diagram

Data Solutions data feeds are optimized for relational databases. Refer to the structure conveyed in the following diagram to make the best use of entity relationships within the Malware Servers Intelligence data feed:

Schema

Malware Servers data available in Compromised Systems Intelligence:

temporary_finding_id

The temporary unique identifier for this finding.

String [temp_finding_guid]

company_guid

The unique identifier of the company.

String [entity_guid]

event_date

When the finding was first observed.

String [YYYY-MM-DD]

affects_rating

true = This finding affects the rating.

Boolean

count

The number of events. See event count considerations for Compromised Systems events.

Integer

country

The country where the asset attributed with this finding is located.

String

country_code

The country code where the asset attributed with this finding is located.

String

decay_date

The date when this finding stops impacting the rating if nothing else changes.

String [YYYY-MM-DD]

dest_port

A compromised device was observed to be sending traffic from this port.

Integer

detection_method

The method used to detect the infection. See the data collection methods.

String

event_grade

The finding grade.

String

evidence_key

The source of evidence for the finding. It may be from an IP address, domain, IP/domain combination, or port.

String

first_seen

The first time the finding was observed.

String [YYYY-MM-DD HH:MM:SS]

impacts_risk_vector_code

A reason code for why the finding does not impact on the rating.

String

impacts_risk_vector_label

The reason why the finding no longer impacts the rating.

String

infection_id

An identifier for the infection.

Integer

last_seen

The most recent time the finding was observed.

String [YYYY-MM-DD HH:MM:SS]

observation_id

The unique identifier of this observation.

String

portal_type

The type of event.

Values:

• malicious = The event involves a malicious server.
• malware = The event involves specific malware.

String

remediation_duration

The number of days it took to remediate the finding.

Integer

risk_category

The risk category.

String

risk_vector

The risk vector slug name.

String

risk_vector_label

The risk vector name.

String

rolledup_observation_id

A stable and randomized identifier for findings. It is assigned to a finding when one or more observations with largely similar key properties occur in close succession.

String

rollup_end_date

The date when the infection was last observed, which is used for determining the number of Compromised Systems events.

String [YYYY-MM-DD]

rollup_start_date

The date when this finding was first observed, which is used for determining the number of Compromised Systems events.

String [YYYY-MM-DD]

sample_timestamp

The date and time when this finding was observed.

String [YYYY-MM-DD HH:MM:SS]

server_name

The domain name of the affected server. It is known to be a command and control server, sinkhole, or is hosting adware.

String

severity

This finding’s Bitsight severity.

Decimal

severity_category

This finding’s Bitsight severity.

String

sinkhole_ip

The masked destination IP address of the sinkhole.

String

src_port

The port where traffic from a compromised device was observed.

Integer