Infection Alerts Integration Guide

September 23, 2020: Updated the 0.10.0 package to the 0.11.0 version.

1 About
2 Script Configuration
- 2.1 Configurable Variables (config.py)
- 2.2 Execution
3 Field Mapping
- 3.1 JSON to CEF
- 3.2 JSON to LEEF

1 About

1.1 Software Requirements

UNIX based machine
Python 2.7
Bitsight json2cefleef conversion script

1.1.1 Installation

python setup.py install

1.2 Hardware Requirements

Under normal network performance, and using common grade processors and memory:

Events Per Second	CPU	RAM
100	2	2 GBs
200	2	2 GBs
500	2	2 GBs
1.000	4	2 - 3 GBs
2.500	4	2 - 4 GBs
5.000	4	2 - 4 GBs
10.000	8	4 - 8 GBs
20.000	8	4 - 8 GBs

1.3 Required Knowledge

Common Event Format (CEF)
Log Event Extended Format (LEEF)
Bitsight Infection Alerts API

2 Script Configuration

The script will get Infections Alerts events from Bitsight and convert the JSON data into CEF or LEEF formats.

2.1 Configurable Variables (config.py)

Variable	Details
`OUTPUT_FORMAT`	Defines the output format of the data. Can be one of: `OUTPUT_FORMAT = 'CEF'` `OUTPUT_FORMAT = 'LEEF'`
`SYSLOG_DST_IP`	IP address of the Syslog server.
`SYSLOG_DST_PORT`	Port of the Syslog server.
`APIKEY`	Infections Alerts API token. Provided by Bitsight.
`ENDPOINT`	Provided by Bitsight. This defaults to: `https://alerts.api.bitsighttech.com`
`FILTERS`	Add filters to the API request. Example: For the “`maxbytes=1`” filter `('maxbytes', '1')`
`DEBUG`	No output: `OFF` Output the queue size: `DEBUG_JSON_QUEUE` Output CEF/LEEF: `DEBUG_OUT` Output Syslog messages to a file: `DEBUG_SYSLOG` Set pyCurl to VERBOSE mode: `VERBOSE`

2.2 Execution

$ python json2cefleef.py

3 Field Mapping

3.1 JSON to CEF

Fields	Key Name	Full Name	Data Type	Size
env.remote_addr	src	sourceAddress	IPV4 Address
env.remote_port	spt	sourcePort	sourcePort
env.server_name	dhost	destinationHostName	String	1023
env.server_addr	dst	destinationAddress	IPv4 Address
env.server_port	dpt	destinationPort	Integer
env.request_method	requestMethod	requestMethod	String	1023
_ts	rt	receiptTime	Time Stamp
trojanfamily	cs1	deviceCustomString1	String	1023
_geo_env_remote_addr.country_name	cs3	deviceCustomString3	String	1023

Key Name	Full Name	Label
cs1Label	deviceCustomString1Label	trojanFamily
cs3Label	deviceCustomString3Label	geoEnvRemoteAddrCountry Name

3.2 JSON to LEEF

Fields	Key Name	Data Type	Size
env.remote_addr	src	IPV4 Address
env.remote_port	srcPort	sourcePort
env.server_name	dhost	String	1023
env.server_addr	dst	IPv4 Address
env.server_port	dstPort	Integer
env.request_method	requestMethod	String	1023
_ts	devTime	Time Stamp
trojanfamily	trojanFamily	String	1023
_geo_env_remote_addr.country_name	geoEnvRemoteAddrCountryName	String	1023

Download the package:

json2cefleef_v0.11.0.tar.gz

json2cefleef_v0.11.0.tar.gz
10 KB Download

Articles in this section

Table of Contents

1 About

1.1 Software Requirements

1.1.1 Installation

1.2 Hardware Requirements

1.3 Required Knowledge

2 Script Configuration

2.1 Configurable Variables (config.py)

2.2 Execution

3 Field Mapping

3.1 JSON to CEF

3.2 JSON to LEEF

Download the package:

Articles in this section

Table of Contents

1 About

1.1 Software Requirements

1.1.1 Installation

1.2 Hardware Requirements

1.3 Required Knowledge

2 Script Configuration

2.1 Configurable Variables (config.py)

2.2 Execution

3 Field Mapping

3.1 JSON to CEF

3.2 JSON to LEEF

Download the package:

Related articles