Infection Alerts Integration Guide

Table of Contents

1 About
  1.1 Software Requirements
    1.1.1 Installation
  1.2 Hardware Requirements
  1.3 Required Knowledge
2 Script Configuration
  2.1 Configurable Variables (config.py)
  2.2 Execution
3 Field Mapping
  3.1 JSON to CEF
  3.2 JSON to LEEF

1 About

1.1 Software Requirements

- UNIX based machine
- Python 2.7
- Bitsight json2cefleef conversion script

1.1.1 Installation

    python setup.py install

1.2 Hardware Requirements

Under normal network performance, and using common grade processors and memory (event rates below use a dot as the thousands separator):

| Events Per Second | CPU | RAM |
|---|---|---|
| 100 | 2 | 2 GBs |
| 200 | 2 | 2 GBs |
| 500 | 2 | 2 GBs |
| 1.000 | 4 | 2 - 3 GBs |
| 2.500 | 4 | 2 - 4 GBs |
| 5.000 | 4 | 2 - 4 GBs |
| 10.000 | 8 | 4 - 8 GBs |
| 20.000 | 8 | 4 - 8 GBs |

1.3 Required Knowledge

- Common Event Format (CEF)
- Log Event Extended Format (LEEF)
- Bitsight Infection Alerts API

2 Script Configuration

The script fetches Infection Alerts events from Bitsight and converts the JSON data into CEF or LEEF format.

2.1 Configurable Variables (config.py)

| Variable | Details |
|---|---|
| OUTPUT_FORMAT | Defines the output format of the data. One of: `OUTPUT_FORMAT = 'CEF'` or `OUTPUT_FORMAT = 'LEEF'`. |
| SYSLOG_DST_IP | IP address of the Syslog server. |
| SYSLOG_DST_PORT | Port of the Syslog server. |
| APIKEY | Infection Alerts API token. Provided by Bitsight. |
| ENDPOINT | Provided by Bitsight. Defaults to: https://alerts.api.bitsighttech.com |
| FILTERS | Adds filters to the API request. Example: for the "maxbytes=1" filter, use `('maxbytes', '1')`. |
| DEBUG | No output: `OFF`. Output the queue size: `DEBUG_JSON_QUEUE`. Output CEF/LEEF: `DEBUG_OUT`. Output Syslog messages to a file: `DEBUG_SYSLOG`. Set pyCurl to VERBOSE mode: `VERBOSE`. |

2.2 Execution

    $ python json2cefleef.py

3 Field Mapping

3.1 JSON to CEF

| Fields | Key Name | Full Name | Data Type | Size |
|---|---|---|---|---|
| env.remote_addr | src | sourceAddress | IPV4 Address | |
| env.remote_port | spt | sourcePort | sourcePort | |
| env.server_name | dhost | destinationHostName | String | 1023 |
| env.server_addr | dst | destinationAddress | IPv4 Address | |
| env.server_port | dpt | destinationPort | Integer | |
| env.request_method | requestMethod | requestMethod | String | 1023 |
| _ts | rt | receiptTime | Time Stamp | |
| trojanfamily | cs1 | deviceCustomString1 | String | 1023 |
| _geo_env_remote_addr.country_name | cs3 | deviceCustomString3 | String | 1023 |

Labels for the custom string fields:

| Key Name | Full Name | Label |
|---|---|---|
| cs1Label | deviceCustomString1Label | trojanFamily |
| cs3Label | deviceCustomString3Label | geoEnvRemoteAddrCountryName |

3.2 JSON to LEEF

| Fields | Key Name | Data Type | Size |
|---|---|---|---|
| env.remote_addr | src | IPV4 Address | |
| env.remote_port | srcPort | sourcePort | |
| env.server_name | dhost | String | 1023 |
| env.server_addr | dst | IPv4 Address | |
| env.server_port | dstPort | Integer | |
| env.request_method | requestMethod | String | 1023 |
| _ts | devTime | Time Stamp | |
| trojanfamily | trojanFamily | String | 1023 |
| _geo_env_remote_addr.country_name | geoEnvRemoteAddrCountryName | String | 1023 |

Download the package: json2cefleef_v0.11.0.tar.gz

September 23, 2020: Updated the 0.10.0 package to the 0.11.0 version.
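The mapping in Section 3.1, applied to one alert as an added example (this is not the Bitsight json2cefleef script's own code): it walks the JSON-to-CEF table, escapes values the way CEF requires, and only emits a cs1Label/cs3Label when the matching custom string is present. The CEF header values (vendor, product, version, signature id, name, severity) and the sample event are assumptions, and the code is written for Python 3 rather than the Python 2.7 the script itself targets.

```python
import json

# Section 3.1 mapping, JSON path -> CEF extension key, in table order.
CEF_MAP = [
    ("env.remote_addr", "src"), ("env.remote_port", "spt"),
    ("env.server_name", "dhost"), ("env.server_addr", "dst"),
    ("env.server_port", "dpt"), ("env.request_method", "requestMethod"),
    ("_ts", "rt"), ("trojanfamily", "cs1"),
    ("_geo_env_remote_addr.country_name", "cs3"),
]
# Label keys from Section 3.1; emitted only when the labelled custom string is present.
CEF_LABELS = [("cs1Label", "trojanFamily"), ("cs3Label", "geoEnvRemoteAddrCountryName")]
def lookup(event, dotted):
    """Resolve a dotted path such as env.remote_addr; None if any part is missing."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur
def esc_header(v):
    """CEF header fields: escape backslash and the pipe delimiter."""
    return str(v).replace("\\", "\\\\").replace("|", "\\|")
def esc_ext(v):
    """CEF extension values: escape backslash, '=' and line breaks."""
    s = str(v).replace("\\", "\\\\").replace("=", "\\=")
    return s.replace("\r", "\\r").replace("\n", "\\n")
def json_to_cef(raw, vendor="Bitsight", product="InfectionAlerts", version="0.11.0",
                sig_id="infection", name="Infection Alert", severity=5):
    """One CEF:0 line per JSON alert. Header values are assumed placeholders; unmapped
    JSON keys are dropped and mapped keys missing from the event are skipped."""
    event = json.loads(raw)
    ext = []
    for path, key in CEF_MAP:
        value = lookup(event, path)
        if value is not None:
            ext.append("%s=%s" % (key, esc_ext(value)))
    present = {e.split("=", 1)[0] for e in ext}
    for label_key, label in CEF_LABELS:
        if label_key[:-len("Label")] in present:
            ext.append("%s=%s" % (label_key, label))
    header = "|".join(esc_header(x) for x in (vendor, product, version, sig_id, name, severity))
    return "CEF:0|" + header + "|" + " ".join(ext)
# Constructed sample shaped like the Section 3 fields (not real alert data).
SAMPLE_EVENT = json.dumps({
    "_ts": "2020-09-23T10:15:00Z", "trojanfamily": "TestFamily",
    "env": {"remote_addr": "198.51.100.7", "remote_port": 51234, "server_name": "sinkhole.example",
            "server_addr": "203.0.113.9", "server_port": 80, "request_method": "GET"},
    "_geo_env_remote_addr": {"country_name": "Portugal"}})
```

Running `json_to_cef(SAMPLE_EVENT)` yields a single line whose extension part lists the mapped keys in table order followed by the two labels.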