Skip to main content
Security Performance Management
Continuous Monitoring
Vendor Risk Management
Trust Management Hub
Cyber Insurance
National Cybersecurity

Infection Alerts Integration Guide

Ingrid

Table of Contents

1 About

1.1 Software Requirements

  • UNIX based machine
  • Python 2.7
  • Bitsight json2cefleef conversion script

1.1.1 Installation

python setup.py install

1.2 Hardware Requirements

Under normal network performance, and using common grade processors and memory:

Events Per Second CPU RAM
100 2 2 GBs
200 2 2 GBs
500 2 2 GBs
1.000 4 2 - 3 GBs
2.500 4 2 - 4 GBs
5.000 4 2 - 4 GBs
10.000 8 4 - 8 GBs
20.000 8 4 - 8 GBs

1.3 Required Knowledge

2 Script Configuration

The script will get Infections Alerts events from Bitsight and convert the JSON data into CEF or LEEF formats.

2.1 Configurable Variables (config.py)

Variable Details
OUTPUT_FORMAT Defines the output format of the data. Can be one of:
  • OUTPUT_FORMAT = 'CEF'
  • OUTPUT_FORMAT = 'LEEF'
SYSLOG_DST_IP IP address of the Syslog server.
SYSLOG_DST_PORT Port of the Syslog server.
APIKEY Infections Alerts API token. Provided by Bitsight.
ENDPOINT Provided by Bitsight. This defaults to:
https://alerts.api.bitsighttech.com
FILTERS Add filters to the API request.
Example: For the “maxbytes=1” filter
('maxbytes', '1')
DEBUG
  • No output:
    OFF
  • Output the queue size:
    DEBUG_JSON_QUEUE
  • Output CEF/LEEF:
    DEBUG_OUT
  • Output Syslog messages to a file:
    DEBUG_SYSLOG
  • Set pyCurl to VERBOSE mode:
    VERBOSE

2.2 Execution

$ python json2cefleef.py

3 Field Mapping

3.1 JSON to CEF

Fields Key Name Full Name Data Type Size
env.remote_addr src sourceAddress IPV4 Address  
env.remote_port spt sourcePort sourcePort  
env.server_name dhost destinationHostName String 1023
env.server_addr dst destinationAddress IPv4 Address  
env.server_port dpt destinationPort Integer  
env.request_method requestMethod requestMethod String 1023
_ts rt receiptTime Time Stamp  
trojanfamily cs1 deviceCustomString1 String 1023
_geo_env_remote_addr.country_name cs3 deviceCustomString3 String 1023
Key Name Full Name Label
cs1Label deviceCustomString1Label trojanFamily
cs3Label deviceCustomString3Label geoEnvRemoteAddrCountry Name

3.2 JSON to LEEF

Fields Key Name Data Type Size
env.remote_addr src IPV4 Address  
env.remote_port srcPort sourcePort  
env.server_name dhost String 1023
env.server_addr dst IPv4 Address  
env.server_port dstPort Integer  
env.request_method requestMethod String 1023
_ts devTime Time Stamp  
trojanfamily trojanFamily String 1023
_geo_env_remote_addr.country_name geoEnvRemoteAddrCountryName String 1023

Download the package:

json2cefleef_v0.11.0.tar.gz

  • September 23, 2020: Updated the 0.10.0 package to the 0.11.0 version.

Related articles

Feedback

0 comments

Please sign in to leave a comment.