- April 6, 2021: Forensics integrated into Findings.
The Compromised Systems risk category indicates the presence of malware or unwanted software, which is evidence that security controls have failed to prevent malicious or unwanted software from running within an organization.
Details and forensic data vary by risk vector. See findings for:

| Field | Description | Filter |
|---|---|---|
| Compromised System Duration | The period during which the system was compromised. | |
| Forensic | Forensic details. Included with the findings if your company has purchased the Forensics add-on package. | |
| IP Address | The observed IPv4 address from which the compromised system activity originated. | |
| Location | The country where the IP address of this compromised system resides. | |
| Representative Timestamp | When the finding was observed, in UTC. | |
| Risk Vector | The name of the risk vector. | Yes |
| Vulnerability | Findings related to a particular vulnerability, a group of vulnerabilities, or all vulnerabilities, whether potentially or confirmed vulnerable. | See vulnerability classification. |
| Vulnerability Severity | Findings related to vulnerabilities of a particular severity. | See Bitsight severity. |
Additional information is available with the Forensics add-on package.
A device with evidence of being part of a botnet was seen communicating with this server, which indicates the server is likely a C&C server or a sinkhole.

| Field | Description |
|---|---|
| Destination IP | The destination IP address, an identified C&C server or sinkhole. |
| Email Subject | The subject of emails sent from a compromised mail server or email account within the company's network. |
| GeoIP Location | The country of origin, where the IP address involved in the finding resides. |
| Malware Type | The type of exploit the server is hosting. |
| Number of Scans | The number of times in one 24-hour period that a device attempted to communicate with a server that was not hosting any useful services (unsolicited communications). |
| Observation Count | The number of times the finding was observed within a 24-hour period, from midnight UTC one day to midnight UTC the next. |
| Protocol | The network protocol used in the finding. |
| Remediation Instructions | Instructions for resolving a negative finding. |
| Representative Event Timestamp | The time when the finding was observed. |
| Request Method | The HTTP request method (e.g., POST, GET) used by the infected device to communicate with the C&C server. |
| Trusted Proxy Address | The trusted proxy address to which botnet communication traffic is redirected. It includes X-Forwarded-For (XFF) details on the original source IP address. |
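Two of the fields above carry an implicit procedure that is easy to get wrong when you triage these findings: the Trusted Proxy Address field's XFF chain must be read from the right, because everything an infected host places in X-Forwarded-For before the hop appended by your own proxy is attacker-controlled, and Observation Count is binned by UTC calendar day, so two events a few seconds apart can legitimately land in different counts. The following is an added example, not Bitsight's code or API: it resolves the original source IP from a constructed XFF chain given a set of trusted proxies, and bins constructed records into midnight-UTC windows. Record key names, the proxy set and the sample data are assumptions for illustration.

```python
"""
Added example (not Bitsight code): triage helpers for constructed forensic
records shaped like the fields described above. Key names, the trusted proxy
set and all sample values are assumptions for illustration.
"""
from collections import Counter
from datetime import datetime, timezone
import ipaddress

# Constructed sample records; addresses are RFC 5737 documentation ranges, not real hosts.
# "xff" holds the X-Forwarded-For chain reported alongside the Trusted Proxy Address.
SAMPLE_FINDINGS = [
    {"destination_ip": "203.0.113.10", "request_method": "POST",
     "trusted_proxy_address": "198.51.100.7",
     "xff": "10.0.0.5, 198.51.100.7",
     "timestamp": "2021-04-06T23:59:30Z"},
    {"destination_ip": "203.0.113.10", "request_method": "GET",
     "trusted_proxy_address": "198.51.100.7",
     # Leftmost hop is attacker-controlled: an infected host can send any XFF value.
     "xff": "192.0.2.99, 10.0.0.5, 198.51.100.7",
     "timestamp": "2021-04-06T12:00:00Z"},
    {"destination_ip": "203.0.113.10", "request_method": "POST",
     "trusted_proxy_address": "198.51.100.7",
     "xff": "10.0.0.8, 198.51.100.7",
     "timestamp": "2021-04-07T00:00:10Z"},  # ten seconds into the next UTC day
]

# Proxies we operate and therefore trust to append honest XFF hops (assumed set).
TRUSTED_PROXIES = {ipaddress.ip_address("198.51.100.7")}


def original_source_ip(xff, trusted_proxies=TRUSTED_PROXIES):
    """Return the original source IP from an X-Forwarded-For chain.

    Walk the chain from the right (the hop appended last, by the proxy nearest
    us) and return the first address that is not one of our trusted proxies.
    Anything further left was supplied by an untrusted party and may be forged.
    A malformed hop yields None rather than a guess.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None
        if addr not in trusted_proxies:
            return str(addr)
    return None  # chain contained only our own proxies


def utc_day(timestamp):
    """Map an ISO-8601 timestamp (any offset) to its UTC calendar day, YYYY-MM-DD."""
    ts = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%d")


def observation_counts(findings):
    """Count observations per (destination IP, UTC day), i.e. the
    midnight-UTC-to-midnight-UTC window used for Observation Count."""
    return Counter((f["destination_ip"], utc_day(f["timestamp"])) for f in findings)


def resolve_sources(findings):
    """Return copies of the records with the resolved original source IP attached."""
    return [dict(f, original_source_ip=original_source_ip(f["xff"])) for f in findings]


if __name__ == "__main__":
    for rec in resolve_sources(SAMPLE_FINDINGS):
        print(rec["timestamp"], rec["original_source_ip"], "->", rec["destination_ip"])
    for (dest, day), n in sorted(observation_counts(SAMPLE_FINDINGS).items()):
        print(f"{dest} {day}: {n} observation(s)")
```

The second sample record shows why the chain is read right-to-left: the forged `192.0.2.99` at the front is ignored and `10.0.0.5`, the hop immediately before the trusted proxy, is reported as the infected host. The first and third records fall on either side of midnight UTC and are counted separately, matching the Observation Count definition.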