# Compromised System Findings

Ingrid

The Compromised Systems risk category indicates the presence of malware or unwanted software, which is evidence that security controls failed to prevent malicious or unwanted software from running within an organization.

## Navigation Options

- SPM App: Findings ➔ Finding Table
- CM App: Vendor Risk ➔ Findings
- Insurance App: Client Risk ➔ Findings
- National Cybersecurity: Vendor Risk ➔ Findings
- Bitsight API: GET /v1/companies/entity_guid/findings

Details and forensics data vary depending on the risk vector. See findings for:

- Botnet Infections
- Spam Propagation
- Malware Servers
- Unsolicited Communications
- Potentially Exploited

## Finding Details

| Field | Description | Filters |
|---|---|---|
| Compromised System Duration | The period during which the system was compromised. | |
| Forensic | Forensic details. If your company purchased the Forensics add-on package, the forensic details are included with the findings. | |
| IP Address | Compromised system activity from this observed IP address (IPv4). | |
| Location | Country where the IP address of this compromised system resides. | |
| Representative Timestamp | When the finding was observed, in UTC. | |
| Risk Vector | The name of the risk vector. | Yes |
| Vulnerability | Findings related to a particular vulnerability, a group of vulnerabilities, or all vulnerabilities, covering systems that are either potentially or confirmed vulnerable. See vulnerability classification. | |
| Vulnerability Severity | Findings related to vulnerabilities of a particular severity. See Bitsight severity. | |

## Forensics

Additional information is available with the Forensics add-on package.

| Field | Description |
|---|---|
| Destination Domain | A device with evidence of being part of a botnet was seen communicating with this server, which indicates it is likely the C&C server or a sinkhole. For HTTP-based bots, this is taken from the HTTP Host header, which is sometimes an IP address instead of a domain. Because bots sometimes set a non-malicious domain in the Host header to evade firewall filtering, this field occasionally lists a non-malicious domain. |
| Destination IP | The destination IP address, which is an identified C&C server or sinkhole. |
| Email Subject | The subject of emails sent from a compromised mail server or email account within the company's network. |
| GeoIP Location | The country of origin, where the IP address involved in the finding resides. |
| Malware Type | The type of exploit the server is hosting. |
| Number of Scans | The number of times, within one 24-hour period, that a device attempted to communicate with a server (unsolicited communications) or that the server was found not to be hosting any useful services. |
| Observation Count | The number of times a finding was observed within a 24-hour period, between midnight UTC one day and midnight UTC the next. |
| Protocol | The network protocol used in the finding. |
| Remediation Instructions | Instructions to resolve a negative finding. |
| Representative Event Timestamp | The time when the finding was observed. |
| Request Method | The HTTP request method (e.g., POST, GET) used by the infected device to communicate with the C&C server. |
| Trusted Proxy Address | The trusted proxy address where botnet communication traffic is redirected. It includes X-Forwarded-For (XFF) details on the original source IP address. |

- October 28, 2024: Findings Table navigation instructions moved from Risks to a new Findings section in the menu.
- April 6, 2021: Forensics integrated into Findings.
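The forensics fields above are what a responder works from once a compromised-system finding lands. The script below is an added example, not Bitsight's code: it assumes a simplified JSON layout whose keys mirror the field names in this article (the real API schema may differ) and uses constructed sample findings. It groups findings by risk vector, counts observations per midnight-to-midnight UTC day as the Observation Count field defines it, and, where a trusted proxy address is present, recovers the original internal host from the X-Forwarded-For value instead of the proxy's IP.

```python
from collections import defaultdict
from datetime import datetime, timezone
# Constructed sample findings (not real Bitsight data). Key names follow the
# fields this article lists; the real API JSON layout is an assumption here.
SAMPLE_FINDINGS = [
    {"risk_vector": "Botnet Infections", "ip_address": "203.0.113.10",
     "representative_timestamp": "2024-10-01T13:05:00Z",
     "forensics": {"destination_domain": "cdn.example.net", "destination_ip": "198.51.100.7",
                   "request_method": "POST", "trusted_proxy_address": "203.0.113.10",
                   "x_forwarded_for": "10.0.5.23"}},
    {"risk_vector": "Botnet Infections", "ip_address": "203.0.113.10",
     "representative_timestamp": "2024-10-01T18:40:00Z",
     "forensics": {"destination_domain": "198.51.100.7",  # Host header held an IP
                   "destination_ip": "198.51.100.7", "request_method": "GET",
                   "trusted_proxy_address": "203.0.113.10", "x_forwarded_for": "10.0.7.41"}},
    {"risk_vector": "Botnet Infections", "ip_address": "203.0.113.10",
     "representative_timestamp": "2024-10-01T23:30:00-05:00",  # 04:30 UTC on the 2nd
     "forensics": {"destination_domain": "cdn.example.net", "destination_ip": "198.51.100.7",
                   "request_method": "POST", "trusted_proxy_address": "203.0.113.10",
                   "x_forwarded_for": "10.0.5.23"}},
    {"risk_vector": "Spam Propagation", "ip_address": "203.0.113.25",
     "representative_timestamp": "2024-10-02T09:00:00Z",
     "forensics": {"email_subject": "Invoice attached"}},
]

def utc_day(timestamp: str) -> str:
    """Observation windows run midnight-to-midnight UTC, so normalise to UTC first."""
    moment = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    return moment.astimezone(timezone.utc).date().isoformat()

def internal_source(finding: dict) -> str:
    """The observed IP may be a trusted proxy; the XFF value names the real host."""
    forensics = finding.get("forensics", {})
    if forensics.get("trusted_proxy_address") and forensics.get("x_forwarded_for"):
        return forensics["x_forwarded_for"]
    return finding["ip_address"]

def triage(findings: list) -> dict:
    """Per risk vector: observations per UTC day, hosts to check, (domain, IP) endpoints."""
    grouped = defaultdict(lambda: {"per_day": defaultdict(int), "hosts": set(), "dests": set()})
    for finding in findings:
        entry = grouped[finding["risk_vector"]]
        entry["per_day"][utc_day(finding["representative_timestamp"])] += 1
        entry["hosts"].add(internal_source(finding))
        forensics = finding.get("forensics", {})
        if "destination_ip" in forensics:  # only C&C-style findings carry this
            entry["dests"].add((forensics.get("destination_domain"), forensics["destination_ip"]))
    return {rv: {"per_day": dict(e["per_day"]), "hosts": sorted(e["hosts"]),
                 "destinations": sorted(e["dests"])} for rv, e in grouped.items()}
```

The per-day counts line up with what the Observation Count field reports, and the hosts list is the set of internal machines to pull for investigation rather than the proxy address the finding is attributed to.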