Skip to main content
Security Performance Management
Continuous Monitoring
Vendor Risk Management
Trust Management Hub
Cyber Insurance
National Cybersecurity

Compromised System Findings

Ingrid

The Compromised Systems risk category indicates the presence of malware or unwanted software, which is evidence of security controls failing to prevent malicious or unwanted software from running within an organization.

SPM App: Findings ➔ Finding Table

CM App: Vendor Risk ➔ Findings

Insurance App: Client Risk ➔ Findings

National Cybersecurity: Vendor Risk ➔ Findings

Bitsight API: GET /v1/companies/entity_guid/findings

Details and forensics data vary depending on the risk vector. See findings for:

Finding Details

Field Description Filters
Compromised System Duration The duration when the system was compromised.  
Forensic Forensic details. If your company purchased the Forensics add-on package, the forensic details will be included with the findings.  
IP Address Compromised system activity from this observed IP address (IPV4).  
Location Country where the IP address of this compromised system resides.  
Representative Timestamp When the finding was observed, in UTC time.  
Risk Vector The name of the risk vector. Yes
Vulnerability Findings related to a particular vulnerability, group of vulnerabilities or all vulnerabilities that are either potentially or confirmed to be vulnerable. See vulnerability classification.
Vulnerability Severity Findings related to vulnerabilities of a particular severity. See Bitsight severity.

Forensics

Additional information is available with the Forensics add-on package.

Field Description
Destination Domain

A device with evidence as being part of a botnet was seen communicating with this server, which indicates it’s likely the C&C server or is a sinkhole.

  • For HTTP-based bots, this is taken from the HTTP Host header, which is sometimes an IP address instead of a domain.
  • To evade firewall filtering, this field occasionally lists a non-malicious domain.
Destination IP The destination IP address, which is an identified C&C server or sinkhole.
Email Subject The subject of emails sent from a compromised mail server or email account within the company’s network.
GeoIP Location The country of origin, where the IP address involved in the finding resides.
Malware Type The type of exploit the server is hosting.
Number of Scans The number of times a device attempted to communicate with a server (unsolicited communications) or the server was not hosting any useful services in one 24-hour period.
Observation Count The number of times a finding was observed to have occurred within a 24-hour period, between midnight UTC one day and midnight UTC the next day.
Protocol The network protocol used in the finding.
Remediation Instructions Instructions to resolve a negative finding.
Representative Event Timestamp The time when the finding was observed.
Request Method The HTTP request method (e.g., POST, GET) used by the infected device to communicate with the C&C server.
Trusted Proxy Address The trusted proxy address where botnet communication traffic is redirected. It includes x-forwarded-for (XFF) details on the original source IP address.
  • October 28, 2024: Findings Table navigation instructions moved from Risks to a new Findings section in the menu.
  • April 6, 2021: Forensics integrated into Findings.

Related articles

Feedback

0 comments

Please sign in to leave a comment.