https://api.bitsighttech.com/sovereign/observations
The observations field that’s included with GET: National Cybersecurity Observations (/sovereign/observations) shows the details of observations. The details vary, depending on the risk type [risk_types].
This endpoint is only available for users with access to the National Cybersecurity app. It only returns information for countries you subscribe to.
- Botnet Infections
- Spam Propagation
- Malware Servers
- Unsolicited Communications
- Potentially Exploited
- TLS/SSL Certificates
- TLS/SSL Configurations
- Open Ports
- Web Application Headers
- Insecure Systems
- Server Software
- File Sharing
- Vulnerability
All other risk types are not compatible with this endpoint.
Botnet Infections
Slug Name: botnet_infections
Example Response
"infection": "RootSTV", "infection_id": 123, "source_port": 54264, "dest_port": 80, "cc_ip": "XXX.4.56.78", "detection_method": "Sinkhole", "request_method": "POST"
Response Attributes
| Field | Description |
|---|---|
infection String |
The name of the infection. |
infection_id Integer |
An identifier for the infection. |
source_port Integer |
The source port number. |
dest_port Integer |
The destination port number. |
cc_ip String |
The IP address of the malware’s command and control server (C&C or C2 Server). |
detection_method String |
The method used to detect this observation. See our data collection methods. |
request_method String |
The method used to communicate with the malware. |
Spam Propagation
Slug Name: spam_propagation
Example Response
"email_from_address": "<richard.kuga@saperix.com>", "email_sender_address": "<richard.kuga@saperix.com>", "email_subject": "Payment from your account.", "detection_method": "spam-trap", "infection": "Spam Bot"
Response Attributes
| Field | Description |
|---|---|
email_from_address String |
The “From” email address. |
email_sender_address String |
The “From” email address. |
email_subject String |
The Subject of the email. |
detection_method String |
The method used to detect this observation. See the data collection methods directory. |
infection String |
The infection type. |
Malware Servers
Slug Name: malware_servers
Example Response
"type": "Malware"
Response Attributes
| Field | Description |
|---|---|
type String |
Values:
|
Unsolicited Communications
Slug Name: unsolicited_comms
Example Response
"destination_port": 3306, "protocol": "tcp", "num_scans": 1 }
Response Attributes
| Field | Description |
|---|---|
destination_port Integer |
The destination port number. |
protocol String |
The protocol observed. |
num_scans Integer |
The number of scans. |
Potentially Exploited
Slug Name: potentially_exploited
Example Response
. "infection": "AMCleaner", "infection_id": 123, "source_port": 59186, "dest_port": 80, "cc_ip": "XXX.45.67.89", "request_method": "GET", "user_agent": "msphlpr/1.9 CFNetwork/811.11 Darwin/16.7.0 (x86_64)"
Response Attributes
| Field | Description |
|---|---|
infection String |
The name of the potentially unwanted application (PUA) or potentially unwanted program (PUP). |
infection_id Integer |
An identifier for the infection. |
source_port Integer |
The source port number. |
dest_port Integer |
The destination port number. |
cc_ip String |
The IP address of the malware’s command and control server (C&C or C2 Server). |
detection_method String |
The method used to detect this observation. |
request_method String |
The method used to communicate with the malware. |
TLS/SSL Certificates
Slug Name: ssl_certificates
Example Response
"grade": { "grade": "GOOD" }, "cert_chain": [ { "startDate": "2016-11-10", "endDate": "2041-11-11", "issuerName": "C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA", "startsubjectName": "C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA", "startkeyAlgorithm": "RSA", "startsignatureAlgorithm": "SHA1WITHRSA", "keyLength": 2048, "serialNumber": "1112223334445551112223334445551234567", "dnsName": [ "*.example.com" ] } ], "observed_ips": [ "123.123.12.12", "98.7.65.432" ]
Response Attributes
| Field | Description | ||
|---|---|---|---|
grade Object |
Finding grade details. | ||
grade String |
The finding grade. | ||
cert_chain Array |
Certificate chain details. | ||
| Object | The details of a certificate in the chain. | ||
startDate String [ |
The date when this certificate started. | ||
endDate String [ |
The expiration date of this certificate. | ||
issuerName String |
The distinguished name of the certificate issuer, made up of attribute assertion values. | ||
startsubjectNam String |
The distinguished name of the owner of the certificate, made up of attribute assertion values. | ||
startkeyAlgorithm String |
The algorithm used to encrypt and decrypt messages. | ||
startsignatureAlgorithm String |
The signing algorithm used in this certificate. | ||
keyLength Integer |
The bit strength of this key. See the recommended TLS key length. | ||
serialNumber Integer |
The serial number of the certificate within this chain. | ||
dnsName Array |
The name of the Domain Name Server (DNS). | ||
observed_ips Array |
Observed IP addresses. | ||
TLS/SSL Configurations
Slug Name: ssl_configuration
Example Response
"message": [ "Allows insecure protocol: TLSv1.0", "Allows insecure protocol: TLSv1.1" ], "grade": { "grade": "BAD" }, "dh_length": 2048, "dh_prime": "ffffffffffffffffc90fdaa2{464 digits}8aacaa68ffffffffffffffff", "observed_ips": [ "123.456.789.000" ]
Response Attributes
| Field | Description | |
|---|---|---|
message Array |
A description of the finding. | |
grade Object |
Finding grade details. | |
grade String |
The finding grade. | |
dh_length Integer |
The configured key length. See the recommended TLS key length. | |
dh_prime String |
The Diffie-Hellman prime. | |
observed_ips Array |
Observed IP addresses. | |
Open Ports
Slug Name: open_ports
Example Response
"grade": { "grade": "GOOD" }, "response": "HTTP/1.1 403 Forbidden\r\nDate: Sun, 27 Jun 2021 23:41:08 GMT\r\nServer: Apache/2.4.7 (Ubuntu)\r\nContent-Length: 280\r\nContent-Type: text/html; charset=iso-8859-1", "service": "HTTPS", "message": [ "Detected service: HTTPS" ], "low_vulnerabilities": [ "CVE-2017-7679", "CVE-2016-8743" ]
Response Attributes
| Field | Description | ||
|---|---|---|---|
grade Object |
Finding grade details. | ||
| Object | A finding grade. | ||
grade String |
The finding grade. | ||
response String |
The response code that indicates if the server was able to process the request sent by the client. | ||
service String |
The service that’s running on this port. | ||
message Array |
The type of service running on this port. | ||
low_vulnerabilities Array |
Potential vulnerabilities for this finding, identified by its Common Vulnerabilities and Exposures ID (CVE ID). | ||
high_vulnerabilities Array |
Confirmed vulnerabilities for this finding, identified by its Common Vulnerabilities and Exposures ID (CVE ID). | ||
Web Application Headers
Slug Name: application_security
Example Response
"message": [ "hh_moved" ], "grade": { "grade": "NEUTRAL" }, "headers": [ "HTTP/1.1 301 Moved Permanently", "Date: Sun, 27 Jun 2021 21:43:21 GMT", "Server: Apache", "Cache-Control: no-cache", "Location: https://www.saperix.com", "X-Powered-By: Apache2", "MS-Author-Via: DAV", "Vary: Accept-Encoding", "Content-Length: 0", "Content-Type: text/html; charset=utf-8" ], "http_issues": { "general_issues": [ "hh_moved" ] }
Response Attributes
| Field | Description | |
|---|---|---|
message Array |
Descriptions of the finding. | |
grade Object |
Finding grade details. | |
grade String |
The finding grade. | |
headers Array |
Web application headers. | |
http_issues Object |
HTTP issue details. | |
general_issues Array |
General HTTP issues. | |
Insecure Systems
Slug Name: insecure_systems
Example Response
"grade": { "grade": "WARN" }, "message": [ "File sharing: Tracker" ], "category": "TorrentTracker", "sub_category": "torrent_tracker_expired", "source_port": "58107", "path_info": "/announce.php", "user_agent": "uTorrent/355(111915940)(45988)"
Response Attributes
| Field | Description | |
|---|---|---|
grade Object |
Finding grade details. | |
grade String |
The finding grade. | |
message Array |
A description of the finding. | |
category String |
||
sub_category String |
||
source_port Integer |
The source port number. | |
path_info String |
The file path information. | |
user_agent String |
The user’s form of communication with the malware. | |
Server Software
Slug Name: server_software
Example Responses
Apache
"grade": { "grade": "NEUTRAL" }, "typeColumnText": "Apache", "detailsColumnText": "Software version is incomplete", "modalData": { "type": "incomplete-version" }, "modalTags": { "Type": "Apache", "OS family": "Unknown", "Upstream version": "", "HTTP Server header": "Apache" }
NGINX
"grade": { "grade": "NEUTRAL" }, "typeColumnText": "nginx", "versionColumnText": "1.12.1", "detailsColumnText": "OS-specific software version is unknown", "modalData": { "type": "possible-backports" }, "modalTags": { "Type": "nginx", "Version": "1.12.1" }
OpenSSH
"grade": { "grade": "BAD" }, "typeColumnText": "OpenSSH", "versionColumnText": "7.2p2", "detailsColumnText": "OS-specific software version is unsupported", "modalData": { "name": "openssh-server", "osRelease": { "name": "Ubuntu 16.04 LTS", "familyName": "Ubuntu", "version": "16.04 LTS", "url": "https://wiki.ubuntu.com/XenialXerus/ReleaseNotes" }, "obsoletedOn": "2018-01-22", "version": "1:7.2p2-4ubuntu2.2", "latestPackageVersion": "1:7.2p2-4ubuntu2.8", "type": "obsolete-package" }, "modalTags": { "Type": "OpenSSH", "Banner": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2", "Upstream version": "7.2p2" }
PHP
"grade": { "grade": "NEUTRAL" }, "typeColumnText": "PHP", "versionColumnText": "7.1.18", "detailsColumnText": "Support status is unknown", "modalData": { "type": "unknown" }, "modalTags": { "Type": "PHP", "Upstream version": "7.1.18", "HTTP Server header": "Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.18", "HTTP X-Powered-By header": "PHP/7.1.18" }
Response Attributes
| Field | Description | ||
|---|---|---|---|
grade Object |
Finding grade details. | ||
grade String |
The finding grade. | ||
typeColumnText String |
The type of server software package. | ||
versionColumnText String |
The software version. | ||
detailsColumnText String |
Software support details. | ||
modalData Object |
Software type details. | ||
name String |
The name of the server. | ||
osRelease Object |
Released OS details. | ||
name String |
The full name of the server type. | ||
familyName String |
The server type. | ||
version String |
The latest software version. | ||
url String |
The release notes URL. | ||
obsoletedOn String [ |
The date when the software became obsolete. | ||
version String |
The current software version. | ||
latestPackageVersion String |
The latest package version. | ||
type String |
The software status. | ||
modalTags Object |
Server software details. | ||
Type String |
The type of server software package. | ||
Banner String |
The software and package name. | ||
OS family String |
The operating system family. | ||
Upstream version String |
The upstream software version. | ||
HTTP Server header String |
The HTTP server header. | ||
HTTP X-Powered-By header String |
The HTTP X-Powered-By header. | ||
Version String |
The software version. | ||
File Sharing
Slug Name: file_sharing
Example Response
"category": "Movies", "node": "88.88.88.888"
Response Attributes
| Field | Description |
|---|---|
category String |
File Sharing categories, which is the Bitsight category for the type of torrent. |
node String |
The IP address of the endpoint device. |
Vulnerability
Slug Name: vulnerability
Example Response
"vulnerabilities": [ "CVE-2019-17059" ], "status": "vulnerable", "annotation": [], "high_vulnerabilities": [ "CVE-2019-17059" ]
Response Attributes
| Field | Description |
|---|---|
vulnerabilities Array |
Confirmed vulnerabilities for this finding, identified by its Common Vulnerabilities and Exposures ID (CVE ID). |
status String |
The status of the vulnerability. |
annotation Array |
|
high_vulnerabilities Array |
Confirmed vulnerabilities for this finding, identified by its Common Vulnerabilities and Exposures ID (CVE ID). |
low_vulnerabilities Array |
Potential vulnerabilities for this finding, identified by its Common Vulnerabilities and Exposures ID (CVE ID). |
-
December 16, 2021: Added
low_vulnerabilitiesfield forvulnerabilityrisk type. -
November 8, 2021: Added
dnsnameto TLS/SSL Certificate observations; Added Server Software example responses based on server (e.g., Apache, PHP, etc.) to show varying response fields; Added Server SoftwaremodalDatadetails; Added Server SoftwaremodalTags:Banner&modalTags:Version. - July 7, 2021: Published.
Feedback
0 comments
Please sign in to leave a comment.