GET: Potentially Exploited Finding Details – Bitsight Knowledge Base

https://api.bitsighttech.com/ratings/v1/companies/company_guid/findings?risk_vector=potentially_exploited

Get an organization’s Potentially Exploited finding details.

Parameters

For details specific to Potentially Exploited, use the ?risk_vector=potentially_exploited parameter. Other query parameters are listed in GET: Finding Details.

Example Request

curl https://api.bitsighttech.com/ratings/v1/companies/a940bb61-33c4-42c9-9231-c8194c305db3/findings?risk_vector=potentially_exploited -u api_token:

Example Response

{
  "links":{
    "next":null,
    "previous":null
  },
  "count":10,
  "results":[
    […]
    {
      "temporary_id":"A9Jq47BBjedd32b22a968d7e535252a5a931d8a8c7",
      "pcap_id":"UENBUHBjYXBQQ0FQcGNhcI5SJvT_85YqKfT6aSGksbyTPbrc5jsEaJ3_hAoFJiFZ_Jp6pbTnD1yR6BgY5WKhr_RorfG106x46uWToiD1icQ=",
      "affects_rating":false,
      "assets":[
        {
          "asset":"213.215.200.98",
          "identifier":null,
          "category":"low",
          "importance":0.0,
          "is_ip":true
        }
      ],
      "details":{
        "check_pass":" ",
        "geo_ip_location":"IT",
        "country":"Italy",
        "infection":{
          "family":"AMCleaner",
          "description":"This potentially unwanted application (PUA) shows adds and provides misleading information about issues on the computer.",
          "references":[
            "https://www.threatonmac.com/application-mac-osx-amcleaner-pua-removal/"
          ],
          "data_exfiltration":false,
          "unauthorized_access":false,
          "implies_other_infections":false,
          "resource_abuse":true,
          "target_platforms":[
            "MacOSX"
          ],
          "aliases":[
            "Maftask"
          ],
          },
          "remediations":[ ],
          "sample_timestamp":"2021-05-03T12:57:40Z",
          "server_name":"bgtc.mac-autofixer.com",
          "user_agent":"maftask/1.0 CFNetwork/978.0.7 Darwin/18.6.0 (x86_64)",
          "vulnerabilities":[ ],
          "count":6,
          "dest_port":80,
          "detection_method":"Sinkhole",
          "request_method":"GET",
          "rollup_end_date":"2021-05-03",
          "rollup_start_date":"2021-05-03",
          "sinkhole_ip":"72.26.218.86",
          "sinkhole_ip_masked":"XXX.26.218.86",
          "src_port":54333
        },
        "evidence_key":"213.215.200.98",
        "first_seen":"2021-05-03",
        "last_seen":"2021-05-03",
        "related_findings":[
          {
            "temporary_id":"A9Jq47BBjedd32b22a968d7e535252a5a931d8a8c7",
            "pcap_id":"UENBUHBjYXBQQ0FQcGNhcI5SJvT_85YqKfT6aSGksbyTPbrc5jsEaJ3_hAoFJiFZ_Jp6pbTnD1yR6BgY5WKhr_RorfG106x46uWToiD1icQ=",
            "affects_rating":false,
            "assets":[
              {
                "asset":"213.215.200.98",
                "identifier":null,
                "category":"low",
                "importance":0.0,
                "is_ip":true
              }
            ],
            "details":{
              "check_pass":" ",
              "geo_ip_location":"IT",
              "country":"Italy",
              "infection":{
                "family":"AMCleaner",
                "description":"This potentially unwanted application (PUA) shows adds and provides misleading information about issues on the computer.",
                "references":[
                  "https://www.threatonmac.com/application-mac-osx-amcleaner-pua-removal/"
                ],
                "data_exfiltration":false,
                "unauthorized_access":false,
                "implies_other_infections":false,
                "resource_abuse":true,
                "target_platforms":[
                  "MacOSX"
                ],
                "aliases":[
                  "Maftask"
                ]
              },
              "remediations":[ ],
              "sample_timestamp":"2021-05-03T12:57:40Z",
              "server_name":"bgtc.mac-autofixer.com",
              "user_agent":"maftask/1.0 CFNetwork/978.0.7 Darwin/18.6.0 (x86_64)",
              "vulnerabilities":[ ],
              "count":6,
              "dest_port":80,
              "detection_method":"Sinkhole",
              "request_method":"GET",
              "rollup_end_date":"2021-05-03",
              "rollup_start_date":"2021-05-03",
              "sinkhole_ip":"72.26.218.86",
              "sinkhole_ip_masked":"XXX.26.218.86",
              "src_port":54333
            },
            "evidence_key":"213.215.200.98",
            "first_seen":"2021-05-03T08:06:59Z",
            "last_seen":"2021-05-03T12:57:40Z",
            "risk_category":"Compromised Systems",
            "risk_vector":"potentially_exploited",
            "risk_vector_label":"Potentially Exploited",
            "rolledup_observation_id":"ESY_FRtviE-lZl43RWuyTw==",
            "severity":8.0,
            "severity_category":"material",
            "tags":[ ],
            "remediation_history":{
              "last_requested_refresh_date":"2024-06-19",
                "last_refresh_status_date":"2024-06-23",
                "last_refresh_status_label":"failed",
              "last_refresh_status_reason": "asset_not_found",
                "last_refresh_reason_code":"asset unreachable",
                "last_refresh_requester": "1e10564d-fawa-4331-0000-6f7588b55a98",
              "result_finding_date": null
            },
            "asset_overrides":[ ],
            "duration":"1 day",
            "comments":null,
            "attributed_companies":[ ],
            "pinned":null,
            "pinned_by_user":null
          }
        ],
        "risk_category":"Compromised Systems",
        "risk_vector":"potentially_exploited",
        "risk_vector_label":"Potentially Exploited",
        "rolledup_observation_id":"ESY_FRtviE-lZl43RWuyTw==",
        "severity":8.0,
        "severity_category":"material",
        "tags":[ ],
        "remediation_history":{
          "last_requested_refresh_date":null,
          "last_refresh_status_date":null,
          "last_refresh_status_label":null,
          "last_refresh_reason_code":null
        },
        "asset_overrides":[ ],
        "duration":"1 day",
        "comments":null,
        "remaining_decay":null
      }
  ]
}

Response Attributes

Field							Description
links Object							Navigation for multiple pages of results. See pagination.
	next String						The URL to navigate to the next page of results.
	previous String						The URL to navigate to the previous page of results.
count Integer							The number of findings.
results Array							Findings and their details.
	Object						A finding.
		temporary_id String					A temporary identifier for this finding.
		pcap_id String					The packet capture (PCAP or libpcap) ID.
		affects_rating Boolean					`true` = This finding impacts the risk vector letter grade.
		assets Array					Asset (IP address or domain) details.
			Object				An asset.
				asset String			The asset associated with this finding.
				identifier Null			For internal Bitsight use.
				category String			The Bitsight-calculated asset importance.
				importance Decimal			The Bitsight-calculated asset importance.
				is_ip Boolean			`true` = This asset is an IP address.
		details Object					Finding details.
			check_pass String				For internal Bitsight use.
			geo_ip_location String				This finding’s country of origin in a 2-letter ISO country code format.
			country String				This finding’s country of origin.
			infection Object				Infection details.
				family String			This infection’s malware family.
				description String			An overview of this infection.
				references Array			Information source URLs.
				data_exfiltration Boolean			`true` = This infection allows any unauthorized transfers of sensitive information.
				unauthorized_access Boolean			`true` = This infection allows attackers to connect and then log in as a legitimate user.
				implies_other_infections Boolean			`true` = This infection could lead to other infections.
				resource_abuse Boolean			`true` = This infection is misusing assets.
				target_platforms Array			Platforms targeted by this infection.
				aliases Array			Alternative names for this infection.
			remediations Array				This is not applicable to Potentially Exploited findings.
			sample_timestamp String [`YYYY-MM-DDTHH:MM:SSZ`]				The date and time when this finding was observed.
			server_name String				The domain name of the affected server. It is known to be a command and control server, sinkhole, or is hosting adware.
			user_agent String				The `user-agent` string in the header, which identifies end-user interactions with web content. The details include the application, operating system, browser, and software version.
			vulnerabilities Array				Vulnerability details.
			count Integer				The number of observations for this finding.
			dest_port Integer				A compromised device was observed to be sending traffic from this port.
			detection_method String				The method used to detect the infection. See the data collection methods.
			request_method String				The request method used to communicate with the malware.
			rollup_end_date String [`YYYY-MM-DD`]				The date when this finding was last observed.
			rollup_start_date String [`YYYY-MM-DD`]				The date when this finding was first observed.
			sinkhole_ip String				The full sinkhole IP address.
			sinkhole_ip_masked String				The masked sinkhole IP address.
			src_port Integer				The port where traffic from a compromised device was observed.
		evidence_key String					The asset (domain or IP address) that’s attributed to this finding.
		first_seen String [`YYYY-MM-DD`]					The date when this finding was first observed.
		last_seen String [`YYYY-MM-DD`]					The date when this finding was last observed.
		related_findings Array					Findings and their details.
			Object				A finding.
				temporary_id String			The temporary identifier for this finding.
				pcap_id String			The packet capture (PCAP or libpcap) identifier.
				affects_rating Boolean			`true` = This finding impacts the risk vector letter grade.
				assets Array			Asset (IP or domain) details.
					Object		An asset.
						asset String	The asset associated with this finding.
						identifier Null	For internal Bitsight use.
						category String	The Bitsight-calculated asset importance slug name.
						importance Decimal	The Bitsight-calculated asset importance.
						is_ip Boolean	`true` = This asset is an IP address.
				details Object			Finding details.
					check_pass String		For internal Bitsight use.
					geo_ip_location String		This finding’s country of origin in a 2-letter ISO country code format.
					country String		This finding’s country of origin.
					infection Object		Infection details.
						family String	This infection’s malware family.
						description String	An overview of this infection.
						references Array	Infection information sources.
						data_exfiltration Boolean	`true` = This infection allows any unauthorized transfers of sensitive information.
						unauthorized_access Boolean	`true` = This infection allows attackers to connect and then log in as a legitimate user.
implies_other_infections Boolean						`true` = This infection may lead to other infections.
resource_abuse Boolean	`true` = This infection is misusing assets.
target_platforms Array	Platforms targeted by this infection.
aliases Array	Alternative names for this infection.
remediations Array					This is not applicable to Potentially Exploited findings.
sample_timestamp String [`YYYY-MM-DDTHH:MM:SSZ`]					The date and time when this finding was observed.
server_name String					The domain name of the affected server. It is known to be a command and control server, sinkhole, or is hosting adware.
user_agent String					The `user-agent` string in the header, which identifies end-user interactions with web content. The details include the application, operating system, browser, and software version.
vulnerabilities Array					Vulnerability details.
count Integer					The number of observations for this finding.
dest_port Integer					A compromised device was observed to be sending traffic from this port.
detection_method String					The method used to detect the infection. See the data collection methods.
request_method String					The request method used to communicate with the malware.
rollup_end_date String [`YYYY-MM-DD`]					The date when this finding was last observed.
rollup_start_date String [`YYYY-MM-DD`]					The date when this finding was first observed.
sinkhole_ip String					The full sinkhole IP address.
sinkhole_ip_masked String					The masked sinkhole IP address.
src_port Integer					The port where traffic from a compromised device was observed.
evidence_key String				The asset attributed to this finding.
first_seen String [`YYYY-MM-DDTHH:MM:SSZ`]				The date and time when this finding was first observed.
last_seen String [`YYYY-MM-DDTHH:MM:SSZ`]				The date and time when this finding was last observed.
risk_category String				The risk category.
risk_vector String				The risk vector slug name.
risk_vector_label String				The risk vector display name.
rolledup_observation_id String				A stable and randomized identifier for findings. It is assigned to a finding when one or more observations with largely similar key properties occur in close succession.
severity Decimal				This finding’s Bitsight severity.
severity_category String				This finding’s Bitsight severity.
tags Array				Infrastructure tags identifying the asset.
remediation_history Object				If `?expand=remediation_history` parameter is set, the remediation history of the finding is included.
	last_requested_refresh_date String [`YYYY‑MM‑DD`]			The date when a finding rescan that included this finding was last requested.
				last_refresh_status_date String [`YYYY‑MM‑DD`]	The date when a rescan of the remediation status of this finding was last requested.
				last_refresh_status_label String	The current rescan status of this finding.
	last_refresh_status_reason String			The rescan status.
				last_refresh_reason_code String	The reason code for the rescan status.
				last_refresh_requester String [`user_guid`]	The unique identifier of the user who requested the rescan.
	result_finding_date String [`YYYY-MM-DD`]			The first seen date of the finding that resulted from the rescan, if applicable.
asset_overrides Array				User-assigned asset importance.
duration String				This finding’s duration.
comments String				This finding’s comments.
attributed_companies Array				Companies in the Ratings Tree that are attributed to this finding.
pinned Null				For internal Bitsight use.
pinned_by_user Null				For internal Bitsight use.
risk_category String					The risk category.
risk_vector String					The risk vector slug name.
risk_vector_label String					The risk vector display name.
rolledup_observation_id String					A stable and randomized identifier for findings. It is assigned to a finding when one or more observations with largely similar key properties occur in close succession.
severity Decimal					This finding’s Bitsight severity.
severity_category String					This finding’s Bitsight severity.
tags Array					Infrastructure tags identifying the asset.
remediation_history Object					If the `expand=remediation_history` parameter is set, this remediation history is included. This is not applicable to Potentially Exploited findings.
	last_requested_refresh_date Null				This is not applicable to Potentially Exploited findings.
	last_refresh_status_date Null				This is not applicable to Potentially Exploited findings.
	last_refresh_status_label Null				This is not applicable to Potentially Exploited findings.
	last_refresh_reason_code Null				This is not applicable to Potentially Exploited findings.
asset_overrides Array					User-assigned asset importance.
duration String					This finding’s duration.
comments String					This finding’s comments.
remaining_decay Integer					This finding’s remaining lifetime.

February 28, 2025: Added last_refresh_status_reason, last_refresh_reason_code, last_refresh_requester, and result_finding_date response attributes.
April 20, 2022: Published.

Parameters

Example Request

Example Response

Response Attributes

Related articles