Skip to content

Bitsight SPM

Overview

Bitsight Security Performance Management enables organizations to continuously monitor, measure, and improve their cybersecurity performance by providing actionable insights and metrics on security posture and risk.

Warning

Important note - This format is currently in beta. We highly value your feedback to improve its performance.

Supported events

This integration supports the following events:

  • Findings (with vulnerability detail and asset detail)

The following Sekoia.io built-in rules match the intake Bitsight SPM [BETA]. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.

SEKOIA.IO x Bitsight SPM [BETA] on ATT&CK Navigator

Bazar Loader DGA (Domain Generation Algorithm)

Detects Bazar Loader domains based on the Bazar Loader DGA

  • Effort: elementary
Bitsight SPM Material Vulnerability

Bitsight SPM has raised a material vulnerability finding

  • Effort: master
Bitsight SPM Minor Vulnerability

Bitsight SPM has raised a minor vulnerability finding

  • Effort: master
Bitsight SPM Moderate Vulnerability

Bitsight SPM has raised a moderate vulnerability finding

  • Effort: master
Bitsight SPM Severe Vulnerability

Bitsight SPM has raised a severe vulnerability finding

  • Effort: master
Cryptomining

Detection of domain names potentially related to cryptomining activities.

  • Effort: master
Dynamic DNS Contacted

Detect communication with dynamic dns domain. This kind of domain is often used by attackers. This rule can trigger false positive in non-controlled environment because dynamic dns is not always malicious.

  • Effort: master
Exfiltration Domain

Detects traffic toward a domain flagged as a possible exfiltration vector.

  • Effort: master
Remote Access Tool Domain

Detects traffic toward a domain flagged as a Remote Administration Tool (RAT).

  • Effort: master
Sekoia.io EICAR Detection

Detects observables in Sekoia.io CTI tagged as EICAR, which are fake samples meant to test detection.

  • Effort: master
TOR Usage Generic Rule

Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.

  • Effort: master

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
Application logs None
Process monitoring None
Web logs None

In details, the following table denotes the type of events produced by this integration.

Name Values
Kind ``
Category vulnerability
Type info

Event Samples

Find below few samples of events and how they are normalized by Sekoia.io.

{
    "message": "{\"temporary_id\":\"11111111111111\",\"affects_rating\":true,\"details\":{\"cvss\":{\"base\":[]},\"check_pass\":\"\",\"diligence_annotations\":{\"modal_data\":{\"type\":\"overridden\",\"reason\":\"Software version in extended support\"},\"modal_tags\":{\"Type\":\"MS IIS\",\"Version\":\"7.5\"},\"server\":\"MS IIS\",\"version\":\"7.5\"},\"geo_ip_location\":\"test\",\"country\":\"test country\",\"grade\":\"BAD\",\"observed_ips\":[\"1.2.3.4\"],\"port_list\":[80,81,8443,8880],\"remediations\":[{\"message\":\"Software version in extended support\",\"help_text\":\"The software version is outside mainstream support and is currently in extended support.\",\"remediation_tip\":\"Ensure the latest version of the software is installed. See <a href=\\\"https://help.bitsight.com/hc/en-us/articles/360010346733-Supported-Server-Software\\\">supported versions</a>.\"}],\"sample_timestamp\":\"2024-06-29T21:02:18Z\",\"dest_port\":80,\"rollup_end_date\":\"2024-06-29\",\"rollup_start_date\":\"2023-10-04\",\"searchable_details\":\"Software version in extended support,MS IIS,7.5\"},\"evidence_key\":\"1.2.3.4\",\"first_seen\":\"2023-10-04\",\"last_seen\":\"2024-06-29\",\"related_findings\":[],\"risk_category\":\"Diligence\",\"risk_vector\":\"server_software\",\"risk_vector_label\":\"Server Software\",\"rolledup_observation_id\":\"11111111111\",\"severity\":8.0,\"severity_category\":\"material\",\"tags\":[],\"remediation_history\":{\"last_requested_refresh_date\":null,\"last_refresh_status_date\":null,\"last_refresh_status_label\":null,\"last_refresh_reason_code\":null},\"asset_overrides\":[],\"duration\":null,\"comments\":\"User from Test, Inc. said: \\\"Test assignments\\\" at 2023-11-28 12:27 UTC\",\"remaining_decay\":57,\"remediated\":null,\"impacts_risk_vector_details\":\"AFFECTS_RATING\",\"company_uuid\":\"111111111111111\",\"asset\":{\"asset\":\"1.2.3.4\",\"identifier\":null,\"category\":\"critical\",\"importance\":0.49,\"is_ip\":true,\"asset_type\":\"IP\"}}",
    "event": {
        "category": "vulnerability",
        "end": "2024-06-29T00:00:00Z",
        "start": "2023-10-04T00:00:00Z",
        "type": "info"
    },
    "@timestamp": "2024-06-29T00:00:00Z",
    "bitsight": {
        "spm": {
            "impacts_risk_vector_details": "AFFECTS_RATING",
            "risk_category": "Diligence",
            "risk_vector": "server_software",
            "risk_vector_label": "Server Software",
            "severity": "8.0",
            "severity_category": "material",
            "temporary_id": "11111111111111"
        }
    },
    "host": {
        "ip": [
            "1.2.3.4"
        ]
    },
    "observer": {
        "product": "Security Performance Management",
        "vendor": "BitSight"
    },
    "organization": {
        "id": "111111111111111"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ]
    }
}
{
    "message": "{\n  \"temporary_id\": \"11111111111111111\",\n  \"affects_rating\": true,\n  \"details\": {\n    \"cvss\": {\n      \"base\": [\n        \n      ]\n    },\n    \"check_pass\": \"\",\n    \"diligence_annotations\": {\n      \"message\": \"Detected service: HTTP\",\n      \"CPE\": [\n        \"a:amazon:amazon_cloudfront\"\n      ],\n      \"Tags\": [\n        \n      ],\n      \"Product\": \"CloudFront httpd\",\n      \"Title\": \"ERROR: The request could not be satisfied\",\n      \"transport\": \"tcp\",\n      \"Status\": \"HTTP/1.1 400 Bad Request\",\n      \"Server\": \"CloudFront\"\n    },\n    \"final_location\": \"http://1.2.3.4:12/\",\n    \"geo_ip_location\": \"Location\",\n    \"country\": \"Country\",\n    \"grade\": \"NEUTRAL\",\n    \"remediations\": [\n      {\n        \"message\": \"Detected service: HTTP\",\n        \"help_text\": \"This port was observed running HTTP, which used for sending and receiving Internet traffic.\",\n        \"remediation_tip\": \"\"\n      }\n    ],\n    \"sample_timestamp\": \"2024-06-29T08:37:25Z\",\n    \"dest_port\": 443,\n    \"rollup_end_date\": \"2024-06-29\",\n    \"rollup_start_date\": \"2024-02-13\",\n    \"searchable_details\": \"Detected service: HTTP,tcp,CloudFront httpd\"\n  },\n  \"evidence_key\": \"143.204.213.175:443\",\n  \"first_seen\": \"2024-02-13\",\n  \"last_seen\": \"2024-06-29\",\n  \"related_findings\": [\n    \n  ],\n  \"risk_category\": \"Diligence\",\n  \"risk_vector\": \"open_ports\",\n  \"risk_vector_label\": \"Open Ports\",\n  \"rolledup_observation_id\": \"1222222222222\",\n  \"severity\": 1.0,\n  \"severity_category\": \"minor\",\n  \"tags\": [\n    \n  ],\n  \"remediation_history\": {\n    \"last_requested_refresh_date\": null,\n    \"last_refresh_status_date\": null,\n    \"last_refresh_status_label\": null,\n    \"last_refresh_reason_code\": null\n  },\n  \"asset_overrides\": [\n    \n  ],\n  \"duration\": null,\n  \"comments\": null,\n  \"remaining_decay\": 57,\n  \"remediated\": null,\n  \"impacts_risk_vector_details\": \"AFFECTS_RATING\",\n  \"company_uuid\": \"1111111111111111111111111111\",\n  \"asset\": {\n    \"asset\": \"1.2.3.4\",\n    \"identifier\": null,\n    \"category\": \"low\",\n    \"importance\": 0.0,\n    \"is_ip\": true,\n    \"asset_type\": \"IP\"\n  }\n}",
    "event": {
        "category": "vulnerability",
        "end": "2024-06-29T00:00:00Z",
        "start": "2024-02-13T00:00:00Z",
        "type": "info"
    },
    "@timestamp": "2024-06-29T00:00:00Z",
    "bitsight": {
        "spm": {
            "impacts_risk_vector_details": "AFFECTS_RATING",
            "risk_category": "Diligence",
            "risk_vector": "open_ports",
            "risk_vector_label": "Open Ports",
            "severity": "1.0",
            "severity_category": "minor",
            "temporary_id": "11111111111111111"
        }
    },
    "host": {
        "ip": [
            "1.2.3.4"
        ]
    },
    "observer": {
        "product": "Security Performance Management",
        "vendor": "BitSight"
    },
    "organization": {
        "id": "1111111111111111111111111111"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ]
    }
}
{
    "message": "{\n  \"temporary_id\": \"11111111111111\",\n  \"affects_rating\": true,\n  \"details\": {\n    \"cvss\": {\n      \"base\": [\n        \n      ]\n    },\n    \"check_pass\": \"\",\n    \"diligence_annotations\": {\n      \"message\": \"Allows insecure protocol: TLSv1.0, Allows insecure protocol: TLSv1.1\",\n      \"certchain\": [\n        {\n          \"dnsName\": [\n            \"*.test.test\",\n            \"test.test\"\n          ],\n          \"endDate\": \"2025-05-15 23:59:59\",\n          \"issuerName\": \"C=TestC,O=TestO,CN=TestCN RSA Domain Validation Secure Server CA 3\",\n          \"keyAlgorithm\": \"RSA\",\n          \"keyLength\": 2048,\n          \"serialNumber\": \"111111111111111111111111\",\n          \"signatureAlgorithm\": \"SHA384WITHRSA\",\n          \"startDate\": \"2024-05-07 00:00:00\",\n          \"subjectName\": \"CN=*.test.test\"\n        },\n        {\n          \"dnsName\": [\n            \n          ],\n          \"endDate\": \"2033-08-01 23:59:59\",\n          \"issuerName\": \"C=TestC,ST=TestST,L=TestL,O=TestO,CN=TestCN RSA Certification Authority\",\n          \"keyAlgorithm\": \"RSA\",\n          \"keyLength\": 3072,\n          \"serialNumber\": \"1111111111111111111111111111\",\n          \"signatureAlgorithm\": \"SHA384WITHRSA\",\n          \"startDate\": \"2023-08-02 00:00:00\",\n          \"subjectName\": \"C=TestC,O=TestO,CN=TestCN RSA Domain Validation Secure Server CA 3\"\n        }\n      ]\n    },\n    \"final_location\": \"https://1.2.3.4/\",\n    \"geo_ip_location\": \"Test\",\n    \"country\": \"Test country\",\n    \"grade\": \"BAD\",\n    \"observed_ips\": [\n      \"1.2.3.4:443\"\n    ],\n    \"remediations\": [\n      {\n        \"message\": \"Allows insecure protocol: TLSv1.0\",\n        \"help_text\": \"TLS version 1.0 has been deprecated.\",\n        \"remediation_tip\": \"Disable TLS 1.0. See our <a href=\\\"https://help.bitsight.com/hc/en-us/articles/9176707227031-TLS-SSL-Finding-Remediation-Remediation-Verification\\\">guide for remediating TLS/SSL Configuration findings</a>.\"\n      },\n      {\n        \"message\": \"Allows insecure protocol: TLSv1.1\",\n        \"help_text\": \"TLS version 1.1 has been deprecated.\",\n        \"remediation_tip\": \"Disable TLS 1.1. See our <a href=\\\"https://help.bitsight.com/hc/en-us/articles/9176707227031-TLS-SSL-Finding-Remediation-Remediation-Verification\\\">guide on verifying TLS is disabled</a>.\"\n      }\n    ],\n    \"sample_timestamp\": \"2024-06-29T00:49:11Z\",\n    \"dest_port\": 443,\n    \"rollup_end_date\": \"2024-06-29\",\n    \"rollup_start_date\": \"2024-06-20\",\n    \"searchable_details\": \"test details\"\n  },\n  \"evidence_key\": \"18.134.200.62:443\",\n  \"first_seen\": \"2024-06-20\",\n  \"last_seen\": \"2024-06-29\",\n  \"related_findings\": [\n    \n  ],\n  \"risk_category\": \"Diligence\",\n  \"risk_vector\": \"ssl_configurations\",\n  \"risk_vector_label\": \"SSL Configurations\",\n  \"rolledup_observation_id\": \"122222222222222222\",\n  \"severity\": 10.0,\n  \"severity_category\": \"severe\",\n  \"tags\": [\n    \n  ],\n  \"remediation_history\": {\n    \"last_requested_refresh_date\": null,\n    \"last_refresh_status_date\": null,\n    \"last_refresh_status_label\": null,\n    \"last_refresh_reason_code\": null\n  },\n  \"asset_overrides\": [\n    \n  ],\n  \"duration\": null,\n  \"comments\": null,\n  \"remaining_decay\": 57,\n  \"remediated\": null,\n  \"impacts_risk_vector_details\": \"AFFECTS_RATING\",\n  \"company_uuid\": \"11111111111111111111111111111\",\n  \"asset\": {\n    \"asset\": \"1.2.3.4\",\n    \"identifier\": null,\n    \"category\": \"low\",\n    \"importance\": 0.0,\n    \"is_ip\": true,\n    \"asset_type\": \"IP\"\n  }\n}",
    "event": {
        "category": "vulnerability",
        "end": "2024-06-29T00:00:00Z",
        "start": "2024-06-20T00:00:00Z",
        "type": "info"
    },
    "@timestamp": "2024-06-29T00:00:00Z",
    "bitsight": {
        "spm": {
            "impacts_risk_vector_details": "AFFECTS_RATING",
            "risk_category": "Diligence",
            "risk_vector": "ssl_configurations",
            "risk_vector_label": "SSL Configurations",
            "severity": "10.0",
            "severity_category": "severe",
            "temporary_id": "11111111111111"
        }
    },
    "host": {
        "ip": [
            "1.2.3.4"
        ]
    },
    "observer": {
        "product": "Security Performance Management",
        "vendor": "BitSight"
    },
    "organization": {
        "id": "11111111111111111111111111111"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ]
    }
}
{
    "message": "{\n  \"temporary_id\": \"11111111111111111111111111111111\",\n  \"affects_rating\": true,\n  \"details\": {\n    \"cvss\": {\n      \"base\": [\n        \n      ]\n    },\n    \"check_pass\": \"\",\n    \"diligence_annotations\": {\n      \"message\": \"Detected service: HTTPS\",\n      \"CPE\": [\n        \"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*\"\n      ],\n      \"Tags\": [\n        \n      ],\n      \"Title\": \"Service\",\n      \"transport\": \"tcp\",\n      \"Status\": \"HTTP/1.1 200 OK\",\n      \"Server\": \"Microsoft-HTTPAPI/2.0\"\n    },\n    \"final_location\": \"https://1.2.3.4:8086/\",\n    \"geo_ip_location\": \"Test\",\n    \"country\": \"TestCountry\",\n    \"grade\": \"GOOD\",\n    \"remediations\": [\n      {\n        \"message\": \"Detected service: HTTPS\",\n        \"help_text\": \"This port was observed running Hypertext Transfer Protocol Secure (HTTPS), which is used for sending and receiving secure internet traffic.\",\n        \"remediation_tip\": \"\"\n      }\n    ],\n    \"sample_timestamp\": \"2024-06-29T11:52:03Z\",\n    \"dest_port\": 8086,\n    \"rollup_end_date\": \"2024-06-29\",\n    \"rollup_start_date\": \"2023-05-13\",\n    \"searchable_details\": \"Detected service: HTTPS,tcp\"\n  },\n  \"evidence_key\": \"1.2.3.4:8086\",\n  \"first_seen\": \"2023-05-13\",\n  \"last_seen\": \"2024-06-29\",\n  \"related_findings\": [\n    \n  ],\n  \"risk_category\": \"Diligence\",\n  \"risk_vector\": \"open_ports\",\n  \"risk_vector_label\": \"Open Ports\",\n  \"rolledup_observation_id\": \"1123123123123123123\",\n  \"severity\": 1.0,\n  \"severity_category\": \"minor\",\n  \"tags\": [\n    \n  ],\n  \"remediation_history\": {\n    \"last_requested_refresh_date\": null,\n    \"last_refresh_status_date\": null,\n    \"last_refresh_status_label\": null,\n    \"last_refresh_reason_code\": null\n  },\n  \"asset_overrides\": [\n    \n  ],\n  \"duration\": null,\n  \"comments\": null,\n  \"remaining_decay\": 57,\n  \"remediated\": null,\n  \"impacts_risk_vector_details\": \"AFFECTS_RATING\",\n  \"company_uuid\": \"1111111111111111111111111\",\n  \"asset\": {\n    \"asset\": \"1.2.3.4\",\n    \"identifier\": null,\n    \"category\": \"low\",\n    \"importance\": 0.0,\n    \"is_ip\": true,\n    \"asset_type\": \"IP\"\n  }\n}",
    "event": {
        "category": "vulnerability",
        "end": "2024-06-29T00:00:00Z",
        "start": "2023-05-13T00:00:00Z",
        "type": "info"
    },
    "@timestamp": "2024-06-29T00:00:00Z",
    "bitsight": {
        "spm": {
            "impacts_risk_vector_details": "AFFECTS_RATING",
            "risk_category": "Diligence",
            "risk_vector": "open_ports",
            "risk_vector_label": "Open Ports",
            "severity": "1.0",
            "severity_category": "minor",
            "temporary_id": "11111111111111111111111111111111"
        }
    },
    "host": {
        "ip": [
            "1.2.3.4"
        ]
    },
    "observer": {
        "product": "Security Performance Management",
        "vendor": "BitSight"
    },
    "organization": {
        "id": "1111111111111111111111111"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ]
    }
}
{
    "message": "{\n  \"temporary_id\": \"1111111111111111111111111111111111111111111111111111&\",\n  \"affects_rating\": false,\n  \"asset\": {\n      \"asset\": \"1.2.3.4\",\n      \"identifier\": null,\n      \"category\": \"low\",\n      \"importance\": 0,\n      \"is_ip\": true,\n      \"asset_type\": \"Domain\"\n  },\n  \"vulnerability\": {\n    \"name\": \"CVE-2014-3566\",\n    \"alias\": \"POODLE\",\n    \"display_name\": \"POODLE\",\n    \"description\": \"The SSLv3 protocol, as used in OpenSSL through 1.0.1i and other products, makes it easier for Man-in-the-middle (MITM) attackers to obtain cleartext data via a padding-oracle attack (a.k.a. POODLE).\",\n    \"remediation_tip\": \"Ensure all of your TLS/SSL libraries on the affected machines are up-to-date. Disable SSLv3 support on those servers, as described in <a target=\\\"new\\\" href=\\\"https://disablessl3.com/\\\">Disable SSLv3</a>.\",\n    \"confidence\": \"HIGH\",\n    \"cvss\": {\n      \"base\": 3.4\n    },\n    \"severity\": \"Minor\"\n  },\n  \"company_uuid\": \"399e55d6-eab2-438d-84cd-fb0d0b967fcd\",\n  \"details\": {\n    \"cvss\": {\n      \"base\": [\n        3.4\n      ]\n    },\n    \"check_pass\": \"\",\n    \"diligence_annotations\": {\n      \"remediation_dates\": [\n        {\n          \"first\": \"2022-08-14 21:04:42\",\n          \"last\": \"2022-08-14 21:04:42\"\n        }\n      ],\n      \"is_remediated\": true\n    },\n    \"remediations\": [\n      {\n        \"message\": \"CVE-2014-3566 (POODLE)\",\n        \"help_text\": \"The SSLv3 protocol, as used in OpenSSL through 1.0.1i and other products, makes it easier for Man-in-the-middle (MITM) attackers to obtain cleartext data via a padding-oracle attack (a.k.a. POODLE).\",\n        \"remediation_tip\": \"Ensure all of your TLS/SSL libraries on the affected machines are up-to-date. Disable SSLv3 support on those servers, as described in <a target=\\\"new\\\" href=\\\"https://disablessl3.com/\\\">Disable SSLv3</a>.\"\n      }\n    ],\n    \"rollup_end_date\": \"2022-08-14\",\n    \"rollup_start_date\": \"2022-08-14\",\n    \"searchable_details\": \"CVE-2014-3566\"\n  },\n  \"evidence_key\": \"1.2.3.4:443\",\n  \"first_seen\": \"2022-08-14\",\n  \"last_seen\": \"2022-08-14\",\n  \"related_findings\": [],\n  \"risk_category\": \"Diligence\",\n  \"risk_vector\": \"patching_cadence\",\n  \"risk_vector_label\": \"Patching Cadence\",\n  \"rolledup_observation_id\": \"ZxFoXXsV3gvZS0t0oTmxcA==\",\n  \"severity\": 4.3,\n  \"severity_category\": \"moderate\",\n  \"tags\": [],\n  \"remediation_history\": {\n    \"last_requested_refresh_date\": null,\n    \"last_refresh_status_date\": null,\n    \"last_refresh_status_label\": null,\n    \"last_refresh_reason_code\": null\n  },\n  \"asset_overrides\": [],\n  \"duration\": \"1 day\",\n  \"comments\": null,\n  \"remaining_decay\": null,\n  \"remediated\": true,\n  \"impacts_risk_vector_details\": \"LIFETIME_EXPIRED\"\n}",
    "event": {
        "category": "vulnerability",
        "end": "2022-08-14T00:00:00Z",
        "start": "2022-08-14T00:00:00Z",
        "type": "info"
    },
    "@timestamp": "2022-08-14T00:00:00Z",
    "bitsight": {
        "spm": {
            "impacts_risk_vector_details": "LIFETIME_EXPIRED",
            "remediated": true,
            "risk_category": "Diligence",
            "risk_vector": "patching_cadence",
            "risk_vector_label": "Patching Cadence",
            "severity": "4.3",
            "severity_category": "moderate",
            "temporary_id": "1111111111111111111111111111111111111111111111111111&",
            "vulnerability_confidence": "HIGH"
        }
    },
    "observer": {
        "product": "Security Performance Management",
        "vendor": "BitSight"
    },
    "organization": {
        "id": "399e55d6-eab2-438d-84cd-fb0d0b967fcd"
    },
    "related": {
        "hosts": [
            "1.2.3.4"
        ]
    },
    "url": {
        "domain": "1.2.3.4"
    },
    "vulnerability": {
        "description": "The SSLv3 protocol, as used in OpenSSL through 1.0.1i and other products, makes it easier for Man-in-the-middle (MITM) attackers to obtain cleartext data via a padding-oracle attack (a.k.a. POODLE).",
        "id": "CVE-2014-3566",
        "score": {
            "base": 3.4
        },
        "severity": "Minor"
    }
}
{
    "message": "{\n  \"temporary_id\": \"1111111111111111111111111111111111111111111111111111&\",\n  \"affects_rating\": false,\n  \"asset\": {\n      \"asset\": \"1.2.3.4\",\n      \"identifier\": null,\n      \"category\": \"low\",\n      \"importance\": 0,\n      \"is_ip\": true,\n      \"asset_type\": \"IP\"\n  },\n  \"vulnerability\": {\n    \"name\": \"CVE-2014-3566\",\n    \"alias\": \"POODLE\",\n    \"display_name\": \"POODLE\",\n    \"description\": \"The SSLv3 protocol, as used in OpenSSL through 1.0.1i and other products, makes it easier for Man-in-the-middle (MITM) attackers to obtain cleartext data via a padding-oracle attack (a.k.a. POODLE).\",\n    \"remediation_tip\": \"Ensure all of your TLS/SSL libraries on the affected machines are up-to-date. Disable SSLv3 support on those servers, as described in <a target=\\\"new\\\" href=\\\"https://disablessl3.com/\\\">Disable SSLv3</a>.\",\n    \"confidence\": \"HIGH\",\n    \"cvss\": {\n      \"base\": 3.4\n    },\n    \"severity\": \"Minor\"\n  },\n  \"company_uuid\": \"399e55d6-eab2-438d-84cd-fb0d0b967fcd\",\n  \"details\": {\n    \"cvss\": {\n      \"base\": [\n        3.4\n      ]\n    },\n    \"check_pass\": \"\",\n    \"diligence_annotations\": {\n      \"remediation_dates\": [\n        {\n          \"first\": \"2022-08-14 21:04:42\",\n          \"last\": \"2022-08-14 21:04:42\"\n        }\n      ],\n      \"is_remediated\": true\n    },\n    \"remediations\": [\n      {\n        \"message\": \"CVE-2014-3566 (POODLE)\",\n        \"help_text\": \"The SSLv3 protocol, as used in OpenSSL through 1.0.1i and other products, makes it easier for Man-in-the-middle (MITM) attackers to obtain cleartext data via a padding-oracle attack (a.k.a. POODLE).\",\n        \"remediation_tip\": \"Ensure all of your TLS/SSL libraries on the affected machines are up-to-date. Disable SSLv3 support on those servers, as described in <a target=\\\"new\\\" href=\\\"https://disablessl3.com/\\\">Disable SSLv3</a>.\"\n      }\n    ],\n    \"rollup_end_date\": \"2022-08-14\",\n    \"rollup_start_date\": \"2022-08-14\",\n    \"searchable_details\": \"CVE-2014-3566\"\n  },\n  \"evidence_key\": \"1.2.3.4:443\",\n  \"first_seen\": \"2022-08-14\",\n  \"last_seen\": \"2022-08-14\",\n  \"related_findings\": [],\n  \"risk_category\": \"Diligence\",\n  \"risk_vector\": \"patching_cadence\",\n  \"risk_vector_label\": \"Patching Cadence\",\n  \"rolledup_observation_id\": \"ZxFoXXsV3gvZS0t0oTmxcA==\",\n  \"severity\": 4.3,\n  \"severity_category\": \"moderate\",\n  \"tags\": [],\n  \"remediation_history\": {\n    \"last_requested_refresh_date\": null,\n    \"last_refresh_status_date\": null,\n    \"last_refresh_status_label\": null,\n    \"last_refresh_reason_code\": null\n  },\n  \"asset_overrides\": [],\n  \"duration\": \"1 day\",\n  \"comments\": null,\n  \"remaining_decay\": null,\n  \"remediated\": true,\n  \"impacts_risk_vector_details\": \"LIFETIME_EXPIRED\"\n}",
    "event": {
        "category": "vulnerability",
        "end": "2022-08-14T00:00:00Z",
        "start": "2022-08-14T00:00:00Z",
        "type": "info"
    },
    "@timestamp": "2022-08-14T00:00:00Z",
    "bitsight": {
        "spm": {
            "impacts_risk_vector_details": "LIFETIME_EXPIRED",
            "remediated": true,
            "risk_category": "Diligence",
            "risk_vector": "patching_cadence",
            "risk_vector_label": "Patching Cadence",
            "severity": "4.3",
            "severity_category": "moderate",
            "temporary_id": "1111111111111111111111111111111111111111111111111111&",
            "vulnerability_confidence": "HIGH"
        }
    },
    "host": {
        "ip": [
            "1.2.3.4"
        ]
    },
    "observer": {
        "product": "Security Performance Management",
        "vendor": "BitSight"
    },
    "organization": {
        "id": "399e55d6-eab2-438d-84cd-fb0d0b967fcd"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ]
    },
    "vulnerability": {
        "description": "The SSLv3 protocol, as used in OpenSSL through 1.0.1i and other products, makes it easier for Man-in-the-middle (MITM) attackers to obtain cleartext data via a padding-oracle attack (a.k.a. POODLE).",
        "id": "CVE-2014-3566",
        "score": {
            "base": 3.4
        },
        "severity": "Minor"
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
@timestamp date Date/time when the event originated.
bitsight.spm.impacts_risk_vector_details keyword The details of the risk vector.
bitsight.spm.remediated boolean Whether the vulnerability has been remediated.
bitsight.spm.risk_category keyword The category of the risk.
bitsight.spm.risk_vector keyword The vector of the risk.
bitsight.spm.risk_vector_label keyword The vector label of the risk.
bitsight.spm.severity keyword The severity of the event.
bitsight.spm.severity_category keyword The category of the severity.
bitsight.spm.temporary_id keyword A temporary ID.
bitsight.spm.vulnerability_confidence keyword The confidence score of the vulnerability.
event.category keyword Event category. The second categorization field in the hierarchy.
event.end date event.end contains the date when the event ended or when the activity was last observed.
event.start date event.start contains the date when the event started or when the activity was first observed.
event.type keyword Event type. The third categorization field in the hierarchy.
host.ip ip Host ip addresses.
observer.product keyword The product name of the observer.
observer.vendor keyword Vendor name of the observer.
organization.id keyword Unique identifier for the organization.
url.domain keyword Domain of the url.
vulnerability.description keyword Description of the vulnerability.
vulnerability.id keyword ID of the vulnerability.
vulnerability.score.base float Vulnerability Base score.
vulnerability.severity keyword Severity of the vulnerability.

Configure

This setup guide will show you how to provide an integration between Bitsight SPM and Sekoia.io.

Generate the API token

To collect the events from the Cato Networks platform, an API token is required:

  1. Make sure the Bitsight user used for the integration has at least Reader permissions.
  2. Log in to Bitsight Security Ratings Platform
  3. Go to Settings -> Account -> API Token -> Generate New Token (API Key)
  4. Create new API Token

    Personal settings

Create an intake

Go to the intake page and create a new intake from the format Bitsight SPM. Copy the intake key.

Pull events

To start to pull events, you have to:

  1. Go to the playbooks page and create a new playbook with the Bitsight SPM trigger
  2. Set up the module configuration with the Api Token and Company UUIds. Set up the trigger configuration with the intake key
  3. Start the playbook and enjoy your events

Further readings