
Integrate GravityZone Cloud with Splunk

As a Bitdefender partner, you can integrate GravityZone with Splunk by using the GravityZone APIs and the Splunk HTTP Event Collector. With this service, you can send data from GravityZone Control Center directly to Splunk Enterprise or Splunk Cloud.

Prerequisites

To integrate GravityZone with Splunk, you must have at hand:

  1. Credentials for your GravityZone Cloud account.

  2. Credentials for your Splunk account (cloud or on-premises).

Optionally, you can use a script to automatically enable the integration.

For the Bitdefender Splunk App to correlate data coming from GravityZone, you must install the Bitdefender Splunk Add-on.

Integration steps

To use the GravityZone integration with Splunk you need to follow these steps:

  1. Log in to GravityZone Control Center.

  2. Go to My Account.

  3. Under the API keys section, click Add.

  4. Select the Event Push Service API check box and click Save. The new key appears in the API Keys table.

    [Image: 14099_1.png]
  5. Click Save to preserve the changes made in My Account page.

  1. Log in to Splunk.

  2. Go to Settings > Data Inputs > HTTP Event Collector.

    [Image: 14099_2.png]
  3. Click New Token.

  4. In the Add Data screen, fill in the Name field, as suggested in the image below, and click Next.

    [Image: 14099_3.png]
  5. For Source type, click Select and choose _json.

    [Image: 14099_4.png]

    When using the Bitdefender Splunk App, after installing the Bitdefender Splunk Add-on, click Select and choose bitdefender:gz as the source type.

    [Image: 14099_5.png]
  6. At Index, select a default index or create a new one. The events received by the HTTP Event Collector are written to the selected index.

  7. Click Review.

  8. Verify the data you entered and click Submit.

    The token has been created successfully. Copy the token value and save it. You will need it later to enable the integration.

    [Image: 14099_6.png]
  9. Go to Settings > Data Inputs > HTTP Event Collector and click Global Settings.

    [Image: 14099_7.png]
  10. In the new window, under All Tokens section, select Enabled.

    [Image: 14099_8.png]
  11. Click Save.

After you have created the Event Push Service key in GravityZone Control Center and enabled the HTTP Event Collector in Splunk, you need to enable the integration, that is, instruct GravityZone to start sending events to Splunk.

  1. Gather the information needed to configure the Event Push Service settings. The commands below are run in a terminal on Linux or Mac:

    • GravityZone API URL.

      You find it in My Account > Control Center API and it should be similar to https://cloudgz.gravityzone.bitdefender.com/api.

    • The authorization header of the API key generated in GravityZone.

      The header value is the word Basic, a space, and the Base64 encoding of the API key followed by a colon (HTTP Basic authentication with the key as the user name and an empty password).

      Important

      To obtain the authorization header, run the echo command with the API key followed by a colon (:) and pipe the output to base64:

      > echo -n '604821e87e4c7de3aa15d0e6a97f5ab362281dbf0763746671da2caf4b5cccd1:' | base64 -w 0

      The result should be something like this:

      NjA0ODIxZTg3ZTRjN2RlM2FhMTVkMGU2YTk3ZjVhYjM2MjI4MWRiZjA3NjM3NDY2NzFkYTJjYWY0YjVjY2NkMTo=

      On macOS, omit -w 0: the system base64 does not accept that option and does not wrap its output.
    • Splunk URL.

      You find it in your Splunk Cloud platform and it should be something like this: https://prd-p-xlpxkqpw84k2.cloud.splunk.com. If you use Splunk on-premises, the URL is already in place.

    • HTTP Event Collector token.

  2. Run this command, replacing the authorization header value, the Splunk HTTP Event Collector URL and the Splunk token with your own values. Note that -k and "requireValidSslCertificate": false disable certificate validation on both legs; remove them once the certificates on both sides are trusted:

    > curl -k -X POST \
    https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \
    -H 'authorization: Basic NjA0ODIxZTg3ZTRjN2RlM2FhMTVkMGU2YTk3ZjVhYjM2MjI4MWRiZjA3NjM3NDY2NzFkYTJjYWY0YjVjY2NkMTo=' \
    -H 'cache-control: no-cache' \
    -H 'content-type: application/json' \
    -d '{"params": {"status": 1, "serviceType": "splunk", "serviceSettings": {"url": "https://input-prd-p-r2rmnllpzv4n.cloud.splunk.com:8088/services/collector", "requireValidSslCertificate": false, "splunkAuthorization": "Splunk EA900DEB-22C8-402B-A7F9-A926C1633E7A"}, "subscribeToEventTypes": {"hwid-change": true,"modules": true,"sva": true,"registration": true,"supa-update-status": true,"av": true,"aph": true,"fw": true,"avc": true,"uc": true,"dp": true,"device-control": true,"sva-load": true,"task-status": true,"exchange-malware": true,"network-sandboxing": true,"malware-outbreak": true,"adcloud": true,"exchange-user-credentials": true,"exchange-organization-info": true,"hd": true,"antiexploit": true}}, "jsonrpc": "2.0", "method":"setPushEventSettings", "id": "1"}'

    Note

    GravityZone starts sending events to Splunk after the Event Push Service settings are reloaded. This happens every 10 minutes.

    To start sending events immediately, run this command, replacing the authorization header value with your own:

    > curl -k -X POST \
    https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \
    -H 'authorization: Basic R2U5SENZcWRVN2pJRFI5MHdOMGVFMXpiQjVTbmM1SE46' \
    -H 'cache-control: no-cache' \
    -H 'content-type: application/json' \
    -d '{"params": {}, "jsonrpc": "2.0", "method": "getPushEventSettings", "id": "2"}'

The return should be similar to:

{"id":"1","jsonrpc":"2.0","result":true}

Test the Splunk integration

To test the integration, run this command, replacing the authorization header value with your own and eventType with the event type you want to test:

> curl -k -X POST \
https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \
-H 'authorization: Basic R2U5SENZcWRVN2pJRFI5MHdOMGVFMXpiQjVTbmM1SE46' \
-H 'cache-control: no-cache' \
-H 'content-type: application/json' \
-d '{"params": {"eventType": "av"}, "jsonrpc": "2.0", "method": "sendTestPushEvent", "id": "3"}'

You can also start sending events from GravityZone to Splunk by running a script created by Bitdefender. You can do this in your favorite terminal emulator on Linux or Mac.

  1. Download the script from here.

  2. Make the script executable by running the command:

    chmod +x bdpusheventconfig.sh
  3. Run the script with the command:

    ./bdpusheventconfig.sh -g [console_url] -k [api_key] -t [service_type] -u [service_url] -a [splunk_auth_token] -v -d [events]

The script includes the following options:

Option                  Description
-g [console url]        GravityZone API URL
-k [api_key]            GravityZone API key
-t [service_type]       Service type: splunk or jsonRPC
-u [service_url]        Splunk or RPC URL
-a [splunk_auth_token]  Splunk authorization token
-v                      Verify the service SSL certificate
-c                      Connect to Splunk Cloud free trials. Adds 'input-' to the service host and uses port 8088 (if no port is specified).
-d                      Connect to Splunk Cloud instances. Adds 'http-inputs-' to the service host and uses port 443 (if no port is specified).
-h, --help              Help

These options are similar to the ones used when enabling the integration manually.

The [events] list refers to one or more space-separated events that are to be sent from GravityZone to Splunk. These events are described in the table below:

Event type identifier                Description
modules                              Product Modules event
sva                                  Security Server Status event
registration                         Product Registration event
supa-update-status                   Outdated Update Server event (where the Update Server is a Relay)
av                                   Antimalware event
aph                                  Antiphishing event
fw                                   Firewall event
avc                                  ATC/IDS event
uc                                   User Control event
dp                                   Data Protection event
hd                                   HyperDetect event
sva-load                             Overloaded Security Server event
task-status                          Task Status event
exchange-malware                     Exchange Malware Detection event
network-sandboxing                   Sandbox Analyzer Detection
adcloud                              Active Directory Integration Issue
exchange-user-credentials            Exchange User Credentials
antiexploit                          Antiexploit event
network-monitor                      Network Attack Defense event
endpoint-moved-in                    Endpoint moved in (used for moving endpoints from one company to another)
endpoint-moved-out                   Endpoint moved out (used for moving endpoints from one company to another)
hwid-change                          Hardware ID change
install                              Install agent
new-incident                         New incident
ransomware-mitigation                Ransomware activity detection
security-container-update-available  Security Container update available
troubleshooting-activity             Troubleshooting activity
uninstall                            Uninstall agent

To subscribe to all events, use the value all or specify each one of them. If the events list is empty (no event types specified) then the integration is disabled.
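The three JSON-RPC calls shown above with curl (setPushEventSettings, getPushEventSettings, sendTestPushEvent), the Basic authorization header derived from the API key, and the host rewriting the script's -c and -d options describe, collected in one small Python module. This is an added example and not Bitdefender's code or the bdpusheventconfig.sh script. It assumes that status 0 in setPushEventSettings disables the integration (the page only shows status 1 for enabling), that the script appends /services/collector after rewriting the host (the page's curl example uses that path), that an API failure comes back as a standard JSON-RPC 2.0 error object, and it adds to the events table the three identifiers that appear only in the page's curl example (device-control, malware-outbreak, exchange-organization-info). All sample values are constructed and nothing is sent unless you call post() yourself.

```python
"""Added example, not Bitdefender's code: build, validate and parse the
GravityZone Event Push Service JSON-RPC calls this page issues with curl."""
import base64
import json
import urllib.request
from typing import Iterable, Optional
from urllib.parse import urlsplit, urlunsplit

GZ_PUSH_ENDPOINT = "https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push"

# Event type identifiers from the page's events table, plus the three that only
# appear in the page's curl example (device-control, malware-outbreak,
# exchange-organization-info).
KNOWN_EVENT_TYPES = frozenset({
    "modules", "sva", "registration", "supa-update-status", "av", "aph", "fw",
    "avc", "uc", "dp", "hd", "sva-load", "task-status", "exchange-malware",
    "network-sandboxing", "adcloud", "exchange-user-credentials", "antiexploit",
    "network-monitor", "endpoint-moved-in", "endpoint-moved-out", "hwid-change",
    "install", "new-incident", "ransomware-mitigation",
    "security-container-update-available", "troubleshooting-activity",
    "uninstall", "device-control", "malware-outbreak", "exchange-organization-info",
})


def authorization_header(api_key: str) -> str:
    """Same value as `echo -n '<api_key>:' | base64`: HTTP Basic with the key as
    user name and an empty password, hence the trailing colon."""
    token = base64.b64encode(f"{api_key}:".encode("ascii")).decode("ascii")
    return f"Basic {token}"


def splunk_collector_url(service_url: str, mode: Optional[str] = None) -> str:
    """Derive the HEC endpoint from a Splunk base URL. mode="trial" mirrors the
    script's -c option ('input-' host prefix, port 8088 unless given), mode="cloud"
    mirrors -d ('http-inputs-' prefix, port 443 unless given). Appending
    /services/collector follows the page's curl example (an assumption for the script)."""
    parts = urlsplit(service_url)
    host, port = parts.hostname, parts.port
    if host is None:
        raise ValueError(f"not an absolute URL: {service_url!r}")
    if mode == "trial":
        host, port = "input-" + host, port or 8088
    elif mode == "cloud":
        host, port = "http-inputs-" + host, port or 443
    elif mode is not None:
        raise ValueError(f"unknown mode {mode!r}")
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((parts.scheme, netloc, "/services/collector", "", ""))


def set_push_event_settings(hec_url: str, hec_token: str, events: Iterable[str],
                            require_valid_ssl: bool = True, request_id: str = "1") -> dict:
    """Body of the setPushEventSettings call. "all" expands to every known type,
    unknown identifiers are rejected before anything is sent, and an empty list
    disables the integration (status 0 is assumed to be the disabled value)."""
    wanted = set(events)
    if wanted == {"all"}:
        wanted = set(KNOWN_EVENT_TYPES)
    unknown = wanted - KNOWN_EVENT_TYPES
    if unknown:
        raise ValueError(f"unknown event types: {sorted(unknown)}")
    return {
        "params": {
            "status": 1 if wanted else 0,
            "serviceType": "splunk",
            "serviceSettings": {
                "url": hec_url,
                # The page's curl sets this to false; keep validation on by default.
                "requireValidSslCertificate": require_valid_ssl,
                "splunkAuthorization": f"Splunk {hec_token}",
            },
            "subscribeToEventTypes": {e: True for e in sorted(wanted)},
        },
        "jsonrpc": "2.0", "method": "setPushEventSettings", "id": request_id,
    }


def get_push_event_settings(request_id: str = "2") -> dict:
    return {"params": {}, "jsonrpc": "2.0", "method": "getPushEventSettings", "id": request_id}


def send_test_push_event(event_type: str, request_id: str = "3") -> dict:
    if event_type not in KNOWN_EVENT_TYPES:
        raise ValueError(f"unknown event type {event_type!r}")
    return {"params": {"eventType": event_type}, "jsonrpc": "2.0",
            "method": "sendTestPushEvent", "id": request_id}


def parse_response(body: str, expected_id: str):
    """Return the JSON-RPC result, or raise on an error object or a mismatched id."""
    reply = json.loads(body)
    if reply.get("id") != expected_id:
        raise RuntimeError(f"response id {reply.get('id')!r} != {expected_id!r}")
    if "error" in reply:  # assumed JSON-RPC 2.0 error object shape
        raise RuntimeError(f"JSON-RPC error: {reply['error']}")
    return reply["result"]


def post(payload: dict, api_key: str, endpoint: str = GZ_PUSH_ENDPOINT, timeout: float = 30):
    """Send one call with the same headers as the page's curl commands; unlike
    curl -k, TLS certificate verification stays on."""
    req = urllib.request.Request(
        endpoint, data=json.dumps(payload).encode("utf-8"), method="POST",
        headers={"authorization": authorization_header(api_key),
                 "cache-control": "no-cache", "content-type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_response(resp.read().decode("utf-8"), payload["id"])


if __name__ == "__main__":
    # Constructed values; nothing is sent.
    hec = splunk_collector_url("https://prd-p-xlpxkqpw84k2.cloud.splunk.com", "trial")
    print(json.dumps(set_push_event_settings(hec, "EA900DEB-22C8-402B-A7F9-A926C1633E7A", ["av", "fw"]), indent=2))
    print(parse_response('{"id":"1","jsonrpc":"2.0","result":true}', "1"))
```

Validating the event list locally before the call catches a misspelled identifier that the API would otherwise silently accept or reject, and parse_response turns a JSON-RPC error object into an exception instead of letting a script read a missing "result" as success.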

Examples

Enable the Splunk integration

./bdpusheventconfig.sh -g https://gz.example.com/api/v1.0/jsonrpc/push \
  -k abcdefghijklmnopqrstuvwxyz123456 -t splunk \
  -u https://splunk.example.com -a 11111111-2222-3333-4444-555555555555 -d \
  modules sva registration supa-update-status av aph fw avc uc dp sva-load \
  task-status exchange-malware network-sandboxing adcloud exchange-user-credentials

./bdpusheventconfig.sh -g https://gz.example.com/api/v1.0/jsonrpc/push \
  -k abcdefghijklmnopqrstuvwxyz123456 -t splunk \
  -u https://splunk.example.com -a 11111111-2222-3333-4444-555555555555 -c all

Configure a json RPC service

./bdpusheventconfig.sh -g https://gz.example.com/api/v1.0/jsonrpc/push \
  -k abcdefghijklmnopqrstuvwxyz123456 -t jsonRPC -u https://rpc.example.com \
  modules sva registration supa-update-status av aph fw avc uc dp sva-load \
  task-status exchange-malware network-sandboxing adcloud exchange-user-credentials

Disable the Splunk integration

./bdpusheventconfig.sh -g https://gz.example.com/api/v1.0/jsonrpc/push \
  -k abcdefghijklmnopqrstuvwxyz123456 -t splunk \
  -u https://splunk.example.com -a 11111111-2222-3333-4444-555555555555 -c

For details about Push Events Service, refer to the Push section.

For details about creating reports based on data from GravityZone in Splunk, refer to Create reports in Splunk based on GravityZone data.