Bitdefender B2B Help Center

SIEMs

IBM QRadar

Prerequisites
  • IBM QRadar On-premises version 7.3.3 (Patch 6).

  • Bitdefender GravityZone On-premises minimum version 6.23.x with Syslog protocol enabled using either TCP or UDP.

GravityZone Integration with IBM QRadar

This integration lets you monitor GravityZone events in IBM QRadar. Bitdefender App for QRadar is a device support module (DSM) that categorizes events according to QRadar high-level and low-level threat categories, allowing a QRadar administrator to perform complex searches and cross-correlations across multiple event types and sources, and to carry out threat-hunting activities using the in-depth information reported by GravityZone technology layers.

To allow GravityZone to send notifications to the QRadar instance using the Syslog protocol:

  1. Connect to the GravityZone Control Center.

  2. Go to the Configuration page and click Miscellaneous.

  3. Select the Enable Syslog check box.

  4. Enter the IP address of the QRadar instance, the preferred protocol and the port Syslog listens to.

  5. Select the format Common Event Format (CEF) to send the data to the Syslog server.

  6. Click the Add button from the Action column.

    [Image: Enable Syslog]

To select the events you want to receive on the QRadar instance:

  1. Connect to the GravityZone Control Center.

  2. Click the Notification button at the right side of the menu bar and then click the Settings icon.

  3. Under Enable Notification section, choose the type of notifications you want to receive from GravityZone and select the Log to server checkbox.

For more information, refer to Notification Types.

Application Deployment in QRadar

To install the Bitdefender App for QRadar in IBM QRadar:

  1. Log in to IBM QRadar.

    [Image: QRadar login]

  2. Click the Admin tab.

  3. Under the System Configuration section, click Extensions Management. A new window will open.

  4. Click the Add button from the right side and then Browse for the installation kit.

  5. Select Install immediately, and then click Add.

  6. Click Install.

You can find the application in the Extensions Management window after the installation is complete.

[Image: Bitdefender App for QRadar]

Log Sources Configuration

To receive the security events in the QRadar instance follow these steps:

  1. Click the Admin tab.

  2. Under the Data Sources > Events section, click Log Sources.

  3. Double click the Bitdefender CEF Syslog log source. A configuration window will open.

  4. In the Log Source Identifier field, type the hostname of the GravityZone appliance. The default hostname is: gzva

    [Image: Log Source Configuration]

  5. Click Save and close the window.

  6. Click Deploy Changes on the upper left side of the page to activate your new log source.

Saved Searches

To help you identify security events, Bitdefender App for QRadar includes two saved searches:

  • Bitdefender Malware - Still Infected Hosts centralizes events from the Antimalware and HyperDetect modules. You can view the events in which the item scanned by the corresponding technology is ignored, restored, or still present. The events provide you with details such as the IP address, username, computer name, malware type, malware name, and action state.

  • Bitdefender Threats Overview centralizes events from the following modules: Antimalware, Antiphishing, Advanced Threat Control, Security for Exchange, HyperDetect, Hypervisor Memory Introspection (HVI), Sandbox Analyzer, Advanced Anti-Exploit, Content Control, Security for Storage and Ransomware Mitigation. The events provide you with details such as IP address, username, computer name and action state.

To use these searches follow the steps below:

  1. Click the Log Activity tab.

  2. Click Quick Searches from the upper left side of the page. You should see a list with all the saved searches, custom and predefined.

    [Image: Bitdefender Saved Searches]

    If the two searches are unlisted, follow these steps:

    1. Click the Search button from the upper left side of the page and select New Search.

    2. Type the name of the search in the text box or select it from the Available Saved Searches.

    3. Click the Load button.

    4. Once loaded, select the Include in my Quick Searches checkbox.

    5. Click the Search button from the lower right side of the page. Once completed you can view the search in the Quick Searches list.

  3. Select the search of interest to list out all the matching events.

View Events and Explore Data

The integration lets you view events in real time and investigate them using customizable queries.

To investigate an event:

  1. Access the Log Activity tab.

  2. Click Quick Searches.

  3. Select Bitdefender “Malware - Still infected hosts” or Bitdefender “Threats Overview”.

  4. Customize or use the default query.

    Default query for Bitdefender “Malware - Still infected hosts”

    SELECT QIDNAME(qid) FROM events WHERE LOGSOURCETYPENAME(devicetype) =
    'Bitdefender CEF Syslog' and QIDNAME(qid) IN('AntiMalware','HyperDetect
    Activity') and "Malware Type" IN ('file', 'http', 'cookie', 'pop3', 'smtp',
    'process', 'boot', 'registry', 'stream') and "Action State" IN('still
    present', 'ignored', 'restored')

    Default query for Bitdefender “Threats Overview”:

    SELECT QIDNAME(qid) FROM events WHERE LOGSOURCETYPENAME(devicetype) =
    'Bitdefender CEF Syslog' and QIDNAME(qid)
    IN('Antiphishing','AntiMalware','Behavioral scanning','Exchange Malware
    Detected', 'HyperDetect Activity', 'HVI', 'Sandbox Analyzer Detection',
    'Exploit Mitigation', 'Web Control', 'Storage Antimalware', 'Ransomware
    Detection') and ("Event Type" NOT IN (NULL,'N/A','None') OR "Malware Type"
    NOT IN (NULL,'N/A','None') OR "Exploit Type" NOT IN (NULL,'N/A','None') OR
    "Threat Name" NOT IN (NULL,'N/A','None') OR "Attack Type" NOT IN
    (NULL,'N/A','None') OR "Application Control Block Type" NOT IN
    (NULL,'N/A','None'))

  5. Click Search.

    [Image: View Events]

  6. Double click the event of your interest. You can view the details in the Event Information window.

    [Image: Event Information]

    In the same window, you can also view the event in CEF format.

    [Image: CEF events]

Splunk

To set up the link between Splunk and GravityZone follow the steps below.

The Bitdefender Gravityzone for Splunk App provides a Dashboard where you can view all the information received from GravityZone, organized into multiple sections and widgets. Using the app you can also search for information or generate reports.

To install the app, follow these steps:

  1. Download the Bitdefender Gravityzone for Splunk App installation package from here.

  2. Log in to Splunk Enterprise.

  3. From the home page, click the Manage Apps button on the upper left side of the screen:

  4. Click the Install app from file button on the right side of the screen.

  5. Click Browse....

  6. Select the package downloaded from step 1.

  7. Click Upload.

The Bitdefender Gravityzone Add-on for Splunk supports the Bitdefender Gravityzone App for Splunk by providing source mapping, data extractions and transformations. It acts like a parser, converting all data gathered from various Bitdefender sources into a CIM format, which is compatible with Splunk.

To install the add-on, follow these steps:

  1. Download the Bitdefender Gravityzone Add-on for Splunk installation package from here.

  2. Log in to Splunk Enterprise.

  3. From the home page, click the Manage Apps button on the upper left side of the screen:

  4. Click the Install app from file button on the right side of the screen.

  5. Click Browse....

  6. Select the package downloaded from step 1.

  7. Click Upload.

To allow GravityZone to send notifications to the Splunk instance using the Syslog protocol:

  1. Connect to the GravityZone Control Center.

  2. Go to the Configuration page and click Miscellaneous.

  3. Select the Enable Syslog check box.

  4. Enter the IP address of the Splunk instance, the preferred protocol and the port Syslog listens to.

  5. Select the format json to send the data to the Syslog server.

  6. Click the Add button from the Action column.

    [Image: Enable Syslog]

To select the events you want to receive on the Splunk instance:

  1. Connect to the GravityZone Control Center.

  2. Click the Notification button at the right side of the menu bar and then click the Settings icon.

  3. Under Enable Notification section, choose the type of notifications you want to receive from GravityZone and select the Log to server checkbox.

To configure Splunk to receive the Syslog data:

  1. Log in to Splunk Enterprise.

  2. On the upper right side of the screen click Settings and select Data Inputs.

  3. Select TCP or UDP under the Local inputs section.

  4. Click the New local TCP or the New local UDP button from the upper right side of the screen.

  5. Select either a TCP or a UDP port.

  6. Fill in the Port field and, optionally, the Source name overwrite and Only accept connection from fields.

  7. Click Next.

  8. Under Source type, click Select, and choose the bitdefender:gz option.

  9. Under App context, select TA-bitdefender-gravityzone.

  10. Under Host, enter the appropriate IP, DNS or type in a custom host value.

  11. Under Index, select the one where you want to store your data.

  12. Click the Review button on the upper side of the screen and verify the information.

  13. Click Submit.

To generate an Event Push Service API key in GravityZone:

  1. Log in to GravityZone Control Center.

  2. Go to My Account.

  3. Under API keys section, click Add.

  4. Select the Event Push Service API check box and click Save. The new key appears in the API Keys table.

  5. Click Save to preserve the changes made in My Account page.

To enable the HTTP Event Collector in Splunk:

  1. Log in to Splunk.

  2. Go to Settings > Data Inputs > HTTP Event Collector.

  3. Click New Token.

  4. In the Add Data screen, fill in the Name field, as suggested in the image below, and click Next.

    [Image]
  5. For Source type, click Select and choose bitdefender:gz as the source.

  6. At Index, select a default index or create a new one. The events received by HTTP Event Collector will be inserted in the selected index.

  7. Click Review.

  8. Verify the data you entered and click Submit.

    The token has been created successfully. Copy the token value and save it. You will need it later to enable the integration.

  9. Go to Settings > Data Inputs > HTTP Event Collector and click Global Settings.

  10. In the new window, under All Tokens section, select Enabled.

  11. Click Save.

After you created the Event Push Service key in GravityZone Control Center and enabled HTTP Event Collector in Splunk, you need to enable the integration. That means you have to start sending events from GravityZone to Splunk.

  1. Gather the information needed to configure the Event Push Service settings. The commands below are run from a terminal on Linux or Mac:

    • GravityZone API URL.

      You find it in My Account > Control Center API and it should be similar to https://cloudgz.gravityzone.bitdefender.com/api.

    • The authorization header of the API key generated in GravityZone.

      The header value is the word Basic followed by the Base64 encoding of the API key with a trailing colon. To obtain it, run the echo command on the API key followed by a colon (":") and pipe the output to base64:

      > echo -n '604821e87e4c7de3aa15d0e6a97f5ab362281dbf0763746671da2caf4b5cccd1:' | base64 -w 0

      The result should be something like this:

      NjA0ODIxZTg3ZTRjN2RlM2FhMTVkMGU2YTk3ZjVhYjM2MjI4MWRiZjA3NjM3NDY2NzFkYTJjYWY0YjVjY2NkMTo=
    • Splunk URL.

      You find it in your Splunk Cloud platform and it should be something like this: https://prd-p-xlpxkqpw84k2.cloud.splunk.com. If you use Splunk on-premises, the URL is already in place.

    • HTTP Event Collector token.

  2. Run this command, replacing the authorization header, the Splunk collector URL and the Splunk token with your own values:

    > curl -k -X POST \
    https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \
    -H 'authorization: Basic NjA0ODIxZTg3ZTRjN2RlM2FhMTVkMGU2YTk3ZjVhYjM2MjI4MWRiZjA3NjM3NDY2NzFkYTJjYWY0YjVjY2NkMTo=' \
    -H 'cache-control: no-cache' \
    -H 'content-type: application/json' \
    -d '{"params": {"status": 1, "serviceType": "splunk", "serviceSettings": {"url": "https://input-prd-p-r2rmnllpzv4n.cloud.splunk.com:8088/services/collector", "requireValidSslCertificate": false, "splunkAuthorization": "Splunk EA900DEB-22C8-402B-A7F9-A926C1633E7A"}, "subscribeToEventTypes": {"hwid-change": true,"modules": true,"sva": true,"registration": true,"supa-update-status": true,"av": true,"aph": true,"fw": true,"avc": true,"uc": true,"dp": true,"device-control": true,"sva-load": true,"task-status": true,"exchange-malware": true,"network-sandboxing": true,"malware-outbreak": true,"adcloud": true,"exchange-user-credentials": true,"exchange-organization-info": true,"hd": true,"antiexploit": true}}, "jsonrpc": "2.0", "method":"setPushEventSettings", "id": "1"}'

    Note

    GravityZone starts sending events to Splunk after the Event Push Service settings are reloaded. This happens every 10 minutes.

    To start sending events immediately, run this command, replacing the authorization header with your own value:

    > curl -k -X POST \
    https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \
    -H 'authorization: Basic R2U5SENZcWRVN2pJRFI5MHdOMGVFMXpiQjVTbmM1SE46' \
    -H 'cache-control: no-cache' \
    -H 'content-type: application/json' \
    -d '{"params": {}, "jsonrpc": "2.0", "method": "getPushEventSettings", "id": "2"}'

The return should be similar to:

{"id":"1","jsonrpc":"2.0","result":true}

Test the Splunk integration

To test the integration, run this command, replacing the authorization header with your own value:

> curl -k -X POST \
https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \
-H 'authorization: Basic R2U5SENZcWRVN2pJRFI5MHdOMGVFMXpiQjVTbmM1SE46' \
-H 'cache-control: no-cache' \
-H 'content-type: application/json' \
-d '{"params": {"eventType": "av"}, "jsonrpc": "2.0", "method": "sendTestPushEvent", "id": "3"}'

You can also start sending events from GravityZone to Splunk by running a script created by Bitdefender. You can do this in your favorite terminal emulator on Linux or Mac.

  1. Download the script from here.

  2. Make the script executable by running the command:

    chmod +x bdpusheventconfig.sh
  3. Run the script with the command:

    ./bdpusheventconfig.sh -g [console_url] -k [api_key] -t [service_type] -u [service_url] -a [splunk_auth_token] -v -d [events]

The script includes the following options:

Option                   Description
-g [console_url]         GravityZone API URL
-k [api_key]             GravityZone API key
-t [service_type]        Service type: splunk or jsonRPC
-u [service_url]         Splunk or RPC URL
-a [splunk_auth_token]   Splunk authorization token
-v                       Verify service SSL certificate
-c                       Connect to Splunk Cloud free trials. Adds 'input-' to the service host and uses port 8088 (if port is not specified).
-d                       Connect to Splunk Cloud instances. Adds 'http-inputs-' to the service host and uses port 443 (if port is not specified).
-h, --help               Help

These options are similar to the ones used when enabling the integration manually.

The [events] list refers to one or more space-separated events that are to be sent from GravityZone to Splunk. These events are described in the table below:

Event type identifier                  Description
modules                                Product Modules event
sva                                    Security Server Status event
registration                           Product Registration event
supa-update-status                     Outdated Update Server event (where the Update Server is a Relay)
av                                     Antimalware event
aph                                    Antiphishing event
fw                                     Firewall event
avc                                    ATC/IDS event
uc                                     User Control event
dp                                     Data Protection event
hd                                     HyperDetect event
sva-load                               Overloaded Security Server event
task-status                            Task Status event
exchange-malware                       Exchange Malware Detection event
network-sandboxing                     Sandbox Analyzer Detection
adcloud                                Active Directory Integration Issue
exchange-user-credentials              Exchange User Credentials
antiexploit                            Antiexploit Event
network-monitor                        Network Attack Defense Event
endpoint-moved-in                      Endpoint moved in (used for moving endpoints from one company to another)
endpoint-moved-out                     Endpoint moved out (used for moving endpoints from one company to another)
hwid-change                            Hardware ID change
install                                Install agent
new-incident                           New incident
ransomware-mitigation                  Ransomware activity detection
security-container-update-available    Security Container update available
troubleshooting-activity               Troubleshooting activity
uninstall                              Uninstall agent

To subscribe to all events, use the value all or specify each one of them. If the events list is empty (no event types specified) then the integration is disabled.
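As an added example (not Bitdefender's script or API client), the following Python builds the same Event Push Service configuration that the script and the curl commands above send, for both the Splunk and the Sumo Logic (jsonRPC) service types: it derives the Basic authorization header from the API key, rewrites the Splunk Cloud host and port the way the -c and -d options are described, validates the event identifiers against the table, treats an empty list as disable and all as every event, and posts the JSON-RPC body. The constant and function names, the mode values 'trial' and 'cloud', and the verify_ssl default of true (the page's curl examples pass false) are my own choices.

```python
import base64
import json
import urllib.request
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Event type identifiers from the table above (the constant name is mine).
EVENT_TYPES = frozenset({
    "modules", "sva", "registration", "supa-update-status", "av", "aph", "fw",
    "avc", "uc", "dp", "hd", "sva-load", "task-status", "exchange-malware",
    "network-sandboxing", "adcloud", "exchange-user-credentials", "antiexploit",
    "network-monitor", "endpoint-moved-in", "endpoint-moved-out", "hwid-change",
    "install", "new-incident", "ransomware-mitigation", "uninstall",
    "security-container-update-available", "troubleshooting-activity"})

def gz_auth_header(api_key: str) -> str:
    """'Basic ' + base64(api_key + ':'), the string `echo -n '<key>:' | base64 -w 0` prints."""
    token = base64.b64encode(f"{api_key}:".encode("ascii")).decode("ascii")
    return f"Basic {token}"

def splunk_collector_url(service_url: str, mode: Optional[str] = None) -> str:
    """HEC endpoint as the script's options describe it: mode 'trial' (-c) prefixes
    the host with 'input-' and defaults to port 8088, 'cloud' (-d) prefixes it with
    'http-inputs-' and defaults to port 443; no mode keeps the URL (on-premises)."""
    parts = urlsplit(service_url)
    host, port = parts.hostname, parts.port
    if mode == "trial":
        host, port = "input-" + host, port or 8088
    elif mode == "cloud":
        host, port = "http-inputs-" + host, port or 443
    elif mode is not None:
        raise ValueError(f"unknown mode {mode!r}")
    netloc = host if port is None else f"{host}:{port}"
    path = parts.path if parts.path not in ("", "/") else "/services/collector"
    return urlunsplit((parts.scheme, netloc, path, "", ""))

def push_settings_request(service_type: str, service_url: str, events: list, *,
                          splunk_token: str = "", auth_value: str = "",
                          verify_ssl: bool = True, mode: Optional[str] = None) -> dict:
    """setPushEventSettings body with the script's semantics: ['all'] subscribes to
    every event type, an empty list disables the integration (status 0), and an
    unknown identifier is rejected instead of being silently dropped."""
    wanted = set(EVENT_TYPES) if events == ["all"] else set(events)
    unknown = wanted - EVENT_TYPES
    if unknown:
        raise ValueError(f"unknown event type(s): {sorted(unknown)}")
    if service_type == "splunk":
        settings = {"url": splunk_collector_url(service_url, mode),
                    "requireValidSslCertificate": verify_ssl,
                    "splunkAuthorization": f"Splunk {splunk_token}"}
    elif service_type == "jsonRPC":  # Sumo Logic and other JSON-RPC receivers
        settings = {"url": service_url, "requireValidSslCertificate": verify_ssl,
                    "authorization": auth_value}
    else:
        raise ValueError(f"unknown service type {service_type!r}")
    return {"params": {"status": 1 if wanted else 0, "serviceType": service_type,
                       "serviceSettings": settings,
                       "subscribeToEventTypes": {e: True for e in sorted(wanted)}},
            "jsonrpc": "2.0", "method": "setPushEventSettings", "id": "1"}

def send_push_settings(push_url: str, api_key: str, body: dict, timeout: float = 30) -> bool:
    """POST the body to the GravityZone push endpoint (the -g URL) and return the
    JSON-RPC 'result'; a JSON-RPC error object raises instead of returning."""
    req = urllib.request.Request(
        push_url, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"authorization": gz_auth_header(api_key),
                 "content-type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        reply = json.load(resp)
    if "error" in reply:
        raise RuntimeError(f"JSON-RPC error: {reply['error']}")
    return reply["result"]
```

Calling send_push_settings performs the real POST against your console, so build and inspect the body with push_settings_request first.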

Examples

Enable the Splunk integration

./bdpusheventconfig.sh -g https://gz.example.com/api/v1.0/jsonrpc/push \
  -k abcdefghijklmnopqrstuvwxyz123456 -t splunk -u https://splunk.example.com \
  -a 11111111-2222-3333-4444-555555555555 -d \
  modules sva registration supa-update-status av aph fw avc uc dp sva-load \
  task-status exchange-malware network-sandboxing adcloud exchange-user-credentials

./bdpusheventconfig.sh -g https://gz.example.com/api/v1.0/jsonrpc/push \
  -k abcdefghijklmnopqrstuvwxyz123456 -t splunk -u https://splunk.example.com \
  -a 11111111-2222-3333-4444-555555555555 -c all

Configure a json RPC service

./bdpusheventconfig.sh -g https://gz.example.com/api/v1.0/jsonrpc/push \
  -k abcdefghijklmnopqrstuvwxyz123456 -t jsonRPC -u https://rpc.example.com \
  modules sva registration supa-update-status av aph fw avc uc dp sva-load \
  task-status exchange-malware network-sandboxing adcloud exchange-user-credentials

Disable the Splunk integration

./bdpusheventconfig.sh -g https://gz.example.com/api/v1.0/jsonrpc/push \
  -k abcdefghijklmnopqrstuvwxyz123456 -t splunk -u https://splunk.example.com \
  -a 11111111-2222-3333-4444-555555555555 -c

For details about Push Events Service, refer to the Push section.

For details about creating reports based on data from GravityZone in Splunk, refer to Create reports in Splunk based on GravityZone data.

Sumo Logic

Configure Bitdefender GravityZone source for Sumo Logic

You can view Bitdefender GravityZone data in Sumo Logic. To collect this type of data, you need to add a source to a Hosted Collector in Sumo Logic and configure the Bitdefender GravityZone APIs.

Prerequisites
  • Sumo Logic account

  • Bitdefender GravityZone (cloud) account

  • Hosted Collector set up on a machine in your Sumo Logic environment

To collect Bitdefender GravityZone data via its APIs, follow these steps:

Add source to a Hosted Collector
  1. Log in to Sumo Logic.

  2. Navigate to Manage Data > Collection.

  3. Click Add Source next to a Hosted Collector.

  4. Select HTTP Logs & Metrics.

  5. Enter a Name for the source.

  6. Configure Source details and advanced options for logs.

    For more information, refer to the following Sumo Logic help article.

  7. Click Save to add the source.

    This source has a unique URL. Bitdefender GravityZone will send its data to this URL after you configure Event Push Service API.

Access source URL
  1. Navigate to Manage Data > Collection.

  2. Find the Hosted Collector by name and click Show URL.

  3. Copy the HTTP source address.

Generate Bitdefender GravityZone API key
  1. Log in to GravityZone Control Center.

  2. Click the username at the upper-right corner and choose My Account.

  3. Go to the API keys section and click Add.

  4. Enable Event Push Service API.

    You can enable other APIs to source more information from Bitdefender GravityZone.

  5. Click Save.

    To prevent the leaking of sensitive information, do not share or distribute your own generated API keys.

  6. Copy the Access URL from the Control Center API section.

    You need this URL, together with the API key, to configure Event Push Service API.

Configure Event Push Service API

Follow this procedure to set up the subscription for GravityZone Control Center events that you want to see in Sumo Logic.

  1. Open a Mac or Linux terminal.

  2. Run the echo command followed by the Bitdefender GravityZone API key and a colon (":"), and pipe the output to base64:

    • For Linux terminal:

      > echo -n 'Ge9HCYqdU7jIDR90wN0eE1zbB5Snc5HN:' | base64 -w 0
    • For Mac terminal:

      > echo -n 'Ge9HCYqdU7jIDR90wN0eE1zbB5Snc5HN:' | base64 -b 0

    This encodes the API key in a base64 string.

    Return value example:

    R2U5SENZcWRVN2pJRFI5MHdOMGVFMXpiQjVTbmM1SE46

    You will use this encoded string as a token for POST authorization.

    Note

    Sumo Logic does not currently support authentication via the authentication header used in setPushEventSettings method. The header is still needed for the event push forwarding mechanism to work but the header itself can contain any random string as the Sumo Logic https collector will ignore it.

  3. Run the following curl command, replacing the authorization header, the Sumo Logic source URL and the authorization value with your own:

    curl -k -X POST \
    https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \
    -H 'authorization: Basic R2U5SENZcWRVN2pJRFI5QndOMGVFMXpiQjVTbmNISE46' \
    -H 'cache-control: no-cache' \
    -H 'content-type: application/json' \
    -d '{"params": {"status": 1,"serviceType": "jsonRPC","serviceSettings": {"url": "SumoLogic URL","requireValidSslCertificate": false, "authorization":"auth header value"},"subscribeToEventTypes": {"modules": true,"sva": true,"registration": true,"supa-update-status": true,"av": true,"aph": true,"fw": true,"avc": true,"uc": true,"dp": true,"hd": true,"sva-load": true,"task-status": true,"exchange-malware": true,"network-sandboxing": true,"adcloud": true,"exchange-user-credentials": true}},"jsonrpc": "2.0","method": "setPushEventSettings","id": "1"}'
    

    Return value example:

    {"id":"1","jsonrpc":"2.0","result":true}
    

    GravityZone starts sending events to Sumo Logic after the Event Push Service settings are reloaded. This happens every 10 minutes.

    This table indicates the event types that GravityZone can send to Sumo Logic.

    Event type identifier        Description
    modules                      Product Modules event
    sva                          Security Server Status event
    registration                 Product Registration event
    supa-update-status           Outdated Update Server event (where the Update Server is a Relay)
    av                           Antimalware event
    aph                          Antiphishing event
    fw                           Firewall event
    avc                          ATC/IDS event
    uc                           User Control event
    dp                           Data Protection event
    hd                           HyperDetect event
    sva-load                     Overloaded Security Server event
    task-status                  Task Status event
    exchange-malware             Exchange Malware Detection event
    network-sandboxing           Sandbox Analyzer Detection
    adcloud                      Active Directory Integration Issue
    exchange-user-credentials    Exchange User Credentials

  4. To start sending events immediately, run the following command, replacing the authorization header with your own value:

    curl -k -X POST \
    https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \
    -H 'authorization: Basic R2U5SENZcWRVN2pJRFI5QndOMGVFMXpiQjVTbmNISE46' \
    -H 'cache-control: no-cache' \
    -H 'content-type: application/json' \
    -d '{"params": {}, "jsonrpc": "2.0", "method": "getPushEventSettings", "id": "2"}'

  5. To test the integration, run the following command, replacing the authorization header with your own value:

    curl -k -X POST \
    https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \
    -H 'authorization: Basic R2U5SENZcWRVN2pJRFI5QndOMGVFMXpiQjVTbmNISE46' \
    -H 'cache-control: no-cache' \
    -H 'content-type: application/json' \
    -d '{"params": {"eventType": "av"}, "jsonrpc": "2.0", "method": "sendTestPushEvent", "id": "3"}'
    

    You can now see Bitdefender GravityZone data in Manage Data > Collection.

    For details about Push Events Service, refer to the GravityZone Cloud API Documentation guide, the chapter "Push".