Push event JSON RPC messages
Events are submitted in calls to the "addEvents" function. This function takes one parameter: "events", which is an array of event objects documented below.
HTTP requests can be verified using the Event-Push-Service-Md5 header. The header value is obtained by hashing the API key concatenated with the MD5 hash of the message body, as follows: header_value = md5(api_key + md5(message_body))
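// API key configured for the push service (masked here)
$gzapikey = "a247bf167a48d899b7a64aced0d6cebdbd5d474578c26cd023505b2c26******";
// Raw request body, exactly as received
$message = file_get_contents('php://input');
// Value of the Event-Push-Service-Md5 header sent with the request
$servermd5 = $_SERVER['HTTP_EVENT_PUSH_SERVICE_MD5'];
// Value computed locally; the request is authentic when it equals $servermd5
$resultmd5 = md5($gzapikey.md5($message));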
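One way to implement this check on the receiving side, as an added example (not code from the original page or from Bitdefender): it recomputes the header over the raw request bytes, compares in constant time, and only then parses the "addEvents" envelope. The API key, the sample body and the names `expected_md5_header`, `verify_push` and `PushRejected` are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed placeholder, not a real API key.
API_KEY = "constructed-example-api-key"

# Constructed request body, modelled on the Cloud AD Integration example.
SAMPLE_BODY = json.dumps({
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {"events": [{
        "companyId": "59a14b271da197c6108b4567",
        "syncerId": "59b7d9bfa849af3a1465b7e3",
        "issueType": 0,
        "lastAdReportDate": "2017-09-14T08:03:49.671Z",
        "module": "adcloud",
    }]},
    "id": 1505376232077,
}).encode("utf-8")


class PushRejected(ValueError):
    """Raised when a push request fails verification or envelope checks."""


def expected_md5_header(api_key: str, raw_body: bytes) -> str:
    """md5(api_key + md5(message_body)), both digests as lowercase hex."""
    inner = hashlib.md5(raw_body).hexdigest()
    return hashlib.md5(api_key.encode("utf-8") + inner.encode("ascii")).hexdigest()


def verify_push(api_key: str, header_value, raw_body: bytes) -> list:
    """Return the list of events, or raise PushRejected."""
    if not header_value:
        raise PushRejected("missing Event-Push-Service-Md5 header")

    # Hash the bytes exactly as received: re-serialising the JSON first
    # would change whitespace or key order and break the comparison.
    want = expected_md5_header(api_key, raw_body).encode("ascii")
    got = header_value.strip().encode("utf-8")
    if not hmac.compare_digest(want, got):  # constant-time comparison
        raise PushRejected("Event-Push-Service-Md5 mismatch")

    # Parse only after the header has been accepted.
    try:
        msg = json.loads(raw_body)
    except ValueError as exc:
        raise PushRejected("body is not valid JSON") from exc

    if (not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0"
            or msg.get("method") != "addEvents"):
        raise PushRejected("not an addEvents JSON-RPC 2.0 call")

    params = msg.get("params")
    events = params.get("events") if isinstance(params, dict) else None
    if not isinstance(events, list):
        raise PushRejected("params.events is not an array")

    # Every event type documented here carries a mandatory "module" field.
    for event in events:
        if not isinstance(event, dict) or not isinstance(event.get("module"), str):
            raise PushRejected("event without a module identifier")
    return events


if __name__ == "__main__":
    header = expected_md5_header(API_KEY, SAMPLE_BODY)
    for event in verify_push(API_KEY, header, SAMPLE_BODY):
        print(event["module"], event["companyId"])
```
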
Cloud AD Integration
This event is generated when Control Center is synchronizing with an Active Directory domain.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: adcloud |
companyId | string | yes | Company identifier |
syncerId | string | yes | AD Integrator identifier |
issueType | integer | yes | AD Synchronization issue type |
isProtectedEntityId | integer | no | Is protected entity ID (only for uninstall) |
lastAdReportDate | timestamp | no | Last AD synchronization date |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"syncerId": "59b7d9bfa849af3a1465b7e3",
"issueType": 0,
"lastAdReportDate": "2017-09-14T08:03:49.671Z",
"module": "adcloud"
}
]
},
"id": 1505376232077
}
Antiphishing
This notification informs you each time the endpoint agent detects a known phishing attempt when accessing a web page.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: aph |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
aph_type | string | yes | Values: phishing, fraud, untrust |
url | string | yes | Malware url |
status | string | yes | Values: aph_blocked, reportOnly |
last_blocked | timestamp | yes | Last timestamp this malware was blocked |
count | integer | yes | How many times this malware was detected |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-EXCHANGE-01",
"computer_fqdn": "fc-exchange-01.fc.dom",
"computer_ip": "192.168.0.1",
"computer_id": "59b7d9bfa849af3a1465b7e4",
"product_installed": "BEST",
"aph_type": "phishing",
"url": "http://example.com/account/support/",
"status": "aph_blocked",
"last_blocked": "2017-09-14T08:49:43.000Z",
"count": 1,
"module": "aph"
}
]
},
"id": 1505378984190
}
Antimalware
This event is generated each time Bitdefender detects malware on an endpoint in your network.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: av |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
malware_type | string | yes | Type of the detected malware: file, http, cookie, pop3, smtp, process, boot, registry, stream |
malware_name | string | yes | Malware name |
hash | string | no | Malware file sha256 hash |
final_status | string | yes | Final status of the action taken on the file: ignored, still present, deleted, blocked, quarantined, disinfected, restored |
container_id | string | no | The identifier of the container entity |
container_host | string | no | The name of the host that manages the container entity |
file_path | string | yes | Malware file path |
timestamp | timestamp | yes | Timestamp when the malware was detected |
signaturesNumber | string | no | signatures Number |
taskScanType | integer | no | taskScanType |
scanEngineType | integer | no | scanEngineType |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-WIN7-X64-01",
"computer_fqdn": "fc-win7-x64-01",
"computer_ip": "10.17.46.196",
"computer_id": "59a1604e60369e06733f8abb",
"product_installed": "BEST",
"malware_type": "file",
"malware_name": "EICAR-Test-File (not a virus)",
"file_path": "C:\\eicar0000001.txt",
"hash": "8b3f191819931d1f2cef7289239b5f77c00b079847b9c2636e56854d1e5eff71",
"final_status": "deleted",
"timestamp": "2017-09-08T12:01:36.000Z",
"module": "av"
}
]
},
"id": 1504872097787
}
Advanced Threat Control (ATC)
This event is created whenever a potentially dangerous application is detected and blocked on an endpoint.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: avc |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
exploit_type | string | yes | Values: IDS APP, AVC APP, AVC Exploit |
exploit_path | string | yes | Exploit file path |
process_command_line | string | no | The command line parameters of the detected process |
parent_process_id | integer | no | The pid of the parent of the detected process |
parent_process_path | string | no | The path of the parent process of the detection |
status | string | yes | Values: avc_blocked, avc_allowed, avc_disinfected |
last_blocked | timestamp | yes | Last timestamp this application/exploit was blocked |
count | integer | yes | How many times this application/exploit was detected |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-WIN7-X64-01",
"computer_fqdn": "fc-win7-x64-01",
"computer_ip": "192.168.0.1",
"computer_id": "59a1604e60369e06733f8abb",
"product_installed": "BEST",
"exploit_type": "AVC Blocked Exploit",
"exploit_path": "C:\\Users\\admin\\Desktop\\Tools\\avcsim\\win32\\avcsim32.exe",
"status": "avc_blocked",
"last_blocked": "2017-09-14T07:56:33.000Z",
"count": 1,
"module": "avc"
}
]
},
"id": 1505375801845
}
Data Protection
This event is generated each time the data traffic is blocked on an endpoint, according to data protection rules.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: dp |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
target_type | string | yes | Malware type: mail, http |
blocking_rule_name | string | yes | Data protection rule name |
url | string | yes | Url |
status | string | yes | Always "data_protection_blocked" |
last_blocked | timestamp | yes | Last timestamp this email/url was blocked |
count | integer | yes | How many times this malware was detected |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-WIN7-X64-01",
"computer_fqdn": "fc-win7-x64-01",
"computer_ip": "192.168.0.1",
"computer_id": "59a1604e60369e06733f8abb",
"product_installed": "BEST",
"target_type": "http",
"blocking_rule_name": "dv",
"url": "http://example.com/",
"status": "data_protection_blocked",
"last_blocked": "2017-09-11T10:23:43.000Z",
"count": 1,
"module": "dp"
}
]
},
"id": 1505125464691
}
Exchange Malware Detection
This event is created when Bitdefender detects malware on an Exchange server in your network.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: exchange-malware |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
serverName | string | yes | Server name |
sender | string | yes | Email sender |
recipients | array | yes | List of email recipients (array of strings) |
subject | string | yes | Email subject |
detectionTime | timestamp | yes | Detection time |
malware | array | yes | List of detected malware (array of {"malwareName": string, "malwareType": string, "actionTaken": string, "infectedObject": string}) |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-EXCHANGE-01",
"computer_fqdn": "fc-exchange-01.fc.dom",
"computer_ip": "192.168.0.1",
"computer_id": "59b7d9bfa849af3a1465b7e4",
"product_installed": "BEST",
"endpointId": "59b7d9bfa849af3a1465b7e3",
"serverName": "FC-EXCHANGE-01",
"sender": "fc_test01@fc.dom",
"recipients": [
"fc_test02@fc.dom"
],
"subject": "Emailing Sending.. WL-cbe100c9f42a20ef9a4b1c20ed1a59f9-0",
"detectionTime": "2017-09-13T14:20:37.000Z",
"malware": [
{
"malwareName": "Trojan.Generic.KD.874127",
"malwareType": "virus",
"actionTaken": "quarantine",
"infectedObject": "WL-cbe100c9f42a20ef9a4b1c20ed1a59f9-0"
}
],
"module": "exchange-malware"
}
]
},
"id": 1505312459584
}
Exchange License Usage Limit Has Been Reached
This event is generated when the Exchange license limit has been reached.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: exchange-organization-info |
companyId | string | yes | Company identifier |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"endpointId": "59b7d9bfa849af3a1465b7e3",
"module": "exchange-organization-info",
"mailboxes": 8,
"license_limit": 5,
"license_key": "5IMI111"
}
]
},
"id": 1505387661508
}
Exchange User Credentials
This event is generated when an on-demand scan task could not start on the target Exchange server due to invalid user credentials. To complete the task, you need to change your Exchange credentials.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: exchange-user-credentials |
companyId | string | yes | Company identifier |
endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"endpointId": "59b7d9bfa849af3a1465b7e3",
"module": "exchange-user-credentials"
}
]
},
"id": 1505387661508
}
Firewall
This event is generated when the endpoint agent blocks a port scan or an application from accessing the network, according to the applied policy.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: fw |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
status | string | yes | Status |
local_port | string | no | Local port |
protocol_id | string | no | The identifier of the malware attack protocol as defined by Protocol Number |
application_path | string | no | Application path |
source_ip | string | no | Source IP address |
last_blocked | timestamp | yes | Last timestamp this connection was blocked |
count | integer | yes | How many times this connection was detected |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-WIN7-X64-01",
"computer_fqdn": "fc-win7-x64-01",
"computer_ip": "192.168.0.1",
"computer_id": "59a1604e60369e06733f8abb",
"product_installed": "BEST",
"status": "portscan_blocked",
"protocol_id": "6",
"source_ip": "192.168.0.2",
"last_blocked": "2017-09-08T12:52:03.000Z",
"count": 1,
"module": "fw"
}
]
},
"id": 1504875129648
}
Hyper Detect event
This event is generated when malware is detected by the Hyper Detect module.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: hd |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
malware_type | string | yes | Type of the detected malware: file, http, cookie, pop3, smtp, process, boot, registry, stream |
malware_name | string | yes | Malware name |
hash | string | no | Malware file sha256 hash |
final_status | string | yes | Final status of the action taken on the file: ignored, still present, deleted, blocked, quarantined, disinfected, restored |
container_id | string | no | The identifier of the container entity |
container_host | string | no | The name of the host that manages the container entity |
file_path | string | yes | Malware file path |
attack_type | string | no | Values: targeted attack, grayware, exploits, ransomware, suspicious files and network traffic |
detection_level | string | no | Values: permissive, normal, aggressive |
is_fileless_attack | string | no | True for fileless attack |
command_line_parameters | string | no | Command line parameters |
process_info_path | string | no | Process path |
process_info_command_line | string | no | Process command line parameters |
parent_process_id | integer | no | Parent process ID |
parent_process_path | string | no | Parent process path |
hwid | string | yes | Hardware identifier |
date | timestamp | yes | Timestamp when the malware was detected |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"module": "hd",
"product_installed": "EPS",
"user": {
"name": "admin",
"sid": "BF410F3B-5F3A-41E1-BF8F-28DE6948A355"
},
"computer_name": "DHMSI",
"computer_fqdn": "dhmsi",
"computer_ip": "10.10.18.226",
"computer_id": "5c4999491ddfad7177316f80",
"malware_type": "file",
"malware_name": "",
"hash": "hash_3",
"final_status": "quarantined",
"file_path": "44e695d9ed259aea10e5b57145d0d0dc.bender",
"attack_type": "suspicious files and network traffic",
"detection_level": "normal",
"is_fileless_attack": 1,
"command_line_parameters": "a b c",
"process_info_path": "C:\\a.exe",
"process_info_command_line": "c:\\a.exe -testParam",
"parent_process_id": 1716,
"parent_process_path": "C:\\Windows\\System32\\cmd.exe",
"hwid": "00000000-0000-0000-0000-406186b5****",
"companyId": "5c497704f9bf8d0b1b4df***",
"date": "2019-01-24T11:13:04.000Z"
}
]
},
"id": 1547719287349
}
Product Modules Status
This event is generated when a security module of the installed agent gets enabled or disabled.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: modules |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computerId | string | yes | Unique endpoint identifier in the GravityZone database |
container_id | string | no | The identifier of the container entity |
container_host | string | no | The name of the host that manages the container entity |
is_container_host | boolean | no | Whether the machine is container host or not |
malware_status | boolean | no | Antimalware module |
aph_status | boolean | no | Antiphishing module |
firewall_status | boolean | no | Firewall module |
avc_status | boolean | no | Active Threat Control module |
ids_status | boolean | no | Intrusion detection system module |
uc_web_filtering | boolean | no | Content Control Web Access Control module |
uc_categ_filtering | boolean | no | Content Control Web Categories Filtering module |
uc_application_status | boolean | no | Content Control Application Blacklisting module |
dp_status | boolean | no | Content Control Data Protection module |
pu_status | boolean | no | Power User module |
dlp_status | boolean | no | Device Control module |
exchange_av_status | boolean | no | Exchange Protection Antimalware module |
exchange_as_status | boolean | no | Exchange Protection Antispam module |
exchange_at_status | boolean | no | Exchange Protection Attachment filtering module |
exchange_cf_status | boolean | no | Exchange Protection Content filtering module |
exchange_od_status | boolean | no | Exchange Protection On demand scan module |
volume_encryption | boolean | no | Encryption module |
patch_management | boolean | no | Patch management module |
container_protection_status | boolean | no | Container Protection module |
network_monitor_status | boolean | no | Network Attack Defense module |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-WIN7-X64-01",
"computer_fqdn": "fc-win7-x64-01",
"computer_ip": "192.168.0.1",
"computer_id": "59a1604e60369e06733f8abb",
"product_installed": "BEST",
"malware_status": 1,
"aph_status": 1,
"firewall_status": 1,
"avc_status": 1,
"uc_web_filtering": 0,
"uc_categ_filtering": 0,
"uc_application_status": 0,
"dp_status": 0,
"pu_status": 1,
"dlp_status": 0,
"module": "modules"
}
]
},
"id": 1504871857671
}
Sandbox Analyzer Detection
This event is generated each time Sandbox Analyzer detects a new threat among the submitted files.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: network-sandboxing |
companyId | string | yes | Company identifier |
endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
deviceExternalId | string | no | Unique endpoint identifier in the GravityZone database |
submissionId | string | no | GravityZone network sandbox submission ID |
computerName | string | yes | Computer name |
computerIp | string | yes | Computer IP address |
detectionTime | integer | yes | Detection time |
threatType | string | yes | Threat type |
filePaths | array | yes | File paths (array of strings) |
fileSizes | array | yes | File sizes (array of strings) |
remediationActions | array | yes | Remediation actions (array of strings). Possible values: |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"endpointId": "59a1604e60369e06733f8aba",
"computerName": "FC-WIN7-X64-01",
"computerIp": "192.168.0.1",
"detectionTime": 1505386969,
"threatType": "RANSOMWARE",
"filePaths": [
"C:\\Users\\Administrator\\Documents\\installer.xml",
"D:\\opt\\bitdefender\\installer2.xml",
"D:\\sources\\console\\CommonConsole\\app\\modules\\policies\\view\\endpoints\\networkSandboxing\\installer3.xml"
],
"fileSizes": [
"2614",
"2615",
"2616"
],
"remediationActions": [
"1",
"",
"1"
],
"module": "network-sandboxing"
}
]
},
"id": 1505386971126
}
Product Registration
This event is generated when the registration status of an agent installed in your network has changed.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: registration |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
container_id | string | no | The identifier of the container entity |
container_host | string | no | The name of the host that manages the container entity |
is_container_host | boolean | no | Whether the machine is container host or not |
product_registration | string | yes | Values: registered, unregistered |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-EXCHANGE-01",
"computer_fqdn": "fc-exchange-01.fc.dom",
"computer_ip": "192.168.0.1",
"computer_id": "59b7d9bfa849af3a1465b7e4",
"product_installed": "BEST",
"product_registration": "registered",
"module": "registration"
}
]
},
"id": 1505221060168
}
Outdated Update Server
This event is generated when an update server has outdated malware signatures.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
fromSupa | boolean | yes | Identifies events sent from Relays (always true) |
module | string | yes | Event type identifier. Value: supa-update-status |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
status | boolean | yes | Update status |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-WIN7-X64-01",
"computer_fqdn": "fc-win7-x64-01",
"computer_ip": "192.168.0.1",
"computer_id": "59a1604e60369e06733f8abb",
"product_installed": "BEST",
"status": 0,
"fromSupa": 1,
"module": "supa-update-status"
}
]
},
"id": 1505379714808
}
Overloaded Security Server
This event is generated when the scan load on a Security Server in your network exceeds the defined threshold.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: sva-load |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
loadAverage | integer | yes | Load average |
cpuUsage | integer | yes | CPU usage |
memoryUsage | integer | yes | Memory usage |
networkUsage | integer | yes | Network usage |
overallUsage | integer | yes | Overall usage |
svaLoad | string | no | SVA load |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "bitdefender-sva",
"computer_fqdn": "bitdefender-sva",
"computer_ip": "192.168.0.1",
"computer_id": "59b8f3aba849af3a1465b81e",
"product_installed": "SVA",
"loadAverage": 1,
"cpuUsage": 48,
"memoryUsage": 32,
"networkUsage": 0,
"overallUsage": 48,
"svaLoad": "Normal",
"module": "sva-load"
}
]
},
"id": 1505293227782
}
Security Server Status
This event is created when the status of a certain Security Server changes. The status refers to power (powered on/powered off), product update, signatures update and reboot required.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: sva |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
powered_off | boolean | yes | Powered off |
product_update_available | boolean | no | Product update available |
signature_update | timestamp | no | Last signatures update timestamp |
product_reboot_required | boolean | no | True if a reboot is required |
lastupdate | string | no | Last update |
lastupdateerror | string | no | Last update error |
updatesigam | string | no | Security Server engines version |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "bitdefender-sva",
"computer_fqdn": "bitdefender-sva",
"computer_ip": "192.168.0.1",
"computer_id": "59b8f3aba849af3a1465b81e",
"product_installed": "SVA",
"powered_off": 0,
"product_update_available": 1,
"product_reboot_required": 0,
"lastupdate": "0",
"updatesigam": "7.72479",
"module": "sva"
}
]
},
"id": 1505293227782
}
Antiexploit Event
This event is generated when Advanced Anti-Exploit triggers a detection.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: antiexploit |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
container_id | string | no | The identifier of the container entity |
container_host | string | no | The name of the host that manages the container entity |
endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
detection_action | string | yes | The action that was taken upon the detection |
detection_threatName | string | no | Threat type |
detection_pid | string | yes | The pid of the detection |
detection_exploitTechnique | string | yes | The technique employed in the detection |
detection_parentPid | string | no | The pid of the parent of the detected process |
detection_path | string | yes | The path of the detection |
detection_parentPath | string | no | The path of the parent process of the detection |
detection_cve | string | no | Detection CVE |
detection_payload | string | no | Detection payload |
detection_username | string | no | The user that was logged when the detection was found |
detection_time | timestamp | yes | Time of the event as reported by the product, already formatted in a string representation |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"module": "antiexploit",
"product_installed": "BEST",
"companyId": "5cf10c8af23f73097377c924",
"computer_name": "TEST_ENDPOINT",
"computer_fqdn": "test-endpoint.dsd.ro",
"computer_ip": "10.10.18.226",
"computer_id": "5cf51ba5e8ee8c5b1852a9d7",
"endpointId": "5cf51ba5e8ee8c5b1852a9d6",
"detection_action": "kill",
"detection_threatName": "EICAR-Test-File (not a virus)",
"detection_pid": "2000",
"detection_exploitTechnique": "Flash/Generic",
"detection_parentPid": "4000",
"detection_path": "C:\\file15c8ba8b90ea1de127962f464.exe",
"detection_parentPath": "C:\\file25c8ba8b90ea1de127962f464.exe",
"detection_username": "user@domain.com",
"detection_time": "2019-06-03T13:58:30.000Z"
}
]
},
"id": 1547719287349
}
Network Attack Defense Event
This event is generated when the Network Attack Defense module triggers a detection.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: network-monitor |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
endpointId | string | yes | Endpoint identifier |
label | string | no | The label set in the Network grid by the Admin |
actionTaken | string | yes | The action that was taken upon the detection |
detection_name | string | yes | The name of the detection as received from BEST |
detection_attackTechnique | string | yes | Name of the attack technique as set in the Network Attack Defense policy |
source_ip | string | yes | IP of the attack source |
victim_ip | string | yes | IP of the victim's endpoint |
local_port | string | yes | The port on which the attack occurred |
timestamp | timestamp | yes | Time of the event as reported by the product, already formatted in a string representation |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"module": "network-monitor",
"product_installed": "BEST",
"user": {
"userName": "user1@domain.com",
"userSid": "S-1-2-3-4"
},
"computer_name": "TEST_ENDPOINT",
"computer_fqdn": "test-endpoint.dsd.ro",
"computer_ip": "10.10.18.226",
"computer_id": "5d639e8f48ac2f04f6e00b1c",
"actionTaken": "reportOnly",
"detection_name": "PrivacyThreat.PasswordStealer.HTTP",
"detection_attackTechnique": "discovery",
"source_ip": "10.17.134.4",
"victim_ip": "213.211.198.58",
"local_port": "80",
"timestamp": "2019-01-24T11:13:04.000Z"
}
]
},
"id": 1547719287349
}
Task Status
This event is generated each time a task status changes.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: task-status |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
userId | string | yes | User identifier |
taskId | string | yes | Task identifier |
taskName | string | yes | Task name |
taskType | integer | yes | Task type |
targetName | string | yes | Task name |
isSuccessful | boolean | yes | True if the task was executed successfully |
status | integer | yes | Task status |
errorMessage | string | yes | Error message |
errorCode | integer | yes | Error code |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-WIN7-X64-01",
"computer_fqdn": "fc-win7-x64-01",
"computer_ip": "192.168.0.1",
"computer_id": "59a1604e60369e06733f8abb",
"product_installed": "BEST",
"userId": "59a14b2b1da197c6108b4568",
"taskId": "59b28dc81da19711058b4568",
"taskName": "Quick Scan 2017-09-08(sub-task)",
"taskType": 272,
"targetName": "FC-WIN7-X64-01",
"isSuccessful": 1,
"status": 3,
"errorMessage": "",
"errorCode": 0,
"module": "task-status"
}
]
},
"id": 1504874269032
}
User Control/Content Control
This event is generated when a user activity such as web browsing or a software application is blocked on the endpoint according to the applied policy.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: uc |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
uc_type | string | no | Values: application, http |
url | string | no | Url |
block_type | string | no | Values: application, http_timelimiter, http_blacklist, http_categories, http_bogus, http_antimalware |
categories | string | no | Values: WebProxy, Games, Tabloids, Hate, Gambling, Drugs, Illegal, Shopping, OnlinePay, Video, SocialNetwork, OnlineDating, IM, SearchEngines, RegionalTLDS, News, Pornography, MatureContent, Blog, FileSharing, Narcotics, VideoOnline, Religious, Suicide, Health, ViolentCartoons, Weapons, Hacking, Scams, CasualGames, OnlineGames, ComputerGames, PhotosOnline, Ads, Advice, Bank, Business, ComputerAndSoftware, Education, Entertainment, Government, Hobbies, Hosting, JobSearch, Portals, RadioMusic, Sports, TimeWasters, Travel, WebMail |
application_path | string | no | Application path |
status | string | no | Values: uc_application_blocked, uc_site_blocked |
last_blocked | timestamp | no | Last timestamp this malware was blocked |
count | integer | no | How many times this malware was detected |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-WIN7-X64-01",
"computer_fqdn": "fc-win7-x64-01",
"computer_ip": "192.168.0.1",
"computer_id": "59a1604e60369e06733f8abb",
"product_installed": "BEST",
"uc_type": "http",
"url": "http://192.168.0.1:2869/upnphost/udhisapi.dll",
"block_type": "http_timelimiter",
"categories": "",
"status": "uc_site_blocked",
"last_blocked": "2017-09-08T12:46:30.000Z",
"count": 1,
"module": "uc"
}
]
},
"id": 1504874799367
}
Storage Antimalware Event
This event is generated each time SVA detects a new threat in the protected storage (NAS).
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: |
companyId | string | yes | Company identifier |
endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
computer_name | string | yes | Computer name |
storage_name | string | yes | The name of the storage unit |
storage_ip | string | yes | The IP address of the storage unit |
storage_type | string | yes | The type of the storage unit (e.g., Nutanix, Citrix, etc.) |
file_path | string | yes | File path |
file_hash | string | yes | File hash |
malware_type | string | yes | Describes the type of malware as defined by Bitdefender. Possible values are: 'file', 'http', 'cookie', 'pop3', 'smtp', 'process', 'boot', 'registry' and 'stream' |
malware_name | string | yes | Name of the malware as defined by Bitdefender |
status | string | yes | Final status for the detected objects. Possible values are: |
detection_time | timestamp | yes | Time of the event as reported by the product, already formatted in a string representation |
Example:
{ "jsonrpc": "2.0", "method": "addEvents", "params": { "events": [ { "companyId": "59a14b271da197c6108b4567", "endpointId": "59a1604e60369e06733f8aba", "computerName": "SVA_WITH_ICAP", "storage_name": "fileserver001", "storage_ip": "192.168.0.1", "storage_type": "Nutanix", "file_path": "C:\\Users\\Administrator\\Documents\\installer.xml", "file_hash": "04d7cff845e23111633cc0a268634f5e6c18145d0a9b5a38dedd8a58a422001c", "malware_type": "1", "malware_name": "BAT.Trojan.FormatC.Z", "status": "5", "detection_time": "2018-05-07T10:23:43.000Z", "module": "storage-antimalware" } ] }, "id": 1505386971126 }
Install Agent
This event is generated when the agent is installed on endpoints.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
hwid | string | yes | Hardware identifier |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"product_installed": "BEST",
"companyId": "59a14b271da197c6108b4567",
"computer_name": "TEST_ENDPOINT",
"computer_fqdn": "test-endpoint.dsd.ro",
"computer_ip": "10.10.18.226",
"computer_id": "5cf51ba5e8ee8c5b1852a9d7",
"module": "install",
"endpointId": "5e2085febf255a545e52276b",
"hwid": "00000000-0000-0000-0000-406186b5bdbd50"
}
]
},
"id": 1547719287350
}
Uninstall Agent
This event is generated when an agent is uninstalled from an endpoint.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
reason | integer | yes | Uninstalling method. Available options: |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"product_installed": "BEST",
"companyId": "59a14b271da197c6108b4567",
"computer_name": "TEST_ENDPOINT",
"computer_fqdn": "test-endpoint.dsd.ro",
"computer_ip": "10.10.18.226",
"computer_id": "59b7d9bfa849af3a1465b7e4",
"endpointId": "5e2085febf255a545e52276b",
"reason": 1,
"module": "uninstall"
}
]
},
"id": 1505221060168
}
Hardware ID Change
This event is generated when the hardware ID of an endpoint from your network is changed.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
old_hwid | string | yes | The old hardware ID of the machine |
new_hwid | string | yes | The new hardware ID of the machine |
endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"module": "hwid-change",
"product_installed": "BEST",
"companyId": "5e207bc354060806ed24a132",
"computer_name": "A",
"computer_fqdn": "test-endpoint.dsd.ro",
"computer_ip": "10.10.18.526",
"computer_id": "5e284ff5b7e43d387ba54a96",
"old_hwid": "00000000-0000-0000-0000-406186b5bde7",
"new_hwid": "00000000-0000-0000-0000-406186b5bde6",
"endpointId": "5e284ff5b7e43d387ba54a95"
}
]
},
"id": 1547719287349
}
Endpoint moved in
This event is generated when endpoints are moved in Network Inventory from one company to another. The event is received by the destination company.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
hwid | string | yes | Hardware identifier |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"product_installed": "BEST",
"companyId": "59a14b271da197c6108b4568",
"computer_name": "TEST_ENDPOINT",
"computer_fqdn": "test-endpoint.dsd.ro",
"computer_ip": "10.10.18.226",
"computer_id": "59b7d9bfa849af3a1465b7e3",
"endpointId": "5e2085febf255a545e52276a",
"module": "endpoint-moved-in",
"hwid": "5e284ff-5b7e43d387ba-54a95"
}
]
},
"id": 1505221060169
}
Endpoint moved out
This event is generated when endpoints are moved in Network Inventory from one company to another. The event is received by the source company.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
hwid | string | yes | Hardware identifier |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"product_installed": "BEST",
"companyId": "59a14b271da197c6108b4567",
"computer_name": "TEST_ENDPOINT",
"computer_fqdn": "test-endpoint.dsd.ro",
"computer_ip": "10.10.18.226",
"computer_id": "59b7d9bfa849af3a1465b7e4",
"endpointId": "5e2085febf255a545e52276b",
"module": "endpoint-moved-out",
"hwid": "5e284ff-5b7e43d387ba-54a95"
}
]
},
"id": 1505221060170
}
Troubleshooting activity
The event is generated when a troubleshooting task ends, and it informs you of its status. If successful, it provides you with the logs.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
taskId | string | yes | The ID of the current Troubleshooting task. |
taskType | string | yes | The type of the task |
errorCode | integer | yes | Integer representing the error code if the task has failed |
username | string | no | Name of the user account that started the Troubleshooting task |
localPath | string | no | The path on the target machine where the Troubleshooting archive is placed |
networkSharePath | string | no | The path on network share where the Troubleshooting archive is placed |
saveToBitdefenderCloud | boolean | no | Whether the Troubleshooting archive is also uploaded to Bitdefender Cloud |
status | integer | yes | The status with which the task has finished |
stopReason | integer | no | The reason for which the Troubleshooting activity was stopped |
failedStorageType | integer | no | When some delivery methods succeeded and others did not, indicates which one failed |
startDate | timestamp | no | Timestamp of when the event has started |
endDate | timestamp | no | Time of the event as reported by the product, already formatted in a string representation |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"product_installed": "BEST",
"companyId": "59a14b271da197c6108b4567",
"computer_name": "TEST_ENDPOINT_WINDOWS_10",
"computer_fqdn": "test-endpoint.dsd.ro",
"computer_ip": "10.10.0.101",
"computer_id": "5ee30e2b29a4e218489442b6",
"module": "troubleshooting-activity",
"taskId": "5eea0105f23f731302405833",
"taskType": "Debug Session",
"errorCode": 3,
"username": "test@test.com",
"localPath": "/test/dir",
"networkSharePath": "//1.2.3.4/dir",
"saveToBitdefenderCloud": 0,
"status": 3,
"stopReason": 2,
"failedStorageType": 1,
"startDate": "2020-06-24T06:06:48.000Z",
"endDate": "2020-06-24T06:09:28.000Z"
}
]
},
"id": 1505221060169
}
Device Control
Every time the Device Control module detects a device inserted into a client system, an event is generated.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
username | string | no | The user that was logged in when the incident was found |
silentAgentVersion | string | no | Agent version |
action | string | yes | Action taken on the device: allowed, blocked, readonly. Present only when the state of the device is added. |
deviceName | string | no | A descriptive name for the device |
deviceClass | integer | yes | Device class |
deviceId | string | no | Device ID |
productId | integer | no | Product ID of the device |
vendorId | integer | no | ID of the vendor |
date | timestamp | yes | The date when the device was blocked |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"module": "device-control",
"product_installed": "BEST",
"computer_name": "FC-WIN7-X64-01",
"computer_fqdn": "fc-win7-x64-01",
"computer_ip": "10.17.46.207",
"computer_id": "5d529fb7008739443adb4003",
"username": "Admin",
"action": "blocked",
"deviceName": "CD-ROM Drive",
"deviceClass": 2,
"deviceId": "IDE\\CDROMNECVMWAR_VMWARE_IDE_CDR10_______________1.00____\\5&3A794E10&0&1.0.0",
"productId": 0,
"vendorId": 0,
"date": "2019-08-13T11:33:18.000Z"
}
]
},
"id": 1565697106257
}
Ransomware activity detection
This event occurs when the endpoint agent blocks a ransomware attack.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
company_name | string | yes | The company in which the attack was detected. |
endpoint_id | string | yes | Managed endpoint identifier in the GravityZone database |
attack_type | string | yes | Ransomware attack type |
item_count | string | yes | The number of files encrypted during the attack |
detected_on | integer | yes | The date and time when the attack was detected |
attack_source | string | yes | The remote IP in case of a remote attack, or the process path in case of a local attack |
Example:
{ "jsonrpc": "2.0", "method": "addEvents", "params": { "events": [ { "module": "ransomware-mitigation", "companyId": "5dad6f685f627d42cb3cd434", "product_installed": "SVA", "user": { "name": "user", "sid": "S-11-22-33" }, "company_name": "Bitdefender", "computer_name": "DC-Nebula", "computer_fqdn": "dc-nebula.nebula.local", "computer_ip": "10.17.16.10", "computer_id": "5ed4d2fef23f7325715dbb22", "attack_type": "remote", "item_count": "23", "detected_on": 1591007594, "attack_source": "10.10.20.120" } ] }, "id": 1505221060169 }
New Incident
This event is generated every time a new Root Cause Analysis (RCA) is displayed under the Incidents section of Control Center. The event contains a list of relevant items extracted from the RCA JSON, which you can use to enrich SIEM driven correlations with EDR specific data.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | Computer IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
incident_id | string | yes | Incident identifier |
severity_score | integer | yes | Severity score |
attack_entry | integer | yes | Attack entry |
main_action | string | yes | Main action |
detection_name | string | no | Detection name |
file_name | string | no | File name |
file_path | string | no | File path |
file_hash_md5 | string | no | MD5 file hash |
file_hash_sha256 | string | no | SHA-256 file hash |
url | string | no | Domain URL |
port | integer | no | Domain port |
protocol | string | no | Application protocol |
source_ip | string | no | Source IP address |
process_pid | integer | no | Process pid |
process_path | string | no | Process path |
parent_process_pid | integer | no | Parent process PID |
parent_process_path | string | no | Parent process path |
attack_types | array | no | Attack types |
att_ck_id | array | no | MITRE ATT&CK technique IDs |
process_command_line | string | no | Process parameters in command line |
severity | string | yes | The severity of the produced event |
companyId | string | yes | Company identifier |
endpointId | string | yes | Endpoint identifier |
username | string | no | The user that was logged in when the incident was found |
user_sid | string | no | The SID of the user involved with the event source |
Example:
{ "jsonrpc": "2.0", "method": "addEvents", "params": { "events": [ { "module": "new-incident", "created": "2020-07-20T09:36:23.485Z", "computer_id": "5efb3a520075db7384dfa286", "computer_fqdn": "desktop-jac14gs", "computer_name": "DESKTOP-JAC14GS", "detection_name": "ATC.Malicious", "attack_types": [ "Other" ], "computer_ip": "10.17.23.30", "severityScore": 90, "incident_id": "5f1557cbe7b2584f3959ee19", "attack_entry": 1688239188, "parent_process_path": "c:\\windows\\system32\\cmd.exe", "parent_process_pid": 9636, "process_path": "c:\\users\\bdadmin\\desktop\\atcsim\\atcsim32.exe", "process_pid": 10324, "username": "DESKTOP-JAC14GS\\bdadmin", "user_sid": "S-1-5-21-3349207704-443292085-2237656896-1003", "process_command_line": "detect", "file_hash_md5": "ccb1b07bdf330627f02b3c832663a489", "file_hash_sha256": "d5adc6a65a57d30d3ae70d195983d155e7cd24f26eb1ebebde9b92655251ec55", "att_ck_id": [ "T1036", "T1059", "T1002", "T1012" ], "severity": "high", "main_action": "no action", "endpointId": "5efb3a520075db7384dfa285", "companyId": "5efb2f7154060876cb4a13d2" } ] }, "id": 1505221060171 }
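The following added example (not part of the original documentation or of Bitdefender's code) shows one way a receiver could turn addEvents bodies into flat SIEM records. It maps the key spellings used in this page's examples (severityScore, computerName) to the parameter-table names and converts both ISO 8601 and epoch-second timestamps (as in detected_on) to UTC. The function names, record field names and sample values are hypothetical, and treating zone-less timestamps as UTC is an assumption.

```python
import json
from datetime import datetime, timezone

# Key spellings used in this page's examples, mapped to the parameter-table names.
ALIASES = {"severityScore": "severity_score", "computerName": "computer_name"}
# Mandatory "new-incident" fields, copied from the parameter table.
REQUIRED = ("computer_name", "computer_fqdn", "computer_ip", "computer_id",
            "incident_id", "severity_score", "attack_entry", "main_action",
            "severity", "companyId", "endpointId")
# Timestamp-bearing fields that appear in the events documented in this section.
TIME_FIELDS = ("created", "detected_on", "detection_time", "date", "endDate")

def to_utc(value):
    """ISO 8601 string or epoch seconds -> ISO 8601 string in UTC."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return datetime.fromtimestamp(value, tz=timezone.utc).isoformat()
    dt = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    if dt.tzinfo is None:  # assumption: a value without a zone is UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).isoformat()

def parse_add_events(body):
    """Check the JSON-RPC envelope and return events with canonical key names."""
    msg = json.loads(body)
    params = msg.get("params") if isinstance(msg, dict) else None
    if (not isinstance(params, dict) or msg.get("jsonrpc") != "2.0"
            or msg.get("method") != "addEvents"
            or not isinstance(params.get("events"), list)):
        raise ValueError("not a well-formed addEvents request")
    return [{ALIASES.get(k, k): v for k, v in e.items()}
            for e in params["events"] if isinstance(e, dict)]

def to_siem_record(event):
    """Flatten one event; new-incident events also get EDR enrichment fields."""
    stamp = next((event[f] for f in TIME_FIELDS if f in event), None)
    record = {"module": event.get("module"),
              "host": event.get("computer_fqdn"),
              "time_utc": to_utc(stamp) if stamp is not None else None}
    if event.get("module") == "new-incident":
        record.update(
            incident_id=event.get("incident_id"),
            severity_score=event.get("severity_score"),
            sha256=(event.get("file_hash_sha256") or "").lower() or None,
            techniques=sorted(set(event.get("att_ck_id") or [])),
            missing_mandatory=[f for f in REQUIRED if f not in event])
    return record

# Constructed sample body (not real telemetry), shaped like the examples above.
SAMPLE_BODY = json.dumps({"jsonrpc": "2.0", "method": "addEvents", "id": 1, "params": {"events": [
    {"module": "new-incident", "created": "2020-07-20T09:36:23.485Z",
     "computer_name": "HOST-A", "computer_fqdn": "host-a.example.test",
     "computer_ip": "192.0.2.10", "computer_id": "id-1", "incident_id": "inc-1",
     "severityScore": 90, "attack_entry": 1, "main_action": "no action",
     "severity": "high", "companyId": "c-1", "file_hash_sha256": "AB" * 32,
     "att_ck_id": ["T1059", "T1036", "T1059"]},
    {"module": "ransomware-mitigation", "computer_fqdn": "host-b.example.test",
     "detected_on": 1591007594, "attack_type": "remote"}]}})

if __name__ == "__main__":
    for rec in map(to_siem_record, parse_add_events(SAMPLE_BODY)):
        print(json.dumps(rec))
```

The missing_mandatory list reports fields the table marks as mandatory but the event lacks, so a schema drift shows up in the SIEM record instead of silently dropping the event.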
Partner change
This event is generated every time a client company has joined or left your management.
Name | Type | Mandatory | Description |
---|---|---|---|
moved_company_id | string | yes | The ID of the company that has changed its partner. |
moved_company_name | string | yes | The name of the company that has changed its partner. |
action | string | yes | The action taken by the partner. Possible values: |
license_type | string | no | The license type of the company. |
end_subscription_date | timestamp | no | The company's subscription end date. |
auto_renew_period | string | no | The number of months with which the subscription validity will be automatically extended. |
minimal_commitment_usage_endpoints | integer | no | The minimum number of endpoints that this company has committed to use on a monthly basis. |
enabled_services | array | no | What services are enabled for the company. |
id | integer | yes | The ID of the event. |
name | string | yes | The name of the event. |
severity | integer | yes | The severity of the event. Possible values: |
Example:
{ "jsonrpc": "2.0", "method": "addEvents", "params": { "events": [{ "module": "partner-changed", "companyId": "638f118f6b82bec40d0976df", "moved_company_id": "628f107f6b82bec40d0976af", "moved_company_name": "Bitdefender", "action": "joined", "license_type": "Monthly", "end_subscription_date": "2022-12-30T23:59:00", "auto_renew_period": 12, "minimal_commitment_usage_endpoints": 2, "enabled_services": [ "Email Security", "Full Disk Encryption", "Patch Management", "HyperDetect", "Sandbox Analyzer" ] }] }, "id": 1505221060171 }