Push
The Event Push Service API includes several methods for managing the notifications that are sent in real time.
- setPushEventSettings: configures which notifications should be pushed to the web service.
- getPushEventSettings: displays which events are sent to the web service.
- sendTestPushEvent: sends a test event.
- getPushEventStats: displays various push event statistics and errors.
- resetPushEventStats: resets the push event statistics and errors.
API url: CONTROL_CENTER_APIs_ACCESS_URL/v1.0/jsonrpc/push
setPushEventSettings
This method sets the push event settings.
Important
Event Push Service requires the HTTP collector running on the third-party platform to support SSL with TLS 1.2 or higher; otherwise events cannot be sent successfully.
The following IP addresses must be whitelisted to ensure end-to-end communication between the GravityZone Event Push Service and the SIEM/HTTP collector:
34.159.83.241
34.159.47.15
34.159.150.228
34.85.152.87
34.85.155.173
The HTTP collector must respond with the status HTTP 200 OK to the push events received from the above-mentioned IP addresses if the messages are correctly received. Any other response, or no response, is considered an error.
The SIEM and NodeJS connector receiving events from the event push require a public IP assigned to them, so that the GravityZone Event Push server can forward events to it.
Parameters
Parameter | Type | Optional | Description |
---|---|---|---|
status | Number | No | 0 - disabled, 1 - enabled |
serviceType | String | No | Type of the web service. Valid values: |
serviceSettings | Array | No | Specific settings for each service type. For information regarding the service settings, refer to Service Type Settings. |
subscribeToEventTypes | Array | No | List of event types to be sent to the web service. |
subscribeToCompanies | Array | No | The list of companies under your management for which you want to receive the events. You need to mention your own company as well. The list cannot be empty. If the field is missing or has the null value, you will receive events for all companies you manage. |
Service Type Settings
Service Type | Service Settings |
---|---|
Return value
This method returns a Boolean which is True when the settings were saved successfully.
Example
Request:
{
  "params": {
    "status": 1,
    "serviceType": "jsonRPC",
    "serviceSettings": {
      "url": "http://example.com",
      "authorization": "Bearer sfasdfw34243",
      "requireValidSslCertificate": true
    },
    "subscribeToEventTypes": {
      "modules": true,
      "sva": true,
      "registration": true,
      "supa-update-status": true,
      "av": true,
      "aph": true,
      "fw": true,
      "avc": true,
      "uc": true,
      "dp": true,
      "sva-load": true,
      "task-status": true,
      "exchange-malware": true,
      "network-sandboxing": true,
      "adcloud": true,
      "exchange-user-credentials": true,
      "endpoint-moved-out": true,
      "endpoint-moved-in": true,
      "troubleshooting-activity": true,
      "uninstall": true,
      "install": true,
      "hwid-change": true,
      "new-incident": true,
      "antiexploit": true,
      "network-monitor": true,
      "ransomware-mitigation": true,
      "security-container-update-available": true,
      "partner-changed": true
    },
    "subscribeToCompanies": [
      "54a295d8b1a43d7c4a7b23c6",
      "54a295d8b1a43d7c4a7be321"
    ]
  },
  "jsonrpc": "2.0",
  "method": "setPushEventSettings",
  "id": "ad12cb61-52b3-4209-a87a-93a8530d91cb"
}
Response:
{ "id":"ad12cb61-52b3-4209-a87a-93a8530d91cb", "jsonrpc":"2.0", "result": true }
getPushEventSettings
This method gets the push event settings.
Parameters
No input parameters are required.
Return value
This method returns an Object containing the push event settings.
Example
Request:
{ "params": {}, "jsonrpc": "2.0", "method": "getPushEventSettings", "id": "ad12cb61-52b3-4209-a87a-93a8530d91cb" }
Response:
{
  "id": "ad12cb61-52b3-4209-a87a-93a8530d91cb",
  "jsonrpc": "2.0",
  "result": {
    "status": 1,
    "serviceType": "jsonRPC",
    "serviceSettings": {
      "url": "http://example.com",
      "authorization": "Bearer sfasdfw34243",
      "requireValidSslCertificate": true
    },
    "subscribeToEventTypes": {
      "modules": true,
      "sva": true,
      "registration": true,
      "supa-update-status": true,
      "av": true,
      "aph": true,
      "fw": true,
      "avc": true,
      "uc": true,
      "dp": true,
      "sva-load": true,
      "task-status": true,
      "exchange-malware": true,
      "network-sandboxing": true,
      "adcloud": true,
      "exchange-user-credentials": true,
      "endpoint-moved-out": true,
      "endpoint-moved-in": true,
      "troubleshooting-activity": true,
      "uninstall": true,
      "install": true,
      "hwid-change": true,
      "new-incident": true,
      "antiexploit": true,
      "network-monitor": true,
      "ransomware-mitigation": true,
      "security-container-update-available": true,
      "partner-changed": true
    },
    "subscribeToCompanies": [
      "54a295d8b1a43d7c4a7b23c6",
      "54a295d8b1a43d7c4a7be321"
    ]
  }
}
sendTestPushEvent
This method sends a test event.
Test events always have the _testEvent_ property set to true.
Parameters
Parameter | Type | Optional | Description |
---|---|---|---|
eventType | String | No | Event type |
data | Object | Yes | Test events are created from templates. This parameter can be used to replace data in the event template. |
Return value
This method returns an Object containing the details of the sent event and a Boolean that marks the event as a test.
Example
Request:
{ "params": { "eventType": "av", "data": { "malware_name": "Test malware name" } }, "jsonrpc": "2.0", "method": "sendTestPushEvent", "id": "ad12cb61-52b3-4209-a87a-93a8530d91cb" }
Response:
{
"id":"ad12cb61-52b3-4209-a87a-93a8530d91cb",
"jsonrpc":"2.0",
"result": {
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-WIN7-X64-01",
"computer_fqdn": "fc-win7-x64-01",
"computer_ip": "10.17.46.196",
"computer_id": "59a1604e60369e06733f8abb",
"product_installed": "BEST",
"malware_type": "file",
"malware_name": "Test malware name",
"file_path": "C:\\eicar0000001.txt",
"hash": "8b3f191819931d1f2cef7289239b5f77c00b079847b9c2636e56854d1",
"final_status": "deleted",
"timestamp": "2017-09-08T12:01:36.000Z",
"module": "av",
"_testEvent_": true
}
}
getPushEventStats
This method gets the push event statistics and errors.
The configuration error occurs when the HTTP collector does not use an SSL certificate, or when the setPushEventSettings method is not using an authorization header generated by the HTTP collector. You must meet these prerequisites to use Event Push Service successfully.
Warning
Event Push Service automatically stops in the following scenarios:
- The errorMessages field can count only 100 messages that were not sent via Event Push Service due to communication errors. Once the counter exceeds 100 such events, Event Push Service automatically stops sending events and resets the serviceSettings.status field returned by the getPushEventSettings method to 0.
- A specific time (10800 seconds) passes since the last error was received without another valid status (HTTP 200 OK).
In both situations, you have to reactivate the Event Push Service using a new setPushEventSettings API call.
Parameters
No input parameters are required.
Return value
This method returns an Object containing the push event statistics.
Example
Request:
{ "params": {}, "jsonrpc": "2.0", "method": "getPushEventStats", "id": "ad12cb61-52b3-4209-a87a-93a8530d91cb" }
Response:
{
  "id": "ad12cb61-52b3-4209-a87a-93a8530d91cb",
  "jsonrpc": "2.0",
  "result": {
    "count": {
      "events": 6945,
      "testEvents": 8,
      "sentMessages": 8,
      "errorMessages": 0
    },
    "error": {
      "configurationError": 0,
      "connectionError": 0,
      "serviceError": 0,
      "statusCode2xx": 0,
      "statusCode300": 0,
      "statusCode400": 0,
      "statusCode500": 0,
      "timeout": 0
    },
    "lastUpdateTime": "2017-10-13T18:45:28"
  }
}
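An added example, not part of the original documentation, that applies the two stop conditions described under the Warning to the "result" objects of getPushEventSettings and getPushEventStats, checks the service settings against the TLS and authorization prerequisites, and builds the setPushEventSettings call that reactivates the service. The sample results are constructed, and using lastUpdateTime as the time of the last error is an assumption, not something the page states.

```javascript
// Added example (not Bitdefender's code). Health check for the Event Push Service
// based on the documented stop conditions, plus the reactivation request.
const MAX_ERROR_MESSAGES = 100;      // documented limit of the errorMessages counter
const ERROR_SILENCE_SECONDS = 10800; // documented time since the last error without a 200

// JSON-RPC 2.0 envelope in the shape the push API expects; the id is caller supplied.
function buildRpc(method, params, id) {
  return { params, jsonrpc: '2.0', method, id };
}

// Returns the prerequisite problems found in serviceSettings (empty array when none):
// the collector must speak TLS 1.2+, and an authorization header must be configured.
function lintServiceSettings(serviceSettings) {
  const problems = [];
  const s = serviceSettings || {};
  if (!/^https:\/\//i.test(String(s.url || ''))) {
    problems.push('url is not https; the collector must support TLS 1.2 or higher');
  }
  if (s.requireValidSslCertificate !== true) {
    problems.push('requireValidSslCertificate is not true');
  }
  if (!s.authorization) {
    problems.push('authorization header value is missing');
  }
  return problems;
}

// settings: result of getPushEventSettings; stats: result of getPushEventStats.
// now is injectable so the 10800 s rule can be evaluated deterministically.
// Assumption (not stated by the page): stats.lastUpdateTime reflects the most
// recent delivery attempt, so it stands in for the time of the last error.
function assessPushHealth(settings, stats, now = new Date()) {
  const reasons = [];
  if (!settings || settings.status !== 1) reasons.push('status is 0');
  const unsent = (stats && stats.count && stats.count.errorMessages) || 0;
  if (unsent > MAX_ERROR_MESSAGES) {
    reasons.push(`errorMessages=${unsent} exceeds ${MAX_ERROR_MESSAGES}`);
  }
  const errorTotal = stats && stats.error
    ? Object.values(stats.error).reduce((sum, n) => sum + n, 0) : 0;
  if (errorTotal > 0 && stats.lastUpdateTime) {
    const ageSec = (now.getTime() - Date.parse(stats.lastUpdateTime)) / 1000;
    if (ageSec >= ERROR_SILENCE_SECONDS) {
      reasons.push(`errors pending and no update for ${Math.round(ageSec)} s`);
    }
  }
  return { stopped: reasons.length > 0, reasons };
}

// A new setPushEventSettings call carrying the stored settings with status set back to 1.
function buildReactivation(settings, id) {
  const { serviceType, serviceSettings, subscribeToEventTypes, subscribeToCompanies } = settings;
  return buildRpc('setPushEventSettings',
    { status: 1, serviceType, serviceSettings, subscribeToEventTypes, subscribeToCompanies }, id);
}

// Constructed sample results, shaped like the documented responses, for a service
// that has already stopped after too many undeliverable messages.
const SAMPLE_SETTINGS = {
  status: 0,
  serviceType: 'jsonRPC',
  serviceSettings: {
    url: 'http://example.com',
    authorization: 'Bearer constructed-token',
    requireValidSslCertificate: true,
  },
  subscribeToEventTypes: { av: true, fw: true, 'new-incident': true },
  subscribeToCompanies: ['54a295d8b1a43d7c4a7b23c6'],
};
const SAMPLE_STATS = {
  count: { events: 6945, testEvents: 8, sentMessages: 6808, errorMessages: 137 },
  error: {
    configurationError: 0, connectionError: 137, serviceError: 0, statusCode2xx: 0,
    statusCode300: 0, statusCode400: 0, statusCode500: 0, timeout: 0,
  },
  lastUpdateTime: '2017-10-13T18:45:28',
};
```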
resetPushEventStats
This method resets the push event statistics and errors.
Parameters
No input parameters are required.
Return value
This method returns a Boolean which is True when the statistics were reset successfully.
Example
Request:
{ "params": {}, "jsonrpc": "2.0", "method": "resetPushEventStats", "id": "ad12cb61-52b3-4209-a87a-93a8530d91cb" }
Response:
{ "id":"ad12cb61-52b3-4209-a87a-93a8530d91cb", "jsonrpc":"2.0", "result": true }
Event Types
This table displays types of events based on modules, types of tasks or actions, or status indicators. For each type of event you can view the common category name and the JSON variable used in API. Click the category name to view the details sent for such events.
Event category in GravityZone | Event identifier in API |
---|---|
adcloud | |
aph | |
av | |
avc | |
dp | |
exchange-malware | |
exchange-organization-info | |
exchange-user-credentials | |
fw | |
hd | |
modules | |
network-sandboxing | |
registration | |
supa-update-status | |
sva-load | |
sva | |
antiexploit | |
network-monitor | |
task-status | |
uc | |
storage-antimalware | |
install | |
uninstall | |
hwid-change | |
endpoint-moved-in | |
endpoint-moved-out | |
troubleshooting-activity | |
device-control | |
ransomware-mitigation | |
new-incident | |
partner-changed | |
Push event JSON RPC messages
Events are submitted in calls to the "addEvents" function. This function takes one parameter: "events", which is an array of event objects documented below.
HTTP requests can be verified using the Event-Push-Service-Md5 header. The header value is obtained by hashing the API key together with the message body as follows: header_value = md5(api_key + md5(message_body)), where + is string concatenation and both md5 digests are hex-encoded.
// The API key that was used when configuring the Event Push Service
$apikey = "a247bf167a48d899b7a64aced0d6cebdbd5d474578c26cd023505b2c26******";
// The raw request body, exactly as received (hash it before any JSON decoding)
$message = file_get_contents('php://input');
// The value sent by the Event Push Service in the Event-Push-Service-Md5 header
$servermd5 = $_SERVER['HTTP_EVENT_PUSH_SERVICE_MD5'];
// Recompute md5(api_key + md5(message_body)) and compare in constant time
$resultmd5 = md5($apikey . md5($message));
$verified = hash_equals($resultmd5, $servermd5);
Cloud AD Integration
This event is generated when Control Center is synchronizing with an Active Directory domain.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: adcloud |
companyId | string | yes | Company identifier |
syncerId | string | yes | AD Integrator identifier |
issueType | integer | yes | AD Synchronization issue type |
isProtectedEntityId | integer | no | Is protected entity ID (only for uninstall) |
lastAdReportDate | timestamp | no | Last AD synchronization date |
Example:
{ "jsonrpc": "2.0", "method": "addEvents", "params": { "events": [ { "companyId": "59a14b271da197c6108b4567", "syncerId": "59b7d9bfa849af3a1465b7e3", "issueType": 0, "lastAdReportDate": "2017-09-14T08:03:49.671Z", "module": "adcloud" } ] }, "id": 1505376232077 }
Antiphishing
This notification informs you each time the endpoint agent detects a known phishing attempt when accessing a web page.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: aph |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
aph_type | string | yes | Values: phishing, fraud, untrust |
url | string | yes | Malware url |
status | string | yes | Values: aph_blocked, reportOnly |
last_blocked | timestamp | yes | Last timestamp this malware was blocked |
count | integer | yes | How many times this malware was detected |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-EXCHANGE-01",
"computer_fqdn": "fc-exchange-01.fc.dom",
"computer_ip": "192.168.0.1",
"computer_id": "59b7d9bfa849af3a1465b7e4",
"product_installed": "BEST",
"aph_type": "phishing",
"url": "http://example.com/account/support/",
"status": "aph_blocked",
"last_blocked": "2017-09-14T08:49:43.000Z",
"count": 1,
"module": "aph"
}
]
},
"id": 1505378984190
}
Antimalware
This event is generated each time Bitdefender detects malware on an endpoint in your network.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: av |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
malware_type | string | yes | Type of the detected malware: file, http, cookie, pop3, smtp, process, boot, registry, stream |
malware_name | string | yes | Malware name |
hash | string | no | Malware file sha256 hash |
final_status | string | yes | Final status of the action taken on the file: ignored, still present, deleted, blocked, quarantined, disinfected, restored |
container_id | string | no | The identifier of the container entity |
container_host | string | no | The name of the host that manages the container entity |
file_path | string | yes | Malware file path |
timestamp | timestamp | yes | Timestamp when the malware was detected |
signaturesNumber | string | no | Number of signatures |
taskScanType | integer | no | Scan task type |
scanEngineType | integer | no | Scan engine type |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-WIN7-X64-01",
"computer_fqdn": "fc-win7-x64-01",
"computer_ip": "10.17.46.196",
"computer_id": "59a1604e60369e06733f8abb",
"product_installed": "BEST",
"malware_type": "file",
"malware_name": "EICAR-Test-File (not a virus)",
"file_path": "C:\\eicar0000001.txt",
"hash": "8b3f191819931d1f2cef7289239b5f77c00b079847b9c2636e56854d1e5eff71",
"final_status": "deleted",
"timestamp": "2017-09-08T12:01:36.000Z",
"module": "av"
}
]
},
"id": 1504872097787
}
Advanced Threat Control (ATC)
This event is created whenever a potentially dangerous application is detected and blocked on an endpoint.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: avc |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
exploit_type | string | yes | Values: IDS APP, AVC APP, AVC Exploit |
exploit_path | string | yes | Exploit file path |
process_command_line | string | no | The command line parameters of the detected process |
parent_process_id | integer | no | The pid of the parent of the detected process |
parent_process_path | string | no | The path of the parent process of the detection |
status | string | yes | Values: avc_blocked, avc_allowed, avc_disinfected |
last_blocked | timestamp | yes | Last timestamp this application/exploit was blocked |
count | integer | yes | How many times this application/exploit was detected |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-WIN7-X64-01",
"computer_fqdn": "fc-win7-x64-01",
"computer_ip": "192.168.0.1",
"computer_id": "59a1604e60369e06733f8abb",
"product_installed": "BEST",
"exploit_type": "AVC Blocked Exploit",
"exploit_path": "C:\\Users\\admin\\Desktop\\Tools\\avcsim\\win32\\avcsim32.exe",
"status": "avc_blocked",
"last_blocked": "2017-09-14T07:56:33.000Z",
"count": 1,
"module": "avc"
}
]
},
"id": 1505375801845
}
Data Protection
This event is generated each time the data traffic is blocked on an endpoint, according to data protection rules.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: dp |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
target_type | string | yes | Malware type: mail, http |
blocking_rule_name | string | yes | Data protection rule name |
url | string | yes | Url |
status | string | yes | Always "data_protection_blocked" |
last_blocked | timestamp | yes | Last timestamp this email/url was blocked |
count | integer | yes | How many times this malware was detected |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-WIN7-X64-01",
"computer_fqdn": "fc-win7-x64-01",
"computer_ip": "192.168.0.1",
"computer_id": "59a1604e60369e06733f8abb",
"product_installed": "BEST",
"target_type": "http",
"blocking_rule_name": "dv",
"url": "http://example.com/",
"status": "data_protection_blocked",
"last_blocked": "2017-09-11T10:23:43.000Z",
"count": 1,
"module": "dp"
}
]
},
"id": 1505125464691
}
Exchange Malware Detection
This event is created when Bitdefender detects malware on an Exchange server in your network.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: exchange-malware |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
serverName | string | yes | Server name |
sender | string | yes | Email sender |
recipients | array | yes | List of email recipients (array of strings) |
subject | string | yes | Email subject |
detectionTime | timestamp | yes | Detection time |
malware | array | yes | List of detected malware (array of {"malwareName": string, "malwareType": string, "actionTaken": string, "infectedObject": string}) |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-EXCHANGE-01",
"computer_fqdn": "fc-exchange-01.fc.dom",
"computer_ip": "192.168.0.1",
"computer_id": "59b7d9bfa849af3a1465b7e4",
"product_installed": "BEST",
"endpointId": "59b7d9bfa849af3a1465b7e3",
"serverName": "FC-EXCHANGE-01",
"sender": "fc_test01@fc.dom",
"recipients": [
"fc_test02@fc.dom"
],
"subject": "Emailing Sending.. WL-cbe100c9f42a20ef9a4b1c20ed1a59f9-0",
"detectionTime": "2017-09-13T14:20:37.000Z",
"malware": [
{
"malwareName": "Trojan.Generic.KD.874127",
"malwareType": "virus",
"actionTaken": "quarantine",
"infectedObject": "WL-cbe100c9f42a20ef9a4b1c20ed1a59f9-0"
}
],
"module": "exchange-malware"
}
]
},
"id": 1505312459584
}
Exchange License Usage Limit Has Been Reached
This event is generated when the Exchange license limit has been reached.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: exchange-organization-info |
companyId | string | yes | Company identifier |
Example:
{ "jsonrpc": "2.0", "method": "addEvents", "params": { "events": [ { "companyId": "59a14b271da197c6108b4567", "endpointId": "59b7d9bfa849af3a1465b7e3", "module": "exchange-organization-info", "mailboxes":8, "license_limit":5, "license_key":"5IMI111" } ] }, "id": 1505387661508 }
Exchange User Credentials
This event is generated when an on-demand scan task could not start on the target Exchange server due to invalid user credentials. To complete the task, you need to change your Exchange credentials.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: exchange-user-credentials |
companyId | string | yes | Company identifier |
endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
Example:
{ "jsonrpc": "2.0", "method": "addEvents", "params": { "events": [ { "companyId": "59a14b271da197c6108b4567", "endpointId": "59b7d9bfa849af3a1465b7e3", "module": "exchange-user-credentials" } ] }, "id": 1505387661508 }
Firewall
This event is generated when the endpoint agent blocks a port scan or an application from accessing the network, according to the applied policy.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: fw |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
status | string | yes | Status |
local_port | string | no | Local port |
protocol_id | string | no | The identifier of the malware attack protocol as defined by Protocol Number |
application_path | string | no | Application path |
source_ip | string | no | Source IP address |
last_blocked | timestamp | yes | Last timestamp this connection was blocked |
count | integer | yes | How many times this connection was detected |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-WIN7-X64-01",
"computer_fqdn": "fc-win7-x64-01",
"computer_ip": "192.168.0.1",
"computer_id": "59a1604e60369e06733f8abb",
"product_installed": "BEST",
"status": "portscan_blocked",
"protocol_id": "6",
"source_ip": "192.168.0.2",
"last_blocked": "2017-09-08T12:52:03.000Z",
"count": 1,
"module": "fw"
}
]
},
"id": 1504875129648
}
Hyper Detect event
This event is generated when malware is detected by the Hyper Detect module.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: hd |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
malware_type | string | yes | Type of the detected malware: file, http, cookie, pop3, smtp, process, boot, registry, stream |
malware_name | string | yes | Malware name |
hash | string | no | Malware file sha256 hash |
final_status | string | yes | Final status of the action taken on the file: ignored, still present, deleted, blocked, quarantined, disinfected, restored |
container_id | string | no | The identifier of the container entity |
container_host | string | no | The name of the host that manages the container entity |
file_path | string | yes | Malware file path |
attack_type | string | no | Values: targeted attack, grayware, exploits, ransomware, suspicious files and network traffic |
detection_level | string | no | Values: permissive, normal, aggressive |
is_fileless_attack | string | no | True for fileless attack |
command_line_parameters | string | no | Command line parameters |
process_info_path | string | no | Process path |
process_info_command_line | string | no | Process command line parameters |
parent_process_id | integer | no | Parent process ID |
parent_process_path | string | no | Parent process path |
hwid | string | yes | Hardware identifier |
date | timestamp | yes | Timestamp when the malware was detected |
Example:
{
  "jsonrpc": "2.0",
  "method": "addEvents",
  "params": {
    "events": [
      {
        "module": "hd",
        "product_installed": "EPS",
        "user": {
          "name": "admin",
          "sid": "BF410F3B-5F3A-41E1-BF8F-28DE6948A355"
        },
        "computer_name": "DHMSI",
        "computer_fqdn": "dhmsi",
        "computer_ip": "10.10.18.226",
        "computer_id": "5c4999491ddfad7177316f80",
        "malware_type": "file",
        "malware_name": "",
        "hash": "hash_3",
        "final_status": "quarantined",
        "file_path": "44e695d9ed259aea10e5b57145d0d0dc.bender",
        "attack_type": "suspicious files and network traffic",
        "detection_level": "normal",
        "is_fileless_attack": 1,
        "command_line_parameters": "a b c",
        "process_info_path": "C:\\a.exe",
        "process_info_command_line": "c:\\a.exe -testParam",
        "parent_process_id": 1716,
        "parent_process_path": "C:\\Windows\\System32\\cmd.exe",
        "hwid": "00000000-0000-0000-0000-406186b5****",
        "companyId": "5c497704f9bf8d0b1b4df***",
        "date": "2019-01-24T11:13:04.000Z"
      }
    ]
  },
  "id": 1547719287349
}
Product Modules Status
This event is generated when a security module of the installed agent gets enabled or disabled.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: modules |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computerId | string | yes | Unique endpoint identifier in the GravityZone database |
container_id | string | no | The identifier of the container entity |
container_host | string | no | The name of the host that manages the container entity |
is_container_host | boolean | no | Whether the machine is a container host |
malware_status | boolean | no | Antimalware module |
aph_status | boolean | no | Antiphishing module |
firewall_status | boolean | no | Firewall module |
avc_status | boolean | no | Active Threat Control module |
ids_status | boolean | no | Intrusion detection system module |
uc_web_filtering | boolean | no | Content Control Web Access Control module |
uc_categ_filtering | boolean | no | Content Control Web Categories Filtering module |
uc_application_status | boolean | no | Content Control Application Blacklisting module |
dp_status | boolean | no | Content Control Data Protection module |
pu_status | boolean | no | Power User module |
dlp_status | boolean | no | Device Control module |
exchange_av_status | boolean | no | Exchange Protection Antimalware module |
exchange_as_status | boolean | no | Exchange Protection Antispam module |
exchange_at_status | boolean | no | Exchange Protection Attachment filtering module |
exchange_cf_status | boolean | no | Exchange Protection Content filtering module |
exchange_od_status | boolean | no | Exchange Protection On demand scan module |
volume_encryption | boolean | no | Encryption module |
patch_management | boolean | no | Patch management module |
container_protection_status | boolean | no | Container Protection module |
network_monitor_status | boolean | no | Network Attack Defense module |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-WIN7-X64-01",
"computer_fqdn": "fc-win7-x64-01",
"computer_ip": "192.168.0.1",
"computer_id": "59a1604e60369e06733f8abb",
"product_installed": "BEST",
"malware_status": 1,
"aph_status": 1,
"firewall_status": 1,
"avc_status": 1,
"uc_web_filtering": 0,
"uc_categ_filtering": 0,
"uc_application_status": 0,
"dp_status": 0,
"pu_status": 1,
"dlp_status": 0,
"module": "modules"
}
]
},
"id": 1504871857671
}
Sandbox Analyzer Detection
This event is generated each time Sandbox Analyzer detects a new threat among the submitted files.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: network-sandboxing |
companyId | string | yes | Company identifier |
endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
deviceExternalId | string | no | Unique endpoint identifier in the GravityZone database |
submissionId | string | no | GravityZone network sandbox submission ID |
computerName | string | yes | Computer name |
computerIp | string | yes | Computer IP address |
detectionTime | integer | yes | Detection time |
threatType | string | yes | Threat type |
filePaths | array | yes | File paths (array of strings) |
fileSizes | array | yes | File sizes (array of strings) |
remediationActions | array | yes | Remediation actions (array of strings). Possible values: |
Example:
{ "jsonrpc": "2.0", "method": "addEvents", "params": { "events": [ { "companyId": "59a14b271da197c6108b4567", "endpointId": "59a1604e60369e06733f8aba", "computerName": "FC-WIN7-X64-01", "computerIp": "192.168.0.1", "detectionTime": 1505386969, "threatType": "RANSOMWARE", "filePaths": [ "C:\\Users\\Administrator\\Documents\\installer.xml", "D:\\opt\\bitdefender\\installer2.xml", "D:\\sources\\console\\CommonConsole\\app\\modules\\policies\\view\\endpoints\\networkSandboxing\\installer3.xml" ], "fileSizes": [ "2614", "2615", "2616" ], "remediationActions": [ "1", "", "1" ], "module": "network-sandboxing" } ] }, "id": 1505386971126 }
Product Registration
This event is generated when the registration status of an agent installed in your network has changed.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: registration |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
container_id | string | no | The identifier of the container entity |
container_host | string | no | The name of the host that manages the container entity |
is_container_host | boolean | no | Whether the machine is a container host |
product_registration | string | yes | Values: registered, unregistered |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-EXCHANGE-01",
"computer_fqdn": "fc-exchange-01.fc.dom",
"computer_ip": "192.168.0.1",
"computer_id": "59b7d9bfa849af3a1465b7e4",
"product_installed": "BEST",
"product_registration": "registered",
"module": "registration"
}
]
},
"id": 1505221060168
}
Outdated Update Server
This event is generated when an update server has outdated malware signatures.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
fromSupa | boolean | yes | Identifies events sent from Relays (always true) |
module | string | yes | Event type identifier. Value: supa-update-status |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
status | boolean | yes | Update status |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-WIN7-X64-01",
"computer_fqdn": "fc-win7-x64-01",
"computer_ip": "192.168.0.1",
"computer_id": "59a1604e60369e06733f8abb",
"product_installed": "BEST",
"status": 0,
"fromSupa": 1,
"module": "supa-update-status"
}
]
},
"id": 1505379714808
}
Overloaded Security Server
This event is generated when the scan load on a Security Server in your network exceeds the defined threshold.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: sva-load |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
loadAverage | integer | yes | Load average |
cpuUsage | integer | yes | Cpu usage |
memoryUsage | integer | yes | Memory usage |
networkUsage | integer | yes | Network usage |
overallUsage | integer | yes | Overall usage |
svaLoad | string | no | SVA load |
Example:
{ "jsonrpc": "2.0", "method": "addEvents", "params": { "events": [ { "companyId": "59a14b271da197c6108b4567", "computer_name": "bitdefender-sva", "computer_fqdn": "bitdefender-sva", "computer_ip": "192.168.0.1", "computer_id": "59b8f3aba849af3a1465b81e", "product_installed": "SVA", "loadAverage": 1, "cpuUsage": 48, "memoryUsage": 32, "networkUsage": 0, "overallUsage": 48, "svaLoad": "Normal", "module": "sva-load" } ] }, "id": 1505293227782 }
Security Server Status
This event is created when the status of a certain Security Server changes. The status refers to power (powered on/powered off), product update, signatures update and reboot required.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
powered_off | boolean | yes | Powered off |
product_update_available | boolean | no | Product update available |
signature_update | timestamp | no | Last signatures update timestamp |
product_reboot_required | boolean | no | True if a reboot is required |
lastupdate | string | no | Last update |
lastupdateerror | string | no | Last update error |
updatesigam | string | no | Security Server engines version |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "bitdefender-sva",
"computer_fqdn": "bitdefender-sva",
"computer_ip": "192.168.0.1",
"computer_id": "59b8f3aba849af3a1465b81e",
"product_installed": "SVA",
"powered_off": 0,
"product_update_available": 1,
"product_reboot_required": 0,
"lastupdate": "0",
"updatesigam": "7.72479",
"module": "sva"
}
]
},
"id": 1505293227782
}
Antiexploit Event
This event is generated when Advanced Anti-Exploit triggers a detection.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
container_id | string | no | The identifier of the container entity |
container_host | string | no | The name of the host that manages the container entity |
endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
detection_action | string | yes | The action that was taken upon the detection |
detection_threatName | string | no | Threat type |
detection_pid | string | yes | The pid of the detection |
detection_exploitTechnique | string | yes | The technique employed in the detection |
detection_parentPid | string | no | The pid of the parent of the detected process |
detection_path | string | yes | The path of the detection |
detection_parentPath | string | no | The path of the parent process of the detection |
detection_cve | string | no | Detection CVE |
detection_payload | string | no | Detection payload |
detection_username | string | no | The user that was logged when the detection was found |
detection_time | timestamp | yes | Time of the event as reported by the product, already formatted in a string representation |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"module": "antiexploit",
"product_installed": "BEST",
"companyId": "5cf10c8af23f73097377c924",
"computer_name": "TEST_ENDPOINT",
"computer_fqdn": "test-endpoint.dsd.ro",
"computer_ip": "10.10.18.226",
"computer_id": "5cf51ba5e8ee8c5b1852a9d7",
"endpointId": "5cf51ba5e8ee8c5b1852a9d6",
"detection_action": "kill",
"detection_threatName": "EICAR-Test-File (not a virus)",
"detection_pid": "2000",
"detection_exploitTechnique": "Flash/Generic",
"detection_parentPid": "4000",
"detection_path": "C:\\file15c8ba8b90ea1de127962f464.exe",
"detection_parentPath": "C:\\file25c8ba8b90ea1de127962f464.exe",
"detection_username": "user@domain.com",
"detection_time": "2019-06-03T13:58:30.000Z"
}
]
},
"id": 1547719287349
}
Network Attack Defense Event
This event is generated when the Network Attack Defense module triggers a detection.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
endpointId | string | yes | Endpoint identifier |
label | string | no | The label set in the Network grid by the Admin |
actionTaken | string | yes | The action that was taken upon the detection |
detection_name | string | yes | The name of the detection as received from BEST |
detection_attackTechnique | string | yes | Name of the attack technique as set in the Network Attack Defense policy |
source_ip | string | yes | IP of the attack source |
victim_ip | string | yes | IP of the victim's endpoint |
local_port | string | yes | The port on which the attack occurred |
timestamp | timestamp | yes | Time of the event as reported by the product, already formatted in a string representation |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"module": "network-monitor",
"product_installed": "BEST",
"user": {
"userName": "user1@domain.com",
"userSid": "S-1-2-3-4"
},
"computer_name": "TEST_ENDPOINT",
"computer_fqdn": "test-endpoint.dsd.ro",
"computer_ip": "10.10.18.226",
"computer_id": "5d639e8f48ac2f04f6e00b1c",
"actionTaken": "reportOnly",
"detection_name": "PrivacyThreat.PasswordStealer.HTTP",
"detection_attackTechnique": "discovery",
"source_ip": "10.17.134.4",
"victim_ip": "213.211.198.58",
"local_port": "80",
"timestamp": "2019-01-24T11:13:04.000Z"
}
]
},
"id": 1547719287349
}
Task Status
This event is generated each time a task status changes.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
userId | string | yes | User identifier |
taskId | string | yes | Task identifier |
taskName | string | yes | Task name |
taskType | integer | yes | Task type |
targetName | string | yes | Task name |
isSuccessful | boolean | yes | True if the task was executed successfully |
status | integer | yes | Task status |
errorMessage | string | yes | Error message |
errorCode | integer | yes | Error code |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-WIN7-X64-01",
"computer_fqdn": "fc-win7-x64-01",
"computer_ip": "192.168.0.1",
"computer_id": "59a1604e60369e06733f8abb",
"product_installed": "BEST",
"userId": "59a14b2b1da197c6108b4568",
"taskId": "59b28dc81da19711058b4568",
"taskName": "Quick Scan 2017-09-08(sub-task)",
"taskType": 272,
"targetName": "FC-WIN7-X64-01",
"isSuccessful": 1,
"status": 3,
"errorMessage": "",
"errorCode": 0,
"module": "task-status"
}
]
},
"id": 1504874269032
}
User Control/Content Control
This event is generated when a user activity, such as web browsing or a software application, is blocked on the endpoint according to the applied policy.
Important
Depending on your designated server, you might not have this event type activated by default. Log in to your console and check your URL: if you are using https://cloud.gravityzone.bitdefender.com, you need to contact support and request them to activate the event type.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
uc_type | string | no | Values: application, http |
url | string | no | Url |
block_type | string | no | Values: application, http_timelimiter, http_blacklist, http_categories, http_bogus, http_antimalware |
categories | string | no | Values: WebProxy, Games, Tabloids, Hate, Gambling, Drugs, Illegal, Shopping, OnlinePay, Video, SocialNetwork, OnlineDating, IM, SearchEngines, RegionalTLDS, News, Pornography, MatureContent, Blog, FileSharing, Narcotics, VideoOnline, Religious, Suicide, Health, ViolentCartoons, Weapons, Hacking, Scams, CasualGames, OnlineGames, ComputerGames, PhotosOnline, Ads, Advice, Bank, Business, ComputerAndSoftware, Education, Entertainment, Government, Hobbies, Hosting, JobSearch, Portals, RadioMusic, Sports, TimeWasters, Travel, WebMail |
application_path | string | no | Application path |
status | string | no | Values: uc_application_blocked, uc_site_blocked |
last_blocked | timestamp | no | Last timestamp this malware was blocked |
count | integer | no | How many times this malware was detected |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-WIN7-X64-01",
"computer_fqdn": "fc-win7-x64-01",
"computer_ip": "192.168.0.1",
"computer_id": "59a1604e60369e06733f8abb",
"product_installed": "BEST",
"uc_type": "http",
"url": "http://192.168.0.1:2869/upnphost/udhisapi.dll",
"block_type": "http_timelimiter",
"categories": "",
"status": "uc_site_blocked",
"last_blocked": "2017-09-08T12:46:30.000Z",
"count": 1,
"module": "uc"
}
]
},
"id": 1504874799367
}
Storage Antimalware Event
This event is generated each time SVA detects a new threat on the protected storage (NAS).
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: |
companyId | string | yes | Company identifier |
endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
computer_name | string | yes | Computer name |
storage_name | string | yes | The name of the storage unit |
storage_ip | string | yes | The IP address of the storage unit |
storage_type | string | yes | The type of the storage unit (e.g., Nutanix, Citrix) |
file_path | string | yes | File path |
file_hash | string | yes | File hash |
malware_type | string | yes | Describes the type of malware as defined by Bitdefender. Possible values are: 'file', 'http', 'cookie', 'pop3', 'smtp', 'process', 'boot', 'registry' and 'stream' |
malware_name | string | yes | Name of the malware as defined by Bitdefender |
status | string | yes | Final status for the detected objects. Possible values are: |
detection_time | timestamp | yes | Time of the event as reported by the product, already formatted in a string representation |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"endpointId": "59a1604e60369e06733f8aba",
"computerName": "SVA_WITH_ICAP",
"storage_name": "fileserver001",
"storage_ip": "192.168.0.1",
"storage_type": "Nutanix",
"file_path": "C:\\Users\\Administrator\\Documents\\installer.xml",
"file_hash": "04d7cff845e23111633cc0a268634f5e6c18145d0a9b5a38dedd8a58a422001c",
"malware_type": "1",
"malware_name": "BAT.Trojan.FormatC.Z",
"status": "5",
"detection_time": "2018-05-07T10:23:43.000Z",
"module": "storage-antimalware"
}
]
},
"id": 1505386971126
}
Install Agent
This event is generated when the agent is installed on endpoints.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
hwid | string | yes | Hardware identifier |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"product_installed": "BEST",
"companyId": "59a14b271da197c6108b4567",
"computer_name": "TEST_ENDPOINT",
"computer_fqdn": "test-endpoint.dsd.ro",
"computer_ip": "10.10.18.226",
"computer_id": "5cf51ba5e8ee8c5b1852a9d7",
"module": "install",
"endpointId": "5e2085febf255a545e52276b",
"hwid": "00000000-0000-0000-0000-406186b5bdbd50"
}
]
},
"id": 1547719287350
}
Uninstall Agent
This event is generated when an agent is uninstalled from an endpoint.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
reason | integer | yes | Uninstalling method. Available options: |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"product_installed": "BEST",
"companyId": "59a14b271da197c6108b4567",
"computer_name": "TEST_ENDPOINT",
"computer_fqdn": "test-endpoint.dsd.ro",
"computer_ip": "10.10.18.226",
"computer_id": "59b7d9bfa849af3a1465b7e4",
"endpointId": "5e2085febf255a545e52276b",
"reason": 1,
"module": "uninstall"
}
]
},
"id": 1505221060168
}
Hardware ID Change
This event is generated when the hardware ID of an endpoint from your network is changed.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
old_hwid | string | yes | The old hardware ID of the machine |
new_hwid | string | yes | The new hardware ID of the machine |
endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"module": "hwid-change",
"product_installed": "BEST",
"companyId": "5e207bc354060806ed24a132",
"computer_name": "A",
"computer_fqdn": "test-endpoint.dsd.ro",
"computer_ip": "10.10.18.526",
"computer_id": "5e284ff5b7e43d387ba54a96",
"old_hwid": "00000000-0000-0000-0000-406186b5bde7",
"new_hwid": "00000000-0000-0000-0000-406186b5bde6",
"endpointId": "5e284ff5b7e43d387ba54a95"
}
]
},
"id": 1547719287349
}
Endpoint moved in
This event is generated when endpoints are moved in Network Inventory from one company to another. The event is received by the destination company.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
hwid | string | yes | Hardware identifier |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"product_installed": "BEST",
"companyId": "59a14b271da197c6108b4568",
"computer_name": "TEST_ENDPOINT",
"computer_fqdn": "test-endpoint.dsd.ro",
"computer_ip": "10.10.18.226",
"computer_id": "59b7d9bfa849af3a1465b7e3",
"endpointId": "5e2085febf255a545e52276a",
"module": "endpoint-moved-in",
"hwid": "5e284ff-5b7e43d387ba-54a95"
}
]
},
"id": 1505221060169
}
Endpoint moved out
This event is generated when endpoints are moved in Network Inventory from one company to another. The event is received by the source company.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
hwid | string | yes | Hardware identifier |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"product_installed": "BEST",
"companyId": "59a14b271da197c6108b4567",
"computer_name": "TEST_ENDPOINT",
"computer_fqdn": "test-endpoint.dsd.ro",
"computer_ip": "10.10.18.226",
"computer_id": "59b7d9bfa849af3a1465b7e4",
"endpointId": "5e2085febf255a545e52276b",
"module": "endpoint-moved-out",
"hwid": "5e284ff-5b7e43d387ba-54a95"
}
]
},
"id": 1505221060170
}
Troubleshooting activity
The event is generated when a troubleshooting task ends, and it informs you of its status. If successful, it provides you with the logs.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
taskId | string | yes | The ID of the current Troubleshooting task. |
taskType | string | yes | The type of the task |
errorCode | integer | yes | Integer representing the error code if the task has failed |
username | string | no | Name of the user account who started the Troubleshooting task |
localPath | string | no | The path on the target machine where the Troubleshooting archive is placed |
networkSharePath | string | no | The path on network share where the Troubleshooting archive is placed |
saveToBitdefenderCloud | boolean | no | Whether the Troubleshooting archive is also uploaded to Bitdefender Cloud |
status | integer | yes | The status with which the task has finished |
stopReason | integer | no | The reason for which the Troubleshooting activity was stopped |
failedStorageType | integer | no | When some delivery methods succeeded and others failed, indicates which one failed |
startDate | timestamp | no | Timestamp of when the event has started |
endDate | timestamp | no | Time of the event as reported by the product, already formatted in a string representation |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"product_installed": "BEST",
"companyId": "59a14b271da197c6108b4567",
"computer_name": "TEST_ENDPOINT_WINDOWS_10",
"computer_fqdn": "test-endpoint.dsd.ro",
"computer_ip": "10.10.0.101",
"computer_id": "5ee30e2b29a4e218489442b6",
"module": "troubleshooting-activity",
"taskId": "5eea0105f23f731302405833",
"taskType": "Debug Session",
"errorCode": 3,
"username": "test@test.com",
"localPath": "/test/dir",
"networkSharePath": "//1.2.3.4/dir",
"saveToBitdefenderCloud": 0,
"status": 3,
"stopReason": 2,
"failedStorageType": 1,
"startDate": "2020-06-24T06:06:48.000Z",
"endDate": "2020-06-24T06:09:28.000Z"
}
]
},
"id": 1505221060169
}
Device Control
Every time the Device Control module detects a device inserted into a client system, an event is generated.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
username | string | no | The user that was logged in when the incident was found |
silentAgentVersion | string | no | Agent version |
action | string | yes | Action taken on the device: allowed, blocked, readonly. Present only when the state of the device is added. |
deviceName | string | no | A descriptive name for the device |
deviceClass | integer | yes | Device class |
deviceId | string | no | Device ID |
productId | integer | no | Product ID of the device |
vendorId | integer | no | ID of the vendor |
date | timestamp | yes | The date when the device was blocked |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"module": "device-control",
"product_installed": "BEST",
"computer_name": "FC-WIN7-X64-01",
"computer_fqdn": "fc-win7-x64-01",
"computer_ip": "10.17.46.207",
"computer_id": "5d529fb7008739443adb4003",
"username": "Admin",
"action": "blocked",
"deviceName": "CD-ROM Drive",
"deviceClass": 2,
"deviceId": "IDE\\CDROMNECVMWAR_VMWARE_IDE_CDR10_______________1.00____\\5&3A794E10&0&1.0.0",
"productId": 0,
"vendorId": 0,
"date": "2019-08-13T11:33:18.000Z"
}
]
},
"id": 1565697106257
}
Ransomware activity detection
This event occurs when the endpoint agent blocks a ransomware attack.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
company_name | string | yes | The company in which the attack was detected. |
endpoint_id | string | yes | Managed endpoint identifier in the GravityZone database |
attack_type | string | yes | Ransomware attack type |
item_count | string | yes | The number of files encrypted during the attack |
detected_on | integer | yes | The date and time when the attack was detected |
attack_source | string | yes | The remote IP in case of a remote attack, or the process path in case of a local attack |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"module": "ransomware-mitigation",
"companyId": "5dad6f685f627d42cb3cd434",
"product_installed": "SVA",
"user": {
"name": "user",
"sid": "S-11-22-33"
},
"company_name": "Bitdefender",
"computer_name": "DC-Nebula",
"computer_fqdn": "dc-nebula.nebula.local",
"computer_ip": "10.17.16.10",
"computer_id": "5ed4d2fef23f7325715dbb22",
"attack_type": "remote",
"item_count": "23",
"detected_on": 1591007594,
"attack_source": "10.10.20.120"
}
]
},
"id": 1505221060169
}
New Incident
This event is generated every time a new Root Cause Analysis (RCA) is displayed under the Incidents section of Control Center. The event contains a list of relevant items extracted from the RCA JSON, which you can use to enrich SIEM-driven correlations with EDR-specific data.
Parameters:
Name | Type | Mandatory | Description |
---|---|---|---|
module | string | yes | Event type identifier. Value: |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | Computer IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
incident_id | string | yes | Incident identifier |
severity_score | integer | yes | Severity score |
attack_entry | integer | yes | Attack entry |
main_action | string | yes | Main action |
detection_name | string | no | Detection name |
file_name | string | no | File name |
file_path | string | no | File path |
file_hash_md5 | string | no | MD5 file hash |
file_hash_sha256 | string | no | SHA-256 file hash |
url | string | no | Domain URL |
port | integer | no | Domain port |
protocol | string | no | Application protocol |
source_ip | string | no | Source IP address |
process_pid | integer | no | Process pid |
process_path | string | no | Process path |
parent_process_pid | integer | no | Parent process PID |
parent_process_path | string | no | Parent process path |
attack_types | array | no | Attack types |
att_ck_id | array | no | The IDs of MITRE ATT&CK |
process_command_line | string | no | Process parameters in command line |
severity | string | yes | The severity of the produced event |
companyId | string | yes | Company identifier |
endpointId | string | yes | Endpoint identifier |
username | string | no | The user that was logged in when the incident was found |
user_sid | string | no | The SID of the user involved with the event source |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"module": "new-incident",
"created": "2020-07-20T09:36:23.485Z",
"computer_id": "5efb3a520075db7384dfa286",
"computer_fqdn": "desktop-jac14gs",
"computer_name": "DESKTOP-JAC14GS",
"detection_name": "ATC.Malicious",
"attack_types": [
"Other"
],
"computer_ip": "10.17.23.30",
"severityScore": 90,
"incident_id": "5f1557cbe7b2584f3959ee19",
"attack_entry": 1688239188,
"parent_process_path": "c:\\windows\\system32\\cmd.exe",
"parent_process_pid": 9636,
"process_path": "c:\\users\\bdadmin\\desktop\\atcsim\\atcsim32.exe",
"process_pid": 10324,
"username": "DESKTOP-JAC14GS\\bdadmin",
"user_sid": "S-1-5-21-3349207704-443292085-2237656896-1003",
"process_command_line": "detect",
"file_hash_md5": "ccb1b07bdf330627f02b3c832663a489",
"file_hash_sha256": "d5adc6a65a57d30d3ae70d195983d155e7cd24f26eb1ebebde9b92655251ec55",
"att_ck_id": [
"T1036",
"T1059",
"T1002",
"T1012"
],
"severity": "high",
"main_action": "no action",
"endpointId": "5efb3a520075db7384dfa285",
"companyId": "5efb2f7154060876cb4a13d2"
}
]
},
"id": 1505221060171
}
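Receiver-side validation of the addEvents batches shown above, as an added example that is not part of the Bitdefender documentation or its connector: it checks the JSON-RPC envelope, reports events that lack fields the parameter tables mark as mandatory (for the antiexploit, network-monitor and ransomware-mitigation types), and extracts the per-module time field so every event type can be indexed on one timestamp. All identifiers and values in the sample batch are constructed; the split between rejecting a malformed envelope (non-200) and acknowledging per-event problems (200) is the author's design choice, not documented behaviour.

```python
import json
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Tuple

# Fields marked Mandatory in every event table on this page.
COMMON_REQUIRED = ("module", "companyId", "computer_name", "computer_fqdn",
                   "computer_ip", "computer_id")
# Extra mandatory fields per module, from the tables above (other modules get only the common check).
MODULE_REQUIRED: Dict[str, Tuple[str, ...]] = {
    "antiexploit": ("endpointId", "detection_action", "detection_pid",
                    "detection_exploitTechnique", "detection_path", "detection_time"),
    "network-monitor": ("endpointId", "actionTaken", "detection_name",
                        "detection_attackTechnique", "source_ip", "victim_ip",
                        "local_port", "timestamp"),
    "ransomware-mitigation": ("company_name", "endpoint_id", "attack_type",
                              "item_count", "detected_on", "attack_source"),
}
# Field carrying the event time per module: ISO-8601 strings with a trailing 'Z',
# except ransomware-mitigation, whose example sends a Unix epoch integer.
TIME_FIELD = {"antiexploit": "detection_time", "network-monitor": "timestamp",
              "storage-antimalware": "detection_time", "device-control": "date",
              "uc": "last_blocked", "ransomware-mitigation": "detected_on"}


def event_time(event: Dict[str, Any]) -> Optional[datetime]:
    """Return the event time as an aware UTC datetime, or None if absent."""
    field = TIME_FIELD.get(str(event.get("module", "")))
    raw = event.get(field) if field else None
    if raw in (None, ""):
        return None
    if isinstance(raw, (int, float)):
        return datetime.fromtimestamp(raw, tz=timezone.utc)
    return datetime.fromisoformat(str(raw).replace("Z", "+00:00"))


def check_event(event: Any) -> List[str]:
    """Return the problems found in one event (empty list when it is clean)."""
    if not isinstance(event, dict):
        return ["event is not a JSON object"]
    module = str(event.get("module", "<no module>"))
    required = COMMON_REQUIRED + MODULE_REQUIRED.get(module, ())
    problems = [f"{module}: missing mandatory field {f}" for f in required if f not in event]
    try:
        event_time(event)
    except (ValueError, OverflowError, OSError) as exc:
        problems.append(f"{module}: unparsable time value ({exc})")
    return problems


def parse_push_request(body: bytes) -> Tuple[List[Dict[str, Any]], List[str]]:
    """Validate the JSON-RPC 'addEvents' envelope; return (events, problems).

    A malformed envelope raises ValueError so the collector can answer with a
    non-200 status (a delivery error for the push service); per-event problems
    are returned as warnings so the batch is still acknowledged with HTTP 200.
    """
    try:
        req = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"body is not JSON: {exc}") from exc
    if not isinstance(req, dict) or req.get("jsonrpc") != "2.0":
        raise ValueError("not a JSON-RPC 2.0 request")
    if req.get("method") != "addEvents":
        raise ValueError(f"unexpected method {req.get('method')!r}")
    params = req.get("params")
    events = params.get("events") if isinstance(params, dict) else None
    if not isinstance(events, list) or not events:
        raise ValueError("params.events must be a non-empty array")
    return events, [p for ev in events for p in check_event(ev)]


# Constructed sample batch in the shape shown above (all values are made up).
SAMPLE_BODY = json.dumps({"jsonrpc": "2.0", "method": "addEvents", "id": 1, "params": {"events": [
        {"module": "antiexploit", "companyId": "c01", "computer_name": "WS-01",
         "computer_fqdn": "ws-01.example.test", "computer_ip": "10.0.0.5", "computer_id": "e01",
         "endpointId": "e01", "detection_action": "kill", "detection_pid": "2000",
         "detection_exploitTechnique": "Flash/Generic", "detection_path": "C:\\Temp\\sample.exe",
         "detection_time": "2019-06-03T13:58:30.000Z"},
        {"module": "ransomware-mitigation", "companyId": "c01", "computer_name": "FS-01",
         "computer_fqdn": "fs-01.example.test", "computer_ip": "10.0.0.9",
         "computer_id": "e02", "company_name": "Example Corp", "endpoint_id": "e02",
         "attack_type": "remote", "item_count": "23", "detected_on": 1591007594,
         "attack_source": "10.0.0.77"},
        # Omits companyId and endpointId, which the table lists as mandatory.
        {"module": "network-monitor", "computer_name": "WS-02", "computer_id": "e03",
         "computer_fqdn": "ws-02.example.test", "computer_ip": "10.0.0.6",
         "actionTaken": "reportOnly", "detection_name": "Example.Detection",
         "detection_attackTechnique": "discovery", "source_ip": "10.0.0.70",
         "victim_ip": "10.0.0.6", "local_port": "80", "timestamp": "2019-01-24T11:13:04.000Z"}]}}).encode()
```

Running `parse_push_request(SAMPLE_BODY)` accepts all three events and returns two warnings for the network-monitor event, while `event_time` yields the same UTC datetime type for the ISO-string and epoch-integer cases.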
Partner change
This event is generated every time a client company has joined or left your management.
Name | Type | Mandatory | Description |
---|---|---|---|
moved_company_id | string | yes | The ID of the company that has changed its partner. |
moved_company_name | string | yes | The name of the company that has changed its partner. |
action | string | yes | The action taken by the partner. Possible values: |
license_type | string | no | The license type of the company. |
end_subscription_date | timestamp | no | The company's subscription end date. |
auto_renew_period | string | no | The number of months with which the subscription validity will be automatically extended. |
minimal_commitment_usage_endpoints | integer | no | The minimum number of endpoints that this company has committed to use on a monthly basis. |
enabled_services | array | no | What services are enabled for the company. |
id | integer | yes | The ID of the event. |
name | string | yes | The name of the event. |
severity | integer | yes | The severity of the event. Possible values: |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"module": "partner-changed",
"companyId": "638f118f6b82bec40d0976df",
"moved_company_id": "628f107f6b82bec40d0976af",
"moved_company_name": "Bitdefender",
"action": "joined",
"license_type": "Monthly",
"end_subscription_date": "2022-12-30T23:59:00",
"auto_renew_period": 12,
"minimal_commitment_usage_endpoints": 2,
"enabled_services": [
"Email Security",
"Full Disk Encryption",
"Patch Management",
"HyperDetect",
"Sandbox Analyzer"
]
}
]
},
"id": 1505221060171
}