Syslog event messages
Antiphishing
This notification informs you each time the endpoint agent detects a known phishing attempt when accessing a web page.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| Object | no | The data of the previous event |
| Object | yes | The user involved with the event source |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | yes | Indicates if the event is phishing or fraud detection. Possible values: |
| String | yes | Malware URL |
| String | yes | Possible values: |
| Timestamp | yes | A timestamp of the last time this malware was blocked |
| Integer | yes | How many times this malware was detected |
{
"module": "aph",
"product_installed": "BEST",
"user": {
"id": "S-1-5-21-2018264366-2484004464-1617746128-1001",
"name": "bdvm"
},
"VM_NAME": "Pi-machine",
"VM_ID": "Pi-3141",
"UUID_INSTANCE": "50164ed1-28af-41af-cdaf-8e550506c37b",
"UUID_BIOS": "4216d501-36c5-22ed-de02-0e4da0badb7a",
"computer_name": "Pi-machine",
"computer_fqdn": "Pi14159-automation-win64",
"computer_ip": "31.14.159.265",
"computer_id": "6257cf1130015b2201bf4a00",
"aph_type": "fraud",
"url": "bdtest.tibeica.com\/ot\/fraud_red.html",
"status": "reportOnly",
"last_blocked": "2022-05-12T09:35:08.000Z",
"count": 1
}
Application Control
Event generated when an application is blocked by the Application Control module.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| Object | no | The data of the previous event |
| Object | no | The user involved with the event source |
| String | no | Virtual machine name |
| String | no | Virtual machine identifier |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| integer | yes | The mode in which the event occurred. Value:
|
| String | yes | Values: |
| String | yes | Malware file path |
| String | no | The version of the file |
| String | no | The name of the product |
| String | no | The version of the product |
| String | no | The name of the product publisher |
| String | no | The process fingerprint of the application |
| Array | no | Thumbprints (array of strings) |
| String | no | Application Control rule name |
| Timestamp | yes | The date when the application was detected |
| integer | yes | How many times this application was detected |
{
"module": "application-control",
"product_installed": "BEST",
"user": {
"id": "S-11-22-33",
"name": "[email protected]"
},
"computer_name": "TEST_ENDPOINT",
"computer_fqdn": "test-endpoint.dsd.ro",
"computer_ip": "31.41.59.265",
"computer_id": "625c19913a58151e63702862",
"mode": 1,
"scanMode": "production",
"filePath": "C:\\Program Files\\Microsoft\\Skype\\Skype.exe",
"fileVersion": "10.0.0.9999",
"productName": "Skype VoIP Service",
"productVersion": "10.2",
"publisher": "Microsoft",
"fingerprint": "b6bf7bc8d96f3ea9d132c83b3da8e7760e420138485657372db4d6a981d3fd9e",
"thumbprints": ["03d66dd08835c1ca3f128cceacd1f31ac94163096b20f445ae84285bc0832d72"],
"ruleName": "",
"date": "2022-04-17T13:44:29.485Z",
"count": 1
}
Application Inventory
This notification informs you when new applications have been discovered and added to Application Inventory.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| Object | no | The user involved with the event source |
| String | no | Virtual machine name |
| String | no | Virtual machine identifier |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| Timestamp | yes | Date of application discovery |
{
"applications": [{
"name": "Firefox",
"version": "0"
}],
"module": "application-inventory",
"product_installed": "BEST",
"VM_NAME": "Pi-machine",
"VM_ID": "Pi-3141",
"UUID_INSTANCE": "50164ed1-28af-41af-cdaf-8e550506c37b",
"UUID_BIOS": "4216d501-36c5-22ed-de02-0e4da0badb7a",
"computer_name": "Pi-machine",
"computer_fqdn": "Pi14159-automation-win64",
"computer_ip": "31.14.159.265",
"computer_id": "6257cf1130015b2201bf4a00",
"discoveredOn": "2022-04-17T11:35:33.000Z"
}
Antimalware
This event generated each time Bitdefender detects malware on an endpoint in your network.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| String | yes | The data of the previous event |
| String | yes | The user involved with the event source |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | The unique identifier of the virtual machine |
| String | no | The bios UUID for VMware machines |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | yes | Describes the type of malware as defined by Bitdefender. Possible values: |
| String | yes | Name of the malware as defined by Bitdefender |
| String | no | The SHA256 hash of the infected object. |
| String | yes | Final status of the action taken on the file: |
| String | no | The identifier of the container entity |
| String | no | The name of the host that manages the container entity |
| String | yes | The path of the infected object as reported by the product. The path references a local file on the machine that reported the event. |
| Timestamp | yes | Timestamp when the malware was detected |
| String | no | signatures Number |
| Integer | no | taskScanType |
| Integer | no | scanEngineType |
{
"module": "av",
"product_installed": "BEST",
"user": {
"id": "S-1-5-21-2018264366-2484004464-1617746128-1001",
"name": "bdvm"
},
"VM_NAME": "Pi-machine",
"VM_ID": "Pi-3141",
"UUID_INSTANCE": "50164ed1-28af-41af-cdaf-8e550506c37b",
"UUID_BIOS": "4216d501-36c5-22ed-de02-0e4da0badb7a",
"computer_name": "Pi-machine",
"computer_fqdn": "Pi14159-automation-win64",
"computer_ip": "31.14.159.265",
"computer_id": "6257cf1130015b2201bf4a00",
"malware_type": "file",
"malware_name": "Gen:Trojan.Heur.LShot.1",
"hash": "ca52142291d765efa6b69543c25ca13cb2179ae62a0cb5d2f4a19877244cc3cd",
"final_status": "still present",
"container_id": "4216d501-36c5-22ed-de02-0e4da0badb7a",
"file_path": "C:\\Users\\bdvm\\Desktop\\script.ps1",
"timestamp": "2022-05-12T09:34:46.000Z",
"signaturesNumber": "7.89727",
"scanEngineType": 1
}Advanced Threat Control (ATC)
This event is created whenever a potentially dangerous applications is detected and blocked on an endpoint.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | no | Identifier for the installed GravityZone component |
| Object | no | The user involved with the event source |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | The unique identifier of the virtual machine |
| String | no | The bios UUID for VMware machines |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | yes | Shows the reported types that are application (APP) and exploit (Exploit). Possible values: |
| String | yes | The path of the object as reported by the product. The path references a local file on the endpoint that reported the event. |
| String | no | The command line parameters of the detected process |
| String | no | The pid of the parent of the detected process |
| String | no | Retrieving data. Wait a few seconds and try to cut or copy again. |
| String | yes | Retrieving data. Wait a few seconds and try to cut or copy again. |
| Timestamp | yes | A timestamp of the last time this application/exploit was blocked |
| Integer | yes | How many times this application/exploit was detected |
{
"module": "avc",
"product_installed": "BEST",
"user": {
"id": "S-1-5-21-2018264366-2484004464-1617746128-1001",
"name": "bdvm"
},
"VM_NAME": "btoma-windows-10-onPrem",
"VM_ID": "vm-4193",
"UUID_INSTANCE": "50164ed1-28af-41af-cdaf-8e550506c37b",
"UUID_BIOS": "4216d501-36c5-22ed-de02-0e4da0badb7a",
"computer_name": "btoma-windows-10-onPrem",
"computer_fqdn": "cmocanu-automation-win64",
"computer_ip": "10.18.155.211",
"computer_id": "6257cf1130015b2201bf4a00",
"exploit_type": "AVC APP",
"exploit_path": "C:\\Users\\bdvm\\Desktop\\_samples_on_execute\\_samples_on_execute\\paranoia.0.2.exe",
"process_command_line": "C:\\Users\\bdvm\\Desktop\\_samples_on_execute\\_samples_on_execute\\paranoia.0.2.exe -test parameter \\ for 0",
"parent_process_id": 1160,
"parent_process_path": "C:\\Windows\\System32\\cmd.exe",
"status": "avc_disinfected",
"last_blocked": "2022-04-17T10:18:25.000Z",
"count": 1
}Data Protection
This event is generated each time the data traffic is blocked on an endpoint, according to data protection rules.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| String | no | The data of the previous event |
| Object | no | The data of the previous event |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | yes | Specifies the blocked traffic type based on the data protection rule:
|
| String | yes | Data protection rule name |
| String | yes | The blocked traffic. Possible values are:
|
| String | yes | Always |
| Timestamp | yes | A timestamp of the last time this email/url was blocked |
| Integer | yes | A timestamp of the last time this email/url was blocked |
{
"module": "dp",
"product_installed": "BEST",
"user": {
"id": "S-1-5-21-3569875631-4240938805-1797204764-1001",
"name": "Admin1"
},
"computer_name": "TEST_ENDPOINT",
"computer_fqdn": "test-endpoint.dsd.ro",
"computer_ip": "31.41.59.265",
"computer_id": "625c19913a58151e63702862",
"target_type": "http",
"blocking_rule_name": "asdf",
"url": "http:\/\/www.zf.ro\/search",
"status": "data_protection_blocked",
"last_blocked": "2018-05-25T08:56:42.000Z",
"count": 1
}Exchange Malware Detection
This event is created when Bitdefender detects malware on an Exchange server in your network.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| String | yes | Identifier for the installed GravityZone component |
| String | no | The data of the previous event |
| Object | no | The user involved with the event source |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | yes | Managed endpoint identifier in the GravityZone database |
| String | yes | Server name where the malware was detected |
| String | yes | Email sender |
| Array | yes | List of email recipients (array of strings) |
| String | yes | Email subject |
| Timestamp | yes | Time of the event as reported by the product, already formatted in a string representation |
| Array | yes | List of detected malware (array of { |
{
"name": "Exchange Malware Detected",
"created": "2022-04-18T10:52:14+03:00",
"company_name": "root",
"user_name": "root",
"endpoint_id": "625d18aa9f69720ddfaee9c7",
"server_name": "TEST_ENDPOINT-email",
"installed_agent": "BEST",
"sender": "[email protected]",
"recipients": ["[email protected]", "[email protected]"],
"subject": "test",
"detection_time": "2014-10-29T16:14:51.000Z",
"detected_malware": [{
"malwareName": "EICAR-Test-File (not a virus)",
"malwareType": "virus",
"infectedObject": "someFile.txt",
"actionTaken": "ignore"
}, {
"malwareName": "EICAR-Test-File (not a virus)",
"malwareType": "virus",
"infectedObject": "someFile.txt",
"actionTaken": "disinfect"
}]
}Exchange License Usage Limit Has Been Reached
This event is generated when Exchange License limit has been reached
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| String | yes | The license key of the user which uses the license |
| Boolean | yes | Company's license limit reached |
| Boolean | yes | Whether the license limit has been reached by the partner companies or not |
{ "name": "Exchange License Usage Limit Has Been Reached",
"created": "2019-01-18T13:01:15+00:00",
"company_name": "nebula_CO",
"user_name": "root",
"mailboxes": 8,
"license_limit": 5,
"license_key": "5IMICR5",
"recv_for_his_company": true,
"recv_for_partner_company": false
}Exchange User Credentials
This event is generated when an on-demand scan task could not start on the target Exchange server due to invalid user credentials. To complete the task, you need to change your Exchange credentials.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| String | yes | Managed endpoint identifier in the GravityZone database |
| String | yes | Managed enpoint name |
| String | yes | Name of the policy applied on the endpoint |
{
"name": "Invalid Exchange user credentials",
"created": "2022-04-14T09:58:26+00:00",
"company_name": "root",
"user_name": "sacumen\\administrator",
"endpoint_id": "6256a3b130015b2201bf496b",
"target_name": "WIN-LFK7I9VSLR2",
"policy_name": "no_update"
}Firewall
This event is generated when the endpoint agent blocks a port scan or an application from accessing the network, according to the applied policy.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| String | no | The data of the previous event |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | yes | The action that was taken upon the detection |
| String | no | The port of the malware attack |
| String | no | The identifier of the malware attack protocol as defined by Protocol Number |
| String | no | The path to the image file for the process that was just blocked from doing any traffic on the reported port and protocol. |
| Timestamp | yes | A timestamp of the last time this connection was blocked |
| Integer | yes | How many times this connection was detected |
{
"module": "fw",
"product_installed": "BEST",
"user": {
"id": "S-1-5-18",
"name": "SYSTEM"
},
"VM_NAME": "Pi-machine",
"VM_ID": "Pi-3141",
"UUID_INSTANCE": "50164ed1-28af-41af-cdaf-8e550506c37b",
"UUID_BIOS": "4216d501-36c5-22ed-de02-0e4da0badb7a",
"computer_name": "Pi-machine",
"computer_fqdn": "Pi14159-automation-win64",
"computer_ip": "31.14.159.265",
"computer_id": "6257cf1130015b2201bf4a00",
"status": "traffic_blocked",
"local_port": "445",
"protocol_id": "6",
"application_path": "System",
"last_blocked": "2022-04-17T11:34:59.000Z",
"count": 1
}Hyper Detect event
Event generated when a malware is detected by the Hyper Detect module.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| String | no | The data of the previous event |
| Object | no | The data of the previous event |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | yes | Name of the malware as defined by Bitdefender |
| String | no | Malware file: |
| String | yes | Final status of the action taken on the file: |
| String | no | The identifier of the container entity |
| String | no | The name of the host that manages the container entity |
| String | yes | Malware file path |
| String | no | Values: |
| String | no | Values: |
| Boolean | no |
|
| String | no | The parameters of the command line |
| String | no | The path of the process |
| String | no | The command line of the parent process |
| Integer | no | The identifier of the parent process |
| String | no | The path of the parent process |
| String | yes | The hardware identifier |
| Timestamp | yes | Timestamp when the malware was detected |
{
"module": "hd",
"product_installed": "BEST",
"user": {
"name": "bdvm",
"sid": "S-1-5-21-2018264366-2484004464-1617746128-1001"
},
"VM_NAME": "Pi-machine",
"VM_ID": "Pi-3141",
"UUID_INSTANCE": "50164ed1-28af-41af-cdaf-8e550506c37b",
"UUID_BIOS": "4216d501-36c5-22ed-de02-0e4da0badb7a",
"computer_name": "Pi-machine",
"computer_fqdn": "Pi14159-automation-win64",
"computer_ip": "31.14.159.265",
"computer_id": "6257cf1130015b2201bf4a00",
"malware_type": "file",
"malware_name": "Gen:Illusion.Jazz.1.2010103",
"hash": "",
"final_status": "still present",
"container_id": "4216d501-36c5-22ed-de02-0e4da0badb7a",
"file_path": "C:\\Users\\bdvm\\Desktop\\_samples_on_execute\\_samples_on_execute\\paranoia.3.2.exe",
"attack_type": "Ransomware",
"detection_level": "Normal",
"is_fileless_attack": "false",
"process_info_path": "C:\\Users\\bdvm\\Desktop\\_samples_on_execute\\_samples_on_execute\\paranoia.3.2.exe",
"process_info_command_line": "-test parameter \\ for 3",
"parent_process_id": 12432,
"parent_process_path": "C:\\Windows\\System32\\cmd.exe",
"hwid": "01d51642-c536-ed22-de02-0e4da0badb7a-00505696d1c3",
"date": "2022-04-15T08:06:27.000Z"
}Product Modules Status
This event is generated when a security module of the installed agent gets enabled or disabled.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| Object | no | The data of the previous event |
| Object | no | The user involved with the event source |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | no | The identifier of the container entity |
| String | no | The name of the host that manages the container entity |
| Boolean | no | Whether the machine is container host or not |
{
"module": "modules",
"product_installed": "BEST",
"VM_NAME": "btoma-exchange-onPrem-1",
"VM_ID": "vm-4306",
"UUID_INSTANCE": "5016fdf7-03ea-023f-35d0-0ec397f011ba",
"UUID_BIOS": "4216e16b-0341-2783-16c4-b353301c2a73",
"computer_name": "btoma-exchange-onPrem-1",
"computer_fqdn": "win-lfk7i9vslr2.sacumen.local",
"computer_ip": "10.18.154.115",
"computer_id": "625c06b42dc02c725f5f1942",
"container_id": "4216e16b-0341-2783-16c4-b353301c2a73",
"malware_status": 1,
"avc_status": 1,
"pu_status": 0,
"dlp_status": 1,
"exchange_av_status": 1,
"exchange_as_status": 1,
"exchange_at_status": 0,
"exchange_cf_status": 0,
"exchange_od_status": 1,
"patch_management": 1,
"app_control_status": 1
}Sandbox Analyzer Detection
This event is generated each time Sandbox Analyzer detects a new threat among the submitted files.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| String | yes | Company identifier in the GravityZone database |
| String | yes | Managed endpoint identifier in the GravityZone database |
| String | yes | The name of the computer |
| String | yes | The IP of the computer which submitted the file for analysis |
| String | yes | Unique endpoint identifier in the GravityZone database |
| Integer | yes | Time of the event as reported by the product, already formatted in a string representation |
| String | yes | Describes the type of malware as defined by Bitdefender. Possible values are: |
| String | no | GravityZone network sandbox submission ID |
| Array | yes | File paths (array of strings) |
| Array | yes | File sizes (array of strings) |
| Array | yes | Remediation actions (array of strings). |
{
"name": "Sandbox Analyzer Detection",
"created": "2022-05-03T12:34:00+03:00",
"company_name": "root",
"user_name": "test",
"computer_name": "TEST_ENDPOINT-sbx",
"computer_ip": "31.41.59.265",
"detection_time": "07 Jul 2016, 15:11:54",
"threat_type": "Ransomware",
"file_info": [{
"file_path": "C:\\Users\\Administrator\\Documents\\installer.xml",
"file_size": "2.55 KB",
"remediation_action": "Quarantined"
}, {
"file_path": "D:\\opt\\bitdefender\\installer2.xml",
"file_size": "2.55 KB",
"remediation_action": "Deleted"
}, {
"file_path": "D:\\sources\\console\\CommonConsole\\app\\modules\\policies\\view\\endpoints\\networkSandboxing\\installer3.xml",
"file_size": "2.55 KB",
"remediation_action": "Quarantined"
}]
}Product Registration
This event is generated when the registration status of an agent installed in your network has changed.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| Object | yes | The data of the previous event |
| Object | yes | The user involved with the event source |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | Company identifier in the GravityZone database |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | no | The identifier of the container entity |
| String | no | The name of the host that manages the container entity |
| Boolean | no | Whether the machine is container host or not |
| String | yes | Values: |
{
"module": "registration",
"product_installed": "BEST",
"computer_name": "TEST_ENDPOINT",
"computer_fqdn": "test-endpoint.dsd.ro",
"computer_ip": "31.41.59.265",
"computer_id": "625c19913a58151e63702862",
"product_registration": "registered"
}Outdated Update Server
This event is generated when an update server has outdated malware signatures.
Name | Type | Mandatory | Description |
|---|---|---|---|
| Boolean | yes | Event type identifier. Value: |
| Integer | yes | The status of the server update. Possible values:
|
| Integer | yes | The ID of the Update Server. |
| String | yes | Identifier for the installed GravityZone component |
| Object | no | The data of the previous event |
| Object | no | The user involved with the event source |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
{
"fromSupa": 1,
"module": "supa-update-status",
"product_installed": "BEST",
"computer_name": "TEST_ENDPOINT",
"computer_fqdn": "test-endpoint.dsd.ro",
"computer_ip": "31.41.59.265",
"computer_id": "625c19913a58151e63702862",
"status": 0
}Overloaded Security Server
This event is generated when the scan load on a Security Server in your network exceeds the defined threshold.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | no | Identifier for the installed GravityZone component |
| Object | no | The data of the previous event |
| Object | yes | The user involved with the event source |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | Company identifier in the GravityZone database |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| Integer | yes | The load average of the Security Server |
| Integer | yes | The CPU usage of the Security Server |
| Integer | yes | The memory usage of the Security Server |
| Integer | yes | The network usage of the Security Server |
| Integer | yes | The overall usage of the Security Server |
| String | no | The load of the Security Server |
{
"module": "sva-load",
"product_installed": "SVA",
"VM_NAME": "btoma-SVA-outdated-onPrem",
"VM_ID": "vm-4191",
"UUID_INSTANCE": "5016cfec-c7fd-7531-fa29-9185931879c4",
"UUID_BIOS": "4216a8ee-3cef-46f9-9925-d588eee65766",
"computer_name": "btoma-SVA-outdated-onPrem",
"computer_fqdn": "bitdefender-sva",
"computer_ip": "10.18.159.8",
"computer_id": "6256984b601b8b21f976ad88",
"loadAverage": 1,
"cpuUsage": 8,
"memoryUsage": 45,
"networkUsage": 0,
"overallUsage": 8,
"svaLoad": "Overloaded"
}Security Server Status
This event is created when the status of a certain Security Server changes. The status refers to power (powered on/powered off), product update, signatures update and reboot required.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| Object | no | The data of the previous event |
| Object | no | The user involved with the event source |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | Company identifier in the GravityZone database |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| Boolean | yes | True if the Security Server is powered off |
| Boolean | no | The Security Server update availability status |
| Timestamp | no | Timestamp when the last signatures update of the Security Server was finished |
| Boolean | no | True if a reboot is required |
| Timestamp | no | Timestamp when the last update of the Security Server was finished |
| String | no | The error of the last Security Server update |
| String | no | The engines version of the Security Server |
{
"module": "sva",
"product_installed": "SVA",
"VM_NAME": "Bitdefender SVE SVA (dell-xen2)",
"VM_ID": "OpaqueRef:5bfc190d-2c54-d3da-e104-2b899b59d039",
"UUID_INSTANCE": "eab611f7-3f7b-8a01-88e0-a78f2e35373b",
"computer_name": "Bitdefender SVE SVA (dell-xen2)",
"computer_fqdn": "sva-xen2",
"computer_ip": "10.17.12.194",
"computer_id": "6258082f6437b27cd93926e5",
"powered_off": 1
}Antiexploit Event
This event is generated when Advanced Anti-Exploit triggers a detection.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| Object | no | The data of the previous event |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | no | The identifier of the container entity |
| String | no | The name of the host that manages the container entity |
| String | yes | Managed endpoint identifier in the GravityZone database |
| String | yes | The action that was taken upon the detection |
| String | no | Detection threat name |
| String | yes | The pid of the detection |
| String | yes | The technique employed in the detection |
| String | no | Detection parent pid |
| String | yes | The path of the detection |
| String | no | The path of the parent process of the detection |
| String | no | Detection CVE |
| String | no | Detection payload |
| String | no | The user that was logged when the detection was found |
| Timestamp | yes | Time of the event as reported by the product, already formatted in a string representation |
{
"module": "antiexploit",
"product_installed": "BEST",
"VM_NAME": "btoma-exchange-onPrem",
"VM_ID": "vm-4190",
"UUID_INSTANCE": "501606d3-c8b0-1127-920a-1edc7d3a76b0",
"UUID_BIOS": "42166a12-1437-7e14-db35-8f100b85041b",
"computer_name": "btoma-exchange-onPrem",
"computer_fqdn": "win-lfk7i9vslr2.sacumen.local",
"computer_ip": "10.18.159.13",
"computer_id": "6256a3b130015b2201bf496d",
"container_id": "42166a12-1437-7e14-db35-8f100b85041b",
"detection_action": "kill",
"detection_pid": "46856",
"detection_exploitTechnique": "ProcessCreation\/ObsoleteChildProcessCreation",
"detection_parentPid": "48508",
"detection_path": "C:\\Users\\Administrator\\Desktop\\samples\\samples\\bd_anti-exploit-test\\test-gemma-alert\\opera64.exe",
"detection_parentPath": "C:\\Windows\\System32\\cmd.exe",
"detection_username": "[email protected]",
"detection_time": "2022-04-17T11:52:30.000Z",
"endpoint_id": "6256a3b130015b2201bf496b"
}
Network Attack Defense Event
This event is generated when the Network Attack Defense module triggers a detection.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| Object | no | The data of the previous event |
| Object | no | The user involved with the event source |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | yes | The identifier of the container entity |
| String | yes | The name of the host that manages the container entity |
| String | yes | Managed endpoint identifier in the GravityZone database |
| String | no | The label set in the Network grid by the Admin |
| String | yes | The action that was taken upon the detection |
| String | yes | The name of the detection as received from BEST |
| String | yes | Name of the attack technique as set in the Network Attack Defense policy |
| String | yes | IP of the attack source |
| String | yes | IP of the victim's endpoint |
| String | yes | The port on which the attack occurred |
| Timestamp | yes | Time of the event as reported by the product, already formatted in a string representation |
{
"name": "Network Incidents event",
"created": "2022-04-26T09:49:18+03:00",
"company_name": "root",
"user_name": "[email protected]",
"computer_id": "625c19913a58151e63702862",
"computer_name": "TEST_ENDPOINT",
"computer_ip": "31.41.59.265",
"computer_fqdn": "test-endpoint.dsd.ro",
"action_taken": "block",
"attack_technique": "discovery",
"detection_name": "Eicar.NetworkMonitor.DiscoveryThreat",
"source_ip": "213.211.198.58",
"victim_ip": "10.17.134.4",
"local_port": "80",
"date": "2015-02-02T13:34:54.000Z"
}Task Status
This event is generated each time a task status changes.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| Object | no | The data of the previous event |
| Object | no | The user involved with the event source |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | yes | The identifier of the user that created the task |
| String | yes | The identifier of the task |
| String | yes | The name of the task |
| Integer | yes | The type of the task |
| String | yes | The name of the task |
| Boolean | yes | True if the task was executed successfully |
| Integer | yes | The status of the task |
| String | yes | The error message of the failed task |
| Integer | yes | The error code of the failed task |
{
"module": "task-status",
"product_installed": "BEST",
"VM_NAME": "Pi-machine",
"VM_ID": "Pi-3141",
"UUID_INSTANCE": "50164ed1-28af-41af-cdaf-8e550506c37b",
"UUID_BIOS": "4216d501-36c5-22ed-de02-0e4da0badb7a",
"computer_name": "Pi-machine",
"computer_fqdn": "Pi14159-automation-win64",
"computer_ip": "31.14.159.265",
"computer_id": "6257cf1130015b2201bf4a00",
"userId": "6177f2319908e641be7b8eda",
"taskId": "627cd4a6c9f8cd6efe672e74",
"taskName": "Restore Quarantine Item Task 2022-05-12(sub-task)",
"taskType": 280,
"targetName": "Pi-machine",
"isSuccessful": true,
"status": 3,
"errorMessage": "",
"errorCode": 0,
"errorMessageParams": []
}User Control/Content Control
This event is generated when a user activity such as web browsing of software application is blocked on the endpoint according to the applied policy.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| Object | no | The data of the previous event |
| Object | no | The user involved with the event source |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | no | Values: |
| String | no | Malware url |
| String | no | Values: |
| String | no | Values: |
| String | no | Malware file path |
| String | no | Values: |
| Timestamp | no | Last timestamp this malware was blocked |
| Integer | no | How many times this malware was detected |
{
"module": "uc",
"product_installed": "SVA",
"user": {
"id": "S-1-5-21-2807410960-349943591-4067985531-1001",
"name": "admin"
},
"computer_name": "AD-ONPREM-2019A 1",
"computer_fqdn": "ad-onprem-2019a",
"computer_ip": "10.18.156.47",
"computer_id": "627cd5854e604906f22aa6ed",
"uc_type": "http",
"url": "http:\/\/block_type_4.com",
"block_type": "http_categories",
"categories": "Illegal,Shopping,OnlinePay,IM",
"status": "uc_site_blocked",
"last_blocked": "2015-02-25T12:21:54.000Z",
"count": 2
}Storage Antimalware Event
This event is generated each time SVA detects a new threat among the protected storage (NAS).
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| String | yes | Managed endpoint identifier in the GravityZone database |
| String | yes | The name of the computer |
| String | yes | The name of the storage unit |
| String | yes | The IP address of the storage unit |
| String | yes | The type of the storage unit.(E.g., Nutanix, Citrix etc.) |
| String | yes | The path of the infected object as reported by the product. The path references a local file on the machine that reported the event |
| String | yes | The SHA256 hash of the infected object |
| String | yes | Describes the type of malware as defined by Bitdefender. Possible values are: |
| String | yes | Name of the malware as defined by Bitdefender |
| String | yes | Final status for the detected objects. Possible values are: |
| Timestamp | yes | Time of the event as reported by the product, already formatted in a string representation |
| Boolean | no | Boolean describing whether or not file was submitted to a sandbox analyzer |
| String | no | The hostname of the sandbox analyzer where the file was submitted |
| String | no | The version of the security server which detected the malwa |
| String | no | The version of the engines used to detect the malware |
{
"name": "Storage Antimalware Event",
"created": "2022-04-15T17:02:59+03:00",
"company_name": "root",
"user_name": "root",
"computer_name": "bitdefender-sva",
"storage_name": "10.17.42.77",
"storage_ip": "10.17.42.77",
"storage_type": "Unknown",
"malware_path": "\/ifs\/data\/btoma_test3",
"malware_hash": "2f41772245a9d55a0725061337b18e8eba2cee7965d081b52c40afe2c0201dcd",
"malware_type": "Malware",
"malware_name": "BAT.Trojan.FormatC.Z",
"malware_status": "Blocked",
"detection_time": "2022-04-15T14:02:02.000Z",
"sandboxDetection": 0,
"sandboxHostname": "",
"security_server_version": "6.2.7.11403",
"engines_version": "7.91671"
}Login event
Login from new device event.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| String | no | The operating system used from the other device to login |
| String | no | The browser used from the other device to login |
| String | no | The browser's version used from the other device to login |
| String | no | The IP of the other device at login time |
{
"name": "Login from new device",
"created": "2022-05-31T15:48:15+03:00",
"company_name": "root",
"user_name": "root",
"os": "Windows",
"browser_version": "102.0.0.0",
"browser_name": "Chrome",
"request_time": "31 May 2022, 15:48:14 +03:00",
"device_ip": "10.17.90.108"
}Authentication audit event
Authentication audit
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | no | The platform from which the authentication was done |
| String | no | The browser from which the authentication was don |
| String | no | The browser version from which the authentication was done |
| String | no | The device IP of the system from which the authentication was done |
{
"name": "Authentication audit",
"created": "2022-04-17T13:31:34+03:00",
"company_name": "root",
"user_name": "test",
"platform": "Windows",
"browser": "Firefox",
"browser_version": "99.0",
"ip": "10.22.91.27",
"date": "17 Apr 2022, 13:31:34 +03:00"
}SMTP Connection
This event is created when the status of SMTP Connection changes.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| Integer | no | Connection Error Code |
| String | no | Connection Error Message |
| String | no | SMTP connection status |
{
"name": "SMTP Connection",
"created": "2022-05-31T16:03:57+03:00",
"company_name": "root",
"user_name": "test",
"status": false,
"error_code": 503,
"error_message": "Expected response code 354 but got code \"503\", with message \"503 5.5.2 Need rcpt command\r\n\""
}Internet Connection
This event is created when the status of Internet Connection changes.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| Integer | no | Connection Error Code |
| String | no | Connection Error Message |
| String | no | SMTP connection status |
{
"name": "Internet Connection",
"created": "2022-09-12T15:53:34+03:00",
"company_name": "root",
"user_name": "test",
"status": false,
"error_code": 28,
"error_message": "Operation timed out after 10000 milliseconds with 0 out of 0 bytes received"
}License expires event
License expires.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| String | yes | The license key of the user which uses the license |
| Boolean | yes | Whether the license limit has been reached by the current company or not |
| Boolean | yes | Whether the license limit has been reached by the partner companies or not |
| Integer | yes | The amount of days left from license from which the notification should start being sent to the user |
| Integer | yes | The number of days until the user's license will expire |
| Boolean | yes | Always false |
{
"name": "License Expires",
"created": "2022-04-23T18:05:47+03:00",
"company_name": "root",
"user_name": "test",
"license_key": "SUQ2GEC",
"product_id": 2906,
"license_company_id": "6177f22f9908e641be7b8ec4",
"threshold": 1,
"days": 1,
"is_partner": false,
"recv_for_his_company": true,
"recv_for_partner_company": false
}License Limit Is About To Be Reached event
License limit is about to be reached.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| String | yes | The license key of the user which uses the license |
| Boolean | yes | Whether the license limit has been reached by the current company or not |
| Boolean | yes | Whether the license limit has been reached by the partner companies or not |
| Integer | yes | The number of days the license has been used by the user |
| Integer | yes | The total number of days available to user for using the license |
{
"name": "License Limit Is About To Be Reached",
"created": "2022-04-17T16:07:12+03:00",
"company_name": "root",
"user_name": "root",
"license_key": "30W6TMF",
"recv_for_his_company": true,
"recv_for_partner_company": false,
"used": 3,
"total": 4
}License Usage Limit Has Been Reached event
License usage limit has been reached.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| String | yes | The license key of the user which uses the license |
| Boolean | yes | Whether the license limit has been reached by the current company or not |
| Boolean | yes | Whether the license limit has been reached by the partner companies or not |
| Integer | yes | The number of days the license has been used by the user |
| Integer | yes | The total number of days available to user for using the license |
{
"name": "Exchange License Usage Limit Has Been Reached",
"created": "2022-05-12T12:28:48+03:00",
"company_name": "root",
"user_name": "test",
"mailboxes": 7,
"license_limit": 6,
"license_key": "30W6TMF",
"recv_for_his_company": true,
"recv_for_partner_company": false
}Servers License Limit Is About To Be Reached event
Servers license limit is about to be reached.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| String | yes | The license key of the user which uses the license |
| Boolean | yes | Whether the license limit has been reached by the current company or not |
| Boolean | yes | Whether the license limit has been reached by the partner companies or not |
| Integer | yes | The number of licensed servers |
| Integer | yes | The total number of servers the license allows |
{
"name": "Servers License Limit Is About To Be Reached",
"created": "2022-04-17T15:58:10+03:00",
"company_name": "root",
"user_name": "test",
"license_key": "30W6TMF",
"recv_for_his_company": true,
"recv_for_partner_company": false,
"servers_used": 1,
"servers_total": 2
}Servers License Usage Limit Has Been Reached event
Servers License Usage Limit Has Been Reached
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| String | yes | The license key of the user which uses the license |
| Boolean | yes | Whether the license limit has been reached by the current company or not |
| Boolean | yes | Whether the license limit has been reached by the partner companies or not |
| Integer | yes | The number of licensed servers |
| Integer | yes | The total number of servers the license allows |
{
"name": "Servers License Usage Limit Has Been Reached",
"created": "2022-04-17T16:07:12+03:00",
"company_name": "root",
"user_name": "test",
"license_key": "30W6TMF",
"recv_for_his_company": true,
"recv_for_partner_company": false,
"servers_used": 2,
"servers_total": 2
}Malware Outbreak
This notification is sent when at least X%(predefined 5%) of all the managed network objects are infected by the same malware.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | Name of the malware as defined by Bitdefender |
| Array | yes | Protected entities that was infected |
| Integer | yes | Protected entities configuration settings |
| Array | no | Protected eps entities that were infected |
| Integer | no | Protected eps entities configuration settings |
| Array | no | Protected sve entities that was infected |
| Integer | no | Protected sve entities configuration settings |
| Array | no | The ID of the csv file with the list of infected endpoints |
| Integer | yes | Total number of infected endpoints |
| Integer | yes | Number of occurrences since the last reporting |
| Timestamp | yes | Time of the event when was detected the first malware |
| Timestamp | yes | Interval End when was detected the last malware |
| Boolean | no | Show company name |
{
"name": "Malware Outbreak",
"created": "2022-05-12T13:35:07+03:00",
"company_name": "root",
"user_name": "root",
"malware_name": "Gen:Trojan.Heur.LShot.1",
"count": 1,
"total": 13,
"interval_start": "2022-05-12 12:35:06",
"interval_end": "2022-05-12 13:35:07",
"protected_entities": [{
"name": "Pi14159-AUTOMAT",
"company": {
"id": "6177f22f9908e641be7b8ec4",
"name": "root"
}
}],
"protected_entities_more": 0,
"show_company_name": false,
"csv_id": "627ce2db468f4e01fb3d7322"
} Mobile users without email event
Mobile device users without email address
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| Array | yes | The list of mobile users without email |
{
"name": "Mobile device users without email address",
"created": "2022-04-26T11:51:40",
"company_name": "root",
"user_name": "root",
"users": ["test", "test3"]
}
Database Backup event
Database backup
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| Boolean | yes | The success status of the database backup operation |
| Boolean | yes | The scheduling status of the database backup operation |
| String | yes | The version of the database for which the backup operation has been done |
| Timestamp | yes | Timestamp when the database backup operation was finished |
| Integer | yes | The location of the database for which the backup operation has been done |
| String | yes | The location of the database for which the backup operation has been done |
| Timestamp | yes | Timestamp when the next database backup operation is scheduled |
| Integer | yes | Database Backup Status: |
{
"name": "Database Backup",
"created": "2022-04-14T08:59:57+00:00",
"company_name": "root",
"user_name": "root",
"backup_status": 0,
"is_successful": true,
"is_scheduled": false,
"db_version": "023-001-001",
"date": "2022-04-14T08:59:51",
"location_type": 2,
"location": "\\\\10.18.156.38\\share",
"next_backup": null
}Certificate expires event
Certificate Expires
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| Integer | yes | The type of certificate used by current user |
| Integer | yes | The number of days until the user's certificate will expire |
| Timestamp | yes | Timestamp when the certificate expiration was notified to the user |
| Integer | yes | The amount of days left from certificate from which the notification should start being sent to the user |
{
"name": "Certificate expires",
"created": "2022-04-24T05:00:59+03:00",
"company_name": "root",
"user_name": "test",
"certificate_type": 1,
"days_left": 0,
"last_notification_date": "2022-04-24T05:00:59+03:00",
"threshold": 1
}
Upgrade Status
This event is generated when endpoints are protected by old products(Bitdefender Tools or Security Endpoint) in Gravity Zone Console.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| Array | yes | Protected entities that were found protected by old products |
| Integer | yes | More protected entities will appear in next event if set to 1 |
| Array | no | The ID of the CSV file with the list of protected endpoints |
| Integer | yes | Number of occurrences since the last reporting |
| Boolean | no | Show company name |
{
"name": "Upgrade status",
"created": "2015-06-22T11:11:39+03:00",
"company_name": "Bitdefender",
"user_name": "[email protected]",
"count": 1,
"protected_entities": [{
"name": "stomoiaga-win",
"company": {
"id": "5be196701da1978e108b4567",
"name": "Bitdefender"
}
}],
"protected_entities_more": 0,
"show_company_name": false,
"csv_id": {
"$id": "5587c33bb1a43d673d8b456c"
}
}
Troubleshooting activity
The event is generated when a troubleshooting task ends, and it informs you of its status. If successful, it provides you with the logs.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| String | yes | Identifier for the installed GravityZone component |
| Object | no | The data of the previous event |
| Object | no | The user involved with the event source |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | yes | The ID of the current Troubleshooting task. |
| String | yes | The type of the task |
| Integer | yes | Integer representing the error code if the task has failed |
| String | no | Name of the user account who started the Troubleshooting task |
| String | no | The path on the target machine where the Troubleshooting archive is placed |
| String | no | The path on network share where the Troubleshooting archive is placed |
| Boolean | no | The option to also upload to Bitdefender Cloud the Troubleshooting archive |
| Integer | yes | The status with which the task has finished |
| Integer | no | The reason for which the Troubleshooting activity was stopped |
| Integer | no | In case some delivery methods succeeded and some not, which one has failed |
| Timestamp | no | Timestamp of when the event has started |
| Timestamp | no | Time of the event as reported by the product, already formatted in a string representation |
{
"product_installed": "BEST",
"computer_name": "TEST_ENDPOINT_WINDOWS_10",
"computer_fqdn": "test-endpoint.dsd.ro",
"computer_ip": "10.10.0.101",
"computer_id": "5ee30e2b29a4e218489442b6",
"taskId": "5ee30e78f23f7312e6087824",
"taskType": "Gather Logs",
"errorCode": 0,
"username": "vagrant",
"localPath": "localPath",
"networkSharePath": "networkSharePath",
"saveToBitdefenderCloud": 0,
"status": 3,
"startDate": "2020-06-12T05:11:19.000Z",
"endDate": "2020-06-12T06:43:00.801Z"
}
Update Available
This notification informs you about the availability of new updates for GravityZone components.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| String | yes | Available Version for GravityZone components |
| String | yes | Current Version for GravityZone compone |
| Timestamp | yes | The time when the update was released |
| Integer | no | CONSOLE UPDATE / PACKAGE UPDATE / PRODUCT UPDATE |
| Integer | no | Product type for which is the new update(BEST, Security Server) |
{
"name": "Update Available",
"created": "9 Jun 2022, 10:33:31 +03:00",
"company_name": "root",
"user_name": "test",
"available_version": "6.28.1-4",
"release_date": "9 Jun 2022, 10:33:31 +03:00",
"update_type": 0,
"current_version": "6.27.1-5"
}
Device Control
Every time the Device Control module detects a device inserted into a client system, an event is generated.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| Object | no | The data of the previous event |
| Object | no | The user involved with the event source |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | no | The user that was logged in when the incident was found |
| String | no | The version of the agent |
| String | yes | Action taken on the device: allowed, blocked, readonly. Present only when the state of the device is added. |
| String | no | A descriptive name for the device |
| Integer | yes | The class of the device |
| String | no | The identifier of the device |
| Integer | no | Product ID of the device |
| Integer | no | ID of the vendor |
| Timestamp | yes | The date when the device was blocked |
{ "module": "device-control",
"product_installed": "BEST",
"VM_NAME": "btoma-win-2k12-onPrem-2",
"VM_ID": "vm-4309",
"UUID_INSTANCE": "5016768a-2a1b-979f-f05b-21e4b67c371c",
"UUID_BIOS": "42161832-3f3a-f1c9-1fa4-0c27a0c6be6d",
"computer_name": "btoma-win-2k12-onPrem-2",
"computer_fqdn": "win-9nvehq2j63g",
"computer_ip": "10.18.154.75",
"computer_id": "625c0f55a154a3606228a812",
"username": "", "action": "blocked",
"deviceName": "NECVMWar VMware IDE CDR10 ATA Device",
"deviceClass": 2,
"deviceId": "IDE\\CDROMNECVMWAR_VMWARE_IDE_CDR10_______________1.00____\\5&290FD3AB&0&1.0.0",
"productId": 0,
"vendorId": 0,
"date": "2022-04-17T13:06:23.000Z"
}
Ransomware activity detection
This event occurs when the endpoint agent blocks ransomware attack.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| Object | no | The data of the previous event |
| Object | no | The user involved with the event source |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | yes | Managed endpoint identifier in the GravityZone database |
| String | yes | Ransomware attack type |
| String | yes | The number of files encrypted during the attack |
| Integer | yes | The date and time when the attack was detected |
| String | yes | The remote IP in case of a remote attack respectively the process path in case of a local attack |
{
"module": "ransomware-mitigation",
"product_installed": "BEST",
"user": {
"name": "bdvm",
"sid": "S-1-5-21-2018264366-2484004464-1617746128-1001"
},
"VM_NAME": "Pi-machine",
"VM_ID": "Pi-3141",
"UUID_INSTANCE": "50164ed1-28af-41af-cdaf-8e550506c37b",
"UUID_BIOS": "4216d501-36c5-22ed-de02-0e4da0badb7a",
"computer_name": "Pi-machine",
"computer_fqdn": "Pi14159-automation-win64",
"computer_ip": "31.14.159.265",
"computer_id": "6257cf1130015b2201bf4a00",
"attack_type": "local",
"item_count": "12",
"detected_on": 1650191436,
"attack_source": "C:\\Users\\bdvm\\Desktop\\samples\\samples\\ransomeware_remediation\\RanSim\\RanSim\\TestDirectory\\Scenarios\\Collaborator\\1934050139_Collaborator.txr"
}
New Incident
This event is generated every time a new Root Cause Analysis (RCA) is displayed under the Incidents section of Control Center. The event contains a list of relevant items extracted from the RCA JSON, which you can use to enrich SIEM driven correlations with EDR specific data.
Name | Type | Mandatory | Description |
|---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | yes | The identifier of the incident |
| Integer | yes | Integer ranging between 0 and 100 that defines the severity of the incident |
| Integer | yes | The UID of the node on which the attack originated |
| String | yes | The action taken by the product about the incident |
| String | no | The name of the detection |
| String | no | Malware file name |
| String | no | Malware file path |
| String | no | Malware file MD5 hash |
| String | no | Malware file sha256 hash |
| String | no | The domain URL |
| String | no | The protocol of the application |
| Integer | no | The pid of the process |
| String | no | The path of the process |
| Integer | no | The PID of the parent process |
| String | no | The path of the parent process |
| Array | no | Types of the attack implicated in the incident |
| Array | no | The identifiers of the Mitre attacks implicated in the incident |
| String | no | The command line of the process |
| String | yes | The severity of the produced event |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| String | no | The user that was logged in when the incident was found |
| String | no | The SID of the user involved with the event source |
{
"name": "New Incident",
"created": "2022-05-12T09:34:03.690Z",
"company_name": "root",
"user_name": "root",
"module": "new-incident",
"computer_id": "6256a431cb46d1222c00c5a6",
"computer_fqdn": "Pi14159-automation-win64",
"computer_name": "Pi14159-automation-win64",
"detection_name": "Gen:Trojan.Heur.LShot.1",
"attack_types": ["Malware"],
"computer_ip": "31.14.159.265",
"severity_score": 65,
"incident_id": "627cd48c12eb1f08b5d42dbe",
"attack_entry": 1926087460,
"process_path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell_ise.exe",
"file_path": "c:\\users\\bdvm\\desktop\\script.ps1",
"file_name": "script.ps1",
"att_ck_id": [],
"severity": "medium",
"main_action": "no action"
}Security Container Status Update
This notification informs you when the product update status changes for a Security Container installed in your network.
Name | Type | Mandatory | Description |
|---|---|---|---|
| Timestamp | yes | Timestamp of the event |
| String | yes | A list of outdated security containers |
| String | yes | Name of the event |
{
"name": "Security Container Status Update",
"created": "2022-04-18T11:12:14+03:00",
"company_name": "root",
"user_name": "root",
"module": "security-container-update-status",
"securityContainers": [{
"securityContainerName": "security-container-x",
"hostName": "TEST_ENDPOINT"
}]
}