Skip to main content

ON PREMISES SOLUTIONS

Syslog event messages

Antiphishing

This notification informs you each time the endpoint agent detects a known phishing attempt when accessing a web page.

Name

Type

Mandatory

Description

module

String

yes

Event type identifier. Value: aph

product_installed

String

yes

Identifier for the installed GravityZone component

oldData

Object

no

The data of the previous event

user

Object

yes

The user involved with the event source

VM_NAME

String

no

The name of the virtual machine

VM_ID

String

no

The identifier of the virtual machine

UUID_INSTANCE

String

no

Virtual machine unique identifier

UUID_BIOS

String

no

Only for VMware: bios UUID

computer_name

String

yes

The name of the computer

computer_fqdn

String

yes

The FQDN of the endpoint

computer_ip

String

yes

The IP address

computer_id

String

yes

Unique endpoint identifier in the GravityZone database

aph_type

String

yes

Indicates if the event is phishing or fraud detection. Possible values: phishing, fraud, untrust

url

String

yes

Malware URL

status

String

yes

Possible values: aph_blocked, reportOnly

last_blocked

Timestamp

yes

A timestamp of the last time this malware was blocked

count

Integer

yes

How many times this malware was detected

{
	"module": "aph",
	"product_installed": "BEST",
	"user": {
		"id": "S-1-5-21-2018264366-2484004464-1617746128-1001",
		"name": "bdvm"
	},
	"VM_NAME": "Pi-machine",
	"VM_ID": "Pi-3141",
	"UUID_INSTANCE": "50164ed1-28af-41af-cdaf-8e550506c37b",
	"UUID_BIOS": "4216d501-36c5-22ed-de02-0e4da0badb7a",
	"computer_name": "Pi-machine",
	"computer_fqdn": "Pi14159-automation-win64",
	"computer_ip": "31.14.159.265",
	"computer_id": "6257cf1130015b2201bf4a00",
	"aph_type": "fraud",
	"url": "bdtest.tibeica.com\/ot\/fraud_red.html",
	"status": "reportOnly",
	"last_blocked": "2022-05-12T09:35:08.000Z",
	"count": 1
}

Application Control

Event generated when an application is blocked by the Application Control module.

Name

Type

Mandatory

Description

module

String

yes

Event type identifier. Value: application-control

product_installed

String

yes

Identifier for the installed GravityZone component

oldData

Object

no

The data of the previous event

user

Object

no

The user involved with the event source

VM_NAME

String

no

Virtual machine name

VM_ID

String

no

Virtual machine identifier

UUID_INSTANCE

String

no

Virtual machine unique identifier

UUID_BIOS

String

no

Only for VMware: bios UUID

computer_name

String

yes

The name of the computer

computer_fqdn

String

yes

The FQDN of the endpoint

computer_ip

String

yes

The IP address

computer_id

String

yes

Unique endpoint identifier in the GravityZone database

mode

integer

yes

The mode in which the event occurred. Value:  

  • 1 - if the event occurred in a production environment

  • 2 - the event occurred in testing environment

scanMode

String

yes

Values: production, test

filePath

String

yes

Malware file path

fileVersion

String

no

The version of the file

productName

String

no

The name of the product

productVersion

String

no

The version of the product

publisher

String

no

The name of the product publisher

fingerprint

String

no

The process fingerprint of the application

thumbprints

Array

no

Thumbprints (array of strings)

ruleName

String

no

Application Control rule name

date

Timestamp

yes

The date when the application was detected

count

integer

yes

How many times this application was detected

{
	"module": "application-control",
	"product_installed": "BEST",
	"user": {
		"id": "S-11-22-33",
		"name": "user@domain.com"
	},
	"computer_name": "TEST_ENDPOINT",
	"computer_fqdn": "test-endpoint.dsd.ro",
	"computer_ip": "31.41.59.265",
	"computer_id": "625c19913a58151e63702862",
	"mode": 1,
	"scanMode": "production",
	"filePath": "C:\\Program Files\\Microsoft\\Skype\\Skype.exe",
	"fileVersion": "10.0.0.9999",
	"productName": "Skype VoIP Service",
	"productVersion": "10.2",
	"publisher": "Microsoft",
	"fingerprint": "b6bf7bc8d96f3ea9d132c83b3da8e7760e420138485657372db4d6a981d3fd9e",
	"thumbprints": ["03d66dd08835c1ca3f128cceacd1f31ac94163096b20f445ae84285bc0832d72"],
	"ruleName": "",
	"date": "2022-04-17T13:44:29.485Z",
	"count": 1
}

Application Inventory

This notification informs you when new applications have been discovered and added to Application Inventory.

Name

Type

Mandatory

Description

module

String

yes

Event type identifier. Value: application-inventory

product_installed

String

yes

Identifier for the installed GravityZone component

user

Object

no

The user involved with the event source

VM_NAME

String

no

Virtual machine name

VM_ID

String

no

Virtual machine identifier

UUID_INSTANCE

String

no

Virtual machine unique identifier

UUID_BIOS

String

no

Only for VMware: bios UUID

computer_name

String

yes

The name of the computer

computer_fqdn

String

yes

The FQDN of the endpoint

computer_ip

String

yes

The IP address

computer_id

String

yes

Unique endpoint identifier in the GravityZone database

discoveredOn

Timestamp

yes

Date of application discovery

{
	"applications": [{
		"name": "Firefox",
		"version": "0"
	}],
	"module": "application-inventory",
	"product_installed": "BEST",
	"VM_NAME": "Pi-machine",
	"VM_ID": "Pi-3141",
	"UUID_INSTANCE": "50164ed1-28af-41af-cdaf-8e550506c37b",
	"UUID_BIOS": "4216d501-36c5-22ed-de02-0e4da0badb7a",
	"computer_name": "Pi-machine",
	"computer_fqdn": "Pi14159-automation-win64",
	"computer_ip": "31.14.159.265",
	"computer_id": "6257cf1130015b2201bf4a00",
	"discoveredOn": "2022-04-17T11:35:33.000Z"
}

Antimalware

This event generated each time Bitdefender detects malware on an endpoint in your network.

Name

Type

Mandatory

Description

module

String

yes

Event type identifier. Value:  av

product_installed

String

yes

Identifier for the installed GravityZone component

oldData

String

yes

The data of the previous event

user

String

yes

The user involved with the event source

VM_NAME

String

no

The name of the virtual machine

VM_ID

String

no

The identifier of the virtual machine

UUID_INSTANCE

String

no

The unique identifier of the virtual machine

UUID_BIOS

String

no

The bios UUID for VMware machines

computer_name

String

yes

The name of the computer

computer_fqdn

String

yes

The FQDN of the endpoint

computer_ip

String

yes

The IP address

computer_id

String

yes

Unique endpoint identifier in the GravityZone database

malware_type

String

yes

Describes the type of malware as defined by Bitdefender. Possible values: file, http, cookie, pop3, smtp, process, boot, registry, stream

malware_name

String

yes

Name of the malware as defined by Bitdefender

hash

String

no

The SHA256 hash of the infected object.

final_status

String

yes

Final status of the action taken on the file: ignored, still present, deleted, blocked, quarantined, disinfected, restored

container_id

String

no

The identifier of the container entity

container_host

String

no

The name of the host that manages the container entity

file_path

String

yes

The path of the infected object as reported by the product. The path references a local file on the machine that reported the event.

last_blocked

Timestamp

yes

Timestamp when the malware was detected

signaturesNumber

String

no

signatures Number

taskScanType

Integer

no

taskScanType

scanEngineType

Integer

no

scanEngineType

{
	"module": "av",
	"product_installed": "BEST",
	"user": {
		"id": "S-1-5-21-2018264366-2484004464-1617746128-1001",
		"name": "bdvm"
	},
	"VM_NAME": "Pi-machine",
	"VM_ID": "Pi-3141",
	"UUID_INSTANCE": "50164ed1-28af-41af-cdaf-8e550506c37b",
	"UUID_BIOS": "4216d501-36c5-22ed-de02-0e4da0badb7a",
	"computer_name": "Pi-machine",
	"computer_fqdn": "Pi14159-automation-win64",
	"computer_ip": "31.14.159.265",
	"computer_id": "6257cf1130015b2201bf4a00",
	"malware_type": "file",
	"malware_name": "Gen:Trojan.Heur.LShot.1",
	"hash": "ca52142291d765efa6b69543c25ca13cb2179ae62a0cb5d2f4a19877244cc3cd",
	"final_status": "still present",
	"container_id": "4216d501-36c5-22ed-de02-0e4da0badb7a",
	"file_path": "C:\\Users\\bdvm\\Desktop\\script.ps1",
	"timestamp": "2022-05-12T09:34:46.000Z",
	"signaturesNumber": "7.89727",
	"scanEngineType": 1
}

Advanced Threat Control (ATC)

This event is created whenever a potentially dangerous applications is detected and blocked on an endpoint.

Name

Type

Mandatory

Description

module

String

yes

Event type identifier. Value: avc

product_installed

String

no

Identifier for the installed GravityZone component

user

Object

no

The user involved with the event source

VM_NAME

String

no

The name of the virtual machine

VM_ID

String

no

The identifier of the virtual machine

UUID_INSTANCE

String

no

The unique identifier of the virtual machine

UUID_BIOS

String

no

The bios UUID for VMware machines

computer_name

String

yes

The name of the computer

computer_fqdn

String

yes

The FQDN of the endpoint

computer_ip

String

yes

The IP address

computer_id

String

yes

Unique endpoint identifier in the GravityZone database

exploit_type

String

yes

Shows the reported types that are application (APP) and exploit (Exploit). Possible values: IDS Blocked APPAVC Blocked APP, AVC Blocked Exploit

exploit_path

String

yes

The path of the object as reported by the product. The path references a local file on the endpoint that reported the event.

process_command_line

String

no

The command line parameters of the detected process

parent_process_id

String

no

The pid of the parent of the detected process

parent_process_path

String

no

Retrieving data. Wait a few seconds and try to cut or copy again.

status

String

yes

Retrieving data. Wait a few seconds and try to cut or copy again.

last_blocked

Timestamp

yes

A timestamp of the last time this application/exploit was blocked

count

Integer

yes

How many times this application/exploit was detected

{
	"module": "avc",
	"product_installed": "BEST",
	"user": {
		"id": "S-1-5-21-2018264366-2484004464-1617746128-1001",
		"name": "bdvm"
	},
	"VM_NAME": "btoma-windows-10-onPrem",
	"VM_ID": "vm-4193",
	"UUID_INSTANCE": "50164ed1-28af-41af-cdaf-8e550506c37b",
	"UUID_BIOS": "4216d501-36c5-22ed-de02-0e4da0badb7a",
	"computer_name": "btoma-windows-10-onPrem",
	"computer_fqdn": "cmocanu-automation-win64",
	"computer_ip": "10.18.155.211",
	"computer_id": "6257cf1130015b2201bf4a00",
	"exploit_type": "AVC APP",
	"exploit_path": "C:\\Users\\bdvm\\Desktop\\_samples_on_execute\\_samples_on_execute\\paranoia.0.2.exe",
	"process_command_line": "C:\\Users\\bdvm\\Desktop\\_samples_on_execute\\_samples_on_execute\\paranoia.0.2.exe  -test parameter \\ for 0",
	"parent_process_id": 1160,
	"parent_process_path": "C:\\Windows\\System32\\cmd.exe",
	"status": "avc_disinfected",
	"last_blocked": "2022-04-17T10:18:25.000Z",
	"count": 1
}

Data Protection

This event is generated each time the data traffic is blocked on an endpoint, according to data protection rules.

Name

Type

Mandatory

Description

module

String

yes

Event type identifier. Value: dp

product_installed

String

yes

Identifier for the installed GravityZone component

oldData

String

no

The data of the previous event

user

Object

no

The data of the previous event

VM_NAME

String

no

The name of the virtual machine

VM_ID

String

no

The identifier of the virtual machine

UUID_INSTANCE

String

no

Virtual machine unique identifier

UUID_BIOS

String

no

Only for VMware: bios UUID

computer_name

String

yes

The name of the computer

computer_fqdn

String

yes

The FQDN of the endpoint

computer_ip

String

yes

The IP address

computer_id

String

yes

Unique endpoint identifier in the GravityZone database

target_type

String

yes

Specifies the blocked traffic type based on the data protection rule:

  • http - the event was generated due to a rule matching http traffic

  • mail - the event was generated due to a rule matching mail traffic

blocking_rule_name

String

yes

Data protection rule name

url

String

yes

The blocked traffic. Possible values are:

  • The exact URL that was blocked, if target_type = http

  • The subject of the email that was blocked, if target_type = mail

status

String

yes

Always data_protection_blocked

last_blocked

Timestamp

yes

A timestamp of the last time this email/url was blocked

count

Integer

yes

A timestamp of the last time this email/url was blocked

{
	"module": "dp",
	"product_installed": "BEST",
	"user": {
		"id": "S-1-5-21-3569875631-4240938805-1797204764-1001",
		"name": "Admin1"
	},
	"computer_name": "TEST_ENDPOINT",
	"computer_fqdn": "test-endpoint.dsd.ro",
	"computer_ip": "31.41.59.265",
	"computer_id": "625c19913a58151e63702862",
	"target_type": "http",
	"blocking_rule_name": "asdf",
	"url": "http:\/\/www.zf.ro\/search",
	"status": "data_protection_blocked",
	"last_blocked": "2018-05-25T08:56:42.000Z",
	"count": 1
}

Exchange Malware Detection

This event is created when Bitdefender detects malware on an Exchange server in your network.

Name

Type

Mandatory

Description

name

String

yes

Event type identifier. Value: Exchange Malware Detected

created

Timestamp

yes

Timestamp of the event

company_name

String

yes

The company name of the device from which the event was triggered

user_name

String

yes

The user name used when the event was triggered

installed_agent

String

yes

Identifier for the installed GravityZone component

oldData

String

no

The data of the previous event

user

Object

no

The user involved with the event source

VM_NAME

String

no

The name of the virtual machine

VM_ID

String

no

The identifier of the virtual machine

UUID_INSTANCE

String

no

Virtual machine unique identifier

UUID_BIOS

String

no

Only for VMware: bios UUID

computer_name

String

yes

The name of the computer

computer_ip

String

yes

The IP address

computer_id

String

yes

Unique endpoint identifier in the GravityZone database

endpointId

String

yes

Managed endpoint identifier in the GravityZone database

serverName

String

yes

Server name where the malware was detected

sender

String

yes

Email sender

recipients

Array

yes

List of email recipients (array of strings)

subject

String

yes

Email subject

detectionTime

Timestamp

yes

Time of the event as reported by the product, already formatted in a string representation

malware

Array

yes

List of detected malware (array of {malwareName: string, malwareType: string, actionTaken: string, infectedObject: string})

{
	"name": "Exchange Malware Detected",
	"created": "2022-04-18T10:52:14+03:00",
	"company_name": "root",
	"user_name": "root",
	"endpoint_id": "625d18aa9f69720ddfaee9c7",
	"server_name": "TEST_ENDPOINT-email",
	"installed_agent": "BEST",
	"sender": "test@test.com",
	"recipients": ["test@test.com", "test@test.com"],
	"subject": "test",
	"detection_time": "2014-10-29T16:14:51.000Z",
	"detected_malware": [{
		"malwareName": "EICAR-Test-File (not a virus)",
		"malwareType": "virus",
		"infectedObject": "someFile.txt",
		"actionTaken": "ignore"
	}, {
		"malwareName": "EICAR-Test-File (not a virus)",
		"malwareType": "virus",
		"infectedObject": "someFile.txt",
		"actionTaken": "disinfect"
	}]
}

Exchange License Usage Limit Has Been Reached

This event is generated when Exchange License limit has been reached

Name

Type

Mandatory

Description

name

String

yes

Event type identifier. Value: Exchange License Usage Limit Has Been Reached

created

Timestamp

yes

Timestamp of the event

company_name

String

yes

The company name of the device from which the event was triggered

user_name

String

yes

The user name used when the event was triggered

license_key

String

yes

The license key of the user which uses the license

recv_for_his_company

Boolean

yes

Company's license limit reached

recv_for_partner_company

Boolean

yes

Whether the license limit has been reached by the partner companies or not

{	"name": "Exchange License Usage Limit Has Been Reached",
	"created": "2019-01-18T13:01:15+00:00",
	"company_name": "nebula_CO",
	"user_name": "root",
	"mailboxes": 8,
	"license_limit": 5,
	"license_key": "5IMICR5",
	"recv_for_his_company": true,
	"recv_for_partner_company": false
}

Exchange User Credentials

This event is generated when an on-demand scan task could not start on the target Exchange server due to invalid user credentials. To complete the task, you need to change your Exchange credentials.

Name

Type

Mandatory

Description

module

String

yes

Event type identifier. Value: exchange-user-credentials

created

Timestamp

yes

Timestamp of the event

company_name

String

yes

The company name of the device from which the event was triggered

user_name

String

yes

The user name used when the event was triggered

endpointId

String

yes

Managed endpoint identifier in the GravityZone database

target_name

String

yes

Managed enpoint name

policy_name

String

yes

Name of the policy applied on the endpoint

{
	"name": "Invalid Exchange user credentials",
	"created": "2022-04-14T09:58:26+00:00",
	"company_name": "root",
	"user_name": "sacumen\\administrator",
	"endpoint_id": "6256a3b130015b2201bf496b",
	"target_name": "WIN-LFK7I9VSLR2",
	"policy_name": "no_update"
}

Firewall

This event is generated when the endpoint agent blocks a port scan or an application from accessing the network, according to the applied policy.

Name

Type

Mandatory

Description

module

String

yes

Event type identifier. Value: fw

product_installed

String

yes

Identifier for the installed GravityZone component

oldData

String

no

The data of the previous event

VM_NAME

String

no

The name of the virtual machine

VM_ID

String

no

The identifier of the virtual machine

UUID_INSTANCE

String

no

Virtual machine unique identifier

UUID_BIOS

String

no

Only for VMware: bios UUID

computer_name

String

yes

The name of the computer

computer_fqdn

String

yes

The FQDN of the endpoint

computer_ip

String

yes

The IP address

computer_id

String

yes

Unique endpoint identifier in the GravityZone database

status

String

yes

The action that was taken upon the detection

local_port

String

no

The port of the malware attack

protocol_id

String

no

The identifier of the malware attack protocol as defined by Protocol Number

application_path

String

no

The path to the image file for the process that was just blocked from doing any traffic on the reported port and protocol.

last_blocked

Timestamp

yes

A timestamp of the last time this connection was blocked

count

Integer

yes

How many times this connection was detected

{
	"module": "fw",
	"product_installed": "BEST",
	"user": {
		"id": "S-1-5-18",
		"name": "SYSTEM"
	},
	"VM_NAME": "Pi-machine",
	"VM_ID": "Pi-3141",
	"UUID_INSTANCE": "50164ed1-28af-41af-cdaf-8e550506c37b",
	"UUID_BIOS": "4216d501-36c5-22ed-de02-0e4da0badb7a",
	"computer_name": "Pi-machine",
	"computer_fqdn": "Pi14159-automation-win64",
	"computer_ip": "31.14.159.265",
	"computer_id": "6257cf1130015b2201bf4a00",
	"status": "traffic_blocked",
	"local_port": "445",
	"protocol_id": "6",
	"application_path": "System",
	"last_blocked": "2022-04-17T11:34:59.000Z",
	"count": 1
}

Hyper Detect event

Event generated when a malware is detected by the Hyper Detect module.

Name

Type

Mandatory

Description

module

String

yes

Event type identifier. Value: hd

product_installed

String

yes

Identifier for the installed GravityZone component

oldData

String

no

The data of the previous event

user

Object

no

The data of the previous event

VM_NAME

String

no

The name of the virtual machine

VM_ID

String

no

The identifier of the virtual machine

UUID_INSTANCE

String

no

Virtual machine unique identifier

UUID_BIOS

String

no

Only for VMware: bios UUID

computer_name

String

yes

The name of the computer

computer_fqdn

String

yes

The FQDN of the endpoint

computer_ip

String

yes

The IP address

computer_id

String

yes

Unique endpoint identifier in the GravityZone database

malware_name

String

yes

Name of the malware as defined by Bitdefender

hash

String

no

Malware file: sha256, hash

final_status

String

yes

Final status of the action taken on the file: ignored, still present, deleted, blocked, quarantined, disinfected, restored

container_id

String

no

The identifier of the container entity

container_host

String

no

The name of the host that manages the container entity

file_path

String

yes

Malware file path

attack_type

String

no

Values: targeted attack, grayware, exploits, ransomware, suspicious files and network traffic

detection_level

String

no

Values: permissive, normal, aggressive

is_fileless_attack

Boolean

no

True for fileless attack

command_line_parameters

String

no

The parameters of the command line

process_info_path

String

no

The path of the process

process_info_command_line

String

no

The command line of the parent process

parent_process_id

Integer

no

The identifier of the parent process

parent_process_path

String

no

The path of the parent process

hwid

String

yes

The hardware identifier

date

Timestamp

yes

Timestamp when the malware was detected

	{
		"module": "hd",
		"product_installed": "BEST",
		"user": {
			"name": "bdvm",
			"sid": "S-1-5-21-2018264366-2484004464-1617746128-1001"
		},
		"VM_NAME": "Pi-machine",
		"VM_ID": "Pi-3141",
		"UUID_INSTANCE": "50164ed1-28af-41af-cdaf-8e550506c37b",
		"UUID_BIOS": "4216d501-36c5-22ed-de02-0e4da0badb7a",
		"computer_name": "Pi-machine",
		"computer_fqdn": "Pi14159-automation-win64",
		"computer_ip": "31.14.159.265",
		"computer_id": "6257cf1130015b2201bf4a00",
		"malware_type": "file",
		"malware_name": "Gen:Illusion.Jazz.1.2010103",
		"hash": "",
		"final_status": "still present",
		"container_id": "4216d501-36c5-22ed-de02-0e4da0badb7a",
		"file_path": "C:\\Users\\bdvm\\Desktop\\_samples_on_execute\\_samples_on_execute\\paranoia.3.2.exe",
		"attack_type": "Ransomware",
		"detection_level": "Normal",
		"is_fileless_attack": "false",
		"process_info_path": "C:\\Users\\bdvm\\Desktop\\_samples_on_execute\\_samples_on_execute\\paranoia.3.2.exe",
		"process_info_command_line": "-test parameter \\ for 3",
		"parent_process_id": 12432,
		"parent_process_path": "C:\\Windows\\System32\\cmd.exe",
		"hwid": "01d51642-c536-ed22-de02-0e4da0badb7a-00505696d1c3",
		"date": "2022-04-15T08:06:27.000Z"
	}

Product Modules Status

This event is generated when a security module of the installed agent gets enabled or disabled.

Name

Type

Mandatory

Description

module

String

yes

Event type identifier. Value: modules

product_installed

String

yes

Identifier for the installed GravityZone component

oldData

Object

no

The data of the previous event

user

Object

no

The user involved with the event source

VM_NAME

String

no

The name of the virtual machine

VM_ID

String

no

The identifier of the virtual machine

UUID_INSTANCE

String

no

Virtual machine unique identifier

UUID_BIOS

String

no

Only for VMware: bios UUID

computer_name

String

yes

The name of the computer

computer_fqdn

String

yes

The FQDN of the endpoint

computer_ip

String

yes

The IP address

computer_id

String

yes

Unique endpoint identifier in the GravityZone database

container_id

String

no

The identifier of the container entity

container_host

String

no

The name of the host that manages the container entity

is_container_host

Boolean

no

Whether the machine is container host or not

	{
		"module": "modules",
		"product_installed": "BEST",
		"VM_NAME": "btoma-exchange-onPrem-1",
		"VM_ID": "vm-4306",
		"UUID_INSTANCE": "5016fdf7-03ea-023f-35d0-0ec397f011ba",
		"UUID_BIOS": "4216e16b-0341-2783-16c4-b353301c2a73",
		"computer_name": "btoma-exchange-onPrem-1",
		"computer_fqdn": "win-lfk7i9vslr2.sacumen.local",
		"computer_ip": "10.18.154.115",
		"computer_id": "625c06b42dc02c725f5f1942",
		"container_id": "4216e16b-0341-2783-16c4-b353301c2a73",
		"malware_status": 1,
		"avc_status": 1,
		"pu_status": 0,
		"dlp_status": 1,
		"exchange_av_status": 1,
		"exchange_as_status": 1,
		"exchange_at_status": 0,
		"exchange_cf_status": 0,
		"exchange_od_status": 1,
		"patch_management": 1,
		"app_control_status": 1
	}

Sandbox Analyzer Detection

This event is generated each time Sandbox Analyzer detects a new threat among the submitted files.

Name

Type

Mandatory

Description

name

String

yes

Event type identifier. Value: Sandbox Analyzer Detection

created

Timestamp

yes

Timestamp of the event

company_name

String

yes

The company name of the device from which the event was triggered

user_name

String

yes

The user name used when the event was triggered

companyId

String

yes

Company identifier in the GravityZone database

endpointId

String

yes

Managed endpoint identifier in the GravityZone database

computer_name

String

yes

The name of the computer

computerIp

String

yes

The IP of the computer which submitted the file for analysis

computer_id

String

yes

Unique endpoint identifier in the GravityZone database

detectionTime

Integer

yes

Time of the event as reported by the product, already formatted in a string representation

threatType

String

yes

Describes the type of malware as defined by Bitdefender. Possible values are: file, http, cookie, pop3, smtp, process, boot, registry and stream

submissionId

String

no

GravityZone network sandbox submission ID

filePaths

Array

yes

File paths (array of strings)

fileSizes

Array

yes

File sizes (array of strings)

remediationActions

Array

yes

Remediation actions (array of strings).

{
	"name": "Sandbox Analyzer Detection",
	"created": "2022-05-03T12:34:00+03:00",
	"company_name": "root",
	"user_name": "test",
	"computer_name": "TEST_ENDPOINT-sbx",
	"computer_ip": "31.41.59.265",
	"detection_time": "07 Jul 2016, 15:11:54",
	"threat_type": "Ransomware",
	"file_info": [{
		"file_path": "C:\\Users\\Administrator\\Documents\\installer.xml",
		"file_size": "2.55 KB",
		"remediation_action": "Quarantined"
	}, {
		"file_path": "D:\\opt\\bitdefender\\installer2.xml",
		"file_size": "2.55 KB",
		"remediation_action": "Deleted"
	}, {
		"file_path": "D:\\sources\\console\\CommonConsole\\app\\modules\\policies\\view\\endpoints\\networkSandboxing\\installer3.xml",
		"file_size": "2.55 KB",
		"remediation_action": "Quarantined"
	}]
}

Product Registration

This event is generated when the registration status of an agent installed in your network has changed.

Name

Type

Mandatory

Description

module

String

yes

Event type identifier. Value: registration

product_installed

String

yes

Identifier for the installed GravityZone component

oldData

Object

yes

The data of the previous event

user

Object

yes

The user involved with the event source

VM_NAME

String

no

The name of the virtual machine

VM_ID

String

no

The identifier of the virtual machine

UUID_INSTANCE

String

no

Virtual machine unique identifier

UUID_BIOS

String

no

Only for VMware: bios UUID

companyId

String

yes

Company identifier in the GravityZone database

computer_name

String

yes

The name of the computer

computer_fqdn

String

yes

The FQDN of the endpoint

computer_ip

String

yes

The IP address

computer_id

String

yes

Unique endpoint identifier in the GravityZone database

container_id

String

no

The identifier of the container entity

container_host

String

no

The name of the host that manages the container entity

is_container_host

Boolean

no

Whether the machine is container host or not

product_registration

String

yes

Values: registered, unregistered

{
	"module": "registration",
	"product_installed": "BEST",
	"computer_name": "TEST_ENDPOINT",
	"computer_fqdn": "test-endpoint.dsd.ro",
	"computer_ip": "31.41.59.265",
	"computer_id": "625c19913a58151e63702862",
	"product_registration": "registered"
}

Outdated Update Server

This event is generated when an update server has outdated malware signatures.

Name

Type

Mandatory

Description

module

Boolean

yes

Event type identifier. Value: supa-update-status

status

Integer

yes

The status of the server update. Possible values:

  • 1 - up to date

  • 2 - outdated

fromSupa

Integer

yes

The ID of the Update Server.

product_installed

String

yes

Identifier for the installed GravityZone component

oldData

Object

no

The data of the previous event

user

Object

no

The user involved with the event source

VM_NAME

String

no

The name of the virtual machine

VM_ID

String

no

The identifier of the virtual machine

UUID_INSTANCE

String

no

Virtual machine unique identifier

UUID_BIOS

String

no

Only for VMware: bios UUID

computer_name

String

yes

The name of the computer

computer_fqdn

String

yes

The FQDN of the endpoint

computer_ip

String

yes

The IP address

computer_id

String

yes

Unique endpoint identifier in the GravityZone database

{
	"fromSupa": 1,
	"module": "supa-update-status",
	"product_installed": "BEST",
	"computer_name": "TEST_ENDPOINT",
	"computer_fqdn": "test-endpoint.dsd.ro",
	"computer_ip": "31.41.59.265",
	"computer_id": "625c19913a58151e63702862",
	"status": 0
}

Overloaded Security Server

This event is generated when the scan load on a Security Server in your network exceeds the defined threshold.

Name

Type

Mandatory

Description

module

String

yes

Event type identifier. Value: sva-load

product_installed

String

no

Identifier for the installed GravityZone component

oldData

Object

no

The data of the previous event

user

Object

yes

The user involved with the event source

VM_NAME

String

no

The name of the virtual machine

VM_ID

String

no

The identifier of the virtual machine

UUID_INSTANCE

String

no

Virtual machine unique identifier

UUID_BIOS

String

no

Only for VMware: bios UUID

companyId

String

yes

Company identifier in the GravityZone database

computer_name

String

yes

The name of the computer

computer_fqdn

String

yes

The FQDN of the endpoint

computer_ip

String

yes

The IP address

computer_id

String

yes

Unique endpoint identifier in the GravityZone database

loadAverage

Integer

yes

The load average of the Security Server

cpu_load_percent

Integer

yes

The CPU usage of the Security Server

memoryUsage

Integer

yes

The memory usage of the Security Server

networkUsage

Integer

yes

The network usage of the Security Server

overallUsage

Integer

yes

The overall usage of the Security Server

svaLoad

String

no

The load of the Security Server

	{
		"module": "sva-load",
		"product_installed": "SVA",
		"VM_NAME": "btoma-SVA-outdated-onPrem",
		"VM_ID": "vm-4191",
		"UUID_INSTANCE": "5016cfec-c7fd-7531-fa29-9185931879c4",
		"UUID_BIOS": "4216a8ee-3cef-46f9-9925-d588eee65766",
		"computer_name": "btoma-SVA-outdated-onPrem",
		"computer_fqdn": "bitdefender-sva",
		"computer_ip": "10.18.159.8",
		"computer_id": "6256984b601b8b21f976ad88",
		"loadAverage": 1,
		"cpuUsage": 8,
		"memoryUsage": 45,
		"networkUsage": 0,
		"overallUsage": 8,
		"svaLoad": "Overloaded"
	}

Security Server Status

This event is created when the status of a certain Security Server changes. The status refers to power (powered on/powered off), product update, signatures update and reboot required.

Name

Type

Mandatory

Description

module

String

yes

Event type identifier. Value: sva

product_installed

String

yes

Identifier for the installed GravityZone component

oldData

Object

no

The data of the previous event

user

Object

no

The user involved with the event source

VM_NAME

String

no

The name of the virtual machine

VM_ID

String

no

The identifier of the virtual machine

UUID_INSTANCE

String

no

Virtual machine unique identifier

UUID_BIOS

String

no

Only for VMware: bios UUID

companyId

String

yes

Company identifier in the GravityZone database

computer_name

String

yes

The name of the computer

computer_fqdn

String

yes

The FQDN of the endpoint

computer_ip

String

yes

The IP address

computer_id

String

yes

Unique endpoint identifier in the GravityZone database

powered_off

Boolean

yes

True if the Security Server is powered off

product_update_available

Boolean

no

The Security Server update availability status

signature_update

Timestamp

no

Timestamp when the last signatures update of the Security Server was finished

product_reboot_required

Boolean

no

True if a reboot is required

lastupdate

Timestamp

no

Timestamp when the last update of the Security Server was finished

lastupdateerror

String

no

The error of the last Security Server update

updatesigam

String

no

The engines version of the Security Server

{
	"module": "sva",
	"product_installed": "SVA",
	"VM_NAME": "Bitdefender SVE SVA (dell-xen2)",
	"VM_ID": "OpaqueRef:5bfc190d-2c54-d3da-e104-2b899b59d039",
	"UUID_INSTANCE": "eab611f7-3f7b-8a01-88e0-a78f2e35373b",
	"computer_name": "Bitdefender SVE SVA (dell-xen2)",
	"computer_fqdn": "sva-xen2",
	"computer_ip": "10.17.12.194",
	"computer_id": "6258082f6437b27cd93926e5",
	"powered_off": 1
}

Antiexploit Event

This event is generated when Advanced Anti-Exploit triggers a detection.

Name

Type

Mandatory

Description

module

String

yes

Event type identifier. Value: antiexploit

product_installed

String

yes

Identifier for the installed GravityZone component

oldData

Object

no

The data of the previous event

VM_NAME

String

no

The name of the virtual machine

VM_ID

String

no

The identifier of the virtual machine

UUID_INSTANCE

String

no

Virtual machine unique identifier

UUID_BIOS

String

no

Only for VMware: bios UUID

computer_name

String

yes

The name of the computer

computer_fqdn

String

yes

The FQDN of the endpoint

computer_ip

String

yes

The IP address

computer_id

String

yes

Unique endpoint identifier in the GravityZone database

container_id

String

no

The identifier of the container entity

container_host

String

no

The name of the host that manages the container entity

endpointId

String

yes

Managed endpoint identifier in the GravityZone database

detection_action

String

yes

The action that was taken upon the detection

detection_threatName

String

no

Detection threat name

detection_pid

String

yes

The pid of the detection

detection_exploitTechnique

String

yes

The technique employed in the detection

detection_parentPid

String

no

Detection parent pid

detection_path

String

yes

The path of the detection

detection_parentPath

String

no

The path of the parent process of the detection

detection_cve

String

no

Detection CVE

detection_payload

String

no

Detection payload

detection_username

String

no

The user that was logged when the detection was found

detection_time

Timestamp

yes

Time of the event as reported by the product, already formatted in a string representation

{
	"module": "antiexploit",
	"product_installed": "BEST",
	"VM_NAME": "btoma-exchange-onPrem",
	"VM_ID": "vm-4190",
	"UUID_INSTANCE": "501606d3-c8b0-1127-920a-1edc7d3a76b0",
	"UUID_BIOS": "42166a12-1437-7e14-db35-8f100b85041b",
	"computer_name": "btoma-exchange-onPrem",
	"computer_fqdn": "win-lfk7i9vslr2.sacumen.local",
	"computer_ip": "10.18.159.13",
	"computer_id": "6256a3b130015b2201bf496d",
	"container_id": "42166a12-1437-7e14-db35-8f100b85041b",
	"detection_action": "kill",
	"detection_pid": "46856",
	"detection_exploitTechnique": "ProcessCreation\/ObsoleteChildProcessCreation",
	"detection_parentPid": "48508",
	"detection_path": "C:\\Users\\Administrator\\Desktop\\samples\\samples\\bd_anti-exploit-test\\test-gemma-alert\\opera64.exe",
	"detection_parentPath": "C:\\Windows\\System32\\cmd.exe",
	"detection_username": "Administrator@sacumen.local",
	"detection_time": "2022-04-17T11:52:30.000Z",
	"endpoint_id": "6256a3b130015b2201bf496b"
}
    

Network Attack Defense Event

This event is generated when the Network Attack Defense module triggers a detection.

Name

Type

Mandatory

Description

module

String

yes

Event type identifier. Value: network-monitor

product_installed

String

yes

Identifier for the installed GravityZone component

oldData

Object

no

The data of the previous event

user_name

Object

no

The user involved with the event source

VM_NAME

String

no

The name of the virtual machine

VM_ID

String

no

The identifier of the virtual machine

UUID_INSTANCE

String

no

Virtual machine unique identifier

UUID_BIOS

String

no

Only for VMware: bios UUID

computer_name

String

yes

The name of the computer

computer_fqdn

String

yes

The FQDN of the endpoint

computer_ip

String

yes

The IP address

computer_id

String

yes

Unique endpoint identifier in the GravityZone database

container_id

String

yes

The identifier of the container entity

container_host

String

yes

The name of the host that manages the container entity

endpointId

String

yes

Managed endpoint identifier in the GravityZone database

label

String

no

The label set in the Network grid by the Admin

actionTaken

String

yes

The action that was taken upon the detection

detection_name

String

yes

The name of the detection as received from BEST

detection_attackTechnique

String

yes

Name of the attack technique as set in the Network Attack Defense policy

source_ip

String

yes

IP of the attack source

victim_ip

String

yes

IP of the victim's endpoint

local_port

String

yes

The port on which the attack occurred

timestamp

Timestamp

yes

Time of the event as reported by the product, already formatted in a string representation

	{
		"name": "Network Incidents event",
		"created": "2022-04-26T09:49:18+03:00",
		"company_name": "root",
		"user_name": "user1@domain.com",
		"computer_id": "625c19913a58151e63702862",
		"computer_name": "TEST_ENDPOINT",
		"computer_ip": "31.41.59.265",
		"computer_fqdn": "test-endpoint.dsd.ro",
		"action_taken": "block",
		"attack_technique": "discovery",
		"detection_name": "Eicar.NetworkMonitor.DiscoveryThreat",
		"source_ip": "213.211.198.58",
		"victim_ip": "10.17.134.4",
		"local_port": "80",
		"date": "2015-02-02T13:34:54.000Z"
	}

Task Status

This event is generated each time a task status changes.

Name

Type

Mandatory

Description

module

String

yes

Event type identifier. Value: task-status

product_installed

String

yes

Identifier for the installed GravityZone component

oldData

Object

no

The data of the previous event

user

Object

no

The user involved with the event source

VM_NAME

String

no

The name of the virtual machine

VM_ID

String

no

The identifier of the virtual machine

UUID_INSTANCE

String

no

Virtual machine unique identifier

UUID_BIOS

String

no

Only for VMware: bios UUID

computer_name

String

yes

The name of the computer

computer_fqdn

String

yes

The FQDN of the endpoint

computer_ip

String

yes

The IP address

computer_id

String

yes

Unique endpoint identifier in the GravityZone database

userId

String

yes

The identifier of the user that created the task

taskId

String

yes

The identifier of the task

taskName

String

yes

The name of the task

taskType

Integer

yes

The type of the task

targetName

String

yes

The name of the task

isSuccessful

Boolean

yes

True if the task was executed successfully

status

Integer

yes

The status of the task

errorMessage

String

yes

The error message of the failed task

errorCode

Integer

yes

The error code of the failed task

{
	"module": "task-status",
	"product_installed": "BEST",
	"VM_NAME": "Pi-machine",
	"VM_ID": "Pi-3141",
	"UUID_INSTANCE": "50164ed1-28af-41af-cdaf-8e550506c37b",
	"UUID_BIOS": "4216d501-36c5-22ed-de02-0e4da0badb7a",
	"computer_name": "Pi-machine",
	"computer_fqdn": "Pi14159-automation-win64",
	"computer_ip": "31.14.159.265",
	"computer_id": "6257cf1130015b2201bf4a00",
	"userId": "6177f2319908e641be7b8eda",
	"taskId": "627cd4a6c9f8cd6efe672e74",
	"taskName": "Restore Quarantine Item Task 2022-05-12(sub-task)",
	"taskType": 280,
	"targetName": "Pi-machine",
	"isSuccessful": true,
	"status": 3,
	"errorMessage": "",
	"errorCode": 0,
	"errorMessageParams": []
}

User Control/Content Control

This event is generated when a user activity such as web browsing of software application is blocked on the endpoint according to the applied policy.

Name

Type

Mandatory

Description

module

String

yes

Event type identifier. Value: uc

product_installed

String

yes

Identifier for the installed GravityZone component

oldData

Object

no

The data of the previous event

user.name

Object

no

The user involved with the event source

VM_NAME

String

no

The name of the virtual machine

VM_ID

String

no

The identifier of the virtual machine

UUID_INSTANCE

String

no

Virtual machine unique identifier

UUID_BIOS

String

no

Only for VMware: bios UUID

computer_name

String

yes

The name of the computer

computer_fqdn

String

yes

The FQDN of the endpoint

computer_ip

String

yes

The IP address

computer_id

String

yes

Unique endpoint identifier in the GravityZone database

uc_type

String

no

Values: application, http

url

String

no

Malware url

block_type

String

no

Values: application, http_timelimiter, http_blacklist, http_categories, http_bogus, http_antimalware

categories

String

no

Values: WebProxy, Games, Tabloids, Hate, Gambling, Drugs, Illegal, Shopping, OnlinePay, Video, SocialNetwork, OnlineDating, IM, SearchEngines, RegionalTLDS, News, Pornography, MatureContent, Blog, FileSharing, Narcotics, VideoOnline, Religious, Suicide, Health, ViolentCartoons, Weapons, Hacking, Scams, CasualGames, OnlineGames, ComputerGames, PhotosOnline, Ads, Advice, Bank, Business, ComputerAndSoftware, Education, Entertainment, Government, Hobbies, Hosting, JobSearch, Portals, RadioMusic, Sports, TimeWasters, Travel, WebMail

application_path

String

no

Malware file path

status

String

no

Values: uc_application_blocked, uc_site_blocked

last_blocked

Timestamp

no

Last timestamp this malware was blocked

count

Integer

no

How many times this malware was detected

{
		"module": "uc",
		"product_installed": "SVA",
		"user": {
			"id": "S-1-5-21-2807410960-349943591-4067985531-1001",
			"name": "admin"
		},
		"computer_name": "AD-ONPREM-2019A 1",
		"computer_fqdn": "ad-onprem-2019a",
		"computer_ip": "10.18.156.47",
		"computer_id": "627cd5854e604906f22aa6ed",
		"uc_type": "http",
		"url": "http:\/\/block_type_4.com",
		"block_type": "http_categories",
		"categories": "Illegal,Shopping,OnlinePay,IM",
		"status": "uc_site_blocked",
		"last_blocked": "2015-02-25T12:21:54.000Z",
		"count": 2
	}

Storage Antimalware Event

This event is generated each time SVA detects a new threat among the protected storage (NAS).

Name

Type

Mandatory

Description

name

String

yes

Event type identifier. Value: Storage Antimalware Event

created

Timestamp

yes

Timestamp of the event

company_name

String

yes

The company name of the device from which the event was triggered

user_name

String

yes

The user name used when the event was triggered

endpointId

String

yes

Managed endpoint identifier in the GravityZone database

computer_name

String

yes

The name of the computer

storage_name

String

yes

The name of the storage unit

storage_ip

String

yes

The IP address of the storage unit

storage_type

String

yes

The type of the storage unit.(E.g., Nutanix, Citrix etc.)

malware_path

String

yes

The path of the infected object as reported by the product. The path references a local file on the machine that reported the event

malware_hash

String

yes

The SHA256 hash of the infected object

malware_type

String

yes

Describes the type of malware as defined by Bitdefender. Possible values are: file, http, cookie, pop3, smtp, process, boot, registry, and stream

malware_name

String

yes

Name of the malware as defined by Bitdefender

status

String

yes

Final status for the detected objects. Possible values are: still present, deleted, blocked, quarantined, disinfected, restored

detection_time

Timestamp

yes

Time of the event as reported by the product, already formatted in a string representation

sandboxDetection

Boolean

no

Boolean describing whether or not file was submitted to a sandbox analyzer

sandboxHostname

String

no

The hostname of the sandbox analyzer where the file was submitted

security_server_version

String

no

The version of the security server which detected the malwa

engines_version

String

no

The version of the engines used to detect the malware

{
	"name": "Storage Antimalware Event",
	"created": "2022-04-15T17:02:59+03:00",
	"company_name": "root",
	"user_name": "root",
	"computer_name": "bitdefender-sva",
	"storage_name": "10.17.42.77",
	"storage_ip": "10.17.42.77",
	"storage_type": "Unknown",
	"malware_path": "\/ifs\/data\/btoma_test3",
	"malware_hash": "2f41772245a9d55a0725061337b18e8eba2cee7965d081b52c40afe2c0201dcd",
	"malware_type": "Malware",
	"malware_name": "BAT.Trojan.FormatC.Z",
	"malware_status": "Blocked",
	"detection_time": "2022-04-15T14:02:02.000Z",
	"sandboxDetection": 0,
	"sandboxHostname": "",
	"security_server_version": "6.2.7.11403",
	"engines_version": "7.91671"
}

Login event

Login from new device event.

Name

Type

Mandatory

Description

name

String

yes

Event type identifier. Value: Login from new device

created

Timestamp

yes

Timestamp of the event

company_name

String

yes

The company name of the device from which the event was triggered

user_name

String

yes

The user name used when the event was triggered

os

String

no

The operating system used from the other device to login

browser_name

String

no

The browser used from the other device to login

browser_version

String

no

The browser's version used from the other device to login

device_ip

String

no

The IP of the other device at login time

{
	"name": "Login from new device",
	"created": "2022-05-31T15:48:15+03:00",
	"company_name": "root",
	"user_name": "root",
	"os": "Windows",
	"browser_version": "102.0.0.0",
	"browser_name": "Chrome",
	"request_time": "31 May 2022, 15:48:14 +03:00",
	"device_ip": "10.17.90.108"
}

Authentication audit event

Authentication audit

Name

Type

Mandatory

Description

name

String

yes

Event type identifier. Value: Authentication audit

created

Timestamp

yes

Timestamp of the event

company_name

String

yes

The company name of the device from which the event was triggered

platform

String

no

The platform from which the authentication was done

browser

String

no

The browser from which the authentication was don

browser_version

String

no

The browser version from which the authentication was done

ip

String

no

The device IP of the system from which the authentication was done

{
	"name": "Authentication audit",
	"created": "2022-04-17T13:31:34+03:00",
	"company_name": "root",
	"user_name": "test",
	"platform": "Windows",
	"browser": "Firefox",
	"browser_version": "99.0",
	"ip": "10.22.91.27",
	"date": "17 Apr 2022, 13:31:34 +03:00"
}

SMTP Connection

This event is created when the status of SMTP Connection changes.

Name

Type

Mandatory

Description

name

String

yes

Event type identifier. Value: SMTP Connection

created

Timestamp

yes

Timestamp of the event

company_name

String

yes

The company name of the device from which the event was triggered

user_name

String

yes

The user name used when the event was triggered

error_code

Integer

no

Connection Error Code

error_message

String

no

Connection Error Message

status

String

no

SMTP connection status

{
	"name": "SMTP Connection",
	"created": "2022-05-31T16:03:57+03:00",
	"company_name": "root",
	"user_name": "test",
	"status": false,
	"error_code": 503,
	"error_message": "Expected response code 354 but got code \"503\", with message \"503 5.5.2 Need rcpt command\r\n\""
}

Internet Connection

This event is created when the status of Internet Connection changes.

Name

Type

Mandatory

Description

name

String

yes

Event type identifier. Value: Internet Connection

created

Timestamp

yes

Timestamp of the event

company_name

String

yes

The company name of the device from which the event was triggered

user_name

String

yes

The user name used when the event was triggered

error_code

Integer

no

Connection Error Code

error_message

String

no

Connection Error Message

status

String

no

SMTP connection status

{
	"name": "Internet Connection",
	"created": "2022-09-12T15:53:34+03:00",
	"company_name": "root",
	"user_name": "test",
	"status": false,
	"error_code": 28,
	"error_message": "Operation timed out after 10000 milliseconds with 0 out of 0 bytes received"
}

License expires event

License expires.

Name

Type

Mandatory

Description

name

String

yes

Event type identifier. Value: License Expires

created

Timestamp

yes

Timestamp of the event

company_name

String

yes

The company name of the device from which the event was triggered

user_name

String

yes

The user name used when the event was triggered

license_key

String

yes

The license key of the user which uses the license

recv_for_his_company

Boolean

yes

Whether the license limit has been reached by the current company or not

recv_for_partner_company

Boolean

yes

Whether the license limit has been reached by the partner companies or not

threshold

Integer

yes

The amount of days left from license from which the notification should start being sent to the user

days

Integer

yes

The number of days until the user's license will expire

is_partner

Boolean

yes

Always false

{
	"name": "License Expires",
	"created": "2022-04-23T18:05:47+03:00",
	"company_name": "root",
	"user_name": "test",
	"license_key": "SUQ2GEC",
	"product_id": 2906,
	"license_company_id": "6177f22f9908e641be7b8ec4",
	"threshold": 1,
	"days": 1,
	"is_partner": false,
	"recv_for_his_company": true,
	"recv_for_partner_company": false
}

License Limit Is About To Be Reached event

License limit is about to be reached.

Name

Type

Mandatory

Description

name

String

yes

Event type identifier. Value: License Limit Is About To Be Reached

created

Timestamp

yes

Timestamp of the event

company_name

String

yes

The company name of the device from which the event was triggered

user_name

String

yes

The user name used when the event was triggered

license_key

String

yes

The license key of the user which uses the license

recv_for_his_company

Boolean

yes

Whether the license limit has been reached by the current company or not

recv_for_partner_company

Boolean

yes

Whether the license limit has been reached by the partner companies or not

used

Integer

yes

The number of days the license has been used by the user

total

Integer

yes

The total number of days available to user for using the license

{
	"name": "License Limit Is About To Be Reached",
	"created": "2022-04-17T16:07:12+03:00",
	"company_name": "root",
	"user_name": "root",
	"license_key": "30W6TMF",
	"recv_for_his_company": true,
	"recv_for_partner_company": false,
	"used": 3,
	"total": 4
}

License Usage Limit Has Been Reached event

License usage limit has been reached.

Name

Type

Mandatory

Description

name

String

yes

Event type identifier. Value: Exchange License Usage Limit Has Been Reached

created

Timestamp

yes

Timestamp of the event

company_name

String

yes

The company name of the device from which the event was triggered

user_name

String

yes

The user name used when the event was triggered

license_key

String

yes

The license key of the user which uses the license

recv_for_his_company

Boolean

yes

Whether the license limit has been reached by the current company or not

recv_for_partner_company

Boolean

yes

Whether the license limit has been reached by the partner companies or not

used

Integer

yes

The number of days the license has been used by the user

total

Integer

yes

The total number of days available to user for using the license

{
	"name": "Exchange License Usage Limit Has Been Reached",
	"created": "2022-05-12T12:28:48+03:00",
	"company_name": "root",
	"user_name": "test",
	"mailboxes": 7,
	"license_limit": 6,
	"license_key": "30W6TMF",
	"recv_for_his_company": true,
	"recv_for_partner_company": false
}

Servers License Limit Is About To Be Reached event

Servers license limit is about to be reached.

Name

Type

Mandatory

Description

name

String

yes

Event type identifier. Value: Servers License Limit Is About To Be Reached

created

Timestamp

yes

Timestamp of the event

company_name

String

yes

The company name of the device from which the event was triggered

user_name

String

yes

The user name used when the event was triggered

license_key

String

yes

The license key of the user which uses the license

recv_for_his_company

Boolean

yes

Whether the license limit has been reached by the current company or not

recv_for_partner_company

Boolean

yes

Whether the license limit has been reached by the partner companies or not

servers_used

Integer

yes

The number of licensed servers

servers_total

Integer

yes

The total number of servers the license allows

{
	"name": "Servers License Limit Is About To Be Reached",
	"created": "2022-04-17T15:58:10+03:00",
	"company_name": "root",
	"user_name": "test",
	"license_key": "30W6TMF",
	"recv_for_his_company": true,
	"recv_for_partner_company": false,
	"servers_used": 1,
	"servers_total": 2
}

Servers License Usage Limit Has Been Reached event

Servers License Usage Limit Has Been Reached

Name

Type

Mandatory

Description

name

String

yes

Event type identifier. Value: Servers License Usage Limit Has Been Reached

created

Timestamp

yes

Timestamp of the event

company_name

String

yes

The company name of the device from which the event was triggered

user_name

String

yes

The user name used when the event was triggered

license_key

String

yes

The license key of the user which uses the license

recv_for_his_company

Boolean

yes

Whether the license limit has been reached by the current company or not

recv_for_partner_company

Boolean

yes

Whether the license limit has been reached by the partner companies or not

servers_used

Integer

yes

The number of licensed servers

servers_total

Integer

yes

The total number of servers the license allows

{
	"name": "Servers License Usage Limit Has Been Reached",
	"created": "2022-04-17T16:07:12+03:00",
	"company_name": "root",
	"user_name": "test",
	"license_key": "30W6TMF",
	"recv_for_his_company": true,
	"recv_for_partner_company": false,
	"servers_used": 2,
	"servers_total": 2
}

Malware Outbreak

This notification is sent when at least X%(predefined 5%) of all the managed network objects are infected by the same malware.

Name

Type

Mandatory

Description

name

String

yes

Event type identifier. Value: Malware Outbreak

company_name

String

yes

The company name of the device from which the event was triggered

malware_name

String

yes

Name of the malware as defined by Bitdefender

protected_entities

Array

yes

Protected entities that was infected

protected_entities_more

Integer

yes

Protected entities configuration settings

protected_entities_eps

Array

no

Protected eps entities that were infected

protected_entities_epsmore

Integer

no

Protected eps entities configuration settings

protected_entities_sve

Array

no

Protected sve entities that was infected

protected_entities_svemore

Integer

no

Protected sve entities configuration settings

csv_id

Array

no

The ID of the csv file with the list of infected endpoints

total

Integer

yes

Total number of infected endpoints

count

Integer

yes

Number of occurrences since the last reporting

interval_start

Timestamp

yes

Time of the event when was detected the first malware

interval_end

Timestamp

yes

Interval End when was detected the last malware

show_company_name

Boolean

no

Show company name

{
	"name": "Malware Outbreak",
	"created": "2022-05-12T13:35:07+03:00",
	"company_name": "root",
	"user_name": "root",
	"malware_name": "Gen:Trojan.Heur.LShot.1",
	"count": 1,
	"total": 13,
	"interval_start": "2022-05-12 12:35:06",
	"interval_end": "2022-05-12 13:35:07",
	"protected_entities": [{
		"name": "Pi14159-AUTOMAT",
		"company": {
			"id": "6177f22f9908e641be7b8ec4",
			"name": "root"
		}
	}],
	"protected_entities_more": 0,
	"show_company_name": false,
	"csv_id": "627ce2db468f4e01fb3d7322"
} 

Mobile users without email event

Mobile device users without email address

Name

Type

Mandatory

Description

name

String

yes

Event type identifier. Value: Mobile device users without email address

created

Timestamp

yes

Timestamp of the event

company_name

String

yes

The company name of the device from which the event was triggered

user_name

String

yes

The user name used when the event was triggered

users

Array

yes

The list of mobile users without email

{
	"name": "Mobile device users without email address",
	"created": "2022-04-26T11:51:40",
	"company_name": "root",
	"user_name": "root",
	"users": ["test", "test3"]
}

Database Backup event

Database backup

Name

Type

Mandatory

Description

name

String

yes

Event type identifier. Value: Database Backup

created

Timestamp

yes

Timestamp of the event

company_name

String

yes

The company name of the device from which the event was triggered

user_name

String

yes

The user name used when the event was triggered

is_successful

Boolean

yes

The success status of the database backup operation

is_scheduled

Boolean

yes

The scheduling status of the database backup operation

db_version

String

yes

The version of the database for which the backup operation has been done

date

Timestamp

yes

Timestamp when the database backup operation was finished

location_type

Integer

yes

The location of the database for which the backup operation has been done

location

String

yes

The location of the database for which the backup operation has been done

next_backup

Timestamp

yes

Timestamp when the next database backup operation is scheduled

backup_status

Integer

yes

Database Backup Status: 0 successful, 1 failure, 2 processing

{
	"name": "Database Backup",
	"created": "2022-04-14T08:59:57+00:00",
	"company_name": "root",
	"user_name": "root",
	"backup_status": 0,
	"is_successful": true,
	"is_scheduled": false,
	"db_version": "023-001-001",
	"date": "2022-04-14T08:59:51",
	"location_type": 2,
	"location": "\\\\10.18.156.38\\share",
	"next_backup": null
}

Certificate expires event

Certificate Expires

Name

Type

Mandatory

Description

name

String

yes

Event type identifier. Value: Certificate expires

created

Timestamp

yes

Timestamp of the event

company_name

String

yes

The company name of the device from which the event was triggered

user_name

String

yes

The user name used when the event was triggered

certificate_type

Integer

yes

The type of certificate used by current user

days_left

Integer

yes

The number of days until the user's certificate will expire

last_notification_date

Timestamp

yes

Timestamp when the certificate expiration was notified to the user

threshold

Integer

yes

The amount of days left from certificate from which the notification should start being sent to the user

{
	"name": "Certificate expires",
	"created": "2022-04-24T05:00:59+03:00",
	"company_name": "root",
	"user_name": "test",
	"certificate_type": 1,
	"days_left": 0,
	"last_notification_date": "2022-04-24T05:00:59+03:00",
	"threshold": 1
}

Upgrade Status

This event is generated when endpoints are protected by old products(Bitdefender Tools or Security Endpoint) in Gravity Zone Console.

Name

Type

Mandatory

Description

name

String

yes

Event type identifier. Value: Upgrade status

created

Timestamp

yes

Timestamp of the event

company_name

String

yes

The company name of the device from which the event was triggered

user_name

String

yes

The user name used when the event was triggered

protected_entities

Array

yes

Protected entities that were found protected by old products

protected_entities_more

Integer

yes

More protected entities will appear in next event if set to 1

csv_id

Array

no

The ID of the CSV file with the list of protected endpoints

count

Integer

yes

Number of occurrences since the last reporting

show_company_name

Boolean

no

Show company name

{
	"name": "Upgrade status",
	"created": "2015-06-22T11:11:39+03:00",
	"company_name": "Bitdefender",
	"user_name": "root@bitdefender.com",
	"count": 1,
	"protected_entities": [{
		"name": "stomoiaga-win",
		"company": {
			"id": "5be196701da1978e108b4567",
			"name": "Bitdefender"
		}
	}],
	"protected_entities_more": 0,
	"show_company_name": false,
	"csv_id": {
		"$id": "5587c33bb1a43d673d8b456c"
	}
}

Troubleshooting activity

The event is generated when a troubleshooting task ends, and it informs you of its status. If successful, it provides you with the logs.

Name

Type

Mandatory

Description

module

String

yes

Event type identifier. Value: troubleshooting-activity

created

Timestamp

yes

Timestamp of the event

company_name

String

yes

The company name of the device from which the event was triggered

user_name

String

yes

The user name used when the event was triggered

product_installed

String

yes

Identifier for the installed GravityZone component

oldData

Object

no

The data of the previous event

user

Object

no

The user involved with the event source

VM_NAME

String

no

The name of the virtual machine

VM_ID

String

no

The identifier of the virtual machine

UUID_INSTANCE

String

no

Virtual machine unique identifier

UUID_BIOS

String

no

Only for VMware: bios UUID

computer_name

String

yes

The name of the computer

computer_fqdn

String

yes

The FQDN of the endpoint

computer_ip

String

yes

The IP address

computer_id

String

yes

Unique endpoint identifier in the GravityZone database

taskId

String

yes

The ID of the current Troubleshooting task.

taskType

String

yes

The type of the task

errorCode

Integer

yes

Integer representing the error code if the task has failed

username

String

no

Name of the user account who started the Troubleshooting task

localPath

String

no

The path on the target machine where the Troubleshooting archive is placed

networkSharePath

String

no

The path on network share where the Troubleshooting archive is placed

saveToBitdefenderCloud

Boolean

no

The option to also upload to Bitdefender Cloud the Troubleshooting archive

status

Integer

yes

The status with which the task has finished

stopReason

Integer

no

The reason for which the Troubleshooting activity was stopped

failedStorageType

Integer

no

In case some delivery methods succeeded and some not, which one has failed

startDate

Timestamp

no

Timestamp of when the event has started

endDate

Timestamp

no

Time of the event as reported by the product, already formatted in a string representation

{
	"product_installed": "BEST",
	"computer_name": "TEST_ENDPOINT_WINDOWS_10",
	"computer_fqdn": "test-endpoint.dsd.ro",
	"computer_ip": "10.10.0.101",
	"computer_id": "5ee30e2b29a4e218489442b6",
	"taskId": "5ee30e78f23f7312e6087824",
	"taskType": "Gather Logs",
	"errorCode": 0,
	"username": "vagrant",
	"localPath": "localPath",
	"networkSharePath": "networkSharePath",
	"saveToBitdefenderCloud": 0,
	"status": 3,
	"startDate": "2020-06-12T05:11:19.000Z",
	"endDate": "2020-06-12T06:43:00.801Z"
}

Update Available

This notification informs you about the availability of new updates for GravityZone components.

Name

Type

Mandatory

Description

name

String

yes

Event type identifier. Value: Update Available

created

Timestamp

yes

Timestamp of the event

company_name

String

yes

The company name of the device from which the event was triggered

user_name

String

yes

The user name used when the event was triggered

available_version

String

yes

Available Version for GravityZone components

current_version

String

yes

Current Version for GravityZone compone

release_date

Timestamp

yes

The time when the update was released

update_type

Integer

no

CONSOLE UPDATE / PACKAGE UPDATE / PRODUCT UPDATE

product_type

Integer

no

Product type for which is the new update(BEST, Security Server)

{
	"name": "Update Available",
	"created": "9 Jun 2022, 10:33:31 +03:00",
	"company_name": "root",
	"user_name": "test",
	"available_version": "6.28.1-4",
	"release_date": "9 Jun 2022, 10:33:31 +03:00",
	"update_type": 0,
	"current_version": "6.27.1-5"
}

Device Control

Every time the Device Control module detects a device inserted into a client system, an event is generated.

Name

Type

Mandatory

Description

module

String

yes

Event type identifier. Value: device-control

product_installed

String

yes

Identifier for the installed GravityZone component

oldData

Object

no

The data of the previous event

user

Object

no

The user involved with the event source

VM_NAME

String

no

The name of the virtual machine

VM_ID

String

no

The identifier of the virtual machine

UUID_INSTANCE

String

no

Virtual machine unique identifier

UUID_BIOS

String

no

Only for VMware: bios UUID

computer_name

String

yes

The name of the computer

computer_fqdn

String

yes

The FQDN of the endpoint

computer_ip

String

yes

The IP address

computer_id

String

yes

Unique endpoint identifier in the GravityZone database

username

String

no

The user that was logged in when the incident was found

silentAgentVersion

String

no

The version of the agent

action

String

yes

Action taken on the device: allowed, blocked, readonly. Present only when the state of the device is added.

deviceName

String

no

A descriptive name for the device

deviceClass

Integer

yes

The class of the device

deviceId

String

no

The identifier of the device

productId

Integer

no

Product ID of the device

vendorId

Integer

no

ID of the vendor

date

Timestamp

yes

The date when the device was blocked

{	"module": "device-control",
	"product_installed": "BEST",
	"VM_NAME": "btoma-win-2k12-onPrem-2",
	"VM_ID": "vm-4309",
	"UUID_INSTANCE": "5016768a-2a1b-979f-f05b-21e4b67c371c",
	"UUID_BIOS": "42161832-3f3a-f1c9-1fa4-0c27a0c6be6d",
	"computer_name": "btoma-win-2k12-onPrem-2",
	"computer_fqdn": "win-9nvehq2j63g",
	"computer_ip": "10.18.154.75",
	"computer_id": "625c0f55a154a3606228a812",
	"username": "",	"action": "blocked",
	"deviceName": "NECVMWar VMware IDE CDR10 ATA Device",
	"deviceClass": 2,
	"deviceId": "IDE\\CDROMNECVMWAR_VMWARE_IDE_CDR10_______________1.00____\\5&290FD3AB&0&1.0.0",
	"productId": 0,
	"vendorId": 0,
	"date": "2022-04-17T13:06:23.000Z"
}

Ransomware activity detection

This event occurs when the endpoint agent blocks ransomware attack.

Name

Type

Mandatory

Description

module

String

yes

Event type identifier. Value: ransomware-mitigation

product_installed

String

yes

Identifier for the installed GravityZone component

oldData

Object

no

The data of the previous event

user

Object

no

The user involved with the event source

VM_NAME

String

no

The name of the virtual machine

VM_ID

String

no

The identifier of the virtual machine

UUID_INSTANCE

String

no

Virtual machine unique identifier

UUID_BIOS

String

no

Only for VMware: bios UUID

computer_name

String

yes

The name of the computer

computer_fqdn

String

yes

The FQDN of the endpoint

computer_ip

String

yes

The IP address

computer_id

String

yes

Unique endpoint identifier in the GravityZone database

endpoint_id

String

yes

Managed endpoint identifier in the GravityZone database

attack_type

String

yes

Ransomware attack type

item_count

String

yes

The number of files encrypted during the attack

detected_on

Integer

yes

The date and time when the attack was detected

attack_source

String

yes

The remote IP in case of a remote attack respectively the process path in case of a local attack

{
	"module": "ransomware-mitigation",
	"product_installed": "BEST",
	"user": {
		"name": "bdvm",
		"sid": "S-1-5-21-2018264366-2484004464-1617746128-1001"
	},
	"VM_NAME": "Pi-machine",
	"VM_ID": "Pi-3141",
	"UUID_INSTANCE": "50164ed1-28af-41af-cdaf-8e550506c37b",
	"UUID_BIOS": "4216d501-36c5-22ed-de02-0e4da0badb7a",
	"computer_name": "Pi-machine",
	"computer_fqdn": "Pi14159-automation-win64",
	"computer_ip": "31.14.159.265",
	"computer_id": "6257cf1130015b2201bf4a00",
	"attack_type": "local",
	"item_count": "12",
	"detected_on": 1650191436,
	"attack_source": "C:\\Users\\bdvm\\Desktop\\samples\\samples\\ransomeware_remediation\\RanSim\\RanSim\\TestDirectory\\Scenarios\\Collaborator\\1934050139_Collaborator.txr"
}

New Incident

This event is generated every time a new Root Cause Analysis (RCA) is displayed under the Incidents section of Control Center. The event contains a list of relevant items extracted from the RCA JSON, which you can use to enrich SIEM driven correlations with EDR specific data.

Name

Type

Mandatory

Description

module

String

yes

Event type identifier. Value: new-incident

computer_name

String

yes

The name of the computer

computer_fqdn

String

yes

The FQDN of the endpoint

computer_ip

String

yes

The IP address

computer_id

String

yes

Unique endpoint identifier in the GravityZone database

incident_id

String

yes

The identifier of the incident

severity_score

Integer

yes

Integer ranging between 0 and 100 that defines the severity of the incident

attack_entry

Integer

yes

The UID of the node on which the attack originated

main_action

String

yes

The action taken by the product about the incident

detection_name

String

no

The name of the detection

file_name

String

no

Malware file name

file_path

String

no

Malware file path

file_hash_md5

String

no

Malware file MD5 hash

file_hash_sha256

String

no

Malware file sha256 hash

url

String

no

The domain URL

protocol

String

no

The protocol of the application

process_pid

Integer

no

The pid of the process

process_path

String

no

The path of the process

parent_process_pid

Integer

no

The PID of the parent process

parent_process_path

String

no

The path of the parent process

attack_types

Array

no

Types of the attack implicated in the incident

att_ck_id

Array

no

The identifiers of the Mitre attacks implicated in the incident

process_command_line

String

no

The command line of the process

severity

String

yes

The severity of the produced event

created

Timestamp

yes

Timestamp of the event

company_name

String

yes

The company name of the device from which the event was triggered

user_name

String

yes

The user name used when the event was triggered

username

String

no

The user that was logged in when the incident was found

user_sid

String

no

The SID of the user involved with the event source

{
	"name": "New Incident",
	"created": "2022-05-12T09:34:03.690Z",
	"company_name": "root",
	"user_name": "root",
	"module": "new-incident",
	"computer_id": "6256a431cb46d1222c00c5a6",
	"computer_fqdn": "Pi14159-automation-win64",
	"computer_name": "Pi14159-automation-win64",
	"detection_name": "Gen:Trojan.Heur.LShot.1",
	"attack_types": ["Malware"],
	"computer_ip": "31.14.159.265",
	"severity_score": 65,
	"incident_id": "627cd48c12eb1f08b5d42dbe",
	"attack_entry": 1926087460,
	"process_path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell_ise.exe",
	"file_path": "c:\\users\\bdvm\\desktop\\script.ps1",
	"file_name": "script.ps1",
	"att_ck_id": [],
	"severity": "medium",
	"main_action": "no action"
}

Security Container Status Update

This notification informs you when the product update status changes for a Security Container installed in your network.

Name

Type

Mandatory

Description

created

Timestamp

yes

Timestamp of the event

securityContainers

String

yes

A list of outdated security containers

name

String

yes

Name of the event

{
	"name": "Security Container Status Update",
	"created": "2022-04-18T11:12:14+03:00",
	"company_name": "root",
	"user_name": "root",
	"module": "security-container-update-status",
	"securityContainers": [{
		"securityContainerName": "security-container-x",
		"hostName": "TEST_ENDPOINT"
	}]
}