
Raw Events

Raw Events lets you choose which endpoint events GravityZone processes. The settings on this page apply at company level.


This feature becomes available in the Configuration tab if you have the following:

  • GravityZone Business Security Enterprise or Bitdefender EDR license

  • One of the storage add-on licenses: GravityZone EDR 90 days Data Retention Add-on, GravityZone EDR 180 days Data Retention Add-on, or GravityZone EDR 365 days Data Retention Add-on

  • EDR or XDR module enabled

Note

The prerequisites listed above cover feature availability and the core endpoint-related events. Certain event types in the Raw Events grid have further prerequisites. Consult the Requirements column in GravityZone Control Center or, for more detail, the per-event requirements later in this article.

Events are collected from available endpoints. Support is available for Windows, Linux, and macOS. To see which events are available for each type of operating system, you can check the OS type column. To see a full list of supported events, refer to Raw Events - Event types supported.

You can send these events to only one destination at a time: a SIEM, the Search feature, or Bitdefender MDR.

To enable or disable events, follow these steps:

  1. Select the event types from the grid.

  2. Click Change status.

  3. Select either Enable or Disable.

  4. Click Accept.

Note

The changes you make on this page do not affect endpoints that have the following policy option enabled: Policies > General > Security Telemetry.

For details on which events are sent to Control Center and which are ignored, and on which events are aggregated and how, refer to Raw Events processing rules.

Added (Category: Service)

Make sure the following requirements are met:

  • Licenses:

    • a product license that includes EDR or XDR

    • a GravityZone EDR Data Retention Add-on

      Note

      You have the following three options available for data retention add-ons: GravityZone EDR 90 days Data Retention Add-on, GravityZone EDR 180 days Data Retention Add-on, or GravityZone EDR 365 days Data Retention Add-on.

  • Local security policy: Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > System > Audit Security System Extension. For more information on how to enable this policy, refer to the section below.

Configure local security policy

Follow these steps to configure the local security policy:

  1. Go to Start > Local Security Policy.

  2. Navigate the tree to Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > System.

  3. Open the Audit Security System Extension policy.

  4. Select Configure the following audit events and check Success. Service installations are recorded as success audits, so Failure auditing is not required for this event type.

  5. Apply the changes.

  6. Open an elevated Command Prompt and run the following command: gpupdate /force.

    The policy changes you have made take effect immediately.

Note

If a domain Group Policy also configures Advanced Audit Policy, it overrides these local settings at the next policy refresh. In that case, configure the same subcategory in the domain GPO instead.

Create (Category: Scheduled task)

Make sure the following requirements are met:

  • Licenses:

    • a product license that includes EDR or XDR

    • a GravityZone EDR Data Retention Add-on

      Note

      You have the following three options available for data retention add-ons: GravityZone EDR 90 days Data Retention Add-on, GravityZone EDR 180 days Data Retention Add-on, or GravityZone EDR 365 days Data Retention Add-on.

  • Local security policy: Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Object Access > Audit Other Object Access Events. For more information on how to enable this policy, refer to the section below.

Configure local security policy

Follow these steps to configure the local security policy:

  1. Go to Start > Local Security Policy.

  2. Navigate the tree to Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Object Access.

  3. Open the Audit Other Object Access Events policy.

  4. Select Configure the following audit events and check Success. Scheduled task creation, deletion and modification are recorded as success audits.

  5. Apply the changes.

  6. Open an elevated Command Prompt and run the following command: gpupdate /force.

    The policy changes you have made take effect immediately.

Delete (Category: Scheduled task)

Make sure the following requirements are met:

  • Licenses:

    • a product license that includes EDR or XDR

    • a GravityZone EDR Data Retention Add-on

      Note

      You have the following three options available for data retention add-ons: GravityZone EDR 90 days Data Retention Add-on, GravityZone EDR 180 days Data Retention Add-on, or GravityZone EDR 365 days Data Retention Add-on.

  • Local security policy: Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Object Access > Audit Other Object Access Events. For more information on how to enable this policy, refer to the section below.

Configure local security policy

Follow these steps to configure the local security policy:

  1. Go to Start > Local Security Policy.

  2. Navigate the tree to Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Object Access.

  3. Open the Audit Other Object Access Events policy.

  4. Select Configure the following audit events and check Success. Scheduled task creation, deletion and modification are recorded as success audits.

  5. Apply the changes.

  6. Open an elevated Command Prompt and run the following command: gpupdate /force.

    The policy changes you have made take effect immediately.

Logon failed (Category: User)

Make sure the following requirements are met:

  • Licenses:

    • a product license that includes EDR or XDR

    • a GravityZone EDR Data Retention Add-on

      Note

      You have the following three options available for data retention add-ons: GravityZone EDR 90 days Data Retention Add-on, GravityZone EDR 180 days Data Retention Add-on, or GravityZone EDR 365 days Data Retention Add-on.

  • Local security policy: Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Logon/Logoff > Audit Logon. For more information on how to enable this policy, refer to the section below.

Configure local security policy

Follow these steps to configure the local security policy:

  1. Go to Start > Local Security Policy.

  2. Navigate the tree to Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Logon/Logoff.

  3. Open the Audit Logon policy.

  4. Select Configure the following audit events and check Failure. Failed logons are recorded as failure audits; check Success as well only if you also want successful logons audited.

  5. Apply the changes.

  6. Open an elevated Command Prompt and run the following command: gpupdate /force.

    The policy changes you have made take effect immediately.

Modify (Category: Scheduled task)

Make sure the following requirements are met:

  • Licenses:

    • a product license that includes EDR or XDR

    • a GravityZone EDR Data Retention Add-on

      Note

      You have the following three options available for data retention add-ons: GravityZone EDR 90 days Data Retention Add-on, GravityZone EDR 180 days Data Retention Add-on, or GravityZone EDR 365 days Data Retention Add-on.

  • Local security policy: Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Object Access > Audit Other Object Access Events. For more information on how to enable this policy, refer to the section below.

Configure local security policy

Follow these steps to configure the local security policy:

  1. Go to Start > Local Security Policy.

  2. Navigate the tree to Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Object Access.

  3. Open the Audit Other Object Access Events policy.

  4. Select Configure the following audit events and check Success. Scheduled task creation, deletion and modification are recorded as success audits.

  5. Apply the changes.

  6. Open an elevated Command Prompt and run the following command: gpupdate /force.

    The policy changes you have made take effect immediately.

O365 Mail (Category: Office 365)

Make sure the following requirements are met:

  • The Office 365 sensor integration must be active in Configuration > Sensors Management.

  • Licenses:

    • a product license that includes EDR or XDR

    • the Bitdefender XDR Sensor - Productivity license

    • a GravityZone EDR Data Retention Add-on.

      Note

      You have the following three options available for data retention add-ons: GravityZone EDR 90 days Data Retention Add-on, GravityZone EDR 180 days Data Retention Add-on, or GravityZone EDR 365 days Data Retention Add-on.

Settings changed (Category: User)

Make sure the following requirements are met:

  • Licenses:

    • a product license that includes EDR or XDR

    • a GravityZone EDR Data Retention Add-on

      Note

      You have the following three options available for data retention add-ons: GravityZone EDR 90 days Data Retention Add-on, GravityZone EDR 180 days Data Retention Add-on, or GravityZone EDR 365 days Data Retention Add-on.

  • Local security policy: Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Account Management > Audit User Account Management. For more information on how to enable this policy, refer to the section below.

Configure local security policy

Follow these steps to configure the local security policy:

  1. Go to Start > Local Security Policy.

  2. Navigate the tree to Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Account Management.

  3. Open the Audit User Account Management policy.

  4. Select Configure the following audit events and check Success. User account changes are recorded as success audits.

  5. Apply the changes.

  6. Open an elevated Command Prompt and run the following command: gpupdate /force.

    The policy changes you have made take effect immediately.
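The five Configure local security policy procedures above (Added (Service), the three Scheduled task events, Logon failed, and Settings changed) each turn on one advanced audit subcategory through the Local Security Policy console. The PowerShell script below is an added example and is not Bitdefender's code or part of the original page: it makes the same changes with auditpol.exe, which can be run across many endpoints, verifies the resulting policy, and checks that the corresponding Windows Security events are being written. The mapping from each Raw Events type to Security event IDs (4697; 4698, 4699 and 4702; 4625; 4738) and the probe task name are this example's assumptions. Two caveats apply: a domain Group Policy that configures the same subcategory overrides the auditpol change at the next policy refresh, and subcategory settings only take precedence over legacy category settings when the "Audit: Force audit policy subcategory settings to override audit policy category settings" security option is enabled.

```powershell
#Requires -RunAsAdministrator
# Added example (not Bitdefender's code): enable the advanced audit subcategories that the
# Raw Events types above require with auditpol.exe instead of the Local Security Policy
# console, verify the result, and look for the matching Security log events.
# Subcategories are addressed by GUID so the script works on any Windows display language.

# Assumption of this example: the Security event IDs below carry each Raw Events type.
# The page itself only names the audit subcategories.
$Required = @(
    @{ RawEvent = 'Added (Service)';                       Subcategory = 'Security System Extension'
       Guid = '{0CCE9211-69AE-11D9-BED3-505054503030}';    Success = $true;  Failure = $false; EventIds = 4697 }
    @{ RawEvent = 'Create/Delete/Modify (Scheduled task)'; Subcategory = 'Other Object Access Events'
       Guid = '{0CCE9227-69AE-11D9-BED3-505054503030}';    Success = $true;  Failure = $false; EventIds = 4698, 4699, 4702 }
    @{ RawEvent = 'Logon failed (User)';                   Subcategory = 'Logon'
       Guid = '{0CCE9215-69AE-11D9-BED3-505054503030}';    Success = $false; Failure = $true;  EventIds = 4625 }
    @{ RawEvent = 'Settings changed (User)';               Subcategory = 'User Account Management'
       Guid = '{0CCE9235-69AE-11D9-BED3-505054503030}';    Success = $true;  Failure = $false; EventIds = 4738 }
)

function Set-RequiredAuditPolicy {
    foreach ($r in $Required) {
        # auditpol only changes the flags it is given, so auditing that is already on stays on.
        $argv = @('/set', "/subcategory:$($r.Guid)")
        if ($r.Success) { $argv += '/success:enable' }
        if ($r.Failure) { $argv += '/failure:enable' }
        & auditpol.exe @argv | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for $($r.Subcategory)" }
    }
}

function Get-RequiredAuditPolicy {
    foreach ($r in $Required) {
        # /r prints CSV whose 'Inclusion Setting' column reads e.g. "Success and Failure" or "No Auditing".
        $row = & auditpol.exe /get "/subcategory:$($r.Guid)" /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
        $setting = [string]$row.'Inclusion Setting'
        [pscustomobject]@{
            RawEvent    = $r.RawEvent
            Subcategory = $r.Subcategory
            Setting     = $setting
            Ok          = ((-not $r.Success) -or ($setting -match 'Success')) -and
                          ((-not $r.Failure) -or ($setting -match 'Failure'))
        }
    }
}

function Test-SubcategoryOverride {
    # SCENoApplyLegacyAuditPolicy = 1 is the registry form of the "Audit: Force audit policy
    # subcategory settings to override audit policy category settings" security option.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    [int]$lsa.SCENoApplyLegacyAuditPolicy -eq 1
}

function Get-RecentRequiredEvents([int]$Hours = 24) {
    foreach ($r in $Required) {
        $filter = @{ LogName = 'Security'; Id = @($r.EventIds); StartTime = (Get-Date).AddHours(-$Hours) }
        $seen = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue).Count
        [pscustomobject]@{ RawEvent = $r.RawEvent; EventIds = (@($r.EventIds) -join ','); Seen = $seen }
    }
}

function Invoke-ScheduledTaskProbe {
    # Registers and removes a task that never runs. With Other Object Access Events auditing on,
    # the Security log receives 4698 (task created) and 4699 (task deleted) naming the task.
    $name    = 'RawEventsAuditProbe'   # hypothetical probe task name
    $action  = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument '/c exit 0'
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddYears(1)
    Register-ScheduledTask -TaskName $name -Action $action -Trigger $trigger | Out-Null
    Unregister-ScheduledTask -TaskName $name -Confirm:$false
    Start-Sleep -Seconds 2
    $hits = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698, 4699; StartTime = (Get-Date).AddMinutes(-5) } `
                -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $name }
    @($hits).Count   # number of probe-related events found
}

Set-RequiredAuditPolicy
Get-RequiredAuditPolicy | Format-Table -AutoSize
if (-not (Test-SubcategoryOverride)) {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1; confirm the subcategory override security option is enabled.'
}
"Scheduled task probe events found: $(Invoke-ScheduledTaskProbe)"
Get-RecentRequiredEvents -Hours 24 | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the endpoint. A Seen count of 0 for Logon failed only means no failed logons occurred in the window, not that auditing is off, which is why Get-RequiredAuditPolicy reads the effective policy directly and the probe generates its own scheduled task events rather than waiting for real activity.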