
Splunk

To set up the link between Splunk and GravityZone follow the steps below.

1. Verify Prerequisites

The following software needs to be installed:

2. Install the Bitdefender Gravityzone for Splunk App

The Bitdefender Gravityzone for Splunk App provides a Dashboard where you can view all the information received from GravityZone, organized into multiple sections and widgets. Using the app you can also search for information or generate reports.

To install the app, follow these steps:

  1. Download the Bitdefender Gravityzone for Splunk App installation package from here.

  2. Log in to Splunk Enterprise.

  3. From the home page, click the Manage Apps button on the upper left side of the screen.
  4. Click the Install app from file button on the right side of the screen.

  5. Click Browse....

  6. Select the package downloaded from step 1.

  7. Click Upload.

3. Install the Bitdefender Gravityzone Add-on for Splunk

The Bitdefender Gravityzone Add-on for Splunk supports the Bitdefender Gravityzone App for Splunk by providing source mapping, field extractions and transformations. It acts as a parser, normalizing the data gathered from the various Bitdefender sources into the Splunk Common Information Model (CIM) format so that the app's searches and dashboards can use it.

To install the add-on, follow these steps:

  1. Download the Bitdefender Gravityzone Add-on for Splunk installation package from here.

  2. Log in to Splunk Enterprise.

  3. From the home page, click the Manage Apps button on the upper left side of the screen.
  4. Click the Install app from file button on the right side of the screen.

  5. Click Browse....

  6. Select the package downloaded from step 1.

  7. Click Upload.

4. Enable the Event Push Service API in GravityZone Control Center

  1. Log in to GravityZone Control Center.

  2. Go to My Account.

  3. Under API keys section, click Add.

  4. Select the Event Push Service API check box and click Save. The new key appears in the API Keys table.

  5. Click Save to preserve the changes made in My Account page.

5. Create a new token for the HTTP Event Collector in Splunk

  1. Log in to Splunk.

  2. Go to Settings > Data Inputs > HTTP Event Collector.

  3. Click New Token.

  4. In the Add Data screen, fill in the Name field with a name that identifies the GravityZone integration and click Next.

  5. For Source type, click Select and choose bitdefender:gz as the source type.

  6. At Index, select a default index or create a new one. The events received by HTTP Event Collector will be inserted in the selected index.

  7. Click Review.

  8. Verify the data you entered and click Submit.

    The token has been created successfully. Copy the token value and save it; you will need it later to enable the integration. Treat the token as a secret: anyone who holds it can post events into the selected index.

  9. Go to Settings > Data Inputs > HTTP Event Collector and click Global Settings.

  10. In the new window, under All Tokens section, select Enabled.

  11. Click Save.

6. Enable the Splunk integration

After you have created the Event Push Service key in GravityZone Control Center and enabled the HTTP Event Collector in Splunk, you need to enable the integration, that is, instruct GravityZone to start sending events to Splunk.

  1. Gather the information needed to configure the Event Push Service settings. The commands below are run from a terminal on Linux or macOS:

    • GravityZone API URL.

      You find it in My Account > Control Center API and it should be similar to https://cloudgz.gravityzone.bitdefender.com/api.

    • The authorization header of the API key generated in GravityZone.

      The header value is Basic followed by the base64 encoding of the API key with a colon (:) appended, that is, HTTP Basic authentication with the key as the user name and an empty password.

      Important

      To obtain the authorization header, base64-encode the API key followed by a colon (:). On Linux:

      > echo -n '604821e87e4c7de3aa15d0e6a97f5ab362281dbf0763746671da2caf4b5cccd1:' | base64 -w 0

      The base64 shipped with macOS does not accept -w 0; run the same command without that option (or pipe the output through tr -d '\n' to remove any line break).

      The result should be something like this:

      NjA0ODIxZTg3ZTRjN2RlM2FhMTVkMGU2YTk3ZjVhYjM2MjI4MWRiZjA3NjM3NDY2NzFkYTJjYWY0YjVjY2NkMTo=
    • Splunk URL.

      You find it in your Splunk Cloud platform and it should be something like this: https://prd-p-xlpxkqpw84k2.splunkcloud.com. If you use Splunk Enterprise on-premises, use the URL of your own HTTP Event Collector endpoint instead.

    • HTTP Event Collector token.

  2. Run this command, replacing the authorization header, the url value and the splunkAuthorization token with your own values. Note that -k disables certificate verification for the connection to GravityZone and "requireValidSslCertificate": false disables it for the connection from GravityZone to Splunk; use both only while testing, and set requireValidSslCertificate to true (and drop -k) once the certificates are trusted:

    > curl -k -X POST \
    https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \
    -H 'authorization: Basic NjA0ODIxZTg3ZTRjN2RlM2FhMTVkMGU2YTk3ZjVhYjM2MjI4MWRiZjA3NjM3NDY2NzFkYTJjYWY0YjVjY2NkMTo=' \
    -H 'cache-control: no-cache' \
    -H 'content-type: application/json' \
    -d '{"params": {"status": 1, "serviceType": "splunk", "serviceSettings": {"url": "https://http-inputs-[hostname].splunkcloud.com:443/services/collector", "requireValidSslCertificate": false, "splunkAuthorization": "Splunk EA900DEB-22C8-402B-A7F9-A926C1633E7A"}, "subscribeToEventTypes": {"hwid-change": true,"modules": true,"sva": true,"registration": true,"supa-update-status": true,"av": true,"aph": true,"fw": true,"avc": true,"uc": true,"dp": true,"device-control": true,"sva-load": true,"task-status": true,"exchange-malware": true,"network-sandboxing": true,"malware-outbreak": true,"adcloud": true,"exchange-user-credentials": true,"exchange-organization-info": true,"hd": true,"antiexploit": true}}, "jsonrpc": "2.0", "method":"setPushEventSettings", "id": "1"}'

    Note

    GravityZone starts sending events to Splunk after the Event Push Service settings are reloaded. This happens every 10 minutes.

    To start sending events immediately, run this command with the same authorization header as above:

    > curl -k -X POST \
    https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \
    -H 'authorization: Basic R2U5SENZcWRVN2pJRFI5MHdOMGVFMXpiQjVTbmM1SE46' \
    -H 'cache-control: no-cache' \
    -H 'content-type: application/json' \
    -d '{"params": {}, "jsonrpc": "2.0", "method": "getPushEventSettings", "id": "2"}'

The reply to the setPushEventSettings call (id "1") should be similar to:

{"id":"1","jsonrpc":"2.0","result":true}

The getPushEventSettings call returns the stored settings (status, serviceType, serviceSettings and subscribeToEventTypes) instead of true; compare them with what you sent. A reply that contains an "error" object means the settings were not applied.

Test the Splunk integration

To test the integration, run this command with your own authorization header. GravityZone sends a sample event of the given eventType (here av, an antimalware event) to Splunk, where it should appear in the index you selected for the token:

> curl -k -X POST \
https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \
-H 'authorization: Basic R2U5SENZcWRVN2pJRFI5MHdOMGVFMXpiQjVTbmM1SE46' \
-H 'cache-control: no-cache' \
-H 'content-type: application/json' \
-d '{"params": {"eventType": "av"}, "jsonrpc": "2.0", "method": "sendTestPushEvent", "id": "3"}'
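The manual procedure above (authorization header, setPushEventSettings, getPushEventSettings and sendTestPushEvent) collected into one shell script, as an added example; this is not Bitdefender's code. It builds the Basic header portably (the -w 0 option of base64 is GNU-only), assembles the request body with certificate verification turned on, checks the JSON-RPC reply for "result":true or an error object, and only then issues the read-back and test calls. The API key, HEC URL and HEC token are placeholders read from the environment, the event selection is one possible subset of the identifiers listed on this page, and nothing is sent unless GZ_APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not Bitdefender's code): the manual Event Push Service setup
# from this section as reusable shell functions. Placeholders: GZ_API_KEY,
# HEC_URL and HEC_TOKEN are read from the environment when GZ_APPLY=1.
set -eu

GZ_PUSH_API='https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push'

# Authorization header for the GravityZone API: "Basic " + base64("<api_key>:").
# printf | base64 | tr -d '\n' works with both GNU and macOS base64, unlike -w 0.
gz_auth_header() {
  printf 'Basic %s' "$(printf '%s:' "$1" | base64 | tr -d '\n')"
}

# subscribeToEventTypes object for the event identifiers given as arguments.
gz_event_types() {
  sep=''
  printf '{'
  for ev in "$@"; do
    printf '%s"%s": true' "$sep" "$ev"
    sep=', '
  done
  printf '}'
}

# setPushEventSettings body for a Splunk HEC target.
# $1 HEC URL, $2 HEC token, $3 requireValidSslCertificate (true|false), $4.. event types.
gz_set_payload() {
  url=$1; token=$2; verify=$3; shift 3
  printf '{"params": {"status": 1, "serviceType": "splunk", "serviceSettings": {"url": "%s", "requireValidSslCertificate": %s, "splunkAuthorization": "Splunk %s"}, "subscribeToEventTypes": %s}, "jsonrpc": "2.0", "method": "setPushEventSettings", "id": "1"}' \
    "$url" "$verify" "$token" "$(gz_event_types "$@")"
}

# Returns 0 when a JSON-RPC reply reports "result":true, 1 when it carries an error object.
gz_result_ok() {
  case $1 in
    *'"error"'*) return 1 ;;
    *'"result":true'* | *'"result": true'*) return 0 ;;
  esac
  return 1
}

# POST one JSON-RPC body to the push endpoint. No -k: the GravityZone certificate is verified.
gz_call() {
  curl -sS -X POST "$1" -H "authorization: $2" \
    -H 'content-type: application/json' -d "$3"
}

if [ "${GZ_APPLY:-0}" = 1 ]; then
  auth=$(gz_auth_header "$GZ_API_KEY")
  # requireValidSslCertificate=true: GravityZone must verify the collector's certificate.
  body=$(gz_set_payload "$HEC_URL" "$HEC_TOKEN" true \
           av fw hd antiexploit ransomware-mitigation new-incident)
  reply=$(gz_call "$GZ_PUSH_API" "$auth" "$body")
  gz_result_ok "$reply" || { echo "setPushEventSettings failed: $reply" >&2; exit 1; }
  # Read the stored settings back (the step the note above uses to start delivery
  # immediately), then fire a test antimalware event at the collector.
  gz_call "$GZ_PUSH_API" "$auth" \
    '{"params": {}, "jsonrpc": "2.0", "method": "getPushEventSettings", "id": "2"}'
  gz_call "$GZ_PUSH_API" "$auth" \
    '{"params": {"eventType": "av"}, "jsonrpc": "2.0", "method": "sendTestPushEvent", "id": "3"}'
fi
```

Run it as GZ_APPLY=1 GZ_API_KEY=... HEC_URL=https://http-inputs-<host>.splunkcloud.com:443/services/collector HEC_TOKEN=... sh gz-push.sh. The functions are separated from the network calls so that the header and body can be inspected (for example by echoing "$body") before anything reaches the API.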

Alternatively, you can enable the integration with the bdpusheventconfig.sh script provided by Bitdefender, run from a terminal on Linux or macOS.

  1. Download the script from here.

  2. Make the script executable by running the command:

    chmod +x bdpusheventconfig.sh
  3. Run the script with the command:

    ./bdpusheventconfig.sh -g [console_url] -k [api_key] -t [service_type] -u [service_url] -a [splunk_auth_token] -v -d [events]

The script includes the following options:

Option                  Description
-g [console_url]        GravityZone API URL
-k [api_key]            GravityZone API key
-t [service_type]       Service type: splunk or jsonRPC
-u [service_url]        Splunk or RPC URL
-a [splunk_auth_token]  Splunk authorization token (the HTTP Event Collector token)
-v                      Verify the service SSL certificate. Without it the certificate is not checked; use -v for anything beyond testing.
-c                      Connect to Splunk Cloud free trials. Adds 'input-' to the service host and uses port 8088 (if port is not specified).
-d                      Connect to Splunk Cloud instances. Adds 'http-inputs-' to the service host and uses port 443 (if port is not specified).
-h, --help              Help

These options are similar to the ones used when enabling the integration manually.
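As an added illustration of the -c and -d rules in the table above (this is not Bitdefender's script, and it only reproduces the host and port handling the table documents), the function below turns the console URL into the HTTP Event Collector endpoint. It assumes the endpoint path is /services/collector, the path the manual curl command in this section targets; an explicit port on the URL is kept, and with no mode the URL is used as given, which is the on-premises case.

```shell
#!/bin/sh
# Added example (not Bitdefender's script): derive the HEC endpoint the way the
# -c and -d options are described. Assumption: the endpoint path is
# /services/collector, as in the manual curl command in this section.
set -eu

# $1 = Splunk URL as shown in the Splunk Cloud console, $2 = c, d or '' (on-prem).
hec_url_for() {
  url=$1; mode=${2:-}
  scheme=${url%%://*}
  hostport=${url#*://}
  hostport=${hostport%%/*}          # drop any path on the console URL
  host=${hostport%%:*}
  port=''
  if [ "$hostport" != "$host" ]; then
    port=${hostport#*:}             # an explicit port wins over the option default
  fi
  case $mode in
    c)  host="input-$host";       port=${port:-8088} ;;  # Splunk Cloud free trial
    d)  host="http-inputs-$host"; port=${port:-443}  ;;  # Splunk Cloud instance
    '') ;;                                                # on-prem: URL as given
    *)  echo "unknown mode: $mode" >&2; return 2 ;;
  esac
  printf '%s://%s%s/services/collector' "$scheme" "$host" "${port:+:$port}"
}

# Constructed sample: the Splunk Cloud URL quoted earlier in this section.
hec_url_for https://prd-p-xlpxkqpw84k2.splunkcloud.com d
echo
```

The printed endpoint is the value you would pass as the url in the manual setPushEventSettings call, or check against what getPushEventSettings returns after running the script.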

The [events] list is one or more space-separated event type identifiers for the events GravityZone is to send to Splunk. The identifiers are described in the table below:

Event type identifier                 Description
modules                               Product Modules event
sva                                   Security Server Status event
registration                          Product Registration event
supa-update-status                    Outdated Update Server event (where the Update Server is a Relay)
av                                    Antimalware event
aph                                   Antiphishing event
fw                                    Firewall event
avc                                   ATC/IDS event
uc                                    User Control event
dp                                    Data Protection event
hd                                    HyperDetect event
sva-load                              Overloaded Security Server event
task-status                           Task Status event
exchange-malware                      Exchange Malware Detection event
network-sandboxing                    Sandbox Analyzer Detection event
adcloud                               Active Directory Integration Issue event
exchange-user-credentials             Exchange User Credentials event
antiexploit                           Antiexploit event
network-monitor                       Network Attack Defense event
endpoint-moved-in                     Endpoint moved in (used when moving endpoints from one company to another)
endpoint-moved-out                    Endpoint moved out (used when moving endpoints from one company to another)
hwid-change                           Hardware ID change
install                               Agent installed
new-incident                          New incident
ransomware-mitigation                 Ransomware activity detection
security-container-update-available   Security Container update available
troubleshooting-activity              Troubleshooting activity
uninstall                             Agent uninstalled

To subscribe to all events, use the value all or specify each one of them. If the events list is empty (no event types specified) then the integration is disabled.

Examples

Enable the Splunk integration

./bdpusheventconfig.sh -g https://gz.example.com/api/v1.0/jsonrpc/push \
  -k abcdefghijklmnopqrstuvwxyz123456 -t splunk \
  -u https://splunk.example.com -a 11111111-2222-3333-4444-555555555555 -d \
  modules sva registration supa-update-status av aph fw avc uc dp sva-load \
  task-status exchange-malware network-sandboxing adcloud exchange-user-credentials

./bdpusheventconfig.sh -g https://gz.example.com/api/v1.0/jsonrpc/push \
  -k abcdefghijklmnopqrstuvwxyz123456 -t splunk \
  -u https://splunk.example.com -a 11111111-2222-3333-4444-555555555555 -c all

Configure a JSON-RPC service

./bdpusheventconfig.sh -g https://gz.example.com/api/v1.0/jsonrpc/push \
  -k abcdefghijklmnopqrstuvwxyz123456 -t jsonRPC \
  -u https://rpc.example.com \
  modules sva registration supa-update-status av aph fw avc uc dp sva-load \
  task-status exchange-malware network-sandboxing adcloud exchange-user-credentials

Disable the Splunk integration (no event types given, so the integration is turned off)

./bdpusheventconfig.sh -g https://gz.example.com/api/v1.0/jsonrpc/push \
  -k abcdefghijklmnopqrstuvwxyz123456 -t splunk \
  -u https://splunk.example.com -a 11111111-2222-3333-4444-555555555555 -c

For details about Push Events Service, refer to the Push section.

For details about creating reports based on data from GravityZone in Splunk, refer to Create reports in Splunk based on GravityZone data.