
External Systems Configuration Guide

Bitdefender GravityZone

Vendor: Bitdefender

Product Information: https://www.bitdefender.com/

Support Added: FortiSIEM 7.0.0

What is Discovered and Monitored

The following protocols are used to discover and monitor various aspects of Bitdefender GravityZone.

Protocol      Metrics Collected      Used For
HTTP POST     Logs                   Security Monitoring

Event Types

In ADMIN > Device Support > Event Types, search for "Bitdefender-GravityZone-" to see the event types associated with this device.

Rules

There are no specific rules for Bitdefender GravityZone; however, events are categorized and normalized for use by generic FortiSIEM detection rules.

Configuration

Bitdefender GravityZone Configuration

Create a GravityZone API Key by taking the following steps.

  1. Sign in to GravityZone Control Center at https://gravityzone.bitdefender.com.

  2. Click your username in the upper-right corner of the console and choose My Account.

  3. Go to the Control Center API section to get the Access URL field.

    The base URL for all API calls is: Access_url/v1.0/jsonrpc/

    This base URL is used later in the configuration.

  4. Go to the API keys section and click the Add button at the upper side of the table.

  5. Select the Integrations APIs.

  6. Click Save. An API key will be generated for the selected APIs.

FortiSIEM Configuration

Enable FortiSIEM HTTP Post Feature

Take the following steps to enable the FortiSIEM HTTP Post feature.

  1. Log in to the FortiSIEM Collector/Supervisor via SSH.

    Note: The following IP addresses must be whitelisted to ensure end-to-end communication between the GravityZone Event Push Service and FortiSIEM Collector/Supervisor:

    • 34.159.83.241

    • 34.159.47.15

    • 34.159.150.228

    • 34.85.152.87

    • 34.85.155.173

  2. Run the following command to create an HTTP account.

    htpasswd -bs /etc/httpd/accounts/passwds <http user name> <http password>

  3. Save the <http user name> and <http password> values, as they are used later in the configuration.

Enable GravityZone to Forward Events to FortiSIEM

Take the following steps to enable Bitdefender GravityZone to forward events to FortiSIEM.

  1. Log in to the FortiSIEM Collector/Supervisor via SSH.

  2. Run the script enableBitDefenderForwardEventsToFortiSIEM.py to enable GravityZone to forward events to FortiSIEM.

    Usage:

    enableBitDefenderForwardEventsToFortiSIEM.py [API base url] [API key] [FSIEM Collector/Supervisor IP] [FSIEM HTTP user] [FSIEM HTTP password]

    Example:

    /opt/phoenix/bin/enableBitDefenderForwardEventsToFortiSIEM.py https://cloud.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push/ 71ba6cb43f87389b11fb5e64b7811e4fb3f8cd111454a9cb23ae483c75cea3d3 10.10.10.10 test test*1

    GravityZone will start sending events to FortiSIEM after the Event Push Service settings are reloaded. This happens every 10 minutes.

Sending a Test Event via GravityZone

To force Bitdefender GravityZone to send a test event, take the following steps.

  1. Encode the API key (followed by a colon) with base64.

    echo -n '<API key>:' | base64 -w 0

  2. Post the following command to make GravityZone send a test event.

    curl -k -X POST \
      https://cloud.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push/ \
      -H 'authorization: Basic <API Key base64 string>' \
      -H 'cache-control: no-cache' \
      -H 'content-type: application/json' \
      -d '{"params": {"eventType": "av"}, "jsonrpc": "2.0", "method": "sendTestPushEvent", "id": "3"}'

  3. Find the REST API request that GravityZone used to send the test event to FortiSIEM, and confirm that the HTTP status code is 200.

    tail -1000f /etc/httpd/logs/ssl_access_log | grep GravityZone

  4. Events can be queried from the Analytics page.

Example Walkthrough:

  1. echo -n '71ba6cb43f87389b95cb5e64b7811e4fb3f8cd111454a9cb23ae483c75cea3d3:' | base64 -w 0

    Base64-encoded API key:

    NzAAYTZjYjQzZjg3Mzg5Yjk1Y2I1ZTY0Yjc4MTFlNGZiM2Y4Y2QxMTE0NTRhOWNiMjNhZTQ4M2M3NWNlYTNkMzo=

  2. curl -k -X POST https://cloud.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push/ -H 'authorization: Basic NzAAYTZjYjQzZjg3Mzg5Yjk1Y2I1ZTY0Yjc4MTFlNGZiM2Y4Y2QxMTE0NTRhOWNiMjNhZTQ4M2M3NWNlYTNkMzo=' -H 'cache-control: no-cache' -H 'content-type: application/json' -d '{"params": {"eventType": "av"}, "jsonrpc": "2.0", "method": "sendTestPushEvent", "id": "3"}'

  3. tail -1000f /etc/httpd/logs/ssl_access_log | grep GravityZone

    34.85.155.173 - test [19/Aug/2022:10:37:35 -0500] "POST /rawupload?vendor=Bitdefender&model=GravityZone&reptIp=104.17.52.22&reptName=cloud.gravityzone.bitdefender.com&separator=%0A HTTP/1.1" 200 -

  4. Log onto FortiSIEM GUI, navigate to Analytics page and query for event.