Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • External Systems Configuration Guide

    Home FortiSIEM 7.2.4 External Systems Configuration Guide
    7.2.4
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.7.9
    6.7.8
    6.7.7
    6.7.6
    6.7.5
    6.7.4
    6.7.3
    6.7.2
    6.7.1
    6.7.0
    6.6.5
    6.6.4
    6.6.3
    6.6.2
    6.6.1
    6.6.0
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    6.1.0
    5.4.0
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.0.0

    Bitdefender GravityZone

    Bitdefender GravityZone

    Vendor: Bitdefender

    Product Information: https://www.bitdefender.com/

    Support Added: FortiSIEM 7.0.0

    What is Discovered and Monitored

    The following protocols are used to discover and monitor various aspects of Bitdefender GravityZone.

    Protocol

    Metrics Collected

    Used For
    HTTP POST

    Logs

    		 Security Monitoring

    Event Types

    In ADMIN > Device Support > Event Types, search for "Bitdefender-GravityZone-" to see the event types associated with this device.

    Rules

    There are no specific rules for Bitdefender GravityZone, however events are categorized and normalized for use by generic FortiSIEM detection rules.

    Configuration

    Bitdefender GravityZone Configuration

    Create a GravityZone API Key by taking the following steps.

    1. Sign in to GravityZone Control Center at https://gravityzone.bitdefender.com.

    2. Click your username in the upper-right corner of the console and choose My Account.

    3. Go to the Control Center API section to get the Access URL field.

      The base URL for all API is:  Access_url/v1.0/jsonrpc/

      The base URL will be used in the feature.

    4. Go to the API keys section and click the Add button at the upper side of the table.

    5. Select the Integrations APIs.

    6. Click Save. An API key will be generated for the selected APIs.

    FortiSIEM Configuration

    Enable FortiSIEM HTTP Post Feature

    Take the following steps to enable the FortiSIEM HTTP Post feature.

    1. Login to FortiSIEM Collector/Supervisor via SSH.

      Note: The following IP addresses must be whitelisted to ensure end-to-end communication between the GravityZone Event Push Service and FortiSIEM Collector/Supervisor:

      • 34.159.83.241

      • 34.159.47.15

      • 34.159.150.228

      • 34.85.152.87

      • 34.85.155.173

    2. Run the following command to create a HTTP account.

      htpasswd -bs /etc/httpd/accounts/passwds <http user name> <http password>

    3. Save the <http user name> <http password> information, as it will be used later on in the configuration.

    Enable GravityZone to Forward Events to FortiSIEM

    Take the following steps to enable Bitdefender GravityZone to forward events to FortiSIEM

    1. Login to FortiSIEM Collector/Supervisor via SSH.

    2. Run script enableBitDefenderForwardEventsToFortiSIEM.py to enable GravityZone forward events to FortiSIEM.

      Usage:

      enableBitDefenderForwardEventsToFortiSIEM.py [API base url] [API key] [FSIEM Collector/Supervisor IP] [FSIEM HTTP user] [FSIEM HTTP password]

      Example:

      /opt/phoenix/bin/enableBitDefenderForwardEventsToFortiSIEM.py https://cloud.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push/ 71ba6cb43f87389b11fb5e64b7811e4fb3f8cd111454a9cb23ae483c75cea3d3 10.10.10.10 test test*1

      GravityZone will start sending events to FortiSIEM after the Event Push Service settings are reloaded. This happens every 10 minutes.

    Sending a Test Event via GravityZone

    To force Bitdefender GravityZone to send a test event, take the following steps.

    1. Encode API key

      echo -n '<API key>:'| base64 -w 0

    2. Post command to make Gravity to send test event.

      curl -k -X POST \ 
          https://cloud.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push/ \ 
         -H 'authorization: Basic <API Key base64 string>' \ 
         -H 'cache-control: no-cache' \ 
         -H 'content-type: application/json' \ 
        -d '{"params": {"eventType": "av"}, "jsonrpc": "2.0", "method": "sendTestPushEvent", "id": "3"}'

    3. Find the REST API GravityZone used to send test event to FortiSIEM. And the HTTP status code is 200.

      tail -1000f /etc/httpd/logs/ssl_access_log |grep GravityZone

    4. Events can be queried from the Analytics page.

    Example Walkthrough:

    1. echo -n '71ba6cb43f87389b95cb5e64b7811e4fb3f8cd111454a9cb23ae483c75cea3d3:'| base64 -w 0

      API Key:

      NzAAYTZjYjQzZjg3Mzg5Yjk1Y2I1ZTY0Yjc4MTFlNGZiM2Y4Y2QxMTE0NTRhOWNiMjNhZTQ4M2M3NWNlYTNkMzo=

    2. curl -k -X POST https://cloud.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push/ -H 'authorization: Basic NzAAYTZjYjQzZjg3Mzg5Yjk1Y2I1ZTY0Yjc4MTFlNGZiM2Y4Y2QxMTE0NTRhOWNiMjNhZTQ4M2M3NWNlYTNkMzo=' -H 'cache-control: no-cache' -H 'content-type: application/json' -d '{"params": {"eventType": "av"}, "jsonrpc": "2.0", "method": "sendTestPushEvent", "id": "3"}'

    3. tail -1000f /etc/httpd/logs/ssl_access_log |grep GravityZone 34.85.155.173 - test [19/Aug/2022:10:37:35 -0500] "POST /rawupload?vendor=Bitdefender&model=GravityZone&reptIp=104.17.52.22&reptName=cloud.gravityzone.bitdefender.com&separator=%0A HTTP/1.1" 200 -

    4. Log onto FortiSIEM GUI, navigate to Analytics page and query for event.

    Previous
    Next

    Bitdefender GravityZone

    Bitdefender GravityZone

    Vendor: Bitdefender

    Product Information: https://www.bitdefender.com/

    Support Added: FortiSIEM 7.0.0

    What is Discovered and Monitored

    The following protocols are used to discover and monitor various aspects of Bitdefender GravityZone.

    Protocol

    Metrics Collected

    Used For
    HTTP POST

    Logs

    		 Security Monitoring

    Event Types

    In ADMIN > Device Support > Event Types, search for "Bitdefender-GravityZone-" to see the event types associated with this device.

    Rules

    There are no specific rules for Bitdefender GravityZone, however events are categorized and normalized for use by generic FortiSIEM detection rules.

    Configuration

    Bitdefender GravityZone Configuration

    Create a GravityZone API Key by taking the following steps.

    1. Sign in to GravityZone Control Center at https://gravityzone.bitdefender.com.

    2. Click your username in the upper-right corner of the console and choose My Account.

    3. Go to the Control Center API section to get the Access URL field.

      The base URL for all API is:  Access_url/v1.0/jsonrpc/

      The base URL will be used in the feature.

    4. Go to the API keys section and click the Add button at the upper side of the table.

    5. Select the Integrations APIs.

    6. Click Save. An API key will be generated for the selected APIs.

    FortiSIEM Configuration

    Enable FortiSIEM HTTP Post Feature

    Take the following steps to enable the FortiSIEM HTTP Post feature.

    1. Login to FortiSIEM Collector/Supervisor via SSH.

      Note: The following IP addresses must be whitelisted to ensure end-to-end communication between the GravityZone Event Push Service and FortiSIEM Collector/Supervisor:

      • 34.159.83.241

      • 34.159.47.15

      • 34.159.150.228

      • 34.85.152.87

      • 34.85.155.173

    2. Run the following command to create a HTTP account.

      htpasswd -bs /etc/httpd/accounts/passwds <http user name> <http password>

    3. Save the <http user name> <http password> information, as it will be used later on in the configuration.

    Enable GravityZone to Forward Events to FortiSIEM

    Take the following steps to enable Bitdefender GravityZone to forward events to FortiSIEM

    1. Login to FortiSIEM Collector/Supervisor via SSH.

    2. Run script enableBitDefenderForwardEventsToFortiSIEM.py to enable GravityZone forward events to FortiSIEM.

      Usage:

      enableBitDefenderForwardEventsToFortiSIEM.py [API base url] [API key] [FSIEM Collector/Supervisor IP] [FSIEM HTTP user] [FSIEM HTTP password]

      Example:

      /opt/phoenix/bin/enableBitDefenderForwardEventsToFortiSIEM.py https://cloud.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push/ 71ba6cb43f87389b11fb5e64b7811e4fb3f8cd111454a9cb23ae483c75cea3d3 10.10.10.10 test test*1

      GravityZone will start sending events to FortiSIEM after the Event Push Service settings are reloaded. This happens every 10 minutes.

    Sending a Test Event via GravityZone

    To force Bitdefender GravityZone to send a test event, take the following steps.

    1. Encode API key

      echo -n '<API key>:'| base64 -w 0

    2. Post command to make Gravity to send test event.

      curl -k -X POST \ 
          https://cloud.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push/ \ 
         -H 'authorization: Basic <API Key base64 string>' \ 
         -H 'cache-control: no-cache' \ 
         -H 'content-type: application/json' \ 
        -d '{"params": {"eventType": "av"}, "jsonrpc": "2.0", "method": "sendTestPushEvent", "id": "3"}'

    3. Find the REST API GravityZone used to send test event to FortiSIEM. And the HTTP status code is 200.

      tail -1000f /etc/httpd/logs/ssl_access_log |grep GravityZone

    4. Events can be queried from the Analytics page.

    Example Walkthrough:

    1. echo -n '71ba6cb43f87389b95cb5e64b7811e4fb3f8cd111454a9cb23ae483c75cea3d3:'| base64 -w 0

      API Key:

      NzAAYTZjYjQzZjg3Mzg5Yjk1Y2I1ZTY0Yjc4MTFlNGZiM2Y4Y2QxMTE0NTRhOWNiMjNhZTQ4M2M3NWNlYTNkMzo=

    2. curl -k -X POST https://cloud.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push/ -H 'authorization: Basic NzAAYTZjYjQzZjg3Mzg5Yjk1Y2I1ZTY0Yjc4MTFlNGZiM2Y4Y2QxMTE0NTRhOWNiMjNhZTQ4M2M3NWNlYTNkMzo=' -H 'cache-control: no-cache' -H 'content-type: application/json' -d '{"params": {"eventType": "av"}, "jsonrpc": "2.0", "method": "sendTestPushEvent", "id": "3"}'

    3. tail -1000f /etc/httpd/logs/ssl_access_log |grep GravityZone 34.85.155.173 - test [19/Aug/2022:10:37:35 -0500] "POST /rawupload?vendor=Bitdefender&model=GravityZone&reptIp=104.17.52.22&reptName=cloud.gravityzone.bitdefender.com&separator=%0A HTTP/1.1" 200 -

    4. Log onto FortiSIEM GUI, navigate to Analytics page and query for event.

    Previous
    Next