FortiSIEM
Integrate GravityZone Cloud with FortiSIEM
FortiSIEM can receive, parse, and store JSON formatted events received via HTTP(S) POST. As a Bitdefender partner, you can integrate GravityZone with FortiSIEM by using GravityZone APIs and a FortiSIEM node. With this service, you are able to send data from GravityZone Control Center directly to a cloud or an on-premises environment.
Note
This configuration is set up using the default parser provided by FortiSIEM. For manually creating a different parser, refer to this KB article.
Requirements
An active license for FortiSIEM with the required modules to support third-party integrations.
Administrative privileges on the FortiSIEM console to configure data sources and set up the integration.
A host with the FortiSIEM Collector Agent installed and properly configured to receive data from GravityZone.
This agent will facilitate data collection and integration between the two systems.
A FortiSIEM instance is installed and operational within your environment.
This instance is required to configure and manage the integration with GravityZone, as well as to process and analyze incoming data.
Integration steps
Enable Event Push API in GravityZone Control Center
Log in to GravityZone Control Center.
Go to My Account.
Under API keys section, click Add.
Select the Event Push Service API check box and click Save. The new key appears in the API keys table.
Copy the key and save it somewhere safe.
Click Save to apply the changes.
Configure a node in FortiSIEM and get the information required for integration
Log in to your FortiSIEM supervisor machine.
Configure the FortiSIEM node:
Identify the FortiSIEM node receiving the events.
Tip
In a FortiSIEM environment, a node can be any component that is part of the FortiSIEM system, such as Collectors, Supervisors, or Workers. The Collector is a component responsible for gathering and processing data from various sources. For the purpose of this integration, the Collector is normally used.
Establish an SSH connection with the Collector and run the following command:
htpasswd -b /etc/httpd/accounts/passwds <user> <password>
Variable: user
Details: A username with access to your FortiSIEM console.
Variable: password
Details: The password of the above-mentioned user. If the password contains special characters, we recommend enclosing the password in single quotes.
Example
htpasswd -b /etc/httpd/accounts/passwds JSmith1 'Password123!'
This command creates the HTTP Basic authentication credentials on the node; they are checked automatically on every API request sent to that node.
Encode the username and password for later use when configuring the API push events and the service URL on the machine where you want the messages delivered:
Combine the username and password: concatenate the username and password with a colon (:) in between. For example, JSmith1:Password123!
Convert the combined string to Base64.
Example result
SlNtaXRoMTpQYXNzd29yZDEyMyE=
Build the URL required for sending messages to FortiSIEM:
https://<FSMNodeName>/rawupload?vendor=<vendor>&model=<model>&reptIp=<reptIp>&reptName=<reptHost>
Tip
This endpoint will be used by GravityZone to send data to FortiSIEM. It is a POST HTTP method in JSON format. The payload can be compressed in tar, tgz, gz, and zip format, in addition to plain text.
Parameter: FSMNodeName
Description: The unique identifier of the node you want to use for the integration.
Mandatory: Yes
Parameter: vendor
Description: The name of the product from where the events are received. Possible values: Bitdefender.
Mandatory: Yes
Parameter: model
Description: The model of the parser that is used to process events. Possible values: GravityZone. Tip: If you want to use a custom parser, enter its ID here.
Mandatory: Yes
Parameter: reptIp
Description: The reporting IP, or the source of the log. The value you specify here will populate the CMDB as a reporting device.
Mandatory: Yes
Parameter: reptHost
Description: The reporting device name, or the hostname of the device sending the logs.
Mandatory: Yes
Parameter: separator
Description: Use this parameter to split the content of one file into multiple events. If omitted, one event file will be created for each event. Possible values: [%, 0-9, a-Z]. If the value contains any other character, the file name will start with invalid_event_ and the file will not be processed by the parser. For special URL characters, use encoding characters. For example, %0A instead of \n, or %2C instead of ,.
Mandatory: No
Note
If the Model contains whitespace, such as “Model 24”, you must correctly encode spaces and other special characters in the URL parameters.
Example
https://127.0.0.1/rawupload?vendor=Bitdefender&model=GravityZone&reptIp=104.17.52.22&reptName=cloud.gravityzone.bitdefender.com
Use this as the value for the url parameter when configuring the API push events and the service URL where you want the messages delivered.
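The two pieces of input that the steps above ask you to prepare by hand, the Base64 credential and the percent-encoded rawupload URL, are easy to get subtly wrong (a space in the model, a raw newline as separator). The following Python script is an added example, not code from Bitdefender or Fortinet: it builds both values, encodes spaces, newlines and commas the way the separator rules require, and rejects a separator that would make FortiSIEM name the file invalid_event_* and skip it. The node name, model "Model 24" and host names used in the demonstration are constructed placeholders.

```python
import base64
import re
from urllib.parse import quote, urlencode

# Character set documented above for the separator parameter: %, 0-9, a-Z.
# Anything else makes FortiSIEM prefix the file name with invalid_event_ and skip it.
SEPARATOR_ALLOWED = re.compile(r"^[%0-9A-Za-z]+$")


def basic_auth_value(username, password):
    """Value for the Event Push 'authorization' setting: Base64 of 'user:password',
    matching the account created with htpasswd on the Collector."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def separator_is_valid(encoded_separator):
    """True when the separator, as it appears in the URL, only uses %, digits and letters."""
    return SEPARATOR_ALLOWED.match(encoded_separator) is not None


def build_rawupload_url(node, vendor, model, rept_ip, rept_host, separator=None):
    """Build https://<node>/rawupload?... with every value percent-encoded.
    quote() turns a space into %20, a newline into %0A and a comma into %2C,
    so a model such as 'Model 24' and a separator such as '\\n' stay valid."""
    params = {"vendor": vendor, "model": model, "reptIp": rept_ip, "reptName": rept_host}
    if separator is not None:
        encoded = quote(separator, safe="")
        # quote() leaves '-', '_', '.' and '~' untouched; those are outside the
        # documented set, so reject them instead of letting the file be ignored.
        if not separator_is_valid(encoded):
            raise ValueError(f"separator {encoded!r} uses characters outside %, 0-9, a-Z")
        params["separator"] = separator
    # quote_via=quote encodes a space as %20 rather than '+', matching the
    # %-encoding the parameter table describes.
    return f"https://{node}/rawupload?{urlencode(params, quote_via=quote)}"


if __name__ == "__main__":
    # Values from the page's own examples, then a constructed model with a space.
    print(basic_auth_value("JSmith1", "Password123!"))
    print(build_rawupload_url("127.0.0.1", "Bitdefender", "GravityZone",
                              "104.17.52.22", "cloud.gravityzone.bitdefender.com"))
    print(build_rawupload_url("fsm-collector.example.com", "Bitdefender", "Model 24",
                              "10.0.0.5", "gz.example.com", separator="\n"))
```

Paste the first printed value into the "authorization" field and the URL into the "url" field of the setPushEventSettings call in the next step; the script never touches the network, it only prepares the strings.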
Configure GravityZone to send messages to FortiSIEM
Configure Control Center to send events to this URL: https://your_web_server_hostname_or_public_IP:port/api.
All settings for Event Push Service API are configured via the setPushEventSettings method. For detailed information about these settings, refer to Push.
Using your API key of choice, configure the API push events and the service URL where you want the messages delivered:
$ curl --tlsv1.2 -sS -k -X POST \
  https://CONTROL_CENTER_APIs_ACCESS_URL/v1.0/jsonrpc/push \
  -H 'authorization: Basic API_KEY_BASE64_ENCODED_WITH_COLON_APPENDED' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d '{"id":"1","jsonrpc":"2.0","method":"setPushEventSettings","params":{"serviceSettings":{"requireValidSslCertificate":false,"authorization":"Basic xxxxxxxxxx","url":"https://<FSMNodeName>/rawupload?vendor=<vendor>&model=<model>&reptIp=<reptIp>&reptName=<reptHost>"},"serviceType":"JSON","status":1,"subscribeToEventTypes":{"adcloudgz":true,"antiexploit":true,"aph":true,"av":true,"avc":true,"dp":true,"endpoint-moved-in":true,"endpoint-moved-out":true,"exchange-malware":true,"exchange-user-credentials":true,"fw":true,"hd":true,"hwid-change":true,"install":true,"modules":true,"network-monitor":true,"network-sandboxing":true,"new-incident":true,"ransomware-mitigation":true,"registration":true,"supa-update-status":true,"sva":true,"sva-load":true,"task-status":true,"troubleshooting-activity":true,"uc":true,"uninstall":true}}}'
Important
When using a valid service certificate signed by a public CA, we recommend setting "requireValidSslCertificate":true to force certificate validation. If you are using a self-signed certificate or a certificate signed by your internal CA, set "requireValidSslCertificate":false.
Important
Make sure to replace "authorization":"Basic xxxxxxxxxx" and "url":"https://your_web_server_hostname_or_public_IP:port/api" with the correct values for your server, as defined in the config.json file, and CONTROL_CENTER_APIs_ACCESS_URL and API_KEY_BASE64_ENCODED_WITH_COLON_APPENDED with the correct values for your GravityZone instance.
Once configured, wait about 10 minutes for the settings to take effect, and then make a request using getPushEventSettings.
$ curl --tlsv1.2 -sS -k -X POST \
  https://CONTROL_CENTER_APIs_ACCESS_URL/v1.0/jsonrpc/push \
  -H 'authorization: Basic API_KEY_BASE64_ENCODED' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d '{"id":"3","jsonrpc":"2.0","method":"getPushEventSettings","params":{}}'
The result should appear as follows:
{
  "id": "3",
  "jsonrpc": "2.0",
  "result": {
    "serviceSettings": {
      "authorization": "********",
      "requireValidSslCertificate": false,
      "url": "https://your_web_server_hostname_or_public_IP:port/api"
    },
    "serviceType": "cef",
    "status": 1,
    "subscribeToCompanies": null,
    "subscribeToEventTypes": {
      "adcloud": false,
      "antiexploit": true,
      "aph": true,
      "av": true,
      ...
      "uninstall": true
    }
  }
}
To send a test event, you can call the sendTestPushEvent API method.
$ curl --tlsv1.2 -sS -k -X POST \
  https://CONTROL_CENTER_APIs_ACCESS_URL/v1.0/jsonrpc/push \
  -H 'authorization: Basic API_KEY_BASE64_ENCODED' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d '{"id":"4","jsonrpc":"2.0","method":"sendTestPushEvent","params":{"eventType": "av"}}'
The result should appear as follows:
{
  "id": "4",
  "jsonrpc": "2.0",
  "result": {
    "computer_name": "FC-WIN7-X64-01",
    "computer_fqdn": "fc-win7-x64-01",
    "computer_ip": "10.17.46.196",
    "computer_id": "59a1604e60369e06733f8abb",
    "product_installed": "BEST",
    "malware_type": "file",
    "malware_name": "EICAR-Test-File (not a virus)",
    "file_path": "C:\\eicar0000001.txt",
    "hash": "8b3f191819931d1f2cef7289239b5f77c00b079847b9c2636e56854d1e5eff71",
    "final_status": "deleted",
    "timestamp": "2017-09-08T12:01:36.000Z",
    "companyId": "5ac8460f8a799399a78b456c",
    "module": "av",
    "_testEvent_": true
  }
}
The event should shortly show up in the Syslog server and in the server.js output.
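The three curl calls above (setPushEventSettings, getPushEventSettings, sendTestPushEvent) share the same endpoint, the same JSON-RPC envelope and the same Basic header built from the API key with a colon appended. The Python script below is an added example, not Bitdefender's own client: it builds those requests, sends them with the standard library, and checks a getPushEventSettings reply for the things that silently break the feed (service disabled, wrong URL, certificate validation switched off, event types left unsubscribed). Function names, the placeholder access URL and API key, and the sample reply in the test are all constructed for the example.

```python
import base64
import json
import urllib.request

# Event types subscribed in the setPushEventSettings call shown above.
GRAVITYZONE_EVENT_TYPES = [
    "adcloudgz", "antiexploit", "aph", "av", "avc", "dp", "endpoint-moved-in",
    "endpoint-moved-out", "exchange-malware", "exchange-user-credentials", "fw", "hd",
    "hwid-change", "install", "modules", "network-monitor", "network-sandboxing",
    "new-incident", "ransomware-mitigation", "registration", "supa-update-status", "sva",
    "sva-load", "task-status", "troubleshooting-activity", "uc", "uninstall",
]


def api_auth_header(api_key):
    """GravityZone Basic auth: the API key with a colon appended, Base64-encoded."""
    token = base64.b64encode(f"{api_key}:".encode("ascii")).decode("ascii")
    return f"Basic {token}"


def jsonrpc(request_id, method, params):
    """JSON-RPC 2.0 envelope used by every call on the /push endpoint."""
    return {"id": str(request_id), "jsonrpc": "2.0", "method": method, "params": params}


def push_settings_params(fortisiem_url, fortisiem_authorization,
                         event_types=GRAVITYZONE_EVENT_TYPES, require_valid_cert=True):
    """Params for setPushEventSettings: JSON delivery to the FortiSIEM rawupload URL,
    authenticated with the htpasswd credentials created on the Collector."""
    return {
        "serviceSettings": {
            "requireValidSslCertificate": require_valid_cert,
            "authorization": fortisiem_authorization,
            "url": fortisiem_url,
        },
        "serviceType": "JSON",
        "status": 1,
        "subscribeToEventTypes": {name: True for name in event_types},
    }


def call_push_api(access_url, api_key, body):
    """POST one JSON-RPC request to <access_url>/v1.0/jsonrpc/push, like the curl calls
    above. Unlike curl -k, urllib verifies the Control Center certificate by default."""
    request = urllib.request.Request(
        f"{access_url.rstrip('/')}/v1.0/jsonrpc/push",
        data=json.dumps(body).encode("utf-8"),
        headers={
            "authorization": api_auth_header(api_key),
            "content-type": "application/json",
            "cache-control": "no-cache",
        },
        method="POST",
    )
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


def check_push_settings(get_result, expected_url):
    """Compare a getPushEventSettings response with what was configured and list
    anything to fix before trusting the feed (status, URL, TLS, subscriptions)."""
    result = get_result.get("result", {})
    service = result.get("serviceSettings", {})
    problems = []
    if result.get("status") != 1:
        problems.append("push service is not enabled (status != 1)")
    if service.get("url") != expected_url:
        problems.append(f"url is {service.get('url')!r}, expected {expected_url!r}")
    if service.get("requireValidSslCertificate") is not True:
        problems.append("requireValidSslCertificate is false: FortiSIEM certificate is not validated")
    disabled = [name for name, on in result.get("subscribeToEventTypes", {}).items() if not on]
    if disabled:
        problems.append("event types not subscribed: " + ", ".join(sorted(disabled)))
    return problems


if __name__ == "__main__":
    # Constructed placeholders: replace with your Control Center URL, API key and node.
    fsm_url = ("https://127.0.0.1/rawupload?vendor=Bitdefender&model=GravityZone"
               "&reptIp=104.17.52.22&reptName=cloud.gravityzone.bitdefender.com")
    body = jsonrpc(1, "setPushEventSettings",
                   push_settings_params(fsm_url, "Basic SlNtaXRoMTpQYXNzd29yZDEyMyE="))
    print(json.dumps(body, indent=2))
    # Live use (network), in the same order as the page:
    # call_push_api("https://CONTROL_CENTER_APIs_ACCESS_URL", "YOUR_API_KEY", body)
    # reply = call_push_api(..., jsonrpc(3, "getPushEventSettings", {}))
    # print(check_push_settings(reply, fsm_url))
    # call_push_api(..., jsonrpc(4, "sendTestPushEvent", {"eventType": "av"}))
```

Run check_push_settings against the getPushEventSettings reply after the roughly ten-minute propagation delay mentioned above; an empty list means the service is enabled, pointed at the intended FortiSIEM URL with certificate validation on, and every requested event type is subscribed.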