
FortiSIEM

Integrate GravityZone Cloud with FortiSIEM

FortiSIEM can receive, parse, and store JSON formatted events received via HTTP(S) POST. As a Bitdefender partner, you can integrate GravityZone with FortiSIEM by using GravityZone APIs and a FortiSIEM node. With this service, you are able to send data from GravityZone Control Center directly to a cloud or an on-premises environment.

Note

This configuration uses the default parser provided by FortiSIEM. To create a different parser manually, refer to the corresponding FortiSIEM KB article.

Requirements

  • An active license for FortiSIEM with the modules required to support third-party integrations.

  • Administrative privileges on the FortiSIEM console to configure data sources and set up the integration.

  • A FortiSIEM Collector installed and configured to receive data from GravityZone.

    The Collector terminates the HTTPS connection from GravityZone and passes the received events on to the rest of the FortiSIEM deployment.

  • A FortiSIEM instance installed and operational within your environment.

    This instance is required to configure and manage the integration with GravityZone, as well as to process and analyze the incoming data.

Integration steps

Enable Event Push API in GravityZone Control Center

  1. Log in to GravityZone Control Center.

  2. Go to My Account.

  3. Under the API keys section, click Add.

  4. Select the Event Push Service API check box and click Save. The new key appears in the API keys table.

  5. Copy the key and store it securely; it grants access to the Event Push Service API for your account and cannot be displayed again.

  6. Click Save to apply the changes.

Configure a node in FortiSIEM and get the information required for integration

  1. Log in to your FortiSIEM supervisor machine.

  2. Configure the FortiSIEM node:

    1. Identify the FortiSIEM node that will receive the events.

      Tip

      In a FortiSIEM environment, a node can be any component that is part of the FortiSIEM system, such as Collectors, Supervisors, or Workers. The Collector is a component responsible for gathering and processing data from various sources. For the purpose of this integration, the Collector is normally used.

    2. Establish an SSH connection with the Collector and run the following command:

      htpasswd -b /etc/httpd/accounts/passwds <user> <password>

      user: the username GravityZone will authenticate with when it pushes events to this node; the entry is written to the node's httpd password file.

      password: the password for that user.

      If the password contains special characters, enclose it in single quotes. With -b the password is passed on the command line, so it is recorded in the shell history and is visible in the process list while the command runs; omit -b to be prompted for it interactively instead.

      Example

      htpasswd -b /etc/httpd/accounts/passwds JSmith1 'Password123!'

      This command creates the HTTP Basic credential that the selected node checks on every request to its upload endpoint; GravityZone must send it with each push.

    3. Encode the username and password as an HTTP Basic credential. You will use it as the authorization value when configuring the Event Push Service on the GravityZone side:

      1. Combine the username and password: concatenate the username and password with a colon (:) in between. For example, JSmith1:Password123!.

      2. Convert the combined string to Base64. Make sure no trailing newline is encoded with it, and treat the result as a secret: Base64 is reversible, so it exposes the password to anyone who sees it.

        Example result

        SlNtaXRoMTpQYXNzd29yZDEyMyE=
    4. Build the URL required for sending messages to FortiSIEM:

      https://<FSMNodeName>/rawupload?vendor=<vendor>&model=<model>&reptIp=<reptIp>&reptName=<reptHost>

      Tip

      GravityZone will use this endpoint to send data to FortiSIEM. It accepts HTTP POST requests with a JSON body; besides plain text, the body can be compressed as tar, tgz, gz or zip.

      FSMNodeName (mandatory)

        The hostname or IP address of the node you want to use for the integration.

      vendor (mandatory)

        The vendor of the product the events come from. Possible value: Bitdefender.

      model (mandatory)

        The parser model used to process the events. Possible value: GravityZone.

        Tip: if you want to use a custom parser, enter its ID here instead.

      reptIp (mandatory)

        The reporting IP, that is, the source of the log. The value you specify here populates the CMDB as a reporting device.

      reptName (mandatory; shown as <reptHost> in the template above)

        The reporting device name, that is, the hostname of the device sending the logs.

      separator (optional)

        Use this parameter to split the content of one upload into multiple events. If omitted, the whole body of an upload is stored as a single event file.

        Allowed characters: %, 0-9, a-z and A-Z. If the value contains any other character, the file name will start with invalid_event_ and the file will not be processed by the parser.

        Characters that are special in URLs must be percent-encoded: for example, %0A instead of a newline (\n) or %2C instead of a comma (,).

      Note

      If the model contains whitespace, such as "Model 24", you must percent-encode the spaces and any other special characters in the URL parameters (Model%2024).

      Example

      https://127.0.0.1/rawupload?vendor=Bitdefender&model=GravityZone&reptIp=104.17.52.22&reptName=cloud.gravityzone.bitdefender.com

      Use this as the value of the url parameter when configuring the API push events and the service URL where you want the messages delivered.
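The node-side steps above are easy to get subtly wrong: a trailing newline encoded into the Base64 string produces 401 responses, and an unencoded space in the model name produces invalid_event_ files. The script below is an added example, not code from the original page or from FortiSIEM; it builds the Basic credential and the rawupload URL from the same inputs, rejects a separator that is outside the allowed character set, and wraps a curl POST you can run from any host to confirm the node accepts uploads before GravityZone is involved. The node address 127.0.0.1, the credential JSmith1/Password123! and the JSON event body are constructed from the page's examples; the curl test assumes you can reach the node and have the CA certificate that signed its server certificate.

```shell
#!/bin/sh
# Added example (not part of the original page or of FortiSIEM): prepare and
# sanity-check the rawupload target for GravityZone. All sample values are constructed.

# HTTP Basic credential in the form GravityZone expects as "authorization": "Basic <value>".
# Base64 is reversible, so treat the output like the password itself.
basic_auth() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Percent-encode one query-string value; RFC 3986 unreserved characters pass through.
# Assumes ASCII input, which covers every rawupload parameter.
urlencode() {
    s="$1"; out=""
    while [ -n "$s" ]; do
        c="${s%"${s#?}"}"      # first character of $s
        s="${s#?}"             # remainder
        case "$c" in
            [A-Za-z0-9.~_-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
    done
    printf '%s' "$out"
}

# The page allows only %, 0-9 and letters in separator; anything else makes the node
# store the upload as invalid_event_* and skip parsing it.
valid_separator() {
    case "$1" in
        '') return 1 ;;
        *[!%0-9A-Za-z]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build https://<node>/rawupload?vendor=...&model=...&reptIp=...&reptName=...[&separator=...]
# Arguments: node vendor model reptIp reptName [separator, already percent-encoded]
rawupload_url() {
    url="https://$1/rawupload?vendor=$(urlencode "$2")&model=$(urlencode "$3")"
    url="$url&reptIp=$(urlencode "$4")&reptName=$(urlencode "$5")"
    if [ -n "$6" ]; then
        valid_separator "$6" || { echo "invalid separator: $6" >&2; return 1; }
        url="$url&separator=$6"
    fi
    printf '%s' "$url"
}

# POST one constructed JSON event to the node with the same credential GravityZone will
# present, and print the HTTP status. Needs network access to the node; pass the CA that
# signed the node certificate (public or internal) instead of disabling checks with -k.
# Arguments: rawupload URL, user, password, CA bundle path.
send_sample_event() {
    curl --tlsv1.2 -sS --cacert "$4" -u "$2:$3" \
        -H 'Content-Type: application/json' \
        --data-binary '{"module":"av","computer_name":"constructed-host","malware_name":"EICAR-Test-File (not a virus)","final_status":"deleted","_testEvent_":true}' \
        -o /dev/null -w '%{http_code}\n' "$1"
}

# Stand-alone demonstration with the values from the page's example:
basic_auth JSmith1 'Password123!'; echo
rawupload_url 127.0.0.1 Bitdefender GravityZone 104.17.52.22 cloud.gravityzone.bitdefender.com; echo
rawupload_url 127.0.0.1 Bitdefender 'Model 24' 104.17.52.22 cloud.gravityzone.bitdefender.com '%0A'; echo
# Against a real node (hypothetical CA path):
# send_sample_event "$(rawupload_url 127.0.0.1 Bitdefender GravityZone 104.17.52.22 cloud.gravityzone.bitdefender.com)" JSmith1 'Password123!' /path/to/node-ca.pem
```

A 200 from send_sample_event with the same user and URL you are about to hand to GravityZone rules out the node before you start debugging the push service; a 401 means the htpasswd entry, and a 404 means the URL path or parameters.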

Configure GravityZone to send messages to FortiSIEM

Configure Control Center to send events to the rawupload URL you built in the previous step (https://<FSMNodeName>/rawupload?vendor=<vendor>&model=<model>&reptIp=<reptIp>&reptName=<reptHost>).

All settings for the Event Push Service API are configured through the setPushEventSettings method. For detailed information about these settings, refer to the Push section of the API documentation.

Using your API key of choice, configure the API push events and the service URL where you want the messages delivered. The -k flag in the example disables certificate validation for the connection to Control Center; drop it unless you are deliberately testing against an endpoint whose certificate your client does not trust:

$ curl --tlsv1.2 -sS -k -X POST \
https://CONTROL_CENTER_APIs_ACCESS_URL/v1.0/jsonrpc/push \
-H 'authorization: Basic API_KEY_BASE64_ENCODED_WITH_COLON_APPENDED' \
-H 'cache-control: no-cache' \
-H 'content-type: application/json' \
-d '{"id":"1","jsonrpc":"2.0","method":"setPushEventSettings","params":{"serviceSettings":{"requireValidSslCertificate":false,"authorization":"Basic xxxxxxxxxx","url":"https://<FSMNodeName>/rawupload?vendor=<vendor>&model=<model>&reptIp=<reptIp>&reptName=<reptHost>"},"serviceType":"JSON","status":1,"subscribeToEventTypes":{"adcloudgz":true,"antiexploit":true,"aph":true,"av":true,"avc":true,"dp":true,"endpoint-moved-in":true,"endpoint-moved-out":true,"exchange-malware":true,"exchange-user-credentials":true,"fw":true,"hd":true,"hwid-change":true,"install":true,"modules":true,"network-monitor":true,"network-sandboxing":true,"new-incident":true,"ransomware-mitigation":true,"registration":true,"supa-update-status":true,"sva":true,"sva-load":true,"task-status":true,"troubleshooting-activity":true,"uc":true,"uninstall":true}}}'

Important

If the node presents a certificate signed by a public CA, set "requireValidSslCertificate":true so that GravityZone validates it. With a self-signed certificate or one signed by your internal CA, which GravityZone does not trust, you must set "requireValidSslCertificate":false. Be aware that this disables server authentication for the push channel: anything able to intercept traffic between GravityZone and the node could read the events and the Basic credential. Prefer a publicly trusted certificate on the node where possible.

Important

Replace "authorization":"Basic xxxxxxxxxx" with the Base64 credential you produced in step 3 of the node configuration, and the url value with the rawupload URL you built in step 4. Replace CONTROL_CENTER_APIs_ACCESS_URL and API_KEY_BASE64_ENCODED_WITH_COLON_APPENDED with the API access URL of your GravityZone instance and the Base64 encoding of your API key followed by a colon (the key is used as the username of an HTTP Basic credential with an empty password).

Once configured, wait about 10 minutes for the settings to take effect, then confirm them with getPushEventSettings:

$ curl --tlsv1.2 -sS -k -X POST \
https://CONTROL_CENTER_APIs_ACCESS_URL/v1.0/jsonrpc/push \
-H 'authorization: Basic API_KEY_BASE64_ENCODED_WITH_COLON_APPENDED' \
-H 'cache-control: no-cache' \
-H 'content-type: application/json' \
-d '{"id":"3","jsonrpc":"2.0","method":"getPushEventSettings","params":{}}'

The result should echo the settings you configured, with the authorization value masked:

{
  "id": "3",
  "jsonrpc": "2.0",
  "result": {
    "serviceSettings": {
      "authorization": "********",
      "requireValidSslCertificate": false,
      "url": "https://<FSMNodeName>/rawupload?vendor=Bitdefender&model=GravityZone&reptIp=<reptIp>&reptName=<reptHost>"
    },
    "serviceType": "JSON",
    "status": 1,
    "subscribeToCompanies": null,
    "subscribeToEventTypes": {
      "adcloud": false,
      "antiexploit": true,
      "aph": true,
      "av": true,
      ...
      "uninstall": true
    }
  }
}

If url or status differ from what you set, the settings have not been applied yet or the setPushEventSettings call returned an error; re-check the response of that call before sending test events.

To send a test event, you can call the sendTestPushEvent API method.

$ curl --tlsv1.2 -sS -k -X POST \
https://CONTROL_CENTER_APIs_ACCESS_URL/v1.0/jsonrpc/push \
-H 'authorization: Basic API_KEY_BASE64_ENCODED_WITH_COLON_APPENDED' \
-H 'cache-control: no-cache' \
-H 'content-type: application/json' \
-d '{"id":"4","jsonrpc":"2.0","method":"sendTestPushEvent","params":{"eventType": "av"}}'

The result should appear as follows:

{
  "id": "4",
  "jsonrpc": "2.0",
  "result": {
    "computer_name": "FC-WIN7-X64-01",
    "computer_fqdn": "fc-win7-x64-01",
    "computer_ip": "10.17.46.196",
    "computer_id": "59a1604e60369e06733f8abb",
    "product_installed": "BEST",
    "malware_type": "file",
    "malware_name": "EICAR-Test-File (not a virus)",
    "file_path": "C:\\eicar0000001.txt",
    "hash": "8b3f191819931d1f2cef7289239b5f77c00b079847b9c2636e56854d1e5eff71",
    "final_status": "deleted",
    "timestamp": "2017-09-08T12:01:36.000Z",
    "companyId": "5ac8460f8a799399a78b456c",
    "module": "av",
    "_testEvent_": true
  }
}

The test event should show up in FortiSIEM shortly afterwards, attributed to the reporting device you set with reptIp and reptName. If it does not, check the web server access log on the node for the POST from GravityZone and the status code it returned: a 401 points at the Basic credential, a 404 at the URL.
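The three calls above (set, read back, test event) are usually run once by hand and then forgotten, which is how a push configuration silently ends up pointing at an old collector. The script below is an added example, not code from the original page or from Bitdefender; it wraps the same JSON-RPC calls in functions and checks the answers instead of leaving that to the eye: it encodes the API key with the trailing colon, builds the setPushEventSettings body from the rawupload URL and node credential produced earlier, and compares the url and status that getPushEventSettings returns against what was set. The event-type list in the payload is shortened, the response parsing uses sed rather than a JSON parser, the API access URL in the comments is given as an example, and the two sample responses are constructed in the page's format so the checks run offline.

```shell
#!/bin/sh
# Added example (not part of the original page or of GravityZone): drive the Event Push
# Service calls from a script and check the answers. Sample responses are constructed.

# GravityZone API key as an HTTP Basic credential: the key is the username and the
# password is empty, hence the trailing colon before Base64 encoding.
gz_auth_header() {
    printf '%s:' "$1" | base64 | tr -d '\n'
}

# JSON-RPC body for setPushEventSettings. Arguments: rawupload URL, node Basic credential
# (Base64 of user:password from the node steps), requireValidSslCertificate (true|false).
# The event-type list is shortened here; use the full list from the page's call.
set_push_payload() {
    printf '{"id":"1","jsonrpc":"2.0","method":"setPushEventSettings","params":{"serviceSettings":{"requireValidSslCertificate":%s,"authorization":"Basic %s","url":"%s"},"serviceType":"JSON","status":1,"subscribeToEventTypes":{"av":true,"antiexploit":true,"fw":true,"hd":true,"network-sandboxing":true,"new-incident":true,"ransomware-mitigation":true}}}' \
        "$3" "$2" "$1"
}

# One JSON-RPC call. Arguments: Control Center API access URL (the value shown under
# My Account, for example https://cloud.gravityzone.bitdefender.com/api), API key, body.
# No -k: the Control Center certificate is expected to validate.
gz_call() {
    curl --tlsv1.2 -sS -X POST "$1/v1.0/jsonrpc/push" \
        -H "Authorization: Basic $(gz_auth_header "$2")" \
        -H 'Content-Type: application/json' \
        -d "$3"
}

# Check a getPushEventSettings response: no JSON-RPC error, service enabled (status 1)
# and the stored url equal to what we intended to set. Uses sed, not a JSON parser, so it
# expects the pretty-printed one-key-per-line form shown on the page.
verify_push_settings() {
    resp="$1"; expected="$2"
    if printf '%s\n' "$resp" | grep -q '"error"'; then
        echo "JSON-RPC error: $resp" >&2; return 1
    fi
    got=$(printf '%s\n' "$resp" | sed -n 's/.*"url": *"\([^"]*\)".*/\1/p' | head -n 1)
    if [ "$got" != "$expected" ]; then
        echo "push url mismatch: got '$got', expected '$expected'" >&2; return 1
    fi
    printf '%s\n' "$resp" | grep -q '"status": *1' || { echo "push service disabled" >&2; return 1; }
    return 0
}

# sendTestPushEvent answers with the event itself; _testEvent_ marks it as synthetic.
check_test_event() {
    printf '%s\n' "$1" | grep -q '"_testEvent_": *true'
}

# Full sequence against a live tenant (not run here): set, wait, read back, fire a test event.
configure_and_test() {
    api="$1"; key="$2"; fsm_url="$3"; node_auth="$4"; require_valid="$5"
    gz_call "$api" "$key" "$(set_push_payload "$fsm_url" "$node_auth" "$require_valid")" >/dev/null
    sleep 600   # the page says to allow about 10 minutes before reading the settings back
    verify_push_settings "$(gz_call "$api" "$key" '{"id":"3","jsonrpc":"2.0","method":"getPushEventSettings","params":{}}')" "$fsm_url" || return 1
    check_test_event "$(gz_call "$api" "$key" '{"id":"4","jsonrpc":"2.0","method":"sendTestPushEvent","params":{"eventType":"av"}}')"
}

# Constructed responses in the page's format, used for the offline checks below.
SAMPLE_GET_RESPONSE=$(cat <<'EOF'
{
  "id": "3",
  "jsonrpc": "2.0",
  "result": {
    "serviceSettings": {
      "authorization": "********",
      "requireValidSslCertificate": true,
      "url": "https://127.0.0.1/rawupload?vendor=Bitdefender&model=GravityZone&reptIp=104.17.52.22&reptName=cloud.gravityzone.bitdefender.com"
    },
    "serviceType": "JSON",
    "status": 1
  }
}
EOF
)
SAMPLE_TEST_RESPONSE='{"id":"4","jsonrpc":"2.0","result":{"computer_name":"constructed-host","module":"av","_testEvent_":true}}'

verify_push_settings "$SAMPLE_GET_RESPONSE" 'https://127.0.0.1/rawupload?vendor=Bitdefender&model=GravityZone&reptIp=104.17.52.22&reptName=cloud.gravityzone.bitdefender.com' && echo "push settings verified"
check_test_event "$SAMPLE_TEST_RESPONSE" && echo "test event received"
```

verify_push_settings is the piece worth keeping around: run it from a scheduled job against getPushEventSettings and it will tell you when someone re-points the push service or disables it, which otherwise shows up only as GravityZone events quietly stopping in FortiSIEM.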