
Elastic SIEM

Integrate GravityZone Cloud with Elastic SIEM

As a Bitdefender partner, you can integrate GravityZone with Elastic using GravityZone APIs and an Elastic Agent. With this service, you are able to send data from GravityZone Control Center to Elastic.

Requirements

  • A Basic Elastic Stack license or better

  • Elastic Integration version 2.1.1 or higher

  • Kibana 8.14.3 or higher

  • A configured Elastic Agent to act as a collector

  • A configured Fleet Server, the agent management platform used to configure and manage Elastic Agents.

Integration steps

Enable Event Push API in GravityZone Control Center

  1. Log in to GravityZone Control Center.

  2. Go to My Account.

  3. Under API keys section, click Add.

  4. Select the Event Push Service API check box and click Save. The new key appears in the API keys table.

  5. Click Save to apply the changes.

Configure the integration in Kibana

  1. Log in to Kibana with an administrator account.

  2. In the main menu, click Management and select Add Integrations.


    The Add BitDefender integration window is displayed.

  3. Under the Browse integrations tab, use the search function to locate the Bitdefender integration and select it.

  4. Click the Add BitDefender button.


    The Configure integration window is displayed.

  5. Fill in the information in the Integration settings section:

    • Integration name: The name for the new integration

    • Description: A brief description for easy identification of the integration

  6. Scroll down to the Receive Push Notifications Events option, enable it, and then fill in the information:

    • Under BitDefender GravityZone Push Notification ID, leave the default value.

      Note

      If you have multiple GravityZone companies you want to integrate, check the Elastic documentation to determine what input is required.

    • Under Company ID to company name mapping, add the pair ID:name for each monitored company.

    • Make sure the BitDefender GravityZone push notification option is enabled.

    • Set the Listen Address to 0.0.0.0.

    • Under Listen Port, type 8443.

    • Generate a random password and add it under Authorization Value.

      Tip

      This key will be used later to register the agent in GravityZone.

  7. Generate or purchase a security certificate and store it on the endpoint where the Elastic Agent that will receive the data is installed.

  8. Set the TLS settings for the agent HTTP listener using the certificate from step 7. Keep the default webhook path (/bitdefender/push/notification).

  9. Scroll down to the Poll Push Notification Information option, make sure it is enabled, and configure the following settings:

    • Under BitDefender GravityZone Push Notification ID, leave the default value.

      Note

      If you have multiple GravityZone companies you want to integrate, check the Elastic documentation to determine what input is required.

    • Add the Event Push Service API URL under URL of BitDefender GravityZone API push endpoint, using this format:

      https://<cloud_control_API_URL>/api/v1.0/jsonrpc/push

      Parameter: cloud_control_API_URL

      Description: //add description

  10. Enter the key created in the Enable Event Push API in GravityZone Control Center section, under GravityZone API Key.

  11. Scroll down to the Push Notification Configuration option and enable it.

    Optionally, you can click the Advanced options button to change the polling time for statistics.

  12. Scroll down to the Push Notification Statistics option and enable it.

    Optionally, you can click the Advanced options button to change the status of the integration in GravityZone.

  13. Scroll down to the Where to add this integration? section, go to the Existing hosts tab, and configure the settings under the Agent policy section:

    • Under the Agent policy, select the Elastic policy used by the endpoint that will receive data from GravityZone.

  14. Scroll down to the bottom of the page and click Save.
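The listener configured in steps 6 to 8 accepts a push only on the webhook path and only when the Authorization header carries the value entered under Authorization Value. The Python below is an added example, not Elastic's or Bitdefender's code, modelling those acceptance checks and flagging event types that were never subscribed to; SHARED_SECRET, the sample payload, its method name and the params.events envelope are constructed for this example.

```python
import hmac
import json

# Constructed for this example: SHARED_SECRET is the string entered under
# "Authorization Value" in Kibana (step 6); GravityZone later presents the
# same value, which is what lets the listener reject other senders.
SHARED_SECRET = "c3b1f0e6d9a24b7f8e1c5a0d2f6b9e47"
WEBHOOK_PATH = "/bitdefender/push/notification"  # default path kept in step 8
# Event types enabled in setPushEventSettings (a subset of the page's list).
SUBSCRIBED = {"av", "hwid-change", "antiexploit"}


def handle_push(path, headers, body, secret=SHARED_SECRET):
    """Model of the listener's checks; returns (http_status, events).

    Assumption, not from the page: GravityZone sends the authorization value
    verbatim in the Authorization header and the JSON-RPC envelope carries
    the events under params.events.
    """
    if path != WEBHOOK_PATH:
        return 404, []
    presented = headers.get("Authorization", "")
    # Constant-time comparison so response timing does not leak the secret.
    if not hmac.compare_digest(presented.encode(), secret.encode()):
        return 401, []
    try:
        msg = json.loads(body)
    except ValueError:
        return 400, []
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0":
        return 400, []
    params = msg.get("params")
    events = params.get("events", []) if isinstance(params, dict) else []
    return 200, [e for e in events if isinstance(e, dict)]


def unexpected_modules(events):
    """Modules that arrived but were never subscribed to: a sign of a
    misconfigured subscription or of traffic that is not from GravityZone."""
    return {e.get("module") for e in events} - SUBSCRIBED


# Constructed sample push: two subscribed event types and one that is not.
SAMPLE_BODY = json.dumps({
    "jsonrpc": "2.0",
    "method": "pushEvents",  # hypothetical method name
    "params": {"events": [
        {"module": "av", "computer_name": "ws-01", "malware_name": "EICAR-Test-File"},
        {"module": "hwid-change", "computer_name": "ws-02"},
        {"module": "fw", "computer_name": "ws-03"},
    ]},
})
```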

Enable the Elastic integration in GravityZone

After you have created the Event Push Service key in GravityZone Control Center, you need to enable the integration, that is, start sending events from GravityZone to Elastic.

Use the setPushEventSettings method to start sending data:

{
  "params": {
    "status": 1,
    "serviceType": "jsonRPC",
    "serviceSettings": {
      "url": "https://<agent_address>:<agent_port>/<webhook_path>",
      "requireValidSslCertificate": false,
      "authorization": "<secret>"
    },
    "subscribeToEventTypes": {
      "hwid-change": true,
      "modules": true,
      "sva": true,
      "registration": true,
      "supa-update-status": true,
      "av": true,
      "aph": true,
      "fw": true,
      "avc": true,
      "uc": true,
      "dp": true,
      "device-control": true,
      "sva-load": true,
      "task-status": true,
      "exchange-malware": true,
      "network-sandboxing": true,
      "malware-outbreak": true,
      "adcloud": true,
      "exchange-user-credentials": true,
      "exchange-organization-info": true,
      "hd": true,
      "antiexploit": true
    }
  },
  "jsonrpc": "2.0",
  "method": "setPushEventSettings",
  "id": "1"
}

Variable: agent_address

Description: The FQDN or public IP of the agent that will receive data from GravityZone.

Variable: agent_port

Description: The port entered in step 6, under Listen Port, in the Configure the integration in Kibana procedure.

Variable: webhook_path

Description: The webhook path kept in step 8 of the Configure the integration in Kibana procedure (default /bitdefender/push/notification).

Variable: secret

Description: The password entered in step 6, under Authorization Value, in the Configure the integration in Kibana procedure.
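As an added example (not Bitdefender's or Elastic's code), the Python below assembles the setPushEventSettings request above from the variables in the table, builds the HTTP Basic header the GravityZone API expects (the API key as username with an empty password) and lints the service settings before they are sent. The request above sets requireValidSslCertificate to false; once the certificate from step 7 is trusted, setting it to true makes GravityZone verify the listener's certificate. CLOUD_CONTROL_API_URL and API_KEY are placeholders, and the lint thresholds are this example's own choice.

```python
import base64
import json
import urllib.request

# Placeholders for this example; real values come from the procedures above.
CLOUD_CONTROL_API_URL = "<cloud_control_API_URL>"  # placeholder, as on the page
API_KEY = "<GravityZone API key>"  # placeholder: key from Enable Event Push API


def basic_auth_header(api_key):
    """GravityZone API calls authenticate with HTTP Basic: the API key is the
    username and the password is left empty."""
    token = base64.b64encode(f"{api_key}:".encode()).decode()
    return {"Authorization": f"Basic {token}", "Content-Type": "application/json"}


def build_set_push_settings(agent_address, agent_port, webhook_path, secret,
                            event_types, require_valid_cert=True, request_id="1"):
    """Assemble the setPushEventSettings request from the table's variables."""
    return {
        "params": {
            "status": 1,
            "serviceType": "jsonRPC",
            "serviceSettings": {
                "url": f"https://{agent_address}:{agent_port}{webhook_path}",
                "requireValidSslCertificate": require_valid_cert,
                "authorization": secret,
            },
            "subscribeToEventTypes": {t: True for t in event_types},
        },
        "jsonrpc": "2.0",
        "method": "setPushEventSettings",
        "id": request_id,
    }


def lint_settings(request):
    """Findings to resolve before enabling the push (thresholds are this example's)."""
    s = request["params"]["serviceSettings"]
    findings = []
    if not s["url"].startswith("https://"):
        findings.append("url must use https so the authorization value is not sent in clear")
    if not s["requireValidSslCertificate"]:
        findings.append("requireValidSslCertificate is false: the listener certificate is not verified")
    if len(s["authorization"]) < 32:
        findings.append("authorization value is shorter than 32 characters; use a long random secret")
    return findings


def send(request, api_key=API_KEY, base_url=CLOUD_CONTROL_API_URL):
    """POST the request to the Event Push Service API URL from step 9 (needs network)."""
    req = urllib.request.Request(f"https://{base_url}/api/v1.0/jsonrpc/push",
                                 data=json.dumps(request).encode(),
                                 headers=basic_auth_header(api_key), method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```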