LogRhythm

Integrate GravityZone Cloud with LogRhythm

As a Bitdefender partner, you can integrate GravityZone with LogRhythm using the GravityZone APIs and a LogRhythm Open Collector. With this integration, events from GravityZone Control Center are pushed to LogRhythm.

Requirements

  • A LogRhythm instance installed with the PM role.

  • A virtual machine with a LogRhythm Open Collector agent installed.

  • A virtual machine with a LogRhythm System Monitor Agent installed.

Integration steps

Enable Event Push API in GravityZone Control Center

  1. Log in to GravityZone Control Center.

  2. Go to My Account.

  3. Under API keys section, click Add.

  4. Select the Event Push Service API check box and click Save. The new key appears in the API Keys table.

  5. Click Save to preserve the changes made in My Account page.

Configure the integration in LogRhythm

  1. Log in to the endpoint that has Open Collector installed.

  2. Configure a Webhook Beat.

  3. Initialize the Webhook Beat:

    1. Start the Beat:

      ./lrctl webhookbeat start

      The configuration menu is displayed. Use your keyboard arrows to navigate between fields.

    2. Select New webhookbeat instance from the list.

    3. Under Enter the unique identifier for the webhookbeat instance, enter a name for the instance.

    4. Set up a listener using the Enter the hostname/IP for webhook configuration. The default value is localhost.

      Note

      If you provide your own hostname/external IP, make sure it is publicly exposed on the specified port and is mapped to the same system on which the beat is running.

    5. Under Enter the port on the Webhook server beat where data should be sent, enter 8080.

    6. Under Do you want to enable HTTPS?, select No.

    7. Restart Open Collector and Metrics to apply the new settings.

      ./lrctl oc restart && ./lrctl metrics restart
  4. Configure Open Collector to process Antimalware and Firewall events from GravityZone Event Push Service.

    1. Download these plugin files and copy them to the Open Collector machine where the lrctl script is located.

    2. Enable a Custom OC Pipeline, if not present.

      ./lrctl ocpipeline install
      ./lrctl lrjq install
    3. Import the plugin.

      cat bitdefender.pipe | ./lrctl oc pipe augment import
    4. Restart all the services on the Open Collector.

      ./lrctl webhookbeat restart && ./lrctl metrics restart && ./lrctl oc restart
  5. Prepare a certificate to use in the main.go script. You can use one of your existing certificates or generate a new one.

  6. Run the main.go script and configure it to receive events from the Event Push Service.

    1. Run main.go for the first time. On this run you configure the webhook address, the certificate and the private key.

      go run main.go
    2. Enter the IP of the webhook. If you are running the script on the same machine as the webhook, you can keep localhost.

      Config file not found. Please provide the following information:
      For the OC webhook, localhost is the default. Would you like to change it? (y/n)
    3. Enter 8080 as the port.

      For the OpenCollector Webhook Port, 8081 is the default. Would you like to change it? (y/n)
    4. Use the certificate you prepared in step 5.

      Enter the path of the certificate.crt file ca_crt_file_path (you may want to try fullchain.crt:
    5. Enter the certificate's private key.

      Enter the path to privkey.cem file ca_priv_file_path (you may want to try privkey.pem:
    6. Disable debug mode.

      Enable debug mode? (y/n)
    7. Run the script again; this time it starts as a server.

      It listens on port 443, and this address is where the Event Push Service must send the events.

  7. Post the following JSON to the GravityZone API, with the placeholders below replaced to match your setup and the events you want to monitor set to true:

    {
      "params": {
        "status": 1,
        "serviceType": "jsonRPC",
        "serviceSettings": {
          "url": "https://<agent_ip>:443/webhook",
          "requireValidSslCertificate": false,
          "authorization": "<secret>"
        },
        "subscribeToEventTypes": {
          "hwid-change": true,
          "modules": true,
          "sva": true,
          "registration": true,
          "supa-update-status": true,
          "av": true,
          "aph": true,
          "fw": true,
          "avc": true,
          "uc": true,
          "dp": true,
          "device-control": true,
          "sva-load": true,
          "task-status": true,
          "exchange-malware": true,
          "network-sandboxing": true,
          "malware-outbreak": true,
          "adcloud": true,
          "exchange-user-credentials": true,
          "exchange-organization-info": true,
          "hd": true,
          "antiexploit": true
        }
      },
      "jsonrpc": "2.0",
      "method": "setPushEventSettings",
      "id": "1"
    }

    Note

    Only av and fw events are available in LogRhythm.

  8. Configure LogRhythm to display low-priority events and test the integration using an EICAR test file or a port scan:

    1. On LogRhythm PM, open LogRhythm console.

    2. Select Deployment Management.

    3. Open Platform Manager tab.

    4. Change global risk priority from 50 to 0.

      Note

      EICAR test events have a risk score of 10 points, and a port scan has 19 points.

    5. Apply changes.

    6. Use the EICAR test file or a port scan to generate an event.

  9. Configure the risk priority in LogRhythm specified in step 8 to match your specific requirements and environment.
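The receiver that step 6 describes is not shown on this page. The following Go program is an added example, not the main.go script that the page refers to, of the same role: it accepts the Event Push Service POSTs on the webhook path, rejects requests whose Authorization header does not match the "authorization" secret set in step 7, keeps only the av and fw events that the note says LogRhythm handles, and forwards them to the Webhook Beat listening on port 8080. The JSON envelope shape (events under params.events, each with a "module" field), the webhookbeat path and the certificate file names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/subtle"
	"encoding/json"
	"log"
	"net/http"
)

// Receiver stands in for the page's main.go: it checks the shared secret and hands av/fw events to the webhookbeat.
type Receiver struct {
	Secret  string                       // the "authorization" value sent to setPushEventSettings
	Forward func([]map[string]any) error // delivery to the Webhook Beat listener (port 8080)
}

// FilterEvents keeps only the modules the bitdefender.pipe pipeline parses (av, fw).
func FilterEvents(events []map[string]any) (keep []map[string]any) {
	for _, ev := range events {
		if m, _ := ev["module"].(string); m == "av" || m == "fw" {
			keep = append(keep, ev)
		}
	}
	return keep
}

func (rc *Receiver) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// Constant-time check of the Authorization header against the shared secret.
	if subtle.ConstantTimeCompare([]byte(r.Header.Get("Authorization")), []byte(rc.Secret)) != 1 {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	var req struct{ Params struct{ Events []map[string]any } } // assumed envelope: params.events, each with a "module"
	if json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<20)).Decode(&req) != nil { // 1 MiB body cap
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	if rc.Forward(FilterEvents(req.Params.Events)) != nil {
		http.Error(w, "forward failed", http.StatusBadGateway)
	}
}

func main() { // listens on 443 with the certificate prepared in step 5 (file names assumed)
	rc := &Receiver{Secret: "<secret>", Forward: func(ev []map[string]any) error {
		b, _ := json.Marshal(ev)
		_, err := http.Post("http://localhost:8080/webhookbeat", "application/json", bytes.NewReader(b))
		return err
	}}
	log.Fatal(http.ListenAndServeTLS(":443", "fullchain.crt", "privkey.pem", rc))
}
```

Because the GravityZone side is configured with requireValidSslCertificate set to false, the secret in the Authorization header is the only thing that ties an incoming request to your GravityZone tenant, so treat it like a password and keep the receiver from accepting unauthenticated posts.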