
Push event JSON RPC messages

Events are submitted in calls to the "addEvents" function. This function takes one parameter: "events", which is an array of event objects documented below.

HTTP requests can be verified using the Event-Push-Service-Md5 header. The header value is obtained by hashing the API key together with the message body as follows: header_value = md5(api_key . md5(message_body)), i.e. the MD5 of the API key concatenated with the hexadecimal MD5 of the raw message body.

$apikey = "a247bf167a48d899b7a64aced0d6cebdbd5d474578c26cd023505b2c26******";
$message = file_get_contents('php://input');                // raw request body, exactly as received
$servermd5 = $_SERVER['HTTP_EVENT_PUSH_SERVICE_MD5'] ?? ''; // value of the Event-Push-Service-Md5 header
$resultmd5 = md5($apikey . md5($message));                  // md5(api_key . md5(message_body))
if (!hash_equals($resultmd5, $servermd5)) {                 // constant-time comparison; reject on mismatch
    http_response_code(403);
    exit;
}
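The same verification on the receiving side, as an added example rather than Bitdefender's code: it computes md5(api_key . md5(body)) over the raw bytes, compares it to the header in constant time, and only then unwraps the JSON-RPC addEvents envelope. The API key and the message body are constructed for the example (the body is this page's Cloud AD sample).

```python
"""Receiver-side check of a GravityZone Event Push Service message.

Added example, not Bitdefender's code. It implements the header scheme this page
describes: Event-Push-Service-Md5 = md5(api_key . md5(raw_body)), where the inner
value is the lower-case hex MD5 of the body, concatenated to the API key. The key
and body below are constructed for the example (the body is the Cloud AD sample).
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

EXAMPLE_API_KEY = "0123456789abcdef" * 4  # constructed; not a real GravityZone key

# Constructed body: the Cloud AD Integration sample from this page, serialised once.
EXAMPLE_BODY = json.dumps({
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {"events": [{
        "companyId": "59a14b271da197c6108b4567",
        "syncerId": "59b7d9bfa849af3a1465b7e3",
        "issueType": 0,
        "lastAdReportDate": "2017-09-14T08:03:49.671Z",
        "module": "adcloud",
    }]},
    "id": 1505376232077,
}).encode()


def expected_header(api_key: str, raw_body: bytes) -> str:
    """md5(api_key . md5(body)): hash the raw bytes first, then the key plus that hex digest.

    The body must be the exact bytes received; re-serialising the parsed JSON
    would change whitespace or key order and break the comparison.
    """
    inner = hashlib.md5(raw_body).hexdigest()
    return hashlib.md5((api_key + inner).encode("ascii")).hexdigest()


def verify_header(api_key: str, raw_body: bytes, header_value: Optional[str]) -> bool:
    """Constant-time comparison, so a forged header cannot be matched byte by byte."""
    if not header_value:
        return False
    return hmac.compare_digest(expected_header(api_key, raw_body),
                               header_value.strip().lower())


def parse_events(raw_body: bytes) -> List[dict]:
    """Unwrap the JSON-RPC 2.0 envelope and return the events array.

    Anything that is not an addEvents call carrying a list of objects with a
    string 'module' field is rejected, so dispatch code never sees a malformed envelope.
    """
    try:
        msg = json.loads(raw_body)
    except ValueError as exc:
        raise ValueError(f"body is not JSON: {exc}") from exc
    if msg.get("jsonrpc") != "2.0" or msg.get("method") != "addEvents":
        raise ValueError("not a JSON-RPC 2.0 addEvents call")
    events = msg.get("params", {}).get("events")
    if not isinstance(events, list) or not all(isinstance(e, dict) for e in events):
        raise ValueError("params.events must be an array of event objects")
    for e in events:
        if not isinstance(e.get("module"), str):
            raise ValueError("every event needs a string 'module' field")
    return events


def handle_push(api_key: str, raw_body: bytes, headers: Dict[str, str]) -> List[dict]:
    """Per-request flow of a webhook endpoint: authenticate the body, then parse it."""
    if not verify_header(api_key, raw_body, headers.get("Event-Push-Service-Md5")):
        raise PermissionError("Event-Push-Service-Md5 mismatch; dropping message")
    return parse_events(raw_body)


if __name__ == "__main__":
    hdr = {"Event-Push-Service-Md5": expected_header(EXAMPLE_API_KEY, EXAMPLE_BODY)}
    for ev in handle_push(EXAMPLE_API_KEY, EXAMPLE_BODY, hdr):
        print(ev["module"], ev.get("companyId"))
```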

Cloud AD Integration

This event is generated when Control Center is synchronizing with an Active Directory domain.

Parameters:

Name | Type | Mandatory | Description
--- | --- | --- | ---
module | string | yes | Event type identifier. Value: adcloud
companyId | string | yes | Company identifier
syncerId | string | yes | AD Integrator identifier
issueType | integer | yes | AD Synchronization issue type
isProtectedEntityId | integer | no | Is protected entity ID (only for uninstall)
lastAdReportDate | timestamp | no | Last AD synchronization date

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "companyId": "59a14b271da197c6108b4567",
                "syncerId": "59b7d9bfa849af3a1465b7e3",
                "issueType": 0,
                "lastAdReportDate": "2017-09-14T08:03:49.671Z",
                "module": "adcloud"
            }
        ]
    },
    "id": 1505376232077
}

Antiphishing

This notification informs you each time the endpoint agent detects a known phishing attempt when accessing a web page.

Parameters:

Name | Type | Mandatory | Description
--- | --- | --- | ---
module | string | yes | Event type identifier. Value: aph
product_installed | string | yes | Identifier for the installed GravityZone component
companyId | string | yes | Company identifier
computer_name | string | yes | Computer name
computer_fqdn | string | yes | IP address
computer_id | string | yes | Unique endpoint identifier in the GravityZone database
aph_type | string | yes | Values: phishing, fraud, untrust
url | string | yes | Malware URL
status | string | yes | Values: aph_blocked, reportOnly
last_blocked | timestamp | yes | Last timestamp this malware was blocked
count | integer | yes | How many times this malware was detected

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "companyId": "59a14b271da197c6108b4567",
                "computer_name": "FC-EXCHANGE-01",
                "computer_fqdn": "fc-exchange-01.fc.dom",
                "computer_ip": "192.168.0.1",
                "computer_id": "59b7d9bfa849af3a1465b7e4",
                "product_installed": "BEST",
                "aph_type": "phishing",
                "url": "http://example.com/account/support/",
                "status": "aph_blocked",
                "last_blocked": "2017-09-14T08:49:43.000Z",
                "count": 1,
                "module": "aph"
            }
        ]
    },
    "id": 1505378984190
}

Antimalware

This event is generated each time Bitdefender detects malware on an endpoint in your network.

Parameters:

Name | Type | Mandatory | Description
--- | --- | --- | ---
module | string | yes | Event type identifier. Value: av
product_installed | string | yes | Identifier for the installed GravityZone component
companyId | string | yes | Company identifier
computer_name | string | yes | Computer name
computer_fqdn | string | yes | FQDN
computer_ip | string | yes | IP address
computer_id | string | yes | Unique endpoint identifier in the GravityZone database
malware_type | string | yes | Type of the detected malware: file, http, cookie, pop3, smtp, process, boot, registry, stream
malware_name | string | yes | Malware name
hash | string | no | Malware file sha256 hash
final_status | string | yes | Final status of the action taken on the file: ignored, still present, deleted, blocked, quarantined, disinfected, restored
container_id | string | no | The identifier of the container entity
container_host | string | no | The name of the host that manages the container entity
file_path | string | yes | Malware file path
timestamp | timestamp | yes | Timestamp when the malware was detected
signaturesNumber | string | no | Signatures number
taskScanType | integer | no | taskScanType
scanEngineType | integer | no | scanEngineType
cleaned | integer | no | How many times a file was cleaned if it generated multiple events of the same type in one minute.
blocked | integer | no | How many times an application or file was blocked if it generated multiple events of the same type in one minute.
deleted | integer | no | How many times a file was deleted if it generated multiple events of the same type in one minute.
quarantined | integer | no | How many times a file was quarantined if it generated multiple events of the same type in one minute.
ignored | integer | no | How many times a threat was detected and ignored in a file or application if it generated multiple events of the same type in one minute.
present | integer | no | How many times a threat was detected in a file or application if it generated multiple events of the same type in one minute.

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "companyId": "59a14b271da197c6108b4567",
                "computer_name": "FC-WIN7-X64-01",
                "computer_fqdn": "fc-win7-x64-01",
                "computer_ip": "10.17.46.196",
                "computer_id": "59a1604e60369e06733f8abb",
                "product_installed": "BEST",
                "malware_type": "file",
                "malware_name": "EICAR-Test-File (not a virus)",
                "file_path": "C:\\eicar0000001.txt",
                "hash": "8b3f191819931d1f2cef7289239b5f77c00b079847b9c2636e56854d1e5eff71",
                "final_status": "deleted",
                "timestamp": "2017-09-08T12:01:36.000Z",
                "signaturesNumber": "7.95265",
                "scanEngineType": 3,
                "cleaned": 0,
                "blocked": 0,
                "deleted": 0,
                "quarantined": 2,
                "ignored": 0,
                "present": 0,
                "module": "av"
            }
        ]
    },
    "id": 1504872097787
}

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "module": "av",
                "product_installed": "BEST",
                "user": {
                    "id": "S-1-5-21-1493276475-1689882908-858204327-1001",
                    "name": "testadmin"
                },
                "companyId": "63920a01070088b57f0be1d2",
                "computer_name": "IRU-WIN10X64-A",
                "computer_fqdn": "iru-win10x64-a",
                "computer_ip": "10.17.40.189",
                "computer_id": "65030d040a2422770e0022b5",
                "malware_type": "file",
                "malware_name": "EICAR-Test-File (not a virus)",
                "hash": "8b3f191819931d1f2cef7289239b5f77c00b079847b9c2636e56854d1e5eff71",
                "final_status": "quarantined",
                "file_path": "C:\\Users\\testadmin\\AppData\\Local\\VirtualStore\\eicar0000001.txt",
                "timestamp": "2023-09-14T14:16:30.000Z",
                "signaturesNumber": "7.95265",
                "scanEngineType": 3,
                "cleaned": 0,
                "blocked": 0,
                "deleted": 0,
                "quarantined": 2,
                "ignored": 0,
                "present": 0
            }
        ]
    },
    "id": 1694701009244
}

Advanced Threat Control (ATC)

This event is created whenever a potentially dangerous application is detected and blocked on an endpoint.

Parameters:

Name | Type | Mandatory | Description
--- | --- | --- | ---
module | string | yes | Event type identifier. Value: avc
product_installed | string | yes | Identifier for the installed GravityZone component
companyId | string | yes | Company identifier
computer_name | string | yes | Computer name
computer_fqdn | string | yes | FQDN
computer_ip | string | yes | IP address
computer_id | string | yes | Unique endpoint identifier in the GravityZone database
exploit_type | string | yes | Values: IDS APP, AVC APP, AVC Exploit
exploit_path | string | yes | Exploit file path
process_command_line | string | no | The command line parameters of the detected process
parent_process_id | integer | no | The pid of the parent of the detected process
parent_process_path | string | no | The path of the parent process of the detection
status | string | yes | Values: avc_blocked, avc_allowed, avc_disinfected
last_blocked | timestamp | yes | Last timestamp this application/exploit was blocked
count | integer | yes | How many times this application/exploit was detected

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "companyId": "59a14b271da197c6108b4567",
                "computer_name": "FC-WIN7-X64-01",
                "computer_fqdn": "fc-win7-x64-01",
                "computer_ip": "192.168.0.1",
                "computer_id": "59a1604e60369e06733f8abb",
                "product_installed": "BEST",
                "exploit_type": "AVC Blocked Exploit",
                "exploit_path": "C:\\Users\\admin\\Desktop\\Tools\\avcsim\\win32\\avcsim32.exe",
                "status": "avc_blocked",
                "last_blocked": "2017-09-14T07:56:33.000Z",
                "count": 1,
                "module": "avc"
            }
        ]
    },
    "id": 1505375801845
}

Data Protection

This event is generated each time the data traffic is blocked on an endpoint, according to data protection rules.

Parameters:

Name | Type | Mandatory | Description
--- | --- | --- | ---
module | string | yes | Event type identifier. Value: dp
product_installed | string | yes | Identifier for the installed GravityZone component
companyId | string | yes | Company identifier
computer_name | string | yes | Computer name
computer_fqdn | string | yes | FQDN
computer_ip | string | yes | IP address
computer_id | string | yes | Unique endpoint identifier in the GravityZone database
target_type | string | yes | Malware type: mail, http
blocking_rule_name | string | yes | Data protection rule name
url | string | yes | URL
status | string | yes | Always "data_protection_blocked"
last_blocked | timestamp | yes | Last timestamp this email/URL was blocked
count | integer | yes | How many times this malware was detected

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "companyId": "59a14b271da197c6108b4567",
                "computer_name": "FC-WIN7-X64-01",
                "computer_fqdn": "fc-win7-x64-01",
                "computer_ip": "192.168.0.1",
                "computer_id": "59a1604e60369e06733f8abb",
                "product_installed": "BEST",
                "target_type": "http",
                "blocking_rule_name": "dv",
                "url": "http://example.com/",
                "status": "data_protection_blocked",
                "last_blocked": "2017-09-11T10:23:43.000Z",
                "count": 1,
                "module": "dp"
            }
        ]
    },
    "id": 1505125464691
}

Exchange Malware Detection

This event is created when Bitdefender detects malware on an Exchange server in your network.

Parameters:

Name | Type | Mandatory | Description
--- | --- | --- | ---
module | string | yes | Event type identifier. Value: exchange-malware
product_installed | string | yes | Company identifier
computer_name | string | yes | Computer name
computer_fqdn | string | yes | FQDN
computer_ip | string | yes | IP address
computer_id | string | yes | Unique endpoint identifier in the GravityZone database
endpointId | string | yes | Managed endpoint identifier in the GravityZone database
serverName | string | yes | Server name
sender | string | yes | Email sender
recipients | array | yes | List of email recipients (array of strings)
subject | string | yes | Email subject
detectionTime | timestamp | yes | Detection time
malware | array | yes | List of detected malware (array of {"malwareName": string, "malwareType": string, "actionTaken": string, "infectedObject": string})

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "companyId": "59a14b271da197c6108b4567",
                "computer_name": "FC-EXCHANGE-01",
                "computer_fqdn": "fc-exchange-01.fc.dom",
                "computer_ip": "192.168.0.1",
                "computer_id": "59b7d9bfa849af3a1465b7e4",
                "product_installed": "BEST",
                "endpointId": "59b7d9bfa849af3a1465b7e3",
                "serverName": "FC-EXCHANGE-01",
                "sender": "[email protected]",
                "recipients": [
                    "[email protected]"
                ],
                "subject": "Emailing Sending.. WL-cbe100c9f42a20ef9a4b1c20ed1a59f9-0",
                "detectionTime": "2017-09-13T14:20:37.000Z",
                "malware": [
                    {
                        "malwareName": "Trojan.Generic.KD.874127",
                        "malwareType": "virus",
                        "actionTaken": "quarantine",
                        "infectedObject": "WL-cbe100c9f42a20ef9a4b1c20ed1a59f9-0"
                    }
                ],
                "module": "exchange-malware"
            }
        ]
    },
    "id": 1505312459584
}

Exchange License Usage Limit Has Been Reached

This event is generated when the Exchange license limit has been reached.

Parameters:

Name | Type | Mandatory | Description
--- | --- | --- | ---
module | string | yes | Event type identifier. Value: exchange-organization-info
companyId | string | yes | Company identifier

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "companyId": "59a14b271da197c6108b4567",
                "endpointId": "59b7d9bfa849af3a1465b7e3",
                "module": "exchange-organization-info",
                "mailboxes": 8,
                "license_limit": 5,
                "license_key": "5IMI111"
            }
        ]
    },
    "id": 1505387661508
}

Exchange User Credentials

This event is generated when an on-demand scan task could not start on the target Exchange server due to invalid user credentials. To complete the task, you need to change your Exchange credentials.

Parameters:

Name | Type | Mandatory | Description
--- | --- | --- | ---
module | string | yes | Event type identifier. Value: exchange-user-credentials
companyId | string | yes | Company identifier
endpointId | string | yes | Managed endpoint identifier in the GravityZone database

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "companyId": "59a14b271da197c6108b4567",
                "endpointId": "59b7d9bfa849af3a1465b7e3",
                "module": "exchange-user-credentials"
            }
        ]
    },
    "id": 1505387661508
}

Firewall

This event is generated when the endpoint agent blocks a port scan or an application from accessing the network, according to the applied policy.

Parameters:

Name | Type | Mandatory | Description
--- | --- | --- | ---
module | string | yes | Event type identifier. Value: fw
product_installed | string | yes | Identifier for the installed GravityZone component
companyId | string | yes | Company identifier
computer_name | string | yes | Computer name
computer_fqdn | string | yes | FQDN
computer_ip | string | yes | IP address
computer_id | string | yes | Unique endpoint identifier in the GravityZone database
status | string | yes | Status
local_port | string | no | Local port
protocol_id | string | no | The identifier of the protocol used by the blocked attack, as defined in the IANA Protocol Numbers registry
application_path | string | no | Application path
source_ip | string | no | Source IP address
last_blocked | timestamp | yes | Last timestamp this connection was blocked
count | integer | yes | How many times this connection was detected

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "companyId": "59a14b271da197c6108b4567",
                "computer_name": "FC-WIN7-X64-01",
                "computer_fqdn": "fc-win7-x64-01",
                "computer_ip": "192.168.0.1",
                "computer_id": "59a1604e60369e06733f8abb",
                "product_installed": "BEST",
                "status": "portscan_blocked",
                "protocol_id": "6",
                "source_ip": "192.168.0.2",
                "last_blocked": "2017-09-08T12:52:03.000Z",
                "count": 1,
                "module": "fw"
            }
        ]
    },
    "id": 1504875129648
}

Hyper Detect event

This event is generated when malware is detected by the Hyper Detect module.

Parameters:

Name | Type | Mandatory | Description
--- | --- | --- | ---
module | string | yes | Event type identifier. Value: hd
product_installed | string | yes | Identifier for the installed GravityZone component
companyId | string | yes | Company identifier
computer_name | string | yes | Computer name
computer_fqdn | string | yes | FQDN
computer_ip | string | yes | IP address
computer_id | string | yes | Unique endpoint identifier in the GravityZone database
malware_type | string | yes | Type of the detected malware: file, http, cookie, pop3, smtp, process, boot, registry, stream
malware_name | string | yes | Malware name
hash | string | no | Malware file sha256 hash
final_status | string | yes | Final status of the action taken on the file: ignored, still present, deleted, blocked, quarantined, disinfected, restored
container_id | string | no | The identifier of the container entity
container_host | string | no | The name of the host that manages the container entity
file_path | string | yes | Malware file path
attack_type | string | no | Values: targeted attack, grayware, exploits, ransomware, suspicious files and network traffic
detection_level | string | no | Values: permissive, normal, aggressive
is_fileless_attack | string | no | True for fileless attack
command_line_parameters | string | no | Command line parameters
process_info_path | string | no | Process path
process_info_command_line | string | no | Process command line parameters
parent_process_id | integer | no | Parent process ID
parent_process_path | string | no | Parent process path
hwid | string | yes | Hardware identifier
date | timestamp | yes | Timestamp when the malware was detected

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "module": "hd",
                "product_installed": "EPS",
                "user": {
                    "name": "admin",
                    "sid": "BF410F3B-5F3A-41E1-BF8F-28DE6948A355"
                },
                "computer_name": "DHMSI",
                "computer_fqdn": "dhmsi",
                "computer_ip": "10.10.18.226",
                "computer_id": "5c4999491ddfad7177316f80",
                "malware_type": "file",
                "malware_name": "",
                "hash": "hash_3",
                "final_status": "quarantined",
                "file_path": "44e695d9ed259aea10e5b57145d0d0dc.bender",
                "attack_type": "suspicious files and network traffic",
                "detection_level": "normal",
                "is_fileless_attack": 1,
                "command_line_parameters": "a b c",
                "process_info_path": "C:\\a.exe",
                "process_info_command_line": "c:\\a.exe  -testParam",
                "parent_process_id": 1716,
                "parent_process_path": "C:\\Windows\\System32\\cmd.exe",
                "hwid": "00000000-0000-0000-0000-406186b5****",
                "companyId": "5c497704f9bf8d0b1b4df***",
                "date": "2019-01-24T11:13:04.000Z"
            }
        ]
    },
    "id": 1547719287349
}

Product Modules Status

This event is generated when a security module of the installed agent gets enabled or disabled.

Parameters:

Name | Type | Mandatory | Description
--- | --- | --- | ---
module | string | yes | Event type identifier. Value: modules
product_installed | string | yes | Identifier for the installed GravityZone component
companyId | string | yes | Company identifier
computer_name | string | yes | Computer name
computer_fqdn | string | yes | FQDN
computer_ip | string | yes | IP address
computerId | string | yes | Unique endpoint identifier in the GravityZone database
container_id | string | no | The identifier of the container entity
container_host | string | no | The name of the host that manages the container entity
is_container_host | boolean | no | Whether the machine is a container host
malware_status | boolean | no | Antimalware module
aph_status | boolean | no | Antiphishing module
firewall_status | boolean | no | Firewall module
avc_status | boolean | no | Active Threat Control module
ids_status | boolean | no | Intrusion detection system module
uc_web_filtering | boolean | no | Content Control Web Access Control module
uc_categ_filtering | boolean | no | Content Control Web Categories Filtering module
uc_application_status | boolean | no | Content Control Application Blacklisting module
dp_status | boolean | no | Content Control Data Protection module
pu_status | boolean | no | Power User module
dlp_status | boolean | no | Device Control module
exchange_av_status | boolean | no | Exchange Protection Antimalware module
exchange_as_status | boolean | no | Exchange Protection Antispam module
exchange_at_status | boolean | no | Exchange Protection Attachment filtering module
exchange_cf_status | boolean | no | Exchange Protection Content filtering module
exchange_od_status | boolean | no | Exchange Protection On demand scan module
volume_encryption | boolean | no | Encryption module
patch_management | boolean | no | Patch management module
container_protection_status | boolean | no | Container Protection module
network_monitor_status | boolean | no | Network Attack Defense module

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "companyId": "59a14b271da197c6108b4567",
                "computer_name": "FC-WIN7-X64-01",
                "computer_fqdn": "fc-win7-x64-01",
                "computer_ip": "192.168.0.1",
                "computer_id": "59a1604e60369e06733f8abb",
                "product_installed": "BEST",
                "malware_status": 1,
                "aph_status": 1,
                "firewall_status": 1,
                "avc_status": 1,
                "uc_web_filtering": 0,
                "uc_categ_filtering": 0,
                "uc_application_status": 0,
                "dp_status": 0,
                "pu_status": 1,
                "dlp_status": 0,
                "module": "modules"
            }
        ]
    },
    "id": 1504871857671
}

Sandbox Analyzer Detection

This event is generated each time Sandbox Analyzer detects a new threat among the submitted files.

Parameters:

Name | Type | Mandatory | Description
--- | --- | --- | ---
module | string | yes | Event type identifier. Value: network-sandboxing
companyId | string | yes | Company identifier
endpointId | string | yes | Managed endpoint identifier in the GravityZone database
deviceExternalId | string | no | Unique endpoint identifier in the GravityZone database
submissionId | string | no | GravityZone network sandbox submission ID
computerName | string | yes | Computer name
computerIp | string | yes | Computer IP address
detectionTime | integer | yes | Detection time
threatType | string | yes | Threat type
filePaths | array | yes | File paths (array of strings)
fileSizes | array | yes | File sizes (array of strings)
remediationActions | array | yes | Remediation actions (array of strings). Possible values: 0 - disinfect, 1 - delete, 2 - move, 3 - reportOnly

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "companyId": "59a14b271da197c6108b4567",
                "endpointId": "59a1604e60369e06733f8aba",
                "computerName": "FC-WIN7-X64-01",
                "computerIp": "192.168.0.1",
                "detectionTime": 1505386969,
                "threatType": "RANSOMWARE",
                "filePaths": [
                    "C:\\Users\\Administrator\\Documents\\installer.xml",
                    "D:\\opt\\bitdefender\\installer2.xml",
                    "D:\\sources\\console\\CommonConsole\\app\\modules\\policies\\view\\endpoints\\networkSandboxing\\installer3.xml"
                ],
                "fileSizes": [
                    "2614",
                    "2615",
                    "2616"
                ],
                "remediationActions": [
                    "1",
                    "",
                    "1"
                ],
                "module": "network-sandboxing"
            }
        ]
    },
    "id": 1505386971126
}
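A schema check for two of the event types documented above, the Antimalware ("av") and Sandbox Analyzer Detection ("network-sandboxing") tables, as an added example that is not Bitdefender's code. The required-field lists are copied from those tables; the sample events are abbreviated from this page's examples. It handles two quirks visible on the page: a "timestamp" field is an ISO 8601 string for av but detectionTime is an integer epoch for the sandbox event, and remediationActions codes arrive as strings, with "" where no action was recorded.

```python
"""Schema check for two event types documented on this page: Antimalware ("av")
and Sandbox Analyzer Detection ("network-sandboxing").

Added example, not Bitdefender's code. Required fields and type names come from the
parameter tables above. Two page-specific quirks are handled: "timestamp" fields are
ISO 8601 strings for av but detectionTime is an integer epoch for network-sandboxing,
and remediationActions codes arrive as strings ("1", or "" when no action is recorded).
"""
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Mandatory fields per module, copied from the tables above.
REQUIRED: Dict[str, Dict[str, str]] = {
    "av": {
        "module": "string", "product_installed": "string", "companyId": "string",
        "computer_name": "string", "computer_fqdn": "string", "computer_ip": "string",
        "computer_id": "string", "malware_type": "string", "malware_name": "string",
        "final_status": "string", "file_path": "string", "timestamp": "timestamp",
    },
    "network-sandboxing": {
        "module": "string", "companyId": "string", "endpointId": "string",
        "computerName": "string", "computerIp": "string", "detectionTime": "integer",
        "threatType": "string", "filePaths": "array", "fileSizes": "array",
        "remediationActions": "array",
    },
}
# Closed value sets the tables document.
AV_FINAL_STATUS = {"ignored", "still present", "deleted", "blocked",
                   "quarantined", "disinfected", "restored"}
REMEDIATION = {"0": "disinfect", "1": "delete", "2": "move", "3": "reportOnly"}

# Constructed samples, abbreviated from this page's examples.
SAMPLE_AV = {
    "module": "av", "product_installed": "BEST", "companyId": "59a14b271da197c6108b4567",
    "computer_name": "FC-WIN7-X64-01", "computer_fqdn": "fc-win7-x64-01",
    "computer_ip": "10.17.46.196", "computer_id": "59a1604e60369e06733f8abb",
    "malware_type": "file", "malware_name": "EICAR-Test-File (not a virus)",
    "file_path": "C:\\eicar0000001.txt", "final_status": "deleted",
    "timestamp": "2017-09-08T12:01:36.000Z",
}
SAMPLE_SANDBOX = {
    "module": "network-sandboxing", "companyId": "59a14b271da197c6108b4567",
    "endpointId": "59a1604e60369e06733f8aba", "computerName": "FC-WIN7-X64-01",
    "computerIp": "192.168.0.1", "detectionTime": 1505386969, "threatType": "RANSOMWARE",
    "filePaths": ["C:\\Users\\Administrator\\Documents\\installer.xml",
                  "D:\\opt\\bitdefender\\installer2.xml"],
    "fileSizes": ["2614", "2615"], "remediationActions": ["1", ""],
}


def parse_timestamp(value) -> datetime:
    """Accept both representations used on this page: ISO 8601 'Z' strings and epoch seconds."""
    if isinstance(value, int) and not isinstance(value, bool):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    if isinstance(value, str) and value.endswith("Z"):
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    raise ValueError(f"unsupported timestamp: {value!r}")


def _type_ok(kind: str, value) -> bool:
    """Map the page's type names onto JSON types; bool is not accepted as an integer."""
    if kind == "timestamp":
        try:
            parse_timestamp(value)
            return True
        except ValueError:
            return False
    expected = {"string": str, "integer": int, "array": list}[kind]
    return isinstance(value, expected) and not isinstance(value, bool)


def validate_event(event: dict) -> List[str]:
    """Return the problems found; an empty list means the event satisfies its table."""
    module = event.get("module")
    if module not in REQUIRED:
        return [f"unknown or unsupported module: {module!r}"]
    problems = []
    for name, kind in REQUIRED[module].items():
        if name not in event:
            problems.append(f"missing mandatory field {name}")
        elif not _type_ok(kind, event[name]):
            problems.append(f"field {name} is not a {kind}")
    if module == "av" and event.get("final_status") not in AV_FINAL_STATUS:
        problems.append(f"final_status {event.get('final_status')!r} not in documented values")
    if module == "network-sandboxing":
        paths, sizes, actions = (event.get(k, []) for k in ("filePaths", "fileSizes", "remediationActions"))
        if not len(paths) == len(sizes) == len(actions):
            problems.append("filePaths, fileSizes and remediationActions must be parallel arrays")
        bad = [a for a in actions if a and a not in REMEDIATION]
        if bad:
            problems.append(f"undocumented remediation codes: {bad}")
    return problems


def sandbox_actions(event: dict) -> List[Tuple[str, str]]:
    """Pair each submitted file with its decoded remediation action ("" decodes to 'none')."""
    return [(p, REMEDIATION.get(a, "none"))
            for p, a in zip(event["filePaths"], event["remediationActions"])]
```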

Product Registration

This event is generated when the registration status of an agent installed in your network has changed.

Parameters:

Name | Type | Mandatory | Description
--- | --- | --- | ---
module | string | yes | Event type identifier. Value: registration
product_installed | string | yes | Identifier for the installed GravityZone component
companyId | string | yes | Company identifier
computer_name | string | yes | Computer name
computer_fqdn | string | yes | FQDN
computer_ip | string | yes | IP address
computer_id | string | yes | Unique endpoint identifier in the GravityZone database
container_id | string | no | The identifier of the container entity
container_host | string | no | The name of the host that manages the container entity
is_container_host | boolean | no | Whether the machine is a container host
product_registration | string | yes | Values: registered, unregistered

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "companyId": "59a14b271da197c6108b4567",
                "computer_name": "FC-EXCHANGE-01",
                "computer_fqdn": "fc-exchange-01.fc.dom",
                "computer_ip": "192.168.0.1",
                "computer_id": "59b7d9bfa849af3a1465b7e4",
                "product_installed": "BEST",
                "product_registration": "registered",
                "module": "registration"
            }
        ]
    },
    "id": 1505221060168
}

Outdated Update Server

This event is generated when an update server has outdated malware signatures.

Parameters:

Name | Type | Mandatory | Description
--- | --- | --- | ---
fromSupa | boolean | yes | Identifies events sent from Relays (always true)
module | string | yes | Event type identifier. Value: supa-update-status
product_installed | string | yes | Identifier for the installed GravityZone component
companyId | string | yes | Company identifier
computer_name | string | yes | Computer name
computer_fqdn | string | yes | FQDN
computer_ip | string | yes | IP address
computer_id | string | yes | Unique endpoint identifier in the GravityZone database
status | boolean | yes | Update status

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "companyId": "59a14b271da197c6108b4567",
                "computer_name": "FC-WIN7-X64-01",
                "computer_fqdn": "fc-win7-x64-01",
                "computer_ip": "192.168.0.1",
                "computer_id": "59a1604e60369e06733f8abb",
                "product_installed": "BEST",
                "status": 0,
                "fromSupa": 1,
                "module": "supa-update-status"
            }
        ]
    },
    "id": 1505379714808
}

Overloaded Security Server

This event is generated when the scan load on a Security Server in your network exceeds the defined threshold.

Parameters:

Name | Type | Mandatory | Description
--- | --- | --- | ---
module | string | yes | Event type identifier. Value: sva-load
product_installed | string | yes | Identifier for the installed GravityZone component
companyId | string | yes | Company identifier
computer_name | string | yes | Computer name
computer_fqdn | string | yes | FQDN
computer_ip | string | yes | IP address
computer_id | string | yes | Unique endpoint identifier in the GravityZone database
loadAverage | integer | yes | Load average
cpuUsage | integer | yes | CPU usage
memoryUsage | integer | yes | Memory usage
networkUsage | integer | yes | Network usage
overallUsage | integer | yes | Overall usage
svaLoad | string | no | SVA load

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "companyId": "59a14b271da197c6108b4567",
                "computer_name": "bitdefender-sva",
                "computer_fqdn": "bitdefender-sva",
                "computer_ip": "192.168.0.1",
                "computer_id": "59b8f3aba849af3a1465b81e",
                "product_installed": "SVA",
                "loadAverage": 1,
                "cpuUsage": 48,
                "memoryUsage": 32,
                "networkUsage": 0,
                "overallUsage": 48,
                "svaLoad": "Normal",
                "module": "sva-load"
            }
        ]
    },
    "id": 1505293227782
}

Security Server Status

This event is created when the status of a certain Security Server changes. The status refers to power (powered on/powered off), product update, signatures update and reboot required.

Parameters:

Name | Type | Mandatory | Description
--- | --- | --- | ---
module | string | yes | Event type identifier. Value: sva
product_installed | string | yes | Identifier for the installed GravityZone component
companyId | string | yes | Company identifier
computer_name | string | yes | Computer name
computer_fqdn | string | yes | FQDN
computer_ip | string | yes | IP address
computer_id | string | yes | Unique endpoint identifier in the GravityZone database
powered_off | boolean | yes | Powered off
product_update_available | boolean | no | Product update available
signature_update | timestamp | no | Last signatures update timestamp
product_reboot_required | boolean | no | True if a reboot is required
lastupdate | string | no | Last update
lastupdateerror | string | no | Last update error
updatesigam | string | no | Security Server engines version

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "companyId": "59a14b271da197c6108b4567",
                "computer_name": "bitdefender-sva",
                "computer_fqdn": "bitdefender-sva",
                "computer_ip": "192.168.0.1",
                "computer_id": "59b8f3aba849af3a1465b81e",
                "product_installed": "SVA",
                "powered_off": 0,
                "product_update_available": 1,
                "product_reboot_required": 0,
                "lastupdate": "0",
                "updatesigam": "7.72479",
                "module": "sva"
            }
        ]
    },
    "id": 1505293227782
}

Antiexploit Event

This event is generated when Advanced Anti-Exploit triggers a detection.

Parameters:

Name | Type | Mandatory | Description
--- | --- | --- | ---
module | string | yes | Event type identifier. Value: antiexploit
product_installed | string | yes | Identifier for the installed GravityZone component
companyId | string | yes | Company identifier
computer_name | string | yes | Computer name
computer_fqdn | string | yes | FQDN
computer_ip | string | yes | IP address
computer_id | string | yes | Unique endpoint identifier in the GravityZone database
container_id | string | no | The identifier of the container entity
container_host | string | no | The name of the host that manages the container entity
endpointId | string | yes | Managed endpoint identifier in the GravityZone database
detection_action | string | yes | The action that was taken upon the detection
detection_threatName | string | no | Threat type
detection_pid | string | yes | The pid of the detection
detection_exploitTechnique | string | yes | The technique employed in the detection
detection_parentPid | string | no | The pid of the parent of the detected process
detection_path | string | yes | The path of the detection
detection_parentPath | string | no | The path of the parent process of the detection
detection_cve | string | no | Detection CVE
detection_payload | string | no | Detection payload
detection_username | string | no | The user that was logged in when the detection occurred
detection_time | timestamp | yes | Time of the event as reported by the product, already formatted in a string representation

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "module": "antiexploit",
                "product_installed": "BEST",
                "companyId": "5cf10c8af23f73097377c924",
                "computer_name": "TEST_ENDPOINT",
                "computer_fqdn": "test-endpoint.dsd.ro",
                "computer_ip": "10.10.18.226",
                "computer_id": "5cf51ba5e8ee8c5b1852a9d7",
                "endpointId": "5cf51ba5e8ee8c5b1852a9d6",
                "detection_action": "kill",
                "detection_threatName": "EICAR-Test-File (not a virus)",
                "detection_pid": "2000",
                "detection_exploitTechnique": "Flash/Generic",
                "detection_parentPid": "4000",
                "detection_path": "C:\\file15c8ba8b90ea1de127962f464.exe",
                "detection_parentPath": "C:\\file25c8ba8b90ea1de127962f464.exe",
                "detection_username": "[email protected]",
                "detection_time": "2019-06-03T13:58:30.000Z"
            }
        ]
    },
    "id": 1547719287349
}

Network Attack Defense Event

This event is generated when the Network Attack Defense module triggers a detection.

Parameters:

| Name | Type | Mandatory | Description |
| --- | --- | --- | --- |
| module | string | yes | Event type identifier. Value: network-monitor |
| product_installed | string | yes | Identifier for the installed GravityZone component |
| companyId | string | yes | Company identifier |
| computer_name | string | yes | Computer name |
| computer_fqdn | string | yes | FQDN |
| computer_ip | string | yes | IP address |
| computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
| endpointId | string | yes | Endpoint identifier |
| label | string | no | The label set in the Network grid by the Admin |
| actionTaken | string | yes | The action that was taken upon the detection |
| detection_name | string | yes | The name of the detection as received from BEST |
| detection_attackTechnique | string | yes | Name of the attack technique as set in the Network Attack Defense policy |
| source_ip | string | yes | IP of the attack source |
| victim_ip | string | yes | IP of the victim's endpoint |
| local_port | string | yes | The port on which the attack occurred |
| timestamp | timestamp | yes | Time of the event as reported by the product, already formatted as a string |

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "module": "network-monitor",
                "product_installed": "BEST",
                "user": {
                    "userName": "[email protected]",
                    "userSid": "S-1-2-3-4"
                },
                "computer_name": "TEST_ENDPOINT",
                "computer_fqdn": "test-endpoint.dsd.ro",
                "computer_ip": "10.10.18.226",
                "computer_id": "5d639e8f48ac2f04f6e00b1c",
                "actionTaken": "reportOnly",
                "detection_name": "PrivacyThreat.PasswordStealer.HTTP",
                "detection_attackTechnique": "discovery",
                "source_ip": "10.17.134.4",
                "victim_ip": "213.211.198.58",
                "local_port": "80",
                "timestamp": "2019-01-24T11:13:04.000Z"
            }
        ]
    },
    "id": 1547719287349
}
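As an added example that is not part of the Bitdefender documentation, the following Python receiver unwraps the addEvents envelope and checks each event against the mandatory parameters of the Antiexploit and Network Attack Defense tables above. The field lists are transcribed from those tables; the sample batch at the bottom is constructed for this example.

```python
"""Receiver-side validation of Event Push Service batches.

Added example, not Bitdefender's code: it unwraps the JSON-RPC "addEvents"
envelope and checks each event against the mandatory parameters listed on
this page for the "antiexploit" and "network-monitor" modules. The sample
batch at the bottom is constructed for this example.
"""
import json

# Parameters that both event tables above mark as mandatory.
COMMON_REQUIRED = (
    "module", "product_installed", "companyId", "computer_name",
    "computer_fqdn", "computer_ip", "computer_id", "endpointId",
)

# Module-specific mandatory parameters, transcribed from the two tables.
MODULE_REQUIRED = {
    "antiexploit": (
        "detection_action", "detection_pid", "detection_exploitTechnique",
        "detection_path", "detection_time",
    ),
    "network-monitor": (
        "actionTaken", "detection_name", "detection_attackTechnique",
        "source_ip", "victim_ip", "local_port", "timestamp",
    ),
}


def unwrap_envelope(body: str) -> tuple:
    """Return (request id, events list) from an addEvents body, or raise ValueError."""
    msg = json.loads(body)
    if msg.get("jsonrpc") != "2.0" or msg.get("method") != "addEvents":
        raise ValueError("not a JSON-RPC 2.0 addEvents call")
    events = (msg.get("params") or {}).get("events")
    if not isinstance(events, list):
        raise ValueError("params.events must be an array")
    return msg.get("id"), events


def validate_event(event: dict) -> list:
    """Return the problems found in one event; an empty list means it is valid."""
    module = event.get("module")
    if module not in MODULE_REQUIRED:
        return [f"unsupported module {module!r}"]
    problems = []
    for field in COMMON_REQUIRED + MODULE_REQUIRED[module]:
        if field not in event:
            problems.append(f"missing mandatory field {field}")
        elif event[field] in ("", None):
            problems.append(f"empty mandatory field {field}")
    return problems


def process_batch(body: str) -> dict:
    """Split a batch into accepted events and rejected (index, problems) pairs."""
    request_id, events = unwrap_envelope(body)
    accepted, rejected = [], []
    for index, event in enumerate(events):
        problems = validate_event(event)
        if problems:
            rejected.append((index, problems))
        else:
            accepted.append(event)
    return {"id": request_id, "accepted": accepted, "rejected": rejected}


# Constructed sample batch: one complete antiexploit event, one
# network-monitor event with victim_ip missing, and one unknown module.
SAMPLE_BATCH = json.dumps({
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {"events": [
        {
            "module": "antiexploit", "product_installed": "BEST",
            "companyId": "000000000000000000000001",
            "computer_name": "WS-01", "computer_fqdn": "ws-01.example.test",
            "computer_ip": "10.0.0.5", "computer_id": "000000000000000000000002",
            "endpointId": "000000000000000000000003",
            "detection_action": "kill", "detection_pid": "2000",
            "detection_exploitTechnique": "Flash/Generic",
            "detection_path": "C:\\Users\\u\\sample.exe",
            "detection_time": "2019-06-03T13:58:30.000Z",
        },
        {
            "module": "network-monitor", "product_installed": "BEST",
            "companyId": "000000000000000000000001",
            "computer_name": "WS-02", "computer_fqdn": "ws-02.example.test",
            "computer_ip": "10.0.0.6", "computer_id": "000000000000000000000004",
            "endpointId": "000000000000000000000005",
            "actionTaken": "reportOnly",
            "detection_name": "PrivacyThreat.PasswordStealer.HTTP",
            "detection_attackTechnique": "discovery",
            "source_ip": "10.0.0.9", "local_port": "80",
            "timestamp": "2019-01-24T11:13:04.000Z",
        },
        {"module": "not-a-module"},
    ]},
    "id": 1,
})

if __name__ == "__main__":
    result = process_batch(SAMPLE_BATCH)
    print(len(result["accepted"]), "accepted;", result["rejected"])
```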

Task Status

This event is generated each time a task status changes.

Parameters:

| Name | Type | Mandatory | Description |
| --- | --- | --- | --- |
| module | string | yes | Event type identifier. Value: task-status |
| product_installed | string | yes | Identifier for the installed GravityZone component |
| companyId | string | yes | Company identifier |
| computer_name | string | yes | Computer name |
| computer_fqdn | string | yes | FQDN |
| computer_ip | string | yes | IP address |
| computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
| userId | string | yes | User identifier |
| taskId | string | yes | Task identifier |
| taskName | string | yes | Task name |
| taskType | integer | yes | Task type |
| targetName | string | yes | Task name |
| isSuccessful | boolean | yes | True if the task was executed successfully |
| status | integer | yes | Task status |
| errorMessage | string | yes | Error message |
| errorCode | integer | yes | Error code |

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "companyId": "59a14b271da197c6108b4567",
                "computer_name": "FC-WIN7-X64-01",
                "computer_fqdn": "fc-win7-x64-01",
                "computer_ip": "192.168.0.1",
                "computer_id": "59a1604e60369e06733f8abb",
                "product_installed": "BEST",
                "userId": "59a14b2b1da197c6108b4568",
                "taskId": "59b28dc81da19711058b4568",
                "taskName": "Quick Scan 2017-09-08(sub-task)",
                "taskType": 272,
                "targetName": "FC-WIN7-X64-01",
                "isSuccessful": 1,
                "status": 3,
                "errorMessage": "",
                "errorCode": 0,
                "module": "task-status"
            }
        ]
    },
    "id": 1504874269032
}

User Control/Content Control

This event is generated when a user activity, such as web browsing or running a software application, is blocked on the endpoint according to the applied policy.

Important

Depending on your designated server, you might not have this event type activated by default. Log in to your console and check your URL: if you are using https://cloud.gravityzone.bitdefender.com, you need to contact support and request them to activate the event type.

Parameters:

| Name | Type | Mandatory | Description |
| --- | --- | --- | --- |
| module | string | yes | Event type identifier. Value: uc |
| product_installed | string | yes | Identifier for the installed GravityZone component |
| companyId | string | yes | Company identifier |
| computer_name | string | yes | Computer name |
| computer_fqdn | string | yes | FQDN |
| computer_ip | string | yes | IP address |
| computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
| uc_type | string | no | Values: application, http |
| url | string | no | URL |
| block_type | string | no | Values: application, http_timelimiter, http_blacklist, http_categories, http_bogus, http_antimalware |
| categories | string | no | Values: WebProxy, Games, Tabloids, Hate, Gambling, Drugs, Illegal, Shopping, OnlinePay, Video, SocialNetwork, OnlineDating, IM, SearchEngines, RegionalTLDS, News, Pornography, MatureContent, Blog, FileSharing, Narcotics, VideoOnline, Religious, Suicide, Health, ViolentCartoons, Weapons, Hacking, Scams, CasualGames, OnlineGames, ComputerGames, PhotosOnline, Ads, Advice, Bank, Business, ComputerAndSoftware, Education, Entertainment, Government, Hobbies, Hosting, JobSearch, Portals, RadioMusic, Sports, TimeWasters, Travel, WebMail |
| application_path | string | no | Application path |
| status | string | no | Values: uc_application_blocked, uc_site_blocked |
| last_blocked | timestamp | no | Last timestamp this malware was blocked |
| count | integer | no | How many times this malware was detected |

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "companyId": "59a14b271da197c6108b4567",
                "computer_name": "FC-WIN7-X64-01",
                "computer_fqdn": "fc-win7-x64-01",
                "computer_ip": "192.168.0.1",
                "computer_id": "59a1604e60369e06733f8abb",
                "product_installed": "BEST",
                "uc_type": "http",
                "url": "http://192.168.0.1:2869/upnphost/udhisapi.dll",
                "block_type": "http_timelimiter",
                "categories": "",
                "status": "uc_site_blocked",
                "last_blocked": "2017-09-08T12:46:30.000Z",
                "count": 1,
                "module": "uc"
            }
        ]
    },
    "id": 1504874799367
}

Storage Antimalware Event

This event is generated each time SVA detects a new threat on the protected storage (NAS).

Parameters:

| Name | Type | Mandatory | Description |
| --- | --- | --- | --- |
| module | string | yes | Event type identifier. Value: storage-antimalware |
| companyId | string | yes | Company identifier |
| endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
| computer_name | string | yes | Computer name |
| storage_name | string | yes | The name of the storage unit |
| storage_ip | string | yes | The IP address of the storage unit |
| storage_type | string | yes | The type of the storage unit (e.g., Nutanix, Citrix) |
| file_path | string | yes | File path |
| file_hash | string | yes | File hash |
| malware_type | string | yes | Describes the type of malware as defined by Bitdefender. Possible values are: 'file', 'http', 'cookie', 'pop3', 'smtp', 'process', 'boot', 'registry' and 'stream' |
| malware_name | string | yes | Name of the malware as defined by Bitdefender |
| status | string | yes | Final status for the detected objects. Possible values are: still present, deleted, blocked, quarantined, disinfected, restored |
| detection_time | timestamp | yes | Time of the event as reported by the product, already formatted as a string |

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "companyId": "59a14b271da197c6108b4567",
                "endpointId": "59a1604e60369e06733f8aba",
                "computerName": "SVA_WITH_ICAP",
                "storage_name": "fileserver001",
                "storage_ip": "192.168.0.1",
                "storage_type": "Nutanix",
                "file_path": "C:\\Users\\Administrator\\Documents\\installer.xml",
                "file_hash": "04d7cff845e23111633cc0a268634f5e6c18145d0a9b5a38dedd8a58a422001c",
                "malware_type": "1",
                "malware_name": "BAT.Trojan.FormatC.Z",
                "status": "5",
                "detection_time": "2018-05-07T10:23:43.000Z",
                "module": "storage-antimalware"
            }
        ]
    },
    "id": 1505386971126
}

Install Agent

This event is generated when the agent is installed on endpoints.

Parameters:

| Name | Type | Mandatory | Description |
| --- | --- | --- | --- |
| module | string | yes | Event type identifier. Value: install |
| product_installed | string | yes | Identifier for the installed GravityZone component |
| companyId | string | yes | Company identifier |
| computer_name | string | yes | Computer name |
| computer_fqdn | string | yes | FQDN |
| computer_ip | string | yes | IP address |
| computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
| endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
| hwid | string | yes | Hardware identifier |

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "product_installed": "BEST",
                "companyId": "59a14b271da197c6108b4567",
                "computer_name": "TEST_ENDPOINT",
                "computer_fqdn": "test-endpoint.dsd.ro",
                "computer_ip": "10.10.18.226",
                "computer_id": "5cf51ba5e8ee8c5b1852a9d7",
                "module": "install",
                "endpointId": "5e2085febf255a545e52276b",
                "hwid": "00000000-0000-0000-0000-406186b5bdbd50"
            }
        ]
    },
    "id": 1547719287350
}

Uninstall Agent

This event is generated when an agent is uninstalled from an endpoint.

Parameters:

| Name | Type | Mandatory | Description |
| --- | --- | --- | --- |
| module | string | yes | Event type identifier. Value: uninstall |
| product_installed | string | yes | Identifier for the installed GravityZone component |
| companyId | string | yes | Company identifier |
| computer_name | string | yes | Computer name |
| computer_fqdn | string | yes | FQDN |
| computer_ip | string | yes | IP address |
| computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
| endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
| reason | integer | yes | Uninstall method. Available options: 1 - local uninstall; 2 - deleted from the network inventory in GravityZone Control Center; 3 - uninstall task from GravityZone Control Center |

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "product_installed": "BEST",
                "companyId": "59a14b271da197c6108b4567",
                "computer_name": "TEST_ENDPOINT",
                "computer_fqdn": "test-endpoint.dsd.ro",
                "computer_ip": "10.10.18.226",
                "computer_id": "59b7d9bfa849af3a1465b7e4",
                "endpointId": "5e2085febf255a545e52276b",
                "reason": 1,
                "module": "uninstall"
            }
        ]
    },
    "id": 1505221060168
}

Hardware ID Change

This event is generated when the hardware ID of an endpoint from your network is changed.

Parameters:

| Name | Type | Mandatory | Description |
| --- | --- | --- | --- |
| module | string | yes | Event type identifier. Value: hwid-change |
| product_installed | string | yes | Identifier for the installed GravityZone component |
| companyId | string | yes | Company identifier |
| computer_name | string | yes | Computer name |
| computer_fqdn | string | yes | FQDN |
| computer_ip | string | yes | IP address |
| computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
| old_hwid | string | yes | The old hardware ID of the machine |
| new_hwid | string | yes | The new hardware ID of the machine |
| endpointId | string | yes | Managed endpoint identifier in the GravityZone database |

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "module": "hwid-change",
                "product_installed": "BEST",
                "companyId": "5e207bc354060806ed24a132",
                "computer_name": "A",
                "computer_fqdn": "test-endpoint.dsd.ro",
                "computer_ip": "10.10.18.526",
                "computer_id": "5e284ff5b7e43d387ba54a96",
                "old_hwid": "00000000-0000-0000-0000-406186b5bde7",
                "new_hwid": "00000000-0000-0000-0000-406186b5bde6",
                "endpointId": "5e284ff5b7e43d387ba54a95"
            }
        ]
    },
    "id": 1547719287349
}

Endpoint moved in

This event is generated when endpoints are moved in Network Inventory from one company to another. The event is received by the destination company.

Parameters:

| Name | Type | Mandatory | Description |
| --- | --- | --- | --- |
| module | string | yes | Event type identifier. Value: endpoint-moved-in |
| product_installed | string | yes | Identifier for the installed GravityZone component |
| companyId | string | yes | Company identifier |
| computer_name | string | yes | Computer name |
| computer_fqdn | string | yes | FQDN |
| computer_ip | string | yes | IP address |
| computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
| endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
| hwid | string | yes | Hardware identifier |

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "product_installed": "BEST",
                "companyId": "59a14b271da197c6108b4568",
                "computer_name": "TEST_ENDPOINT",
                "computer_fqdn": "test-endpoint.dsd.ro",
                "computer_ip": "10.10.18.226",
                "computer_id": "59b7d9bfa849af3a1465b7e3",
                "endpointId": "5e2085febf255a545e52276a",
                "module": "endpoint-moved-in",
                "hwid": "5e284ff-5b7e43d387ba-54a95"
            }
        ]
    },
    "id": 1505221060169
}

Endpoint moved out

This event is generated when endpoints are moved in Network Inventory from one company to another. The event is received by the source company.

Parameters:

| Name | Type | Mandatory | Description |
| --- | --- | --- | --- |
| module | string | yes | Event type identifier. Value: endpoint-moved-out |
| product_installed | string | yes | Identifier for the installed GravityZone component |
| companyId | string | yes | Company identifier |
| computer_name | string | yes | Computer name |
| computer_fqdn | string | yes | FQDN |
| computer_ip | string | yes | IP address |
| computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
| endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
| hwid | string | yes | Hardware identifier |

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "product_installed": "BEST",
                "companyId": "59a14b271da197c6108b4567",
                "computer_name": "TEST_ENDPOINT",
                "computer_fqdn": "test-endpoint.dsd.ro",
                "computer_ip": "10.10.18.226",
                "computer_id": "59b7d9bfa849af3a1465b7e4",
                "endpointId": "5e2085febf255a545e52276b",
                "module": "endpoint-moved-out",
                "hwid": "5e284ff-5b7e43d387ba-54a95"
            }
        ]
    },
    "id": 1505221060170
}

Troubleshooting activity

The event is generated when a troubleshooting task ends, and it informs you of its status. If successful, it provides you with the logs.

Parameters:

| Name | Type | Mandatory | Description |
| --- | --- | --- | --- |
| module | string | yes | Event type identifier. Value: troubleshooting-activity |
| product_installed | string | yes | Identifier for the installed GravityZone component |
| companyId | string | yes | Company identifier |
| computer_name | string | yes | Computer name |
| computer_fqdn | string | yes | FQDN |
| computer_ip | string | yes | IP address |
| computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
| taskId | string | yes | The ID of the current Troubleshooting task |
| taskType | string | yes | The type of the task |
| errorCode | integer | yes | Integer representing the error code if the task has failed |
| username | string | no | Name of the user account that started the Troubleshooting task |
| localPath | string | no | The path on the target machine where the Troubleshooting archive is placed |
| networkSharePath | string | no | The path on the network share where the Troubleshooting archive is placed |
| saveToBitdefenderCloud | boolean | no | Whether the Troubleshooting archive is also uploaded to Bitdefender Cloud |
| status | integer | yes | The status with which the task has finished |
| stopReason | integer | no | The reason for which the Troubleshooting activity was stopped |
| failedStorageType | integer | no | Which delivery method failed, when some delivery methods succeeded and others did not |
| startDate | timestamp | no | Timestamp of when the Troubleshooting activity started |
| endDate | timestamp | no | Time of the event as reported by the product, already formatted as a string |

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "product_installed": "BEST",
                "companyId": "59a14b271da197c6108b4567",
                "computer_name": "TEST_ENDPOINT_WINDOWS_10",
                "computer_fqdn": "test-endpoint.dsd.ro",
                "computer_ip": "10.10.0.101",
                "computer_id": "5ee30e2b29a4e218489442b6",
                "module": "troubleshooting-activity",
                "taskId": "5eea0105f23f731302405833",
                "taskType": "Debug Session",
                "errorCode": 3,
                "username": "[email protected]",
                "localPath": "/test/dir",
                "networkSharePath": "//1.2.3.4/dir",
                "saveToBitdefenderCloud": 0,
                "status": 3,
                "stopReason": 2,
                "failedStorageType": 1,
                "startDate": "2020-06-24T06:06:48.000Z",
                "endDate": "2020-06-24T06:09:28.000Z"
            }
        ]
    },
    "id": 1505221060169
}

Device Control

Every time the Device Control module detects a device inserted into a client system, an event is generated.

Parameters:

| Name | Type | Mandatory | Description |
| --- | --- | --- | --- |
| module | string | yes | Event type identifier. Value: device-control |
| product_installed | string | yes | Identifier for the installed GravityZone component |
| companyId | string | yes | Company identifier |
| computer_name | string | yes | Computer name |
| computer_fqdn | string | yes | FQDN |
| computer_ip | string | yes | IP address |
| computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
| username | string | no | The user that was logged in when the incident was found |
| silentAgentVersion | string | no | Agent version |
| action | string | yes | Action taken on the device: allowed, blocked, readonly. Present only when the state of the device is added. |
| deviceName | string | no | A descriptive name for the device |
| deviceClass | integer | yes | Device class |
| deviceId | string | no | Device ID |
| productId | integer | no | Product ID of the device |
| vendorId | integer | no | ID of the vendor |
| date | timestamp | yes | The date when the device was blocked |

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "module": "device-control",
                "product_installed": "BEST",
                "computer_name": "FC-WIN7-X64-01",
                "computer_fqdn": "fc-win7-x64-01",
                "computer_ip": "10.17.46.207",
                "computer_id": "5d529fb7008739443adb4003",
                "username": "Admin",
                "action": "blocked",
                "deviceName": "CD-ROM Drive",
                "deviceClass": 2,
                "deviceId": "IDE\\CDROMNECVMWAR_VMWARE_IDE_CDR10_______________1.00____\\5&3A794E10&0&1.0.0",
                "productId": 0,
                "vendorId": 0,
                "date": "2019-08-13T11:33:18.000Z"
            }
        ]
    },
    "id": 1565697106257
}

Ransomware activity detection

This event occurs when the endpoint agent blocks a ransomware attack.

Parameters:

| Name | Type | Mandatory | Description |
| --- | --- | --- | --- |
| module | string | yes | Event type identifier. Value: ransomware-mitigation |
| product_installed | string | yes | Identifier for the installed GravityZone component |
| companyId | string | yes | Company identifier |
| computer_name | string | yes | Computer name |
| computer_fqdn | string | yes | FQDN |
| computer_ip | string | yes | IP address |
| computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
| company_name | string | yes | The company in which the attack was detected |
| endpoint_id | string | yes | Managed endpoint identifier in the GravityZone database |
| attack_type | string | yes | Ransomware attack type |
| item_count | string | yes | The number of files encrypted during the attack |
| detected_on | integer | yes | The date and time when the attack was detected |
| attack_source | string | yes | The remote IP address for a remote attack, or the process path for a local attack |

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "module": "ransomware-mitigation",
                "companyId": "5dad6f685f627d42cb3cd434",
                "product_installed": "SVA",
                "user": {
                    "name": "user",
                    "sid": "S-11-22-33"
                },
                "company_name": "Bitdefender",
                "computer_name": "DC-Nebula",
                "computer_fqdn": "dc-nebula.nebula.local",
                "computer_ip": "10.17.16.10",
                "computer_id": "5ed4d2fef23f7325715dbb22",
                "attack_type": "remote",
                "item_count": "23",
                "detected_on": 1591007594,
                "attack_source": "10.10.20.120"
            }
        ]
    },
    "id": 1505221060169
}

New Incident

This event is generated every time a new Root Cause Analysis (RCA) is displayed under the Incidents section of Control Center. The event contains a list of relevant items extracted from the RCA JSON, which you can use to enrich SIEM-driven correlations with EDR-specific data.

Parameters:

| Name | Type | Mandatory | Description |
| --- | --- | --- | --- |
| module | string | yes | Event type identifier. Value: new-incident |
| computer_name | string | yes | Computer name |
| computer_fqdn | string | yes | FQDN |
| computer_ip | string | yes | Computer IP address |
| computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
| incident_id | string | yes | Incident identifier |
| severity_score | integer | yes | Severity score |
| attack_entry | integer | yes | Attack entry |
| main_action | string | yes | Main action |
| detection_name | string | no | Detection name |
| file_name | string | no | File name |
| file_path | string | no | File path |
| file_hash_md5 | string | no | MD5 file hash |
| file_hash_sha256 | string | no | SHA-256 file hash |
| url | string | no | Domain URL |
| port | integer | no | Domain port |
| protocol | string | no | Application protocol |
| source_ip | string | no | Source IP address |
| process_pid | integer | no | Process PID |
| process_path | string | no | Process path |
| parent_process_pid | integer | no | Parent process PID |
| parent_process_path | string | no | Parent process path |
| attack_types | array | no | Attack types |
| att_ck_id | array | no | MITRE ATT&CK technique IDs |
| process_command_line | string | no | Process parameters in command line |
| severity | string | yes | The severity of the produced event |
| companyId | string | yes | Company identifier |
| endpointId | string | yes | Endpoint identifier |
| username | string | no | The user that was logged in when the incident was found |
| user_sid | string | no | The SID of the user involved with the event source |

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "module": "new-incident",
                "created": "2020-07-20T09:36:23.485Z",
                "computer_id": "5efb3a520075db7384dfa286",
                "computer_fqdn": "desktop-jac14gs",
                "computer_name": "DESKTOP-JAC14GS",
                "detection_name": "ATC.Malicious",
                "attack_types": [
                    "Other"
                ],
                "computer_ip": "10.17.23.30",
                "severityScore": 90,
                "incident_id": "5f1557cbe7b2584f3959ee19",
                "attack_entry": 1688239188,
                "parent_process_path": "c:\\windows\\system32\\cmd.exe",
                "parent_process_pid": 9636,
                "process_path": "c:\\users\\bdadmin\\desktop\\atcsim\\atcsim32.exe",
                "process_pid": 10324,
                "username": "DESKTOP-JAC14GS\\bdadmin",
                "user_sid": "S-1-5-21-3349207704-443292085-2237656896-1003",
                "process_command_line": "detect",
                "file_hash_md5": "ccb1b07bdf330627f02b3c832663a489",
                "file_hash_sha256": "d5adc6a65a57d30d3ae70d195983d155e7cd24f26eb1ebebde9b92655251ec55",
                "att_ck_id": [
                    "T1036",
                    "T1059",
                    "T1002",
                    "T1012"
                ],
                "severity": "high",
                "main_action": "no action",
                "endpointId": "5efb3a520075db7384dfa285",
                "companyId": "5efb2f7154060876cb4a13d2"
            }
        ]
    },
    "id": 1505221060171
}
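The following triage routine is an added example, not Bitdefender code: it consumes the Uninstall Agent, Hardware ID Change, Ransomware activity detection and New Incident events described above and turns them into prioritised findings for a SOC queue, decoding the uninstall reason codes from the table. The priority scheme, the severity threshold and the sample batch are this example's own assumptions.

```python
"""Triage of agent-lifecycle and incident events pushed by GravityZone.

Added example, not Bitdefender's code. It turns the "uninstall",
"hwid-change", "ransomware-mitigation" and "new-incident" events documented
above into prioritised findings, decoding the uninstall reason codes from
the Uninstall Agent table and ranking incidents by severity_score. The
priority scheme, the score threshold and the sample batch are constructed
for this example.
"""
import json

# Uninstall reason codes, as listed in the Uninstall Agent table.
UNINSTALL_REASON = {
    1: "local uninstall",
    2: "deleted from the network inventory in GravityZone Control Center",
    3: "uninstall task from GravityZone Control Center",
}

# Assumed threshold: a new-incident severity_score at or above this is "high".
HIGH_SEVERITY_SCORE = 70

PRIORITY_ORDER = {"high": 0, "medium": 1, "info": 2}


def _endpoint(event: dict) -> str:
    """Endpoint label built from the common parameters."""
    return f"{event.get('computer_name', '?')} ({event.get('computer_ip', '?')})"


def triage(event: dict):
    """Return a finding dict for events worth a human look, or None."""
    module = event.get("module")
    finding = {"module": module, "endpoint": _endpoint(event)}
    if module == "uninstall":
        reason = event.get("reason")
        # Reason 1 is an uninstall done on the endpoint itself rather than
        # from Control Center, so it is queued for follow-up.
        finding["priority"] = "high" if reason == 1 else "info"
        label = UNINSTALL_REASON.get(reason, f"unknown reason {reason}")
        finding["summary"] = f"agent removed: {label}"
    elif module == "hwid-change":
        finding["priority"] = "medium"
        finding["summary"] = (f"hardware ID changed from {event.get('old_hwid')} "
                              f"to {event.get('new_hwid')}")
    elif module == "ransomware-mitigation":
        finding["priority"] = "high"
        finding["summary"] = (f"{event.get('attack_type')} ransomware attack blocked, "
                              f"{event.get('item_count')} files affected, "
                              f"source {event.get('attack_source')}")
    elif module == "new-incident":
        # Parameter name as given in the New Incident table above.
        score = int(event.get("severity_score", 0))
        finding["priority"] = "high" if score >= HIGH_SEVERITY_SCORE else "medium"
        techniques = ",".join(event.get("att_ck_id", [])) or "n/a"
        finding["summary"] = (f"incident {event.get('incident_id')} score {score}, "
                              f"ATT&CK {techniques}, main action {event.get('main_action')}")
    else:
        return None
    return finding


def triage_batch(body: str) -> list:
    """Triage every event in an addEvents body, highest priority first."""
    events = json.loads(body)["params"]["events"]
    findings = [f for f in (triage(e) for e in events) if f is not None]
    return sorted(findings, key=lambda f: PRIORITY_ORDER[f["priority"]])


# Constructed sample batch covering the four modules plus one that is ignored.
SAMPLE_BATCH = json.dumps({
    "jsonrpc": "2.0", "method": "addEvents", "id": 7,
    "params": {"events": [
        {"module": "install", "computer_name": "WS-00", "computer_ip": "10.0.0.4"},
        {"module": "hwid-change", "computer_name": "WS-01", "computer_ip": "10.0.0.5",
         "old_hwid": "00000000-0000-0000-0000-000000000001",
         "new_hwid": "00000000-0000-0000-0000-000000000002"},
        {"module": "uninstall", "computer_name": "WS-02", "computer_ip": "10.0.0.6",
         "reason": 1},
        {"module": "new-incident", "computer_name": "WS-03", "computer_ip": "10.0.0.7",
         "incident_id": "000000000000000000000009", "severity_score": 40,
         "att_ck_id": ["T1059"], "main_action": "no action"},
        {"module": "ransomware-mitigation", "computer_name": "FS-01",
         "computer_ip": "10.0.0.8", "attack_type": "remote", "item_count": "23",
         "attack_source": "10.0.0.120"},
    ]},
})

if __name__ == "__main__":
    for finding in triage_batch(SAMPLE_BATCH):
        print(finding["priority"], finding["module"], finding["summary"])
```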

Partner change

This event is generated each time a client company joins or leaves your management.

| Name | Type | Mandatory | Description |
| --- | --- | --- | --- |
| moved_company_id | string | yes | The ID of the company that has changed its partner. |
| moved_company_name | string | yes | The name of the company that has changed its partner. |
| action | string | yes | The action taken by the partner. Possible values: joined - the company has joined your management; left - the company has left your management. |
| license_type | string | no | The license type of the company. |
| end_subscription_date | timestamp | no | The company's subscription end date. |
| auto_renew_period | string | no | The number of months by which the subscription validity will be automatically extended. |
| minimal_commitment_usage_endpoints | integer | no | The minimum number of endpoints that this company has committed to use on a monthly basis. |
| enabled_services | array | no | The services that are enabled for the company. |
| id | integer | yes | The ID of the event. |
| name | string | yes | The name of the event. |
| severity | integer | yes | The severity of the event. Possible values: 0 - 10. |

Example:

{
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {
                "module": "partner-changed",
                "companyId": "638f118f6b82bec40d0976df",
                "moved_company_id": "628f107f6b82bec40d0976af",
                "moved_company_name": "Bitdefender",
                "action": "joined",
                "license_type": "Monthly",
                "end_subscription_date": "2022-12-30T23:59:00",
                "auto_renew_period": 12,
                "minimal_commitment_usage_endpoints": 2,
                "enabled_services": [
                    "Email Security",
                    "Full Disk Encryption",
                    "Patch Management",
                    "HyperDetect",
                    "Sandbox Analyzer"
                ]
            }
        ]
    },
    "id": 1505221060171
}