Push event JSON RPC messages
Events are submitted in calls to the "addEvents" function. This function takes one parameter: "events", which is an array of event objects documented below.
HTTP requests can be verified using the Event-Push-Service-Md5 header. The header is obtained by hashing the Api Key and the message body as follows: header_value = md5(api_key, md5(message_body))
$gzapikey = "a247bf167a48d899b7a64aced0d6cebdbd5d474578c26cd023505b2c26******";
$message = file_get_contents('php://input');
$servermd5 = $_SERVER['HTTP_EVENT_PUSH_SERVICE_MD5'];
$resultmd5 = md5($apikey.md5($message));Cloud AD Integration
This event is generated when Control Center is synchronizing with an Active Directory domain.
Parameters:
Name | Type | Mandatory | Description |
|---|---|---|---|
module | string | yes | Event type identifier. Value: |
companyId | string | yes | Company identifier |
syncerId | string | yes | AD Integrator identifier |
issueType | integer | yes | AD Synchronization issue type |
isProtectedEntityId | integer | no | Is protected entity ID (only for uninstall) |
lastAdReportDate | timestamp | no | Last AD synchronization date |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"syncerId": "59b7d9bfa849af3a1465b7e3",
"issueType": 0,
"lastAdReportDate": "2017-09-14T08:03:49.671Z",
"module": "adcloud"
}
]
},
"id": 1505376232077
} Antiphishing
This notification informs you each time the endpoint agent detects a known phishing attempt when accessing a web page.
Parameters:
Name | Type | Mandatory | Description |
|---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
aph_type | string | yes | Values: phishing, fraud, untrust |
url | string | yes | Malware url |
status | string | yes | Values: aph_blocked, reportOnly |
last_blocked | timestamp | yes | Last timestamp this malware was blocked |
count | integer | yes | How many times this malware was detected |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-EXCHANGE-01",
"computer_fqdn": "fc-exchange-01.fc.dom",
"computer_ip": "192.168.0.1",
"computer_id": "59b7d9bfa849af3a1465b7e4",
"product_installed": "BEST",
"aph_type": "phishing",
"url": "http://example.com/account/support/",
"status": "aph_blocked",
"last_blocked": "2017-09-14T08:49:43.000Z",
"count": 1,
"module": "aph"
}
]
},
"id": 1505378984190
}Antimalware
This event generated each time Bitdefender detects malware on an endpoint in your network.
Parameters:
Name | Type | Mandatory | Description |
|---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
malware_type | string | yes | Type of the detected malware: file, http, cookie, pop3, smtp, process, boot, registry, stream |
malware_name | string | yes | Malware name |
hash | string | no | Malware file sha256 hash |
final_status | string | yes | Final status of the action taken on the file: ignored, still present, deleted, blocked, quarantined, disinfected, restored |
container_id | string | no | The identifier of the container entity |
container_host | string | no | The name of the host that manages the container entity |
file_path | string | yes | Malware file path |
timestamp | timestamp | yes | Timestamp when the malware was detected |
signaturesNumber | string | no | signatures Number |
taskScanType | integer | no | taskScanType |
scanEngineType | integer | no | scanEngineType |
cleaned | integer | no | How many times a file was cleaned if it generated multiple events of the same type in one minute. |
blocked | integer | no | How many times an application or file was blocked if it generated multiple events of the same type in one minute. |
deleted | integer | no | How many times a file was deleted if it generated multiple events of the same type in one minute. |
quarantined | integer | no | How many times ar file was quarantined if it generated multiple events of the same type in one minute. |
ignored | integer | no | How many times a threat was detected and ignored in a file or application if it generated multiple events of the same type in one minute. |
present | integer | no | How many times a threat was detected in a file or application if it generated multiple events of the same type in one minute. |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-WIN7-X64-01",
"computer_fqdn": "fc-win7-x64-01",
"computer_ip": "10.17.46.196",
"computer_id": "59a1604e60369e06733f8abb",
"product_installed": "BEST",
"malware_type": "file",
"malware_name": "EICAR-Test-File (not a virus)",
"file_path": "C:\\eicar0000001.txt",
"hash": "8b3f191819931d1f2cef7289239b5f77c00b079847b9c2636e56854d1e5eff71",
"final_status": "deleted",
"timestamp": "2017-09-08T12:01:36.000Z",
"signaturesNumber": "7.95265",
"scanEngineType": 3,
"cleaned": 0,
"blocked": 0,
"deleted": 0,
"quarantined": 2,
"ignored": 0,
"present": 0
"module": "av"
}
]
},
"id": 1504872097787
}{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"module": "av",
"product_installed": "BEST",
"user": {
"id": "S-1-5-21-1493276475-1689882908-858204327-1001",
"name": "testadmin"
},
"companyId": "63920a01070088b57f0be1d2",
"computer_name": "IRU-WIN10X64-A",
"computer_fqdn": "iru-win10x64-a",
"computer_ip": "10.17.40.189",
"computer_id": "65030d040a2422770e0022b5",
"malware_type": "file",
"malware_name": "EICAR-Test-File (not a virus)",
"hash": "8b3f191819931d1f2cef7289239b5f77c00b079847b9c2636e56854d1e5eff71",
"final_status": "quarantined",
"file_path": "C:\\Users\\testadmin\\AppData\\Local\\VirtualStore\\eicar0000001.txt",
"timestamp": "2023-09-14T14:16:30.000Z",
"signaturesNumber": "7.95265",
"scanEngineType": 3,
"cleaned": 0,
"blocked": 0,
"deleted": 0,
"quarantined": 2,
"ignored": 0,
"present": 0
}
]
},
"id": 1694701009244
}Advanced Threat Control (ATC)
This event is created whenever a potentially dangerous applications is detected and blocked on an endpoint.
Parameters:
Name | Type | Mandatory | Description |
|---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
exploit_type | string | yes | Values: IDS APP, AVC APP, AVC Exploit |
exploit_path | string | yes | Exploit file path |
process_command_line | string | no | The command line parameters of the detected process |
parent_process_id | integer | no | The pid of the parent of the detected process |
parent_process_path | string | no | The path of the parent process of the detection |
status | string | yes | Values: avc_blocked, avc_allowed, avc_disinfected |
last_blocked | timestamp | yes | Last timestamp this application/exploit was blocked |
count | integer | yes | How many times this application/exploit was detected |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-WIN7-X64-01",
"computer_fqdn": "fc-win7-x64-01",
"computer_ip": "192.168.0.1",
"computer_id": "59a1604e60369e06733f8abb",
"product_installed": "BEST",
"exploit_type": "AVC Blocked Exploit",
"exploit_path": "C:\\Users\\admin\\Desktop\\Tools\\avcsim\\win32\\avcsim32.exe",
"status": "avc_blocked",
"last_blocked": "2017-09-14T07:56:33.000Z",
"count": 1,
"module": "avc"
}
]
},
"id": 1505375801845
}Data Protection
This event is generated each time the data traffic is blocked on an endpoint, according to data protection rules.
Parameters:
Name | Type | Mandatory | Description |
|---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
target_type | string | yes | Malware type: mail, http |
blocking_rule_name | string | yes | Data protection rule name |
url | string | yes | Url |
status | string | yes | Always "data_protection_blocked" |
last_blocked | timestamp | yes | Last timestamp this email/url was blocked |
count | integer | yes | How many times this malware was detected |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-WIN7-X64-01",
"computer_fqdn": "fc-win7-x64-01",
"computer_ip": "192.168.0.1",
"computer_id": "59a1604e60369e06733f8abb",
"product_installed": "BEST",
"target_type": "http",
"blocking_rule_name": "dv",
"url": "http://example.com/",
"status": "data_protection_blocked",
"last_blocked": "2017-09-11T10:23:43.000Z",
"count": 1,
"module": "dp"
}
]
},
"id": 1505125464691
}Exchange Malware Detection
This event is created when Bitdefender detects malware on an Exchange server in your network.
Parameters:
Name | Type | Mandatory | Description |
|---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
serverName | string | yes | Server name |
sender | string | yes | Email sender |
recipients | array | yes | List of email recipients (array of strings) |
subject | string | yes | Email subject |
detectionTime | timestamp | yes | Detection time |
malware | array | yes | List of detected malware (array of {"malwareName": string, "malwareType": string, "actionTaken": string, "infectedObject": string}) |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC- EXCHANGE - 01",
"computer_fqdn": "fc- exchange - 01.fc.dom",
"computer_ip": "192.168.0.1",
"computer_id": "59b7d9bfa849af3a1465b7e4",
"product_installed": "BEST",
"endpointId": "59b7d9bfa849af3a1465b7e3",
"serverName": "FC- EXCHANGE - 01",
"sender": "[email protected]",
"recipients": [
"[email protected]"
],
"subject": "Emailing Sending.. WL - cbe100c9f42a20ef9a4b1c20ed1a59f9 - 0",
"detectionTime": "2017- 09 - 13T14: 20:37.000Z",
"malware": [
{
"malwareName": "Trojan.Generic.KD.874127",
"malwareType": "virus",
"actionTaken": "quarantine",
"infectedObject": "WL- cbe100c9f42a20ef9a4b1c20ed1a59f9 - 0"
}
],
"module": "exchange-malware"
}
]
},
"id": 1505312459584
}Exchange License Usage Limit Has Been Reached
This event is generated when Exchange License limit has been reached
Parameters:
Name | Type | Mandatory | Description |
|---|---|---|---|
module | string | yes | Event type identifier. Value: |
companyId | string | yes | Company identifier |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"endpointId": "59b7d9bfa849af3a1465b7e3",
"module": "exchange-organization-info",
"mailboxes":8,
"license_limit":5,
"license_key":"5IMI111"
}
]
},
"id": 1505387661508
} Exchange User Credentials
This event is generated when an on-demand scan task could not start on the target Exchange server due to invalid user credentials. To complete the task, you need to change your Exchange credentials.
Parameters:
Name | Type | Mandatory | Description |
|---|---|---|---|
module | string | yes | Event type identifier. Value: |
companyId | string | yes | Company identifier |
endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"endpointId": "59b7d9bfa849af3a1465b7e3",
"module": "exchange-user-credentials"
}
]
},
"id": 1505387661508
} Firewall
This event is generated when the endpoint agent blocks a port scan or an application from accessing the network, according to the applied policy.
Parameters:
Name | Type | Mandatory | Description |
|---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
status | string | yes | Status |
local_port | string | no | Local port |
protocol_id | string | no | The identifier of the malware attack protocol as defined by Protocol Number |
application_path | string | no | Application path |
source_ip | string | no | Source IP address |
last_blocked | timestamp | yes | Last timestamp this connection was blocked |
count | integer | yes | How many times this connection was detected |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-WIN7-X64-01",
"computer_fqdn": "fc-win7-x64-01",
"computer_ip": "192.168.0.1",
"computer_id": "59a1604e60369e06733f8abb",
"product_installed": "BEST",
"status": "portscan_blocked",
"protocol_id": "6",
"source_ip": "192.168.0.2",
"last_blocked": "2017-09-08T12:52:03.000Z",
"count": 1,
"module": "fw"
}
]
},
"id": 1504875129648
}Hyper Detect event
Event generated when a malware is detected by the Hyper Detect module.
Parameters:
Name | Type | Mandatory | Description |
|---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
malware_type | string | yes | Type of the detected malware: file, http, cookie, pop3, smtp, process, boot, registry, stream |
malware_name | string | yes | Malware name |
hash | string | no | Malware file sha256 hash |
final_status | string | yes | Final status of the action taken on the file: ignored, still present, deleted, blocked, quarantined, disinfected, restored |
container_id | string | no | The identifier of the container entity |
container_host | string | no | The name of the host that manages the container entity |
file_path | string | yes | Malware file path |
attack_type | string | no | Values: targeted attack, grayware, exploits, ransomware, suspicious files and network traffic |
detection_level | string | no | Values: permissive, normal, aggressive |
is_fileless_attack | string | no | True for fileless attack |
command_line_parameters | string | no | Command line parameters |
process_info_path | string | no | Process path |
process_info_command_line | string | no | Process command line parameters |
parent_process_id | integer | no | Parent process ID |
parent_process_path | string | no | Parent process path |
hwid | string | yes | Hardware identifier |
date | timestamp | yes | Timestamp when the malware was detected |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"module": "hd",
"product_installed": "EPS",
"user": {
"name": "admin",
"sid": "BF410F3B-5F3A-41E1-BF8F-28DE6948A355
"
},
"computer_name": "DHMSI",
"computer_fqdn": "dhmsi",
"computer_ip": "10.10.18.226",
"computer_id": "5c4999491ddfad7177316f80",
"malware_type": "file",
"malware_name": "",
"hash": "hash_3",
"final_status": "quarantined",
"file_path": "44e695d9ed259aea10e5b57145d0d0dc.b
ender",
"attack_type": "suspicious files and network tra
ffic",
"detection_level": "normal",
"is_fileless_attack": 1,
"command_line_parameters": "a b c",
"process_info_path": "C:\\a.exe",
"process_info_command_line": "c:\\a.exe -testParam",
"parent_process_id": 1716,
"parent_process_path": "C:\\Windows\\System32\\cmd.exe",
"hwid": "00000000-0000-0000-0000-406186b5****",
"companyId": "5c497704f9bf8d0b1b4df***",
"date": "2019-01-24T11:13:04.000Z"
}
]
},
"id": 1547719287349
} Product Modules Status
This event is generated when a security module of the installed agent gets enabled or disabled.
Parameters:
Name | Type | Mandatory | Description |
|---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computerId | string | yes | Unique endpoint identifier in the GravityZone database |
container_id | string | no | The identifier of the container entity |
container_host | string | no | The name of the host that manages the container entity |
is_container_host | boolean | no | Whether the machine is container host or not |
malware_status | boolean | no | Antimalware module |
aph_status | boolean | no | Antiphishing module |
firewall_status | boolean | no | Firewall module |
avc_status | boolean | no | Active Threat Control module |
ids_status | boolean | no | Intrusion detection system module |
uc_web_filtering | boolean | no | Content Control Web Access Control module |
uc_categ_filtering | boolean | no | Content Control Web Categories Filtering module |
uc_application_status | boolean | no | Content Control Application Blacklisting module |
dp_status | boolean | no | Content Control Data Protection module |
pu_status | boolean | no | Power User module |
dlp_status | boolean | no | Device Control module |
exchange_av_status | boolean | no | Exchange Protection Antimalware module |
exchange_as_status | boolean | no | Exchange Protection Antispam module |
exchange_at_status | boolean | no | Exchange Protection Attachment filtering module |
exchange_cf_status | boolean | no | Exchange Protection Content filtering module |
exchange_od_status | boolean | no | Exchange Protection On demand scan module |
volume_encryption | boolean | no | Encryption module |
patch_management | boolean | no | Patch management module |
container_protection_status | boolean | no | Container Protection module |
network_monitor_status | boolean | no | Network Attack Defense module |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC- WIN7 - X64 - 01",
"computer_fqdn": "fc- win7 - x64 - 01",
"computer_ip": "192.168.0.1",
"computer_id": "59a1604e60369e06733f8abb",
"product_installed": "BEST",
"malware_status": 1,
"aph_status": 1,
"firewall_status": 1,
"avc_status": 1,
"uc_web_filtering": 0,
"uc_categ_filtering": 0,
"uc_application_status": 0,
"dp_status": 0,
"pu_status": 1,
"dlp_status": 0,
"module": "modules"
}
]
},
"id": 1504871857671
}Sandbox Analyzer Detection
This event is generated each time Sandbox Analyzer detects a new threat among the submitted files.
Parameters:
Name | Type | Mandatory | Description |
|---|---|---|---|
module | string | yes | Event type identifier. Value: |
companyId | string | yes | Company identifier |
endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
deviceExternalId | string | no | Unique endpoint identifier in the GravityZone database |
submissionId | string | no | GravityZone network sandbox submission ID |
computerName | string | yes | Computer name |
computerIp | string | yes | Computer IP address |
detectionTime | integer | yes | Detection time |
threatType | string | yes | Threat type |
filePaths | array | yes | File paths (array of strings) |
fileSizes | array | yes | File sizes (array of strings) |
remediationActions | array | yes | Remediation actions (array of strings). Possible values:
|
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"endpointId": "59a1604e60369e06733f8aba",
"computerName": "FC-WIN7-X64-01",
"computerIp": "192.168.0.1",
"detectionTime": 1505386969,
"threatType": "RANSOMWARE",
"filePaths": [
"C:\\Users\\Administrator\\Documents\\installer.xml",
"D:\\opt\\bitdefender\\installer2.xml",
"D:\\sources\\console\\CommonConsole\\app\\modules\\policies\\view\\endpoints\\networkSandboxing\\installer3.xml"
],
"fileSizes": [
"2614",
"2615",
"2616"
],
"remediationActions": [
"1",
"",
"1"
],
"module": "network-sandboxing"
}
]
},
"id": 1505386971126
} Product Registration
This event is generated when the registration status of an agent installed in your network has changed.
Parameters:
Name | Type | Mandatory | Description |
|---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
container_id | string | no | The identifier of the container entity |
container_host | string | no | The name of the host that manages the container entity |
is_container_host | boolean | no | Whether the machine is container host or not |
product_registration | string | yes | Values: registered, unregistered |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-EXCHANGE-01",
"computer_fqdn": "fc-exchange-01.fc.dom",
"computer_ip": "192.168.0.1",
"computer_id": "59b7d9bfa849af3a1465b7e4",
"product_installed": "BEST",
"product_registration": "registered",
"module": "registration"
}
]
},
"id": 1505221060168
}Outdated Update Server
This event is generated when an update server has outdated malware signatures.
Parameters:
Name | Type | Mandatory | Description |
|---|---|---|---|
fromSupa | boolean | yes | Identifies events sent from Relays (always true) |
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
status | boolean | yes | Update status |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-WIN7-X64-01",
"computer_fqdn": "fc-win7-x64-01",
"computer_ip": "192.168.0.1",
"computer_id": "59a1604e60369e06733f8abb",
"product_installed": "BEST",
"status": 0,
"fromSupa": 1,
"module": "supa-update-status"
}
]
},
"id": 1505379714808
}Overloaded Security Server
This event is generated when the scan load on a Security Server in your network exceeds the defined threshold.
Parameters:
Name | Type | Mandatory | Description |
|---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
loadAverage | integer | yes | Load average |
cpuUsage | integer | yes | Cpu usage |
memoryUsage | integer | yes | Memory usage |
networkUsage | integer | yes | Network usage |
overallUsage | integer | yes | Overall usage |
svaLoad | string | no | SVA load |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "bitdefender-sva",
"computer_fqdn": "bitdefender-sva",
"computer_ip": "192.168.0.1",
"computer_id": "59b8f3aba849af3a1465b81e",
"product_installed": "SVA",
"loadAverage": 1,
"cpuUsage": 48,
"memoryUsage": 32,
"networkUsage": 0,
"overallUsage": 48,
"svaLoad": "Normal",
"module": "sva-load"
}
]
},
"id": 1505293227782
} Security Server Status
This event is created when the status of a certain Security Server changes. The status refers to power (powered on/powered off), product update, signatures update and reboot required.
Parameters:
Name | Type | Mandatory | Description |
|---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
powered_off | boolean | yes | Powered off |
product_update_available | boolean | no | Product update available |
signature_update | timestamp | no | Last signatures update timestamp |
product_reboot_required | boolean | no | True if a reboot is required |
lastupdate | string | no | Last update |
lastupdateerror | string | no | Last update error |
updatesigam | string | no | Security Server engines version |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "bitdefender-sva",
"computer_fqdn": "bitdefender-sva",
"computer_ip": "192.168.0.1",
"computer_id": "59b8f3aba849af3a1465b81e",
"product_installed": "SVA",
"powered_off": 0,
"product_update_available": 1,
"product_reboot_required": 0,
"lastupdate": "0",
"updatesigam": "7.72479",
"module": "sva"
}
]
},
"id": 1505293227782
} Antiexploit Event
This event is generated when Advanced Anti-Exploit triggers a detection.
Parameters:
Name | Type | Mandatory | Description |
|---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
container_id | string | no | The identifier of the container entity |
container_host | string | no | The name of the host that manages the container entity |
endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
detection_action | string | yes | The action that was taken upon the detection |
detection_threatName | string | no | Threat type |
detection_pid | string | yes | The pid of the detection |
detection_exploitTechnique | string | yes | The technique employed in the detection |
detection_parentPid | string | no | The pid of the parent of the detected process |
detection_path | string | yes | The path of the detection |
detection_parentPath | string | no | The path of the parent process of the detection |
detection_cve | string | no | Detection CVE |
detection_payload | string | no | Detection payload |
detection_username | string | no | The user that was logged when the detection was found |
detection_time | timestamp | yes | Time of the event as reported by the product, already formatted in a string representation |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"module": "antiexploit",
"product_installed": "BEST",
"companyId": "5cf10c8af23f73097377c924",
"computer_name": "TEST_ENDPOINT",
"computer_fqdn": "test-endpoint.dsd.ro",
"computer_ip": "10.10.18.226",
"computer_id": "5cf51ba5e8ee8c5b1852a9d7",
"endpointId": "5cf51ba5e8ee8c5b1852a9d6",
"detection_action": "kill",
"detection_threatName": "EICAR-Test-File (not a
virus)",
"detection_pid": "2000",
"detection_exploitTechnique": "Flash/Generic",
"detection_parentPid": "4000",
"detection_path": "C:\\file15c8ba8b90ea1de127962
f464.exe",
"detection_parentPath": "C:\\file25c8ba8b90ea1de
127962f464.exe",
"detection_username": "[email protected]",
"detection_time": "2019-06-03T13:58:30.000Z"
}
]
},
"id": 1547719287349
}Network Attack Defense Event
This event is generated when the Network Attack Defense module triggers a detection.
Parameters:
Name | Type | Mandatory | Description |
|---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
endpointId | string | yes | Endpoint identifier |
label | string | no | The label set in the Network grid by the Admin |
actionTaken | string | yes | The action that was taken upon the detection |
detection_name | string | yes | The name of the detection as received from BEST |
detection_attackTechnique | string | yes | Name of the attack technique as set in the Network Attack Defense policy |
source_ip | string | yes | IP of the attack source |
victim_ip | string | yes | IP of the victim's endpoint |
local_port | string | yes | The port on which the attack occurred |
timestamp | timestamp | yes | Time of the event as reported by the product, already formatted in a string representation |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"module": "network-monitor",
"product_installed": "BEST",
"user": {
"userName": "[email protected]",
"userSid": "S-1-2-3-4"
},
"computer_name": "TEST_ENDPOINT",
"computer_fqdn": "test-endpoint.dsd.ro",
"computer_ip": "10.10.18.226",
"computer_id": "5d639e8f48ac2f04f6e00b1c",
"actionTaken": "reportOnly",
"detection_name": "PrivacyThreat.PasswordStealer
.HTTP",
"detection_attackTechnique": "discovery",
"source_ip": "10.17.134.4",
"victim_ip": "213.211.198.58",
"local_port": "80",
"timestamp": "2019-01-24T11:13:04.000Z"
}
]
},
"id": 1547719287349
}Task Status
This event is generated each time a task status changes.
Parameters:
Name | Type | Mandatory | Description |
|---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
userId | string | yes | User identifier |
taskId | string | yes | Task identifier |
taskName | string | yes | Task name |
taskType | integer | yes | Task type |
targetName | string | yes | Task name |
isSuccessful | boolean | yes | True if the task was executed successfully |
status | integer | yes | Task status |
errorMessage | string | yes | Error message |
errorCode | integer | yes | Error code |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-WIN7-X64-01",
"computer_fqdn": "fc-win7-x64-01",
"computer_ip": "192.168.0.1",
"computer_id": "59a1604e60369e06733f8abb",
"product_installed": "BEST",
"userId": "59a14b2b1da197c6108b4568",
"taskId": "59b28dc81da19711058b4568",
"taskName": "Quick Scan 2017-09-08(sub-task)",
"taskType": 272,
"targetName": "FC-WIN7-X64-01",
"isSuccessful": 1,
"status": 3,
"errorMessage": "",
"errorCode": 0,
"module": "task-status"
}
]
},
"id": 1504874269032
}User Control/Content Control
This event is generated when a user activity such as web browsing of software application is blocked on the endpoint according to the applied policy.
Important
Depending on your designated server, you might not have this event type activated by default. Log in to your console and check your URL: if you are using https://cloud.gravityzone.bitdefender.com, you need to contact support and request them to activate the event type.
Parameters:
Name | Type | Mandatory | Description |
|---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
uc_type | string | no | Values: application, http |
url | string | no | Url |
block_type | string | no | Values: application, http_timelimiter, http_blacklist, http_categories, http_bogus, http_antimalware |
categories | string | no | Values: WebProxy, Games, Tabloids, Hate, Gambling, Drugs, Illegal, Shopping, OnlinePay, Video, SocialNetwork, OnlineDating, IM, SearchEngines, RegionalTLDS, News, Pornography, MatureContent, Blog, FileSharing, Narcotics, VideoOnline, Religious, Suicide, Health, ViolentCartoons, Weapons, Hacking, Scams, CasualGames, OnlineGames, ComputerGames, PhotosOnline, Ads, Advice, Bank, Business, ComputerAndSoftware, Education, Entertainment, Government, Hobbies, Hosting, JobSearch, Portals, RadioMusic, Sports, TimeWasters, Travel, WebMail |
application_path | string | no | Application path |
status | string | no | Values: uc_application_blocked, uc_site_blocked |
last_blocked | timestamp | no | Last timestamp this malware was blocked |
count | integer | no | How many times this malware was detected |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"computer_name": "FC-WIN7-X64-01",
"computer_fqdn": "fc-win7-x64-01",
"computer_ip": "192.168.0.1",
"computer_id": "59a1604e60369e06733f8abb",
"product_installed": "BEST",
"uc_type": "http",
"url": "http://192.168.0.1:2869/upnphost/udhisapi.dll",
"block_type": "http_timelimiter",
"categories": "",
"status": "uc_site_blocked",
"last_blocked": "2017-09-08T12:46:30.000Z",
"count": 1,
"module": "uc"
}
]
},
"id": 1504874799367
}Storage Antimalware Event
This event is generated each time SVA detects a new threat among the protected storage (NAS).
Parameters:
Name | Type | Mandatory | Description |
|---|---|---|---|
module | string | yes | Event type identifier. Value: |
companyId | string | yes | Company identifier |
endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
computer_name | string | yes | Computer name |
storage_name | string | yes | The name of the storage unit |
storage_ip | string | yes | The IP address of the storage unit |
storage_type | string | yes | The type of the storage unit.(E.g., Nutanix, Citrix etc.) |
file_path | string | yes | File path |
file_hash | string | yes | File hash |
malware_type | string | yes | Describes the type of malware as defined by Bitdefender. Possible values are: 'file', 'http', 'cookie', 'pop3', 'smtp', 'process', 'boot', 'registry' and 'stream' |
malware_name | string | yes | Name of the malware as defined by Bitdefender |
status | string | yes | Final status for the detected objects. Possible values are: |
detection_time | timestamp | yes | Time of the event as reported by the product, already formatted in a string representation |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"companyId": "59a14b271da197c6108b4567",
"endpointId": "59a1604e60369e06733f8aba",
"computerName": "SVA_WITH_ICAP",
"storage_name": "fileserver001",
"storage_ip": "192.168.0.1",
"storage_type": "Nutanix",
"file_path": "C:\\Users\\Administrator\\Documents\\installer.xml",
"file_hash": "04d7cff845e23111633cc0a268634f5e6c18145d0a9b5a38dedd8a58a422001c",
"malware_type": "1",
"malware_name": "BAT.Trojan.FormatC.Z",
"status": "5",
"detection_time": "2018-05-07T10:23:43.000Z",
"module": "storage-antimalware"
}
]
},
"id": 1505386971126
} Install Agent
This event is generated when the agent is installed on endpoints.
Parameters:
Name | Type | Mandatory | Description |
|---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
hwid | string | yes | Hardware identifier |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"product_installed": "BEST",
"companyId": "59a14b271da197c6108b4567",
"computer_name": "TEST_ENDPOINT",
"computer_fqdn": "test-endpoint.dsd.ro",
"computer_ip": "10.10.18.226",
"computer_id": "5cf51ba5e8ee8c5b1852a9d7",
"module": "install",
"endpointId": "5e2085febf255a545e52276b",
"hwid": "00000000-0000-0000-0000-406186b5bdbd50"
}
]
},
"id": 1547719287350
}Uninstall Agent
This event is generated when an agent is uninstalled from an endpoint.
Parameters:
Name | Type | Mandatory | Description |
|---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
reason | integer | yes | Uninstalling method. Available options:
|
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"product_installed": "BEST",
"companyId": "59a14b271da197c6108b4567",
"computer_name": "TEST_ENDPOINT",
"computer_fqdn": "test-endpoint.dsd.ro",
"computer_ip": "10.10.18.226",
"computer_id": "59b7d9bfa849af3a1465b7e4",
"endpointId": "5e2085febf255a545e52276b",
"reason": 1,
"module": "uninstall"
}
]
},
"id": 1505221060168
}Hardware ID Change
This event is generated when the hardware ID of an endpoint from your network is changed.
Parameters:
Name | Type | Mandatory | Description |
|---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
old_hwid | string | yes | The old hardware ID of the machine |
new_hwid | string | yes | The new hardware ID of the machine |
endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"module": "hwid-change",
"product_installed": "BEST",
"companyId": "5e207bc354060806ed24a132",
"computer_name": "A",
"computer_fqdn": "test-endpoint.dsd.ro",
"computer_ip": "10.10.18.526",
"computer_id": "5e284ff5b7e43d387ba54a96",
"old_hwid": "00000000-0000-0000-0000-406186b5bde
7",
"new_hwid": "00000000-0000-0000-0000-406186b5bde
6",
"endpointId": "5e284ff5b7e43d387ba54a95"
}
]
},
"id": 1547719287349
}Endpoint moved in
This event is generated when endpoints are moved in Network Inventory from one company to another. The event is received by the destination company.
Parameters:
Name | Type | Mandatory | Description |
|---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
hwid | string | yes | Hardware identifier |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"product_installed": "BEST",
"companyId": "59a14b271da197c6108b4568",
"computer_name": "TEST_ENDPOINT",
"computer_fqdn": "test-endpoint.dsd.ro",
"computer_ip": "10.10.18.226",
"computer_id": "59b7d9bfa849af3a1465b7e3",
"endpointId": "5e2085febf255a545e52276a",
"module": "endpoint-moved-in",
"hwid": "5e284ff-5b7e43d387ba-54a95"
}
]
},
"id": 1505221060169
}Endpoint moved out
This event is generated when endpoints are moved in Network Inventory from one company to another. The event is received by the source company.
Parameters:
Name | Type | Mandatory | Description |
|---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
endpointId | string | yes | Managed endpoint identifier in the GravityZone database |
hwid | string | yes | Hardware identifier |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"product_installed": "BEST",
"companyId": "59a14b271da197c6108b4567",
"computer_name": "TEST_ENDPOINT",
"computer_fqdn": "test-endpoint.dsd.ro",
"computer_ip": "10.10.18.226",
"computer_id": "59b7d9bfa849af3a1465b7e4",
"endpointId": "5e2085febf255a545e52276b",
"module": "endpoint-moved-out",
"hwid": "5e284ff-5b7e43d387ba-54a95"
}
]
},
"id": 1505221060170
}Troubleshooting activity
The event is generated when a troubleshooting task ends, and it informs you of its status. If successful, it provides you with the logs.
Parameters:
Name | Type | Mandatory | Description |
|---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
taskId | string | yes | The ID of the current Troubleshooting task. |
taskType | string | yes | The type of the task |
errorCode | integer | yes | Integer representing the error code if the task has failed |
username | string | no | Name of the user account who started the Troubleshooting task |
localPath | string | no | The path on the target machine where the Troubleshooting archive is placed |
networkSharePath | string | no | The path on network share where the Troubleshooting archive is placed |
saveToBitdefenderCloud | boolean | no | The option to also upload to Bitdefender Cloud the Troubleshooting archive |
status | integer | yes | The status with which the task has finished |
stopReason | integer | no | The reason for which the Troubleshooting activity was stopped |
failedStorageType | integer | no | In case some delivery methods succeeded and some not, which one has failed |
startDate | timestamp | no | Timestamp of when the event has started |
endDate | timestamp | no | Time of the event as reported by the product, already formatted in a string representation |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"product_installed": "BEST",
"companyId": "59a14b271da197c6108b4567",
"computer_name": "TEST_ENDPOINT_WINDOWS_10",
"computer_fqdn": "test-endpoint.dsd.ro",
"computer_ip": "10.10.0.101",
"computer_id": "5ee30e2b29a4e218489442b6",
"module": "troubleshooting-activity",
"taskId": "5eea0105f23f731302405833",
"taskType": "Debug Session",
"errorCode": 3,
"username": "[email protected]",
"localPath": "/test/dir",
"networkSharePath": "//1.2.3.4/dir",
"saveToBitdefenderCloud": 0,
"status": 3,
"stopReason": 2,
"failedStorageType": 1,
"startDate": "2020-06-24T06:06:48.000Z",
"endDate": "2020-06-24T06:09:28.000Z"
}
]
},
"id": 1505221060169
}Device Control
Every time the Device Control module detects a device inserted into a client system, an event is generated.
Parameters:
Name | Type | Mandatory | Description |
|---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
username | string | no | The user that was logged in when the incident was found |
silentAgentVersion | string | no | Agent version |
action | string | yes | Action taken on the device: allowed, blocked, readonly. Present only when the state of the device is added. |
deviceName | string | no | A descriptive name for the device |
deviceClass | integer | yes | Device class |
deviceId | string | no | Device ID |
productId | integer | no | Product ID of the device |
vendorId | integer | no | ID of the vendor |
date | timestamp | yes | The date when the device was blocked |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"module": "device-control",
"product_installed": "BEST",
"computer_name": "FC-WIN7-X64-01",
"computer_fqdn": "fc-win7-x64-01",
"computer_ip": "10.17.46.207",
"computer_id": "5d529fb7008739443adb4003",
"username": "Admin",
"action": "blocked",
"deviceName": "CD-ROM Drive",
"deviceClass": 2,
"deviceId": "IDE\\CDROMNECVMWAR_VMWARE_IDE_CDR10
_______________1.00____\\5&3A794E10&0&1.0.0",
"productId": 0,
"vendorId": 0,
"date": "2019-08-13T11:33:18.000Z"
}
]
},
"id": 1565697106257
}Ransomware activity detection
This event occurs when the endpoint agent blocks ransomware attack.
Parameters:
Name | Type | Mandatory | Description |
|---|---|---|---|
module | string | yes | Event type identifier. Value: |
product_installed | string | yes | Identifier for the installed GravityZone component |
companyId | string | yes | Company identifier |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
company_name | string | yes | The company in which the attack was detected. |
endpoint_id | string | yes | Managed endpoint identifier in the GravityZone database |
attack_type | string | yes | Ransomware attack type |
item_count | string | yes | The number of files encrypted during the attack |
detected_on | integer | yes | The date and time when the attack was detected |
attack_source | string | yes | The remote IP in case of a remote attack respectively the process path in case of a local attack |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"module": "ransomware-mitigation",
"companyId": "5dad6f685f627d42cb3cd434",
"product_installed": "SVA",
"user": {
"name": "user",
"sid": "S-11-22-33"
},
"company_name": "Bitdefender",
"computer_name": "DC-Nebula",
"computer_fqdn": "dc-nebula.nebula.local",
"computer_ip": "10.17.16.10",
"computer_id": "5ed4d2fef23f7325715dbb22",
"attack_type": "remote",
"item_count": "23",
"detected_on": 1591007594,
"attack_source": "10.10.20.120"
}
]
},
"id": 1505221060169
} New Incident
This event is generated every time a new Root Cause Analysis (RCA) is displayed under the Incidents section of Control Center. The event contains a list of relevant items extracted from the RCA JSON, which you can use to enrich SIEM driven correlations with EDR specific data.
Parameters:
Name | Type | Mandatory | Description |
|---|---|---|---|
module | string | yes | Event type identifier. Value: |
computer_name | string | yes | Computer name |
computer_fqdn | string | yes | FQDN |
computer_ip | string | yes | Computer IP address |
computer_id | string | yes | Unique endpoint identifier in the GravityZone database |
incident_id | string | yes | Incident identifier |
severity_score | integer | yes | Severity score |
attack_entry | integer | yes | Attack entry |
main_action | string | yes | Main action |
detection_name | string | no | Detection name |
file_name | string | no | File name |
file_path | string | no | File path |
file_hash_md5 | string | no | MD5 file hash |
file_hash_sha256 | string | no | SHA-256 file hash |
url | string | no | Domain URL |
port | integer | no | Domain port |
protocol | string | no | Application protocol |
source_ip | string | no | Source IP address |
process_pid | integer | no | Process pid |
process_path | string | no | Process path |
parent_process_pid | integer | no | Parent process PID |
parent_process_path | string | no | Parent process path |
attack_types | array | no | Attack types |
att_ck_id | array | no | The IDs of MITRE ATT&CK |
process_command_line | string | no | Process parameters in command line |
severity | string | yes | The severity of the produced event |
companyId | string | yes | Company identifier |
endpointId | string | yes | Endpoint identifier |
username | string | no | The user that was logged in when the incident was found |
user_sid | string | no | The SID of the user involved with the event source |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [
{
"module": "new-incident",
"created": "2020-07-20T09:36:23.485Z",
"computer_id": "5efb3a520075db7384dfa286",
"computer_fqdn": "desktop-jac14gs",
"computer_name": "DESKTOP-JAC14GS",
"detection_name": "ATC.Malicious",
"attack_types": [
"Other"
],
"computer_ip": "10.17.23.30",
"severityScore": 90,
"incident_id": "5f1557cbe7b2584f3959ee19",
"attack_entry": 1688239188,
"parent_process_path": "c:\\windows\\system32\\cmd.exe",
"parent_process_pid": 9636,
"process_path": "c:\\users\\bdadmin\\desktop\\atcsim\\atcsim32.exe",
"process_pid": 10324,
"username": "DESKTOP-JAC14GS\\bdadmin",
"user_sid": "S-1-5-21-3349207704-443292085-2237656896-1003",
"process_command_line": "detect",
"file_hash_md5": "ccb1b07bdf330627f02b3c832663a489",
"file_hash_sha256": "d5adc6a65a57d30d3ae70d195983d155e7cd24f26eb1ebebde9b92655251ec55",
"att_ck_id": [
"T1036",
"T1059",
"T1002",
"T1012"
],
"severity": "high",
"main_action": "no action",
"endpointId": "5efb3a520075db7384dfa285",
"companyId": "5efb2f7154060876cb4a13d2"
}
]
},
"id": 1505221060171
} Partner change
This event is generated every time a client company has joined or left your management.
Name | Type | Mandatory | Description |
|---|---|---|---|
moved_company_id | string | yes | The ID of the company that has changed its partner. |
moved_company_name | string | yes | The name of the company that has changed its partner. |
action | string | yes | The action taken by the partner. Possible values:
|
license_type | string | no | The license type of the company. |
end_subscription_date | timestamp | no | The company's subscription end date. |
auto_renew_period | string | no | The number of months with which the subscription validity will be automatically extended. |
minimal_commitment_usage_endpoints | integer | no | The minimum number of endpoints that this company has committed to use on a monthly basis. |
enabled_services | array | no | What services are enabled for the company. |
id | integer | yes | The ID of the event. |
name | string | yes | The name of the event. |
severity | integer | yes | The severity of the event. Possible values: |
Example:
{
"jsonrpc": "2.0",
"method": "addEvents",
"params": {
"events": [{
"module": "partner-changed",
"companyId": "638f118f6b82bec40d0976df",
"moved_company_id": "628f107f6b82bec40d0976af",
"moved_company_name": "Bitdefender",
"action": "joined",
"license_type": "Monthly",
"end_subscription_date": "2022-12-30T23:59:00",
"auto_renew_period": 12,
"minimal_commitment_usage_endpoints": 2,
"enabled_services": [
"Email Security",
"Full Disk Encryption",
"Patch Management",
"HyperDetect",
"Sandbox Analyzer"
]
}]
},
"id": 1505221060171
}