Integrate GravityZone Cloud with Splunk
As a Bitdefender partner, you can integrate GravityZone with Splunk by using GravityZone APIs and Splunk HTTP Event Collector. With this service, you are able to send data from GravityZoneControl Center directly to Splunk Enterprise or Splunk Cloud.
Prerequisites
To integrate GravityZone with Splunk, you must have at hand:
Credentials for your GravityZone Cloud account.
Credentials for your Splunk account (cloud or on-premises).
Optionally, you can use a script to automatically enable the integration.
For Bitdefender Splunk App to correlate data coming from GravityZone, you must install Bitdefender Splunk Add-on.
Integration steps
To use the GravityZone integration with Splunk you need to follow these steps:
Log in to GravityZoneControl Center.
Go to My Account.
Under API keys section, click Add.
Select the Event Push Service API check box and click Save. The new key appears in the API Keys table.
Click Save to preserve the changes made in My Account page.
Log in to Splunk.
Go to Settings > Data Inputs > HTTP Event Colector.
Click New Token.
In the Add Data screen, fill in the Name field, as suggested in the image below, and click Next.
For Source type, click Select and choose
_json
.When using Bitdefender Splunk App, after installing BitdefenderSplunk Add-on, click Select and choose
bitdefender:gz
as the source.At Index, select a default index or create a new one. The events received by HTTP Event Collector will be inserted in the selected index.
Click Review.
Verify the data you entered and click Submit.
The token has been created successfully. Copy the token value and save it. You will need it later to enable the integration.
Go to Settings > Data Inputs > HTTP Event Collector and click Global Settings.
In the new window, under All Tokens section, select Enabled.
Click Save.
After you created the Event Push Service key in GravityZoneControl Center and enabled HTTP Event Collector in Splunk, you need to enable the integration. That means you have to start sending events from GravityZone to Splunk.
Get the information needed to configure Event Push Service settings from your favorite terminal emulator on Linux or Mac:
GravityZone API URL.
You find it in MyAccount > Control Center API and it should be similar to
https://cloudgz.gravityzone.bitdefender.com/api
.The authorization header of the API key generated in GravityZone.
The header value is Basic base64 encode.
Important
To obtain the authorization header, run the
echo
command followed by API key with colon (:
).> echo -n '604821e87e4c7de3aa15d0e6a97f5ab362281dbf0763746671da2caf4b5cccd1:' | base64 -w 0
The result should be something like this:
NjA0ODIxZTg3ZTRjN2RlM2FhMTVkMGU2YTk3ZjVhYjM2MjI4MWRiZjA3NjM3NDY2NzFkYTJjYWY0YjVjY2NkMTo=
Splunk URL.
You find it in your Splunk Cloud platform and it should be something like this:
https://prd-p-xlpxkqpw84k2.cloud.splunk.com
. If you use Splunk on-premises, the URL is already in place.HTTP Event Collector token.
Run this command (the settings you have to edit are underlined):
> curl -k -X POST \ https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \ -H 'authorization: Basic NjA0ODIxZTg3ZTRjN2RlM2FhMTVkMGU2YTk3ZjVhYjM2MjI4MWRiZjA3NjM3NDY2NzFkYTJjYWY0YjVjY2NkMTo=' \ -H 'cache-control: no-cache' \ -H 'content-type: application/json' \ -d '{"params": {"status": 1, "serviceType": "splunk", "serviceSettings": {"url": "https://input-prd-p-r2rmnllpzv4n.cloud.splunk.com:8088/services/collector", "requireValidSslCertificate": false, "splunkAuthorization": "Splunk EA900DEB-22C8-402B-A7F9-A926C1633E7A"}, "subscribeToEventTypes": {"hwid-change": true,"modules": true,"sva": true,"registration": true,"supa-update-status": true,"av": true,"aph": true,"fw": true,"avc": true,"uc": true,"dp": true,"device-control": true,"sva-load": true,"task-status": true,"exchange-malware": true,"network-sandboxing": true,"malware-outbreak": true,"adcloud": true,"exchange-user-credentials": true,"exchange-organization-info": true,"hd": true,"antiexploit": true}}, "jsonrpc": "2.0", "method":"setPushEventSettings", "id": "1"}'
Note
GravityZone starts sending events to Splunk after the Event Push Service settings are reloaded. This happens every 10 minutes.
To start sending events immediately, run this command (the settings you have to edit are underlined):
> curl -k -X POST \ https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \ -H 'authorization: Basic R2U5SENZcWRVN2pJRFI5MHdOMGVFMXpiQjVTbmM1SE46' \ -H 'cache-control: no-cache' \ -H 'content-type: application/json' \ -d '{"params": {}, "jsonrpc": "2.0", "method": "getPushEventSettings", "id": "2"}'
The return should be similar to:
{"id":"1","jsonrpc":"2.0","result":true}
Test the Splunk integration
To test the integration, run this command (the settings you have to edit are underlined):
> curl -k -X POST \ https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \ -H 'authorization: Basic R2U5SENZcWRVN2pJRFI5MHdOMGVFMXpiQjVTbmM1SE46' \ -H 'cache-control: no-cache' \ -H 'content-type: application/json' \ -d '{"params": {"eventType": "av"}, "jsonrpc": "2.0", "method": "sendTestPushEvent", "id": "3"}'
You can also start sending events from GravityZone to Splunk by running a script created by Bitdefender. You can do this in your favorite terminal emulator on Linux or Mac.
Download the script from here.
Make the script executable by running the command:
chmod +x bdpusheventconfig.sh
Run the script with the command:
./bdpusheventconfig.sh -g [console_url] -k [api_key] -t [service_type] -u [service_url] -a [splunk_auth_token] -v -d [events]
The script includes the following options:
Option | Description |
| GravityZone API url |
| GravityZone API key |
| Service type: splunk or jsonRPC |
| Splunk or RPC url |
| Splunk authorization token |
| Verify service SSL certificate |
| Connect to Splunk Cloud free trials. Adds 'input-' to the service host and uses port 8088 (if port is not specified). |
| Connect to Splunk Cloud instances. Adds 'http-inputs-' to the service host and uses port 443 (if port is not specified). |
| Help |
These options are similar to the ones used when enabling the integration manually.
The [events] list refers to one or more space-separated events that are to be sent from GravityZone to Splunk. These events are described in the table below:
Event type identifier | Description |
| Product Modules event |
| Security Server Status event |
| Product Registration event |
| Outdated Update Server event (where the Update Server is a Relay) |
| Antimalware event |
| Antiphishing event |
| Firewall event |
| ATC/IDS event |
| User Control event |
| Data Protection event |
| HyperDetect event |
| Overloaded Security Server event |
| Task Status event |
| Exchange Malware Detection event |
| Sandbox Analyzer Detection |
| Active Directory Integration Issue |
| Exchange User Credentials |
| Antiexploit Event |
| Network Attack Defense Event |
| Endpoint moved in (used for moving endpoints from one company to another) |
| Endpoint moved out (used for moving endpoints from one company to another) |
| Hardware ID change |
| Install agent |
| New incident |
| Ransomware activity detection |
| Security Container update available |
| Troubleshooting activity |
| Uninstall agent |
To subscribe to all events, use the value all
or specify each one of them. If the events list is empty (no event types specified) then the integration is disabled.
Examples
Enable the Splunk integration
./bdpusheventconfig.sh -g https://gz.example.com/api/v1.0/jsonrpc/push -k abcdefghijklmnopqrstuvwxyz123456 -t splunk -u https://splunk.example.com -a 11111111-2222-3333-4444-555555555555 -d modules sva registration supa-update-status av aph fw avc uc dp sva-load task-status exchange-malware network-sandboxing adcloud exchange-user-credentials
./bdpusheventconfig.sh -g https://gz.example.com/api/v1.0/jsonrpc/push -k abcdefghijklmnopqrstuvwxyz123456 -t splunk -u https://splunk.example.com -a 11111111-2222-3333-4444-555555555555 -c all
Configure a json RPC service
./bdpusheventconfig.sh -g https://gz.example.com/api/v1.0/jsonrpc/push -k abcdefghijklmnopqrstuvwxyz123456 -t jsonRPC -u https://rpc.example.com modules sva registration supa-update-status av aph fw avc uc dp sva-load task-status exchange-malware network-sandboxing adcloud exchange-user-credentials
Disable the Splunk integration
./bdpusheventconfig.sh -g https://gz.example.com/api/v1.0/jsonrpc/push -k abcdefghijklmnopqrstuvwxyz123456 -t splunk -u https://splunk.example.com -a 11111111-2222-3333-4444-555555555555 –c
For details about Push Events Service, refer to the Push section.
For details about creating reports based on data from GravityZone in Splunk, refer to Create reports in Splunk based on GravityZone data.