Notification types
This is the list of available notification types:
Malware Outbreak
This notification is sent to the users that have at least 5% of all their managed network objects infected by the same malware.
You can configure the malware outbreak threshold according to your needs in the Notifications Settings window. For more information, refer to Configuring Notification Settings.
Syslog format availability: JSON, CEF
License Expires
A notification is sent 90, 30, 7 days, and also one day before the license expires. The notifications will include company information, product name, the expired license keys and useful URLs.
Note
You must have Manage Company right to view this notification.
Syslog format availability: JSON, CEF
License Usage Limit Has Been Reached
This notification is sent when all of the available licenses have been used.
Syslog format availability: JSON, CEF
License Limit Is About To Be Reached
This notification is sent when 90% of the available licenses have been used.
Note
You must have Manage Company right to view this notification.
Syslog format availability: JSON, CEF
Servers License Usage Limit Has Been Reached
This notification is sent when the number of protected servers reaches the limit specified on your license key.
Note
You must have Manage Company right to view this notification.
Syslog format availability: JSON, CEF
Servers License Limit is About to Be Reached
This notification is sent when 90% of the available license seats for servers have been used.
Note
You must have Manage Company right to view this notification.
Syslog format availability: JSON, CEF
Exchange License Usage Limit Has Been Reached
This notification is triggered each time the number of protected mailboxes from your Exchange servers reaches the limit specified on your license key.
Note
You must have Manage Company right to view this notification.
Syslog format availability: JSON, CEF
Invalid Exchange user credentials
This notification is sent when an on-demand scan task could not start on the target Exchange server due to invalid Exchange user credentials.
Syslog format availability: JSON, CEF
Centralized Quarantine Issues
This notification is sent when an endpoint cannot submit quarantined files to the centralized quarantine network folder. The notification contains details about the endpoint, configured network share, and encountered error.
Update Available
This notification informs you about the availability of a new GravityZone, new package or new product update.
Syslog format availability: JSON, CEF
Internet Connection
This notification is triggered when Internet connectivity changes are detected by the following processes:
License validation
Obtaining an Apple Certificate Signing Request
Communication with Apple and Android mobile devices
Accessing MyBitdefender account
Syslog format availability: JSON, CEF
SMTP Connection
This notification is sent each time BitdefenderGravityZone detects changes regarding the mail server connectivity.
Syslog format availability: JSON, CEF
Mobile device users without email address
This notification is sent after adding mobile devices to multiple users and one or several selected users have no email address specified for their account. This notification is intended to warn you that users with no specified email address cannot enroll the mobile devices assigned to them, since the activation details are automatically sent by email.
For details about adding mobile devices to multiple users, refer to the Mobile devices section.
Syslog format availability: JSON, CEF
Database Backup
This notification informs you about the status of a scheduled database backup, whether successful or unsuccessful. If the database backup has failed, the notification message will display also the failure reason.
Syslog format availability: JSON, CEF
Exchange Malware Detected
This notification informs you when malware is detected on an Exchange Server in your network.
XenServer integration auto-update
This notification is sent when the integration settings automatically update after the XenServer master host gets a new IP address.
Advanced Anti-Exploit
This notification informs you when Advanced Anti-Exploit has detected exploit attempts in your network.
Syslog format availability: JSON, CEF
Antimalware event
This notification informs you when malware is detected on an endpoint in your network. This notification is created for each malware detection,providing details about the infected endpoint (name,IP, installed agent) the type of scan, detected malware, signature version,detection time and the scan engine type.
Syslog format availability: JSON, CEF
Integration out of sync
This notification is sent when an existing virtual platform integration could not synchronize with GravityZone. This may happen due to various reasons such as integration details that have changed, or temporary unavailability of the server. In the notification settings, you can select the integrations for which you want to be notified when a synchronization error occurs. You can check more information about the synchronization status in the notification details.
Syslog format availability: JSON, CEF
Antiphishing event
This notification informs you each time the endpoint agent blocks a known phishing web page from being accessed. This notification also provides details such as the endpoint that attempted to access the unsafe website (name and IP), installed agent or blocked URL.
Syslog format availability: JSON, CEF
Firewall event
With this notification you are informed each time the firewall module of an installed agent has blocked a port scan or an application from accessing the network, according to applied policy.
Syslog format availability: JSON, CEF
ATC/IDS event
This notification is sent each time a potentially dangerous application is detected on an endpoint in your network. You will find details about the application type, name, and path as well as the parent process ID and path and the command line that started the process if the case.
Syslog format availability: JSON, CEF
Content Control event
This notification is triggered each time a user activity such as web browsing or software application is blocked by the endpoint client according to applied policy.
Syslog format availability: JSON, CEF
Note
Content Control event notifications cannot be sent through email. Due to performance reasons, these notifications can only be sent via API to a SIEM platform.
Data Protection event
This notification is sent each time data traffic is blocked on an endpoint according to data protection rules.
Product Modules event
This notification is sent each time a security module of an installed agent gets enabled or disabled.
Syslog format availability: JSON, CEF
Security Server Status event
This type of notification provides information about the status changes of a certain Security Server installed in your network. The Security Server status changes refer to the following events: powered off / powered on, product update, security content update and reboot required.
Syslog format availability: JSON, CEF
Overloaded Security Server event
This notification is sent when the scan load on a Security Server in your network exceeds the defined threshold.
Syslog format availability: JSON, CEF
Product Registration event
This notification informs you when the registration status of an agent installed in your network has changed.
Syslog format availability: JSON, CEF
Authentication Audit
This notification informs you when another GravityZone account, except your own, was used to log in to Control Center from an unrecognized device.
Syslog format availability: JSON, CEF
Login from New Device
This notification informs you that your GravityZone account was used to log in to Control Center from a device you have not used for this purpose before. The notification is automatically configured to be visible both in Control Center and on email and you can only view it. This notification also includes the email address of the account used.
Syslog format availability: JSON, CEF
Certificate Expires
This notification informs you that a security certificate expires. The notification is sent 30, seven and one day prior to expiration date.
Syslog format availability: JSON, CEF
GravityZone Update
The notification is sent when a GravityZone update is completed. If failed, the update will run again in 24 hours.
Syslog format availability: JSON, CEF
Task Status
This notification informs you either each time a task status changes, or only when a task finishes, according to your preferences.
Syslog format availability: JSON, CEF
Outdated Update Server
This notification is sent when an Update Serverr in your network has outdated security content.
Syslog format availability: JSON, CEF
Network Attack Defense event
This notification is sent each time the Network Attack Defense module detects an attack attempt on your network. This notification also informs you if the attack attempt was conducted either from outside the network or from a compromised endpoint inside the network. Other details include data about the endpoint, attack technique, attacker’s IP, and the action taken by Network Attack Defense.
Syslog format availability: JSON, CEF
Custom Report Has Been Generated
This notification informs you when a query-based report has been generated.
Syslog format availability: N/A
New Application in Application Inventory
This notification informs you when Application Control detects a new application installed on monitored endpoints.
Syslog format availability: JSON, CEF
Blocked Application
This notification informs you when Application Control blocked or would have blocked a process of an unauthorized application, depending on the module configuration (Production or Test Mode).
Syslog format availability: JSON, CEF
Sensor integration status
This notification informs you when the status of a sensor integration changes. You can configure this notification to alert you in the GravityZoneControl Center, via email, or both.
By default, the notification is sent out every 2 hours if a sensor integration issue persists. But you can customize this time interval.
Sandbox Analyzer Detection
This notification alerts you every time Sandbox Analyzer detects a new threat among the automatically submitted samples. You are presented with details such as hostname or IP of the endpoint, time and date of the detection, threat type, path, name, size of the files and the remediation action taken on each one.
This notification is not sent for manual submissions.
Note
You will not receive notifications for clean analyzed samples. Information on all submitted samples is available in the Sandbox Analyzer Results report and in the Sandbox Analyzer section, in the main menu of Control Center.
Syslog format availability: JSON, CEF
HyperDetect event
This notification informs you when HyperDetect finds any antimalware or unblocked events in the network. This notification is sent for each HyperDetect event and provides the following details:
Affected endpoint information (name, IP, installed agent)
Malware type and name
Infected file path and parent process path. For file-less attacks it is provided the name of the executable used in the attack.
Infection status
The SHA256 hash of the malware executable
The type of the intended attack (targeted attack, grayware, exploits, ransomware, suspicious files and network traffic)
Detection level (Permissive, Normal, Aggressive)
Detection time and date
Detection type
Logged user
Command line used
Syslog format availability: JSON, CEF
You can view details about the infection and further investigate the issues by generating a HyperDetect Activity report right from the Notifications page. To do so:
In Control Center, click the
Notification button to display the Notification Area.Click the Show more link at the end of the notification to open the Notifications page.
Click the View report button in the notification details. This opens the report configuration window.
Configure the report if needed. For more information, refer to Creating Reports.
Click Generate.
Note
To avoid spamming, you will receive maximum one notification per hour.
Missing Patch Issue
This notification occurs when endpoints in your network are missing one or more available patches.
GravityZone automatically sends a notification containing all findings within the last 24 hours to the notification date.
You can view which endpoints are in this situation by clicking the View report button in notification details.
By default, the notification refers to security patches, but you may configure it to inform you of non-security patches as well.
Syslog format availability: JSON, CEF
New Incident
This notification informs you when a new incident occurs. Once enabled, the notification is generated every time a new incident is displayed under the Incidents section of Control Center. The corresponding syslog event contains a list of relevant items extracted from the incident details which you can use to enrich Security information and event management (SIEM) driven correlations. For more details click the Incidents Name
Syslog format availability: JSON, CEF
Note
In order to get notifications for new incidents, the minimum value for the Severity Score field is
10. However, you can adjust by entering any value between10and100.Ransomware detection
This notification informs you when GravityZone detects a ransomware attack within your network. You are provided with details regarding the targeted endpoint, the user that was logged in, the source of the attack, the number of encrypted files, and the time and date of the attack.
At the time you receive the notification the attack is already blocked.
The link in the notification will redirect you to the Ransomware Activity page, where you can view the list of encrypted files and restore them if needed.
Syslog format availability: JSON, CEF
Storage Antimalware
This notification is sent when malware is detected on an ICAP-compliant storage device. This notification is created for each malware detection, providing details about the infected storage device (name, IP, type), detected malware and detection time.
Syslog format availability: JSON, CEF
Blocked Devices
This notification is triggered when a blocked device or a device with read-only permission connects to the endpoint. If the exact same device connects multiple times in one hour, only one notification is sent during this interval. If the device connects again after one hour a new notification is triggered.
Syslog format availability: JSON, CEF
Troubleshooting activity
This notification informs you when a troubleshooting event in your network ends. You can view details about the event type and status, the troubleshooting target, the storage location where you can find the logs archive, and others.
Syslog format availability: JSON, CEF
New Investigation Files Activity
This notification is triggered when there are new requests related to forensic data gathering.
Security Container update status
The notification informs you when the product update status changes for a Security Container installed in your network.
Syslog format availability: JSON, CEF
Anti-Tampering event
This notification informs you whenever the security agent’s callback functions are maliciously removed or disabled, or vulnerable drivers are detected on endpoints.