Syslog event messages
Antiphishing
This notification informs you each time the endpoint agent detects a known phishing attempt when accessing a web page.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| Object | no | The data of the previous event |
| Object | yes | The user involved with the event source |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | yes | Indicates if the event is phishing or fraud detection. Possible values: |
| String | yes | Malware URL |
| String | yes | Possible values: |
| Timestamp | yes | A timestamp of the last time this malware was blocked |
| Integer | yes | How many times this malware was detected |
```json
{
  "module": "aph",
  "product_installed": "BEST",
  "user": {
    "id": "S-1-5-21-2018264366-2484004464-1617746128-1001",
    "name": "bdvm"
  },
  "VM_NAME": "Pi-machine",
  "VM_ID": "Pi-3141",
  "UUID_INSTANCE": "50164ed1-28af-41af-cdaf-8e550506c37b",
  "UUID_BIOS": "4216d501-36c5-22ed-de02-0e4da0badb7a",
  "computer_name": "Pi-machine",
  "computer_fqdn": "Pi14159-automation-win64",
  "computer_ip": "31.14.159.265",
  "computer_id": "6257cf1130015b2201bf4a00",
  "aph_type": "fraud",
  "url": "bdtest.tibeica.com\/ot\/fraud_red.html",
  "status": "reportOnly",
  "last_blocked": "2022-05-12T09:35:08.000Z",
  "count": 1
}
```
Application Control
Event generated when an application is blocked by the Application Control module.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| Object | no | The data of the previous event |
| Object | no | The user involved with the event source |
| String | no | Virtual machine name |
| String | no | Virtual machine identifier |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| integer | yes | The mode in which the event occurred. Value: |
| String | yes | Values: |
| String | yes | Malware file path |
| String | no | The version of the file |
| String | no | The name of the product |
| String | no | The version of the product |
| String | no | The name of the product publisher |
| String | no | The process fingerprint of the application |
| Array | no | Thumbprints (array of strings) |
| String | no | Application Control rule name |
| Timestamp | yes | The date when the application was detected |
| integer | yes | How many times this application was detected |
```json
{
  "module": "application-control",
  "product_installed": "BEST",
  "user": {
    "id": "S-11-22-33",
    "name": "[email protected]"
  },
  "computer_name": "TEST_ENDPOINT",
  "computer_fqdn": "test-endpoint.dsd.ro",
  "computer_ip": "31.41.59.265",
  "computer_id": "625c19913a58151e63702862",
  "mode": 1,
  "scanMode": "production",
  "filePath": "C:\\Program Files\\Microsoft\\Skype\\Skype.exe",
  "fileVersion": "10.0.0.9999",
  "productName": "Skype VoIP Service",
  "productVersion": "10.2",
  "publisher": "Microsoft",
  "fingerprint": "b6bf7bc8d96f3ea9d132c83b3da8e7760e420138485657372db4d6a981d3fd9e",
  "thumbprints": ["03d66dd08835c1ca3f128cceacd1f31ac94163096b20f445ae84285bc0832d72"],
  "ruleName": "",
  "date": "2022-04-17T13:44:29.485Z",
  "count": 1
}
```
Application Inventory
This notification informs you when new applications have been discovered and added to Application Inventory.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| Object | no | The user involved with the event source |
| String | no | Virtual machine name |
| String | no | Virtual machine identifier |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| Timestamp | yes | Date of application discovery |
```json
{
  "applications": [
    { "name": "Firefox", "version": "0" }
  ],
  "module": "application-inventory",
  "product_installed": "BEST",
  "VM_NAME": "Pi-machine",
  "VM_ID": "Pi-3141",
  "UUID_INSTANCE": "50164ed1-28af-41af-cdaf-8e550506c37b",
  "UUID_BIOS": "4216d501-36c5-22ed-de02-0e4da0badb7a",
  "computer_name": "Pi-machine",
  "computer_fqdn": "Pi14159-automation-win64",
  "computer_ip": "31.14.159.265",
  "computer_id": "6257cf1130015b2201bf4a00",
  "discoveredOn": "2022-04-17T11:35:33.000Z"
}
```
Antimalware
This event is generated each time Bitdefender detects malware on an endpoint in your network.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| String | yes | The data of the previous event |
| String | yes | The user involved with the event source |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | The unique identifier of the virtual machine |
| String | no | The bios UUID for VMware machines |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | yes | Describes the type of malware as defined by Bitdefender. Possible values: |
| String | yes | Name of the malware as defined by Bitdefender |
| String | no | The SHA256 hash of the infected object. |
| String | yes | Final status of the action taken on the file: |
| String | no | The identifier of the container entity |
| String | no | The name of the host that manages the container entity |
| String | yes | The path of the infected object as reported by the product. The path references a local file on the machine that reported the event. |
| Timestamp | yes | Timestamp when the malware was detected |
| String | no | Signatures number |
| Integer | no | taskScanType |
| Integer | no | scanEngineType |
```json
{
  "module": "av",
  "product_installed": "BEST",
  "user": {
    "id": "S-1-5-21-2018264366-2484004464-1617746128-1001",
    "name": "bdvm"
  },
  "VM_NAME": "Pi-machine",
  "VM_ID": "Pi-3141",
  "UUID_INSTANCE": "50164ed1-28af-41af-cdaf-8e550506c37b",
  "UUID_BIOS": "4216d501-36c5-22ed-de02-0e4da0badb7a",
  "computer_name": "Pi-machine",
  "computer_fqdn": "Pi14159-automation-win64",
  "computer_ip": "31.14.159.265",
  "computer_id": "6257cf1130015b2201bf4a00",
  "malware_type": "file",
  "malware_name": "Gen:Trojan.Heur.LShot.1",
  "hash": "ca52142291d765efa6b69543c25ca13cb2179ae62a0cb5d2f4a19877244cc3cd",
  "final_status": "still present",
  "container_id": "4216d501-36c5-22ed-de02-0e4da0badb7a",
  "file_path": "C:\\Users\\bdvm\\Desktop\\script.ps1",
  "timestamp": "2022-05-12T09:34:46.000Z",
  "signaturesNumber": "7.89727",
  "scanEngineType": 1
}
```
Advanced Threat Control (ATC)
This event is created whenever a potentially dangerous application is detected and blocked on an endpoint.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | no | Identifier for the installed GravityZone component |
| Object | no | The user involved with the event source |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | The unique identifier of the virtual machine |
| String | no | The bios UUID for VMware machines |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | yes | The reported detection type: application (APP) or exploit (Exploit). Possible values: |
| String | yes | The path of the object as reported by the product. The path references a local file on the endpoint that reported the event. |
| String | no | The command line parameters of the detected process |
| String | no | The pid of the parent of the detected process |
| String | no | |
| String | yes | |
| Timestamp | yes | A timestamp of the last time this application/exploit was blocked |
| Integer | yes | How many times this application/exploit was detected |
```json
{
  "module": "avc",
  "product_installed": "BEST",
  "user": {
    "id": "S-1-5-21-2018264366-2484004464-1617746128-1001",
    "name": "bdvm"
  },
  "VM_NAME": "btoma-windows-10-onPrem",
  "VM_ID": "vm-4193",
  "UUID_INSTANCE": "50164ed1-28af-41af-cdaf-8e550506c37b",
  "UUID_BIOS": "4216d501-36c5-22ed-de02-0e4da0badb7a",
  "computer_name": "btoma-windows-10-onPrem",
  "computer_fqdn": "cmocanu-automation-win64",
  "computer_ip": "10.18.155.211",
  "computer_id": "6257cf1130015b2201bf4a00",
  "exploit_type": "AVC APP",
  "exploit_path": "C:\\Users\\bdvm\\Desktop\\_samples_on_execute\\_samples_on_execute\\paranoia.0.2.exe",
  "process_command_line": "C:\\Users\\bdvm\\Desktop\\_samples_on_execute\\_samples_on_execute\\paranoia.0.2.exe -test parameter \\ for 0",
  "parent_process_id": 1160,
  "parent_process_path": "C:\\Windows\\System32\\cmd.exe",
  "status": "avc_disinfected",
  "last_blocked": "2022-04-17T10:18:25.000Z",
  "count": 1
}
```
Data Protection
This event is generated each time the data traffic is blocked on an endpoint, according to data protection rules.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| String | no | The data of the previous event |
| Object | no | The data of the previous event |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | yes | Specifies the blocked traffic type based on the data protection rule: |
| String | yes | Data protection rule name |
| String | yes | The blocked traffic. Possible values are: |
| String | yes | Always |
| Timestamp | yes | A timestamp of the last time this email/url was blocked |
| Integer | yes | A timestamp of the last time this email/url was blocked |
```json
{
  "module": "dp",
  "product_installed": "BEST",
  "user": {
    "id": "S-1-5-21-3569875631-4240938805-1797204764-1001",
    "name": "Admin1"
  },
  "computer_name": "TEST_ENDPOINT",
  "computer_fqdn": "test-endpoint.dsd.ro",
  "computer_ip": "31.41.59.265",
  "computer_id": "625c19913a58151e63702862",
  "target_type": "http",
  "blocking_rule_name": "asdf",
  "url": "http:\/\/www.zf.ro\/search",
  "status": "data_protection_blocked",
  "last_blocked": "2018-05-25T08:56:42.000Z",
  "count": 1
}
```
Exchange Malware Detection
This event is created when Bitdefender detects malware on an Exchange server in your network.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| String | yes | Identifier for the installed GravityZone component |
| String | no | The data of the previous event |
| Object | no | The user involved with the event source |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | yes | Managed endpoint identifier in the GravityZone database |
| String | yes | Server name where the malware was detected |
| String | yes | Email sender |
| Array | yes | List of email recipients (array of strings) |
| String | yes | Email subject |
| Timestamp | yes | Time of the event as reported by the product, already formatted in a string representation |
| Array | yes | List of detected malware (array of { |
```json
{
  "name": "Exchange Malware Detected",
  "created": "2022-04-18T10:52:14+03:00",
  "company_name": "root",
  "user_name": "root",
  "endpoint_id": "625d18aa9f69720ddfaee9c7",
  "server_name": "TEST_ENDPOINT-email",
  "installed_agent": "BEST",
  "sender": "[email protected]",
  "recipients": ["[email protected]", "[email protected]"],
  "subject": "test",
  "detection_time": "2014-10-29T16:14:51.000Z",
  "detected_malware": [
    {
      "malwareName": "EICAR-Test-File (not a virus)",
      "malwareType": "virus",
      "infectedObject": "someFile.txt",
      "actionTaken": "ignore"
    },
    {
      "malwareName": "EICAR-Test-File (not a virus)",
      "malwareType": "virus",
      "infectedObject": "someFile.txt",
      "actionTaken": "disinfect"
    }
  ]
}
```
Exchange License Usage Limit Has Been Reached
This event is generated when the Exchange license limit has been reached.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| String | yes | The license key of the user which uses the license |
| Boolean | yes | Company's license limit reached |
| Boolean | yes | Whether the license limit has been reached by the partner companies or not |
```json
{
  "name": "Exchange License Usage Limit Has Been Reached",
  "created": "2019-01-18T13:01:15+00:00",
  "company_name": "nebula_CO",
  "user_name": "root",
  "mailboxes": 8,
  "license_limit": 5,
  "license_key": "5IMICR5",
  "recv_for_his_company": true,
  "recv_for_partner_company": false
}
```
Exchange User Credentials
This event is generated when an on-demand scan task could not start on the target Exchange server due to invalid user credentials. To complete the task, you need to change your Exchange credentials.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| String | yes | Managed endpoint identifier in the GravityZone database |
| String | yes | Managed endpoint name |
| String | yes | Name of the policy applied on the endpoint |
```json
{
  "name": "Invalid Exchange user credentials",
  "created": "2022-04-14T09:58:26+00:00",
  "company_name": "root",
  "user_name": "sacumen\\administrator",
  "endpoint_id": "6256a3b130015b2201bf496b",
  "target_name": "WIN-LFK7I9VSLR2",
  "policy_name": "no_update"
}
```
Firewall
This event is generated when the endpoint agent blocks a port scan or an application from accessing the network, according to the applied policy.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| String | no | The data of the previous event |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | yes | The action that was taken upon the detection |
| String | no | The port of the malware attack |
| String | no | The identifier of the malware attack protocol as defined by Protocol Number |
| String | no | The path to the image file for the process that was just blocked from doing any traffic on the reported port and protocol. |
| Timestamp | yes | A timestamp of the last time this connection was blocked |
| Integer | yes | How many times this connection was detected |
```json
{
  "module": "fw",
  "product_installed": "BEST",
  "user": {
    "id": "S-1-5-18",
    "name": "SYSTEM"
  },
  "VM_NAME": "Pi-machine",
  "VM_ID": "Pi-3141",
  "UUID_INSTANCE": "50164ed1-28af-41af-cdaf-8e550506c37b",
  "UUID_BIOS": "4216d501-36c5-22ed-de02-0e4da0badb7a",
  "computer_name": "Pi-machine",
  "computer_fqdn": "Pi14159-automation-win64",
  "computer_ip": "31.14.159.265",
  "computer_id": "6257cf1130015b2201bf4a00",
  "status": "traffic_blocked",
  "local_port": "445",
  "protocol_id": "6",
  "application_path": "System",
  "last_blocked": "2022-04-17T11:34:59.000Z",
  "count": 1
}
```
Hyper Detect event
Event generated when malware is detected by the Hyper Detect module.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| String | no | The data of the previous event |
| Object | no | The data of the previous event |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | yes | Name of the malware as defined by Bitdefender |
| String | no | Malware file: |
| String | yes | Final status of the action taken on the file: |
| String | no | The identifier of the container entity |
| String | no | The name of the host that manages the container entity |
| String | yes | Malware file path |
| String | no | Values: |
| String | no | Values: |
| Boolean | no | |
| String | no | The parameters of the command line |
| String | no | The path of the process |
| String | no | The command line of the parent process |
| Integer | no | The identifier of the parent process |
| String | no | The path of the parent process |
| String | yes | The hardware identifier |
| Timestamp | yes | Timestamp when the malware was detected |
```json
{
  "module": "hd",
  "product_installed": "BEST",
  "user": {
    "name": "bdvm",
    "sid": "S-1-5-21-2018264366-2484004464-1617746128-1001"
  },
  "VM_NAME": "Pi-machine",
  "VM_ID": "Pi-3141",
  "UUID_INSTANCE": "50164ed1-28af-41af-cdaf-8e550506c37b",
  "UUID_BIOS": "4216d501-36c5-22ed-de02-0e4da0badb7a",
  "computer_name": "Pi-machine",
  "computer_fqdn": "Pi14159-automation-win64",
  "computer_ip": "31.14.159.265",
  "computer_id": "6257cf1130015b2201bf4a00",
  "malware_type": "file",
  "malware_name": "Gen:Illusion.Jazz.1.2010103",
  "hash": "",
  "final_status": "still present",
  "container_id": "4216d501-36c5-22ed-de02-0e4da0badb7a",
  "file_path": "C:\\Users\\bdvm\\Desktop\\_samples_on_execute\\_samples_on_execute\\paranoia.3.2.exe",
  "attack_type": "Ransomware",
  "detection_level": "Normal",
  "is_fileless_attack": "false",
  "process_info_path": "C:\\Users\\bdvm\\Desktop\\_samples_on_execute\\_samples_on_execute\\paranoia.3.2.exe",
  "process_info_command_line": "-test parameter \\ for 3",
  "parent_process_id": 12432,
  "parent_process_path": "C:\\Windows\\System32\\cmd.exe",
  "hwid": "01d51642-c536-ed22-de02-0e4da0badb7a-00505696d1c3",
  "date": "2022-04-15T08:06:27.000Z"
}
```
Product Modules Status
This event is generated when a security module of the installed agent gets enabled or disabled.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| Object | no | The data of the previous event |
| Object | no | The user involved with the event source |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | no | The identifier of the container entity |
| String | no | The name of the host that manages the container entity |
| Boolean | no | Whether the machine is container host or not |
```json
{
  "module": "modules",
  "product_installed": "BEST",
  "VM_NAME": "btoma-exchange-onPrem-1",
  "VM_ID": "vm-4306",
  "UUID_INSTANCE": "5016fdf7-03ea-023f-35d0-0ec397f011ba",
  "UUID_BIOS": "4216e16b-0341-2783-16c4-b353301c2a73",
  "computer_name": "btoma-exchange-onPrem-1",
  "computer_fqdn": "win-lfk7i9vslr2.sacumen.local",
  "computer_ip": "10.18.154.115",
  "computer_id": "625c06b42dc02c725f5f1942",
  "container_id": "4216e16b-0341-2783-16c4-b353301c2a73",
  "malware_status": 1,
  "avc_status": 1,
  "pu_status": 0,
  "dlp_status": 1,
  "exchange_av_status": 1,
  "exchange_as_status": 1,
  "exchange_at_status": 0,
  "exchange_cf_status": 0,
  "exchange_od_status": 1,
  "patch_management": 1,
  "app_control_status": 1
}
```
Sandbox Analyzer Detection
This event is generated each time Sandbox Analyzer detects a new threat among the submitted files.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| String | yes | Company identifier in the GravityZone database |
| String | yes | Managed endpoint identifier in the GravityZone database |
| String | yes | The name of the computer |
| String | yes | The IP of the computer which submitted the file for analysis |
| String | yes | Unique endpoint identifier in the GravityZone database |
| Integer | yes | Time of the event as reported by the product, already formatted in a string representation |
| String | yes | Describes the type of malware as defined by Bitdefender. Possible values are: |
| String | no | GravityZone network sandbox submission ID |
| Array | yes | File paths (array of strings) |
| Array | yes | File sizes (array of strings) |
| Array | yes | Remediation actions (array of strings). |
```json
{
  "name": "Sandbox Analyzer Detection",
  "created": "2022-05-03T12:34:00+03:00",
  "company_name": "root",
  "user_name": "test",
  "computer_name": "TEST_ENDPOINT-sbx",
  "computer_ip": "31.41.59.265",
  "detection_time": "07 Jul 2016, 15:11:54",
  "threat_type": "Ransomware",
  "file_info": [
    {
      "file_path": "C:\\Users\\Administrator\\Documents\\installer.xml",
      "file_size": "2.55 KB",
      "remediation_action": "Quarantined"
    },
    {
      "file_path": "D:\\opt\\bitdefender\\installer2.xml",
      "file_size": "2.55 KB",
      "remediation_action": "Deleted"
    },
    {
      "file_path": "D:\\sources\\console\\CommonConsole\\app\\modules\\policies\\view\\endpoints\\networkSandboxing\\installer3.xml",
      "file_size": "2.55 KB",
      "remediation_action": "Quarantined"
    }
  ]
}
```
Product Registration
This event is generated when the registration status of an agent installed in your network has changed.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| Object | yes | The data of the previous event |
| Object | yes | The user involved with the event source |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | Company identifier in the GravityZone database |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | no | The identifier of the container entity |
| String | no | The name of the host that manages the container entity |
| Boolean | no | Whether the machine is container host or not |
| String | yes | Values: |
```json
{
  "module": "registration",
  "product_installed": "BEST",
  "computer_name": "TEST_ENDPOINT",
  "computer_fqdn": "test-endpoint.dsd.ro",
  "computer_ip": "31.41.59.265",
  "computer_id": "625c19913a58151e63702862",
  "product_registration": "registered"
}
```
Outdated Update Server
This event is generated when an update server has outdated malware signatures.
Name | Type | Mandatory | Description |
---|---|---|---|
| Boolean | yes | Event type identifier. Value: |
| Integer | yes | The status of the server update. Possible values: |
| Integer | yes | The ID of the Update Server. |
| String | yes | Identifier for the installed GravityZone component |
| Object | no | The data of the previous event |
| Object | no | The user involved with the event source |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
```json
{
  "fromSupa": 1,
  "module": "supa-update-status",
  "product_installed": "BEST",
  "computer_name": "TEST_ENDPOINT",
  "computer_fqdn": "test-endpoint.dsd.ro",
  "computer_ip": "31.41.59.265",
  "computer_id": "625c19913a58151e63702862",
  "status": 0
}
```
Overloaded Security Server
This event is generated when the scan load on a Security Server in your network exceeds the defined threshold.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | no | Identifier for the installed GravityZone component |
| Object | no | The data of the previous event |
| Object | yes | The user involved with the event source |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | Company identifier in the GravityZone database |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| Integer | yes | The load average of the Security Server |
| Integer | yes | The CPU usage of the Security Server |
| Integer | yes | The memory usage of the Security Server |
| Integer | yes | The network usage of the Security Server |
| Integer | yes | The overall usage of the Security Server |
| String | no | The load of the Security Server |
```json
{
  "module": "sva-load",
  "product_installed": "SVA",
  "VM_NAME": "btoma-SVA-outdated-onPrem",
  "VM_ID": "vm-4191",
  "UUID_INSTANCE": "5016cfec-c7fd-7531-fa29-9185931879c4",
  "UUID_BIOS": "4216a8ee-3cef-46f9-9925-d588eee65766",
  "computer_name": "btoma-SVA-outdated-onPrem",
  "computer_fqdn": "bitdefender-sva",
  "computer_ip": "10.18.159.8",
  "computer_id": "6256984b601b8b21f976ad88",
  "loadAverage": 1,
  "cpuUsage": 8,
  "memoryUsage": 45,
  "networkUsage": 0,
  "overallUsage": 8,
  "svaLoad": "Overloaded"
}
```
Security Server Status
This event is created when the status of a certain Security Server changes. The status refers to power (powered on/powered off), product update, signatures update and reboot required.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| Object | no | The data of the previous event |
| Object | no | The user involved with the event source |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | Company identifier in the GravityZone database |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| Boolean | yes | True if the Security Server is powered off |
| Boolean | no | The Security Server update availability status |
| Timestamp | no | Timestamp when the last signatures update of the Security Server was finished |
| Boolean | no | True if a reboot is required |
| Timestamp | no | Timestamp when the last update of the Security Server was finished |
| String | no | The error of the last Security Server update |
| String | no | The engines version of the Security Server |
```json
{
  "module": "sva",
  "product_installed": "SVA",
  "VM_NAME": "Bitdefender SVE SVA (dell-xen2)",
  "VM_ID": "OpaqueRef:5bfc190d-2c54-d3da-e104-2b899b59d039",
  "UUID_INSTANCE": "eab611f7-3f7b-8a01-88e0-a78f2e35373b",
  "computer_name": "Bitdefender SVE SVA (dell-xen2)",
  "computer_fqdn": "sva-xen2",
  "computer_ip": "10.17.12.194",
  "computer_id": "6258082f6437b27cd93926e5",
  "powered_off": 1
}
```
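The tables above declare `is_fileless_attack` (Hyper Detect) and `powered_off` (Security Server Status) as Boolean, but the sample messages carry them as the string `"false"` and the integer `1` respectively. A consumer that tests these values with plain truthiness will treat `"false"` as true. The following added example (not part of this page or of the GravityZone product) shows the pitfall and a coercion helper that handles the encodings visible in the samples; `HYPER_DETECT_SAMPLE` and `SVA_STATUS_SAMPLE` are constructed fragments copied from the page's examples.

```python
# Constructed fragments of the page's Hyper Detect and Security Server Status samples:
# a Boolean field serialized as a string, and one serialized as an integer.
HYPER_DETECT_SAMPLE = {"module": "hd", "is_fileless_attack": "false"}
SVA_STATUS_SAMPLE = {"module": "sva", "powered_off": 1}

TRUE_WORDS = {"true", "1", "yes"}
FALSE_WORDS = {"false", "0", "no", ""}


def as_bool(value):
    """Coerce the boolean encodings seen in these events: bool, 0/1, "true"/"false".

    Anything else is rejected rather than guessed, so a schema change surfaces as an
    error in the pipeline instead of a silently wrong flag.
    """
    if isinstance(value, bool):          # must be checked before int: bool is an int subclass
        return value
    if isinstance(value, int):
        return value != 0
    if isinstance(value, str):
        word = value.strip().lower()
        if word in TRUE_WORDS:
            return True
        if word in FALSE_WORDS:
            return False
    raise ValueError(f"unrecognised boolean encoding: {value!r}")


def naive_is_fileless(evt):
    """The bug: a non-empty string is truthy, so the string "false" reads as True."""
    return bool(evt.get("is_fileless_attack"))


def is_fileless(evt):
    """Correct reading of the Hyper Detect flag; a missing field counts as not fileless."""
    return as_bool(evt.get("is_fileless_attack", False))


def is_powered_off(evt):
    """Correct reading of the Security Server flag, which arrives as 0/1."""
    return as_bool(evt.get("powered_off", False))


if __name__ == "__main__":
    print("naive:", naive_is_fileless(HYPER_DETECT_SAMPLE))   # True, which is wrong
    print("coerced:", is_fileless(HYPER_DETECT_SAMPLE))       # False
    print("powered off:", is_powered_off(SVA_STATUS_SAMPLE))  # True
```

The same helper applies to the other integer-encoded flags on this page, such as `fromSupa` in the Outdated Update Server message and the per-module `*_status` fields in Product Modules Status.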
Antiexploit Event
This event is generated when Advanced Anti-Exploit triggers a detection.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| Object | no | The data of the previous event |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | no | The identifier of the container entity |
| String | no | The name of the host that manages the container entity |
| String | yes | Managed endpoint identifier in the GravityZone database |
| String | yes | The action that was taken upon the detection |
| String | no | Detection threat name |
| String | yes | The pid of the detection |
| String | yes | The technique employed in the detection |
| String | no | Detection parent pid |
| String | yes | The path of the detection |
| String | no | The path of the parent process of the detection |
| String | no | Detection CVE |
| String | no | Detection payload |
| String | no | The user that was logged when the detection was found |
| Timestamp | yes | Time of the event as reported by the product, already formatted in a string representation |
```json
{
  "module": "antiexploit",
  "product_installed": "BEST",
  "VM_NAME": "btoma-exchange-onPrem",
  "VM_ID": "vm-4190",
  "UUID_INSTANCE": "501606d3-c8b0-1127-920a-1edc7d3a76b0",
  "UUID_BIOS": "42166a12-1437-7e14-db35-8f100b85041b",
  "computer_name": "btoma-exchange-onPrem",
  "computer_fqdn": "win-lfk7i9vslr2.sacumen.local",
  "computer_ip": "10.18.159.13",
  "computer_id": "6256a3b130015b2201bf496d",
  "container_id": "42166a12-1437-7e14-db35-8f100b85041b",
  "detection_action": "kill",
  "detection_pid": "46856",
  "detection_exploitTechnique": "ProcessCreation\/ObsoleteChildProcessCreation",
  "detection_parentPid": "48508",
  "detection_path": "C:\\Users\\Administrator\\Desktop\\samples\\samples\\bd_anti-exploit-test\\test-gemma-alert\\opera64.exe",
  "detection_parentPath": "C:\\Windows\\System32\\cmd.exe",
  "detection_username": "[email protected]",
  "detection_time": "2022-04-17T11:52:30.000Z",
  "endpoint_id": "6256a3b130015b2201bf496b"
}
```
Network Attack Defense Event
This event is generated when the Network Attack Defense module triggers a detection.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| Object | no | The data of the previous event |
| Object | no | The user involved with the event source |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | yes | The identifier of the container entity |
| String | yes | The name of the host that manages the container entity |
| String | yes | Managed endpoint identifier in the GravityZone database |
| String | no | The label set in the Network grid by the Admin |
| String | yes | The action that was taken upon the detection |
| String | yes | The name of the detection as received from BEST |
| String | yes | Name of the attack technique as set in the Network Attack Defense policy |
| String | yes | IP of the attack source |
| String | yes | IP of the victim's endpoint |
| String | yes | The port on which the attack occurred |
| Timestamp | yes | Time of the event as reported by the product, already formatted in a string representation |
{ "name": "Network Incidents event", "created": "2022-04-26T09:49:18+03:00", "company_name": "root", "user_name": "[email protected]", "computer_id": "625c19913a58151e63702862", "computer_name": "TEST_ENDPOINT", "computer_ip": "31.41.59.265", "computer_fqdn": "test-endpoint.dsd.ro", "action_taken": "block", "attack_technique": "discovery", "detection_name": "Eicar.NetworkMonitor.DiscoveryThreat", "source_ip": "213.211.198.58", "victim_ip": "10.17.134.4", "local_port": "80", "date": "2015-02-02T13:34:54.000Z" }
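A Network Attack Defense event describes one source hitting one endpoint; what a SOC usually wants is the view across endpoints, since the same source appearing against several victims is the signature of scanning or lateral movement. The following Python is an added example, not code from the GravityZone documentation or product: it groups events by `source_ip` using the field names of the sample above (`source_ip`, `victim_ip`, `attack_technique`, `action_taken`, `local_port`, `computer_id`), and the events it runs on are constructed for the demonstration. The victim threshold is an assumption.

```python
"""Correlate Network Attack Defense events across endpoints by attack source.

Added example; it is not part of the GravityZone documentation or product.
Field names follow the sample event above; the events below are constructed.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set


def _nad(computer_id: str, victim_ip: str, source_ip: str, port: str,
         action: str = "block", technique: str = "discovery") -> dict:
    """Build a constructed Network Attack Defense event (subset of fields)."""
    return {
        "name": "Network Incidents event",
        "computer_id": computer_id,
        "action_taken": action,
        "attack_technique": technique,
        "detection_name": "Eicar.NetworkMonitor.DiscoveryThreat",
        "source_ip": source_ip,
        "victim_ip": victim_ip,
        "local_port": port,
    }


# Constructed sample: one external source touches three endpoints (one hit
# was only reported, not blocked); an internal source touches a single one.
SAMPLE_NAD_EVENTS: List[dict] = [
    _nad("ep-a", "10.17.134.4", "213.211.198.58", "80"),
    _nad("ep-b", "10.17.134.5", "213.211.198.58", "445"),
    _nad("ep-c", "10.17.134.6", "213.211.198.58", "445", action="report"),
    _nad("ep-a", "10.17.134.4", "10.17.134.20", "22"),
]


def is_nad_event(event: dict) -> bool:
    """True for Network Attack Defense events (by event name and key fields)."""
    return event.get("name") == "Network Incidents event" and "source_ip" in event


def victims_by_source(events: Iterable[dict]) -> Dict[str, Set[str]]:
    """Map each attack source IP to the set of victim IPs it was seen against."""
    result: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        if is_nad_event(ev):
            result[ev["source_ip"]].add(ev["victim_ip"])
    return dict(result)


def spreading_sources(events: Iterable[dict], min_victims: int = 2) -> List[str]:
    """Sources seen against at least `min_victims` distinct endpoints, i.e.
    activity that looks like scanning or lateral movement rather than a
    one-off hit. The threshold is an assumption for this example."""
    return sorted(src for src, victims in victims_by_source(list(events)).items()
                  if len(victims) >= min_victims)


def summarize_source(events: Iterable[dict], source_ip: str) -> dict:
    """Per-source summary of the kind an analyst would want in a ticket."""
    hits = [ev for ev in events if is_nad_event(ev) and ev["source_ip"] == source_ip]
    return {
        "source_ip": source_ip,
        "events": len(hits),
        "victims": sorted({ev["victim_ip"] for ev in hits}),
        "ports": dict(Counter(ev["local_port"] for ev in hits)),
        "techniques": dict(Counter(ev["attack_technique"] for ev in hits)),
        # Endpoints where the product did not block the hit need a follow-up.
        "not_blocked_on": sorted({ev["computer_id"] for ev in hits
                                  if ev["action_taken"] != "block"}),
    }


if __name__ == "__main__":
    for src in spreading_sources(SAMPLE_NAD_EVENTS):
        print(summarize_source(SAMPLE_NAD_EVENTS, src))
```

Grouping on `source_ip` rather than on the endpoint is the point: each endpoint only ever sees its own slice, and the `action_taken` of each hit tells you which endpoints need a follow-up because the detection was reported rather than blocked.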
Task Status
This event is generated each time a task status changes.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| Object | no | The data of the previous event |
| Object | no | The user involved with the event source |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | yes | The identifier of the user that created the task |
| String | yes | The identifier of the task |
| String | yes | The name of the task |
| Integer | yes | The type of the task |
| String | yes | The name of the task target |
| Boolean | yes | True if the task was executed successfully |
| Integer | yes | The status of the task |
| String | yes | The error message of the failed task |
| Integer | yes | The error code of the failed task |
{ "module": "task-status", "product_installed": "BEST", "VM_NAME": "Pi-machine", "VM_ID": "Pi-3141", "UUID_INSTANCE": "50164ed1-28af-41af-cdaf-8e550506c37b", "UUID_BIOS": "4216d501-36c5-22ed-de02-0e4da0badb7a", "computer_name": "Pi-machine", "computer_fqdn": "Pi14159-automation-win64", "computer_ip": "31.14.159.265", "computer_id": "6257cf1130015b2201bf4a00", "userId": "6177f2319908e641be7b8eda", "taskId": "627cd4a6c9f8cd6efe672e74", "taskName": "Restore Quarantine Item Task 2022-05-12(sub-task)", "taskType": 280, "targetName": "Pi-machine", "isSuccessful": true, "status": 3, "errorMessage": "", "errorCode": 0, "errorMessageParams": [] }
User Control/Content Control
This event is generated when a user activity, such as web browsing or running a software application, is blocked on the endpoint according to the applied policy.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| Object | no | The data of the previous event |
| Object | no | The user involved with the event source |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | no | Values: |
| String | no | Malware url |
| String | no | Values: |
| String | no | Values: |
| String | no | Malware file path |
| String | no | Values: |
| Timestamp | no | Last timestamp this malware was blocked |
| Integer | no | How many times this malware was detected |
{ "module": "uc", "product_installed": "SVA", "user": { "id": "S-1-5-21-2807410960-349943591-4067985531-1001", "name": "admin" }, "computer_name": "AD-ONPREM-2019A 1", "computer_fqdn": "ad-onprem-2019a", "computer_ip": "10.18.156.47", "computer_id": "627cd5854e604906f22aa6ed", "uc_type": "http", "url": "http:\/\/block_type_4.com", "block_type": "http_categories", "categories": "Illegal,Shopping,OnlinePay,IM", "status": "uc_site_blocked", "last_blocked": "2015-02-25T12:21:54.000Z", "count": 2 }
Storage Antimalware Event
This event is generated each time SVA detects a new threat on the protected storage (NAS).
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| String | yes | Managed endpoint identifier in the GravityZone database |
| String | yes | The name of the computer |
| String | yes | The name of the storage unit |
| String | yes | The IP address of the storage unit |
| String | yes | The type of the storage unit (e.g., Nutanix, Citrix) |
| String | yes | The path of the infected object as reported by the product. The path references a local file on the machine that reported the event |
| String | yes | The SHA256 hash of the infected object |
| String | yes | Describes the type of malware as defined by Bitdefender. Possible values are: |
| String | yes | Name of the malware as defined by Bitdefender |
| String | yes | Final status for the detected objects. Possible values are: |
| Timestamp | yes | Time of the event as reported by the product, already formatted in a string representation |
| Boolean | no | Whether or not the file was submitted to a sandbox analyzer |
| String | no | The hostname of the sandbox analyzer where the file was submitted |
| String | no | The version of the security server which detected the malware |
| String | no | The version of the engines used to detect the malware |
{ "name": "Storage Antimalware Event", "created": "2022-04-15T17:02:59+03:00", "company_name": "root", "user_name": "root", "computer_name": "bitdefender-sva", "storage_name": "10.17.42.77", "storage_ip": "10.17.42.77", "storage_type": "Unknown", "malware_path": "\/ifs\/data\/btoma_test3", "malware_hash": "2f41772245a9d55a0725061337b18e8eba2cee7965d081b52c40afe2c0201dcd", "malware_type": "Malware", "malware_name": "BAT.Trojan.FormatC.Z", "malware_status": "Blocked", "detection_time": "2022-04-15T14:02:02.000Z", "sandboxDetection": 0, "sandboxHostname": "", "security_server_version": "6.2.7.11403", "engines_version": "7.91671" }
Login event
Login from new device event.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| String | no | The operating system used on the other device to log in |
| String | no | The browser used on the other device to log in |
| String | no | The version of the browser used on the other device to log in |
| String | no | The IP of the other device at login time |
{ "name": "Login from new device", "created": "2022-05-31T15:48:15+03:00", "company_name": "root", "user_name": "root", "os": "Windows", "browser_version": "102.0.0.0", "browser_name": "Chrome", "request_time": "31 May 2022, 15:48:14 +03:00", "device_ip": "10.17.90.108" }
Authentication audit event
Authentication audit
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | no | The platform from which the authentication was done |
| String | no | The browser from which the authentication was done |
| String | no | The browser version from which the authentication was done |
| String | no | The device IP of the system from which the authentication was done |
{ "name": "Authentication audit", "created": "2022-04-17T13:31:34+03:00", "company_name": "root", "user_name": "test", "platform": "Windows", "browser": "Firefox", "browser_version": "99.0", "ip": "10.22.91.27", "date": "17 Apr 2022, 13:31:34 +03:00" }
SMTP Connection
This event is created when the status of SMTP Connection changes.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| Integer | no | Connection Error Code |
| String | no | Connection Error Message |
| String | no | SMTP connection status |
{ "name": "SMTP Connection", "created": "2022-05-31T16:03:57+03:00", "company_name": "root", "user_name": "test", "status": false, "error_code": 503, "error_message": "Expected response code 354 but got code \"503\", with message \"503 5.5.2 Need rcpt command\r\n\"" }
Internet Connection
This event is created when the status of Internet Connection changes.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| Integer | no | Connection Error Code |
| String | no | Connection Error Message |
| String | no | Internet connection status |
{ "name": "Internet Connection", "created": "2022-09-12T15:53:34+03:00", "company_name": "root", "user_name": "test", "status": false, "error_code": 28, "error_message": "Operation timed out after 10000 milliseconds with 0 out of 0 bytes received" }
License expires event
License expires.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| String | yes | The license key of the user who uses the license |
| Boolean | yes | Whether the license limit has been reached by the current company or not |
| Boolean | yes | Whether the license limit has been reached by the partner companies or not |
| Integer | yes | The number of days before license expiry at which the notification starts being sent to the user |
| Integer | yes | The number of days until the user's license will expire |
| Boolean | yes | Always false |
{ "name": "License Expires", "created": "2022-04-23T18:05:47+03:00", "company_name": "root", "user_name": "test", "license_key": "SUQ2GEC", "product_id": 2906, "license_company_id": "6177f22f9908e641be7b8ec4", "threshold": 1, "days": 1, "is_partner": false, "recv_for_his_company": true, "recv_for_partner_company": false }
License Limit Is About To Be Reached event
License limit is about to be reached.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| String | yes | The license key of the user who uses the license |
| Boolean | yes | Whether the license limit has been reached by the current company or not |
| Boolean | yes | Whether the license limit has been reached by the partner companies or not |
| Integer | yes | The number of days the license has been used by the user |
| Integer | yes | The total number of days available to the user for using the license |
{ "name": "License Limit Is About To Be Reached", "created": "2022-04-17T16:07:12+03:00", "company_name": "root", "user_name": "root", "license_key": "30W6TMF", "recv_for_his_company": true, "recv_for_partner_company": false, "used": 3, "total": 4 }
License Usage Limit Has Been Reached event
License usage limit has been reached.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| String | yes | The license key of the user who uses the license |
| Boolean | yes | Whether the license limit has been reached by the current company or not |
| Boolean | yes | Whether the license limit has been reached by the partner companies or not |
| Integer | yes | The number of days the license has been used by the user |
| Integer | yes | The total number of days available to the user for using the license |
{ "name": "Exchange License Usage Limit Has Been Reached", "created": "2022-05-12T12:28:48+03:00", "company_name": "root", "user_name": "test", "mailboxes": 7, "license_limit": 6, "license_key": "30W6TMF", "recv_for_his_company": true, "recv_for_partner_company": false }
Servers License Limit Is About To Be Reached event
Servers license limit is about to be reached.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| String | yes | The license key of the user who uses the license |
| Boolean | yes | Whether the license limit has been reached by the current company or not |
| Boolean | yes | Whether the license limit has been reached by the partner companies or not |
| Integer | yes | The number of licensed servers |
| Integer | yes | The total number of servers the license allows |
{ "name": "Servers License Limit Is About To Be Reached", "created": "2022-04-17T15:58:10+03:00", "company_name": "root", "user_name": "test", "license_key": "30W6TMF", "recv_for_his_company": true, "recv_for_partner_company": false, "servers_used": 1, "servers_total": 2 }
Servers License Usage Limit Has Been Reached event
Servers License Usage Limit Has Been Reached
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| String | yes | The license key of the user who uses the license |
| Boolean | yes | Whether the license limit has been reached by the current company or not |
| Boolean | yes | Whether the license limit has been reached by the partner companies or not |
| Integer | yes | The number of licensed servers |
| Integer | yes | The total number of servers the license allows |
{ "name": "Servers License Usage Limit Has Been Reached", "created": "2022-04-17T16:07:12+03:00", "company_name": "root", "user_name": "test", "license_key": "30W6TMF", "recv_for_his_company": true, "recv_for_partner_company": false, "servers_used": 2, "servers_total": 2 }
Malware Outbreak
This notification is sent when at least X% (5% by default) of all the managed network objects are infected by the same malware.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | Name of the malware as defined by Bitdefender |
| Array | yes | Protected entities that were infected |
| Integer | yes | Protected entities configuration settings |
| Array | no | Protected eps entities that were infected |
| Integer | no | Protected eps entities configuration settings |
| Array | no | Protected sve entities that were infected |
| Integer | no | Protected sve entities configuration settings |
| Array | no | The ID of the csv file with the list of infected endpoints |
| Integer | yes | Total number of infected endpoints |
| Integer | yes | Number of occurrences since the last reporting |
| Timestamp | yes | Start of the reporting interval: the time when the first malware was detected |
| Timestamp | yes | End of the reporting interval: the time when the last malware was detected |
| Boolean | no | Show company name |
{ "name": "Malware Outbreak", "created": "2022-05-12T13:35:07+03:00", "company_name": "root", "user_name": "root", "malware_name": "Gen:Trojan.Heur.LShot.1", "count": 1, "total": 13, "interval_start": "2022-05-12 12:35:06", "interval_end": "2022-05-12 13:35:07", "protected_entities": [{ "name": "Pi14159-AUTOMAT", "company": { "id": "6177f22f9908e641be7b8ec4", "name": "root" } }], "protected_entities_more": 0, "show_company_name": false, "csv_id": "627ce2db468f4e01fb3d7322" }
Mobile users without email event
Mobile device users without email address
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| Array | yes | The list of mobile users without email |
{ "name": "Mobile device users without email address", "created": "2022-04-26T11:51:40", "company_name": "root", "user_name": "root", "users": ["test", "test3"] }
Database Backup event
Database backup
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| Boolean | yes | The success status of the database backup operation |
| Boolean | yes | The scheduling status of the database backup operation |
| String | yes | The version of the database for which the backup operation has been done |
| Timestamp | yes | Timestamp when the database backup operation was finished |
| Integer | yes | The type of location where the database backup was stored |
| String | yes | The location of the database for which the backup operation has been done |
| Timestamp | yes | Timestamp when the next database backup operation is scheduled |
| Integer | yes | Database Backup Status: |
{ "name": "Database Backup", "created": "2022-04-14T08:59:57+00:00", "company_name": "root", "user_name": "root", "backup_status": 0, "is_successful": true, "is_scheduled": false, "db_version": "023-001-001", "date": "2022-04-14T08:59:51", "location_type": 2, "location": "\\\\10.18.156.38\\share", "next_backup": null }
Certificate expires event
Certificate Expires
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| Integer | yes | The type of certificate used by current user |
| Integer | yes | The number of days until the user's certificate will expire |
| Timestamp | yes | Timestamp when the certificate expiration was notified to the user |
| Integer | yes | The amount of days left from certificate from which the notification should start being sent to the user |
{ "name": "Certificate expires", "created": "2022-04-24T05:00:59+03:00", "company_name": "root", "user_name": "test", "certificate_type": 1, "days_left": 0, "last_notification_date": "2022-04-24T05:00:59+03:00", "threshold": 1 }
Upgrade Status
This event is generated when endpoints in the GravityZone console are found to be protected by old products (Bitdefender Tools or Security Endpoint).
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| Array | yes | Protected entities that were found protected by old products |
| Integer | yes | Set to 1 if more protected entities will appear in the next event |
| Array | no | The ID of the CSV file with the list of protected endpoints |
| Integer | yes | Number of occurrences since the last reporting |
| Boolean | no | Show company name |
{ "name": "Upgrade status", "created": "2015-06-22T11:11:39+03:00", "company_name": "Bitdefender", "user_name": "[email protected]", "count": 1, "protected_entities": [{ "name": "stomoiaga-win", "company": { "id": "5be196701da1978e108b4567", "name": "Bitdefender" } }], "protected_entities_more": 0, "show_company_name": false, "csv_id": { "$id": "5587c33bb1a43d673d8b456c" } }
Troubleshooting activity
The event is generated when a troubleshooting task ends, and it informs you of its status. If successful, it provides you with the logs.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| String | yes | Identifier for the installed GravityZone component |
| Object | no | The data of the previous event |
| Object | no | The user involved with the event source |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | yes | The ID of the current Troubleshooting task. |
| String | yes | The type of the task |
| Integer | yes | Integer representing the error code if the task has failed |
| String | no | Name of the user account who started the Troubleshooting task |
| String | no | The path on the target machine where the Troubleshooting archive is placed |
| String | no | The path on network share where the Troubleshooting archive is placed |
| Boolean | no | The option to also upload to Bitdefender Cloud the Troubleshooting archive |
| Integer | yes | The status with which the task has finished |
| Integer | no | The reason for which the Troubleshooting activity was stopped |
| Integer | no | When some delivery methods succeeded and others failed, which one failed |
| Timestamp | no | Timestamp of when the event has started |
| Timestamp | no | Time of the event as reported by the product, already formatted in a string representation |
{ "product_installed": "BEST", "computer_name": "TEST_ENDPOINT_WINDOWS_10", "computer_fqdn": "test-endpoint.dsd.ro", "computer_ip": "10.10.0.101", "computer_id": "5ee30e2b29a4e218489442b6", "taskId": "5ee30e78f23f7312e6087824", "taskType": "Gather Logs", "errorCode": 0, "username": "vagrant", "localPath": "localPath", "networkSharePath": "networkSharePath", "saveToBitdefenderCloud": 0, "status": 3, "startDate": "2020-06-12T05:11:19.000Z", "endDate": "2020-06-12T06:43:00.801Z" }
Update Available
This notification informs you about the availability of new updates for GravityZone components.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| String | yes | Available Version for GravityZone components |
| String | yes | Current Version for GravityZone components |
| Timestamp | yes | The time when the update was released |
| Integer | no | Update type: console update, package update or product update |
| Integer | no | The product type for which the new update is available (BEST, Security Server) |
{ "name": "Update Available", "created": "9 Jun 2022, 10:33:31 +03:00", "company_name": "root", "user_name": "test", "available_version": "6.28.1-4", "release_date": "9 Jun 2022, 10:33:31 +03:00", "update_type": 0, "current_version": "6.27.1-5" }
Device Control
Every time the Device Control module detects a device inserted into a client system, an event is generated.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| Object | no | The data of the previous event |
| Object | no | The user involved with the event source |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | no | The user that was logged in when the incident was found |
| String | no | The version of the agent |
| String | yes | Action taken on the device: allowed, blocked, readonly. Present only when the state of the device is added. |
| String | no | A descriptive name for the device |
| Integer | yes | The class of the device |
| String | no | The identifier of the device |
| Integer | no | Product ID of the device |
| Integer | no | ID of the vendor |
| Timestamp | yes | The date when the device was blocked |
{ "module": "device-control", "product_installed": "BEST", "VM_NAME": "btoma-win-2k12-onPrem-2", "VM_ID": "vm-4309", "UUID_INSTANCE": "5016768a-2a1b-979f-f05b-21e4b67c371c", "UUID_BIOS": "42161832-3f3a-f1c9-1fa4-0c27a0c6be6d", "computer_name": "btoma-win-2k12-onPrem-2", "computer_fqdn": "win-9nvehq2j63g", "computer_ip": "10.18.154.75", "computer_id": "625c0f55a154a3606228a812", "username": "", "action": "blocked", "deviceName": "NECVMWar VMware IDE CDR10 ATA Device", "deviceClass": 2, "deviceId": "IDE\\CDROMNECVMWAR_VMWARE_IDE_CDR10_______________1.00____\\5&290FD3AB&0&1.0.0", "productId": 0, "vendorId": 0, "date": "2022-04-17T13:06:23.000Z" }
Ransomware activity detection
This event occurs when the endpoint agent blocks a ransomware attack.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | Identifier for the installed GravityZone component |
| Object | no | The data of the previous event |
| Object | no | The user involved with the event source |
| String | no | The name of the virtual machine |
| String | no | The identifier of the virtual machine |
| String | no | Virtual machine unique identifier |
| String | no | Only for VMware: bios UUID |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | yes | Managed endpoint identifier in the GravityZone database |
| String | yes | Ransomware attack type |
| String | yes | The number of files encrypted during the attack |
| Integer | yes | The date and time when the attack was detected |
| String | yes | The remote IP in case of a remote attack, or the process path in case of a local attack |
{ "module": "ransomware-mitigation", "product_installed": "BEST", "user": { "name": "bdvm", "sid": "S-1-5-21-2018264366-2484004464-1617746128-1001" }, "VM_NAME": "Pi-machine", "VM_ID": "Pi-3141", "UUID_INSTANCE": "50164ed1-28af-41af-cdaf-8e550506c37b", "UUID_BIOS": "4216d501-36c5-22ed-de02-0e4da0badb7a", "computer_name": "Pi-machine", "computer_fqdn": "Pi14159-automation-win64", "computer_ip": "31.14.159.265", "computer_id": "6257cf1130015b2201bf4a00", "attack_type": "local", "item_count": "12", "detected_on": 1650191436, "attack_source": "C:\\Users\\bdvm\\Desktop\\samples\\samples\\ransomeware_remediation\\RanSim\\RanSim\\TestDirectory\\Scenarios\\Collaborator\\1934050139_Collaborator.txr" }
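The samples on this page carry time in several shapes: `detection_time` and `created` as ISO 8601 with a trailing `Z` or a numeric offset, `interval_start` in the Malware Outbreak event as a naive `YYYY-MM-DD HH:MM:SS`, `request_time` and some `date` and `created` values as `31 May 2022, 15:48:14 +03:00`, and `detected_on` in the ransomware event above as a Unix epoch integer. A SIEM pipeline has to collapse these to one clock before any time-based correlation works. The following Python is an added example, not code from the GravityZone documentation or product; it handles exactly those formats, treats naive values as UTC (an assumption) and uses an assumed priority order for which field holds the product-reported time.

```python
"""Normalise the timestamp formats that appear across GravityZone events.

Added example; not part of the GravityZone documentation or product. Naive
values are treated as UTC, and TIME_FIELDS is an assumed priority order.
Requires Python 3.7+ (fromisoformat and "%z" with a colon).
"""
from datetime import datetime, timezone
from typing import Optional, Union

# Fields that carry the product-reported event time, most specific first
# (assumption based on the samples; "created" is the Control Center time).
TIME_FIELDS = ("detection_time", "detected_on", "date", "request_time", "created")

HUMAN_FORMAT = "%d %b %Y, %H:%M:%S %z"   # e.g. "9 Jun 2022, 10:33:31 +03:00"


def parse_event_time(value: Union[str, int, float, None]) -> Optional[datetime]:
    """Return an aware UTC datetime for any of the formats above, or None."""
    if value is None or value == "":
        return None
    if isinstance(value, (int, float)):          # Unix epoch seconds
        return datetime.fromtimestamp(value, tz=timezone.utc)
    text = str(value).strip()
    dt: Optional[datetime] = None
    try:
        # fromisoformat() does not accept a trailing "Z" before Python 3.11,
        # so rewrite it as an explicit zero offset first.
        iso = text[:-1] + "+00:00" if text.endswith("Z") else text
        dt = datetime.fromisoformat(iso)
    except ValueError:
        try:
            dt = datetime.strptime(text, HUMAN_FORMAT)
        except ValueError:
            return None                          # unknown format: do not guess
    if dt.tzinfo is None:                        # naive value: assume UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def event_time_utc(event: dict) -> Optional[str]:
    """Pick the best time field of an event and render it as ISO 8601 UTC."""
    for field in TIME_FIELDS:
        if field in event:
            dt = parse_event_time(event[field])
            if dt is not None:
                return dt.strftime("%Y-%m-%dT%H:%M:%SZ")
    return None


if __name__ == "__main__":
    # Values copied from this page's samples.
    for raw in ("2022-04-17T11:52:30.000Z", "2022-04-26T09:49:18+03:00",
                "2022-05-12 12:35:06", "31 May 2022, 15:48:14 +03:00", 1650191436):
        print(raw, "->", parse_event_time(raw))
```

Returning `None` for an unrecognised value, rather than falling back to "now", keeps a parsing gap visible in the pipeline instead of silently misdating the event.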
New Incident
This event is generated every time a new Root Cause Analysis (RCA) is displayed under the Incidents section of Control Center. The event contains a list of relevant items extracted from the RCA JSON, which you can use to enrich SIEM driven correlations with EDR specific data.
Name | Type | Mandatory | Description |
---|---|---|---|
| String | yes | Event type identifier. Value: |
| String | yes | The name of the computer |
| String | yes | The FQDN of the endpoint |
| String | yes | The IP address |
| String | yes | Unique endpoint identifier in the GravityZone database |
| String | yes | The identifier of the incident |
| Integer | yes | Integer ranging between 0 and 100 that defines the severity of the incident |
| Integer | yes | The UID of the node on which the attack originated |
| String | yes | The action taken by the product about the incident |
| String | no | The name of the detection |
| String | no | Malware file name |
| String | no | Malware file path |
| String | no | Malware file MD5 hash |
| String | no | Malware file sha256 hash |
| String | no | The domain URL |
| String | no | The protocol of the application |
| Integer | no | The pid of the process |
| String | no | The path of the process |
| Integer | no | The PID of the parent process |
| String | no | The path of the parent process |
| Array | no | Types of the attack implicated in the incident |
| Array | no | The MITRE ATT&CK identifiers of the techniques implicated in the incident |
| String | no | The command line of the process |
| String | yes | The severity of the produced event |
| Timestamp | yes | Timestamp of the event |
| String | yes | The company name of the device from which the event was triggered |
| String | yes | The user name used when the event was triggered |
| String | no | The user that was logged in when the incident was found |
| String | no | The SID of the user involved with the event source |
{ "name": "New Incident", "created": "2022-05-12T09:34:03.690Z", "company_name": "root", "user_name": "root", "module": "new-incident", "computer_id": "6256a431cb46d1222c00c5a6", "computer_fqdn": "Pi14159-automation-win64", "computer_name": "Pi14159-automation-win64", "detection_name": "Gen:Trojan.Heur.LShot.1", "attack_types": ["Malware"], "computer_ip": "31.14.159.265", "severity_score": 65, "incident_id": "627cd48c12eb1f08b5d42dbe", "attack_entry": 1926087460, "process_path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell_ise.exe", "file_path": "c:\\users\\bdvm\\desktop\\script.ps1", "file_name": "script.ps1", "att_ck_id": [], "severity": "medium", "main_action": "no action" }
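The New Incident event is the one the page recommends for enriching SIEM correlations with EDR data, so the useful work on the receiving side is pulling its indicators and severity into a flat record a rule can match on. The following Python is an added example, not code from the GravityZone documentation or product. It uses the field names of the sample above; the MD5, SHA256 and domain URL fields listed in the table do not appear in the sample, so their exact names are unknown and the code finds them by key-name pattern (an assumption) and validates hashes by shape. The review threshold is also an assumption.

```python
"""Turn a GravityZone "New Incident" event into a SIEM enrichment record.

Added example; not part of the GravityZone documentation or product. Hash
and domain fields are matched by key-name pattern (assumption), and the
`review_score` triage threshold is an assumed value.
"""
import re
from typing import List, Optional, Tuple

HEX = re.compile(r"^[0-9a-fA-F]+$")
HASH_KEY = re.compile(r"hash|md5|sha256", re.I)   # assumed key naming
PATH_KEY = re.compile(r"path$", re.I)             # process_path, file_path, ...
NET_KEY = re.compile(r"url|domain", re.I)         # assumed key naming

# Sample event copied from this page (subset of fields).
SAMPLE_INCIDENT: dict = {
    "name": "New Incident",
    "created": "2022-05-12T09:34:03.690Z",
    "computer_id": "6256a431cb46d1222c00c5a6",
    "computer_name": "Pi14159-automation-win64",
    "computer_ip": "31.14.159.265",
    "detection_name": "Gen:Trojan.Heur.LShot.1",
    "attack_types": ["Malware"],
    "severity_score": 65,
    "incident_id": "627cd48c12eb1f08b5d42dbe",
    "attack_entry": 1926087460,
    "process_path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell_ise.exe",
    "file_path": "c:\\users\\bdvm\\desktop\\script.ps1",
    "file_name": "script.ps1",
    "att_ck_id": [],
    "severity": "medium",
    "main_action": "no action",
}


def hash_type(value: str) -> Optional[str]:
    """Classify a hex digest by length; None if it is not a plausible hash."""
    if not HEX.match(value):
        return None
    return {32: "md5", 64: "sha256"}.get(len(value))


def indicators(event: dict) -> List[Tuple[str, str]]:
    """Collect (type, value) indicators from the string fields of the event.
    Hashes are typed and lower-cased; paths and network fields keep the
    originating key as their type so the source stays traceable."""
    found: List[Tuple[str, str]] = []
    for key, value in event.items():
        if not isinstance(value, str) or not value:
            continue
        if HASH_KEY.search(key):
            kind = hash_type(value)
            if kind:                      # skip fields that only look like hashes
                found.append((kind, value.lower()))
        elif PATH_KEY.search(key) or NET_KEY.search(key):
            found.append((key, value))
    return sorted(found)


def enrich_incident(event: dict, review_score: int = 50) -> dict:
    """Flatten the fields a correlation rule needs and flag incidents the
    product left unhandled (score at or above the threshold, no action)."""
    score = int(event.get("severity_score", 0))
    action = (event.get("main_action") or "").strip().lower()
    return {
        "incident_id": event["incident_id"],
        "endpoint": {"id": event.get("computer_id"),
                     "name": event.get("computer_name"),
                     "ip": event.get("computer_ip")},
        "severity": event.get("severity"),
        "severity_score": score,
        "detection_name": event.get("detection_name"),
        "attack_types": list(event.get("attack_types") or []),
        "attack_ids": list(event.get("att_ck_id") or []),
        "main_action": action,
        "indicators": indicators(event),
        "needs_review": score >= review_score and action in ("", "no action"),
    }


if __name__ == "__main__":
    print(enrich_incident(SAMPLE_INCIDENT))
```

Keying the hash match on the digest's length and character set, not only on the field name, means a mis-sized or empty value never becomes a false indicator in the SIEM.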
Security Container Status Update
This notification informs you when the product update status changes for a Security Container installed in your network.
Name | Type | Mandatory | Description |
---|---|---|---|
| Timestamp | yes | Timestamp of the event |
| String | yes | A list of outdated security containers |
| String | yes | Name of the event |
{ "name": "Security Container Status Update", "created": "2022-04-18T11:12:14+03:00", "company_name": "root", "user_name": "root", "module": "security-container-update-status", "securityContainers": [{ "securityContainerName": "security-container-x", "hostName": "TEST_ENDPOINT" }] }