This article covers the requirements for integrating Bitdefender GravityZone cloud with Chronicle. It also explains how to configure the Chronicle forwarder, install the Bitdefender GravityZone Connector, and configure GravityZone to send events to the SIEM.
Introduction
Bitdefender GravityZone, the cloud platform, provides alerts about security events in the CEF and JSON message formats. These alerts are sent through the Event Push Service.
The GravityZone APIs are exposed using the JSON-RPC 2.0 protocol specified here.
If your SIEM does not have any HTTP/HTTPS listeners but supports a Syslog service, you need to install the GravityZone Event Push Service Connector.
This documentation helps you install and configure the Event Push Service Connector to forward events from GravityZone to Chronicle.
The connector exposes an HTTPS endpoint that accepts authenticated POST requests from the GravityZone Event Push Service. It parses each message and forwards it to a local or remote Syslog server; that Syslog server (here, the Chronicle forwarder) feeds the messages into Chronicle.
Requirements
1. A GravityZone API key with access to the Event Push Service API, Base64-encoded with a colon appended (see "Encode API Key" below).
2. An Ubuntu 20.04 LTS server with the following hardware configuration:
   - 1 CPU
   - 2 GB RAM
   - 1 Gbit virtual NIC
   - 80 GB HDD
3. The HTTP collector running on the third-party platform must support TLS 1.2 or higher; otherwise the Event Push Service cannot deliver events.
4. The following IP addresses must be allowed through your firewall to ensure end-to-end communication between the GravityZone Event Push Service and the SIEM/HTTP collector:
   - 34.159.83.241
   - 34.159.47.15
   - 34.159.150.228
   - 34.85.152.87
   - 34.85.155.173
5. A static public IP address with a public FQDN is required, because the Bitdefender GravityZone cloud connects back to the connector on ports 443 and 3200 to verify its authenticity.
In this documentation, we use 123.123.123.123 as the static IP and test.test.com as the domain resolving to it.
Note
This configuration can sustain an environment with up to 15000 endpoints. The CPU and network usage will increase proportionally with the number of endpoints.
Important
The SIEM receiving events from the event push requires a Public IP assigned for the GravityZone Event Push server to forward events to.
Configure Chronicle Forwarder
The following steps configure the Chronicle Forwarder to listen on port 11678 and accept events from the Bitdefender GravityZone Connector.
1. Add the Bitdefender collector to the Chronicle Forwarder config file (nfrX-fwdr.conf stands for your forwarder's config file name):
cd ~/config
nano nfrX-fwdr.conf
Add the following collector entry (indentation matters in this YAML file; tcp_address and udp_address sit at the same level as common):
- syslog:
    common:
      enabled: true
      data_type: BITDEFENDER
      data_hint:
      batch_n_seconds: 10
      batch_n_bytes: 1048576
    tcp_address: 0.0.0.0:11678
    udp_address: 0.0.0.0:11678
Press Ctrl+X, then confirm to save and exit.
2. Restart the Docker container so the Chronicle Forwarder picks up the new configuration, then check its logs:
docker ps
docker stop <container name>
docker start <container name>
docker logs <container name>
Bitdefender GravityZone Connector Installation
1. Connect to the Ubuntu 20.04 server.
2. Add the Bitdefender Connector repository to APT. Both the key import and the sources.list append need root, so pipe into sudo (prefixing echo with sudo does not make the redirection run as root):
curl -sS https://download.bitdefender.com/repos/gzrepos.key.asc | sudo apt-key add -
echo "deb http://download.bitdefender.com/repos/deb-hydra20-evpsc/ bitdefender non-free" | sudo tee -a /etc/apt/sources.list
3. Install the DEB package.
sudo apt update
sudo apt install gz-evpsc
4. Run the configuration script.
cd /opt/bitdefender/gz-evpsc
./config.sh 3200 11678 Tcp 127.0.0.1 'Basic dGVzdDp0ZXN0' config.json
# Usage:
# ./config.sh <PORT> <FORWARDER PORT> <TRANSPORT> <TARGET> <AUTH> <CONFIG_FILENAME>
Note
The connector needs to have a public IP address assigned for the GravityZone Event Push server to forward events to.
5. Add certificates paths to the config file.
By default, the config.sh script creates self-signed certificates for the HTTPS connector server. For better security, certificates obtained from a certificate authority can be placed in the following files:
/opt/bitdefender/gz-evpsc/api/config/server.key
/opt/bitdefender/gz-evpsc/api/config/server.crt
6. Enable the system service:
sudo systemctl enable gz-evpsc
7. Start the system service:
sudo systemctl start gz-evpsc
Test the connector
1. Use the following cURL command to send a test payload to the collector service you have just configured. The Authorization value is the 'Basic dGVzdDp0ZXN0' passed to config.sh above, and the -d body must stay on one line (a line break inside a CEF string would split a key=value pair):
curl -k -H 'Authorization: Basic dGVzdDp0ZXN0' -H "Content-Type: application/json" \
  -d '{"cef": "0","events": ["CEF:0|Bitdefender|GravityZone|6.4.08|70000|Registration|3|BitdefenderGZModule=registration dvchost=TEST_ENDPOINT BitdefenderGZComputerFQDN=test.example.com dvc=192.168.1.2","CEF:0|Bitdefender|GravityZone|6.4.0-8|35|Product Modules Status|5|BitdefenderGZModule=modules dvchost=TEST_ENDPOINT BitdefenderGZComputerFQDN=test.example.com dvc=192.168.1.2","CEF:0|Bitdefender|GravityZone|6.4.0-8|35|Product Modules Status|5|BitdefenderGZModule=modules dvchost=TEST_ENDPOINT BitdefenderGZComputerFQDN=test.example.com dvc=192.168.1.2"]}' \
  https://127.0.0.1:3200/api
Important
- Replace the Authorization header and the URL with the values configured above in config.json.
- The events should appear in your configured syslog server and in the output of the running server.js.
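To make the connector's job concrete, here is an added Python illustration (not the connector's own server.js code) of what it does with one push request: check the Basic credential, validate the {"cef","events"} body and each CEF record, and build the syslog lines it would forward. The credential is the constructed test:test value from config.sh above; the RFC 3164 framing with PRI 134 is an assumption, not something this article specifies.

```python
import hmac
import json
import re
from datetime import datetime, timezone

# Constructed credential: the same 'Basic dGVzdDp0ZXN0' (test:test) passed to config.sh.
EXPECTED_AUTH = "Basic dGVzdDp0ZXN0"
CEF_HEADER = ["version", "vendor", "product", "product_version",
              "event_class_id", "name", "severity"]
# Extensions are space-separated key=value pairs whose values may themselves
# contain spaces, so split only where the next token looks like "key=".
EXT_SPLIT = re.compile(r"\s+(?=[A-Za-z0-9_]+=)")
# Constructed sample body in the shape of the test payload above (one event).
SAMPLE_BODY = ('{"cef":"0","events":["CEF:0|Bitdefender|GravityZone|6.4.08|70000|'
               'Registration|3|BitdefenderGZModule=registration dvchost=TEST_ENDPOINT '
               'BitdefenderGZComputerFQDN=test.example.com dvc=192.168.1.2"]}')


def check_basic_auth(header):
    """Constant-time comparison of the Authorization header against the configured value."""
    return hmac.compare_digest(header or "", EXPECTED_AUTH)


def parse_cef(line):
    """Split one CEF record into its seven header fields plus an extensions dict.
    Simplification: escaped pipes (\\|) inside header fields are not handled."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = line.split("|", 7)
    if len(parts) != 8:
        raise ValueError("CEF header must have seven pipe-separated fields")
    record = dict(zip(CEF_HEADER, parts[:7]))
    record["version"] = record["version"][len("CEF:"):]
    record["extensions"] = dict(tok.partition("=")[::2]
                                for tok in EXT_SPLIT.split(parts[7]) if tok)
    return record


def handle_push(body, auth_header):
    """Validate one Event Push POST; return the syslog lines to forward, or None on bad auth."""
    if not check_basic_auth(auth_header):
        return None
    payload = json.loads(body)
    if payload.get("cef") != "0" or not isinstance(payload.get("events"), list):
        raise ValueError("unexpected Event Push body")
    stamp = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    lines = []
    for event in payload["events"]:
        parse_cef(event)  # drop malformed records before they reach Chronicle
        # Assumed RFC 3164 framing: PRI 134 = facility local0, severity informational.
        lines.append(f"<134>{stamp} gz-evpsc {event}")
    return lines
```

The real connector then writes each line to the Syslog target given to config.sh (127.0.0.1:11678 over TCP in this article), which is where the Chronicle forwarder collector from the previous section listens.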
Encode API Key
To receive events, you need to convert your API key into Base64 with a colon appended.
For example, API key = d9730b5205ced97357947bb30edec6dc2f4ce0a6e6449b43eacc1beacc1b9cd0
Add a colon at the end. Your API key will then look like this:
d9730b5205ced97357947bb30edec6dc2f4ce0a6e6449b43eacc1beacc1b9cd0:
Now use the command below to convert the API key into Base64. Use straight single quotes: curly quotes pasted from a document are not quoting characters to the shell and get encoded as part of the key, so the resulting value no longer matches your key. The -w0 flag stops GNU base64 from wrapping the output at 76 characters, which would otherwise leave a line break in the copied value.
echo -n 'd9730b5205ced97357947bb30edec6dc2f4ce0a6e6449b43eacc1beacc1b9cd0:' | base64 -w0
Copy the newly generated Base64-encoded API key and save it.
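An added check, not part of this article or of Bitdefender's tooling, that performs the same encoding in Python and verifies an existing header value before you paste it into the API call. It assumes a GravityZone API key consists only of ASCII letters and digits, so a value containing quotes, spaces or a trailing newline is rejected.

```python
import base64
import binascii

# The API key from the example above, bare: no quotes, no whitespace.
EXAMPLE_KEY = "d9730b5205ced97357947bb30edec6dc2f4ce0a6e6449b43eacc1beacc1b9cd0"


def encode_api_key(api_key):
    """Return the Authorization value GravityZone expects: 'Basic ' + base64(key + ':').
    Assumption: a GravityZone API key is plain ASCII letters and digits, so anything
    else (curly quotes pasted from a document, a trailing newline) is rejected."""
    if not api_key.isascii() or not api_key.isalnum():
        raise ValueError("API key must be the bare ASCII key: no quotes, spaces or newlines")
    return "Basic " + base64.b64encode((api_key + ":").encode("ascii")).decode("ascii")


def decode_api_key(header):
    """Reverse the encoding so you can check what a header really carries."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("expected a Basic authorization value")
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    if not raw.endswith(":"):
        raise ValueError("decoded value does not end with ':'")
    return raw[:-1]


def header_is_sane(header):
    """True only if the header round-trips to a key that encode_api_key() accepts."""
    try:
        return encode_api_key(decode_api_key(header)) == header
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return False
```

Running header_is_sane() on a value produced with curly quotes returns False, because the decoded string ends with a quote character rather than the colon.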
Configure GravityZone to send messages to the SIEM
Now that the HTTPS collector service is running and listening for messages, you can configure Control Center to send events to the URL defined above: https://your_web_server_hostname_or_public_IP:port/api.
In this example we use one of the following URLs:
https://123.123.123.123:3200/api
or https://test.test.com:3200/api
All settings for Event Push Service API are configured via the setPushEventSettings method. For detailed information about these settings, refer to Push.
Using your API key, configure the push event settings and the service URL where you want the messages delivered. The authorization value below is the Base64 of the example key plus colon from "Encode API Key"; -k only disables certificate checking for this call to the GravityZone API, so omit it unless you have a reason to skip validation:
$ curl --tlsv1.2 -sS -k -X POST \
  https://cloud.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \
  -H 'authorization: Basic ZDk3MzBiNTIwNWNlZDk3MzU3OTQ3YmIzMGVkZWM2ZGMyZjRjZTBhNmU2NDQ5YjQzZWFjYzFiZWFjYzFiOWNkMDo=' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d '{"id":"1","jsonrpc":"2.0","method":"setPushEventSettings",
       "params":{"serviceSettings":{"requireValidSslCertificate":false,
                                    "authorization":"Basic dGVzdDp0ZXN0",
                                    "url":"https://test.test.com:3200/api"},
                 "serviceType":"jsonRPC","status":1,
                 "subscribeToEventTypes":{"adcloudgz":true,"antiexploit":true,"aph":true,"av":true,"avc":true,"dp":true,
                                          "endpoint-moved-in":true,"endpoint-moved-out":true,"exchange-malware":true,
                                          "exchange-user-credentials":true,"fw":true,"hd":true,"hwid-change":true,"install":true,"modules":true,
                                          "network-monitor":true,"network-sandboxing":true,"new-incident":true,"ransomware-mitigation":true,
                                          "registration":true,"supa-update-status":true,"sva":true,"sva-load":true,"task-status":true,
                                          "troubleshooting-activity":true,"uc":true,"uninstall":true}}}'
Important
- When using a valid service certificate signed by a public CA, we recommend setting "requireValidSslCertificate":true to force certificate validation.
- Make sure to replace "authorization":"Basic xxxxxxxxxx" and "url":"https://your_web_server_hostname_or_public_IP:port/api" with the correct values for your server, as defined in config.json, and CONTROL_CENTER_APIs_ACCESS_URL and API_KEY_BASE64_ENCODED_WITH_COLON_APPENDED with the correct values for your GravityZone instance.
Once configured, wait about 10 minutes for the settings to take effect, and then verify them with a getPushEventSettings request:
$ curl --tlsv1.2 -sS -k -X POST \
  https://cloud.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \
  -H 'authorization: Basic ZDk3MzBiNTIwNWNlZDk3MzU3OTQ3YmIzMGVkZWM2ZGMyZjRjZTBhNmU2NDQ5YjQzZWFjYzFiZWFjYzFiOWNkMDo=' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d '{"id":"2","jsonrpc":"2.0","method":"getPushEventSettings","params":{}}'
The result should look like this:
{
  "id": "2",
  "jsonrpc": "2.0",
  "result": {
    "serviceSettings": {
      "authorization": "dGVzdDp0ZXN0",
      "requireValidSslCertificate": false,
      "url": "https://test.test.com:3200/api"
    },
    "serviceType": "jsonRPC",
    "status": 1,
    "subscribeToCompanies": null,
    "subscribeToEventTypes": {
      "adcloud": false,
      "antiexploit": true,
      "aph": true,
      "av": true,
      ...
      "uninstall": true
    }
  }
}
To send a test event, call the sendTestPushEvent API method:
$ curl --tlsv1.2 -sS -k -X POST \
  https://cloud.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \
  -H 'authorization: Basic ZDk3MzBiNTIwNWNlZDk3MzU3OTQ3YmIzMGVkZWM2ZGMyZjRjZTBhNmU2NDQ5YjQzZWFjYzFiZWFjYzFiOWNkMDo=' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d '{"id":"4","jsonrpc":"2.0","method":"sendTestPushEvent","params":{"eventType": "av"}}'
The result should look like this:
{
  "id": "4",
  "jsonrpc": "2.0",
  "result": {
    "computer_name": "FC-WIN7-X64-01",
    "computer_fqdn": "fc-win7-x64-01",
    "computer_ip": "10.17.46.196",
    "computer_id": "59a1604e60369e06733f8abb",
    "product_installed": "BEST",
    "malware_type": "file",
    "malware_name": "EICAR-Test-File (not a virus)",
    "file_path": "C:\\eicar0000001.txt",
    "hash": "8b3f191819931d1f2cef7289239b5f77c00b079847b9c2636e56854d1e5eff71",
    "final_status": "deleted",
    "timestamp": "2017-09-08T12:01:36.000Z",
    "companyId": "5ac8460f8a799399a78b456c",
    "module": "av",
    "_testEvent_": true
  }
}
The event should show up shortly in Chronicle and in the server.js output.
Check the log files
If events do not arrive, check the connector's log file:
/opt/bitdefender/var/log/gz-evpsc/log.txt