SIEM Intergration with Bitdefender GravityZone

SIEM Intergration with Bitdefender GravityZone

Requirements

  • Access to Bitdefender GravityZone Console.
  • Ubuntu 24.04 LTS server with the following hardware configuration:
    • Must be on the same network as the SIEM (On-Premises) or able to communicate with SIEM (Cloud).
    • 2 CPU, 4 GB RAM, 80 GB HDD.
    • Full internet access (only required for installation).
  • Event Push Service: Ensure the HTTP collector on third-party platforms supports SSL with TLS 1.2 or higher.
  • Static Public IP.
  • IP Whitelisting: Ensure required Bitdefender IPs are whitelisted for end-to-end communication. See: Bitdefender Documentation
Ensure all firewall rules and port access are configured before installation to avoid connectivity issues.

Step 1: Install Bitdefender GravityZone Connector

  1. Add Bitdefender repository

    sudo sh -c 'echo "deb http://download.bitdefender.com/repos/deb-hydra24-evpsc/ bitdefender non-free" >> /etc/apt/sources.list'
    Note: Ensure the repository URL matches the latest GravityZone version for Ubuntu 24.04.

  2. Add GPG key

    curl -sS https://download.bitdefender.com/repos/gzrepos.key.asc | sudo apt-key add -

  3. Update and install connector

    sudo apt update
sudo apt install gz-evpsc

  4. Configure connector

    Change directory and run the configuration script with required parameters.

    cd /opt/bitdefender/gz-evpsc
sudo ./config.sh <PORT> <SYSLOGPORT> <TRANSPORT> <TARGET> <AUTH> <CONFIG_FILENAME>

    Example parameters:

    ParameterExample
    PORT3200
    SYSLOGPORT514 (SIEM Port)
    TRANSPORTTcp (SIEM Transport)
    TARGET192.168.9.100 (SIEM IP)
    AUTHBasic dGVzdDp0ZXN0 (No change required)
    CONFIG_FILENAMEconfig.json
    sudo ./config.sh 3200 514 Tcp 192.168.9.100 'Basic dGVzdDp0ZXN0' config.json

  5. Enable and start service

    sudo systemctl enable gz-evpsc
sudo systemctl start gz-evpsc
    Verify that the service started successfully using systemctl status gz-evpsc.

Step 2: Configure Auto-Restart for gz-evpsc (Optional)

  1. Create monitoring script

    sudo touch /usr/local/bin/check_gz_evpsc.sh
sudo chmod 755 /usr/local/bin/check_gz_evpsc.sh
  2. #!/bin/bash
# Script to check and restart gz-evpsc service if not running
SERVICE="gz-evpsc"
LOGFILE="/var/log/gz-evpsc-monitor.log"
DATE=$(date '+%Y-%m-%d %H:%M:%S')
if systemctl is-active --quiet "$SERVICE"; then
    echo "$DATE - $SERVICE is running." >> "$LOGFILE"
else
    echo "$DATE - $SERVICE is not running. Attempting to start..." >> "$LOGFILE"
    systemctl start "$SERVICE"
    if systemctl is-active --quiet "$SERVICE"; then
        echo "$DATE - $SERVICE restarted successfully." >> "$LOGFILE"
    else
        echo "$DATE - Failed to restart $SERVICE." >> "$LOGFILE"
    fi
fi
    Test the script manually before adding it to cron to ensure proper execution.

  3. Set executable permissions

    sudo chmod +x /usr/local/bin/check_gz_evpsc.sh

  4. Create cron job to run every 15 minutes

    sudo crontab -e
# Add the following line:
*/15 * * * * /usr/local/bin/check_gz_evpsc.sh
    Ensure no duplicate cron jobs exist to avoid multiple instances running simultaneously.

  5. Check logs

    cat /var/log/gz-evpsc-monitor.log

Send Test Event from Bitdefender Connector

  1. Test event

    curl -k -H 'Authorization: Basic dGVzdDp0ZXN0' \
-H "Content-Type: application/json" \
-d '{"cef": "0","events": ["CEF:0|Bitdefender|GravityZone|6.4.08|70000|Registration|3|BitdefenderGZModule=registration dvchost=TEST_ENDPOINT BitdefenderGZComputerFQDN=test.example.com dvc=192.168.1.2"]}' \
https://<Public_IP>:3200/api
    Replace <Public_IP> with your actual public IP before running the command.

  2. Verify

    Confirm the event appears in the SIEM dashboard or collector logs.

Step 6: Subscribe to Bitdefender Events via API

  1. Generate API Key

    Log in to Bitdefender account and generate an API key for push subscriptions.

  2. Convert API key to Base64

    # Example API Key (replace with your key)
API_KEY="d9730b5205ced97357947bb30edec6dc2f4ce0a6e6449b43eacc1beacc1b9cd0"
# Append colon and encode to Base64
echo -n "$API_KEY:" | base64

  3. Subscribe to events

    curl --tlsv1.2 -sS -k -X POST \
https://cloud.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \
-H 'authorization: Basic <Base64_API_Key>' \
-H 'cache-control: no-cache' \
-H 'content-type: application/json' \
-d '{"id":"1","jsonrpc":"2.0","method":"setPushEventSettings","params":{"serviceSettings":{"requireValidSslCertificate":false,"authorization":"Basic dGVzdDp0ZXN0","url":"https://<Public_IP>:3200/api"},"serviceType":"cef","status":1,"subscribeToEventTypes":{"adcloudgz":true,"antiexploit":true,"aph":true,"av":true,"avc":true,"dp":true,"endpoint-moved-in":true,"endpoint-moved-out":true,"exchange-malware":true,"exchange-user-credentials":true,"fw":true,"hd":true,"hwid-change":true,"install":true,"modules":true,"network-monitor":true,"network-sandboxing":true,"new-incident":true,"ransomware-mitigation":true,"registration":true,"supa-update-status":true,"sva":true,"sva-load":true,"task-status":true,"troubleshooting-activity":true,"uc":true,"uninstall":true}}}'

  4. Verify

    Confirm that events are visible in your SIEM solution.

    Check firewall rules if events do not appear.

    • Related Articles

    • Bitdefender GravityZone | Account Creation.

      Hello Team, Greeting of the day!! Please find below the details of your GravityZone console: URL: https://gravityzone.bitdefender.com Username: Password: Admin@123456 (Please remember to change your password after the first login) License Key: ...

    • Bitdefender GravityZone | Policy Inheritance Rules

      Hello Team, We would like to clarify that Bitdefender GravityZone offers a feature called “Inheritance Rules”, which allows specific policy sections to be inherited from another policy. Please note that when a section is set to inherit, it will ...

    • Bitdefender GravityZone Business Products Comparison

      Hello Team, Below is the Comparison for all Bitdefender GravityZone Business Products. Bitdefender GravityZone Business Products Comparison S.No Features Business Security Business Security Premium Business Security Enterprise (EDR) Business security ...

    • Check Bitdefender GravityZone Endpoint's Communication Server Address

      Hello Team, Follow the steps below to check the Bitdefender GravityZone Endpoint's Communication Server Address (EPAG): Run CMD as Administrator Navigate to the EPAG folder by typing the following command: cd C:\Program Files\Bitdefender\Endpoint ...

    • BitDefender GravityZone Ports communication status tool.

      Hello Team, The tool Check-BitdefenderPorts-WithRelay.exe is designed to automatically verify the status of all required Bitdefender GravityZone ports for both relay and non-relay machines. It is a lightweight executable utility that checks all ...