BitDefender

BitDefender specializes in providing anti-virus protection against malware, phishing, ransomware, and other cyber threats.

The event source sends logs that will generate both web proxy and virus infection events. You are required to use a syslog server to send data to InsightIDR.

You can learn more about BitDefender by visiting the product website at https://www.bitdefender.com/.

The event source currently handles:

  • Anti-malware: This event is generated each time BitDefender detects malware on an endpoint in your network.
  • User Control: This event is generated when a user activity, for example, the web browsing of a software application, is blocked on the endpoint according to the applied policy.

To set up BitDefender, you’ll need to:

  1. Review the requirements.
  2. Configure BitDefender to send data to your Collector.
  3. Set up the BitDefender event source in InsightIDR.
  4. Verify the configuration works.

Review the Requirements

To build the connector, you will need basic knowledge of Linux. Ensure that your system meets these requirements:

  • The GravityZone platform cloud solution is installed
  • You have a GravityZone API key that covers Event Push Service API
  • Ubuntu 20.04 LTS server with the following hardware configuration:
    • 1 CPU
    • 2 GB RAM
    • 1 Gbit virtual NIC
    • 80 GB HDD

Configure BitDefender to send data to your Collector

Before you can set up the BitDefender event source, you must do the following:

  • Generate the API Key
  • Set up BitDefender’s Connector
  • Set the service type in the setPushEventSetting request

Generate the API Key

This event source supports the Syslog service, which requires a node.js connector. The connector uses the POST method to receive authenticated and secured messages from the GravityZone Event Push Service API.

It parses the message and then forwards it to a local or a remote Syslog server. You can use the Syslog server to feed these messages to InsightIDR.

The API key is generated from the MyAccount section of the Control Center. Each API key allows the application to call methods exposed by one or several APIs. The allowed APIs are selected at the time the API key is generated.

To send Syslog data you must generate an API key. The BitDefender event source works by using the BitDefender GravityZone API, where alerts about security events are sent through the Event Push Service API.

To generate API keys, refer to the BitDefender documentation at: https://www.bitdefender.com/business/support/en/77211-125280-getting-started.html#UUID-e6befdd4-3eb1-4b6e-cc6c-19bdd16847b4_section-idm4640169987334432655171029621

Setting up BitDefender’s Connector

To create the connector:

  1. Install the connector
  2. Obtain the security certificate for authentication
  3. Build the node.js connector
  4. Test the connector
  5. Configure GravityZone to send messages to InsightIDR.

For detailed steps about setting up the connector, view the BitDefender documentation at: https://www.bitdefender.com/business/support/en/77211-144080-build-an-event-push-service-api-connector-for-cef-standard.html#UUID-eb0b4208-bb81-9179-6dbe-87726c9c1a98_section-idm4605863319792032703024258925

setPushEventSetting request

The setPushEventSetting request is an important setting in the configuration, because this type of request allows you to decide the service type of the connector.

This request determines what format the response will be in. You set the serviceType parameter in the response body, which currently supports only jsonRPC (a remote procedure call protocol encoded in JSON).

Supported Parameters

Rapid7 currently supports only the av and uc parameters for Anti-malware and User Control, which must be set to true in the setPushEventSetting request.

json
1
"params": {
2
"status": 1,
3
"serviceType": "jsonRPC",
4
"serviceSettings": {
5
"url": "http://example.com",
6
"authorization": "Bearer sfasdfw34243",
7
"requireValidSslCertificate": true
8
},
9
"subscribeToEventTypes": {
10
"modules": true,
11
"sva": true,
12
"registration": true,
13
"supa-update-status": true,
14
"av": true,
15
"aph": true,
16
"fw": true,
17
"avc": true,
18
"uc": true,
19
"dp": true,
20
"sva-load": true,
21
"task-status": true,
22
"exchange-malware": true,
23
"network-sandboxing": true,
24
"adcloud": true,
25
"exchange-user-credentials": true,
26
"endpoint-moved-out": true,
27
"endpoint-moved-in": true,
28
"troubleshooting-activity": true,
29
"uninstall": true,
30
"install": true,
31
"hwid-change": true,
32
"new-incident": true,
33
"antiexploit": true,
34
"network-monitor": true,
35
"ransomware-mitigation": true,
36
"security-container-update-available": true
37
},
38
"subscribeToCompanies": [
39
"54a295d8b1a43d7c4a7b23c6",
40
"54a295d8b1a43d7c4a7be321"
41
]
42
},
43
"jsonrpc": "2.0",
44
"method": "setPushEventSettings",
45
"id": "ad12cb61-52b3-4209-a87a-93a8530d91cb"
46
}

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for BitDefender in the event sources search bar.
    • In the Product Type filter, select Virus Scan.
  3. Select the BitDefender event source tile.
  4. Choose your Collector and select BitDefender as your event source.
  5. (Optional) Name your event source.
  6. If you are sending additional events beyond alerts, select the unparsed logs checkbox.
  7. Specify an unused port on the Collector that can receive forwarded BitDefender events. We recommend that you use TCP as your protocol.
  8. Click Save.

Verify the configuration

Complete the following steps to verify the configuration and ensure events are making it to the Collector.

  1. Open Log Search to view the new event source you just created.
  2. Select the applicable log sets and the log names within them. The log name will be the event source name you chose or "BitDefender" if you didn’t name the event source.
  3. Select View Raw Log. If you see log messages in the box, then this shows that logs are flowing to the Collector.

The Bitdefender event source allows InsightIDR to parse the following log types:

  • Virus Infection
  • Web Proxy

Please note that logs take at least 7 minutes to appear in Log Search after you set up the event source. If you see log messages when you select View Raw Log on the event source but do not see any log messages in Log Search after waiting for a few minutes for them to appear, then your logs do not match the recommended format and type for this event source.

Sample Logs

Anti-malware

json
1
"module": "av",
2
"product_installed": "BEST",
3
"user": {
4
"id": "user_id",
5
"name": "SYSTEM"
6
},
7
"VM_NAME": "MY_VM",
8
"VM_ID": "my-vm-id",
9
"UUID_INSTANCE": "a986e788-adf1-4157-ab07-9d7803ac1308",
10
"UUID_BIOS": "e549aead-7c1c-4a43-a413-f28f72d94253",
11
"computer_name": "MYCOMPUTER",
12
"computer_fqdn": "mycomputer.bitdefendercustomer.com",
13
"computer_ip": "10.0.0.1",
14
"computer_id": "dfke8kksuifys737485jd6sh",
15
"malware_type": "file",
16
"malware_name": "Piece.Of.Malware",
17
"hash": "kzjdkfjhsdfxug8erjtgnsefdl8cghv8ewirjtg8e39e9u3984ruaweoijhfkshf",
18
"final_status": "blocked",
19
"container_id": "8ee778de-100e-43cf-bb37-fbc4e5bcda10",
20
"file_path": "C:\\Path\\To\\A\\File.exe",
21
"timestamp": "2022-05-06T09:23:27.000Z",
22
"signaturesNumber": "1.00000",
23
"scanEngineType": 1
24
}

User Control

json
1
"module": "uc",
2
"product_installed": "BEST",
3
"user": {
4
"id": "user_id",
5
"name": "SYSTEM"
6
},
7
"computer_name": "MYCOMPUTER",
8
"computer_fqdn": "mycomputer.bitdefendercustomer.com",
9
"computer_ip": "10.0.0.1",
10
"computer_id": "dfke8kksuifys737485jd6sh",
11
"uc_type": "http",
12
"url": "bitdefenderurlpage\/page_category\/page_name.jsp",
13
"block_type": "http_timelimiter",
14
"categories": "",
15
"status": "uc_site_blocked",
16
"last_blocked": "2022-05-06T09:23:27.000Z",
17
"count": 2
18
}