Configuring Bitdefender Connectors

A Stellar Cyber Bitdefender connector allows you to Contain hosts (Isolate Endpoints) using an API call to the Bitdefender server managing those hosts.

Connector Overview: Bitdefender

Capabilities

  • Collect: No

  • Respond: Yes

  • Native Alerts Mapped: Yes

  • Runs on: DP

  • Interval: N/A (applies only to Collect)

Collected Data

Bitdefender's API does not support pulling data, so that option is not offered in the Stellar Cyber Bitdefender connector. For collection, you set up Bitdefender to push data to a Stellar Cyber sensor configured to ingest httpjson over TLS. (Bitdefender's PUSH event JSON RPC messages are listed in their online documentation.) The received logs are ingested into the Syslog index. From there, Stellar Cyber runs alert integrations and maps certain records (see below) to the Alert Index. A detailed list of how to locate the ingested event types is provided in the section below on Locating Records.

Domain

<Access URL>

where <Access URL> is a variable from the configuration of this connector

Response Actions

| Action | Required Fields | API |
| --- | --- | --- |
| Contain (Isolate) Host | computer_id or endpointId, and endpoint is type bitdefender | https://<Access URL>/api/v1.0/jsonrpc/incidents {params} |

where

  • Access URL is the value obtained from your Bitdefender GravityZone Control Center API configuration page.

  • Parameters are:

    • endpointId value

    • jsonrpc version (2.0)

    • action to perform (either createIsolateEndpointTask or createRestoreEndpointFromIsolationTask)

    • uuid of the request

Example:

https://cloud.gravityzone.bitdefender.com/api/v1.0/jsonrpc/incidents

with params:

{"params": {"endpointId": "62ba2eeafb978f545505e687"}, "jsonrpc": "2.0", "method": "createIsolateEndpointTask", "id": "301f7b05-ec02-481b-9ed6-c07b97de2b7b"}
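
As an added example (not Stellar Cyber's or Bitdefender's own code), the following Python assembles the isolate or restore request described above without sending it, and checks the JSON-RPC reply. The function names are hypothetical, and the Authorization header assumes GravityZone's HTTP Basic scheme (API key as user name, empty password), which this page does not describe.

```python
import base64
import json
import uuid
from urllib.parse import urlsplit

# The two actions the page lists for the incidents endpoint.
ALLOWED_METHODS = {"createIsolateEndpointTask", "createRestoreEndpointFromIsolationTask"}


def normalize_access_url(access_url):
    """Return the Access URL without a trailing slash; reject non-HTTPS or an /api suffix."""
    parts = urlsplit(access_url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("Access URL must be an https:// URL")
    path = parts.path.rstrip("/")
    if path.endswith("/api"):
        raise ValueError("Do not include /api at the end of the Access URL")
    return f"https://{parts.netloc}{path}"


def build_containment_request(access_url, api_key, endpoint_id, method, request_id=None):
    """Build (url, headers, body) for an isolate or restore call; nothing is sent."""
    if method not in ALLOWED_METHODS:
        raise ValueError(f"unsupported method: {method}")
    if not endpoint_id:
        raise ValueError("endpointId is required")
    url = normalize_access_url(access_url) + "/api/v1.0/jsonrpc/incidents"
    body = {
        "params": {"endpointId": endpoint_id},
        "jsonrpc": "2.0",
        "method": method,
        "id": request_id or str(uuid.uuid4()),
    }
    # Assumption: HTTP Basic auth, API key as user name, empty password.
    token = base64.b64encode(f"{api_key}:".encode()).decode()
    headers = {"Content-Type": "application/json", "Authorization": f"Basic {token}"}
    return url, headers, json.dumps(body)


def check_response(raw, request_id):
    """Return the JSON-RPC result, or raise if the reply is an error or mismatched."""
    reply = json.loads(raw)
    if reply.get("id") != request_id:
        raise ValueError("response id does not match request id")
    if "error" in reply:
        raise RuntimeError(f"JSON-RPC error: {reply['error']}")
    return reply["result"]
```

Matching the reply `id` against the request `id` lets a response playbook confirm which endpoint's isolation task was actually accepted before it records the host as contained.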

Third Party Native Alert Integration Details

Of the different record types you can configure to push to Stellar Cyber's httpjson parser, the 11 below are normalized and enriched as they are added to the Syslog index. The records are evaluated against existing records in the Alert index. Those that do not already exist are mapped directly to the XDR Kill Chain and the Alert Index. For details, see Integration of Third Party Native Alerts.

The other records are run through the ML/SA pipeline, which may generate alerts based on those algorithms. They are assigned a description of "The Bitdefender endpoint agent reported an anomaly" along with the indicated fields below.

| Bitdefender Event / Stellar Cyber Label | Stellar Cyber TTP* | Bitdefender Fields | Reported Fields |
| --- | --- | --- | --- |
| Advanced Threat Control (ATC) | 1 | module, computer_fqdn, computer_ip, exploit_type | event.type, host.name, host.ip, threat.name |
| Antiexploit Event | 1 | module, computer_fqdn, computer_ip, detection_threatName | event.type, host.name, host.ip, threat.name |
| Antimalware | 1 | module, computer_fqdn, computer_ip, malware_name | event.type, host.name, host.ip, threat.name |
| Hyper Detect event | 1 | module, computer_fqdn, host.ip, malware_name | event.type, host.name, host.ip, threat.name |
| Sandbox Analyzer Detection | 1 | module, computerName, computerIp, threatType | event.type, host.name, host.ip, threat.name |
| User Control / Content Control | 2 | module, computer_fqdn, computer_ip, url | event.type, host.name, host.ip, url |
| Data Protection | 3 | module, computer_fqdn, computer_ip, url | event.type, host.name, host.ip, url |
| Storage Antimalware | 3 | module, computer_name, malware_name | event.type, host.name, host.ip, threat.name |
| Ransomware activity detection | 4 | module, computer_fqdn, computer_ip, attack_source | event.type, host.name, host.ip, srcip |
| Antiphishing | 5 | module, computer_name, computer_fqdn, aph_type | event.type, host.name, host.ip, url |
| Firewall | 6 | module, computer_name, computer_ip, source_ip | event.type, host.name, host.ip, srcip |

*TTP mapping legend

  1. XDR Malware; XDR Misc Malware
  2. Execution; Exploitation for Client Execution
  3. Impact; Data Manipulation
  4. Impact; Data Encrypted for Impact
  5. Initial Access; Phishing
  6. XDR NBA; XDR Firewall Anomaly

Required Credentials

To Respond, an Access URL and API key are required from an administrative account in the Bitdefender GravityZone CLOUD Control Center. The API key must be enabled for the following settings: Network API, Reports API, Incidents API, Quarantine API, and Event Push Service API. The account must have licensing that supports Bitdefender's Isolate action.

Locating Records

Use the following fields as a guide to query for records.

Field details

msg_origin.source: bitdefender

All of the indicated modules contain endpoint data; those that are alert-related are additionally mapped to the Alert index.

| Bitdefender Module / Stellar Cyber event.type | Bitdefender Event / Stellar Cyber Label | Stellar Cyber msg_class | Stellar Cyber msg_origin.category | Mapped to Alert Index |
| --- | --- | --- | --- | --- |
| adcloud | Cloud AD Integration | bitdefender_cloud_ad_integration | endpoint | |
| antiexploit | Antiexploit Event | bitdefender_antiexploit_event | endpoint | yes |
| aph | Antiphishing | bitdefender_antiphishing | endpoint | yes |
| av | Antimalware | bitdefender_antimalware | endpoint | yes |
| avc | Advanced Threat Control (ATC) | bitdefender_advanced_threat_control | endpoint | yes |
| device-control | Device Control | bitdefender_device_control | endpoint | |
| dp | Data Protection | bitdefender_data_protection | endpoint | yes |
| endpoint-moved-in | Endpoint moved in | bitdefender_endpoint_moved_in | endpoint | |
| endpoint-moved-out | Endpoint moved out | bitdefender_endpoint_moved_out | endpoint | |
| exchange-malware | Exchange Malware Detection | bitdefender_exchange_malware_detection | email | |
| exchange-organization-info | Exchange License Usage Limit Has Been Reached | bitdefender_exchange_organization_info | endpoint | |
| exchange-user-credentials | Exchange User Credentials | bitdefender_exchange_user_credentials | endpoint | |
| fw | Firewall | bitdefender_firewall | endpoint | |
| hd | Hyper Detect event | bitdefender_hyper_detect_event | endpoint | yes |
| hwid-change | Hardware ID Change | bitdefender_hardware_id_change | endpoint | |
| install | Install Agent | bitdefender_install_agent | endpoint | |
| modules | Product Modules Status | bitdefender_product_modules_status | endpoint | |
| network-monitor | Network Attack Defense Event | bitdefender_network_attack_defense_event | ndr | |
| network-sandboxing | Sandbox Analyzer Detection | bitdefender_sandbox_analyzer_detection | endpoint | yes |
| new-incident | New Incident | bitdefender_new_incident | xdr | |
| ransomware-mitigation | Ransomware activity detection | bitdefender_ransomware_activity_detection | endpoint | yes |
| registration | Product Registration | bitdefender_product_registration | endpoint | |
| storage-antimalware | Storage Antimalware Event | bitdefender_storage_antimalware_event | endpoint | yes |
| supa-update-status | Outdated Update Server | bitdefender_outdated_update_server | endpoint | |
| sva | Security Server Status | bitdefender_security_server_status | endpoint | |
| sva-load | Overloaded Security Server | bitdefender_overloaded_security_server | endpoint | |
| task-status | Task Status | bitdefender_task_status | endpoint | |
| troubleshooting-activity | Troubleshooting activity | bitdefender_troubleshooting_activity | endpoint | |
| uc | User Control/Content Control | bitdefender_user_control_content_control | endpoint | yes |
| uninstall | Uninstall Agent | bitdefender_uninstall_agent | endpoint | |


Adding a Bitdefender Connector

To add a Bitdefender connector:

  1. Configure Bitdefender API access
  2. Add the connector in Stellar Cyber
  3. Test the connector
  4. Verify ingestion

Configuring Bitdefender API Access

You must obtain the following information from your Bitdefender GravityZone console before you add the connector in Stellar Cyber:

  • Access URL

  • API Key

  1. Log in to the Bitdefender GravityZone CLOUD Console as an administrative user.

  2. Access your account settings.

  3. Locate and save the Access URL information for use in the next section (for example: https://cloud.gravityzone.bitdefender.com).

    Do not include /api at the end of the URL.

  4. Select the option to Add an API Key.

  5. Create the key with at least these options:

    Network API

    Reports API

    Incidents API

    Quarantine API

    Event Push Service API

  6. Save the API key.

  7. Locate the new key in the API keys table and save the value for use in the next section.

Adding the Connector in Stellar Cyber

To add a Bitdefender client connector in Stellar Cyber:

  1. Log in to Stellar Cyber.

  2. Click System | Integration | Connectors. The Connector Overview appears.

  3. Click Create. The General tab of the Add Connector screen appears. The information on this tab cannot be changed after you add the connector.

    The asterisk (*) indicates a required field.

  4. Choose Endpoint Security from the Category drop-down.

  5. Choose Bitdefender from the Type drop-down.

  6. For this connector, the supported Function is Respond, which is enabled already.

  7. Enter a Name.

    Notes:
    • This field does not accept multibyte characters.
    • It is recommended that you follow a naming convention such as tenantname-connectortype.
  8. Choose a Tenant Name. This is the Stellar Cyber tenant allowed to use this connector.

  9. Choose the device on which to run the connector.

  10. Click Next. The Configuration tab appears. Complete this screen with the data you collected from your Bitdefender steps in the previous section.

    The asterisk (*) indicates a required field.

  11. Enter the Access URL you obtained above (for example: https://cloud.gravityzone.bitdefender.com).

    Do not include /api at the end of the URL.

  12. Enter the API Key you configured above.

  13. Click Next. The final confirmation tab appears.

  14. Click Submit.

The new connector is immediately active.

Testing the Connector

When you add (or edit) a connector, we recommend that you run a test to validate the connectivity parameters you entered. (The test validates only the authentication / connectivity; it does not validate data flow).

For connectors running on a sensor, Stellar Cyber recommends that you allow 30-60 seconds for new or modified configuration details to be propagated to the sensor before performing a test.

  1. Click System | Integrations | Connectors. The Connector Overview appears.

  2. Locate the connector that you added, or modified, or that you want to test.

  3. Click Test at the right side of that row. The test runs immediately.

    Note that you may run only one test at a time.

Stellar Cyber conducts a basic connectivity test for the connector and reports a success or failure result. A successful test indicates that you entered all of the connector information correctly.

To aid troubleshooting your connector, the dialog remains open until you explicitly close it by using the X button. If the test fails, you can select the  button from the same row to review and correct issues.

The connector status is updated every five (5) minutes. A successful test clears the connector status, but if issues persist, the status reverts to failed after a minute.

Repeat the test as needed.

Sample messages (screenshots not reproduced here): Success; Failure with summary of issue; Show More example detail.

If the test fails, the common HTTP status error codes are as follows:

| HTTP Error Code | HTTP Standard Error Name | Explanation | Recommendation |
| --- | --- | --- | --- |
| 400 | Bad Request | This error occurs when there is an error in the connector configuration. | Did you configure the connector correctly? |
| 401 | Unauthorized | This error occurs when an authentication credential is invalid or when a user does not have sufficient privileges to access a specific API. | Did you enter your credentials correctly? Are your credentials expired? Are your credentials entitled or licensed for that specific resource? |
| 403 | Forbidden | This error occurs when the permission or scope is not correct in a valid credential. | Did you enter your credentials correctly? Do you have the required role or permissions for that credential? |
| 404 | Not Found | This error occurs when a URL path does not resolve to an entity. | Did you enter your API URL correctly? |
| 429 | Too Many Requests | This error occurs when the API server receives too much traffic or if a user’s license or entitlement quota is exceeded. | The server or user license/quota will eventually recover. The connector will periodically retry the query. If this occurs unexpectedly or too often, work with your API provider to investigate the server limits, user licensing, or quotas. |

For a full list of codes, refer to HTTP response status codes.

Verifying Ingestion

Use these steps to verify the records related to Bitdefender are in Stellar Cyber:

  1. Click Investigate | Threat Hunting. The Interflow Search tab appears.

  2. Change the Indices to Syslog. The table immediately updates to show ingested Interflow records.

  3. Use the card at the top of this topic to find keywords for your connector and search for related keywords.

For Respond actions, refer to Understanding Event Details to understand how to work with the Contain Host feature.