Bitdefender Telemetry Content Pack
Bitdefender telemetry data aggregates threat indicators, system events, and configuration details from endpoints. This pack parses Bitdefender EDR telemetry data from GravityZone and OnPrem systems, providing normalization and enrichment of endpoint activity events including file operations, process events, network connections, registry changes, and authentication events.
Requirements
- Graylog Server version 6.1.2 or later with a valid Enterprise license
- TLS 1.2 enabled on the Graylog syslog input that receives the telemetry
- Bitdefender GravityZone or OnPrem configured to send Syslog-formatted logs to Graylog
- A Bitdefender license that includes telemetry data generation
Supported Versions
- GravityZone Version 6.56.0-1 and matching OnPrem versions
Log Collection and Delivery
Bitdefender telemetry events are delivered to Graylog via syslog. Only Syslog-formatted logs are supported. TLS 1.2 is required for the syslog connection.
Graylog Syslog Input Configuration
Configure Graylog to receive Bitdefender telemetry:
- Create a Syslog input in Graylog (TCP recommended) with TLS 1.2 enabled
- Set 'Store full message' to true so the raw message is retained alongside the parsed fields
- Configure Bitdefender to send logs with the application_name 'BitdefenderEdr'
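The same input can be created through the Graylog REST API instead of the web UI. The following is an added example, not code shipped with the content pack: it builds the Syslog TCP input definition with TLS and 'Store full message' switched on, refuses to submit a definition that would accept cleartext syslog or drop the raw message, and posts it to POST /api/system/inputs. The server URL, API token, certificate paths and port 6514 are placeholders chosen for the example.

```python
"""Create a TLS-only Syslog TCP input for Bitdefender telemetry via the Graylog REST API."""
import base64
import json
import urllib.request

# Placeholder values for this example; replace with your own deployment's settings.
GRAYLOG_URL = "https://graylog.example.internal:9000"
API_TOKEN = "REPLACE_WITH_GRAYLOG_API_TOKEN"
TLS_CERT = "/etc/graylog/server/syslog-tls.crt"
TLS_KEY = "/etc/graylog/server/syslog-tls.key"
INPUT_PORT = 6514  # commonly used for syslog over TLS; any free port works

# Graylog's Syslog TCP input type identifier.
SYSLOG_TCP_INPUT = "org.graylog2.inputs.syslog.tcp.SyslogTCPInput"


def build_bitdefender_input(port=INPUT_PORT, cert=TLS_CERT, key=TLS_KEY):
    """Return the input definition expected by POST /api/system/inputs.

    TLS is enabled and the full message is stored, matching the pack requirements.
    """
    return {
        "title": "Bitdefender EDR Telemetry (Syslog TLS)",
        "type": SYSLOG_TCP_INPUT,
        "global": True,
        "configuration": {
            "bind_address": "0.0.0.0",
            "port": port,
            "tls_enable": True,
            "tls_cert_file": cert,
            "tls_key_file": key,
            "tls_client_auth": "disabled",
            "store_full_message": True,
            "allow_override_date": True,
            "expand_structured_data": True,
        },
    }


def check_input_definition(definition):
    """Return a list of problems; empty means the definition meets the pack requirements."""
    cfg = definition.get("configuration", {})
    problems = []
    if definition.get("type") != SYSLOG_TCP_INPUT:
        problems.append("type must be the Syslog TCP input (only Syslog-formatted logs are supported)")
    if not cfg.get("tls_enable"):
        problems.append("tls_enable must be true: Bitdefender telemetry requires TLS 1.2")
    if not cfg.get("tls_cert_file") or not cfg.get("tls_key_file"):
        problems.append("tls_cert_file and tls_key_file must both be set")
    if not cfg.get("store_full_message"):
        problems.append("store_full_message must be true for complete message retention")
    return problems


def create_input(definition, base_url=GRAYLOG_URL, token=API_TOKEN):
    """POST the definition to Graylog and return the id of the new input.

    Graylog API tokens are sent as the basic-auth username with the literal
    password 'token'; the X-Requested-By header is mandatory on write calls.
    """
    problems = check_input_definition(definition)
    if problems:
        raise ValueError("; ".join(problems))
    body = json.dumps(definition).encode()
    auth = base64.b64encode(f"{token}:token".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/api/system/inputs",
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": f"Basic {auth}",
            "X-Requested-By": "bitdefender-telemetry-setup",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["id"]


if __name__ == "__main__":
    # Print the definition that would be submitted; call create_input() to apply it.
    print(json.dumps(build_bitdefender_input(), indent=2))
```

After the input is running, confirm from the Bitdefender side of the network that the listener negotiates TLS 1.2 (for instance with openssl s_client -tls1_2 against the chosen port) before enabling export in GravityZone.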
Bitdefender GravityZone Configuration
Configure Bitdefender to export telemetry:
- In the GravityZone console, navigate to the syslog integration settings.
- Configure the Graylog server IP address and the syslog input port.
- Enable telemetry event export for the desired event types.
- Verify TLS 1.2 connectivity.
Stream Configuration
This technology pack includes 1 stream:
- Illuminate:Bitdefender Telemetry Messages
Index Set Configuration
This technology pack includes 1 index set definition:
- Bitdefender Telemetry Logs
What is Provided
- Parsing rules to extract Bitdefender telemetry events into Graylog schema compatible fields
- Graylog Information Model message categorization for authentication, network, file, process, and registry events
- Security Core support for endpoint telemetry categorization
- Illuminate spotlight dashboard with five tabs: Overview, Network Activity, File Activity, Process Activity, and User Activity
GIM Categorization
GIM categorization is provided for the following event types:
| Event Type | gim_event_type_code | gim_event_category | gim_event_subcategory | gim_event_type |
|---|---|---|---|---|
| log_on | 100000 | authentication | authentication.logon | logon |
| log_out | 102500 | authentication | authentication.logoff | logoff |
| network_connection (connect) | 120200 | network | network.open | network connection initiated |
| network_connection (disconnect) | 120300 | network | network.close | network connection ended |
| process_create | 190000 | process | process.execute | process started |
| terminate_process | 190100 | process | process.stop | process stopped |
| file_create | 200000 | file | file.create | file created |
| file_delete | 200100 | file | file.delete | file deleted |
| file_modify | 201000 | file | file.modify | file modified |
| file_read, file_move | 209999 | file | file.default | file event |
| file_access | 201500 | file | file.access | file accessed |
| reg_create_key | 250500 | registry | registry.key_change | registry key added |
| reg_delete_key | 250501 | registry | registry.key_change | registry key deleted |
| reg_delete_value | 250002 | registry | registry.value_change | registry value deleted |
| reg_modify_value | 250003 | registry | registry.value_change | registry value modified |
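The mapping in the table above, applied to syslog lines, as an added example that is not the pack's own parsing rules. It keeps only messages whose RFC 5424 app-name is BitdefenderEdr, decodes the message body, and attaches the four gim_* fields. Two assumptions are made for the example and are not taken from this page: the message body is a JSON object with an 'event_type' key (plus 'action' for network_connection events), and the sample lines are constructed rather than captured from a real GravityZone export. Events with an unmapped type or network action are kept separately rather than dropped, so gaps in the mapping are visible.

```python
"""Map Bitdefender EDR telemetry events to GIM fields using the table's values."""
import json
import re

# (gim_event_type_code, gim_event_category, gim_event_subcategory, gim_event_type)
GIM_MAP = {
    "log_on": (100000, "authentication", "authentication.logon", "logon"),
    "log_out": (102500, "authentication", "authentication.logoff", "logoff"),
    "process_create": (190000, "process", "process.execute", "process started"),
    "terminate_process": (190100, "process", "process.stop", "process stopped"),
    "file_create": (200000, "file", "file.create", "file created"),
    "file_delete": (200100, "file", "file.delete", "file deleted"),
    "file_modify": (201000, "file", "file.modify", "file modified"),
    "file_read": (209999, "file", "file.default", "file event"),
    "file_move": (209999, "file", "file.default", "file event"),
    "file_access": (201500, "file", "file.access", "file accessed"),
    "reg_create_key": (250500, "registry", "registry.key_change", "registry key added"),
    "reg_delete_key": (250501, "registry", "registry.key_change", "registry key deleted"),
    "reg_delete_value": (250002, "registry", "registry.value_change", "registry value deleted"),
    "reg_modify_value": (250003, "registry", "registry.value_change", "registry value modified"),
}
# network_connection is split on the connection action.
NETWORK_MAP = {
    "connect": (120200, "network", "network.open", "network connection initiated"),
    "disconnect": (120300, "network", "network.close", "network connection ended"),
}

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<timestamp>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) (?P<msg>.*)$"
)
BITDEFENDER_APP_NAME = "BitdefenderEdr"


def parse_line(line):
    """Return the decoded event for a BitdefenderEdr syslog line, or None otherwise.

    Assumption (example only): the MSG part is a JSON object with an 'event_type'
    key. The real Bitdefender payload layout is not described on this page.
    """
    m = RFC5424.match(line)
    if not m or m.group("app") != BITDEFENDER_APP_NAME:
        return None
    try:
        event = json.loads(m.group("msg"))
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or "event_type" not in event:
        return None
    event["source"] = m.group("host")
    event["timestamp"] = m.group("timestamp")
    return event


def categorize(event):
    """Return a copy of the event with gim_* fields, or None if it is unmapped."""
    etype = event.get("event_type")
    if etype == "network_connection":
        mapping = NETWORK_MAP.get(event.get("action"))
    else:
        mapping = GIM_MAP.get(etype)
    if mapping is None:
        return None
    code, category, subcategory, gim_type = mapping
    return dict(event, gim_event_type_code=code, gim_event_category=category,
                gim_event_subcategory=subcategory, gim_event_type=gim_type)


def process_lines(lines):
    """Parse and categorize lines; non-Bitdefender lines are skipped entirely."""
    result = {"events": [], "unmapped": []}
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        enriched = categorize(event)
        (result["events"] if enriched is not None else result["unmapped"]).append(enriched or event)
    return result


# Constructed sample lines for the example; not real Bitdefender output.
SAMPLE_LINES = [
    '<14>1 2024-05-02T10:15:30.000Z host01 BitdefenderEdr - - - {"event_type":"process_create","process_name":"powershell.exe","user":"alice"}',
    '<14>1 2024-05-02T10:15:31.000Z host01 BitdefenderEdr - - - {"event_type":"network_connection","action":"connect","dst_ip":"203.0.113.5","dst_port":443}',
    '<14>1 2024-05-02T10:15:32.000Z host01 BitdefenderEdr - - - {"event_type":"network_connection","action":"reset","dst_ip":"203.0.113.5","dst_port":443}',
    '<14>1 2024-05-02T10:15:33.000Z host01 BitdefenderEdr - - - {"event_type":"file_move","path":"C:/Users/alice/report.docx"}',
    '<14>1 2024-05-02T10:15:34.000Z host01 sshd - - - Accepted publickey for alice from 192.0.2.10',
]

if __name__ == "__main__":
    print(json.dumps(process_lines(SAMPLE_LINES), indent=2))
```

Note that file_read and file_move both land on the generic 209999 / file.default bucket, so a search for file.default will mix reads and moves; filter on the original event_type field when the distinction matters.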
Bitdefender Telemetry Spotlight Content Pack
This spotlight offers a dashboard with 5 tabs:
- Overview
- File Activity
- Network Activity
- Process Activity
- User Activity
