The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

This content pack is for Bitdefender and parses its Telemetry logs.

Hint: Please note this content pack does not apply to all Bitdefender products.

Supported Version(s)

  • GravityZone Version 6.56.0-1 and matching OnPrem versions

Requirements

  • Graylog 6.1.2+

  • The Graylog server must be configured to accept TLS 1.2.

  • Bitdefender GravityZone/Bitdefender OnPrem must be configured to send Syslog-formatted logs to a Graylog Syslog input.

  • Bitdefender GravityZone/Bitdefender OnPrem must have the correct license to generate Telemetry data.

Stream Configuration

This technology pack includes one stream:

  • "Illuminate:Bitdefender Telemetry Messages"

Hint: If this stream does not exist before the pack is activated, it is created and routing is configured to send messages to this stream and its associated index set. No stream rules should be configured on this stream.

Index Set Configuration

This technology pack includes one index set definition:

  • "Bitdefender Telemetry Logs"

Hint: If this index set is already defined, nothing is changed. If it does not exist, it is created with daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

What is Provided?

  • Telemetry log parsing and a custom dashboard with four tabs.

Limitations

  • Only Syslog-formatted logs are supported.

Log Format Examples

All 14 Bitdefender Telemetry log types are supported. See the Bitdefender Syslog documentation for more information.

terminate_process Logs Example

{"ctc_version":"2.13.4.3","machine_name":"1022H2X64-N74","event_version":1,"event_name":"terminate_process","pid":7912,"datetime":1715023652647,"os_version":"Windows 10","company_id":"5b9bc2701da197f07a8b4567","hardware_id":"4D8E0E42-22F0-2D94-6823-C3863931877A-0050568E1657","os_family":"windows","os_platform":"x64","os_type":"client","product_version":"7.9.11.406"}

Configure Graylog Syslog Input

Hint: GravityZone/Telemetry requires a TLS 1.2 connection. Your Graylog server must be configured to accept TLS connections on the Syslog input; issue a private key and certificate for it if needed.

Bitdefender GravityZone/Bitdefender OnPrem must be configured to send Syslog-formatted logs to a Graylog Syslog input.

This pack rewrites the message field to reduce license utilization. To retain the full original message, enable "Store full message" in the input settings.

Logs are identified by the application_name value "BitdefenderEdr". The static input field "Routed From" with the value "Route - Bitdefender Telemetry Logs" can also be used to match them.

Message Fields Included in This Pack

Most fields are renamed. Where a field carries the BitdefenderGZ prefix, that prefix may be substituted with vendor_. Other fields are mapped to Graylog schema (GIM) fields.

Categorization

The following event types and modules are currently categorized:

vendor_event_module    GIM Event Type Code    GIM Event Type
log_on                 100000                 Logon
log_out                102500                 Logoff
file_create            200000                 File Created
file_delete            200100                 File deleted
file_modify            201000                 File Modified
file_read              209999                 File Default
file_move              209999                 File Default
network_connection     129999                 Network Messages
reg_create_key         250500                 Registry Key Added
reg_delete_key         250501                 Registry Key Deleted
reg_delete_value       250002                 Registry Value Deleted
reg_modify_value       250003                 Registry Value Modified
terminate_process      190100                 Process Stopped
process_create         190000                 Process Created
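The following is an added example, not code from the Illuminate pack or from Graylog: a small normalizer that reproduces the processing this page describes for a Bitdefender telemetry message. It identifies the message by the syslog app-name "BitdefenderEdr", parses the JSON payload (the terminate_process sample above), converts the millisecond datetime to an ISO-8601 timestamp, maps a few fields onto Graylog schema names, applies the GIM categorization table, prefixes the remaining vendor fields with vendor_, and shortens the message field while keeping the original only when "Store full message" is enabled. The RFC 5424 header layout of the sample lines, the schema names host_hostname and process_id, and the summary format of the shortened message are assumptions made for this example; the event_name to vendor_event_module mapping and the GIM codes come from the page.

```python
"""Added example: normalize a Bitdefender GravityZone telemetry syslog message
the way the Illuminate pack description above outlines. Not the pack's own code."""
import json
import re
from datetime import datetime, timezone

# Categorization table, copied from the content pack documentation.
GIM_EVENT_TYPES = {
    "log_on": (100000, "Logon"),
    "log_out": (102500, "Logoff"),
    "file_create": (200000, "File Created"),
    "file_delete": (200100, "File deleted"),
    "file_modify": (201000, "File Modified"),
    "file_read": (209999, "File Default"),
    "file_move": (209999, "File Default"),
    "network_connection": (129999, "Network Messages"),
    "reg_create_key": (250500, "Registry Key Added"),
    "reg_delete_key": (250501, "Registry Key Deleted"),
    "reg_delete_value": (250002, "Registry Value Deleted"),
    "reg_modify_value": (250003, "Registry Value Modified"),
    "terminate_process": (190100, "Process Stopped"),
    "process_create": (190000, "Process Created"),
}

# Vendor fields mapped onto Graylog schema names. event_name -> vendor_event_module
# follows from the categorization table; host_hostname and process_id are assumptions.
SCHEMA_FIELDS = {
    "event_name": "vendor_event_module",
    "machine_name": "host_hostname",
    "pid": "process_id",
}

BITDEFENDER_APP_NAME = "BitdefenderEdr"  # application_name value named on the page

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
# The header layout is assumed for the constructed sample input.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d)\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<app>\S+)\s+(?P<procid>\S+)\s+(?P<msgid>\S+)\s+(?P<sd>-|\[.*?\])\s+(?P<msg>.*)$"
)


def epoch_ms_to_iso(ms):
    """Bitdefender sends datetime as Unix milliseconds; emit an ISO-8601 UTC string."""
    ts = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return ts.replace(microsecond=(ms % 1000) * 1000).isoformat(timespec="milliseconds")


def normalize(raw, store_full_message=False):
    """Return the normalized field dict, or None when the line is not Bitdefender telemetry."""
    m = SYSLOG_RE.match(raw)
    if not m:
        raise ValueError("not an RFC 5424 syslog line")
    if m.group("app") != BITDEFENDER_APP_NAME:
        return None  # leave messages from other applications to other packs
    payload = json.loads(m.group("msg"))

    out = {"application_name": m.group("app"), "source": m.group("host")}
    for key, value in payload.items():
        if key == "datetime":
            out["timestamp"] = epoch_ms_to_iso(value)
        elif key in SCHEMA_FIELDS:
            out[SCHEMA_FIELDS[key]] = value
        else:
            out["vendor_" + key] = value  # everything else keeps the vendor_ prefix

    module = out.get("vendor_event_module")
    if module in GIM_EVENT_TYPES:
        out["gim_event_type_code"], out["gim_event_type"] = GIM_EVENT_TYPES[module]

    # The pack rewrites the message field to reduce license volume; this short
    # summary is an assumed format. The original payload survives only if the
    # input stores the full message.
    out["message"] = f"{module} on {out.get('host_hostname', 'unknown-host')}"
    if store_full_message:
        out["full_message"] = m.group("msg")
    return out


# Constructed sample input: assumed syslog header around the page's terminate_process payload.
SAMPLE_LINE = (
    "<14>1 2024-05-06T19:27:32.647Z gz-relay BitdefenderEdr - - - "
    '{"ctc_version":"2.13.4.3","machine_name":"1022H2X64-N74","event_version":1,'
    '"event_name":"terminate_process","pid":7912,"datetime":1715023652647,'
    '"os_version":"Windows 10","company_id":"5b9bc2701da197f07a8b4567",'
    '"hardware_id":"4D8E0E42-22F0-2D94-6823-C3863931877A-0050568E1657",'
    '"os_family":"windows","os_platform":"x64","os_type":"client","product_version":"7.9.11.406"}'
)
# Constructed non-Bitdefender line on the same input; must be left alone.
OTHER_LINE = '<14>1 2024-05-06T19:27:33Z gz-relay otherapp - - - {"event_name":"log_on"}'

if __name__ == "__main__":
    for k, v in sorted(normalize(SAMPLE_LINE).items()):
        print(f"{k}: {v}")
```

Running the block prints the normalized fields for the sample: vendor_event_module terminate_process resolves to GIM code 190100 / Process Stopped, the millisecond datetime becomes a UTC timestamp, and unmapped keys such as os_family appear as vendor_os_family.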

Dashboard

The Bitdefender Telemetry Content Pack provides a dashboard with 5 tabs:

  • Overview

  • Network Activity

  • File Activity

  • Process Activity

  • User Activity