IBM Security QRadar

  • 1.  Bit Defender Cloud Integration with Cloud

    Posted Thu May 16, 2024 06:49 AM

    Dear Team,

    We have tried integrating Bitdefender Cloud with IBM QRadar and configured the HTTP Listener, and all the tests are successful. Bitdefender works on a push method via API, and we have gone through all the documentation published by Bitdefender (the Bitdefender article "IBM QRadar", summarised as follows):

    "The article provides information about the GravityZone Cloud integration with IBM QRadar. For the GravityZone On-premises integration, refer to IBM QRadar. This integration provides you with the possibility to better monitor GravityZone events using IBM QRadar."

    We have researched other SIEM integrations and found that all the other SIEMs have their own script to tell Bitdefender to push the logs to the SIEM (to register with Bitdefender). Is there any script published by IBM to push the Bitdefender logs to the QRadar SIEM?

    Any help is appreciated.

    Best Regards,

    Ishwor Shrestha



    ------------------------------
    ishwor shrestha
    ------------------------------


  • 2.  RE: Bit Defender Cloud Integration with Cloud

    Posted Thu May 16, 2024 10:30 AM

    Hello, 

    I am not aware of any such script. 

    What I do note is that the documents you are following are for QRadar 7.3.3 Patch 6, which is long since EOL. 
    Please review the protocol doc for the Microsoft Defender Endpoint API.

     https://www.ibm.com/docs/en/dsm?topic=pco-microsoft-defender-endpoint-siem-rest-api-protocol-configuration-options

    Though if you have successful tests completing in the QRadar UI and still no events, then please raise a case direct with QRadar Support to help investigate the logs. 
    They may be able to increase the debug level of the logs as well to capture more information. 

    Regards,



    ------------------------------
    Comghall Morgan
    QRadar Support Architect
    IBM
    ------------------------------



  • 3.  RE: Bit Defender Cloud Integration with Cloud

    Posted Mon May 20, 2024 12:00 AM

    Hi Comghall,

    In the HTTP listener, QRadar listens for the logs forwarded by Bitdefender GravityZone, and for that forwarding to happen there must be some script to register QRadar so that Bitdefender forwards the logs to the QRadar SIEM. The way the API works is different in Bitdefender GravityZone: Bitdefender pushes the logs once the SIEM registers with it.

    Similar registration documentation is found for other SIEMs as well. Please refer to the documentation:

    https://docs.fortinet.com/document/fortisiem/7.1.5/external-systems-configuration-guide/354631/bitdefender-gravityzone

    https://www.bitdefender.com/business/support/en/77211-171475-splunk.html

    https://docs.stellarcyber.ai/prod-docs/4.3.x/Configure/LogParser/Bitdefender-Log-Ingestion.htm

    Can you please revalidate whether a script is required to push Bitdefender GravityZone logs to the QRadar SIEM? The antivirus is Bitdefender GravityZone, not Microsoft Defender.

    Looking forward to hearing from you.

    Best Regards,

    Ishwor Shrestha



    ------------------------------
    ishwor shrestha
    ------------------------------



  • 4.  RE: Bit Defender Cloud Integration with Cloud

    Posted Tue May 21, 2024 06:35 AM

    Hello Ishwor, 

    Apologies, I had made a few assumptions in my first post. 
    Ok, so digging more I see that you are using the BitDefender DSM for QRadar app.
    https://exchange.xforce.ibmcloud.com/hub/extension/de133797c363c03147a7acd194bf53e2
    That, as of version 2.0.0, has now added support for GravityZone. 

    I would point you to updated Documents from BitDefender for GravityZone:
    https://www.bitdefender.com/business/support/en/77209-335051-ibm-qradar.html

    Regards,



    ------------------------------
    Comghall Morgan
    QRadar Support Architect
    IBM
    ------------------------------



  • 5.  RE: Bit Defender Cloud Integration with Cloud

    Posted Fri May 24, 2024 12:25 AM

    Hi Comghall Morgan,

    We have already gone through the documentation. Within the documentation, under the section "Subscribe the HTTP Receiver to the GravityZone Event Push API Service", at the end there is a line stating how to configure event push: "To start sending events using GravityZone Event Push API Service, please refer to Event Push". After redirecting, we need to request the parameter where the registration is required, and to do so we need a certain script to register QRadar with Bitdefender so that Bitdefender would push the events to QRadar. Please find the attached screenshot for your reference.

    Can you please confirm whether we need a script to register or not?



    ------------------------------
    ishwor shrestha
    ------------------------------



  • 6.  RE: Bit Defender Cloud Integration with Cloud

    Posted Fri May 24, 2024 04:51 AM
    Edited by Carl Mohn Fri May 24, 2024 04:52 AM

    Hello Ishwor,

    To echo what Comghall was saying - this integration is not tested by IBM, therefore not documented by IBM, and thus not supported.

    This is also stated on the App download page:

    "This app is developed and supported by the Third Party App Provider. For support, contact the App Provider using the contact link provided."
     Bitdefender Support for Business

    EDIT: Cleaned up the copy/paste.

    Regarding the script, I could see that you are referring to this page: https://www.bitdefender.com/business/support/en/77209-135319-setpusheventsettings.html . Unfortunately, that's not information we have. My suggestion to you is to get in touch with Bitdefender Support - or their support community to clarify how to initiate the event traffic. 

    Best regards,



    ------------------------------
    Carl Mohn
    IBM
    Dublin
    ------------------------------
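The registration step discussed in posts 5 and 6, as an added example that is not part of this thread and not Bitdefender's or IBM's code: a small Python helper that builds and (optionally) sends the GravityZone JSON-RPC call named on the Bitdefender page Carl linked, setPushEventSettings, pointing GravityZone at the URL of the QRadar HTTP Receiver log source. Everything not on the page is an assumption to be checked against that Bitdefender page before use: the API base URL and the `/push` endpoint path, the parameter names (`status`, `serviceType`, `serviceSettings`, `subscribeToEventTypes`), the companion `getPushEventSettings` method used to verify the setting, and Basic authentication with the API key as username and an empty password. The receiver URL and API key below are constructed placeholders.

```python
"""Register a SIEM HTTP receiver with the GravityZone Event Push API.

Added example, not Bitdefender's or IBM's code. Endpoint path, parameter names,
event type names and the auth scheme are assumptions: verify them against the
Bitdefender setPushEventSettings documentation linked in the thread.
"""
import base64
import json
import urllib.request

GZ_API_BASE = "https://cloud.gz.bitdefender.com/api/v1.0/jsonrpc"  # assumption
PUSH_ENDPOINT = f"{GZ_API_BASE}/push"  # assumption: Event Push API under /push

# Event type identifiers (assumption; subscribe only to what the DSM parses).
DEFAULT_EVENT_TYPES = ("av", "aph", "fw", "avc", "uc", "dp", "hd", "modules",
                       "sva", "registration", "supa-update-status", "exploit")


def auth_header(api_key: str) -> str:
    """Basic auth with the API key as username and an empty password (assumption)."""
    token = base64.b64encode(f"{api_key}:".encode("ascii")).decode("ascii")
    return f"Basic {token}"


def build_set_push_event_settings(receiver_url, event_types=DEFAULT_EVENT_TYPES,
                                  receiver_authorization=None,
                                  require_valid_cert=True, request_id="1"):
    """Build the JSON-RPC body that tells GravityZone where to push events."""
    # Refuse plain HTTP: security events must not leave the tenant in the clear.
    if not receiver_url.startswith("https://"):
        raise ValueError("receiver URL must use https://")
    service_settings = {
        "url": receiver_url,                          # QRadar HTTP Receiver URL
        "requireValidSslCertificate": require_valid_cert,
    }
    if receiver_authorization:
        # Value GravityZone sends back in its Authorization header (assumption).
        service_settings["authorization"] = receiver_authorization
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "setPushEventSettings",
        "params": {
            "status": 1,                                # 1 = enable pushing
            "serviceType": "jsonRPC",                   # JSON events for the receiver
            "serviceSettings": service_settings,
            "subscribeToEventTypes": {t: True for t in event_types},
        },
    }


def build_get_push_event_settings(request_id="2"):
    """Companion read-back call to confirm what GravityZone stored (assumption)."""
    return {"jsonrpc": "2.0", "id": request_id,
            "method": "getPushEventSettings", "params": {}}


def build_request(api_key, payload, endpoint=PUSH_ENDPOINT):
    """Wrap a JSON-RPC body in an authenticated POST; nothing is sent here."""
    body = json.dumps(payload).encode("utf-8")
    return urllib.request.Request(endpoint, data=body, method="POST", headers={
        "Content-Type": "application/json",
        "Authorization": auth_header(api_key),
    })


def register_receiver(api_key, receiver_url, dry_run=True, **kwargs):
    """Return the payload (dry run) or GravityZone's JSON-RPC response."""
    payload = build_set_push_event_settings(receiver_url, **kwargs)
    if dry_run:
        return payload
    with urllib.request.urlopen(build_request(api_key, payload), timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholders; the real values come from your GravityZone
    # Control Center (API key) and the QRadar HTTP Receiver log source.
    print(json.dumps(register_receiver("YOUR_GZ_API_KEY",
                                       "https://qradar.example.net:12469/"),
                     indent=2))
```

Run it once with `dry_run=False` against the tenant, then issue `build_get_push_event_settings()` the same way and compare the returned `serviceSettings.url` with the URL configured on the QRadar log source; if they match and events still do not arrive, the remaining checks are on the receiver side (certificate validity when `requireValidSslCertificate` is true, the listener port being reachable from the internet, and the Authorization value expected by the log source).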



  • 7.  RE: Bit Defender Cloud Integration with Cloud

    Posted Mon May 20, 2024 09:57 AM

    Hello, thanks for your support, and thank you so much for sharing this document. I was facing an issue on my side ☺ https://www.ibm.com/docs/en/dsm?topic=pco-microsoft-defender-endpoint-siem-rest-api-protocol-configuration-options



    ------------------------------
    james alary
    ------------------------------