Bitdefender GravityZone

Overview

Bitdefender GravityZone is an enterprise-level cybersecurity solution offering advanced threat prevention, detection, and response for endpoints, networks, and cloud environments. It features centralized management for streamlined security oversight.

• Vendor: Bitdefender
• Supported environment: Cloud
• Version compatibility: 6.55, 6.56 (Latest version as of now)
• Detection based on: Telemetry / Alert
• Supported application or feature:
  • Antiphishing
  • Application Control
  • Application Inventory
  • Antimalware
  • Advanced Threat Control
  • Data Protection
  • Exchange Malware Detected
  • Invalid Exchange user credentials
  • Firewall
  • Hyper Detect
  • Sandbox Analyzer Detection
  • Antiexploit
  • Network Attack Defense
  • User Control/Content Control
  • Storage Antimalware Event
  • Login from new device
  • Authentication audit
  • SMTP Connection
  • Internet Connection
  • Malware Outbreak

Warning

Important note - This format is currently in beta. We highly value your feedback to improve its performance.

Configure

This setup guide will show you how to forward your Bitdefender GravityZone events to Sekoia.io.

Steps to follow

• Create a BitDefender GravityZone API key
• Create an intake
• Set the push events settings

Create a BitDefender GravityZone API key

• Log in the BitDefender GravityZone console
• On the top-right bar, open your personal panel and click My Accout

• Scroll down to the API keys section and click + Add

• Type a name for the API Key, select the Event Push Service checkbox and click Generate

• Save the API Key

Create an intake

Go to the intake page and create a new intake from the format Bitdefender GravityZone. Copy the intake key.

Set the push events settings

Bitdefender GravityZone have an ability to setup push events settings using http request.

Two ways are suggested in order to set up the forwarding of your events to Sekoia.io.

If you are not a shell expert, we recommend to use the "pyton script" way as it is easier to set up.

So you can setup it in two ways:

Using python scriptManual

1. Open terminal
2. Create virtual env and install requests library:

     $ python3 -m venv /tmp/venv
     $ /tmp/venv/bin/pip install requests
   

3. Export your API Key and Intake key to environment variables:

     $ export BITDEFENDER_APIKEY="your_api_key"
     $ export SEKOIAIO_INTAKE_KEY="your_intake_key"
   

4. Create python script with the following content:

   import base64
   import sys
   import argparse
   
   import requests
   
   
   BITDEFENDER_PUSH_URL = "https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push"
   
   def activate_forwarding(apikey: str, intake_key: str):
       key = base64.b64encode(b':'+intake_key.encode('utf-8'))
   
       payload = {
         "id": "be630db8-24c2-481c-b150-a79807dd6f7d",
         "jsonrpc": "2.0",
         "method": "setPushEventSettings",
         "params": {
           "status": 1,
           "serviceType": "cef",
           "serviceSettings": {
             "url": "https://intake.sekoia.io/jsons?path=%24.events&status_code=200",
             "requireValidSslCertificate": True,
             "authorization": f"Basic {key}"
           },
           "subscribeToEventTypes": {
             "adcloud": True,
             "antiexploit": True,
             "aph": True,
             "av": True,
             "avc": True,
             "dp": True,
             "endpoint-moved-in": True,
             "endpoint-moved-out": True,
             "exchange-malware": True,
             "exchange-user-credentials": True,
             "fw": True,
             "hd": True,
             "hwid-change": True,
             "install": False,
             "modules": False,
             "network-monitor": True,
             "network-sandboxing": True,
             "new-incident": True,
             "ransomware-mitigation": True,
             "registration": True,
             "security-container-update-available": False,
             "supa-update-status": False,
             "sva": False,
             "sva-load": False,
             "task-status": False,
             "troubleshooting-activity": True,
             "uc": True,
             "uninstall": False
           }
         }
       }
   
       response = requests.post(
           url=BITDEFENDER_PUSH_URL,
           auth=requests.auth.HTTPBasicAuth(apikey,""),
           json=payload,
       )
       if response.status_code == 200:
           setting_id = response.json().get("id")
           print(f"The push setting was successfully created. ID: {setting_id}")
       else:
           print(f"The creation of the forwarding failed. Reason: {response.content}")
   
   
   if __name__ == '__main__':
       parser = argparse.ArgumentParser(prog=sys.argv[0], description='activate the forwarding of events to Sekoia.io')
       parser.add_argument('apikey')
       parser.add_argument('intake_key')
       args = parser.parse_args()
       activate_forwarding(args.apikey, args.intake_key)
   

5. Run the script with the following command:

     $ /tmp/venv/bin/python3 bitdefender_activate_forwarding.py "${BITDEFENDER_APIKEY}" "${SEKOIAIO_INTAKE_KEY}"
   

1. Open your terminal
2. Export your API Key and Intake key to environment variables:

     $ export BITDEFENDER_APIKEY="your_api_key"
     $ export SEKOIAIO_INTAKE_KEY="your_intake_key"
   

3. Convert the Bitdefender APIKey into base64:

     $ echo -n '${BITDEFENDER_APIKEY}:' | base64
   

4. Convert the Intake Key into base64:

     $ echo -n ':${SEKOIA_INTAKE_KEY}' | base64
   

5. Create payload.json with following content ( replace base64_intake_key with the value from the previous steps):

   {
     "id": "be630db8-24c2-481c-b150-a79807dd6f7d",
     "jsonrpc": "2.0",
     "method": "setPushEventSettings",
     "params": {
       "status": 1,
       "serviceType": "cef",
       "serviceSettings": {
         "url": "https://intake.sekoia.io/jsons?path=%24.events&status_code=200",
         "authorization": "Basic <base64_intake_key>",
         "requireValidSslCertificate": true
       },
       "subscribeToEventTypes": {
         "adcloud": false,
         "antiexploit": true,
         "aph": true,
         "av": true,
         "avc": true,
         "dp": true,
         "endpoint-moved-in": true,
         "endpoint-moved-out": true,
         "exchange-malware": true,
         "exchange-user-credentials": true,
         "fw": true,
         "hd": true,
         "hwid-change": true,
         "install": false,
         "modules": false,
         "network-monitor": true,
         "network-sandboxing": true,
         "new-incident": true,
         "ransomware-mitigation": true,
         "registration": true,
         "security-container-update-available": false,
         "supa-update-status": false,
         "sva": false,
         "sva-load": false,
         "task-status": false,
         "troubleshooting-activity": true,
         "uc": true,
         "uninstall": false
       }
     }
   }
   

6. Send the payload to the Bitdefender API (replace base64_api_key with the value from the previous steps):

   $ curl -k -X POST \
   https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \
   -H "Authorization: Basic <base64_api_key>" \
   -H 'cache-control: no-cache' \
   -H 'content-type: application/json' \
   -d @payload.json
   

Enjoy your events on the Events page

Raw Events Samples

In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.

antimalware_1antimalware_2login_1

CEF:0|Bitdefender|GravityZone|6.50.0-27|10|AntiMalware|9|BitdefenderGZModule=av BitdefenderGZCompanyId=8646b1be9aae4aefb3b23147 dvchost=Desktop-JDO BitdefenderGZComputerFQDN=desktop-jdo.example.org dvc=10.0.0.4 deviceExternalId=3ee2931202f745f98c164015 BitdefenderGZMalwareType=file BitdefenderGZMalwareName=EICAR-Test-File (not a virus) act=blocked filePath=C:\\\\Users\\\\jdoe\\\\Downloads\\\\b93ef2d1-160c-4bd9-9cbb-cb59ca59939e.tmp BitdefenderGZDetectionTime=2024-05-15T09:06:52.000Z BitdefenderGZSignaturesNumber=7.96749 BitdefenderGZScanEngineType=2 BitdefenderGZCleanedMalwareCnt=0 BitdefenderGZBlockedMalwareCnt=1 BitdefenderGZDeletedMalwareCnt=0 BitdefenderGZQuarantinedMalwareCnt=0 BitdefenderGZIgnoredMalwareCnt=0 BitdefenderGZPresentMalwareCnt=0 suser=jdoe suid=S-1-5-21-1111111111-222222222-3333333333-500

CEF:0|Bitdefender|GravityZone|6.50.0-27|10|AntiMalware|9|BitdefenderGZModule=av BitdefenderGZCompanyId=8646b1be9aae4aefb3b23147 dvchost=Desktop-JDO BitdefenderGZComputerFQDN=desktop-jdo.example.org dvc=10.0.0.4 deviceExternalId=3ee2931202f745f98c164015 BitdefenderGZMalwareType=file BitdefenderGZMalwareName=EICAR-Test-File (not a virus) BitdefenderGZMalwareHash=275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f act=blocked filePath=C:\\\\Users\\\\jdoe\\\\Downloads\\\\b93ef2d1-160c-4bd9-9cbb-cb59ca59939e.tmp BitdefenderGZDetectionTime=2024-05-15T09:06:53.000Z BitdefenderGZSignaturesNumber=7.96749 BitdefenderGZScanEngineType=2 BitdefenderGZCleanedMalwareCnt=0 BitdefenderGZBlockedMalwareCnt=1 BitdefenderGZDeletedMalwareCnt=0 BitdefenderGZQuarantinedMalwareCnt=0 BitdefenderGZIgnoredMalwareCnt=0 BitdefenderGZPresentMalwareCnt=0 suser=jdoe suid=S-1-5-21-1111111111-222222222-3333333333-500

CEF:0|Bitdefender|GZ|6.50.0-27|6|Login from new device|3|start=Jun 11 2024 12:34:56+01:00 BitdefenderGZCompanyName=example suser=jdoe BitdefenderGZLoginOS=Win11 BitdefenderGZAuthenticationBrowserName=Chrome BitdefenderGZAuthenticationBrowserVersion=129.0.6668.70 dvchost=1.2.3.4

Detection section

The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.

Related Built-in Rules

The following Sekoia.io built-in rules match the intake Bitdefender GravityZone [BETA]. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.

SEKOIA.IO x Bitdefender GravityZone [BETA] on ATT&CK Navigator

Bitdefender GravityZone Endpoint Detection

Bitdefender GravityZone detected a malicious activity on an endpoint

• Effort: master

Burp Suite Tool Detected

Burp Suite is a cybersecurity tool. When used as a proxy service, its purpose is to intercept packets and modify them to send them to the server. Burp Collaborator is a network service that Burp Suite uses to help discover many kinds of vulnerabilities (vulnerabilities scanner).

• Effort: intermediate

CVE-2020-0688 Microsoft Exchange Server Exploit

Detects the exploitation of CVE-2020-0688. The POC exploit a .NET serialization vulnerability in the Exchange Control Panel (ECP) web page. The vulnerability is due to Microsoft Exchange Server not randomizing the keys on a per-installation basis resulting in them using the same validationKey and decryptionKey values. With knowledge of these, values an attacker can craft a special viewstate to use an OS command to be executed by NT_AUTHORITY\SYSTEM using .NET deserialization. To exploit this vulnerability, an attacker needs to leverage the credentials of an account it had already compromised to authenticate to OWA.

• Effort: elementary

CVE-2020-17530 Apache Struts RCE

Detects the exploitation of the Apache Struts RCE vulnerability (CVE-2020-17530).

• Effort: intermediate

CVE-2021-20021 SonicWall Unauthenticated Administrator Access

Detects the exploitation of SonicWall Unauthenticated Admin Access.

• Effort: advanced

CVE-2021-20023 SonicWall Arbitrary File Read

Detects Arbitrary File Read, which can be used with other vulnerabilities as a mean to obtain outputs generated by attackers, or sensitive data.

• Effort: advanced

CVE-2021-22893 Pulse Connect Secure RCE Vulnerability

Detects potential exploitation of the authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. It is highly recommended to apply the Pulse Secure mitigations and seach for indicators of compromise on affected servers if you are in doubt over the integrity of your Pulse Connect Secure product.

• Effort: intermediate

Cryptomining

Detection of domain names potentially related to cryptomining activities.

• Effort: master

Detect requests to Konni C2 servers

This rule detects requests to Konni C2 servers. These patterns come from an analysis done in 2022, September.

• Effort: elementary

Discord Suspicious Download

Discord is a messaging application. It allows users to create their own communities to share messages and attachments. Those attachments have little to no overview and can be downloaded by almost anyone, which has been abused by attackers to host malicious payloads.

• Effort: intermediate

Download Files From Suspicious TLDs

Detects download of certain file types from hosts in suspicious TLDs

• Effort: master

Dynamic DNS Contacted

Detect communication with dynamic dns domain. This kind of domain is often used by attackers. This rule can trigger false positive in non-controlled environment because dynamic dns is not always malicious.

• Effort: master

Exfiltration Domain

Detects traffic toward a domain flagged as a possible exfiltration vector.

• Effort: master

Koadic MSHTML Command

Detects Koadic payload using MSHTML module

• Effort: intermediate

Possible Malicious File Double Extension

Detects request to potential malicious file with double extension

• Effort: elementary

Process Trace Alteration

PTrace syscall provides a means by which one process ("tracer") may observe and control the execution of another process ("tracee") and examine and change the tracee's memory and registers. Attacker might want to abuse ptrace functionnality to analyse memory process. It requires to be admin or set ptrace_scope to 0 to allow all user to trace any process.

• Effort: advanced

ProxyShell Microsoft Exchange Suspicious Paths

Detects suspicious calls to Microsoft Exchange resources, in locations related to webshells observed in campaigns using this vulnerability.

• Effort: elementary

Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL

Detects Raccoon Stealer 2.0 malware downloading legitimate third-party DLLs from its C2 server. These legitimate DLLs are used by the information stealer to collect data on the compromised hosts.

• Effort: elementary

Remote Access Tool Domain

Detects traffic toward a domain flagged as a Remote Administration Tool (RAT).

• Effort: master

Remote Monitoring and Management Software - AnyDesk

Detect artifacts related to the installation or execution of the Remote Monitoring and Management tool AnyDesk.

• Effort: master

Remote Monitoring and Management Software - Atera

Detect artifacts related to the installation or execution of the Remote Monitoring and Management tool Atera.

• Effort: master

SEKOIA.IO Intelligence Feed

Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.

• Effort: elementary

SecurityScorecard Vulnerability Assessment Scanner New Issues

Raises an alert when SecurityScorecard Vulnerability Assessment Scanner find new issues.

• Effort: master

Sekoia.io EICAR Detection

Detects observables in Sekoia.io CTI tagged as EICAR, which are fake samples meant to test detection.

• Effort: master

SolarWinds Wrong Child Process

Detects SolarWinds process starting an unusual child process. Process solarwinds.businesslayerhost.exe and solarwinds.businesslayerhostx64.exe created an unexepected child process which doesn't correspond to the legitimate ones.

• Effort: intermediate

Suspicious Download Links From Legitimate Services

Detects users clicking on Google docs links to download suspicious files. This technique was used a lot by Bazar Loader in the past.

• Effort: intermediate

Suspicious PROCEXP152.sys File Created In Tmp

Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU. Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.

• Effort: advanced

Suspicious TOR Gateway

Detects suspicious TOR gateways. Gateways are often used by the victim to pay and decrypt the encrypted files without installing TOR. Tor intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.

• Effort: advanced

Suspicious URI Used In A Lazarus Campaign

Detects suspicious requests to a specific URI, usually on an .asp page. The website is often compromised.

• Effort: intermediate

TOR Usage Generic Rule

Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.

• Effort: master

WAF Correlation Block actions

Detection of multiple block actions (more than 30) triggered by the same source by WAF detection rules

• Effort: master

Event Categories

The following table lists the data source offered by this integration.

Data Source	Description
Authentication logs	None
Network device logs	None
File monitoring	None

In details, the following table denotes the type of events produced by this integration.

Name	Values
Kind	alert
Category	``
Type	denied, info, start

Transformed Events Samples after Ingestion

This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.

antimalware_1.jsonantimalware_2.jsonlogin_1.json

{
    "message": "CEF:0|Bitdefender|GravityZone|6.50.0-27|10|AntiMalware|9|BitdefenderGZModule=av BitdefenderGZCompanyId=8646b1be9aae4aefb3b23147 dvchost=Desktop-JDO BitdefenderGZComputerFQDN=desktop-jdo.example.org dvc=10.0.0.4 deviceExternalId=3ee2931202f745f98c164015 BitdefenderGZMalwareType=file BitdefenderGZMalwareName=EICAR-Test-File (not a virus) act=blocked filePath=C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\Downloads\\\\\\\\b93ef2d1-160c-4bd9-9cbb-cb59ca59939e.tmp BitdefenderGZDetectionTime=2024-05-15T09:06:52.000Z BitdefenderGZSignaturesNumber=7.96749 BitdefenderGZScanEngineType=2 BitdefenderGZCleanedMalwareCnt=0 BitdefenderGZBlockedMalwareCnt=1 BitdefenderGZDeletedMalwareCnt=0 BitdefenderGZQuarantinedMalwareCnt=0 BitdefenderGZIgnoredMalwareCnt=0 BitdefenderGZPresentMalwareCnt=0 suser=jdoe suid=S-1-5-21-1111111111-222222222-3333333333-500",
    "event": {
        "action": "blocked",
        "category": [
            "malware"
        ],
        "module": "av",
        "severity": 9,
        "type": [
            "info"
        ]
    },
    "@timestamp": "2024-05-15T09:06:52Z",
    "host": {
        "ip": "10.0.0.4",
        "name": "desktop-jdo.example.org"
    },
    "observer": {
        "product": "GravityZone",
        "vendor": "Bitdefender",
        "version": "6.50.0-27"
    },
    "organization": {
        "id": "8646b1be9aae4aefb3b23147"
    },
    "related": {
        "ip": [
            "10.0.0.4"
        ],
        "user": [
            "jdoe"
        ]
    },
    "source": {
        "user": {
            "id": "S-1-5-21-1111111111-222222222-3333333333-500",
            "name": "jdoe"
        }
    },
    "threat": {
        "indicator": {
            "file": {
                "name": "b93ef2d1-160c-4bd9-9cbb-cb59ca59939e.tmp",
                "path": "C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\Downloads\\\\\\\\b93ef2d1-160c-4bd9-9cbb-cb59ca59939e.tmp"
            },
            "name": "EICAR-Test-File (not a virus)",
            "type": "file"
        }
    }
}

{
    "message": "CEF:0|Bitdefender|GravityZone|6.50.0-27|10|AntiMalware|9|BitdefenderGZModule=av BitdefenderGZCompanyId=8646b1be9aae4aefb3b23147 dvchost=Desktop-JDO BitdefenderGZComputerFQDN=desktop-jdo.example.org dvc=10.0.0.4 deviceExternalId=3ee2931202f745f98c164015 BitdefenderGZMalwareType=file BitdefenderGZMalwareName=EICAR-Test-File (not a virus) BitdefenderGZMalwareHash=275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f act=blocked filePath=C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\Downloads\\\\\\\\b93ef2d1-160c-4bd9-9cbb-cb59ca59939e.tmp BitdefenderGZDetectionTime=2024-05-15T09:06:53.000Z BitdefenderGZSignaturesNumber=7.96749 BitdefenderGZScanEngineType=2 BitdefenderGZCleanedMalwareCnt=0 BitdefenderGZBlockedMalwareCnt=1 BitdefenderGZDeletedMalwareCnt=0 BitdefenderGZQuarantinedMalwareCnt=0 BitdefenderGZIgnoredMalwareCnt=0 BitdefenderGZPresentMalwareCnt=0 suser=jdoe suid=S-1-5-21-1111111111-222222222-3333333333-500",
    "event": {
        "action": "blocked",
        "category": [
            "malware"
        ],
        "module": "av",
        "severity": 9,
        "type": [
            "info"
        ]
    },
    "@timestamp": "2024-05-15T09:06:53Z",
    "host": {
        "ip": "10.0.0.4",
        "name": "desktop-jdo.example.org"
    },
    "observer": {
        "product": "GravityZone",
        "vendor": "Bitdefender",
        "version": "6.50.0-27"
    },
    "organization": {
        "id": "8646b1be9aae4aefb3b23147"
    },
    "related": {
        "ip": [
            "10.0.0.4"
        ],
        "user": [
            "jdoe"
        ]
    },
    "source": {
        "user": {
            "id": "S-1-5-21-1111111111-222222222-3333333333-500",
            "name": "jdoe"
        }
    },
    "threat": {
        "indicator": {
            "file": {
                "hash": {
                    "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
                },
                "name": "b93ef2d1-160c-4bd9-9cbb-cb59ca59939e.tmp",
                "path": "C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\Downloads\\\\\\\\b93ef2d1-160c-4bd9-9cbb-cb59ca59939e.tmp"
            },
            "name": "EICAR-Test-File (not a virus)",
            "type": "file"
        }
    }
}

{
    "message": "CEF:0|Bitdefender|GZ|6.50.0-27|6|Login from new device|3|start=Jun 11 2024 12:34:56+01:00 BitdefenderGZCompanyName=example suser=jdoe BitdefenderGZLoginOS=Win11 BitdefenderGZAuthenticationBrowserName=Chrome BitdefenderGZAuthenticationBrowserVersion=129.0.6668.70 dvchost=1.2.3.4",
    "event": {
        "category": [
            "authentication"
        ],
        "severity": 3,
        "type": [
            "start"
        ]
    },
    "host": {
        "name": "1.2.3.4"
    },
    "observer": {
        "product": "GZ",
        "vendor": "Bitdefender",
        "version": "6.50.0-27"
    },
    "related": {
        "user": [
            "jdoe"
        ]
    },
    "source": {
        "user": {
            "name": "jdoe"
        }
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name	Type	Description
@timestamp	date	Date/time when the event originated.
bitdefender.gravityzone.exploit.type	keyword	Exploit type detected by Bitdefender GravityZone.
destination.user.name	keyword	Short name or login of the user.
email.sender.address	keyword	Address of the message sender.
email.subject	keyword	The subject of the email message.
event.action	keyword	The action captured by the event.
event.kind	keyword	The kind of the event. The highest categorization field in the hierarchy.
event.module	keyword	Name of the module this data is coming from.
event.severity	long	Numeric severity of the event.
event.type	keyword	Event type. The third categorization field in the hierarchy.
file.path	keyword	Full path to the file, including the file name.
host.id	keyword	Unique host id.
host.ip	ip	Host ip addresses.
host.name	keyword	Name of the host.
observer.product	keyword	The product name of the observer.
observer.vendor	keyword	Vendor name of the observer.
observer.version	keyword	Observer version.
organization.id	keyword	Unique identifier for the organization.
process.parent.name	keyword	Process name.
process.parent.path	keyword	Path of the parent process.
rule.name	keyword	Rule name
source.ip	ip	IP address of the source.
source.user.id	keyword	Unique identifier of the user.
source.user.name	keyword	Short name or login of the user.
threat.indicator.file.hash.sha256	keyword	SHA256 hash.
threat.indicator.file.name	keyword	Name of the file including the extension, without the directory.
threat.indicator.file.path	keyword	Full path to the file, including the file name.
threat.indicator.type	keyword	Type of indicator
url.original	wildcard	Unmodified original url as seen in the event source.

For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.