diff --git a/Backend/event_generators/endpoint_security/bitdefender_gravityzone_accounts.py b/Backend/event_generators/endpoint_security/bitdefender_gravityzone_accounts.py new file mode 100644 index 0000000..8746268 --- /dev/null +++ b/Backend/event_generators/endpoint_security/bitdefender_gravityzone_accounts.py 
@@ -0,0 +1,144 @@ +""" +Bitdefender GravityZone - Accounts API Event Generator +API Endpoint: /v1.0/jsonrpc/accounts +Methods: getAccountsList, deleteAccount, createAccount, updateAccount, + configureNotificationsSettings, getNotificationsSettings +""" +import json +import random +import uuid +from datetime import datetime, timezone + + +# ── Helpers ─────────────────────────────────────────────────────────────────── + +def _now_iso() -> str: + return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") + +def _rand_id() -> str: + return str(uuid.uuid4()) + + +# ── Domain constants ────────────────────────────────────────────────────────── + +_ROLES = [1, 2, 3, 4, 5] # 1=company admin, 2=network admin, 3=reporter, etc. +_LANGUAGES = ["en_US", "en_GB", "de_DE", "fr_FR", "es_ES"] +_NAMES = ["alice", "bob", "carol", "dave", "eve", "frank"] + + +# ── Private builders ────────────────────────────────────────────────────────── + +def _fake_account() -> dict: + name = random.choice(_NAMES) + return { + "id": _rand_id(), + "email": f"{name}.{random.randint(10, 99)}@example.com", + "profile": { + "fullName": name.capitalize() + " Smith", + "timezone": "UTC", + "preferredLanguage": random.choice(_LANGUAGES), + }, + "role": random.choice(_ROLES), + "isActive": random.choice([True, True, True, False]), + "twoFactorAuthEnabled": random.choice([True, False]), + "lastLogin": _now_iso(), + } + + +def _build_getAccountsList() -> dict: + accounts = [_fake_account() for _ in range(random.randint(2, 6))] + return { + "method": "getAccountsList", + "result": { + "total": len(accounts), + "page": 1, + "perPage": 30, + "pagesCount": 1, + "items": accounts, + }, + } + + +def _build_createAccount() -> dict: + return { + "method": "createAccount", + "result": {"id": _rand_id()}, + } + + +def _build_updateAccount() -> dict: + return { + "method": "updateAccount", + "result": {"result": True}, + } + + +def _build_deleteAccount() -> dict: + return { + "method": "deleteAccount", + 
"result": {"result": True}, + } + + +def _build_configureNotificationsSettings() -> dict: + return { + "method": "configureNotificationsSettings", + "result": {"result": True}, + } + + +def _build_getNotificationsSettings() -> dict: + return { + "method": "getNotificationsSettings", + "result": { + "notifications": { + "malwareDetectionAlert": { + "sendEmail": True, + "emailAddresses": ["soc@example.com"], + }, + "blocklistThreats": {"sendEmail": False, "emailAddresses": []}, + "productRegistration": { + "sendEmail": True, + "emailAddresses": ["admin@example.com"], + }, + "licenseExpiration": { + "sendEmail": True, + "emailAddresses": ["admin@example.com"], + }, + } + }, + } + + +_SCENARIOS = [ + _build_getAccountsList, + _build_createAccount, + _build_updateAccount, + _build_deleteAccount, + _build_configureNotificationsSettings, + _build_getNotificationsSettings, +] + + +# ── Public generator ────────────────────────────────────────────────────────── + +def bitdefender_gravityzone_accounts_log(overrides: dict | None = None) -> dict: + """Return one simulated GravityZone Accounts API event.""" + scenario = random.choice(_SCENARIOS)() + event = { + "timestamp": _now_iso(), + "vendor": "bitdefender", + "product": "gravityzone", + "api": "accounts", + "jsonrpc": "2.0", + "method": scenario["method"], + "id": _rand_id(), + "result": scenario["result"], + } + if overrides: + event.update(overrides) + return event + + +if __name__ == "__main__": + print(json.dumps(bitdefender_gravityzone_accounts_log(), indent=2)) diff --git a/Backend/event_generators/endpoint_security/bitdefender_gravityzone_companies.py b/Backend/event_generators/endpoint_security/bitdefender_gravityzone_companies.py new file mode 100644 index 0000000..0b9b479 --- /dev/null +++ b/Backend/event_generators/endpoint_security/bitdefender_gravityzone_companies.py 
@@ -0,0 +1,80 @@ +""" +Bitdefender GravityZone - Companies API Event Generator +API Endpoint: /v1.0/jsonrpc/companies +Methods: getCompanyDetails, updateCompanyDetails +""" +import json +import random +import uuid +from datetime import datetime, timezone + + +# ── Helpers ─────────────────────────────────────────────────────────────────── + +def _now_iso() -> str: + return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") + +def _rand_id() -> str: + return str(uuid.uuid4()) + + +# ── Domain constants ────────────────────────────────────────────────────────── + +_COUNTRIES = ["US", "GB", "DE", "FR", "CA", "AU"] +_COMPANY_NAMES = ["Acme Corp", "Globex Inc", "Initech", "Umbrella LLC"] +_CITIES = ["New York", "London", "Berlin", "Toronto"] + + +# ── Private builders ────────────────────────────────────────────────────────── + +def _build_getCompanyDetails() -> dict: + return { + "method": "getCompanyDetails", + "result": { + "id": _rand_id(), + "name": random.choice(_COMPANY_NAMES), + "address": f"{random.randint(1, 999)} Main St", + "city": random.choice(_CITIES), + "country": random.choice(_COUNTRIES), + "phone": ( + f"+1-{random.randint(200, 999)}-" + f"{random.randint(100, 999)}-{random.randint(1000, 9999)}" + ), + "licenseType": random.choice(["business", "enterprise"]), + "parentId": None, + }, + } + + +def _build_updateCompanyDetails() -> dict: + return { + "method": "updateCompanyDetails", + "result": {"result": True}, + } + + +_SCENARIOS = [_build_getCompanyDetails, _build_updateCompanyDetails] + + +# ── Public generator ────────────────────────────────────────────────────────── + +def bitdefender_gravityzone_companies_log(overrides: dict | None = None) -> dict: + """Return one simulated GravityZone Companies API event.""" + scenario = random.choice(_SCENARIOS)() + event = { + "timestamp": _now_iso(), + "vendor": "bitdefender", + "product": "gravityzone", + "api": "companies", + "jsonrpc": "2.0", + "method": scenario["method"], + "id": _rand_id(), + 
"result": scenario["result"], + } + if overrides: + event.update(overrides) + return event + + +if __name__ == "__main__": + print(json.dumps(bitdefender_gravityzone_companies_log(), indent=2)) diff --git a/Backend/event_generators/endpoint_security/bitdefender_gravityzone_incidents.py b/Backend/event_generators/endpoint_security/bitdefender_gravityzone_incidents.py new file mode 100644 index 0000000..31c69a5 --- /dev/null +++ b/Backend/event_generators/endpoint_security/bitdefender_gravityzone_incidents.py 
@@ -0,0 +1,144 @@ +""" +Bitdefender GravityZone - Incidents API Event Generator +API Endpoint: /v1.0/jsonrpc/incidents +Methods: addToBlocklist, getBlocklistItems, removeFromBlocklist, + createIsolateEndpointTask, createRestoreEndpointFromIsolationTask +""" +import json +import random +import uuid +from datetime import datetime, timezone + + +# ── Helpers ─────────────────────────────────────────────────────────────────── + +def _now_iso() -> str: + return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") + +def _rand_id() -> str: + return str(uuid.uuid4()) + +def _rand_hostname() -> str: + return f"{random.choice(['DESKTOP', 'LAPTOP', 'WKS', 'SRV', 'WIN10'])}-{random.randint(1000, 9999)}" + +def _random_hash(hash_type: str = "sha256") -> str: + length = 64 if hash_type == "sha256" else 32 + return f"{random.randint(0, 16 ** length - 1):0{length}x}" + + +# ── Domain constants ────────────────────────────────────────────────────────── + +_HASH_TYPES = ["md5", "sha256"] +_BLOCKLIST_REASONS = ["malware", "suspicious-activity", "policy-violation", "user-request"] +_ISOLATION_REASONS = [ + "ransomware-detected", + "lateral-movement-suspected", + "active-incident", + "threat-investigation", +] + + +# ── Private builders ────────────────────────────────────────────────────────── + +def _build_addToBlocklist() -> dict: + hash_type = random.choice(_HASH_TYPES) + return { + "method": "addToBlocklist", + "result": { + "hashType": hash_type, + "hashList": [_random_hash(hash_type) for _ in range(random.randint(1, 5))], + "sourceInfo": { + "type": random.choice(["file", "process"]), + "computerName": _rand_hostname(), + "filePath": "C:\\Windows\\Temp\\malware.exe", + }, + "reason": random.choice(_BLOCKLIST_REASONS), + "result": True, + }, + } + + +def _build_getBlocklistItems() -> dict: + items = [ + { + "id": _rand_id(), + "hash": _random_hash(), + "hashType": "sha256", + "addedAt": _now_iso(), + "addedBy": f"user{random.randint(1, 10)}@example.com", + "reason": 
random.choice(_BLOCKLIST_REASONS), + "status": random.choice(["active", "pending"]), + } + for _ in range(random.randint(2, 10)) + ] + return { + "method": "getBlocklistItems", + "result": {"total": len(items), "items": items}, + } + + +def _build_removeFromBlocklist() -> dict: + return { + "method": "removeFromBlocklist", + "result": {"result": True}, + } + + +def _build_createIsolateEndpointTask() -> dict: + return { + "method": "createIsolateEndpointTask", + "result": { + "taskId": _rand_id(), + "endpointId": _rand_id(), + "computerName": _rand_hostname(), + "isolationReason": random.choice(_ISOLATION_REASONS), + "status": "pending", + "createdAt": _now_iso(), + }, + } + + +def _build_createRestoreEndpointFromIsolationTask() -> dict: + return { + "method": "createRestoreEndpointFromIsolationTask", + "result": { + "taskId": _rand_id(), + "endpointId": _rand_id(), + "computerName": _rand_hostname(), + "status": "pending", + "createdAt": _now_iso(), + }, + } + + +_SCENARIOS = [ + _build_addToBlocklist, + _build_getBlocklistItems, + _build_removeFromBlocklist, + _build_createIsolateEndpointTask, + _build_createRestoreEndpointFromIsolationTask, +] + + +# ── Public generator ────────────────────────────────────────────────────────── + +def bitdefender_gravityzone_incidents_log(overrides: dict | None = None) -> dict: + """Return one simulated GravityZone Incidents API event.""" + scenario = random.choice(_SCENARIOS)() + event = { + "timestamp": _now_iso(), + "vendor": "bitdefender", + "product": "gravityzone", + "api": "incidents", + "jsonrpc": "2.0", + "method": scenario["method"], + "id": _rand_id(), + "result": scenario["result"], + } + if overrides: + event.update(overrides) + return event + + +if __name__ == "__main__": + print(json.dumps(bitdefender_gravityzone_incidents_log(), indent=2)) 
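Review bot: `_build_addToBlocklist` places `hashType`, `hashList`, `sourceInfo` and `reason` inside `result` next to `"result": True`, which reads like request parameters merged into a response; if the vendor method only returns a boolean, parsers written against this generator will expect fields real logs never carry, so this should be confirmed against the API reference and annotated either way (`# NOTE: echoes request params for fixture realism; real response is {"result": true} -- verify`). Within that builder `filePath` is fixed to `C:\Windows\Temp\malware.exe` even when `sourceInfo.type` is `"process"`, and `hashType` may be `md5` here while `_build_getBlocklistItems` always emits `sha256`, so a list can never contain the item that was just added. The restore-from-isolation and remove-from-blocklist events carry no actor or initiator field; if the real responses do not either, consider adding one at the envelope level, since "who lifted the containment" is the first question a responder asks of this event type.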
diff --git a/Backend/event_generators/endpoint_security/bitdefender_gravityzone_integrations.py b/Backend/event_generators/endpoint_security/bitdefender_gravityzone_integrations.py new file mode 100644 index 0000000..a0bb639 --- /dev/null +++ b/Backend/event_generators/endpoint_security/bitdefender_gravityzone_integrations.py 
@@ -0,0 +1,117 @@ +""" +Bitdefender GravityZone - Integrations API Event Generator +API Endpoint: /v1.0/jsonrpc/integrations +Methods: getHourlyUsageForAmazonEC2Instances, + configureAmazonEC2IntegrationUsingCrossAccountRole, + generateAmazonEC2ExternalIdForCrossAccountRole, + getAmazonEC2ExternalIdForCrossAccountRole, + disableAmazonEC2Integration +""" +import json +import random +import uuid +from datetime import datetime, timezone + + +# ── Helpers ─────────────────────────────────────────────────────────────────── + +def _now_iso() -> str: + return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") + +def _rand_id() -> str: + return str(uuid.uuid4()) + + +# ── Domain constants ────────────────────────────────────────────────────────── + +_AWS_REGIONS = ["us-east-1", "us-west-2", "eu-west-1", "ap-southeast-1", "ca-central-1"] +_INSTANCE_TYPES = ["t3.micro", "t3.small", "t3.medium", "m5.large", "c5.xlarge"] + + +# ── Private builders ────────────────────────────────────────────────────────── + +def _build_getHourlyUsageForAmazonEC2Instances() -> dict: + instances = [ + { + "instanceId": f"i-{random.randint(0x100000000000, 0xffffffffffff):012x}", + "instanceType": random.choice(_INSTANCE_TYPES), + "region": random.choice(_AWS_REGIONS), + "usageHours": random.randint(1, 744), + "startDate": _now_iso(), + "endDate": _now_iso(), + "licenseConsumed": random.choice([True, False]), + } + for _ in range(random.randint(2, 8)) + ] + return { + "method": "getHourlyUsageForAmazonEC2Instances", + "result": {"total": len(instances), "items": instances}, + } + + +def _build_configureAmazonEC2IntegrationUsingCrossAccountRole() -> dict: + return { + "method": "configureAmazonEC2IntegrationUsingCrossAccountRole", + "result": { + "result": True, + "roleArn": ( + f"arn:aws:iam::{random.randint(100000000000, 999999999999)}:" + "role/BitdefenderGZRole" + ), + "regions": random.sample(_AWS_REGIONS, random.randint(1, 3)), + }, + } + + +def 
_build_generateAmazonEC2ExternalIdForCrossAccountRole() -> dict: + return { + "method": "generateAmazonEC2ExternalIdForCrossAccountRole", + "result": {"externalId": str(uuid.uuid4()).replace("-", "")}, + } + + +def _build_getAmazonEC2ExternalIdForCrossAccountRole() -> dict: + return { + "method": "getAmazonEC2ExternalIdForCrossAccountRole", + "result": {"externalId": str(uuid.uuid4()).replace("-", "")}, + } + + +def _build_disableAmazonEC2Integration() -> dict: + return { + "method": "disableAmazonEC2Integration", + "result": {"result": True}, + } + + +_SCENARIOS = [ + _build_getHourlyUsageForAmazonEC2Instances, + _build_configureAmazonEC2IntegrationUsingCrossAccountRole, + _build_generateAmazonEC2ExternalIdForCrossAccountRole, + _build_getAmazonEC2ExternalIdForCrossAccountRole, + _build_disableAmazonEC2Integration, +] + + +# ── Public generator ────────────────────────────────────────────────────────── + +def bitdefender_gravityzone_integrations_log(overrides: dict | None = None) -> dict: + """Return one simulated GravityZone Integrations API event.""" + scenario = random.choice(_SCENARIOS)() + event = { + "timestamp": _now_iso(), + "vendor": "bitdefender", + "product": "gravityzone", + "api": "integrations", + "jsonrpc": "2.0", + "method": scenario["method"], + "id": _rand_id(), + "result": scenario["result"], + } + if overrides: + event.update(overrides) + return event + + +if __name__ == "__main__": + print(json.dumps(bitdefender_gravityzone_integrations_log(), indent=2)) diff --git a/Backend/event_generators/endpoint_security/bitdefender_gravityzone_licensing.py b/Backend/event_generators/endpoint_security/bitdefender_gravityzone_licensing.py new file mode 100644 index 0000000..9cc828a --- /dev/null +++ b/Backend/event_generators/endpoint_security/bitdefender_gravityzone_licensing.py 
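Review bot: `_build_getAmazonEC2ExternalIdForCrossAccountRole` mints a fresh `uuid4` on every call, so a "get" never agrees with a preceding "generate" in the same stream; the external ID is the stable per-tenant value AWS uses as the confused-deputy check on the cross-account role, and a correlation test between the two methods cannot be written against this generator. A module-level `_EXTERNAL_ID = uuid.uuid4().hex` returned by get and reassigned by generate would model that, and `uuid.uuid4().hex` also replaces the `str(uuid.uuid4()).replace("-", "")` idiom used in both builders. Note that `externalId` together with the `roleArn` emitted by `_build_configureAmazonEC2IntegrationUsingCrossAccountRole` is exactly the pair an attacker needs to attempt `sts:AssumeRole` against the tenant; if the real responses do return them, downstream parsers should tag these fields as sensitive rather than index them as ordinary strings, which is worth a comment here.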
@@ -0,0 +1,89 @@ +""" +Bitdefender GravityZone - Licensing API Event Generator +API Endpoint: /v1.0/jsonrpc/licensing +Methods: getLicenseInfo, setLicenseKey, getMonthlyUsage +""" +import json +import random +import uuid +from datetime import datetime, timezone + + +# ── Helpers ─────────────────────────────────────────────────────────────────── + +def _now_iso() -> str: + return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") + +def _rand_id() -> str: + return str(uuid.uuid4()) + + +# ── Private builders ────────────────────────────────────────────────────────── + +def _build_getLicenseInfo() -> dict: + return { + "method": "getLicenseInfo", + "result": { + "licenseKey": f"GZ-{random.randint(100000, 999999)}-{random.randint(1000, 9999)}", + "type": random.choice( + ["BusinessSecurity", "BusinessSecurityPremium", "Enterprise"] + ), + "status": random.choice(["active", "expired", "trial"]), + "startDate": "2024-01-01", + "endDate": "2025-12-31", + "seats": random.randint(50, 500), + "usedSeats": random.randint(10, 49), + "modules": { + "advancedThreatControl": True, + "patchManagement": random.choice([True, False]), + "fullDiskEncryption": random.choice([True, False]), + "edr": random.choice([True, False]), + "networkSandboxAnalyzer": random.choice([True, False]), + }, + }, + } + + +def _build_setLicenseKey() -> dict: + return { + "method": "setLicenseKey", + "result": {"result": True}, + } + + +def _build_getMonthlyUsage() -> dict: + months = [ + {"month": f"2024-{m:02d}", "slots": random.randint(40, 500)} + for m in range(1, 13) + ] + return { + "method": "getMonthlyUsage", + "result": {"usageData": months}, + } + + +_SCENARIOS = [_build_getLicenseInfo, _build_setLicenseKey, _build_getMonthlyUsage] + + +# ── Public generator ────────────────────────────────────────────────────────── + +def bitdefender_gravityzone_licensing_log(overrides: dict | None = None) -> dict: + """Return one simulated GravityZone Licensing API event.""" + scenario = 
random.choice(_SCENARIOS)() + event = { + "timestamp": _now_iso(), + "vendor": "bitdefender", + "product": "gravityzone", + "api": "licensing", + "jsonrpc": "2.0", + "method": scenario["method"], + "id": _rand_id(), + "result": scenario["result"], + } + if overrides: + event.update(overrides) + return event + + +if __name__ == "__main__": + print(json.dumps(bitdefender_gravityzone_licensing_log(), indent=2)) diff --git a/Backend/event_generators/endpoint_security/bitdefender_gravityzone_network.py b/Backend/event_generators/endpoint_security/bitdefender_gravityzone_network.py new file mode 100644 index 0000000..33345ea --- /dev/null +++ b/Backend/event_generators/endpoint_security/bitdefender_gravityzone_network.py 
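Review bot: In `_build_getLicenseInfo` the `status` is drawn independently of the hard-coded `"startDate": "2024-01-01"` / `"endDate": "2025-12-31"`, so the generator emits `"expired"` licenses whose end date is still in the future and `"trial"` licenses with a two-year term, which a license-expiry detection rule cannot be validated against. Derive the status from the dates instead, e.g. `end = datetime(2025, 12, 31, tzinfo=timezone.utc)` and `"status": "active" if end >= datetime.now(timezone.utc) else "expired"`, keeping `"trial"` as a separately chosen branch if it is needed. The `licenseKey` shape `GZ-nnnnnn-nnnn` is invented as far as this file shows; if real keys differ, any regex-based parser or DLP rule tuned on this corpus will not match production data, so mark it `# synthetic format, not the vendor key layout`.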
@@ -0,0 +1,215 @@ +""" +Bitdefender GravityZone - Network API Event Generator +API Endpoint: /v1.0/jsonrpc/network +Methods: getEndpointsList, getManagedEndpointDetails, createCustomGroup, + deleteCustomGroup, getCustomGroupsList, moveEndpoints, deleteEndpoint, + moveCustomGroup, getNetworkInventoryItems, createScanTask, + getScanTasksList, setEndpointLabel +""" +import json +import random +import uuid +from datetime import datetime, timezone + + +# ── Helpers ─────────────────────────────────────────────────────────────────── + +def _now_iso() -> str: + return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") + +def _rand_id() -> str: + return str(uuid.uuid4()) + +def _rand_hostname() -> str: + return f"{random.choice(['DESKTOP', 'LAPTOP', 'WKS', 'SRV', 'WIN10'])}-{random.randint(1000, 9999)}" + +def _rand_ip() -> str: + return f"10.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(1, 254)}" + +def _rand_mac() -> str: + return ":".join(f"{random.randint(0, 255):02x}" for _ in range(6)) + + +# ── Domain constants ────────────────────────────────────────────────────────── + +_OS_TYPES = ["Windows 10", "Windows 11", "Windows Server 2019", "Ubuntu 22.04", "macOS 13"] +_AGENT_VERSIONS = ["7.9.5.177", "7.8.4.160", "7.7.3.140"] +_SCAN_TYPES = [1, 2, 3] # 1=quick, 2=full, 3=custom +_POLICY_NAMES = ["Default Policy", "Strict Policy", "Server Policy"] +_LABELS = ["", "critical-server", "dev-machine", "finance"] + + +# ── Private builders ────────────────────────────────────────────────────────── + +def _fake_endpoint() -> dict: + return { + "id": _rand_id(), + "name": _rand_hostname(), + "fqdn": f"{_rand_hostname().lower()}.corp.example.com", + "groupId": _rand_id(), + "isManaged": True, + "operatingSystemVersion": random.choice(_OS_TYPES), + "ip": _rand_ip(), + "macs": [_rand_mac()], + "agentVersion": random.choice(_AGENT_VERSIONS), + "state": random.choice([1, 2, 3]), + "lastSeen": _now_iso(), + "policy": { + "id": _rand_id(), + "name": 
random.choice(_POLICY_NAMES), + }, + "modules": { + "antimalware": {"installed": True, "running": True}, + "firewall": {"installed": random.choice([True, False]), "running": True}, + "advancedThreatControl": {"installed": True, "running": True}, + "contentControl": {"installed": random.choice([True, False]), "running": True}, + }, + "riskScore": round(random.uniform(0.0, 10.0), 2), + "label": random.choice(_LABELS), + } + + +def _build_getEndpointsList() -> dict: + endpoints = [_fake_endpoint() for _ in range(random.randint(3, 10))] + return { + "method": "getEndpointsList", + "result": { + "total": len(endpoints), + "page": 1, + "perPage": 30, + "pagesCount": 1, + "items": endpoints, + }, + } + + +def _build_getManagedEndpointDetails() -> dict: + return { + "method": "getManagedEndpointDetails", + "result": _fake_endpoint(), + } + + +def _build_createCustomGroup() -> dict: + return { + "method": "createCustomGroup", + "result": {"id": _rand_id()}, + } + + +def _build_deleteCustomGroup() -> dict: + return { + "method": "deleteCustomGroup", + "result": {"result": True}, + } + + +def _build_getCustomGroupsList() -> dict: + groups = [ + {"id": _rand_id(), "name": f"Group-{random.randint(1, 50)}", "parentId": None} + for _ in range(random.randint(2, 6)) + ] + return { + "method": "getCustomGroupsList", + "result": {"items": groups}, + } + + +def _build_moveEndpoints() -> dict: + return {"method": "moveEndpoints", "result": {"result": True}} + + +def _build_deleteEndpoint() -> dict: + return {"method": "deleteEndpoint", "result": {"result": True}} + + +def _build_moveCustomGroup() -> dict: + return {"method": "moveCustomGroup", "result": {"result": True}} + + +def _build_getNetworkInventoryItems() -> dict: + items = [ + { + "id": _rand_id(), + "name": _rand_hostname(), + "type": random.choice(["computer", "virtualMachine", "mobileDevice"]), + "ip": _rand_ip(), + "operatingSystem": random.choice(_OS_TYPES), + "lastSeen": _now_iso(), + } + for _ in range(random.randint(3, 
10)) + ] + return { + "method": "getNetworkInventoryItems", + "result": {"total": len(items), "items": items}, + } + + +def _build_createScanTask() -> dict: + return { + "method": "createScanTask", + "result": {"id": _rand_id()}, + } + + +def _build_getScanTasksList() -> dict: + tasks = [ + { + "id": _rand_id(), + "name": f"ScanTask-{random.randint(100, 999)}", + "status": random.choice([1, 2, 3]), + "scanType": random.choice(_SCAN_TYPES), + "startDate": _now_iso(), + "endDate": _now_iso() if random.choice([True, False]) else None, + "targetEndpoints": [_rand_id() for _ in range(random.randint(1, 5))], + } + for _ in range(random.randint(1, 5)) + ] + return { + "method": "getScanTasksList", + "result": {"total": len(tasks), "items": tasks}, + } + + +def _build_setEndpointLabel() -> dict: + return {"method": "setEndpointLabel", "result": {"result": True}} + + +_SCENARIOS = [ + _build_getEndpointsList, + _build_getManagedEndpointDetails, + _build_createCustomGroup, + _build_deleteCustomGroup, + _build_getCustomGroupsList, + _build_moveEndpoints, + _build_deleteEndpoint, + _build_moveCustomGroup, + _build_getNetworkInventoryItems, + _build_createScanTask, + _build_getScanTasksList, + _build_setEndpointLabel, +] + + +# ── Public generator ────────────────────────────────────────────────────────── + +def bitdefender_gravityzone_network_log(overrides: dict | None = None) -> dict: + """Return one simulated GravityZone Network API event.""" + scenario = random.choice(_SCENARIOS)() + event = { + "timestamp": _now_iso(), + "vendor": "bitdefender", + "product": "gravityzone", + "api": "network", + "jsonrpc": "2.0", + "method": scenario["method"], + "id": _rand_id(), + "result": scenario["result"], + } + if overrides: + event.update(overrides) + return event + + +if __name__ == "__main__": + print(json.dumps(bitdefender_gravityzone_network_log(), indent=2)) 
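Review bot: `_fake_endpoint` calls `_rand_hostname()` once for `name` and again for `fqdn`, so the two fields never describe the same host and any rule that joins endpoint name against FQDN will fail on this data. Bind the host once: `host = _rand_hostname()` then `"name": host,` and `"fqdn": f"{host.lower()}.corp.example.com",`. The numeric `state` values 1/2/3 on endpoints and `status` 1/2/3 on scan tasks get no legend, while `_SCAN_TYPES` on the same page does; add the same style of comment or a `# TODO: confirm state codes against API docs` so the meaning is not guessed later. `_build_deleteEndpoint` and `_build_deleteCustomGroup` return only `{"result": True}`, so the deletion event cannot be tied to the object removed; if the vendor response genuinely carries nothing more, that limitation deserves a note since it shapes what a detection for "endpoint removed from management" can key on.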
diff --git a/Backend/event_generators/endpoint_security/bitdefender_gravityzone_packages.py b/Backend/event_generators/endpoint_security/bitdefender_gravityzone_packages.py new file mode 100644 index 0000000..7eded96 --- /dev/null +++ b/Backend/event_generators/endpoint_security/bitdefender_gravityzone_packages.py 
@@ -0,0 +1,131 @@ +""" +Bitdefender GravityZone - Packages API Event Generator +API Endpoint: /v1.0/jsonrpc/packages +Methods: getInstallationLinks, createPackage, getPackagesList, + deletePackage, getPackageDetails +""" +import json +import random +import uuid +from datetime import datetime, timezone + + +# ── Helpers ─────────────────────────────────────────────────────────────────── + +def _now_iso() -> str: + return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") + +def _rand_id() -> str: + return str(uuid.uuid4()) + + +# ── Domain constants ────────────────────────────────────────────────────────── + +_OS_PLATFORMS = ["windows", "linux", "mac"] + + +# ── Private builders ────────────────────────────────────────────────────────── + +def _fake_package() -> dict: + return { + "id": _rand_id(), + "name": f"BEST-Package-{random.randint(1, 20)}", + "description": "Auto-generated deployment package", + "language": "en_US", + "modules": { + "antimalware": True, + "advancedThreatControl": True, + "firewall": random.choice([True, False]), + "contentControl": random.choice([True, False]), + "deviceControl": random.choice([True, False]), + "patchManagement": random.choice([True, False]), + "fullDiskEncryption": random.choice([True, False]), + }, + "scanMode": random.choice([1, 2, 3]), + "deploymentOptions": { + "downloadFromCloud": True, + "uninstallPassword": random.choice([True, False]), + }, + "platform": random.choice(_OS_PLATFORMS), + "version": ( + f"7.{random.randint(5, 9)}.{random.randint(0, 9)}.{random.randint(100, 200)}" + ), + } + + +def _build_getInstallationLinks() -> dict: + links = [ + { + "id": _rand_id(), + "packageName": f"BEST-Package-{random.randint(1, 10)}", + "installLink": ( + f"https://cloud.gravityzone.bitdefender.com/Packages/STD/0/" + f"{_rand_id()}/gravityzone_business_security.exe" + ), + "osType": random.choice(_OS_PLATFORMS), + } + for _ in range(random.randint(1, 3)) + ] + return { + "method": "getInstallationLinks", + "result": 
{"installationLinks": links}, + } + + +def _build_createPackage() -> dict: + return { + "method": "createPackage", + "result": {"id": _rand_id()}, + } + + +def _build_getPackagesList() -> dict: + pkgs = [_fake_package() for _ in range(random.randint(2, 6))] + return { + "method": "getPackagesList", + "result": {"total": len(pkgs), "items": pkgs}, + } + + +def _build_deletePackage() -> dict: + return {"method": "deletePackage", "result": {"result": True}} + + +def _build_getPackageDetails() -> dict: + return { + "method": "getPackageDetails", + "result": _fake_package(), + } + + +_SCENARIOS = [ + _build_getInstallationLinks, + _build_createPackage, + _build_getPackagesList, + _build_deletePackage, + _build_getPackageDetails, +] + + +# ── Public generator ────────────────────────────────────────────────────────── + +def bitdefender_gravityzone_packages_log(overrides: dict | None = None) -> dict: + """Return one simulated GravityZone Packages API event.""" + scenario = random.choice(_SCENARIOS)() + event = { + "timestamp": _now_iso(), + "vendor": "bitdefender", + "product": "gravityzone", + "api": "packages", + "jsonrpc": "2.0", + "method": scenario["method"], + "id": _rand_id(), + "result": scenario["result"], + } + if overrides: + event.update(overrides) + return event + + +if __name__ == "__main__": + print(json.dumps(bitdefender_gravityzone_packages_log(), indent=2)) diff --git a/Backend/event_generators/endpoint_security/bitdefender_gravityzone_policies.py b/Backend/event_generators/endpoint_security/bitdefender_gravityzone_policies.py new file mode 100644 index 0000000..b62cb3b --- /dev/null +++ b/Backend/event_generators/endpoint_security/bitdefender_gravityzone_policies.py 
@@ -0,0 +1,113 @@ +""" +Bitdefender GravityZone - Policies API Event Generator +API Endpoint: /v1.0/jsonrpc/policies +Methods: getPoliciesList, getPolicyDetails +""" +import json +import random +import uuid +from datetime import datetime, timezone + + +# ── Helpers ─────────────────────────────────────────────────────────────────── + +def _now_iso() -> str: + return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") + +def _rand_id() -> str: + return str(uuid.uuid4()) + + +# ── Domain constants ────────────────────────────────────────────────────────── + +_POLICY_NAMES = [ + "Default Policy", + "Strict Endpoint Policy", + "Server Policy", + "Developer Workstation Policy", + "Finance Workstation Policy", + "Executive Device Policy", + "PCI-DSS Compliance Policy", +] + + +# ── Private builders ────────────────────────────────────────────────────────── + +def _fake_policy() -> dict: + return { + "id": _rand_id(), + "name": random.choice(_POLICY_NAMES), + "isDefault": random.choice([True, False]), + "assignedEndpoints": random.randint(0, 100), + "updatedAt": _now_iso(), + "modules": { + "antimalware": { + "enabled": True, + "onAccess": True, + "onDemand": True, + "quarantine": True, + }, + "firewall": { + "enabled": random.choice([True, False]), + "blockAllExceptAllowed": False, + }, + "contentControl": { + "enabled": random.choice([True, False]), + "webCategories": ["malware", "phishing"], + }, + "deviceControl": {"enabled": random.choice([True, False])}, + "advancedThreatControl": { + "enabled": True, + "level": random.choice(["permissive", "normal", "aggressive"]), + }, + "hvi": {"enabled": random.choice([True, False])}, + }, + } + + +def _build_getPoliciesList() -> dict: + policies = [_fake_policy() for _ in range(random.randint(2, 7))] + return { + "method": "getPoliciesList", + "result": { + "total": len(policies), + "page": 1, + "perPage": 30, + "pagesCount": 1, + "items": policies, + }, + } + + +def _build_getPolicyDetails() -> dict: + return { + 
"method": "getPolicyDetails", + "result": _fake_policy(), + } + + +_SCENARIOS = [_build_getPoliciesList, _build_getPolicyDetails] + + +# ── Public generator ────────────────────────────────────────────────────────── + +def bitdefender_gravityzone_policies_log(overrides: dict | None = None) -> dict: + """Return one simulated GravityZone Policies API event.""" + scenario = random.choice(_SCENARIOS)() + event = { + "timestamp": _now_iso(), + "vendor": "bitdefender", + "product": "gravityzone", + "api": "policies", + "jsonrpc": "2.0", + "method": scenario["method"], + "id": _rand_id(), + "result": scenario["result"], + } + if overrides: + event.update(overrides) + return event + + +if __name__ == "__main__": + print(json.dumps(bitdefender_gravityzone_policies_log(), indent=2)) diff --git a/Backend/event_generators/endpoint_security/bitdefender_gravityzone_push_events.py b/Backend/event_generators/endpoint_security/bitdefender_gravityzone_push_events.py new file mode 100644 index 0000000..a5dcb4c --- /dev/null +++ b/Backend/event_generators/endpoint_security/bitdefender_gravityzone_push_events.py 
@@ -0,0 +1,438 @@ +""" +Bitdefender GravityZone - Push Events API Event Generator +API Endpoint: /v1.0/jsonrpc/push +Methods: setPushEventSettings, getPushEventSettings, sendTestPushEvent, + getPushEventStats, resetPushEventStats + +Also generates all documented push event types: + av, fw, aph, hd, dp, avc, antiexploit, network-sandboxing, + uc, registration, modules, exchange-malware, + exchange-user-credentials, endpoint-moved-in, endpoint-moved-out, + sva, sva-load, network-monitor +""" +import json +import random +import uuid +from datetime import datetime, timezone + + +# ── Helpers ─────────────────────────────────────────────────────────────────── + +def _now_iso() -> str: + return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") + +def _rand_id() -> str: + return str(uuid.uuid4()) + +def _rand_hostname() -> str: + return f"{random.choice(['DESKTOP', 'LAPTOP', 'WKS', 'SRV', 'WIN10'])}-{random.randint(1000, 9999)}" + +def _rand_ip() -> str: + return f"10.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(1, 254)}" + +def _rand_hash32() -> str: + return f"{random.randint(0, 0xffffffffffffffffffffffffffffffff):032x}" + + +# ── Domain constants ────────────────────────────────────────────────────────── + +_MALWARE_NAMES = [ + "Trojan.GenericKD.123456", "Ransomware.WannaCry", "Adware.BrowseFox", + "Exploit.CVE-2021-44228", "Backdoor.Cobalt.Strike", "PUA.CoinMiner", + "Worm.Conficker", "Spyware.AgentTesla", "Rootkit.NecursDropper", +] +_FW_PROTOCOLS = ["TCP", "UDP", "ICMP"] + + +# ── Push event payload builders ─────────────────────────────────────────────── + +def _payload_av() -> tuple[str, dict]: + return "av", { + "module": "av", + "computerName": _rand_hostname(), + "computerFQDN": f"{_rand_hostname().lower()}.corp.example.com", + "computerIp": _rand_ip(), + "endpointId": _rand_id(), + "malwareName": random.choice(_MALWARE_NAMES), + "malwareType": random.choice(["virus", "trojan", "ransomware", "adware", "spyware"]), + "filePath": 
random.choice([ + "C:\\Users\\user\\Downloads\\malware.exe", + "C:\\Windows\\Temp\\payload.dll", + "/tmp/malicious_script.sh", + ]), + "hash": _rand_hash32(), + "detectionType": random.randint(1, 10), + "action": random.choice(["quarantine", "block", "remove", "ignore"]), + "status": random.choice(["resolved", "pending", "failed"]), + "timestamp": _now_iso(), + "username": f"DOMAIN\\user{random.randint(1, 100)}", + } + + +def _payload_fw() -> tuple[str, dict]: + return "fw", { + "module": "fw", + "computerName": _rand_hostname(), + "computerIp": _rand_ip(), + "endpointId": _rand_id(), + "localAddress": _rand_ip(), + "localPort": random.randint(1024, 65535), + "remoteAddress": _rand_ip(), + "remotePort": random.randint(1, 65535), + "protocol": random.choice(_FW_PROTOCOLS), + "direction": random.choice(["in", "out"]), + "action": random.choice(["blocked", "allowed"]), + "applicationPath": random.choice([ + "C:\\Program Files\\App\\app.exe", + "/usr/bin/python3", + "C:\\Windows\\System32\\svchost.exe", + ]), + "timestamp": _now_iso(), + } + + +def _payload_aph() -> tuple[str, dict]: + return "aph", { + "module": "aph", + "computerName": _rand_hostname(), + "computerIp": _rand_ip(), + "endpointId": _rand_id(), + "processName": random.choice(["chrome.exe", "iexplore.exe", "winword.exe", "excel.exe"]), + "processPath": "C:\\Program Files\\...", + "exploitTechnique": random.choice([ + "ROP Chain", "Heap Spray", "Stack Pivot", "VBScript God Mode", "NULL Dereference", + ]), + "action": random.choice(["block", "report"]), + "timestamp": _now_iso(), + } + + +def _payload_hd() -> tuple[str, dict]: + return "hd", { + "module": "hd", + "computerName": _rand_hostname(), + "computerIp": _rand_ip(), + "endpointId": _rand_id(), + "threatName": random.choice(_MALWARE_NAMES), + "threatType": random.choice(["fileless", "script", "powershell", "wmi", "macro"]), + "filePath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "commandLine": "powershell.exe 
-encodedcommand " + "A" * random.randint(50, 150), + "detectionLevel": random.choice(["permissive", "normal", "aggressive"]), + "action": random.choice(["block", "quarantine", "report"]), + "timestamp": _now_iso(), + } + + +def _payload_dp() -> tuple[str, dict]: + return "dp", { + "module": "dp", + "computerName": _rand_hostname(), + "computerIp": _rand_ip(), + "endpointId": _rand_id(), + "dataType": random.choice(["credit-card", "ssn", "iban", "custom"]), + "applicationName": random.choice(["chrome.exe", "outlook.exe", "filezilla.exe"]), + "action": random.choice(["block", "report"]), + "ruleId": _rand_id(), + "ruleName": random.choice(["PCI Data Rule", "PII Protection Rule", "Custom DLP Rule"]), + "timestamp": _now_iso(), + } + + +def _payload_avc() -> tuple[str, dict]: + return "avc", { + "module": "avc", + "computerName": _rand_hostname(), + "computerIp": _rand_ip(), + "endpointId": _rand_id(), + "processPath": random.choice([ + "C:\\Windows\\Temp\\loader.exe", + "C:\\Users\\Public\\Documents\\updater.exe", + ]), + "processHash": _rand_hash32(), + "detectionName": random.choice(_MALWARE_NAMES), + "action": random.choice(["block", "report", "allow"]), + "parentProcess": "explorer.exe", + "commandLine": "cmd.exe /c whoami & ipconfig /all", + "timestamp": _now_iso(), + } + + +def _payload_antiexploit() -> tuple[str, dict]: + return "antiexploit", { + "module": "antiexploit", + "computerName": _rand_hostname(), + "computerIp": _rand_ip(), + "endpointId": _rand_id(), + "exploitedProcess": random.choice(["acrobat.exe", "flash.exe", "java.exe", "office.exe"]), + "exploitType": random.choice(["CVE-2021-40444", "CVE-2022-30190", "Log4Shell"]), + "action": random.choice(["block", "disinfect"]), + "timestamp": _now_iso(), + } + + +def _payload_network_sandboxing() -> tuple[str, dict]: + return "network-sandboxing", { + "module": "network-sandboxing", + "computerName": _rand_hostname(), + "computerIp": _rand_ip(), + "endpointId": _rand_id(), + "filePath": 
"C:\\Downloads\\suspicious.pdf", + "fileHash": _rand_hash32(), + "threatName": random.choice(_MALWARE_NAMES), + "sandboxVerdict": random.choice(["malicious", "suspicious", "clean"]), + "action": random.choice(["block", "quarantine"]), + "timestamp": _now_iso(), + } + + +def _payload_uc() -> tuple[str, dict]: + return "uc", { + "module": "uc", + "computerName": _rand_hostname(), + "computerIp": _rand_ip(), + "endpointId": _rand_id(), + "username": f"DOMAIN\\user{random.randint(1, 100)}", + "url": random.choice([ + "http://malware-domain.ru/payload.exe", + "https://phishing-bank.com/login", + "http://gambling-site.com", + ]), + "category": random.choice(["malware", "phishing", "gambling", "social-networking"]), + "action": random.choice(["block", "allow"]), + "timestamp": _now_iso(), + } + + +def _payload_registration() -> tuple[str, dict]: + return "registration", { + "module": "registration", + "computerName": _rand_hostname(), + "computerFQDN": f"{_rand_hostname().lower()}.corp.example.com", + "computerIp": _rand_ip(), + "endpointId": _rand_id(), + "action": random.choice(["new-endpoint", "re-registered", "unregistered"]), + "operatingSystem": random.choice(["Windows 10", "Windows 11", "Ubuntu 22.04"]), + "agentVersion": ( + f"7.{random.randint(5, 9)}.{random.randint(0, 5)}.{random.randint(100, 200)}" + ), + "timestamp": _now_iso(), + } + + +def _payload_modules() -> tuple[str, dict]: + return "modules", { + "module": "modules", + "computerName": _rand_hostname(), + "computerIp": _rand_ip(), + "endpointId": _rand_id(), + "moduleStatuses": { + "antimalware": random.choice(["running", "stopped", "error"]), + "firewall": random.choice(["running", "stopped", "not-installed"]), + "advancedThreatControl": random.choice(["running", "stopped"]), + "contentControl": random.choice(["running", "stopped", "not-installed"]), + "deviceControl": random.choice(["running", "not-installed"]), + "patchManagement": random.choice(["running", "stopped", "not-installed"]), + }, + 
"timestamp": _now_iso(), + } + + +def _payload_exchange_malware() -> tuple[str, dict]: + return "exchange-malware", { + "module": "exchange-malware", + "serverName": f"EXCH-{random.randint(1, 5)}", + "serverIp": _rand_ip(), + "senderEmail": f"attacker{random.randint(1, 100)}@evil.com", + "recipientEmail": f"user{random.randint(1, 100)}@example.com", + "subject": random.choice(["Invoice #12345", "Urgent: Your account", "RE: Meeting"]), + "malwareName": random.choice(_MALWARE_NAMES), + "attachmentName": random.choice(["invoice.pdf.exe", "document.docm", "report.zip"]), + "action": random.choice(["deleted", "quarantine", "blocked"]), + "timestamp": _now_iso(), + } + + +def _payload_exchange_user_credentials() -> tuple[str, dict]: + return "exchange-user-credentials", { + "module": "exchange-user-credentials", + "serverName": f"EXCH-{random.randint(1, 5)}", + "serverIp": _rand_ip(), + "username": f"DOMAIN\\user{random.randint(1, 100)}", + "action": random.choice(["suspicious-login", "brute-force", "credential-stuffing"]), + "sourceIp": _rand_ip(), + "timestamp": _now_iso(), + } + + +def _payload_endpoint_moved_in() -> tuple[str, dict]: + return "endpoint-moved-in", { + "module": "endpoint-moved-in", + "computerName": _rand_hostname(), + "computerIp": _rand_ip(), + "endpointId": _rand_id(), + "sourceGroupId": _rand_id(), + "destinationGroupId": _rand_id(), + "timestamp": _now_iso(), + } + + +def _payload_endpoint_moved_out() -> tuple[str, dict]: + return "endpoint-moved-out", { + "module": "endpoint-moved-out", + "computerName": _rand_hostname(), + "computerIp": _rand_ip(), + "endpointId": _rand_id(), + "sourceGroupId": _rand_id(), + "destinationGroupId": _rand_id(), + "timestamp": _now_iso(), + } + + +def _payload_sva() -> tuple[str, dict]: + return "sva", { + "module": "sva", + "svaName": f"SVA-{random.randint(1, 5)}", + "svaIp": _rand_ip(), + "status": random.choice(["online", "offline", "degraded"]), + "version": ( + f"6.{random.randint(1, 9)}.{random.randint(0, 
9)}.{random.randint(100, 500)}" + ), + "protectedEndpoints": random.randint(10, 200), + "timestamp": _now_iso(), + } + + +def _payload_sva_load() -> tuple[str, dict]: + return "sva-load", { + "module": "sva-load", + "svaName": f"SVA-{random.randint(1, 5)}", + "svaIp": _rand_ip(), + "cpuUsage": round(random.uniform(10.0, 95.0), 1), + "memoryUsage": round(random.uniform(20.0, 90.0), 1), + "loadLevel": random.choice(["low", "medium", "high", "critical"]), + "timestamp": _now_iso(), + } + + +def _payload_network_monitor() -> tuple[str, dict]: + return "network-monitor", { + "module": "network-monitor", + "computerName": _rand_hostname(), + "computerIp": _rand_ip(), + "endpointId": _rand_id(), + "remoteIp": _rand_ip(), + "remotePort": random.randint(1, 65535), + "protocol": random.choice(_FW_PROTOCOLS), + "attackType": random.choice([ + "PortScan", "BruteForce", "ARP Poisoning", "DNS Spoofing", "SYN Flood", + ]), + "action": random.choice(["block", "report"]), + "timestamp": _now_iso(), + } + + +# Push API management method builders + +def _build_setPushEventSettings() -> dict: + return {"method": "setPushEventSettings", "result": {"result": True}} + + +def _build_getPushEventSettings() -> dict: + return { + "method": "getPushEventSettings", + "result": { + "status": 1, + "serviceType": "json", + "serviceSettings": { + "url": "https://siem.example.com:8080/gz/events", + "requireValidSslCertificate": True, + }, + "subscribeToEventTypes": { + "av": True, "fw": True, "aph": True, "hd": True, "dp": True, + "avc": True, "antiexploit": True, "network-sandboxing": True, + "uc": True, "registration": True, "modules": True, + "exchange-malware": True, "exchange-user-credentials": True, + "endpoint-moved-in": True, "endpoint-moved-out": True, + "sva": True, "sva-load": True, "network-monitor": True, + }, + }, + } + + +def _build_getPushEventStats() -> dict: + return { + "method": "getPushEventStats", + "result": { + "totalSent": random.randint(1000, 100000), + "totalFailed": 
random.randint(0, 50), + "lastSuccessfulDelivery": _now_iso(), + }, + } + + +def _build_resetPushEventStats() -> dict: + return {"method": "resetPushEventStats", "result": {"result": True}} + + +def _build_sendTestPushEvent() -> dict: + return {"method": "sendTestPushEvent", "result": {"result": True}} + + +# ── Scenario pool ───────────────────────────────────────────────────────────── + +_PUSH_EVENT_PAYLOADS = [ + _payload_av, _payload_fw, _payload_aph, _payload_hd, + _payload_dp, _payload_avc, _payload_antiexploit, + _payload_network_sandboxing, _payload_uc, _payload_registration, + _payload_modules, _payload_exchange_malware, + _payload_exchange_user_credentials, _payload_endpoint_moved_in, + _payload_endpoint_moved_out, _payload_sva, _payload_sva_load, + _payload_network_monitor, +] + +_MANAGEMENT_SCENARIOS = [ + _build_setPushEventSettings, + _build_getPushEventSettings, + _build_getPushEventStats, + _build_resetPushEventStats, + _build_sendTestPushEvent, +] + + +# ── Public generator ────────────────────────────────────────────────────────── + +def bitdefender_gravityzone_push_events_log(overrides: dict | None = None) -> dict: + """Return one simulated GravityZone push event or push API management call.""" + # Weight toward push events (80%) vs management API calls (20%) + if random.random() < 0.8: + event_type, data = random.choice(_PUSH_EVENT_PAYLOADS)() + event = { + "timestamp": _now_iso(), + "vendor": "bitdefender", + "product": "gravityzone", + "api": "push", + "jsonrpc": "2.0", + "method": "push", + "eventType": event_type, + "id": _rand_id(), + "params": {"events": [data]}, + } + else: + scenario = random.choice(_MANAGEMENT_SCENARIOS)() + event = { + "timestamp": _now_iso(), + "vendor": "bitdefender", + "product": "gravityzone", + "api": "push", + "jsonrpc": "2.0", + "method": scenario["method"], + "id": _rand_id(), + "result": scenario["result"], + } + if overrides: + event.update(overrides) + return event + + +if __name__ == "__main__": + 
print(json.dumps(bitdefender_gravityzone_push_events_log(), indent=2)) diff --git a/Backend/event_generators/endpoint_security/bitdefender_gravityzone_quarantine.py b/Backend/event_generators/endpoint_security/bitdefender_gravityzone_quarantine.py new file mode 100644 index 0000000..9c4746f --- /dev/null +++ b/Backend/event_generators/endpoint_security/bitdefender_gravityzone_quarantine.py 
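Review bot: `_payload_av` and `_payload_registration` call `_rand_hostname()` twice per event, once for `computerName` and again inside the `computerFQDN` f-string, so the hostname and FQDN of one event describe different machines; draw it once with `host = _rand_hostname()` and use `"computerName": host,` and `"computerFQDN": f"{host.lower()}.corp.example.com",`. Any correlation or parser test that joins those two fields will never match this data. The URLs and sender addresses in `_payload_uc` and `_payload_exchange_malware` (`malware-domain.ru`, `phishing-bank.com`, `gambling-site.com`, `evil.com`) are real-looking registrable domains; synthetic telemetry naming them can trigger analyst lookups, enrichment calls or blocklist entries against real infrastructure, so prefer RFC 2606 reserved names such as `evil.example` or a `.invalid`/`.test` TLD. Also, `_rand_hash32` emits a 32-hex value for `hash`, `fileHash` and `processHash` while the quarantine generator in this same diff emits 64 hex characters for `hash`; pick one width or document the difference for the parser.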
@@ -0,0 +1,164 @@
+"""
+Bitdefender GravityZone - Quarantine API Event Generator
+API Endpoint: /v1.0/jsonrpc/quarantine
+Methods: getQuarantineItemsList, createRemoveQuarantineItemTask,
+ createRestoreQuarantineItemTask, createRemoveQuarantineExchangeItemTask,
+ createRestoreQuarantineExchangeItemTask
+"""
+import json
+import random
+import uuid
+from datetime import datetime, timezone
+
+
+# ── Helpers ───────────────────────────────────────────────────────────────────
+
+def _now_iso() -> str:
+ return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
+
+def _rand_id() -> str:
+ return str(uuid.uuid4())
+
+def _rand_hostname() -> str:
+ return f"{random.choice(['DESKTOP', 'LAPTOP', 'WKS', 'SRV', 'WIN10'])}-{random.randint(1000, 9999)}"
+
+
+# ── Domain constants ──────────────────────────────────────────────────────────
+
+_QUARANTINE_REASONS = [
+ "on-access-scan", "on-demand-scan", "real-time-scan",
+ "manual", "exchange-scan", "policy-action",
+]
+_MALWARE_NAMES = [
+ "Trojan.GenericKD.123456", "Ransomware.WannaCry", "Adware.BrowseFox",
+ "Exploit.CVE-2021-44228", "Backdoor.Cobalt.Strike", "PUA.CoinMiner",
+]
+_FILE_PATHS = [
+ "C:\\Users\\user\\Downloads\\infected.exe",
+ "C:\\Windows\\Temp\\payload.dll",
+ "/tmp/.malware",
+]
+_EMAIL_SUBJECTS = ["Invoice", "Urgent Notice", "Account Suspended"]
+
+
+# ── Private builders ──────────────────────────────────────────────────────────
+
+def _fake_quarantine_item(exchange: bool = False) -> dict:
+ item: dict = {
+ "id": _rand_id(),
+ "endpointId": _rand_id(),
+ "computerName": _rand_hostname(),
+ "malwareName": random.choice(_MALWARE_NAMES),
+ "malwareType": random.choice(["virus", "trojan", "ransomware", "adware"]),
+ "hash": f"{random.randint(0, 16 ** 64 - 1):064x}",
+ "quarantineDate": _now_iso(),
+ "reason": random.choice(_QUARANTINE_REASONS),
+ "status": random.choice(["quarantined", "pending-delete", "pending-restore"]),
+ }
+ if exchange:
+ item["senderEmail"] = f"attacker{random.randint(1, 99)}@malicious.com"
+ item["recipientEmail"] = f"user{random.randint(1, 100)}@example.com"
+ item["subject"] = random.choice(_EMAIL_SUBJECTS)
+ else:
+ item["filePath"] = random.choice(_FILE_PATHS)
+ item["fileSize"] = random.randint(1024, 10485760)
+ return item
+
+
+def _build_getQuarantineItemsList() -> dict:
+ items = [
+ _fake_quarantine_item(exchange=random.choice([True, False]))
+ for _ in range(random.randint(2, 8))
+ ]
+ return {
+ "method": "getQuarantineItemsList",
+ "result": {
+ "total": len(items),
+ "page": 1,
+ "perPage": 30,
+ "pagesCount": 1,
+ "items": items,
+ },
+ }
+
+
+def _build_createRemoveQuarantineItemTask() -> dict:
+ return {
+ "method": "createRemoveQuarantineItemTask",
+ "result": {
+ "taskId": _rand_id(),
+ "status": "pending",
+ "targetItems": [_rand_id() for _ in range(random.randint(1, 3))],
+ "createdAt": _now_iso(),
+ },
+ }
+
+
+def _build_createRestoreQuarantineItemTask() -> dict:
+ return {
+ "method": "createRestoreQuarantineItemTask",
+ "result": {
+ "taskId": _rand_id(),
+ "status": "pending",
+ "targetItems": [_rand_id() for _ in range(random.randint(1, 3))],
+ "restorePath": "C:\\Users\\user\\Desktop\\restored\\",
+ "createdAt": _now_iso(),
+ },
+ }
+
+
+def _build_createRemoveQuarantineExchangeItemTask() -> dict:
+ return {
+ "method": "createRemoveQuarantineExchangeItemTask",
+ "result": {
+ "taskId": _rand_id(),
+ "status": "pending",
+ "targetItems": [_rand_id() for _ in range(random.randint(1, 3))],
+ "createdAt": _now_iso(),
+ },
+ }
+
+
+def _build_createRestoreQuarantineExchangeItemTask() -> dict:
+ return {
+ "method": "createRestoreQuarantineExchangeItemTask",
+ "result": {
+ "taskId": _rand_id(),
+ "status": "pending",
+ "targetItems": [_rand_id() for _ in range(random.randint(1, 2))],
+ "createdAt": _now_iso(),
+ },
+ }
+
+
+_SCENARIOS = [
+ _build_getQuarantineItemsList,
+ _build_createRemoveQuarantineItemTask,
+ _build_createRestoreQuarantineItemTask,
+ _build_createRemoveQuarantineExchangeItemTask,
+ _build_createRestoreQuarantineExchangeItemTask,
+]
+
+
+# ── Public generator ──────────────────────────────────────────────────────────
+
+def bitdefender_gravityzone_quarantine_log(overrides: dict | None = None) -> dict:
+ """Return one simulated GravityZone Quarantine API event."""
+ scenario = random.choice(_SCENARIOS)()
+ event = {
+ "timestamp": _now_iso(),
+ "vendor": "bitdefender",
+ "product": "gravityzone",
+ "api": "quarantine",
+ "jsonrpc": "2.0",
+ "method": scenario["method"],
+ "id": _rand_id(),
+ "result": scenario["result"],
+ }
+ if overrides:
+ event.update(overrides)
+ return event
+
+
+if __name__ == "__main__":
+ print(json.dumps(bitdefender_gravityzone_quarantine_log(), indent=2))
diff --git a/Backend/event_generators/endpoint_security/bitdefender_gravityzone_reports.py b/Backend/event_generators/endpoint_security/bitdefender_gravityzone_reports.py
new file mode 100644
index 0000000..0e6005e
--- /dev/null
+++ b/Backend/event_generators/endpoint_security/bitdefender_gravityzone_reports.py
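Review bot: `_fake_quarantine_item` builds Exchange senders as `attacker{n}@malicious.com`, a real registrable domain, so replayed test data could lead someone to enrich or block it; use an RFC 2606 name such as `attacker{n}@malicious.example` or a `.invalid` TLD. The restore scenarios are the security-relevant ones in this file, since `createRestoreQuarantineItemTask` and its Exchange twin re-introduce a quarantined object, yet their generated `result` carries nothing identifying the requesting account; if the real response or companion audit record exposes that, adding it would let "unexpected restore" detections be exercised, though I cannot confirm the real field name from this diff. `_build_getQuarantineItemsList` draws `exchange=random.choice([True, False])` per item, so one page mixes endpoint and Exchange records of different shape, which is fine for a parser smoke test but deserves a one-line comment saying it is intentional. The `hash` here is 64 hex characters while `bitdefender_gravityzone_push_events.py` in this same diff emits 32 for its hash fields; align them or document why they differ.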
@@ -0,0 +1,120 @@
+"""
+Bitdefender GravityZone - Reports API Event Generator
+API Endpoint: /v1.0/jsonrpc/reports
+Methods: createReport, getReportsList, getDownloadLinks, deleteReport
+"""
+import json
+import random
+import uuid
+from datetime import datetime, timezone
+
+
+# ── Helpers ───────────────────────────────────────────────────────────────────
+
+def _now_iso() -> str:
+ return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
+
+def _rand_id() -> str:
+ return str(uuid.uuid4())
+
+
+# ── Domain constants ──────────────────────────────────────────────────────────
+
+_REPORT_TYPES = [
+ "malwareStatus", "networkStatus", "policyCompliance",
+ "updateStatus", "licenseUsage", "executiveSummary",
+ "topMalware", "topTargetedEndpoints", "deviceControl",
+ "webCategoryTraffic", "firewallActivity", "scanTaskStatus",
+]
+_REPORT_FORMATS = ["pdf", "csv", "xlsx"]
+_REPORT_FREQUENCIES = ["once", "daily", "weekly", "monthly"]
+_REPORT_STATUSES = ["pending", "running", "finished", "error"]
+
+
+# ── Private builders ──────────────────────────────────────────────────────────
+
+def _build_createReport() -> dict:
+ return {
+ "method": "createReport",
+ "result": {"id": _rand_id()},
+ }
+
+
+def _build_getReportsList() -> dict:
+ report_type = random.choice(_REPORT_TYPES)
+ reports = [
+ {
+ "id": _rand_id(),
+ "name": f"{report_type}-{random.randint(1, 100)}",
+ "type": random.choice(_REPORT_TYPES),
+ "format": random.choice(_REPORT_FORMATS),
+ "frequency": random.choice(_REPORT_FREQUENCIES),
+ "status": random.choice(_REPORT_STATUSES),
+ "scheduledDate": _now_iso(),
+ "createdAt": _now_iso(),
+ "size": random.randint(50000, 5000000),
+ }
+ for _ in range(random.randint(2, 8))
+ ]
+ return {
+ "method": "getReportsList",
+ "result": {
+ "total": len(reports),
+ "page": 1,
+ "perPage": 30,
+ "pagesCount": 1,
+ "items": reports,
+ },
+ }
+
+
+def _build_getDownloadLinks() -> dict:
+ base = "https://cloud.gravityzone.bitdefender.com/reports"
+ links = [
+ {
+ "id": _rand_id(),
+ "link": f"{base}/{_rand_id()}/download",
+ "expiresAt": _now_iso(),
+ }
+ for _ in range(random.randint(1, 3))
+ ]
+ return {
+ "method": "getDownloadLinks",
+ "result": {"downloadLinks": links},
+ }
+
+
+def _build_deleteReport() -> dict:
+ return {"method": "deleteReport", "result": {"result": True}}
+
+
+_SCENARIOS = [
+ _build_createReport,
+ _build_getReportsList,
+ _build_getDownloadLinks,
+ _build_deleteReport,
+]
+
+
+# ── Public generator ──────────────────────────────────────────────────────────
+
+def bitdefender_gravityzone_reports_log(overrides: dict | None = None) -> dict:
+ """Return one simulated GravityZone Reports API event."""
+ scenario = random.choice(_SCENARIOS)()
+ event = {
+ "timestamp": _now_iso(),
+ "vendor": "bitdefender",
+ "product": "gravityzone",
+ "api": "reports",
+ "jsonrpc": "2.0",
+ "method": scenario["method"],
+ "id": _rand_id(),
+ "result": scenario["result"],
+ }
+ if overrides:
+ event.update(overrides)
+ return event
+
+
+if __name__ == "__main__":
+ print(json.dumps(bitdefender_gravityzone_reports_log(), indent=2))
diff --git a/Backend/event_generators/shared/hec_sender.py b/Backend/event_generators/shared/hec_sender.py
index 30c67f6..e152c13 100644
--- a/Backend/event_generators/shared/hec_sender.py
+++ b/Backend/event_generators/shared/hec_sender.py
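Review bot: `_build_getReportsList` draws `report_type` once for the report `name` but then draws `"type": random.choice(_REPORT_TYPES)` independently for each item, so a report named `topMalware-17` can be typed `licenseUsage`; use `"type": report_type,` or move the draw inside the comprehension so name and type come from the same value. In `_build_getDownloadLinks`, `"expiresAt": _now_iso()` stamps every link as expiring at the instant it was generated, i.e. already expired for any consumer that checks it; something like `(datetime.now(timezone.utc) + timedelta(hours=1)).strftime("%Y-%m-%dT%H:%M:%SZ")` is more realistic and only needs `timedelta` added to the existing `from datetime import datetime, timezone` line. The `link` values point at the real `cloud.gravityzone.bitdefender.com` host with a random UUID path, so a comment noting they are synthetic and not fetchable would spare anyone who tries to validate them.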
@@ -543,6 +543,51 @@ "zscaler_private_access", ["zscaler_private_access_log"], ), + #Bitdefender Generators can be used with gron,json,dottedjson parsers. + "bitdefender_gravityzone_accounts": ( + "bitdefender_gravityzone_accounts", + ["bitdefender_gravityzone_accounts_log"], + ), + "bitdefender_gravityzone_companies": ( + "bitdefender_gravityzone_companies", + ["bitdefender_gravityzone_companies_log"], + ), + "bitdefender_gravityzone_incidents": ( + "bitdefender_gravityzone_incidents", + ["bitdefender_gravityzone_incidents_log"], + ), + "bitdefender_gravityzone_integrations": ( + "bitdefender_gravityzone_integrations", + ["bitdefender_gravityzone_integrations_log"], + ), + "bitdefender_gravityzone_licensing": ( + "bitdefender_gravityzone_licensing", + ["bitdefender_gravityzone_licensing_log"], + ), + "bitdefender_gravityzone_network": ( + "bitdefender_gravityzone_network", + ["bitdefender_gravityzone_network_log"], + ), + "bitdefender_gravityzone_packages": ( + "bitdefender_gravityzone_packages", + ["bitdefender_gravityzone_packages_log"], + ), + "bitdefender_gravityzone_policies": ( + "bitdefender_gravityzone_policies", + ["bitdefender_gravityzone_policies_log"], + ), + "bitdefender_gravityzone_push_events": ( + "bitdefender_gravityzone_push_events", + ["bitdefender_gravityzone_push_events_log"], + ), + "bitdefender_gravityzone_quarantine": ( + "bitdefender_gravityzone_quarantine", + ["bitdefender_gravityzone_quarantine_log"], + ), + "bitdefender_gravityzone_reports": ( + "bitdefender_gravityzone_reports", + ["bitdefender_gravityzone_reports_log"], + ), } # I need to move this down below sourcetype_map so #HEC_URL = os.getenv(
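Review bot: The new comment `#Bitdefender Generators can be used with gron,json,dottedjson parsers.` is missing the space after `#` that the neighbouring `# I need to move ...` comment uses and does not say where those parsers apply; `# Bitdefender GravityZone generators emit nested JSON dicts — use the gron, json or dottedjson parser on the receiving side.` is clearer. Eleven generator keys are registered here, but only the accounts, policies, push_events, quarantine and reports modules appear in this part of the diff; the companies, incidents, integrations, licensing, network and packages modules are presumably added elsewhere in the same change, and if any is missing the failure would surface only when that key is selected at runtime rather than at registration. The dict literal this hunk extends starts above the hunk.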