×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Stainer
Engager
Member since: ‎08-08-2024
‎01-16-2025
Community Statistics
Posts 1
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎08-08-2024
Topics I've Started
No posts to display.
View All

Re: Are there any fixes that we could do to forwar...

by in Splunk Cloud Platform
‎01-14-2025 10:33 PM
‎01-14-2025 10:33 PM
UPDATE: Here are the setPushEventSettings public IPs that need to be whitelisted: setPushEventSettings Sup friends, So I just came across this Bitdefender issue and here's what worked for me: 1. Ensure your HEC endpoint supports TLS 1.2 (it most certainly does):   openssl s_client -connect http-inputs-namehere.splunkcloud.com:443 -tls1_2   2. Ensure your Splunk Cloud HEC access for ingestion IP Allow List has the IP ranges for IPs Bitdefender Cloud API responses - Splunk Cloud > Settings > Server settings > IP allow list - I'm still not sure what they are, but you probably get these from Bitdefender Support. 3. Ensure the integration command is properly formatted - if your stack is on GCP the HEC URL will be different. I believe it would be http-inputs.namehere.splunkcloud.com. My example below is for stacks hosted in AWS (more info on that here https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/UsetheHTTPEventCollector   curl -k -X POST https://cloud.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push -H 'authorization: Basic <Auth header base64>' -H 'cache-control: no-cache' -H 'content-type: application/json' -d '{"params": {"status": 1, "serviceType": "splunk", "serviceSettings": {"url": "https://http-inputs-namehere.splunkcloud.com:443/services/collector", "requireValidSslCertificate": false, "splunkAuthorization": "Splunk <Splunk Cloud HEC Token>"}, "subscribeToEventTypes": {"hwid-change": true,"modules": true,"sva": true,"registration": true,"supa-update-status": true,"av": true,"aph": true,"fw": true,"avc": true,"uc": true,"dp": true,"device-control": true,"sva-load": true,"task-status": true,"exchange-malware": true,"network-sandboxing": true,"malware-outbreak": true,"adcloud": true,"exchange-user-credentials": true,"exchange-organization-info": true,"hd": true,"antiexploit": true}}, "jsonrpc": "2.0", "method":"setPushEventSettings", "id": "1"}'   So without the Bitdefender IPs, I had to test by opening up the HEC allow list with 0.0.0.0/0 (takes a couple of  minutes for the change to take effect), getting a successful response, and then immediately removing it, but this will let you know if this is the issue. Or you could wait to get the IPs from Bitdefender. If you do get a successful response, you can send a test event with this:   curl -k -X POST https://cloud.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push -H 'authorization: Basic <Auth header base64>' -H 'cache-control: no-cache' -H 'content-type: application/json' -d '{"params": {"eventType": "av"}, "jsonrpc": "2.0", "method": "sendTestPushEvent", "id": "3"}'   Hope this helps! ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎01-16-2025 12:01 AM
Karma given to
View All