Bitdefender GravityZone Security Telemetry Integration Requirements

This knowledge base article outlines the actions required on the customer side to enable the Bitdefender GravityZone integration and Security Telemetry forwarding to the SIEM environment.

Overview

The Bitdefender integration consists of two separate data flows, either or both of which may be used:

  • Bitdefender SIEM integration for core event forwarding
  • Bitdefender Security Telemetry for additional endpoint telemetry sent directly by Bitdefender agents

SOCFortress can prepare the Graylog inputs, parsing, and dashboards, but the customer is responsible for the Bitdefender-side configuration, DNS, firewall changes, and endpoint rollout.

Customer Responsibilities

1. Create a Public DNS Record

Create a public DNS record that points to the public IP address of the firewall sitting in front of the SIEM environment.

Example:

  • firehose.your_domain.com

This is required so Bitdefender GravityZone (and, for Security Telemetry, the endpoint agents) can reach the collector at a public hostname. Where the feed is sent over TLS, this is also the name the collector's certificate must cover, so pick it before the certificate is requested.

2. Configure Firewall Port Forwarding

Create the required firewall/NAT rule(s) so incoming Bitdefender traffic is forwarded to the appropriate internal SIEM host.

In the reference deployment the customer forwarded the following:

  • Port 5557/TCP → forward to the CoPilot VM on copilot_ip:5557

Important: If your deployment uses different internal IPs or ports, use the values provided by SOCFortress for your environment.

3. Whitelist Bitdefender Source IP Addresses

If your firewall policy restricts inbound traffic by source IP, allow the Bitdefender Event Push Service source IPs. Bitdefender lists them in its setPushEventSettings article and states they must be whitelisted for GravityZone to reach the SIEM/HTTP collector. Note that this list covers the SIEM event feed only: Security Telemetry is sent directly by the endpoint agents (see Overview), so it arrives from the endpoints' own egress addresses, and a source-IP filter on the Security Telemetry port must allow those addresses instead.

Bitdefender reference:
https://www.bitdefender.com/business/support/en/77209-135319-setpusheventsettings.html

Bitdefender-documented source IPs at the time of writing:

  • 34.148.142.174
  • 34.126.111.12
  • 34.48.74.208
  • 35.198.138.109
  • 35.246.228.213
  • 35.234.118.64
  • 34.159.83.241
  • 34.159.47.15

Note: Bitdefender may update these IPs over time, so always validate against the Bitdefender article above before implementing or troubleshooting the integration.

4. Configure the Bitdefender GravityZone Forwarding Rule

In the Bitdefender GravityZone console, create or update the forwarding configuration so events are sent to the hostname and port provided by SOCFortress.

Security Telemetry forwarding example:

  • Host: firehose.your_domain.com
  • Port: 5557

SOCFortress will confirm the correct destination settings for the standard SIEM feed and the Security Telemetry feed.

5. Enable “Ignore SSL Errors” for Initial Validation

When first enabling Security Telemetry forwarding, enable the Ignore SSL Errors option in Bitdefender GravityZone.

This lets you validate connectivity and confirm the incoming message structure before the collector certificate is finalized. Be aware that while the option is enabled, GravityZone does not verify the certificate presented by the collector, so it is intended for initial validation only. Once the connection works and the collector presents a certificate that is trusted and matches the public hostname, SOCFortress can advise whether the setting should remain enabled.
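
The script below is an added example, not SOCFortress or Bitdefender tooling, that pulls steps 1, 2, 3 and 5 together for an edge firewall running nftables (0.9.3 or later, for `dnat ip to` in an inet table). Everything not stated in this article is a placeholder: WAN interface eth0, internal SIEM host 10.0.0.5 standing in for copilot_ip, firewall public IP 203.0.113.10, the SIEM (Event Push Service) feed on 5556/TCP (the article leaves that port to SOCFortress to confirm), and an endpoint egress range of 198.51.100.0/24. It generates one table per feed because the two are gated differently: the Bitdefender source IPs from step 3 apply to the Event Push Service port, while the Security Telemetry port is reached by the agents themselves and so is gated by the customer's own egress addresses.

```shell
#!/usr/bin/env bash
# Added example, not SOCFortress or Bitdefender tooling: customer-side firewall
# rules and connectivity checks for the GravityZone integration described above.
# Placeholders (not from the article): WAN interface eth0, internal SIEM host
# 10.0.0.5 in place of copilot_ip, firewall public IP 203.0.113.10, the SIEM
# (Event Push Service) feed on 5556/TCP, and endpoint egress range 198.51.100.0/24.
set -eu

# Bitdefender Event Push Service source IPs as listed in the article. Re-check
# the setPushEventSettings page before applying; Bitdefender may change them.
BD_PUSH_SOURCES="34.148.142.174 34.126.111.12 34.48.74.208 35.198.138.109 35.246.228.213 35.234.118.64 34.159.83.241 34.159.47.15"

# gen_forward_rules NAME WAN_IF DPORT INTERNAL_IP "SRC1 SRC2 ..."
# Prints an nftables table that DNATs WAN_IF:DPORT to INTERNAL_IP:DPORT and
# forwards the connection only when the source is in the allowed set.
# Both chains keep policy accept, so the table adds to an existing ruleset
# instead of replacing the firewall's own default policy.
gen_forward_rules() {
  local name=$1 wan_if=$2 dport=$3 internal_ip=$4 sources=$5
  local elements
  elements=$(printf '%s' "$sources" | sed 's/ /, /g')
  cat <<EOF
table inet ${name} {
    set allowed_sources {
        type ipv4_addr
        flags interval
        elements = { ${elements} }
    }
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "${wan_if}" tcp dport ${dport} dnat ip to ${internal_ip}:${dport}
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        iifname "${wan_if}" ip daddr ${internal_ip} tcp dport ${dport} ip saddr @allowed_sources accept
        iifname "${wan_if}" ip daddr ${internal_ip} tcp dport ${dport} drop
    }
}
EOF
}

# check_dns HOSTNAME EXPECTED_IP: step 1. The public record must resolve to the
# firewall's public IP (resolved with the system resolver via getent).
check_dns() {
  local host=$1 expected=$2 resolved
  resolved=$(getent ahostsv4 "$host" | awk 'NR == 1 { print $1 }')
  [ "$resolved" = "$expected" ]
}

# tls_verify_ok OPENSSL_OUTPUT: step 5. Succeeds only when openssl reported a
# fully validated chain, which is the condition for turning "Ignore SSL Errors"
# off in GravityZone. Kept separate from the network call so it can be checked
# against captured output.
tls_verify_ok() {
  printf '%s\n' "$1" | grep -q 'Verify return code: 0 (ok)'
}

# check_tls HOST PORT: performs the handshake GravityZone would, with SNI set to
# the public hostname so that certificate name matching is exercised as well.
check_tls() {
  local host=$1 port=$2 out
  out=$(openssl s_client -connect "${host}:${port}" -servername "$host" </dev/null 2>/dev/null || true)
  tls_verify_ok "$out"
}

# Usage:  ./bd_edge.sh rules   print both nftables tables for review (nft -f -)
#         ./bd_edge.sh check   run the DNS and TLS checks against the live host
case "${1:-}" in
  rules)
    # SIEM feed: only the Bitdefender Event Push Service addresses may connect.
    gen_forward_rules bd_siem eth0 5556 10.0.0.5 "$BD_PUSH_SOURCES"
    # Security Telemetry: sent by the endpoint agents themselves, so the gate is
    # the customer's own egress range, not the Bitdefender cloud addresses.
    gen_forward_rules bd_telemetry eth0 5557 10.0.0.5 "198.51.100.0/24"
    ;;
  check)
    if check_dns firehose.your_domain.com 203.0.113.10; then echo "DNS ok"; else echo "DNS mismatch"; fi
    if check_tls firehose.your_domain.com 5557; then echo "TLS chain ok"; else echo "TLS verification failed"; fi
    ;;
esac
```

Review the generated tables before loading them (`./bd_edge.sh rules | nft -f -`), and substitute the real interface, internal address, egress ranges and the SIEM feed port SOCFortress confirms. The `check` mode is what to run after the collector certificate is installed: only when `check_tls` passes does disabling Ignore SSL Errors in GravityZone leave the feed working.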

What SOCFortress Will Handle

  • Create the required Graylog inputs
  • Add certificates to support encrypted telemetry ingestion where needed
  • Validate that logs are arriving successfully
  • Build Graylog pipeline rules to parse and normalize the incoming JSON payloads
  • Create or update Grafana dashboards after sufficient telemetry is flowing
  • Assist with troubleshooting connectivity, parsing, and visualization issues

Expected Data Flow

  1. Bitdefender GravityZone (SIEM feed) or the endpoint agents (Security Telemetry) send events to the public DNS hostname
  2. The edge firewall forwards the traffic to the internal SIEM destination
  3. Graylog receives the data on the configured input
  4. SOCFortress applies parsing and normalization
  5. Grafana dashboards are built on top of the normalized data

Validation Checklist

  • Public DNS record has been created
  • Firewall/NAT rules are in place
  • Bitdefender source IPs are whitelisted if source filtering is enforced
  • Bitdefender forwarding has been configured
  • Ignore SSL Errors has been enabled for initial testing
  • Security Telemetry has been rolled out to endpoints
  • SOCFortress has confirmed events are being received and parsed correctly
  • VPN access has been provided if dashboard work is requested

Notes

  • The Security Telemetry feed arrives over TLS. SOCFortress added the required certificate and key to the Graylog input so the TLS session could be terminated and the telemetry parsed correctly.
  • After decryption was corrected, SOCFortress implemented Graylog pipeline parsing to extract the JSON fields and normalize the events.
  • Once the endpoint rollout was expanded, increased telemetry volume was successfully observed.

Summary

For the Bitdefender integration to work properly, the customer must provide a reachable public DNS record, configure the necessary firewall rules, whitelist the Bitdefender Event Push Service source IPs if filtering is enabled, enable forwarding in GravityZone, roll out Security Telemetry to endpoints, and provide VPN access if dashboard development is requested. Once those pieces are in place, SOCFortress can complete the ingestion, parsing, normalization, and dashboard work.
