Hash in real GravityZone Connector log different from the hash in Push event JSON test

Hello Guys,
I just want to make my cloud-based Bitdefender GravityZone antimalware integrate with my Google Security / Chronicle (Google SIEM). Everything is okay; the logs with the event types new-incident, uninstall, install, task-status and modules parse normally into my SIEM.
But for the event types Antimalware and Hyper Detect I get an error, because the hash section of the JSON log gives me an uppercase hash, which is different from the test push event that is sent.
Here is what I get if I request a send push event for event type Antimalware:
{ "id":"ad12cb61-52b3-4209-a87a-93a8530d91cb", "jsonrpc":"2.0", "result": { "companyId": "59a14b271da197c6108b4567", "computer_name": "FC-WIN7-X64-01", "computer_fqdn": "fc-win7-x64-01", "computer_ip": "10.17.46.196", "computer_id": "59a1604e60369e06733f8abb", "product_installed": "BEST", "malware_type": "file", "malware_name": "Test malware name", "file_path": "C:\\eicar0000001.txt", "hash": "8b3f191819931d1f2cef7289239b5f77c00b079847b9c2636e56854d1", "final_status": "deleted", "timestamp": "2017-09-08T12:01:36.000Z", "module": "av", "_testEvent_": true } }
and here is a real log:
Feb 24 12:45:10 bitdefender-fwd
{
"module": "av",
"product_installed": "BEST",
"user": {
"id": "S-1-5-18",
"name": "SYSTEM"
},
"companyId": "6785c379e66900d22a068ca8",
"computer_name": "",
"computer_fqdn": "",
"computer_ip": "",
"computer_id": "678772710c1ee6df367b23cf",
"malware_type": "file",
"malware_name": "JS.Heur.Morpheus.15.1E0DA81C.Gen",
"hash": "1D1822F6BF048B1C018E90E9687BE5E6E5FBC3F3851C86DBFA72D746CD4D2CF1",
"final_status": "deleted",
"file_path": "",
"timestamp": "2025-02-24T05:44:55.000Z",
"signaturesNumber": "7.98429",
"taskScanType": 2,
"scanEngineType": 3,
"cleaned": 0,
"blocked": 0,
"deleted": 1,
"quarantined": 0,
"ignored": 0,
"present": 0
}
The difference is in the hash section. I get an error in my SIEM parser, which only allows a hash matching the regex 0-9a-f, and I cannot change the rule, so can you guys help me understand why in a real log with event type antimalware the hash section is uppercase instead of lowercase?
Thank you in advance
Comments
Hello @cerrytarise ,
The Test Push Event has a fixed set of values and information, formatted exactly like in our KB article, so the hash will always be in lowercase. For a real event the hash is sent by our security agent (BEST) and it's not something that we can configure in any way; usually this should be adjusted at the SIEM level to accept it.
Kind Regards,
Andrei
2
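Added example, not from the thread or from Bitdefender: a small Python pre-processing step that strips the syslog header, unwraps the JSON-RPC envelope the test push event arrives in, and lowercases the hash before the SIEM rule sees it. The `[0-9a-f]` regex is a stand-in for the parser rule mentioned above, and the two samples are trimmed copies of the events in the post.

```python
import json
import re

# Stand-in for the SIEM parser rule described in the thread: only 0-9a-f accepted.
SIEM_HASH_RE = re.compile(r"^[0-9a-f]+$")

# Syslog header the forwarder prepends to the JSON body (shape taken from the post).
SYSLOG_HEADER_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \S+\s*")

# Constructed samples: trimmed copies of the real event and of the test push event
# shown in the thread (values as posted).
REAL_LOG = r"""Feb 24 12:45:10 bitdefender-fwd
{
"module": "av",
"user": {"id": "S-1-5-18", "name": "SYSTEM"},
"malware_type": "file",
"malware_name": "JS.Heur.Morpheus.15.1E0DA81C.Gen",
"hash": "1D1822F6BF048B1C018E90E9687BE5E6E5FBC3F3851C86DBFA72D746CD4D2CF1",
"final_status": "deleted"
}"""

TEST_EVENT = r"""{"id": "ad12cb61-52b3-4209-a87a-93a8530d91cb", "jsonrpc": "2.0",
"result": {"malware_name": "Test malware name", "file_path": "C:\\eicar0000001.txt",
"hash": "8b3f191819931d1f2cef7289239b5f77c00b079847b9c2636e56854d1", "module": "av",
"_testEvent_": true}}"""

def parse_event(raw: str) -> dict:
    """Strip an optional syslog header, parse the JSON and unwrap the JSON-RPC
    envelope that the test push event (but not a real event) is delivered in."""
    obj = json.loads(SYSLOG_HEADER_RE.sub("", raw, count=1))
    return obj["result"] if isinstance(obj.get("result"), dict) else obj

def normalize_hash(event: dict) -> dict:
    """Lowercase the hash so agent output in either case passes the [0-9a-f] rule."""
    if isinstance(event.get("hash"), str):
        event["hash"] = event["hash"].strip().lower()
    return event

def hash_accepted(event: dict) -> bool:
    """Apply the SIEM parser's hash rule to the event."""
    return bool(SIEM_HASH_RE.match(event.get("hash", "")))

def process(raw: str) -> dict:
    """Pre-processing to run before the parser rule that cannot be changed."""
    return normalize_hash(parse_event(raw))
```

Running `hash_accepted(parse_event(REAL_LOG))` returns False while `hash_accepted(process(REAL_LOG))` returns True; the test event passes either way.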