Bitdefender GravityZone

LAST UPDATED: APRIL 28, 2025

Overview

Bitdefender Control Center APIs allow developers to automate business workflows. D3's integration with Bitdefender provides the ability to manage groups and endpoints, create scan tasks, quarantine items and retrieve report results for each predefined report.

D3 SOAR is providing REST operations to function with Bitdefender GravityZone.

Bitdefender GravityZone is available for use in:

D3 SOAR	V14.0.0+
Category	Endpoint Security
Deployment Options	Option II, Option IV

Known Limitations

The API enforces a fixed number of requests per second per API key. When the limit is exceeded, further requests are denied with an HTTP 429 status code. Below are the applicable rate limits:

30 requests per minute per API Key

Create Scan Task
Delete Endpoints
Quarantine Files
Remove Quarantine Files

5 requests per minute per API Key

Add to Blocklist
Remove From Block List

10 requests per second per API Key

All other commands not mentioned above

Refer to API rate limits for detailed information.

Connection

To connect to Bitdefender GravityZone from D3 SOAR, follow this part to collect the required information below:

Parameter	Description	Example
Server URL	The URL of the Bitdefender server.	https://cloud.gravityzone.bitdefender.com
API Key	The API key used to authenticate the connection.	*****
API Version	The API version to use for the connection.	v1.0

Configuring Bitdefender GravityZone to Work with D3 SOAR

Log into Bitdefender GravityZone using an administrator account.
The account must have the following rights: Manage Networks, Manage Users, Manage Company, and View and analyze data.
Click the icon, then select the My account option.
Scroll down to the API keys section, then click the + Add button.
Configure the API key.
1. Enter a name for the key.
2. Select the APIs to use with the key.
3. Click the Generate button to retrieve the API key.
Copy the API key to be used for the connection. Refer to step 3i sub-step 2 in Configuring D3 SOAR to Work with Bitdefender GravityZone.
The API key will not be visible after this point.

Configuring D3 SOAR to Work with Bitdefender GravityZone

Log in to D3 SOAR.
Find the Bitdefender GravityZone integration.
1. Navigate to Configuration on the top header menu.
2. Click on the Integration icon on the left sidebar.
3. Type Bitdefender GravityZone in the search box to find the integration, then click it to select it.
4. Click on the + Connection button on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to Bitdefender GravityZone.
1. Connection Name: The desired name for the connection.
2. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
3. Recipient site for events from connections Shared to Internal Sites: This field is displayed when Share to Internal Sites is selected for the Site field, allowing selection of the internal site for deploying the integration connection.
4. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
5. Description (Optional): Add a description for the connection.
6. Tenant (Optional): When configuring the connection from a master tenant site, users have the option to choose the specific tenant sites to share the connection with. Once this setting is enabled, users can filter and select the desired tenant sites from the dropdowns to share the connection.
7. Active: Check the checkbox to ensure the connection is available for use.
8. Configure User Permissions: Defines which users have access to the connection.
9. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
  1. Input the Server URL. The default value is https://cloud.gravityzone.bitdefender.com.
  2. Copy the API Key from the Bitdefender GravityZone platform. Refer to Configuring Bitdefender GravityZone to Work with D3 SOAR.
  3. Input the API Version. The default value is v1.0.
10. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Refer to the password vault connection guide if needed.
11. Connection Health Check: Periodically checks the connection status by scheduling the Test Connection command at the specified interval (in minutes). Available only for active connections, this feature also allows configuring email notifications for failed attempts.
Test the connection.
1. Click on the Test Connection button to verify credentials and connectivity. A success alert displays Passed with a green checkmark. If the connection fails, review the parameters and retry.
2. Click OK to close the alert window.
3. Click + Add to create and add the configured connection.

Commands

Bitdefender GravityZone includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command function, users can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the Bitdefender GravityZone API, refer to the Bitdefender GravityZone API reference.

Note for Time-related parameters

The input format of time-related parameters may vary based on user account settings, which may cause the sample data in commands to differ from what is displayed. To adjust the time format, follow these steps:

Navigate to Configuration > Application Settings. Select Date/Time Format.
Choose the desired date and time format, then click on the Save button.

The selected time format will now be visible when configuring Date/Time command input parameters.

Add to Blocklist

Adds new hashes to the blocklist.

Input

Input Parameter	Required/Optional	Description	Example
Hashes	Required	The list of hash values to add to the blocklist.	JSON `[ "***", "***" ]`
Hash Type	Required	The hash type for the provided hash values. Available options are: SHA256 - 1 MD5 - 1	SHA256 - 1
Description	Required	The description for the action.	Added a hash of 'atomic-red-team-master.zip' from public API

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Add to Blocklist failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Bitdefender GravityZone portal. Refer to the HTTP Status Code Registry for details.	Status Code: 403.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Not enough rights for this companyId to add a hash to blocklist.

Error Sample Data

Add to Blocklist failed.

Status Code: 403.

Message: Not enough rights for this companyId to add a hash to blocklist.

Create Group

Creates a new custom group of endpoints.

READER NOTE

Parent ID is an optional parameter to run this command.

Run the List Groups command with the Parent ID parameter filled to obtain the Parent ID. Parent IDs can be found in the raw data at the path $.result[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Group Name

Required

The name of the group.

Group 1-1

Parent ID

Optional

The ID of the parent group under which to nest the target group. The ID can be a company ID or group ID. Parent ID can be obtained using the List Groups command with the Parent ID parameter filled.

By default, the group will be created under the Computers and Groups group of the current user.

*****

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Create Group failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Bitdefender GravityZone portal. Refer to the HTTP Status Code Registry for details.	Status Code: 409.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Group name already exists.

Error Sample Data

Create Group failed.

Status Code: 409.

Message: Group name already exists.

Create Scan Task

Creates a new scan task.

READER NOTE

Endpoint IDs and Mac Addresses are optional parameters to run this command.

Run the List Endpoints command to obtain the Endpoint IDs. Endpoint IDs can be found in the raw data at the path $.result.items[*].id.
Run the List Endpoints command to obtain the Mac Addresses. Mac Addresses can be found in the raw data at the paths:
- $.result.items[*].macs (if Endpoint Type is set to Endpoints)
- $.result.items[*].details.macs (if Endpoint Type is set to Active Directory Endpoints).

Input

Input Parameter	Required/Optional	Description	Example
Scan Name	Optional	The name of the scan. If left blank, the scan name will be generated automatically.	my scan 1
Endpoint IDs	Optional	The list of endpoint IDs to scan. The IDs can designate endpoints or containers. Endpoint IDs can be obtained using the List Endpoints command. Endpoint IDs and Mac Addresses cannot both be empty.	JSON `[ "***", "***" ]`
Mac Addresses	Optional	The list of MAC addresses of the endpoints to scan. A maximum of 100 MAC addresses is allowed. MAC addresses can be obtained using the List Endpoints command. Endpoint IDs and Mac Addresses cannot both be empty.	JSON `[ "***", "***" ]`
Scan Type	Required	The scan type to perform. Available options are: Quick Scan - 1 Full Scan - 2 Memory Scan - 3 Custom Scan - 4 By default, the value is set to Quick Scan - 1.	Quick Scan - 1
Custom Scan Depth	Optional	The depth for a custom scan. This is only applicable and required when the Scan Type is set to Custom Scan - 4. Available options are: Aggressive - 1 Normal - 2 Permissivearray - 3 By default, the value is set to Aggressive - 1.	Aggressive - 1
Custom Scan Paths	Optional	The paths to include for a custom scan. This is only applicable and required when the Scan Type is set to Custom Scan - 4.	JSON `[ "LocalDrives", "Localdisk" ]`

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Create Scan Task failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Bitdefender GravityZone portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The input parameters 'Endpoint IDs' & 'Mac Addresses' cannot be empty at the same time.

Error Sample Data

Create Scan Task failed.

Status Code: 400.

Message: The input parameters 'Endpoint IDs' & 'Mac Addresses' cannot be empty at the same time.

Delete Endpoints

Deletes endpoints under Custom Groups by moving them to the Deleted group. Re-running this command on the same endpoints will permanently delete them.

READER NOTE

Endpoint IDs is a required parameter to run this command.

Run the List Endpoints command to obtain the Endpoint IDs. Endpoint IDs can be found in the raw data at the path $.result.items[*].id.
Entries with "networkItemTypeName": "Group" cannot be used as values for Endpoint IDs.

Input

Input Parameter

Required/Optional

Description

Example

Endpoint IDs

Required

The IDs of the endpoints to delete. Endpoint IDs can be obtained using the List Endpoints command.

Entries with "networkItemTypeName": "Group" cannot be used as values for Endpoint IDs.

JSON

[
  "*****",
  "*****"
]

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Delete Endpoints failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Bitdefender GravityZone portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Invalid value for 'endpointId' parameter.

Error Sample Data

Delete Endpoints failed.

Status Code: 400.

Message: Invalid value for 'endpointId' parameter.

Download Reports

Downloads report files.

READER NOTE

Report IDs is a required parameter to run this command.

Run the List Reports command to obtain the Report IDs. Report IDs can be found in the raw data at the path $result.items[*].id.

Input

Input Parameter	Required/Optional	Description	Example
Report IDs	Required	The IDs of the reports to download. Report IDs can be obtained using the List Reports command.	JSON `[ "***", "***" ]`

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Download Reports failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Bitdefender GravityZone portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: "Invalid value for 'reportId' parameter.

Error Sample Data

Download Reports failed.

Status Code: 400.

Message: "Invalid value for 'reportId' parameter.

Get Managed Endpoint Details

Retrieves detailed information for the specified managed endpoints.

READER NOTE

Managed Endpoint IDs is a required parameter to run this command.

Run the List Endpoints command to obtain the Managed Endpoint IDs. Managed Endpoint IDs can be found in the raw data at the path $.result.items[*].id.
Entries with "networkItemTypeName": "Group" cannot be used as values for Endpoint IDs.

Input

Input Parameter

Required/Optional

Description

Example

Managed Endpoint IDs

Required

The IDs of the managed endpoints for which to retrieve details. Managed Endpoint IDs can be obtained using the List Endpoints command.

Providing an unmanaged endpoint ID or an entry with "networkItemTypeName": "Group" will result in an error.

JSON

[
  "*****",
  "*****"
]

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Get Managed Endpoint Details failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Bitdefender GravityZone portal. Refer to the HTTP Status Code Registry for details.	Status Code: 403.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: This endpoint cannot be queried.

Error Sample Data

Get Managed Endpoint Details failed.

Status Code: 403.

Message: This endpoint cannot be queried.

Isolate Endpoints

Creates tasks to isolate the specified managed endpoints.

READER NOTE

Endpoint IDs is a required parameter to run this command.

Run the List Endpoints command to obtain the Endpoint IDs. Endpoint IDs can be found in the raw data at the path $.result.items[*].id.
Entries with "networkItemTypeName": "Group" cannot be used as values for Endpoint IDs.

Input

Input Parameter

Required/Optional

Description

Example

Endpoint IDs

Required

The IDs of the endpoints to isolate. Endpoint IDs can be obtained using the List Endpoints command.

Entries with "networkItemTypeName": "Group" cannot be used as values for Endpoint IDs.

JSON

[
  "*****",
  "*****"
]

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Isolate Endpoints failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Bitdefender GravityZone portal. Refer to the HTTP Status Code Registry for details.	Status Code: 422.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Invalid value for this 'endpointId'. The endpoint is not managed.

Error Sample Data

Isolate Endpoints failed.

Status Code: 422.

Message: Invalid value for this 'endpointId'. The endpoint is not managed.

List Block List

Retrieves all existing items from the blocklist.

Input

Input Parameter	Required/Optional	Description	Example
Page	Optional	The results page number.	1
Page Size	Optional	The maximum number of items to display per page. The allowed range is 1 to 100.	5

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	List Block List failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Bitdefender GravityZone portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The value for parameter (Page Size) is invalid.

Error Sample Data

List Block List failed.

Status Code: 400.

Message: The value for parameter (Page Size) is invalid.

List Endpoints

Retrieves available endpoints.

READER NOTE

Company or Group ID is an optional parameter to run this command.

Run the List Endpoints command with Endpoint Type set to Active Directory Endpoints to obtain the Company or Group ID. Company or Group IDs can be found in the raw data at the path $.result.items[*].id.

Input

Input Parameter	Required/Optional	Description	Example
Company or Group ID	Optional	The ID of the company or group for which to retrieve endpoints. Company or Group ID can be obtained using the List Endpoints command with the Endpoint Type set to Active Directory Endpoints. Leave this parameter blank and the End Type set to Endpoints to return only endpoints under the Computers and Groups group.	*****
Page	Optional	The results page number.	1
Page Size	Optional	The number of items per page. The allowed range is 1 to 100.	10
Endpoint Type	Required	The type of endpoints to retrieve. Available options are: Endpoints Active Directory Endpoints	Endpoints
Is Managed	Optional	Whether to return only managed endpoints. When True, unmanaged endpoints are excluded. This parameter is only applicable if Endpoint Type is set to Endpoints. By default, the value is set to False.	True
Filters	Optional	The Apache Lucene syntax string to filter endpoints. Each field is joined with the AND operator. Available Shared Fields These fields apply across all endpoint types: security.management.managedWithBest: True or False security.management.managedExchangeServers: True or False security.management.managedRelays: True or False security.management.securityServers: True or False details.ssid details.macs (e.g., details.macs in (123456, 1234456)) details.name (minimum 3 characters; supports wildcard prefix ) Active Directory Endpoint Only Fields* These fields apply only when Endpoint Type is Active Directory: type.groups: True or False type.ec2Instances: True or False type.computers: True or False type.virtualMachines: True or False Refer to the sample data for the syntax.	security.management.managedWithBest:True AND security.management.managedRelays:True AND details.name:*PC1 AND details.macs in (123456, 1234456)

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	List Endpoints failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Bitdefender GravityZone portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Wrong syntax string provided in parameter 'Filters', please refer to the parameter description and sample data.

Error Sample Data

List Endpoints failed.

Status Code: 400.

Message: Wrong syntax string provided in parameter 'Filters', please refer to the parameter description and sample data.

List Groups

Retrieves the list of groups under a specified parent group.

READER NOTE

Parent ID is an optional parameter to run this command.

Run the List Groups command with the Parent ID filled to obtain the Parent ID. Parent IDs can be found in the raw data at the path $.result[*].id.
Users must fill the Parent ID parameter to retrieve custom groups using the List Groups command. Refer to the following section for details.

Bitdefender GravityZone does not provide a native method to retrieve all custom groups in a single call using the List Groups command. One approach to retrieve all custom groups is as follows:

Run the List Groups command without specifying a Parent ID.
This will return the system-defined groups, such as Computers and Groups and Deleted.
Run the List Groups command again using the ID of each returned system group as the Parent ID.
This retrieves any custom groups that are directly nested under those system folders.
For each custom group retrieved, run the command again using its ID as the Parent ID.
This step is necessary to identify additional custom groups nested under those groups.
Repeat step 3 until no further subgroups are returned.

Input

Input Parameter

Required/Optional

Description

Example

Parent ID

Optional

The ID of the parent group for which to retrieve subgroups. By default, the Computers and Groups and Deleted system groups of the current user will be returned when no Parent ID is provided.

Bitdefender GravityZone does not support retrieving all custom groups in a single call. A workaround is to run the List Groups command multiple times.

Begin by running it without a Parent ID to retrieve the top-level system groups. Then, use the ID of each returned group as the Parent ID in subsequent calls. Repeat this process recursively for each nested group until all levels of custom groups have been discovered.

*****

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	List Groups failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Bitdefender GravityZone portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Invalid value for 'parentId' parameter.

Error Sample Data

List Groups failed.

Status Code: 400.

Message: Invalid value for 'parentId' parameter.

List Quarantine Items

Retrieves a list of quarantined items from the endpoints.

READER NOTE

Endpoint IDs is an optional parameter to run this command.

Run the List Endpoints command to obtain the Endpoint ID. Endpoint IDs can be found in the raw data at the path $.result.items[*].id.

Input

Input Parameter	Required/Optional	Description	Example
Endpoint ID	Optional	The ID of the endpoint for which to filter quarantined items. Endpoint ID can be obtained using the List Endpoints command.	*****
Start Date	Optional	The earliest quarantined date to include.	05/19/2022 02:00 AM
End Date	Optional	The latest quarantined date to include.	05/31/2022 02:00 AM
Quarantine Item Service	Required	The service from which to retrieve quarantine items. Available options are: Computers and Virtual Machines Security for Exchange	Computers and Virtual Machines
Threat Name	Optional	The full or partial threat name to filter results.	Trojan
Action Status	Optional	The action status to filter results. Applicable values depend on the selected Quarantine Item Service. Available options are: None - 0 Pending remove - 1 Pending restore - 2 Remove failed - 3 Restore failed - 4 Pending Save (Security for Exchange only) - 16 Failed Save (Security for Exchange only) - 17	Pending remove - 1
Page	Optional	The results page number.	1
Page Size	Optional	The maximum number of items displayed per page. The allowed range is 1 to 100.	5

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	List Quarantine Items failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Bitdefender GravityZone portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Start Time cannot be greater than End Time.

Error Sample Data

List Quarantine Items failed.

Status Code: 400.

Message: Start Time cannot be greater than End Time.

List Reports

Retrieves a list of reports.

Input

Input Parameter	Required/Optional	Description	Example
Report Name	Optional	The full name of the report to retrieve.	Report1-Type_Antiphishing Activity
Report Type	Optional	The type of report by which to filter the results. Available options are: Antiphishing Activity – 1 Blocked Applications – 2 Blocked Websites – 3 Customer Status Overview – 4 Data Protection – 5 Device Control Activity – 6 Endpoint Modules Status – 7 Endpoint Protection Status – 8 Firewall Activity – 9 License Status – 10 Malware Status – 12 Monthly License Usage – 13 Network Status – 14 On demand scanning – 15 Policy Compliance – 16 Security Audit – 17 Security Server Status – 18 Top 10 Detected Malware – 19 Top 10 Infected Companies – 20 Top 10 Infected Endpoints – 21 Update Status – 22 Upgrade Status – 23 AWS Monthly Usage – 24 Email Security Usage – 29 Endpoint Encryption Status – 30 HyperDetect Activity – 31 Network Patch Status – 32 Sandbox Analyzer Failed Submissions – 33 Network Incidents – 34 MDR Service Status – 35	Antiphishing Activity - 1
Page	Optional	The results page number.	1
Page Size	Optional	The maximum number of items displayed per page. The allowed range is 1 to 100.	5

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	List Reports failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Bitdefender GravityZone portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The value for parameter (Page Size) is invalid.

Error Sample Data

List Reports failed.

Status Code: 400.

Message: The value for parameter (Page Size) is invalid.

List Scan Tasks

Retrieves a list of current scan tasks.

Input

Input Parameter	Required/Optional	Description	Example
Scan Name	Optional	The name used to filter the scan tasks.	Scan 2022
Status	Optional	The status used to filter the scan tasks.	Finished - 3
Page	Optional	The results page number.	1
Page Size	Optional	The number of items to return per page. The allowed range is 1 to 100.	10

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	List Scan Tasks failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Bitdefender GravityZone portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The value for parameter (Page) is invalid.

Error Sample Data

List Scan Tasks failed.

Status Code: 400.

Message: The value for parameter (Page) is invalid.

Move Endpoints

Moves endpoints to a specified custom group.

READER NOTE

Endpoint IDs and Group ID are required parameters to run this command.

Run the List Endpoints command to obtain the Endpoint IDs. Endpoint IDs can be found in the raw data at the path $.result.items[*].id.
- Entries with "networkItemTypeName": "Group" cannot be used as values for Endpoint IDs.
Run the List Groups command with the Parent ID parameter filled to obtain the Group ID. Group IDs can be found in the raw data at the path $.result[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Endpoint IDs

Required

The IDs of the endpoints to move. Endpoint IDs can be obtained using the List Endpoints command.

Entries with "networkItemTypeName": "Group" cannot be used as values for Endpoint IDs.

JSON

[
  "*****",
  "*****"
]

Group ID

Required

The ID of the custom group to which the endpoints will be moved. Group ID can be obtained using the List Groups command with the Parent ID parameter filled.

*****

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Move Endpoints failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Bitdefender GravityZone portal. Refer to the HTTP Status Code Registry for details.	Status Code: 409.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: One or more endpoints do not belong to the same company with the target custom group.

Error Sample Data

Move Endpoints failed.

Status Code: 409.

Message: One or more endpoints do not belong to the same company with the target custom group.

Quarantine Files

Creates tasks to quarantine specified files on selected endpoints.

READER NOTE

Endpoint IDs is a required parameter to run this command.

Run the List Endpoints command to obtain the Endpoint IDs. Endpoint IDs can be found in the raw data at the path $.result.items[*].id.

Input

Input Parameter	Required/Optional	Description	Example
Endpoint IDs	Required	The IDs of the endpoints on which to quarantine the file. Endpoint IDs can be obtained using the List Endpoints command.	JSON `[ "***", "***" ]`
File Path	Required	The full path of the file to be quarantined including the file name.	d:\taskSample\sample.dll

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Quarantine Files failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Bitdefender GravityZone portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: No valid target provided.

Error Sample Data

Quarantine Files failed.

Status Code: 400.

Message: No valid target provided.

Remove From Block List

Removes specified items from the blocklist.

READER NOTE

Hash Item IDs is a required parameter to run this command.

Run the List Block List command to obtain the Hash Item IDs. Hash Item IDs can be found in the raw data at the path $result.items[*].id.

Input

Input Parameter	Required/Optional	Description	Example
Hash Item IDs	Required	The IDs of the hash entries to remove from the blocklist. Hash Item IDs can be obtained using the List Block List command.	JSON `[ "***", "***" ]`

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Remove From Block List failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Bitdefender GravityZone portal. Refer to the HTTP Status Code Registry for details.	Status Code: 403.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The blocklisted file does not exist or you do not have enough rights to access this item.

Error Sample Data

Remove From Block List failed.

Status Code: 403.

Message: The blocklisted file does not exist or you do not have enough rights to access this item.

Remove Quarantine Files

Creates tasks to remove quarantined files from specified endpoints.

READER NOTE

Quarantine Item IDs is a required parameter to run this command.

Run the List Quarantine Items command to obtain the Quarantine Item IDs. Quarantine Item IDs can be found in the raw data at the path $.result.items[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Quarantine Item IDs

Required

The IDs of the quarantine items to remove. Quarantine item IDs can be obtained using the List Quarantine Items command.

JSON

[
  "*****",
  "*****"
]

Quarantine Item Service

Required

The service from which to remove the quarantine items. Available options are:

Computers and Virtual Machines
Security for Exchange

Computers and Virtual Machines

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Remove Quarantine Files failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Bitdefender GravityZone portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: At least one specified target is invalid.

Error Sample Data

Remove Quarantine Files failed.

Status Code: 400.

Message: At least one specified target is invalid.

Restore Endpoints

Creates tasks to restore the specified managed endpoints from isolation.

READER NOTE

Endpoint IDs is a required parameter to run this command.

Run the List Endpoints command to obtain the Endpoint IDs. Endpoint IDs can be found in the raw data at the path $.result.items[*].id.
Entries with "networkItemTypeName": "Group" cannot be used as values for Endpoint IDs.

Input

Input Parameter

Required/Optional

Description

Example

Endpoint IDs

Required

The IDs of the endpoints to restore. Endpoint IDs can be obtained using the List Endpoints command.

Entries with "networkItemTypeName": "Group" cannot be used as values for Endpoint IDs.

JSON

[
  "*****",
  "*****"
]

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Restore Endpoints failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Bitdefender GravityZone portal. Refer to the HTTP Status Code Registry for details.	Status Code: 409.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: This endpoint cannot be restored from isolation. It is either not isolated, cannot be isolated or a isolation task is already in progress.

Error Sample Data

Restore Endpoints failed.

Status Code: 409.

Message: This endpoint cannot be restored from isolation. It is either not isolated, cannot be isolated or a isolation task is already in progress.

Update Endpoint Labels

Sets or clears labels on the specified endpoints.

READER NOTE

Endpoint IDs is a required parameter to run this command.

Run the List Endpoints command to obtain the Endpoint IDs. Endpoint IDs can be found in the raw data at the path $.result.items[*].id.

Input

Input Parameter	Required/Optional	Description	Example
Endpoint IDs	Required	The IDs of the endpoints for which to update labels. The IDs can designate endpoints or containers. Endpoint IDs can be obtained using the List Endpoints command.	JSON `[ "***", "***" ]`
Label	Optional	The label to apply to the endpoints. If this parameter is left blank, the existing label will be removed. The maximum length for a label is 64 characters. Characters beyond the limit will be removed.	Custom label.

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Update Endpoint Labels failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Bitdefender GravityZone portal. Refer to the HTTP Status Code Registry for details.	Status Code: 403.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Endpoint not found or not enough privileges to access this resource.

Error Sample Data

Update Endpoint Labels failed.

Status Code: 403.

Message: Endpoint not found or not enough privileges to access this resource.

Update Groups

Moves the specified custom groups to a new custom group parent or deletes them.

READER NOTE

Group IDs is a required parameter to run this command.

Run the List Groups command with the Parent ID parameter filled to obtain the Group IDs. Group IDs can be found in the raw data at the path $.result[*].id.

Parent ID is an optional parameter to run this command.

Run the List Groups command with the Parent ID parameter filled to obtain the Parent ID. Parent IDs can be found in the raw data at the path $.result[*].id.

Input

Input Parameter	Required/Optional	Description	Example
Group IDs	Required	The IDs of the custom groups to update. Group IDs can be obtained using the List Groups command with the Parent ID parameter filled.	JSON `[ "***", "***" ]`
Parent ID	Optional	The ID of the destination custom group. This parameter is required when the Update Method is set to Move. Parent ID can be obtained using the List Groups command with the Parent ID parameter filled.	*****
Update Method	Required	The type of update action to perform. Available options are: Move Delete By default, the value is set to Move.	Move
Force Delete	Optional	Whether to force delete groups that are not empty. This parameter is only applicable when the update method is Delete. If set to True, non-empty groups will be removed. By default, the value is set to False.	False

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Update Groups failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Bitdefender GravityZone portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Incorrect custom group specified through the 'groupId' parameter. Please provide the id of a custom group.

Error Sample Data

Update Groups failed.

Status Code: 400.

Message: Incorrect custom group specified through the 'groupId' parameter. Please provide the id of a custom group.

Test Connection

Allows users to perform a health check on an integration connection. Users can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

Output Type

Description

Return Data Type

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

More details about an error can be viewed in the Error tab.

String

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Test Connection failed. Failed to check the connector.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Bitdefender GravityZone portal. Refer to the HTTP Status Code Registry for details.	Status Code: 403.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Unauthorized.

Error Sample Data

Test Connection failed. Failed to check the connector.

Status Code: 403.

Message: Unauthorized.