Files
claudetools/.claude/skills/bitdefender/references/api-reference.md
Howard Enos 4cf34f5221 feat(bitdefender): doc-verify assignPolicy/push + add full-API build-out tracker
- assign_policy: add inheritFromAbove option; mark VERIFIED via official docs
  (policyId/targetIds/forcePolicyInheritance/inheritFromAbove; not applied to
  ENFORCED-policy targets).
- setPushEventSettings: documented serviceType (splunk/cef/jsonRPC), TLS 1.2+
  receiver requirement, subscribeToEventTypes event-flag map; webhook receiver
  pattern noted.
- api-reference.md: cite GravityZone Support Center as authoritative source.
- add references/BUILDOUT.md — master checklist to implement every API method
  module-by-module; seeded with current done/todo/dead state.
- memory: reference_gravityzone_support (+ index).

selftest 42/42.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-21 10:14:23 -07:00

15 KiB

Bitdefender GravityZone Cloud Public API Reference

Authoritative product + API docs: GravityZone Support Center — https://www.bitdefender.com/business/support/en/77211-79436-welcome-to-gravityzone.html (everything about the product and the Public API). Use it to confirm any UNVERIFIED method/param below before relying on it.

Verified spec for the methods used by this skill. Sourced from Bitdefender's archived Public API documentation. Methods are flagged VERIFIED (signature confirmed and exposed in the CLI) or UNVERIFIED (signature not confirmed — callable only via the generic raw subcommand, never exposed as a dedicated CLI command).


Connection

  • Base URL: https://cloud.gravityzone.bitdefender.com/api/v1.0/jsonrpc
  • Module endpoint: <base>/<module> (e.g. .../jsonrpc/network)
  • Auth: HTTP Basic. Username = API key, password = empty string "".
  • Transport: HTTPS POST, Content-Type: application/json.

JSON-RPC envelope (request)

{
  "id": "1",
  "jsonrpc": "2.0",
  "method": "<methodName>",
  "params": { ...method params... }
}

Response

  • Success: body has a result field. The skill returns body["result"].
  • Error: body has an error object. The skill surfaces error.data.details if present, else error.message.
{ "error": { "code": -32602, "message": "...", "data": { "details": "..." } } }

ACG tenant IDs (hardcoded, partner root)

Constant Value Meaning
ACG_ROOT_COMPANY_ID 5c4280716c0318f3478b456a ACG partner company root
ACG_COMPANIES_CONTAINER_ID 5c4280716c0318f3478b456e Container holding all client companies

In getNetworkInventoryItems results, type == 1 denotes a company node.


general (/general)

Method Params Status Notes
getApiKeyDetails {} VERIFIED Key scopes / rights.

licensing (/licensing)

Method Params Status Notes
getLicenseInfo {} VERIFIED Seats, expiry, usage.

companies (/companies)

Method Params Status Notes
getCompanyDetails {} or {companyId} VERIFIED Own company when no arg; a specific company when companyId given.
getCompanyDetailsByUser uncertain UNVERIFIED Param shape not confirmed. Use raw if needed.

network (/network)

Method Params Status Notes
getNetworkInventoryItems parentId?, page?, perPage?, filters? VERIFIED Inventory tree: companies/groups/endpoints. type==1 = company.
getEndpointsList parentId?, page?, perPage<=100, filters?, options? VERIFIED Endpoint list under a parent. filters supports name / OS / security status / policy.
getManagedEndpointDetails endpointId, options? VERIFIED Full detail: malwareStatus, agent{productVersion,engineVersion,signatureOutdated,productOutdated,lastUpdate}, modules, state, policy, companyId, lastSeen.
getScanTasksList name?, status?, page?, perPage? VERIFIED List scan tasks.
createScanTask targetIds[], type, name?, customScanSettings? VERIFIED Start a scan. type: 1=Quick, 2=Full, 3=Memory, 4=Custom (verify against console).
moveEndpoints endpointIds[], groupId VERIFIED Move endpoints into a group.
createCustomGroup name, parentId? VERIFIED Create a custom group; returns new group id.
deleteEndpoint endpointId VERIFIED (destructive) Remove an endpoint from inventory. CLI-gated behind --confirm.
deleteCustomGroup groupId VERIFIED (destructive) Delete a custom group. CLI-gated behind --confirm.
moveCustomGroup groupId, newParentId VERIFIED Re-parent a custom group.
assignPolicy uncertain UNVERIFIED Assigns an EXISTING policy to endpoints. Param names not confirmed (likely policyId + a targets list). Do NOT use blindly — confirm against archived docs first. raw only.
createReconfigureClientTask uncertain UNVERIFIED Param shape not confirmed. raw only.
createUninstallTask uncertain UNVERIFIED Destructive; param shape not confirmed. raw only.
setEndpointLabel uncertain UNVERIFIED Param shape not confirmed. raw only.

packages (/packages)

Method Params Status Notes
getPackagesList page?, perPage<=100 VERIFIED List installation packages.
createPackage packageName, companyId?, description?, language?, modules?, scanMode?, settings?, roles?, deploymentOptions? VERIFIED Create an installer package. Returns the new package id.
getInstallationLinks packageName, companyId? VERIFIED Returns Windows / Mac / Linux installer download URLs for a package.
deletePackage packageName, companyId? VERIFIED (destructive) Delete a package. CLI-gated behind --confirm.

policies (/policies) — FULL READ + ASSIGN (authoring is console-only)

Corrected 2026-06-21: the earlier "shallow only" claim was WRONG. getPolicyDetails returns the COMPLETE granular module configuration (general/antimalware/firewall/content-control/etc.), confirmed live on a real policy. You CAN: list policies, read the full config, and assign an existing policy to endpoints/groups (network.assignPolicy, param shape now verified). You still CANNOT create / edit / clone a policy body via the Public API — authoring stays in the GravityZone console.

Method Params Status Notes
getPoliciesList page?, perPage? VERIFIED List policies (id, name).
getPolicyDetails policyId VERIFIED Full granular config (not shallow).
assignPolicy (/network) policyId, targetIds[], forcePolicyInheritance?, inheritFromAbove? VERIFIED (official docs + probe) Assign existing policy to endpoints/containers. NOT applied to targets with an ENFORCED policy. CLI assign-policy, gated. STATE-CHANGING. Docs: 77212-924802-assignpolicy.html

reports (/reports) — VERIFIED LIVE

Method Params Status Notes
getReportsList page?, perPage? VERIFIED LIVE List saved reports. CLI reports.
createReport name, type, targetIds, ... param name required (probed) Not yet a dedicated CLI command — raw only.
getDownloadLinks reportId (candidate) UNVERIFIED param Report download links. Client helper get_report_links.

accounts (/accounts) — VERIFIED LIVE (read)

Method Params Status Notes
getAccountsList page?, perPage? VERIFIED LIVE List console accounts/users. CLI accounts.
getNotificationsSettings {} VERIFIED LIVE Notification config. CLI notif-settings.
createAccount / updateAccount / deleteAccount uncertain UNVERIFIED (state-changing) Not exposed; raw only after confirming shape.

push (/push) — event push service (VERIFIED reachable)

Powers event-driven alerting (GravityZone POSTs security events to a receiver you specify) instead of polling sweep. get/stats error with "…were not set" until configured — that is an EXPECTED unconfigured state, handled cleanly by the CLI (rc0 + INFO), NOT a failure.

Method Params Status Notes
getPushEventSettings {} VERIFIED LIVE Current settings. CLI push-settings.
getPushEventStats {} VERIFIED LIVE Delivery stats. CLI push-stats.
setPushEventSettings status (req), serviceType, serviceSettings{url,requireValidSslCertificate,authorization}, subscribeToEventTypes{<event flags>} VERIFIED (official docs + probe) Configure the service. serviceTypesplunk/cef/jsonRPC. Receiver MUST support TLS 1.2+. subscribeToEventTypes is a map of event flags (av, fw, aph, registration, task-status, modules, network-sandboxing, antiexploit, dp, uc, …) set true to subscribe. Returns bool. CLI push-set, gated. STATE-CHANGING. Needs a receiver URL. Docs: 77209-135319-setpusheventsettings.html

Receiver pattern for the webhook (Phase-2): stand up an HTTPS endpoint (TLS 1.2+, valid cert) that accepts GravityZone's event POSTs — a coord-API route or an RMM ingest route — then push-set --status 1 --url <that-endpoint> --confirm. serviceType jsonRPC posts JSON-RPC event batches.

quarantine (/quarantine)

Method Params Status Notes
getQuarantineItemsList parentId, page, perPage, filters? VERIFIED List quarantined items under a parent.
createRemoveQuarantineItemTask uncertain UNVERIFIED (destructive) Param shape not confirmed. raw only.
createRestoreQuarantineItemTask uncertain UNVERIFIED Param shape not confirmed. raw only.

incidents (/incidents) — EDR / incident response

The incidents module backs the EDR controls: endpoint isolation, the hash blocklist, and the incident list. READ methods are safe; the state-changing methods (isolate / restore / blocklist add+remove) are CLI-gated behind --confirm. isolate and addToBlocklist / removeFromBlocklist are NEW destructive verbs — the raw subcommand also gates any method whose name contains isolat, addtoblocklist, or removefromblocklist.

Method Params Status Notes
getBlocklistItems companyId?, page?, perPage? VERIFIED LIVE Returns {total, page, perPage, pagesCount, items:[{id, source, sourceInfo, hashType, hash, companyId}]}. Returned 26 items live. perPage defaults to 100 in the CLI. companyId scopes to one company; omit for the whole tenant.
getIncidentsList parentId, page?, perPage (500-10000), filters? UNVERIFIED / possibly unavailable parentId = a company/group id and is REQUIRED. perPage must be 500-10000 (the API rejected 100 with "Invalid value for 'perPage' parameter. The value should be between 500 and 10000"); the CLI defaults it to 500. However, live re-testing on 2026-05-30 returned Method not found for this method on the /incidents module, while getBlocklistItems on the SAME module succeeds in the same request — so this is NOT rate-limiting or a bad key. The method is likely gated behind an EDR/incidents license feature that is OFF on this tenant, or is named differently in this API version. The CLI incidents subcommand is wired up but will surface Method not found until the feature is enabled / the correct name is confirmed.
createIsolateEndpointTask endpointIds[] VERIFIED (destructive) v1.2: takes an ARRAY endpointIds (max 1000), returns an array of task ids. Cuts the endpoint off the network. CLI-gated behind --confirm; the client enforces the 1000-id cap.
createRestoreEndpointFromIsolationTask endpointIds[] VERIFIED (destructive) v1.2: takes an ARRAY endpointIds (max 1000), returns an array of task ids. Un-isolates (reverses createIsolateEndpointTask). CLI-gated behind --confirm; the client enforces the 1000-id cap.
addToBlocklist companyId, hashType, hashList[], sourceInfo, operatingSystems? VERIFIED (destructive) hashType is an int (1 is the common value seen live; see the console / API docs for the full mapping). hashList is an array of hash strings. sourceInfo is a free-text description. CLI-gated behind --confirm.
removeFromBlocklist hashItemId (UNVERIFIED param name) VERIFIED method, UNVERIFIED param Removes one blocklist entry. The param name hashItemId is UNVERIFIED — the id field from getBlocklistItems is the candidate. Confirm against the official API reference before relying on it. CLI-gated behind --confirm; the CLI --id value comes from blocklist output.
changeIncidentStatus uncertain UNVERIFIED Not implemented. raw only.
updateIncidentNote uncertain UNVERIFIED Not implemented. raw only.
createCustomRule uncertain UNVERIFIED Not implemented. raw only.
getCustomRulesList uncertain UNVERIFIED Not implemented. raw only.
deleteCustomRule uncertain UNVERIFIED (destructive) Not implemented. raw only.

Dead / unavailable modules on this tenant (probed 2026-06-21)

In the API-key scope but NOT usable — calls return "not available" / "method not found". Do not build against these without a license/feature change:

  • patchmanagement — license OFF (managePatchManagement: false). "not available".
  • phasr — license/feature OFF. getStatus → method not found.
  • maintenancewindowsgetMaintenanceWindows(List) → "not available".
  • integrationsgetPSAIntegrationList → method not found (correct method name unconfirmed).
  • incidents.getIncidentsList — "Method not found" (yet getBlocklistItems and the isolate tasks on the SAME module work — likely an EDR sub-feature gate).

Verified vs Unverified summary

VERIFIED (CLI-exposed): general.getApiKeyDetails, licensing.getLicenseInfo, companies.getCompanyDetails, network.getNetworkInventoryItems, network.getEndpointsList, network.getManagedEndpointDetails, network.getScanTasksList, network.createScanTask, network.createCustomGroup, network.moveEndpoints, network.moveCustomGroup, network.deleteEndpoint (gated), network.deleteCustomGroup (gated), packages.getPackagesList, packages.createPackage, packages.getInstallationLinks, packages.deletePackage (gated), policies.getPoliciesList, policies.getPolicyDetails, quarantine.getQuarantineItemsList, incidents.getBlocklistItems, incidents.createIsolateEndpointTask (gated), incidents.createRestoreEndpointFromIsolationTask (gated), incidents.addToBlocklist (gated), incidents.removeFromBlocklist (gated; param name UNVERIFIED), network.getScanTasksList, network.assignPolicy (gated; param shape verified 2026-06-21), reports.getReportsList, accounts.getAccountsList, accounts.getNotificationsSettings, push.getPushEventSettings, push.getPushEventStats, push.setPushEventSettings (gated; status verified, nested shape UNVERIFIED).

NOTE: incidents.getIncidentsList is wired into the CLI (incidents subcommand) but returned Method not found on live re-test (2026-05-30) — see the incidents module table. Likely a license-gated EDR feature that is OFF on this tenant. Not counted as VERIFIED LIVE.

UNVERIFIED (raw subcommand only — do NOT trust the param shape): network.assignPolicy, network.createReconfigureClientTask, network.createUninstallTask, network.setEndpointLabel, companies.getCompanyDetailsByUser, quarantine.createRemoveQuarantineItemTask, quarantine.createRestoreQuarantineItemTask, incidents.changeIncidentStatus, incidents.updateIncidentNote, incidents.createCustomRule, incidents.getCustomRulesList, incidents.deleteCustomRule (destructive). Whole modules raw-only/UNVERIFIED: patchmanagement (license OFF), integrations, maintenancewindows.

Confirm any UNVERIFIED signature against the official Bitdefender API reference before relying on it. The generic raw --module M --method m --params '<json>' subcommand can call any method once you know the correct params.