azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
db6aa3683f2ace5e0e402e009356f7e8a1b6be88
claudetools/.claude/skills/bitdefender/references/api-reference.md
Howard Enos db6aa3683f fix(bitdefender): all-clients sweep, quarantine path, EDR controls, self-test 
Several bugs found and fixed during live testing against the ACG GravityZone
tenant:
- security_sweep_all_clients: iterate each company (the companies container is
  not a valid endpoint parent; passing it 400'd the whole sweep)
- list_quarantine: use service-scoped path quarantine/computers with companyId
  (bare quarantine module 404'd; param is companyId not parentId)
- rename GZEndpointSummary.detection_active -> threat_detected with corrected
  semantics (True = active threat, tracks with infected; not an engine-on flag)
- status: readable sectioned table renderer for the nested apiKey/license dict
- portable CLAUDETOOLS_ROOT resolution (derive from file path, not a Windows
  literal) so it works on the Mac/Linux fleet

Adds scripts/selftest.py: a 29-check read-only harness (all passing) covering
every read command, --json, error exit codes, and destructive-action gating.
EDR/incident commands (blocklist, isolate/unisolate, blocklist-add/remove) and
raw destructive-method gating are included from this session's work.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-30 07:29:55 -07:00

11 KiB
Raw Blame History

Bitdefender GravityZone Cloud Public API Reference

Verified spec for the methods used by this skill. Sourced from Bitdefender's archived Public API documentation. Methods are flagged VERIFIED (signature confirmed and exposed in the CLI) or UNVERIFIED (signature not confirmed — callable only via the generic raw subcommand, never exposed as a dedicated CLI command).

Connection

  • Base URL: https://cloud.gravityzone.bitdefender.com/api/v1.0/jsonrpc
  • Module endpoint: <base>/<module> (e.g. .../jsonrpc/network)
  • Auth: HTTP Basic. Username = API key, password = empty string "".
  • Transport: HTTPS POST, Content-Type: application/json.

JSON-RPC envelope (request)

{
  "id": "1",
  "jsonrpc": "2.0",
  "method": "<methodName>",
  "params": { ...method params... }
}

Response

  • Success: body has a result field. The skill returns body["result"].
  • Error: body has an error object. The skill surfaces error.data.details if present, else error.message.
{ "error": { "code": -32602, "message": "...", "data": { "details": "..." } } }

ACG tenant IDs (hardcoded, partner root)

Constant Value Meaning
ACG_ROOT_COMPANY_ID 5c4280716c0318f3478b456a ACG partner company root
ACG_COMPANIES_CONTAINER_ID 5c4280716c0318f3478b456e Container holding all client companies

In getNetworkInventoryItems results, type == 1 denotes a company node.

general (/general)

Method Params Status Notes
getApiKeyDetails {} VERIFIED Key scopes / rights.

licensing (/licensing)

Method Params Status Notes
getLicenseInfo {} VERIFIED Seats, expiry, usage.

companies (/companies)

Method Params Status Notes
getCompanyDetails {} or {companyId} VERIFIED Own company when no arg; a specific company when companyId given.
getCompanyDetailsByUser uncertain UNVERIFIED Param shape not confirmed. Use raw if needed.

network (/network)

Method Params Status Notes
getNetworkInventoryItems parentId?, page?, perPage?, filters? VERIFIED Inventory tree: companies/groups/endpoints. type==1 = company.
getEndpointsList parentId?, page?, perPage<=100, filters?, options? VERIFIED Endpoint list under a parent. filters supports name / OS / security status / policy.
getManagedEndpointDetails endpointId, options? VERIFIED Full detail: malwareStatus, agent{productVersion,engineVersion,signatureOutdated,productOutdated,lastUpdate}, modules, state, policy, companyId, lastSeen.
getScanTasksList name?, status?, page?, perPage? VERIFIED List scan tasks.
createScanTask targetIds[], type, name?, customScanSettings? VERIFIED Start a scan. type: 1=Quick, 2=Full, 3=Memory, 4=Custom (verify against console).
moveEndpoints endpointIds[], groupId VERIFIED Move endpoints into a group.
createCustomGroup name, parentId? VERIFIED Create a custom group; returns new group id.
deleteEndpoint endpointId VERIFIED (destructive) Remove an endpoint from inventory. CLI-gated behind --confirm.
deleteCustomGroup groupId VERIFIED (destructive) Delete a custom group. CLI-gated behind --confirm.
moveCustomGroup groupId, newParentId VERIFIED Re-parent a custom group.
assignPolicy uncertain UNVERIFIED Assigns an EXISTING policy to endpoints. Param names not confirmed (likely policyId + a targets list). Do NOT use blindly — confirm against archived docs first. raw only.
createReconfigureClientTask uncertain UNVERIFIED Param shape not confirmed. raw only.
createUninstallTask uncertain UNVERIFIED Destructive; param shape not confirmed. raw only.
setEndpointLabel uncertain UNVERIFIED Param shape not confirmed. raw only.

packages (/packages)

Method Params Status Notes
getPackagesList page?, perPage<=100 VERIFIED List installation packages.
createPackage packageName, companyId?, description?, language?, modules?, scanMode?, settings?, roles?, deploymentOptions? VERIFIED Create an installer package. Returns the new package id.
getInstallationLinks packageName, companyId? VERIFIED Returns Windows / Mac / Linux installer download URLs for a package.
deletePackage packageName, companyId? VERIFIED (destructive) Delete a package. CLI-gated behind --confirm.

policies (/policies) — READ ONLY, SHALLOW

Important limitation: The Public API exposes policies only at a shallow level. getPolicyDetails returns id / name / a limited subset of settings — NOT the granular module configuration shown in the console. There is no create / edit / clone policy method in the Public API. You can: list policies, read their names/ids, and (via the UNVERIFIED assignPolicy) assign an existing policy to endpoints. You CANNOT author or modify policy bodies programmatically.

Method Params Status Notes
getPoliciesList page?, perPage? VERIFIED List policies (id, name).
getPolicyDetails policyId VERIFIED Shallow detail only. Not the full config.

quarantine (/quarantine)

Method Params Status Notes
getQuarantineItemsList parentId, page, perPage, filters? VERIFIED List quarantined items under a parent.
createRemoveQuarantineItemTask uncertain UNVERIFIED (destructive) Param shape not confirmed. raw only.
createRestoreQuarantineItemTask uncertain UNVERIFIED Param shape not confirmed. raw only.

incidents (/incidents) — EDR / incident response

The incidents module backs the EDR controls: endpoint isolation, the hash blocklist, and the incident list. READ methods are safe; the state-changing methods (isolate / restore / blocklist add+remove) are CLI-gated behind --confirm. isolate and addToBlocklist / removeFromBlocklist are NEW destructive verbs — the raw subcommand also gates any method whose name contains isolat, addtoblocklist, or removefromblocklist.

Method Params Status Notes
getBlocklistItems companyId?, page?, perPage? VERIFIED LIVE Returns {total, page, perPage, pagesCount, items:[{id, source, sourceInfo, hashType, hash, companyId}]}. Returned 26 items live. perPage defaults to 100 in the CLI. companyId scopes to one company; omit for the whole tenant.
getIncidentsList parentId, page?, perPage (500-10000), filters? UNVERIFIED / possibly unavailable parentId = a company/group id and is REQUIRED. perPage must be 500-10000 (the API rejected 100 with "Invalid value for 'perPage' parameter. The value should be between 500 and 10000"); the CLI defaults it to 500. However, live re-testing on 2026-05-30 returned Method not found for this method on the /incidents module, while getBlocklistItems on the SAME module succeeds in the same request — so this is NOT rate-limiting or a bad key. The method is likely gated behind an EDR/incidents license feature that is OFF on this tenant, or is named differently in this API version. The CLI incidents subcommand is wired up but will surface Method not found until the feature is enabled / the correct name is confirmed.
createIsolateEndpointTask endpointIds[] VERIFIED (destructive) v1.2: takes an ARRAY endpointIds (max 1000), returns an array of task ids. Cuts the endpoint off the network. CLI-gated behind --confirm; the client enforces the 1000-id cap.
createRestoreEndpointFromIsolationTask endpointIds[] VERIFIED (destructive) v1.2: takes an ARRAY endpointIds (max 1000), returns an array of task ids. Un-isolates (reverses createIsolateEndpointTask). CLI-gated behind --confirm; the client enforces the 1000-id cap.
addToBlocklist companyId, hashType, hashList[], sourceInfo, operatingSystems? VERIFIED (destructive) hashType is an int (1 is the common value seen live; see the console / API docs for the full mapping). hashList is an array of hash strings. sourceInfo is a free-text description. CLI-gated behind --confirm.
removeFromBlocklist hashItemId (UNVERIFIED param name) VERIFIED method, UNVERIFIED param Removes one blocklist entry. The param name hashItemId is UNVERIFIED — the id field from getBlocklistItems is the candidate. Confirm against the official API reference before relying on it. CLI-gated behind --confirm; the CLI --id value comes from blocklist output.
changeIncidentStatus uncertain UNVERIFIED Not implemented. raw only.
updateIncidentNote uncertain UNVERIFIED Not implemented. raw only.
createCustomRule uncertain UNVERIFIED Not implemented. raw only.
getCustomRulesList uncertain UNVERIFIED Not implemented. raw only.
deleteCustomRule uncertain UNVERIFIED (destructive) Not implemented. raw only.

Other modules — raw-reachable only

The following modules are reachable via raw --module <name> but have no dedicated CLI methods and no verified signatures here:

  • patchmanagement — raw only. NOTE: the patchmanagement / PHASR license features are OFF on this tenant, so these calls will not return useful data.
  • integrations — raw only, UNVERIFIED.
  • maintenancewindows — raw only, UNVERIFIED.

Verified vs Unverified summary

VERIFIED (CLI-exposed): general.getApiKeyDetails, licensing.getLicenseInfo, companies.getCompanyDetails, network.getNetworkInventoryItems, network.getEndpointsList, network.getManagedEndpointDetails, network.getScanTasksList, network.createScanTask, network.createCustomGroup, network.moveEndpoints, network.moveCustomGroup, network.deleteEndpoint (gated), network.deleteCustomGroup (gated), packages.getPackagesList, packages.createPackage, packages.getInstallationLinks, packages.deletePackage (gated), policies.getPoliciesList, policies.getPolicyDetails, quarantine.getQuarantineItemsList, incidents.getBlocklistItems, incidents.createIsolateEndpointTask (gated), incidents.createRestoreEndpointFromIsolationTask (gated), incidents.addToBlocklist (gated), incidents.removeFromBlocklist (gated; param name UNVERIFIED).

NOTE: incidents.getIncidentsList is wired into the CLI (incidents subcommand) but returned Method not found on live re-test (2026-05-30) — see the incidents module table. Likely a license-gated EDR feature that is OFF on this tenant. Not counted as VERIFIED LIVE.

UNVERIFIED (raw subcommand only — do NOT trust the param shape): network.assignPolicy, network.createReconfigureClientTask, network.createUninstallTask, network.setEndpointLabel, companies.getCompanyDetailsByUser, quarantine.createRemoveQuarantineItemTask, quarantine.createRestoreQuarantineItemTask, incidents.changeIncidentStatus, incidents.updateIncidentNote, incidents.createCustomRule, incidents.getCustomRulesList, incidents.deleteCustomRule (destructive). Whole modules raw-only/UNVERIFIED: patchmanagement (license OFF), integrations, maintenancewindows.

Confirm any UNVERIFIED signature against the official Bitdefender API reference before relying on it. The generic raw --module M --method m --params '<json>' subcommand can call any method once you know the correct params.

Reference in New Issue View Git Blame Copy Permalink