Conversation

@gbarbieru

Change(s):
- Creating a Sentinel solution for Bitdefender GravityZone. This solution uses a push-based approach that needs only a DCR, a DCE, a custom table and an App registration with credentials to push data to Sentinel. An analytic rule that uses custom ASIM parsers is used to generate Incidents.

Reason for Change(s):

  • New Sentinel solution

Version Updated:

  • No. Version 3.0.0 is the initial version.

Testing Completed:

  • Yes

Checked that the validations are passing and have addressed any issues that are present:
Before going into this topic I want to disclose that development in my team is done on Linux workstations, and the available tooling and guides offered by Microsoft kinda lack in this department. Local YAML testing was eventually achieved, but KQL validation failed. Due to time constraints, additional effort in making them work in Linux environments was abandoned and testing was eventually done on Microsoft Sentinel accounts via end-to-end testing.

  • KQL: Tested using smoke tests directly on a Microsoft Sentinel account. No issues so far. Failed to test locally.
  • YAML: Some issues are reported on the JSON that was compiled from bicep (data connector deployment template), but no issues were present when actually deploying and using the data connector.
**Notes**
- If/when the PR is approved for merge please hold off for an approval from us. We want the solution to actually go to market with something on our part (GravityZone).
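As an added illustration of the push-based flow the description outlines (example code, not part of this PR or the GravityZone solution): an Entra app registration authenticates with client credentials, vendor events are normalised onto the custom table's columns, and batches are posted to a DCE/DCR stream. The DCE URI, DCR immutable id, stream name and vendor event fields are assumed values.

```python
# Added example (not code from this PR): push ingestion via an Entra app registration
# and a DCE/DCR stream. DCE URI, DCR immutable id, stream name and the vendor event
# fields are assumed values; send each Request with urllib.request.urlopen().
import json
import urllib.parse
import urllib.request

SCOPE = "https://monitor.azure.com//.default"  # token audience for the Logs Ingestion API
MAX_BODY_BYTES = 1_000_000                      # the API rejects request bodies over 1 MB
COMPACT = (",", ":")                            # compact JSON keeps batch sizes predictable


def token_request(tenant_id: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Client-credentials grant; the secret belongs to the app registration the PR mentions."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "scope": SCOPE}).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    return urllib.request.Request(url, data=body, method="POST")


def normalize(event: dict) -> dict:
    """Map an assumed vendor alert onto the columns the DCR stream declares.
    Every record needs TimeGenerated, otherwise the DCR transformation drops it."""
    return {
        "TimeGenerated": event["created_at"],
        "AlertName": event["name"],
        "Severity": event["severity"],
        "Tactics": ",".join(event.get("mitre_tactics", [])),  # a rule can read this column via
        "Hostname": event["endpoint"],                         # alertDetailsOverride.alertTacticsColumnName
    }


def chunk_records(records: list, limit: int = MAX_BODY_BYTES) -> list:
    """Split records into JSON arrays that each stay within the per-request body limit."""
    batches, current, size = [], [], 2  # 2 bytes for the enclosing "[]"
    for rec in records:
        rec_len = len(json.dumps(rec, separators=COMPACT).encode()) + 1  # +1 for the comma
        if current and size + rec_len > limit:
            batches.append(current)
            current, size = [], 2
        current.append(rec)
        size += rec_len
    if current:
        batches.append(current)
    return batches


def ingest_request(dce_uri: str, dcr_id: str, stream: str, batch: list, token: str) -> urllib.request.Request:
    """One POST to the DCR stream; send one request per batch from chunk_records()."""
    url = f"{dce_uri}/dataCollectionRules/{dcr_id}/streams/{stream}?api-version=2023-01-01"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return urllib.request.Request(url, data=json.dumps(batch, separators=COMPACT).encode(),
                                  headers=headers, method="POST")
```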

@gbarbieru gbarbieru requested review from a team as code owners December 11, 2025 13:56
@github-actions

🔒 Security Approval Required

This fork PR requires manual approval before automated testing can run.

For security, a maintainer must:

  1. 📝 Review the code changes carefully
  2. Verify file types - This PR should only contain .yml, .yaml, or .json files. Check for any executable scripts (.ps1, .py, .sh, .exe, etc.) which are not allowed in this context.
  3. 🏷️ Add the SafeToRun label if the changes are safe to execute

Note: If new commits are added later, simply remove and re-add the SafeToRun label.


🤖 Automated security check • Created: 2025-12-11T13:56:42.474Z
Learn more: GitHub Security Lab - Preventing PWN Requests

@v-shukore v-shukore added the New Solution For new Solutions which are new to Microsoft Sentinel label Dec 12, 2025

@v-atulyadav

Hi @gbarbieru,
Please raise a separate PR for ASIM. Also, please revert (uncommit) the changes made to the tools. Thanks

@gbarbieru

@v-atulyadav I will open a separate PR for the ASIM rules.
I would also greatly appreciate it if you could tweak the GitHub Actions to not do commits on my behalf when they shouldn't (talking about the commit you want me to revert; that wasn't actually mine).
It seems they currently do more harm than good in their current state (not sure if it's a general problem or just when working with forks).

@gbarbieru gbarbieru force-pushed the gravityzone-solution-v3.0.0-take-2 branch from d349653 to a845d85 Compare December 16, 2025 12:30
@gbarbieru

#13330 PR for ASim parsers

@v-atulyadav

Hi @gbarbieru,
Since you’ve already opened a new PR for the ASIM files, please remove these files from this PR. Thanks


@gbarbieru

Hi @v-atulyadav,
I removed the ASIM-related files from this PR.

@gbarbieru

Questions about: https://github.com/Azure/Azure-Sentinel/actions/runs/20306048443/job/58524457107

  1. Should I simply add the connector name to that list?
  2. Regarding the tactics fields: how do I pass that validation? We want the tactics to actually be fetched from a column value (alertDetailsOverride.alertTacticsColumnName), not hardcoded in the definition.

@gbarbieru

Not sure what to do about this one: https://github.com/Azure/Azure-Sentinel/actions/runs/20306048361/job/58524455490?pr=13299. Should I wait for the ASIM PR merge?

@v-atulyadav

v-atulyadav commented Dec 26, 2025

Hi @gbarbieru,

  1. For the KQL failure, please add the table definition in the path mentioned below. Thanks

     https://github.com/Azure/Azure-Sentinel/tree/master/.script/tests/KqlvalidationsTests/CustomFunctions

  2. The offer ID must include the sentinel word and must not mention any test offer.
  3. Logo validation failed for the following item(s).
  4. Detection validation also failed for the following. Please add the connector ID to the path specified below.

     https://github.com/Azure/Azure-Sentinel/blob/master/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json

  5. Tactics and relevant Techniques should not be blank, please refer below for the same.

     https://github.com/Azure/Azure-Sentinel/wiki/Query-Style-Guide

@gbarbieru

Hi @v-atulyadav,

  1. Are you sure we don't need the ASIM PR to get merged first? I see the same kind of functions (e.g. ASimAlertEventMicrosoftDefenderXDR) that don't have a file defined in that path.

  2. working on a non-test offer id

  3. fixed

  4. fixed

  5. fixed

@rvirjoghe-bd

Minor fix for tactics field

@v-atulyadav

Hi @gbarbieru,

  1. For detection template schema validation, please modify the tactics and techniques in the rule to match the required format below.
  2. Logo validation failed for the item(s) below. Please review and update accordingly.
  3. Solution validation: Could you please update the Sentinel keyword to Microsoft Sentinel? The same change should also be applied inside the ZIP file.

@rvirjoghe-bd

Fixed branding issue
