Azure · gbarbieru · Dec 11, 2025 · Dec 8, 2025 · Dec 11, 2025 · Dec 11, 2025
@@ -0,0 +1,29 @@
+{
+  "Name": "GzSecurityEvents_CL",
+  "Properties": [
+    {
+      "name": "TimeGenerated",
+      "type": "DateTime"
+    },
+    {
+      "name": "start_time",
+      "type": "DateTime"
+    },
+    {
+      "name": "end_time",
+      "type": "DateTime"
+    },
+    {
+      "name": "company_id",
+      "type": "String"
+    },
+    {
+      "name": "module",
+      "type": "String"
+    },
+    {
+      "name": "data",
+      "type": "Dynamic"
+    }
+  ]
+}
@@ -102,6 +102,7 @@
   "GoogleSCCDefinition",
   "GWorkspaceRAPI",
   "GoogleWorkspaceReportsAPI",
+  "GravityZoneDataConnector",
   "GreyNoise2SentinelAPI",
   "IdentityInfo",
   "ImpervaWAFCloudAPI",

@@ -0,0 +1,48 @@
+id: 73c803aa-1188-45dd-8379-62a3319d3d9f
+name: NRT GravityZone Incident Alerts
+description: The query identifies incident-level events received from the GravityZone Data Connector
+version: 1.0.0
+kind: NRT
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: GravityZoneDataConnector
+    dataTypes:
+      - ASimAlertEventBitdefenderGravityZone
+tactics: [LateralMovement]
+relevantTechniques: [T1210]
+query: |
+  ASimAlertEventBitdefenderGravityZone
+    | extend IncidentType = case(
+        AdditionalFields.Module == "new-incident", "EDR Incident",
+        AdditionalFields.Module == "new-extended-incident", "XDR Incident",
+        AdditionalFields.Module == "ransomware-mitigation", "Ransomware Mitigation",
+        AdditionalFields.Module == "network-sandboxing", "Sandbox Analyzer Detection",
+        AdditionalFields.Module == "exchange-malware", "Exchange Malware Detection",
+        "Incident"   // fallback value if null or unmatched
+      ),
+      Tactics = AdditionalFields.AttackTypes
+    | project EventUid, EventSeverity, EventStartTime, IncidentType, Tactics, EventVendor, EventProduct, DvcId, DvcIpAddr, DvcHostname, DvcAction, DvcFQDN
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: DvcHostname
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: DvcIpAddr
+alertDetailsOverride:
+  alertSeverityColumnName: EventSeverity
+  alertDisplayNameFormat: 'GravityZone: {{IncidentType}}'
+  alertDescriptionFormat: |
+    Alert generated on {{EventStartTime}} in Bitdefender GravityZone.\n\nGravityZone Incident ID / Alert GUID: {{EventUid}}\n\nPlease check the source for more information and investigate further.
+  alertTacticsColumnName: Tactics
+  alertDynamicProperties:
+    - alertProperty: ProductName
+      value: EventProduct
+    - alertProperty: ProviderName
+      value: EventVendor
+
@@ -0,0 +1,93 @@
+{
+    "id": "GravityZoneDataConnector",
+    "title": "GravityZone Data Connector",
+    "publisher": "Bitdefender",
+    "descriptionMarkdown": "This connector enables integration between **Bitdefender GravityZone** and **Microsoft Sentinel** through the **Event Push Service API**. Once configured, it streams all GravityZone event types directly into your Microsoft Sentinel workspace, where they are stored as logs in the `GzSecurityEvents_CL` table.\n\nKey event categories such as **EDR, XDR, ransomware mitigation, network sandboxing, and Exchange malware events** can be automatically correlated and generate incidents through the **NRT GravityZone Incident Alerts** analytics rule.",
+    "graphQueries": [
+        {
+            "metricName": "Total events received",
+            "legend": "Events",
+            "baseQuery": "GzSecurityEvents_CL"
+        }
+    ],
+    "sampleQueries": [
+        {
+            "description": "Get Sample Events",
+            "query": "GzSecurityEvents_CL\n | take 10"
+        }
+    ],
+    "dataTypes": [
+        {
+            "name": "GzSecurityEvents_CL",
+            "lastDataReceivedQuery": "GzSecurityEvents_CL\n | summarize Time = max(TimeGenerated)"
+        }
+    ],
+    "connectivityCriterias": [
+        {
+            "type": "IsConnectedQuery",
+            "value": [
+                "GzSecurityEvents_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
+            ]
+        }
+    ],
+    "availability": {
+        "status": 1,
+        "isPreview": false
+    },
+    "permissions": {
+        "resourceProvider": [
+            {
+                "provider": "Microsoft.OperationalInsights/workspaces",
+                "permissionsDisplayText": "read and write permissions on the workspace are required.",
+                "providerDisplayName": "Workspace",
+                "scope": "Workspace",
+                "requiredPermissions": {
+                    "write": true,
+                    "read": true,
+                    "delete": true
+                }
+            },
+            {
+                "provider": "Microsoft.Insights/DataCollectionRules",
+                "permissionsDisplayText": "read and write permissions to create data collection rules are required.",
+                "providerDisplayName": "Data Collection Rule",
+                "scope": "ResourceGroup",
+                "requiredPermissions": {
+                    "Write": true,
+                    "Read": true,
+                    "Delete": false
+                }
+            },
+            {
+                "provider": "Microsoft.Insights/DataCollectionEndpoints",
+                "permissionsDisplayText": "read and write permissions to create data collection endpoints are required.",
+                "providerDisplayName": "Data Collection Endpoint",
+                "scope": "ResourceGroup",
+                "requiredPermissions": {
+                    "Write": true,
+                    "Read": true,
+                    "Delete": false
+                }
+            }
+        ],
+        "customs": [
+            {
+                "name": "Azure App Registration",
+                "description": "Microsoft Entra App Registration with the following details retained Directory (Tenant) ID, Application (Client) ID, Managed Service Principal Object ID (from the Enterprise Applications entry of the app), Client Secret (generated under Certificates & secrets)."
+            },
+            {
+                "name": "GravityZone Cloud Account",
+                "description": "A GravityZone Cloud account with a generated API key for the Event Push Service endpoint."
+            },
+            {
+                "name": "Read our guide",
+                "description": "Follow this step-by-step article to set up the integration. [Customers](https://www.bitdefender.com/business/support/en/77209-1455218-integrate-gravityzone-with-azure-sentinel.html) | [Partners](https://www.bitdefender.com/business/support/en/77211-1455218-integrate-gravityzone-with-azure-sentinel.html)"
+            }
+        ]
+    },
+    "instructionSteps": [
+        {
+            "description": "1. Click the **Deploy to Azure** button below and fill in the required parameters. \n\n\t\n\n[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-gravityzone-azuredeploy)\n\n2. Collect the **Logs Ingestion** URL from `gz-sentinel-dce` [Data Collection Endpoint](https://portal.azure.com/#view/HubsExtension/BrowseResource.ReactView/resourceType/microsoft.insights%2Fdatacollectionendpoints)\n\n3. Collect the **Immutable ID** from `gz-sentinel-dcr` [Data Collection Rule](https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionrules)\n\n4. Go to your GravityZone Cloud account and navigate to **My Account**. Create an API key with **Event Push Service** permissions.\n\n5. Configure your **Event Push Service** settings using this article. [Customers](https://www.bitdefender.com/business/support/en/77209-1455218-integrate-gravityzone-with-azure-sentinel.html#UUID-5e8bbfa1-7892[%E2%80%A6]-2427-abd6f930e8c2) | [Partners](https://www.bitdefender.com/business/support/en/77211-1455218-integrate-gravityzone-with-azure-sentinel.html#UUID-5e8bbfa1-7892[%E2%80%A6]-2427-abd6f930e8c2).\n\n**Please note that after the successful deployment of the Data Connector & successful setup of GravityZone's Event Push Service, the system will receive Activity Log data in near-real-time. A short delay may occur between data transmission and its appearance in the Microsoft Sentinel Logs section.**"
+        }
+    ]
+}