Azure · gbarbieru · Dec 16, 2025 · Dec 16, 2025 · Dec 16, 2025 · Dec 19, 2025
@@ -0,0 +1,29 @@
+{
+  "Name": "GzSecurityEvents_CL",
+  "Properties": [
+    {
+      "name": "TimeGenerated",
+      "type": "DateTime"
+    },
+    {
+      "name": "start_time",
+      "type": "DateTime"
+    },
+    {
+      "name": "end_time",
+      "type": "DateTime"
+    },
+    {
+      "name": "company_id",
+      "type": "String"
+    },
+    {
+      "name": "module",
+      "type": "String"
+    },
+    {
+      "name": "data",
+      "type": "Dynamic"
+    }
+  ]
+}
@@ -27,10 +27,10 @@
         "displayName": "Alert Event ASIM parser",
         "category": "ASIM",
         "FunctionAlias": "ASimAlertEvent",
-        "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAlertEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimAlertEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(pack:bool=false){\nunion isfuzzy=true\n  vimAlertEventEmpty,\n  ASimAlertEventMicrosoftDefenderXDR (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventMicrosoftDefenderXDR' in (DisabledParsers)))),\n  ASimAlertEventSentinelOneSingularity (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventSentinelOneSingularity' in (DisabledParsers))))\n}; \nparser (pack=pack)\n",
+        "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAlertEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimAlertEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(pack:bool=false){\nunion isfuzzy=true\n  vimAlertEventEmpty,\n  ASimAlertEventBitdefenderGravityZone (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventBitdefenderGravityZone' in (DisabledParsers)))),\n  ASimAlertEventMicrosoftDefenderXDR (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventMicrosoftDefenderXDR' in (DisabledParsers)))),\n  ASimAlertEventSentinelOneSingularity (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventSentinelOneSingularity' in (DisabledParsers))))\n}; \nparser (pack=pack)\n",
         "version": 1,
         "functionParameters": "pack:bool=False"
       }
     }
   ]
-}
+}
@@ -0,0 +1,36 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "Workspace": {
+      "type": "string",
+      "metadata": {
+        "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+      }
+    },
+    "WorkspaceRegion": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "The region of the selected workspace. The default value will use the Region selection above."
+      }
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+      "apiVersion": "2020-08-01",
+      "name": "[concat(parameters('Workspace'), '/ASimAlertEventBitdefenderGravityZone')]",
+      "location": "[parameters('WorkspaceRegion')]",
+      "properties": {
+        "etag": "*",
+        "displayName": "Alert event ASIM parser for Bitdefender GravityZone",
+        "category": "ASIM",
+        "FunctionAlias": "ASimAlertEventBitdefenderGravityZone",
+        "query": "let parser=(disabled:bool=false){\n  let allEvents = GzSecurityEvents_CL\n    | where not(disabled);\n\n  let newIncidentEvents = allEvents\n    | where module == \"new-incident\"\n    | extend d = data\n    // --- Core ASIM fields ---\n    | extend\n      EventVendor = \"Bitdefender\",\n      EventProduct = \"GravityZone\",\n      EventSchema = \"AlertEvent\",\n      EventSchemaVersion = 1,\n      EventType = \"Alert\",\n      EventStartTime = start_time,\n      EventEndTime = end_time,\n      EventUid = tostring(d.incident_id),\n      EventSeverity = case(\n          d.severity == \"low\", \"Low\",\n          d.severity == \"medium\", \"Medium\",\n          d.severity == \"high\", \"High\",\n          \"Low\"   // fallback value if null or unmatched\n      ),\n      EventCount = 1,\n      DvcHostname = d.computer_name,\n      DvcFQDN = d.computer_fqdn,\n      DvcIpAddr = d.computer_ip,\n      DvcId = d.endpointId,\n      DvcAction = replace_string(tostring(d.main_action), \"_\", \" \")\n    // --- Additional (packed) fields ---\n    | extend AdditionalFields = bag_pack(\n      \"SeverityScore\", d.severity_score,\n      \"DetectionName\", d.detection_name,\n      \"FileName\", d.file_name,\n      \"FilePath\", d.file_path,\n      \"FileHashMd5\", d.file_hash_md5,\n      \"FileHashSha256\", d.file_hash_sha256,\n      \"URL\", d.url,\n      \"Port\", d.port,\n      \"Protocol\", d.protocol,\n      \"SourceIp\", d.source_ip,\n      \"ProcessPid\", d.process_pid,\n      \"ProcessPath\", d.process_path,\n      \"ParentProcessPid\", d.parent_process_pid,\n      \"ParentProcessPath\", d.parent_process_path,\n      \"AttackTypes\", d.attack_types,\n      \"AttCkId\", d.att_ck_id,\n      \"ProcessCommandLine\", d.process_command_line,\n      \"Username\", d.username,\n      \"UserSid\", d.user_sid,\n      \"CompanyId\", company_id,\n      \"Module\", module\n    )\n    // Final ASIM projection (keep core + AdditionalFields)\n    | project\n      EventVendor,\n      EventProduct,\n      EventSchema,\n      EventSchemaVersion,\n      EventType,\n      EventStartTime,\n      EventEndTime,\n      EventUid,\n      EventSeverity,\n      EventCount,\n      DvcHostname,\n      DvcFQDN,\n      DvcIpAddr,\n      DvcId,\n      DvcAction,\n      AdditionalFields;  \n\n  let newExtendedIncidentEvents = allEvents\n    | where module == \"new-extended-incident\"\n    | extend d = data\n    // --- Core ASIM fields ---\n    | extend\n      EventVendor = \"Bitdefender\",\n      EventProduct = \"GravityZone\",\n      EventSchema = \"AlertEvent\",\n      EventSchemaVersion = 1,\n      EventType = \"Alert\",\n      EventStartTime = start_time,\n      EventEndTime = end_time,\n      EventUid = tostring(d.incident_id),\n      EventSeverity = case(\n          d.severity == \"low\", \"Low\",\n          d.severity == \"medium\", \"Medium\",\n          d.severity == \"high\", \"High\",\n          \"Low\"   // fallback value if null or unmatched\n      ),\n      EventCount = 1,\n        DvcAction = replace_string(tostring(d.main_action), \"_\", \" \")\n    // --- Additional (packed) fields ---\n    | extend AdditionalFields = bag_pack(\n      \"SeverityScore\", d.severity_score,\n      \"IncidentNumber\", d.incident_number,\n      \"IncidentVersion\", d.version,\n      \"KillchainPhases\", d.killchain_phases,\n      \"LastKillchainPhase\", d.last_killchain_phase,\n      \"AttackTypes\", d.attack_types,\n      \"CorrelatedIncidentIds\", d.correlated_incidents,\n      \"Nodes\", d.nodes,\n      \"CompanyId\", company_id,\n      \"Module\", module\n    )\n    // Final ASIM projection (keep core + AdditionalFields)\n    | project\n      EventVendor,\n      EventProduct,\n      EventSchema,\n      EventSchemaVersion,\n      EventType,\n      EventStartTime,\n      EventEndTime,\n      EventUid,\n      EventSeverity,\n      EventCount,\n      DvcAction,\n      AdditionalFields;\n\n  let ransomwareMitigationEvents = allEvents\n    | where module == \"ransomware-mitigation\"\n    | extend d = data\n    // --- Core ASIM fields ---\n    | extend\n      EventVendor = \"Bitdefender\",\n      EventProduct = \"GravityZone\",\n      EventSchema = \"AlertEvent\",\n      EventSchemaVersion = 1,\n      EventType = \"Alert\",\n      EventStartTime = start_time,\n      EventEndTime = end_time,\n      EventUid = _ItemId,\n      EventSeverity = \"Informational\",\n      EventCount = 1,\n      DvcHostname = d.computer_name,\n      DvcFQDN = d.computer_fqdn,\n      DvcIpAddr = d.computer_ip,\n      DvcId = d.endpointId,\n      DvcAction = \"Blocked\"\n    // --- Additional (packed) fields ---\n    | extend AdditionalFields = bag_pack(\n      \"CompanyId\", company_id,\n      \"CompanyName\", d.company_name,\n      \"AttackType\", d.attack_type, // custom, not MITRE value\n      \"AttackTypes\", dynamic([]), // mandatory MITRE field\n      \"ItemCount\", d.item_count,\n      \"AttackSource\", d.attack_source,\n      \"EndpointProduct\", d.product_installed,\n      \"Module\", module\n    )\n    // Final ASIM projection (keep core + AdditionalFields)\n    | project\n      EventVendor,\n      EventProduct,\n      EventSchema,\n      EventSchemaVersion,\n      EventType,\n      EventStartTime,\n      EventEndTime,\n      EventUid,\n      EventSeverity,\n      EventCount,\n      DvcId,\n      DvcHostname,\n      DvcFQDN,\n      DvcIpAddr,\n      DvcAction,\n      AdditionalFields;\n\n  let networkSandboxingEvents = allEvents\n    | where module == \"network-sandboxing\"\n    | extend d = data\n    // --- Compute required fields for downstream mapping ---\n    | extend MaxRemediationAction = iff(array_length(d.remediationActions) > 0, todouble(array_sort_desc(d.remediationActions)[0]), double(3))\n    // --- Core ASIM fields ---\n    | extend\n      EventVendor = \"Bitdefender\",\n      EventProduct = \"GravityZone\",\n      EventSchema = \"AlertEvent\",\n      EventSchemaVersion = 1,\n      EventType = \"Alert\",\n      EventStartTime = start_time,\n      EventEndTime = end_time,\n      EventUid = tostring(d.submissionId),\n      \n      EventSeverity = case(\n          MaxRemediationAction == 3, \"Low\", // report only\n          MaxRemediationAction == 2, \"Medium\", // move\n          \"High\"// fallback - disinfect or delete\n      ),\n      EventCount = 1,\n      DvcHostname = d.computerName,\n      DvcIpAddr = d.computerIp,\n      DvcId = d.endpointId\n    // --- Additional (packed) fields ---\n    | extend AdditionalFields = bag_pack(\n      \"CompanyId\", company_id,\n      \"DeviceExternalId\", d.deviceExternalId,\n      \"ThreatType\", d.threatType,\n      \"FilePaths\", d.filePaths,\n      \"FileSizes\", d.fileSizes,\n      \"RemediationActions\", d.remediationActions,\n      \"Module\", module\n    )\n    // Final ASIM projection (keep core + AdditionalFields)\n    | project\n      EventVendor,\n      EventProduct,\n      EventSchema,\n      EventSchemaVersion,\n      EventType,\n      EventStartTime,\n      EventEndTime,\n      EventUid,\n      EventSeverity,\n      EventCount,\n      DvcId,\n      DvcHostname,\n      DvcIpAddr,\n      AdditionalFields;\n\n\n  let exchangeMalwareEvents = allEvents\n    | where module == \"exchange-malware\"\n    | extend d = data\n    // --- Core ASIM fields ---\n    | extend\n      EventVendor = \"Bitdefender\",\n      EventProduct = \"GravityZone\",\n      EventSchema = \"AlertEvent\",\n      EventSchemaVersion = 1,\n      EventType = \"Alert\",\n      EventStartTime = start_time,\n      EventEndTime = end_time,\n      EventUid = _ItemId,\n      EventSeverity = \"Informational\",\n      EventCount = 1,\n      DvcHostname = d.computer_name,\n      DvcFQDN = d.computer_fqdn,\n      DvcIpAddr = d.computer_ip,\n      DvcId = d.endpointId,\n      DvcAction = \"Blocked\"\n    // --- Additional (packed) fields ---\n    | extend AdditionalFields = bag_pack(\n      \"CompanyId\", company_id,\n      \"Malware\", d.malware,\n      \"Subject\", d.subject,\n      \"Recipients\", d.recipients,\n      \"Sender\", d.sender,\n      \"ServerName\", d.serverName,\n      \"EndpointProduct\", d.product_installed,\n      \"Module\", module\n    )\n    // Final ASIM projection (keep core + AdditionalFields)\n    | project\n      EventVendor,\n      EventProduct,\n      EventSchema,\n      EventSchemaVersion,\n      EventType,\n      EventStartTime,\n      EventEndTime,\n      EventUid,\n      EventSeverity,\n      EventCount,\n      DvcId,\n      DvcHostname,\n      DvcFQDN,\n      DvcIpAddr,\n      DvcAction,\n      AdditionalFields;\n\n  union newExtendedIncidentEvents, newIncidentEvents, ransomwareMitigationEvents, networkSandboxingEvents, exchangeMalwareEvents\n};\nparser(disabled=disabled)\n",
+        "version": 1,
+        "functionParameters": "disabled:bool=False"
+      }
+    }
+  ]
+}
@@ -0,0 +1,18 @@
+# Bitdefender GravityZone ASIM AlertEvent Normalization Parser
+
+ARM template for ASIM AlertEvent schema parser for Bitdefender GravityZone.
+
+This ASIM parser supports normalizing the Bitdefender GravityZone logs to the ASIM Alert normalized schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AlertEvent normalization schema reference](https://aka.ms/ASimAlertEventDoc)
+
+<br>
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FASimAlertEventBitdefenderGravityZone%2FASimAlertEventBitdefenderGravityZone.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FASimAlertEventBitdefenderGravityZone%2FASimAlertEventBitdefenderGravityZone.json)
@@ -38,6 +38,26 @@
         }
       }
     },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedASimAlertEventBitdefenderGravityZone",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAlertEvent/ARM/ASimAlertEventBitdefenderGravityZone/ASimAlertEventBitdefenderGravityZone.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "Workspace": {
+            "value": "[parameters('Workspace')]"
+          },
+          "WorkspaceRegion": {
+            "value": "[parameters('WorkspaceRegion')]"
+          }
+        }
+      }
+    },
     {
       "type": "Microsoft.Resources/deployments",
       "apiVersion": "2020-10-01",
@@ -160,4 +180,4 @@
     }
   ],
   "outputs": {}
-}
+}