
@gbarbieru

Change(s):
- Creating a Sentinel solution for Bitdefender GravityZone. This solution uses a push-based approach with just a DCR, a DCE, a custom table and an App registration with credentials to push data to Sentinel. An analytic rule that uses custom ASIM parsers is used to generate Incidents.

Reason for Change(s):

  • New Sentinel solution

Version Updated:

  • No. Version 3.0.0 is the initial version.

Testing Completed:

  • Yes

Checked that the validations are passing and have addressed any issues that are present:
Before going into this topic I want to disclose that development in my team is done on Linux workstations and the available tooling and guides offered by Microsoft kinda lack in this department. Local YAML testing was eventually achieved, but KQL validation failed. Due to time constraints, additional effort in making them work in Linux environments was abandoned and testing was eventually done on Microsoft Sentinel accounts via end-to-end testing.

  • KQL: Tested using smoke tests directly on a Microsoft Sentinel account. No issues so far. Failed to test locally.
  • YAML: Some issues are reported on the JSON that was compiled from bicep (data connector deployment template), but no issues were present when actually deploying and using the data connector.
**Notes**
- If/when the PR is approved for merge please hold off for an approval from us. We want the solution to actually go to market with something on our part (GravityZone).
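The push path the description outlines, as an added example that is not code from this PR or from the GravityZone solution: a client holding the App registration's credentials obtains a token for the Logs Ingestion API and POSTs JSON records to the DCE, addressed by the DCR's immutable id and the custom table's stream name. The DCE hostname, DCR id, stream name, tenant and the sample events are assumed placeholders.

```python
# Added example: push-style ingestion into a Sentinel custom table through a DCE + DCR.
# Hostnames, ids, stream name and events below are constructed placeholders.
import json
import urllib.parse
import urllib.request

API_VERSION = "2023-01-01"                          # Logs Ingestion API version
TOKEN_SCOPE = "https://monitor.azure.com/.default"  # audience of the Logs Ingestion API
MAX_BODY_BYTES = 1_000_000                          # documented 1 MB per-call payload limit

def ingest_url(dce_endpoint: str, dcr_immutable_id: str, stream_name: str) -> str:
    """URL for one DCR stream; custom tables are addressed as Custom-<Table>_CL."""
    return (f"{dce_endpoint.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
            f"/streams/{stream_name}?api-version={API_VERSION}")

def build_ingest_request(dce_endpoint, dcr_immutable_id, stream_name, token, events):
    """Validate the batch and return (url, headers, body) for the POST.
    Assumes the DCR passes TimeGenerated through, so every record must carry it."""
    for i, ev in enumerate(events):
        if "TimeGenerated" not in ev:
            raise ValueError(f"record {i} lacks TimeGenerated")
    body = json.dumps(events).encode("utf-8")
    if len(body) > MAX_BODY_BYTES:
        raise ValueError(f"batch is {len(body)} bytes; split it below {MAX_BODY_BYTES}")
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return ingest_url(dce_endpoint, dcr_immutable_id, stream_name), headers, body

def client_credentials_token(tenant_id, client_id, client_secret):
    """OAuth2 client-credentials grant for the App registration (network call)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": TOKEN_SCOPE}).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=form)) as resp:
        return json.load(resp)["access_token"]

def push_events(url, headers, body):
    """POST the batch to the DCE; the service answers 204 No Content on success."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status

# Constructed sample batch shaped like a generic endpoint-security event; not a real schema.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2025-12-11T13:00:00Z", "EventType": "AntiMalware",
     "Host": "WS-0042", "Severity": "High", "Action": "Blocked"},
    {"TimeGenerated": "2025-12-11T13:00:05Z", "EventType": "NetworkAttack",
     "Host": "WS-0042", "Severity": "Medium", "Action": "Reported"},
]
```

The App registration needs the Monitoring Metrics Publisher role on the DCR for the POST to be accepted; the token alone is not sufficient.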

CrashCringle12 and others added 30 commits November 14, 2025 09:28
The azuredeploy.json referred to AbuseIPDB as AuseIPDB.
Previous link was no longer available, use updated img url for logo
3 new playbooks to the sentinel soar solution
Added three new playbooks (Http-Trigger-Entity-Analyzer, Incident-Trigger-Entity-Analyzer, Url-Trigger-Entity-Analyzer) to the solution. Updated solution version to 3.0.4, incremented playbook and workbook counts, and included the new package zip. Also updated workbook version and playbook template descriptions to reflect the new release.
- Added 'Informational' severity level with value 3 to SeverityMap
- Updated deployment templates (azuredeploy.json, azuredeploy.bicep)
- Updated function app configuration and data connector metrics
- Updated mainTemplate.json with Informational severity alerts query
- Updated ReleaseNotes.md with version 3.0.3
- Changed publisherId in SolutionMetadata.json to a new identifier.
- Updated logo URL in Solution_Cyera.json and createUiDefinition.json to point to the correct image.
- Modified data collection endpoint ID and workspace resource ID parameters in CyeraDSPM_DCR.json and mainTemplate.json for better resource referencing.
- Corrected spelling of "received" in multiple descriptions for clarity.
- Removed outdated install-pack-v0_7_3.zip file.
- Updated solutionId in mainTemplate.json to reflect the new publisherId.
… enable WebSocket connection, as per discussion with PoD engineering team, this is causing data duplication
Fix additional typos in AbuseIPDB Teams playbook
v-dvedak and others added 16 commits December 10, 2025 10:59
3 new playbooks for the sentinel SentinelSOARessentials solution
…-ttk

Fix arm-ttk failures for ProofpointTAP
Fix Azure Firewall template URI casing in deployment
…#13285)

Deleted the 'hidden-SentinelWorkspaceId' tag from azuredeploy.json files in all Microsoft Defender Threat Intelligence playbooks. This streamlines template metadata and removes hardcoded workspace references.
…nformational-severity

Added support for Informational alert severity
@github-actions
Contributor

🔒 Security Approval Required

This fork PR requires manual approval before automated testing can run.

For security, a maintainer must:

  1. 📝 Review the code changes carefully
  2. Verify file types - This PR should only contain .yml, .yaml, or .json files. Check for any executable scripts (.ps1, .py, .sh, .exe, etc.) which are not allowed in this context.
  3. 🏷️ Add the SafeToRun label if the changes are safe to execute

Note: If new commits are added later, simply remove and re-add the SafeToRun label.


🤖 Automated security check • Created: 2025-12-11T13:23:47.021Z
Learn more: GitHub Security Lab - Preventing PWN Requests

@gbarbieru gbarbieru requested review from a team as code owners December 11, 2025 13:34

@ashantyk

Just did a rebase and it seems GitHub just went crazy with this PR. I'll have to delete the branch and PR and start over.

On the topic of keeping the ASIM modification separate: how important is it for the first release?
We are using a private repo for the actual code and the CI/CD pipeline just creates a branch on the forked repo on an action.
Altering it to make detections/decisions and create separate PRs would take time, and I'm not sure the time is justified if we just keep an eye out for next PRs just to be punctual.

@gbarbieru
Author

new PR: #13299

@gbarbieru gbarbieru closed this Dec 11, 2025
@gbarbieru gbarbieru deleted the gravityzone-solution-v3.0.0 branch December 11, 2025 14:01

Labels

ASIM New Solution For new Solutions which are new to Microsoft Sentinel
