Gravityzone Solution v3.0.0 #13299

Open
gbarbieru wants to merge 25 commits into Azure:master from bitdefender:gravityzone-solution-v3.0.0-take-2

Conversation

@gbarbieru

Change(s):
- Creating a Sentinel solution for Bitdefender GravityZone. This solution uses a push-based approach using just a DCR, a DCE, custom table and an App registration with credentials to push data to Sentinel. An analytic rule that uses custom ASIM parsers is used to generate Incidents.

Reason for Change(s):

  • New Sentinel solution

Version Updated:

  • No. Version 3.0.0 is the initial version.

Testing Completed:

  • Yes

Checked that the validations are passing and have addressed any issues that are present:
Before going into this topic I want to disclose that development in my team is done on Linux workstations and the available tooling and guides offered by Microsoft kinda lack in this department. Local YAML testing was eventually achieved, but KQL validation failed. Due to time constraints additional effort in making them work in Linux environments was abandoned and testing was eventually done on Microsoft Sentinel accounts via end-to-end testing.

  • KQL: Tested using smoke tests directly on a Microsoft Sentinel account. No issues so far. Failed to test locally.
  • YAML: Some issues are reported on the JSON that was compiled from bicep (data connector deployment template), but no issues were present when actually deploying and using the data connector.
**Notes**
- If/when the PR is approved for merge please hold off for an approval from us. We want the solution to actually go to market with something on our part (GravityZone).
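As an added illustration (not code from this PR or from Bitdefender), this sketches the request shape behind the push-based design described above: an app registration obtains a client-credentials token for Azure Monitor, then posts JSON batches to the DCE for the DCR's custom-table stream. The DCE host, DCR immutable ID and stream name are placeholders.

```python
"""Request construction for the Azure Monitor Logs Ingestion API,
the path a DCE/DCR push connector uses to land data in a custom table.
Example code; host, DCR id and stream name below are placeholders."""
import json
from typing import Dict, Iterator, List
from urllib.parse import urlencode

# Placeholders (not from the PR): the real DCE host, DCR immutable ID
# and Custom-<table>_CL stream name come from the deployed solution.
DCE_HOST = "example-dce.eastus-1.ingest.monitor.azure.com"
DCR_IMMUTABLE_ID = "dcr-00000000000000000000000000000000"
STREAM_NAME = "Custom-GravityZoneEvents_CL"
API_VERSION = "2023-01-01"
MAX_BODY_BYTES = 1_000_000  # the API accepts at most 1 MB per call


def token_request(tenant_id: str, client_id: str, client_secret: str) -> Dict[str, str]:
    """Form body for the client-credentials grant the app registration uses.
    Least privilege: the app only needs the 'Monitoring Metrics Publisher'
    role on the DCR, nothing on the workspace itself."""
    return {
        "url": f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        "body": urlencode({
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
            "scope": "https://monitor.azure.com/.default",
        }),
    }


def ingestion_url() -> str:
    """POST target: the DCE routes to the DCR, which maps the stream to the table."""
    return (f"https://{DCE_HOST}/dataCollectionRules/{DCR_IMMUTABLE_ID}"
            f"/streams/{STREAM_NAME}?api-version={API_VERSION}")


def batches(records: List[dict], limit: int = MAX_BODY_BYTES) -> Iterator[bytes]:
    """Yield compact JSON-array bodies that each stay within `limit` bytes,
    so a burst of events is split instead of rejected with 413."""
    batch: List[dict] = []
    size = 2  # the enclosing '[' and ']'
    for rec in records:
        enc = len(json.dumps(rec, separators=(",", ":")).encode()) + 1  # + comma
        if batch and size + enc > limit:
            yield json.dumps(batch, separators=(",", ":")).encode()
            batch, size = [], 2
        if enc + 2 > limit:
            raise ValueError("single record exceeds the per-call limit")
        batch.append(rec)
        size += enc
    if batch:
        yield json.dumps(batch, separators=(",", ":")).encode()
```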

@gbarbieru gbarbieru requested review from a team as code owners December 11, 2025 13:56
@github-actions
Contributor

🔒 Security Approval Required

This fork PR requires manual approval before automated testing can run.

For security, a maintainer must:

  1. 📝 Review the code changes carefully
  2. Verify file types - This PR should only contain .yml, .yaml, or .json files. Check for any executable scripts (.ps1, .py, .sh, .exe, etc.) which are not allowed in this context.
  3. 🏷️ Add the SafeToRun label if the changes are safe to execute

Note: If new commits are added later, simply remove and re-add the SafeToRun label.


🤖 Automated security check • Created: 2025-12-11T13:56:42.474Z
Learn more: GitHub Security Lab - Preventing PWN Requests

@v-shukore v-shukore added the New Solution For new Solutions which are new to Microsoft Sentinel label Dec 12, 2025

@v-atulyadav
Collaborator

Hi @gbarbieru,
Please raise a separate PR for ASIM. Also, please revert (uncommit) the changes made to the tools. Thanks
[screenshot]

@gbarbieru
Author

@v-atulyadav I will open a separate PR for the ASIM rules.
I would also greatly appreciate it if you could tweak the GitHub Actions to not do commits on my behalf when they shouldn't (talking about the commit you want me to revert - that wasn't actually mine).
It seems they currently do more harm than good in their current state (not sure if it's a general problem or just when working with forks).


@gbarbieru gbarbieru force-pushed the gravityzone-solution-v3.0.0-take-2 branch from d349653 to a845d85 Compare December 16, 2025 12:30

@gbarbieru
Author

#13330 PR for ASim parsers

@v-atulyadav
Collaborator

Hi @gbarbieru,
Since you’ve already opened a new PR for the ASIM files, please remove these files from this PR. Thanks

[screenshot]

@gbarbieru
Author

Hi @v-atulyadav,
I've removed the ASIM related files from this PR.

@gbarbieru
Author

Qs about: https://github.com/Azure/Azure-Sentinel/actions/runs/20306048443/job/58524457107

  1. Should I simply add the connector name to that list?
  2. Regarding the tactics fields: how to pass that validation? It is wanted that the tactics actually get fetched from a column value (alertDetailsOverride.alertTacticsColumnName), not hardcoded in the definition.

@gbarbieru
Author

Hi @v-atulyadav,

  1. Are you sure we don't need the ASIM PR to get merged first? I see the same kind of functions (e.g. ASimAlertEventMicrosoftDefenderXDR) that don't have a file defined in that path.

  2. Working on a non-test offer id.

  3. Fixed.

  4. Fixed.

  5. Fixed.

@rvirjoghe-bd

Minor fix for tactics field

@v-atulyadav
Collaborator

Hi @gbarbieru,

  1. For detection template schema validation, please modify the tactics and techniques in the rule to match the required format below.
     [screenshot]
  2. Logo validation failed for the item(s) below. Please review and update accordingly.
     [screenshot]
  3. Solution validation: Could you please update the Sentinel keyword to Microsoft Sentinel? The same change should also be applied inside the ZIP file.
     [screenshot]

@rvirjoghe-bd

Fixed branding issue

@rvirjoghe-bd

Can you please trigger another test run?

@rvirjoghe-bd

@v-atulyadav Seems like we still get the following error even though we added a GUID-like id to the logo:
"Logo Validation Failed. File path: Logos/Bitdefender.svg. Error message: Id should be GUID format and uniquely identifiable."

@v-atulyadav
Collaborator

Hi @gbarbieru, @rvirjoghe-bd, please remove the id properties from the tag below.

[screenshot]

@v-atulyadav
Collaborator

Hi @gbarbieru,
Could you please grant me access to your branch so I can push a few commits to fix the validation issues? Meanwhile, please upload the custom function as mentioned earlier to the path below for resolving the KQL error.
https://github.com/Azure/Azure-Sentinel/tree/master/.script/tests/KqlvalidationsTests/CustomFunctions
[screenshot]

@gbarbieru
Author

Hi @v-atulyadav,
I've requested the IT department to add you to our fork.

Regarding the custom function part: I've asked a question that I didn't get an answer to:
[screenshot]

If you missed the question and I truly have to create that file, I will.

@v-atulyadav
Collaborator

> hi @v-atulyadav, i've requested the IT department to add you to our fork.
>
> regarding the custom function part: i've asked a question that i didn't get an answer to: [screenshot]
>
> if you missed the question and i truly have to create that file, i will

No need to merge ASIM PR before this PR.

@gbarbieru
Author

@v-atulyadav added the CustomFunctions file

@gbarbieru
Author

@v-atulyadav You should have received an invite to our fork; please check your email or GitHub notifications.

@v-atulyadav
Collaborator

v-atulyadav commented Feb 5, 2026

Hi @gbarbieru,
All checks have been cleared, and I’ve accepted the branch access invitation. I’ll verify whether I’m able to commit now and will also test the content. Meanwhile, could you please share a screenshot of a successfully running connector along with the invocation logs? Also, please confirm that the analytical rule is running successfully. Thanks

@gbarbieru
Author

@v-atulyadav Working on those screenshots. Please note that this PR depends on #13330, which is still failing due to various errors not in our control.

@gbarbieru
Author

[screenshots: 2026-02-06 15-30-00, 2026-02-06 15-09-31]

Screenshots from the data connector and incidents generated by the analytic rule.

Could you be more precise on what you mean by invocation logs, or where to find them? So far I only have deployment logs saved.

@gbarbieru
Author

[screenshot: 2026-02-09 11-55-28]
