Microsoft Sentinel Analytic Rules

NRT GravityZone Incident Alerts

Id: 73c803aa-1188-45dd-8379-62a3319d3d9f
Rulename: NRT GravityZone Incident Alerts
Description: The query identifies incident-level events received from the GravityZone Data Connector
Severity: Medium
Tactics: LateralMovement
Techniques: T1210
Required data connectors: GravityZoneDataConnector
Kind: NRT
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GravityZone/Analytic Rules/Incidents.yaml
Version: 1.0.0
Arm template: 73c803aa-1188-45dd-8379-62a3319d3d9f.json
ASimAlertEventBitdefenderGravityZone(pack=true)
  | extend IncidentType = case(
      AdditionalFields.Module == "new-incident", "EDR Incident",
      AdditionalFields.Module == "new-extended-incident", "XDR Incident",
      AdditionalFields.Module == "ransomware-mitigation", "Ransomware Mitigation",
      AdditionalFields.Module == "network-sandboxing", "Sandbox Analyzer Detection",
      AdditionalFields.Module == "exchange-malware", "Exchange Malware Detection",
      "Incident"   // fallback value if null or unmatched
    ),
    Tactics = AdditionalFields.AttackTypes
  | project EventUid, EventSeverity, EventStartTime, IncidentType, Tactics, EventVendor, EventProduct, DvcId, DvcIpAddr, DvcHostname, DvcAction, DvcFQDN
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DvcHostname
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: DvcIpAddr
tactics:
- LateralMovement
requiredDataConnectors:
- dataTypes:
  - ASimAlertEventBitdefenderGravityZone
  connectorId: GravityZoneDataConnector
alertDetailsOverride:
  alertDescriptionFormat: |
        Alert generated on {{EventStartTime}} in Bitdefender GravityZone.\n\nGravityZone Incident ID / Alert GUID: {{EventUid}}\n\nPlease check the source for more information and investigate further.
  alertTacticsColumnName: Tactics
  alertDisplayNameFormat: 'GravityZone: {{IncidentType}}'
  alertDynamicProperties:
  - value: EventProduct
    alertProperty: ProductName
  - value: EventVendor
    alertProperty: ProviderName
  alertSeverityColumnName: EventSeverity
id: 73c803aa-1188-45dd-8379-62a3319d3d9f
severity: Medium
status: Available
query: |
  ASimAlertEventBitdefenderGravityZone(pack=true)
    | extend IncidentType = case(
        AdditionalFields.Module == "new-incident", "EDR Incident",
        AdditionalFields.Module == "new-extended-incident", "XDR Incident",
        AdditionalFields.Module == "ransomware-mitigation", "Ransomware Mitigation",
        AdditionalFields.Module == "network-sandboxing", "Sandbox Analyzer Detection",
        AdditionalFields.Module == "exchange-malware", "Exchange Malware Detection",
        "Incident"   // fallback value if null or unmatched
      ),
      Tactics = AdditionalFields.AttackTypes
    | project EventUid, EventSeverity, EventStartTime, IncidentType, Tactics, EventVendor, EventProduct, DvcId, DvcIpAddr, DvcHostname, DvcAction, DvcFQDN  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GravityZone/Analytic Rules/Incidents.yaml
kind: NRT
name: NRT GravityZone Incident Alerts
description: The query identifies incident-level events received from the GravityZone Data Connector
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1210
version: 1.0.0