Microsoft Sentinel Analytic Rules

NRT GravityZone Incident Alerts

Id: 73c803aa-1188-45dd-8379-62a3319d3d9f
Rulename: NRT GravityZone Incident Alerts
Description: The query identifies incident-level events received from the GravityZone Data Connector
Severity: Medium
Tactics: LateralMovement
Techniques: T1210
Required data connectors: GravityZoneDataConnector
Kind: NRT
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GravityZone/Analytic Rules/Incidents.yaml
Version: 1.0.0
Arm template: 73c803aa-1188-45dd-8379-62a3319d3d9f.json
query: |
  ASimAlertEventBitdefenderGravityZone(pack=true)
    | extend IncidentType = case(
        AdditionalFields.Module == "new-incident", "EDR Incident",
        AdditionalFields.Module == "new-extended-incident", "XDR Incident",
        AdditionalFields.Module == "ransomware-mitigation", "Ransomware Mitigation",
        AdditionalFields.Module == "network-sandboxing", "Sandbox Analyzer Detection",
        AdditionalFields.Module == "exchange-malware", "Exchange Malware Detection",
        "Incident"   // fallback value if null or unmatched
      ),
      Tactics = AdditionalFields.AttackTypes
    | project EventUid, EventSeverity, EventStartTime, IncidentType, Tactics, EventVendor, EventProduct, DvcId, DvcIpAddr, DvcHostname, DvcAction, DvcFQDN  
status: Available
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GravityZone/Analytic Rules/Incidents.yaml
description: The query identifies incident-level events received from the GravityZone Data Connector
tactics:
- LateralMovement
alertDetailsOverride:
  alertTacticsColumnName: Tactics
  alertDynamicProperties:
  - alertProperty: ProductName
    value: EventProduct
  - alertProperty: ProviderName
    value: EventVendor
  alertDisplayNameFormat: 'GravityZone: {{IncidentType}}'
  alertSeverityColumnName: EventSeverity
  alertDescriptionFormat: |
        Alert generated on {{EventStartTime}} in Bitdefender GravityZone.\n\nGravityZone Incident ID / Alert GUID: {{EventUid}}\n\nPlease check the source for more information and investigate further.
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DvcHostname
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: DvcIpAddr
requiredDataConnectors:
- connectorId: GravityZoneDataConnector
  dataTypes:
  - ASimAlertEventBitdefenderGravityZone
kind: NRT
relevantTechniques:
- T1210
version: 1.0.0
name: NRT GravityZone Incident Alerts
id: 73c803aa-1188-45dd-8379-62a3319d3d9f
severity: Medium