What Changed
Released the Microsoft Sentinel solution for Bitdefender GravityZone, version 3.0.1, which introduces a new NRT (Near Real Time) analytic rule template built on ASIM-normalized alert data. The solution uses a push-based DCR (Data Collection Rule) architecture with the custom table GzSecurityEvents_CL for direct log ingestion from GravityZone deployments.
Data Source
Bitdefender GravityZone is an enterprise security platform providing:
- Endpoint Detection and Response (EDR): Host-based threat hunting and incident response
- Extended Detection and Response (XDR): Cross-domain correlation and kill chain analysis
- Anti-ransomware protection: Real-time file system monitoring and process blocking
- Network sandbox analysis: Dynamic malware inspection of suspicious files
- Exchange security: Email-borne threat detection and mitigation
Ingestion Mechanism
DCR-based push ingestion authenticated with an Azure App Registration. GravityZone agents and sensors forward security events directly to Microsoft Sentinel through a Data Collection Endpoint, populating the GzSecurityEvents_CL custom table with structured incident data.
Detection Surface Unlocked
The solution enables detection of lateral movement activity through the included analytic rule NRT GravityZone Incident Alerts:
- Query scope: Uses the ASimAlertEventBitdefenderGravityZone parser, extracting fields from the packed AdditionalFields property bag
- Incident correlation: Groups events by result, with alert severity mapped dynamically from GravityZone's own ratings
- Entity mapping: Extracts host and IP entities automatically so analysts can pivot during investigation
- Multi-vector coverage: Normalizes EDR incidents, XDR correlations, ransomware mitigations, sandbox detections, and Exchange malware alerts into one schema
The rule derives its tactical classification from AdditionalFields.AttackTypes and supports detection of MITRE ATT&CK technique T1210 (Exploitation of Remote Services) through GravityZone's behavioral analysis.
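To show how the pieces above fit together, here is an illustrative NRT rule template in the Sentinel YAML format; it is an added sketch, not the solution's own Incidents.yaml. It assumes the parser exposes the standard ASIM AlertEvent columns named in the query (EventType, EventSeverity, AlertName, AlertDescription, AttackTechniques, DvcHostname, DvcIpAddr, AdditionalFields); the GUID, connector list and severity fallback are placeholders.

```yaml
# Added illustrative NRT rule template (not the solution's Incidents.yaml).
# Assumption: the parser exposes the standard ASIM AlertEvent columns used below;
# the placeholder GUID, connector list and severity fallback are constructed for this sketch.
id: 00000000-0000-0000-0000-000000000000   # placeholder; every template needs its own GUID
name: NRT GravityZone Incident Alerts (illustrative)
description: |
  Surfaces GravityZone EDR/XDR, anti-ransomware, sandbox and Exchange alerts that the
  ASimAlertEventBitdefenderGravityZone parser normalizes from GzSecurityEvents_CL.
severity: Medium                 # static default; overridden per alert by alertDetailsOverride
kind: NRT
requiredDataConnectors: []       # the solution's own connector id belongs here
tactics:
  - LateralMovement
techniques:
  - T1210
query: |
  ASimAlertEventBitdefenderGravityZone
  | where EventType == "Alert"
  // AttackTypes travels inside the packed AdditionalFields bag; surface it as a column
  | extend AttackTypes = tostring(AdditionalFields.AttackTypes)
  // Keep only the four values Sentinel accepts for alert severity; anything else falls back
  | extend MappedSeverity = case(
        EventSeverity in ("High", "Medium", "Low"), EventSeverity,
        "Informational")
  | project TimeGenerated, AlertName, AlertDescription, MappedSeverity,
            AttackTypes, AttackTechniques, DvcHostname, DvcIpAddr
eventGroupingSettings:
  aggregationKind: AlertPerResult     # one alert per returned row, i.e. grouped by result
alertDetailsOverride:
  alertSeverityColumnName: MappedSeverity
  alertDisplayNameFormat: 'GravityZone: {{AlertName}} on {{DvcHostname}}'
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: DvcHostname
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: DvcIpAddr
version: 1.0.0
```

Because the severity column is read per row, a single rule can raise High for an XDR correlation and Low for an informational sandbox verdict without separate templates.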
Affected Files
.script/tests/KqlvalidationsTests/CustomFunctions/ASimAlertEventBitdefenderGravityZone.json
Solutions/GravityZone/Analytic Rules/Incidents.yaml
(packaging artefacts: 3.0.1.zip, ReleaseNotes.md, Solution_GravityZone.json, createUiDefinition.json, mainTemplate.json)