What Changed
Added comprehensive ASIM AlertEvent parsers for the Bitdefender GravityZone security platform, including both the full (ASimAlertEventBitdefenderGravityZone) and the filtering (vimAlertEventBitdefenderGravityZone) variants. This integration normalizes five distinct GravityZone event modules into the Microsoft Sentinel ASIM AlertEvent schema.
Parser Impact
The parsers normalize data from the GzSecurityEvents_CL custom table into standardized ASIM fields. Event modules covered:
- new-incident: Core security incidents with device context, file hashes, and process details
- new-extended-incident: Enhanced incident data with kill chain phases and correlation mapping
- ransomware-mitigation: Anti-ransomware protection events from endpoint agents
- network-sandboxing: Malware analysis results from network-based file inspection
- exchange-malware: Email threat detection from Exchange integration
Key normalized fields include EventUid, EventSeverity, DvcHostname and DvcAction; packed mode preserves additional forensic metadata (file paths, process trees, MITRE ATT&CK mappings).
MITRE Mapping
The parsers extract MITRE ATT&CK technique IDs from GravityZone incident data via the att_ck_id field, supporting techniques T1002 (Data Compressed), T1012 (Query Registry), T1036 (Masquerading) and T1059 (Command and Scripting Interpreter).
Detection Surface Unlocked
Organizations using Bitdefender GravityZone can now leverage normalized alert data for:
- Cross-vendor incident correlation using ASIM-based detections
- Unified threat hunting across GravityZone and other security tools
- Standardized severity mapping from the GravityZone low/medium/high scale to ASIM conventions
- Integration of endpoint, email, and network sandbox alerts into Microsoft Sentinel investigations
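As an added illustration (not the parser code in this PR), the KQL below runs the severity and MITRE normalization described above over a constructed set of rows shaped like GzSecurityEvents_CL. The module values and the att_ck_id field come from the PR; the other column names, the comma-separated multi-ID form of att_ck_id and the fallback of unknown severities to Informational are assumptions.

```kql
// Constructed sample rows standing in for the GzSecurityEvents_CL custom table.
// Only att_ck_id and the module values come from the PR; every other column name is assumed.
let GzSecurityEvents_Sample = datatable(
    TimeGenerated:datetime, module:string, severity:string,
    computer_name:string, att_ck_id:string, incident_id:string)
[
    datetime(2024-05-01T10:00:00Z), "new-incident",          "high",   "WS-01", "T1059",        "inc-0001",
    datetime(2024-05-01T10:05:00Z), "new-extended-incident", "medium", "WS-02", "T1036, T1012", "inc-0002",
    datetime(2024-05-01T10:10:00Z), "ransomware-mitigation", "low",    "WS-03", "",             "inc-0003",
    datetime(2024-05-01T10:15:00Z), "exchange-malware",      "n/a",    "MX-01", "T1002",        "inc-0004"
];
GzSecurityEvents_Sample
// Severity: GravityZone low/medium/high -> ASIM Low/Medium/High. An unrecognised
// value is mapped to Informational (assumed fallback) so the row is not silently dropped.
| extend EventSeverity = case(
      severity =~ "high",   "High",
      severity =~ "medium", "Medium",
      severity =~ "low",    "Low",
      "Informational")
// MITRE: att_ck_id may carry one ID or a comma-separated list (assumed); strip spaces,
// split into an array, and leave the field null rather than [""] when no technique is present.
| extend AttackTechniques = iff(isempty(att_ck_id),
                                dynamic(null),
                                split(replace_string(att_ck_id, " ", ""), ","))
// Device and identity fields: one stable EventUid per incident, hostname from the agent record.
| extend EventUid     = strcat("GravityZone-", incident_id),
         DvcHostname  = computer_name,
         EventVendor  = "Bitdefender",
         EventProduct = "GravityZone"
// Packed mode: keep the raw values that have no dedicated ASIM column for later forensics.
| extend AdditionalFields = bag_pack("module", module,
                                     "raw_severity", severity,
                                     "raw_att_ck_id", att_ck_id)
| project TimeGenerated, EventUid, EventSeverity, DvcHostname, EventVendor, EventProduct,
          AttackTechniques, AdditionalFields
```

Running this in a Log Analytics query window yields one normalized row per sample event; the second row shows AttackTechniques as ["T1036","T1012"] and the fourth shows the Informational fallback.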
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/GzSecurityEvents_CL.json
Parsers/ASimAlertEvent/ARM/ASimAlertEvent/ASimAlertEvent.json
Parsers/ASimAlertEvent/ARM/ASimAlertEventBitdefenderGravityZone/ASimAlertEventBitdefenderGravityZone.json
Parsers/ASimAlertEvent/ARM/ASimAlertEventBitdefenderGravityZone/README.md
Parsers/ASimAlertEvent/ARM/FullDeploymentAlertEvent.json
Parsers/ASimAlertEvent/ARM/imAlertEvent/imAlertEvent.json
Parsers/ASimAlertEvent/ARM/vimAlertEventBitdefenderGravityZone/README.md
Parsers/ASimAlertEvent/ARM/vimAlertEventBitdefenderGravityZone/vimAlertEventBitdefenderGravityZone.json
Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEvent.md
Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEventBitdefenderGravityZone.md
Parsers/ASimAlertEvent/CHANGELOG/imAlertEvent.md
Parsers/ASimAlertEvent/CHANGELOG/vimAlertEventBitdefenderGravityZone.md
Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml
Parsers/ASimAlertEvent/Parsers/ASimAlertEventBitdefenderGravityZone.yaml
Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml
Parsers/ASimAlertEvent/Parsers/vimAlertEventBitdefenderGravityZone.yaml
Sample Data/ASIM/Bitdefender_GravityZone_AlertEvent_IngestedLogs.csv
Sample Data/ASIM/GzSecurityEvents_CL_Schema.csv