Gravityzone ASim parsers#13330
🔒 Security Approval Required. This fork PR requires manual approval before automated testing can run. For security, a maintainer must:
Note: If new commits are added later, simply remove and re-add the 🤖 Automated security check • Created: 2025-12-16T13:18:38.466Z

hello. any updates on this one?

Hi @gbarbieru,

hi @v-atulyadav . done!

hi @v-atulyadav !

The task "Run ASim Template Validation tests" seems stuck and fails

Hi @gbarbieru, Please review the above comments and act accordingly. Thanks

🔒 Security Re-approval Required
For security, a maintainer must:
This simple process ensures that all commits have been properly reviewed before testing with repository secrets. 🤖 Automated security check • Updated: 2026-04-27T08:07:36.572Z

@v-atulyadav @yummyblabla hello! After implementing the suggested changes the filter seems to no longer work as expected:
the additionalFields field no longer contains data, no matter the value of the 'pack' parameter. I've also observed that not all entries contain the TimeGenerated value. Is this normal? (Filtering by time seems to work correctly.)

@gbarbieru the command you issued was incorrect. Please try again. Examples are: and

```kql
let parser=(pack:bool=false){
  union isfuzzy=true
    vimAlertEventEmpty,
    ASimAlertEventBitdefenderGravityZone (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventBitdefenderGravityZone' in (DisabledParsers)))),
```
Please pass pack as a parameter here as well
```kql
{
  union isfuzzy=true
    vimAlertEventEmpty,
    vimAlertEventBitdefenderGravityZone (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertBitdefenderGravityZone' in (DisabledParsers)))),
```
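Review bot: the DisabledParsers key used in the `disabled=` expression, 'ExcludevimAlertBitdefenderGravityZone', does not match the name of the parser it guards, vimAlertEventBitdefenderGravityZone, whereas the ASim union above checks 'ExcludeASimAlertEventBitdefenderGravityZone'. Unless the shorter key is intentional, use 'ExcludevimAlertEventBitdefenderGravityZone' so that the vim and ASim parsers can be excluded with the same naming pattern and an operator's DisabledParsers entry actually takes effect.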
Please pass pack as a parameter here.
```kql
| where module == "new-incident"
| extend d = data
| extend
    EventStartTime = start_time,
```
It looks like EventStartTime = start_time and EventEndTime are the same for all the tables and can be extended at the end. Same for the vim parser.
Afterwards, please run the script "DirectoryOfAzureSentinel\.script\kqlFuncYaml2Arm.ps1" in the root folder of the repo to have it generate the necessary ARM templates, as "Convert kql function yaml to ARM template" can't run on forked repos.


Required items, please complete
Change(s):
Reason for Change(s):
Version Updated:
Testing Completed:
Checked that the validations are passing and have addressed any issues that are present:
Before going into this topic I want to disclose that development in my team is done on Linux workstations and the available tooling and guides offered by Microsoft kinda lack in this department. Due to time constraints additional effort in making them work on Linux environments was abandoned and testing was eventually done on Microsoft Sentinel accounts via end-to-end testing.