Gravityzone Decoders


Brenno Garcia

Apr 22, 2026, 6:02:30 PM (5 days ago) Apr 22
to Wazuh | Mailing List
Hello

I have some decoders for logs from GravityZone Bitdefender.
I'm facing a problem where the child decoders only work if their names are the same (except "gravityzone_malware").

<decoder name="gravityzone">
  <program_name>CEF</program_name>
  <prematch>GravityZone</prematch>
</decoder>

<decoder name="gravityzone_malware">
  <parent>gravityzone</parent>
  <prematch type="pcre2">.*(AntiMalware).*dvchost=(\S+) \S+ dvc=(\S+) \S+ BitdefenderGZMalwareType=(\S+) BitdefenderGZMalwareName=(.*) BitdefenderGZMalwareHash=(\S+)</prematch>
  <regex type="pcre2">.*(AntiMalware).*dvchost=(\S+) \S+ dvc=(\S+) \S+ BitdefenderGZMalwareType=(\S+) BitdefenderGZMalwareName=(.*) BitdefenderGZMalwareHash=(\S+) act=(\S+) filePath=(\S+) BitdefenderGZDetectionTime=(\S+).*BitdefenderGZCleanedMalwareCnt=(\d+) BitdefenderGZBlockedMalwareCnt=(\d+) BitdefenderGZDeletedMalwareCnt=(\d+) BitdefenderGZQuarantinedMalwareCnt=(\d+) BitdefenderGZIgnoredMalwareCnt=(\d+) BitdefenderGZPresentMalwareCnt=(\d+) suser=(\S+).*</regex>
  <order>Module,host,srcip,MalwareType,MalwareName,MalwareHash,Action,FilePath,DetectionTime,CleanedMalwareCount,BlockedMalwareCount,DeletedMalwareCount,QuarantinedMalwareCount,IgnoredMalwareCount,PresentMalwareCount,User</order>
</decoder>

<decoder name="gravityzone_incident">
  <parent>gravityzone</parent>
  <regex type="pcre2">.*(.ew..ncident).*dvchost=(\S+) \S+ dvc=(\S+) \S+ BitdefenderGZIncidentId=(\S+) BitdefenderGZIncidentNumber=(\S+) BitdefenderGZSeverityScore=(\S+) BitdefenderGZAttackEntry=(\S+) BitdefenderGZMainAction=(.*) BitdefenderGZDetectionName=(.*) request=(\S+) spt=(\S+) .*src=(\S+) sproc=(.*) BitdefenderGZAttackTypes=.* BitdefenderGZAttCkId=(\S+) start=(\S+) BitdefenderGZCompanyId=(\S+) BitdefenderGZEndpointId=(\S+)</regex>
  <order>Module,host,DeviceIP,IncidentId,IncidentNumber,IncidentScore,IncidentAttackEntry,action,IncidentName,dstip,dstport,srcip,IncidentProcess,IncidentMITRE,IncidentDate,IncidentCompany,IncidentEndpointId</order>
</decoder>

<decoder name="gravityzone_incident">
  <parent>gravityzone</parent>
  <regex type="pcre2">.*(.ew..ncident).*dvchost=(\S+) \S+ dvc=(\S+) \S+ BitdefenderGZIncidentId=(\S+) BitdefenderGZIncidentNumber=(\S+) BitdefenderGZSeverityScore=(\S+) BitdefenderGZAttackEntry=(\S+) BitdefenderGZMainAction=(\S+) BitdefenderGZDetectionName=(.*) fname=(\S+) filePath=(.+) fileHash=(\S+) BitdefenderGZFileHashSha256=(\S+) sproc=(.*) BitdefenderGZAttackTypes=.* BitdefenderGZAttCkId=(\S+) start=(\S+) BitdefenderGZCompanyId=(\S+) BitdefenderGZEndpointId=(\S+)</regex>
  <order>Module,host,srcip,IncidentId,IncidentNumber,IncidentScore,IncidentAttackEntry,action,IncidentName,filename,filePath,fileHash,fileSha256,IncidentProcess,IncidentMITRE,IncidentDate,CompanyId,IncidentEndpointId</order>
</decoder>

<decoder name="gravityzone_incident">
  <parent>gravityzone</parent>
  <regex type="pcre2">.*(.ew..ncident).*dvchost=(\S+) \S+ dvc=(\S+) \S+ BitdefenderGZIncidentId=(\S+) BitdefenderGZIncidentNumber=(\S+) BitdefenderGZSeverityScore=(\S+) BitdefenderGZAttackEntry=(\S+) BitdefenderGZMainAction=(\S+) BitdefenderGZDetectionName=(.*) fname=(\S+) filePath=(\S+) sproc=(.*) BitdefenderGZAttackTypes=.* BitdefenderGZAttCkId=(\S+) start=(\S+) BitdefenderGZCompanyId=(\S+) BitdefenderGZEndpointId=(\S+)</regex>
  <order>Module,host,srcip,IncidentId,IncidentNumber,IncidentScore,IncidentAttackEntry,action,IncidentName,filename,filePath,IncidentProcess,IncidentMITRE,IncidentDate,CompanyId,IncidentEndpointId</order>
</decoder>

<decoder name="gravityzone_incident">
  <parent>gravityzone</parent>
  <regex type="pcre2">.*Module=(\S+) BitdefenderGZCompanyId=(\S+) dvchost=(\S+) BitdefenderGZComputerFQDN=(\S+) dvc=(\S+) deviceExternalId=(\S+) BitdefenderGZEventType=(\S+) request=(\S+) act=(\S+) end=(\S+) cnt=(\d+) suser=(\S+)</regex>
  <order>Module,CompanyId,host,HostFQDN,srcip,DeviceId,eventtype,dstip,action,end,events,srcuser</order>
</decoder>

<decoder name="gravityzone_incident">
  <parent>gravityzone</parent>
  <regex type="pcre2">BitdefenderGZModule=(\S+).*BitdefenderGZCompanyId=(\S+) dvchost=(\S+) BitdefenderGZComputerFQDN=(\S+) dvc=(\S+).*BitdefenderGZStatus=(\S+)</regex>
  <order>Module,CompanyId,host,HostFQDN,srcip,status</order>
</decoder>


Log sample for the last decoder; if its name is bitdefender_new_endpoint, for example, it doesn't work:
Apr 17 19:20:13 teste-teste CEF:0|Bitdefender|GravityZone|6.72.0-1|70000|Registration|3|BitdefenderGZModule=registration BitdefenderGZPreviousEventData={} BitdefenderGZCompanyId=test dvchost=test BitdefenderGZComputerFQDN=test.br dvc=1.1.1.1 deviceExternalId=test BitdefenderGZStatus=registered




Javier Adán Méndez Méndez

Apr 22, 2026, 6:19:38 PM (5 days ago) Apr 22
to Wazuh | Mailing List
Hi Brenno

I'm currently investigating the issue with your GravityZone decoders. Let me look into the hierarchy and the naming logic, and I’ll get back to you with a solution shortly.

Javier Adán Méndez Méndez

Apr 22, 2026, 7:32:45 PM (5 days ago) Apr 22
to Wazuh | Mailing List
Hi Brenno

Try adding both use_own_name and a specific prematch to that child decoder:

<decoder name="gravityzone_registration">
  <parent>gravityzone</parent>
  <use_own_name>true</use_own_name>
  <prematch>BitdefenderGZModule=registration</prematch>

  <regex type="pcre2">BitdefenderGZModule=(\S+).*BitdefenderGZCompanyId=(\S+) dvchost=(\S+) BitdefenderGZComputerFQDN=(\S+) dvc=(\S+).*BitdefenderGZStatus=(\S+)</regex>
  <order>Module,CompanyId,host,HostFQDN,srcip,status</order>
</decoder>

Wazuh can handle multiple child decoders with the same name, but if you change the child name, it’s better to add <use_own_name>true</use_own_name> so it keeps that specific decoder name. A specific <prematch> also helps Wazuh identify the right child faster before running the full regex.

Also, if any rule uses <decoded_as>gravityzone_incident</decoded_as>, you need to update it to the new decoder name as well.


Some useful resources:

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html
https://documentation.wazuh.com/current/user-manual/ruleset/decoders/sibling-decoders.html
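A simplified model of the parent/child matching and naming that the reply describes, added here as an example; it is not Wazuh's own engine and not code from the thread. It runs the thread's log sample through the parent prematch, skips the AntiMalware child on its prematch, maps the registration regex captures onto the order fields, and shows which decoder name is reported with and without use_own_name. The name gravityzone_registration is the one suggested in the reply, and Python's re stands in for pcre2 because these patterns only use syntax both engines share.

```python
import re
from dataclasses import dataclass, field, replace

@dataclass
class Decoder:
    name: str
    prematch: str = ""            # optional cheap gate before the full regex
    regex: str = ""
    order: list = field(default_factory=list)
    use_own_name: bool = False    # report this name instead of the parent's

PARENT = Decoder(name="gravityzone", prematch=r"GravityZone")
# Registration child from the reply; the name is the one suggested there.
REGISTRATION = Decoder(
    name="gravityzone_registration",
    prematch=r"BitdefenderGZModule=registration",
    regex=r"BitdefenderGZModule=(\S+).*BitdefenderGZCompanyId=(\S+) dvchost=(\S+) "
          r"BitdefenderGZComputerFQDN=(\S+) dvc=(\S+).*BitdefenderGZStatus=(\S+)",
    order=["Module", "CompanyId", "host", "HostFQDN", "srcip", "status"],
    use_own_name=True,
)
# AntiMalware child from the question, reduced to its prematch: it must be skipped here.
MALWARE = Decoder(name="gravityzone_malware", prematch=r".*(AntiMalware).*")

# Thread's sample (constructed test values) after predecoding stripped the syslog header.
SAMPLE = ("CEF:0|Bitdefender|GravityZone|6.72.0-1|70000|Registration|3|"
          "BitdefenderGZModule=registration BitdefenderGZPreviousEventData={} "
          "BitdefenderGZCompanyId=test dvchost=test BitdefenderGZComputerFQDN=test.br "
          "dvc=1.1.1.1 deviceExternalId=test BitdefenderGZStatus=registered")

def decode(parent, children, log):
    """Return {'decoder': name, 'fields': {...}} for the first child that matches, else None."""
    if not re.search(parent.prematch, log):
        return None
    for child in children:
        if child.prematch and not re.search(child.prematch, log):
            continue                      # prematch failed: skip the expensive regex
        m = re.search(child.regex, log) if child.regex else None
        if m is None:
            continue
        name = child.name if child.use_own_name else parent.name
        return {"decoder": name, "fields": dict(zip(child.order, m.groups()))}
    return None

def demo():
    """Decode the sample with and without use_own_name on the registration child."""
    with_own = decode(PARENT, [MALWARE, REGISTRATION], SAMPLE)
    without_own = decode(PARENT, [MALWARE, replace(REGISTRATION, use_own_name=False)], SAMPLE)
    return with_own, without_own
```

Without use_own_name the fields are still extracted, but the alert carries the parent's name, which is why a decoded_as rule keyed on the child's name stops firing.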


