Add TrendAI Vision One CCF-based Microsoft Sentinel Data Connector #14454
V1ManagedServices wants to merge 1 commit into
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Adds a new Trend Vision One CCF/CCP-based Microsoft Sentinel connector implementation (Workbench + OAT), including modular ARM templates (DCE/DCR/table/connector-definition/poller), parser functions, and end-user documentation to support deployment and migration from legacy Azure Function connectors.
Changes:
- Added modular ARM template sets for Workbench and OAT connectors (orchestrator + nested components), including DCR-based transforms and optional deploy-time poller creation.
- Added Log Analytics parser functions and accompanying KQL sources for normalized (“universal”) querying across legacy + CCF-ingested data.
- Added extensive documentation (concepts, permissions, deployment, usage, migration, troubleshooting) and maintainer/publishing artifacts.
Reviewed changes
Copilot reviewed 45 out of 46 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| Solutions/TrendAI Vision One/templates/workbench/mainTemplate.json | Workbench orchestrator template deploying Sentinel enablement, table, DCE/DCR, connector definition, parser, rule, workbook, and optional poller |
| Solutions/TrendAI Vision One/templates/workbench/createUiDefinition.json | Azure Portal UI definition for Workbench deployment parameters |
| Solutions/TrendAI Vision One/templates/workbench/components/workbook.json | Component template deploying the Workbench workbook resource |
| Solutions/TrendAI Vision One/templates/workbench/components/table.json | Component template creating the Workbench custom table schema |
| Solutions/TrendAI Vision One/templates/workbench/components/sentinel-solution.json | Component template enabling Sentinel (SecurityInsights solution) on the workspace |
| Solutions/TrendAI Vision One/templates/workbench/components/parser-function.json | Component template creating the Workbench parser saved search/function |
| Solutions/TrendAI Vision One/templates/workbench/components/dcr.json | Component template creating the Workbench DCR with ingestion-time transformation |
| Solutions/TrendAI Vision One/templates/workbench/components/dce.json | Component template creating the Workbench DCE |
| Solutions/TrendAI Vision One/templates/workbench/components/data-connector.json | Component template creating the Workbench RestApiPoller data connector instance (when apikey provided) |
| Solutions/TrendAI Vision One/templates/workbench/components/connector-definition.json | Component template creating the Workbench dataConnectorDefinition UI/metadata |
| Solutions/TrendAI Vision One/templates/workbench/components/analytic-rule.json | Component template defining the scheduled analytic rule for incident creation |
| Solutions/TrendAI Vision One/templates/oat/mainTemplate.json | OAT orchestrator template deploying Sentinel enablement, table, DCE/DCR, connector definition, parser, and optional poller |
| Solutions/TrendAI Vision One/templates/oat/createUiDefinition.json | Azure Portal UI definition for OAT deployment parameters |
| Solutions/TrendAI Vision One/templates/oat/components/table.json | Component template creating the OAT custom table schema |
| Solutions/TrendAI Vision One/templates/oat/components/sentinel-solution.json | Component template enabling Sentinel (SecurityInsights solution) on the workspace for OAT |
| Solutions/TrendAI Vision One/templates/oat/components/parser-function.json | Component template creating the OAT parser saved search/function |
| Solutions/TrendAI Vision One/templates/oat/components/dcr.json | Component template creating the OAT DCR with ingestion-time transformation and optional third-party exclusion |
| Solutions/TrendAI Vision One/templates/oat/components/dce.json | Component template creating the OAT DCE |
| Solutions/TrendAI Vision One/templates/oat/components/data-connector.json | Component template creating the OAT RestApiPoller data connector instance (when apikey provided) |
| Solutions/TrendAI Vision One/templates/oat/components/connector-definition.json | Component template creating the OAT dataConnectorDefinition UI/metadata |
| Solutions/TrendAI Vision One/templates/legacy/deploy-parser-function.json | Legacy standalone Workbench parser deployment template (archived) |
| Solutions/TrendAI Vision One/templates/legacy/deploy-parser-function-oat.json | Legacy standalone OAT parser deployment template (archived) |
| Solutions/TrendAI Vision One/templates/legacy/arm-template-oat-newSchema.json | Archived legacy monolithic OAT template variant |
| Solutions/TrendAI Vision One/templates/legacy/README.md | Documentation describing legacy/archived templates and migration note |
| Solutions/TrendAI Vision One/templates/ARCHITECTURE.md | Architecture/deep-dive doc for modular connector design and deployment flow |
| Solutions/TrendAI Vision One/scripts/publish-templates.sh | Script to publish templates to Azure Blob storage for “test deploy” while repo is private |
| Solutions/TrendAI Vision One/functions/Parser-Workbench.kql | Source KQL for Workbench universal parser function |
| Solutions/TrendAI Vision One/functions/Parser-OAT.kql | Source KQL for OAT universal parser function |
| Solutions/TrendAI Vision One/docs/internal/test-deploy.md | Internal maintainer doc for private-repo test deploy & blob publishing |
| Solutions/TrendAI Vision One/docs/README.md | Documentation landing page and navigation |
| Solutions/TrendAI Vision One/docs/06-troubleshooting.md | Troubleshooting guide |
| Solutions/TrendAI Vision One/docs/05-migration.md | Migration guide from legacy Azure Function connector |
| Solutions/TrendAI Vision One/docs/04-using-the-connector.md | Day-to-day usage guide (queries, rules, workbooks, filtering, tokens) |
| Solutions/TrendAI Vision One/docs/03-deployment.md | Deployment instructions (portal + CLI) |
| Solutions/TrendAI Vision One/docs/02-permissions.md | Required permissions explanation (Azure + Trend) |
| Solutions/TrendAI Vision One/docs/01-concepts.md | Concepts overview and connector architecture explanation |
| Solutions/TrendAI Vision One/SECURITY.md | Security policy and vulnerability reporting instructions |
| Solutions/TrendAI Vision One/README.md | Top-level solution README including deploy buttons, usage, and docs links |
| Solutions/TrendAI Vision One/LICENSE | MIT license file for solution content |
| Solutions/TrendAI Vision One/CONTRIBUTING.md | Contribution guidelines, local validation steps, and security guidance |
| Solutions/TrendAI Vision One/CODE_OF_CONDUCT.md | Contributor Covenant code of conduct |
| Solutions/TrendAI Vision One/CODEOWNERS | Code owners configuration for the solution subtree |
| "apikey": { | ||
| "type": "securestring", | ||
| "defaultValue": "", | ||
| "metadata": { | ||
| "description": "Trend Vision One API token (without 'Bearer' prefix). Required to deploy the active poller. Leave empty to deploy only the connector definition + table + DCR + parser, and attach credentials later via the Sentinel portal." | ||
| } | ||
| }, |
| "apikey": { | ||
| "type": "securestring", | ||
| "defaultValue": "", | ||
| "metadata": { | ||
| "description": "Trend Vision One API token (without 'Bearer' prefix). Required to deploy the active poller. Leave empty to deploy only the connector definition + table + DCR and connect later via the Sentinel portal." | ||
| } | ||
| }, |
| "description": "This Query creates an incident based on Trend Vision One Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage.", | ||
| "displayName": "Trend Vision One - Create Incident for Workbench Alerts", | ||
| "enabled": false, | ||
| "query": "TrendMicroWorkbench_Complete\n| extend Severity = case(severity_s == \"low\", \"Informational\",\n severity_s == \"medium\", \"Low\",\n severity_s == \"high\", \"Medium\",\n \"High\"\n )", |
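Review bot: the `case()` in the rule query shifts every severity one step down (Trend `high` becomes Sentinel `Medium`) and its catch-all branch maps anything that is not low/medium/high, including an empty or unexpected `severity_s`, to `High`. If the shift is intended, document it; otherwise add an explicit `severity_s == "critical"` branch and make the default `Informational` so that missing data does not create high-severity incidents. The rule also ships with `"enabled": false`, so no incidents are created after deployment until an operator turns it on, and it references the `TrendMicroWorkbench_Complete` function, so the orchestrator must deploy the parser-function component before the analytic rule.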
| "kind": "shared", | ||
| "properties": { | ||
| "displayName": "[variables('workbookName')]", | ||
| "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Trend Vision One - Workbench Alerts\\n---\\n[Trend Micro Success Portal](https://success.trendmicro.com)\\n\\nIf you have any feedback, please send to <xdrfeedback@trendmicro.com>\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TrendMicroWorkbench_Complete\\n| summarize Alerts = count() by bin(TimeGenerated,1d), severity_s\\n| where TimeGenerated >= ago(7d)\\n| render columnchart kind=stacked\",\"size\":0,\"title\":\"Workbench Alerts Last 7 days\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"medium\",\"label\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"high\",\"label\":\"High\",\"color\":\"redBright\"},{\"seriesName\":\"low\",\"label\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"critical\",\"label\":\"Critical\",\"color\":\"redDark\"}]}},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TrendMicroWorkbench_Complete\\n| summarize Alerts = count() by bin(TimeGenerated,1d), severity_s\\n| where TimeGenerated >= ago(30d)\\n| render columnchart kind=stacked\",\"size\":0,\"title\":\"Workbench Alerts Last 30 days\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"medium\",\"label\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"high\",\"label\":\"High\",\"color\":\"redBright\"},{\"seriesName\":\"low\",\"label\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"critical\",\"label\":\"Critical\",\"color\":\"redDark\"}]}},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TrendMicroWorkbench_Complete\\n| summarize Alerts = count() by bin(TimeGenerated,1d), model_s\\n| where 
TimeGenerated >= ago(30d)\\n| render columnchart kind=stacked\",\"size\":0,\"title\":\"Detection Models in Last 30 Days\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TrendMicroWorkbench_Complete\\n| summarize Alerts = count() by severity_s\\n| render piechart\",\"size\":0,\"title\":\"Alerts by Severity\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"medium\",\"label\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"high\",\"label\":\"High\",\"color\":\"redBright\"},{\"seriesName\":\"low\",\"label\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"critical\",\"label\":\"Critical\",\"color\":\"redDark\"}]}},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TrendMicroWorkbench_Complete\\n| where isnotempty(HostHostName_s) and HostHostName_s != '[]'\\n| summarize Alerts = count() by HostHostName_s\\n| top 10 by Alerts desc\",\"size\":0,\"title\":\"Top 10 Affected Hosts\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 5\"}],\"styleSettings\":{},\"fromTemplateId\":\"sentinel-TrendVisionOneWorkbench\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}", |
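Review bot: the tile titled "Workbench Alerts Last 7 days" sets `timeContext.durationMs` to 2592000000 (30 days) while its query filters `ago(7d)`, so the tile's time picker and the chart disagree; set `durationMs` to 604800000 for that tile or drop the hard-coded `ago()` and rely on the time context. In the same queries the `where TimeGenerated >= ago(...)` clause comes after `summarize`, so the whole table is aggregated before the filter is applied; move the `where` before the `summarize`. The host tile's `HostHostName_s != '[]'` check shows the host field arrives as a JSON-array string, which the parser function should expand once rather than every consumer filtering on the literal.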
| "rateLimitQPS": 1, | ||
| "queryWindowInMin": 5, | ||
| "httpMethod": "GET", | ||
| "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", |
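Review bot: `queryTimeFormat` `yyyy-MM-ddTHH:mm:ssZ` passes `T` and `Z` as literal characters, so the window timestamps the poller sends must genuinely be UTC; confirm that the Trend Vision One endpoint accepts exactly this format for its start/end parameters, because a format the API rejects typically surfaces only as repeated empty polls rather than an error. `queryWindowInMin` 5 with `rateLimitQPS` 1 is reasonable, but state the Trend-side rate limit it was derived from in the deployment doc so operators know how far it can be tuned.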
| { | ||
| "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", | ||
| "contentVersion": "1.0.0.0", | ||
| "parameters": { | ||
| "workspace": { | ||
| "type": "string" | ||
| }, | ||
| "workspace-location": { | ||
| "type": "string" | ||
| } | ||
| }, |
| "variables": { | ||
| "baseUrl": "https://raw.githubusercontent.com/trendmicro/trendai-sentinel-ccf-data-connector/main/templates/workbench/components" | ||
| }, |
| # 🔒 INTERNAL — Test-deploy & publishing notes | ||
| > **Audience: Trend Micro maintainers only.** | ||
| > This page documents the temporary test-deploy plumbing used **while the repository is private**. It references internal hosts and an internal storage account. | ||
| > | ||
| > **Before the repo goes public, this `internal/` folder should be removed (or the test-deploy section pruned)** and the README's "Test Deploy (Azure Storage-hosted…)" block deleted. See the [Go-Live Checklist](../../.github/GO_LIVE_CHECKLIST.md). |
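Review bot: this page itself says the `internal/` folder references internal hosts and a storage account and must be removed before the repository goes public; merging it into the public Azure-Sentinel repository would make that removal step impossible, so drop `docs/internal/` and the README "Test Deploy" block from this PR rather than relying on a later cleanup. The linked `../../.github/GO_LIVE_CHECKLIST.md` also does not appear in the reviewed file list, so the link is broken as submitted.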
Hi @V1ManagedServices, kindly implement the changes recommended by Copilot if required and commit them once completed. Thanks!
Closing this PR for now. After further review, we identified several structural changes that are required to align with the Microsoft Sentinel repository guidelines and validation feedback. We are currently updating the implementation and repository structure accordingly. A new PR will be submitted once the changes have been completed and reviewed. Thank you for the feedback and review.
Change(s):
Reason for Change(s):
Version Updated:
Testing Completed:
Checked that the validations are passing and have addressed any issues that are present: