Add Trend Vision One Workbench and OAT data connectors using CCF#14535
Open
V1ManagedServices wants to merge 1 commit into
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Adds a new TrendAI Vision One Microsoft Sentinel solution that uses the Codeless Connector Framework (CCF) with DCR-based ingestion to collect Workbench Alerts and OAT Detections, plus supporting content for visualization and detections.
Changes:
- Added CCF connector definitions and deployment artifacts (ARM/template spec, DCR/DCE, custom tables).
- Added parser functions to normalize legacy + CCF tables into consistent schemas.
- Added a workbook and an analytic rule to visualize/use ingested Workbench data.
Reviewed changes
Copilot reviewed 16 out of 17 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| Solutions/TrendAI Vision One(Via CCF)/Workbooks/TrendAIVisionOneWorkbenchOverview.json | Adds workbook visualizations using the Workbench parser function. |
| Solutions/TrendAI Vision One(Via CCF)/README.md | Documents installation, configuration, tables, and sample queries. |
| Solutions/TrendAI Vision One(Via CCF)/Parsers/TrendAIWorkbench_Complete.yaml | Adds Workbench normalization parser (legacy + CCF). |
| Solutions/TrendAI Vision One(Via CCF)/Parsers/TrendAIOAT_Complete.yaml | Adds OAT normalization parser (legacy + CCF). |
| Solutions/TrendAI Vision One(Via CCF)/Package/mainTemplate.json | Adds the deployable ARM template creating tables, DCR/DCE, connector definitions, parsers, and solution package. |
| Solutions/TrendAI Vision One(Via CCF)/Package/createUiDefinition.json | Adds Azure Marketplace UI definition for solution deployment. |
| Solutions/TrendAI Vision One(Via CCF)/Data/Solution_TrendAIVisionOne.json | Adds solution metadata referencing included artifacts. |
| Solutions/TrendAI Vision One(Via CCF)/Data Connectors/TrendAIVisionOneWorkbench_ccp/table.json | Defines the Workbench custom table schema. |
| Solutions/TrendAI Vision One(Via CCF)/Data Connectors/TrendAIVisionOneWorkbench_ccp/connectorDefinition.json | Defines the Workbench connector UI/metadata. |
| Solutions/TrendAI Vision One(Via CCF)/Data Connectors/TrendAIVisionOneWorkbench_ccp/PollerConfig.json | Defines Workbench RestApiPoller configuration. |
| Solutions/TrendAI Vision One(Via CCF)/Data Connectors/TrendAIVisionOneWorkbench_ccp/DCR.json | Defines Workbench DCR stream + transform for CCF pipeline. |
| Solutions/TrendAI Vision One(Via CCF)/Data Connectors/TrendAIVisionOneOAT_ccp/table.json | Defines the OAT custom table schema. |
| Solutions/TrendAI Vision One(Via CCF)/Data Connectors/TrendAIVisionOneOAT_ccp/connectorDefinition.json | Defines the OAT connector UI/metadata. |
| Solutions/TrendAI Vision One(Via CCF)/Data Connectors/TrendAIVisionOneOAT_ccp/PollerConfig.json | Defines OAT RestApiPoller configuration. |
| Solutions/TrendAI Vision One(Via CCF)/Data Connectors/TrendAIVisionOneOAT_ccp/DCR.json | Defines OAT DCR stream + transform for CCF pipeline. |
| Solutions/TrendAI Vision One(Via CCF)/Analytic Rules/TrendAIVisionOneWorkbenchIncident.yaml | Adds scheduled analytic rule to create incidents from Workbench alerts. |
Comment on lines +377 to +389
| "name": "[[concat(parameters('workspace'), '/Microsoft.SecurityInsights/TrendAIWorkbench-', uniqueString(parameters('apiDomain')))]", | ||
| "apiVersion": "2023-02-01-preview", | ||
| "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", | ||
| "location": "[parameters('workspace-location')]", | ||
| "kind": "RestApiPoller", | ||
| "properties": { | ||
| "connectorDefinitionName": "[[parameters('connectorDefinitionName')]", | ||
| "dataType": "TrendAI_XDR_WORKBENCH_V2_CL", | ||
| "dcrConfig": { | ||
| "streamName": "Custom-TrendAI_XDR_WORKBENCH_V2_CL", | ||
| "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", | ||
| "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" | ||
| }, |
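Review bot: The connector resource name is derived from the API domain (`'/Microsoft.SecurityInsights/TrendAIWorkbench-', uniqueString(parameters('apiDomain'))`), so a customer who later redeploys against a different regional API domain gets a second RestApiPoller next to the first instead of an in-place update, and both pollers write to `Custom-TrendAI_XDR_WORKBENCH_V2_CL`. Derive the name from the workspace and `connectorDefinitionName` instead, or document that the existing connector must be removed before switching domains. The resource also uses the preview `2023-02-01-preview` API version; confirm it matches the version the repository's packaging tool currently targets for CCF connectors.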
Comment on lines +86 to +93
| { | ||
| "parameters": { | ||
| "label": "API Token", | ||
| "placeholder": "Paste your TrendAI Vision One™ API token here", | ||
| "type": "password", | ||
| "name": "apitoken", | ||
| "required": true | ||
| }, |
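Review bot: The token field is correctly typed `password` and `required`, but nothing tells the operator which Trend Vision One permissions the token needs; add a `description` (or a sentence in the instruction step) stating the minimum role for a token that only reads Workbench alerts and OAT detections, so an admin-scoped key is not pasted into the connector. The `™` in the placeholder is also the only non-ASCII character in this block; plain `Trend Vision One` avoids encoding surprises in the packaging tooling.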
Comment on lines +14 to +17
| "dataType": "TrendAI Vision One Workbench API", | ||
| "auth": { | ||
| "type": "APIKey", | ||
| "ApiKey": "[[concat('Bearer ', parameters('apitoken'))]", |
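Review bot: The bearer prefix is folded into the secret value with `concat('Bearer ', parameters('apitoken'))`; the CCF `APIKey` auth type has `ApiKeyName` (header name) and `ApiKeyIdentifier` (the scheme prefix) for exactly this, so `"ApiKeyName": "Authorization", "ApiKeyIdentifier": "Bearer", "ApiKey": "[[parameters('apitoken')]"` is the idiomatic form and keeps the raw token as the only secret-bearing value. The hunk ends before the closing brace of `auth`, so the header name is not visible here; confirm `ApiKeyName` is `Authorization`, and that `apitoken` is declared as a `securestring` parameter in the enclosing template so it is not recorded in plain text in deployment history.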
| "dataTypes": [ | ||
| { | ||
| "name": "TrendAI_XDR_OAT_V2_CL", | ||
| "lastDataReceivedQuery": "TrendMicro_XDR_OAT_V2_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" |
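Review bot: `lastDataReceivedQuery` queries `TrendMicro_XDR_OAT_V2_CL` while the data type is named `TrendAI_XDR_OAT_V2_CL`, so the connector page will report no data received even while the poller is writing to the new table, and in a workspace that never had the legacy table the status query fails to resolve. Point it at `TrendAI_XDR_OAT_V2_CL`, or `union` both tables if the legacy name is meant to keep showing status during migration.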
| "Data Connectors/TrendAIVisionOneOAT_ccp/connectorDefinition.json" | ||
| ], | ||
| "Metadata": "Data/Solution_TrendAIVisionOne.json", | ||
| "BasePath": "https://raw.githubusercontent.com/trendmicro/TrendAI_Sentinel_public_data_Connector/main/Solutions/TrendAI Vision One", |
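Review bot: `BasePath` points at an external repository and branch (`https://raw.githubusercontent.com/trendmicro/TrendAI_Sentinel_public_data_Connector/main/Solutions/TrendAI Vision One`), and the folder name there differs from this PR's `Solutions/TrendAI Vision One(Via CCF)`. The packaging tool resolves the `Data Connectors/...` and `Metadata` entries relative to this path, so the package would be built from whatever that third-party `main` branch holds at build time rather than from the files under review. Set it to the Azure-Sentinel path for this solution (`https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/TrendAI Vision One(Via CCF)`) so the package is reproducible from merged content.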
Comment on lines +7 to +10
| requiredDataConnectors: | ||
| - connectorId: TrendAI_XDR_Workbench | ||
| dataTypes: | ||
| - TrendAI_XDR_WORKBENCH_V2_CL |
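Review bot: `connectorId: TrendAI_XDR_Workbench` must equal the `id` in the Workbench `connectorDefinition.json` for the rule template's data-source check to resolve; the connector resource in this PR is named `TrendAIWorkbench-<uniqueString>` and the definition name is passed through `parameters('connectorDefinitionName')`, so the literal here cannot be verified from the diff. Confirm the definition `id`, `connectorDefinitionName` and this `connectorId` agree, otherwise the rule shows as missing its required data connector and will not enable cleanly from the template.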
| "dataFlows": [{ | ||
| "streams": ["Custom-TrendAI_XDR_WORKBENCH_V2_CL"], | ||
| "destinations": ["clv2ws1"], | ||
| "transformKql": "source | extend TimeGenerated = todatetime(createdDateTime) | extend SourceSystem = 'RestAPI' | extend Computer = '' | extend MG = '' | extend ManagementGroupName = '' | extend RawData = tostring(indicators) | extend workbenchId_s = tostring(id) | extend schemaVersion_s = tostring(schemaVersion) | extend investigationStatus_s = tostring(investigationStatus) | extend alertStatus_s = tostring(status) | extend investigationResult_s = tostring(investigationResult) | extend workbenchLink_s = tostring(workbenchLink) | extend alertProvider_s = tostring(alertProvider) | extend modelId_g = tostring(modelId) | extend modelId_s = tostring(modelId) | extend model_s = tostring(model) | extend workbenchName_s = tostring(model) | extend modelType_s = tostring(modelType) | extend priorityScore_d = todouble(score) | extend severity_s = tostring(severity) | extend createdTime_t = todatetime(createdDateTime) | extend updatedTime_t = todatetime(updatedDateTime) | extend alertTriggerTimestamp_t = todatetime(createdDateTime) | extend workbenchCompleteTimestamp_t = todatetime(updatedDateTime) | extend incidentId_s = tostring(incidentId) | extend description_s = tostring(description) | extend desktopCount_d = todouble(impactScope.desktopCount) | extend serverCount_d = todouble(impactScope.serverCount) | extend accountCount_d = todouble(impactScope.accountCount) | extend emailAddressCount_d = todouble(impactScope.emailAddressCount) | extend containerCount_d = todouble(impactScope.containerCount) | extend cloudIdentityCount_d = todouble(impactScope.cloudIdentityCount) | extend cloudWorkloadCount_d = todouble(impactScope.cloudWorkloadCount) | extend indicators_dynamic = indicators | extend indicators_s = tostring(indicators) | extend impactScope_s = tostring(impactScope) | extend impactScope_Summary_s = tostring(impactScope) | extend entities = impactScope.entities | extend matchedRules_dynamic = matchedRules | extend matchedRules_s = tostring(matchedRules) | extend 
xdrCustomerID_g = '' | extend FileName_s = '' | extend FileHashValue_s = '' | extend DomainName_s = '' | extend FileDirectory_s = '' | extend IPAddress = '' | extend URL_s = '' | extend HostHostName_s = '' | extend ProcessCommandLine_s = '' | extend RegistryKey_s = '' | extend RegistryValue_s = '' | extend RegistryValueName_s = '' | extend UserAccountNTDomain_s = '' | extend UserAccountName_s = '' | extend MailboxPrimaryAddress_s = '' | extend MalwareName_s = '' | extend indicators = indicators_dynamic | extend matchedRules = matchedRules_dynamic | project-away id, schemaVersion, investigationStatus, status, investigationResult, workbenchLink, alertProvider, modelId, model, modelType, score, severity, createdDateTime, updatedDateTime, incidentId, description, impactScope, indicators_dynamic, matchedRules_dynamic", |
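Review bot: Several assignments in `transformKql` are redundant or misnamed: `modelId_g = tostring(modelId)` and `modelId_s = tostring(modelId)` store the same string twice, `xdrCustomerID_g = ''` writes an empty string into a column whose `_g` suffix signals a GUID, `IPAddress = ''` is the only legacy indicator column without the `_s` suffix, and `extend indicators = indicators_dynamic` / `extend matchedRules = matchedRules_dynamic` assign columns back to copies of themselves just before the copies are projected away. Drop the no-op pairs and keep one column per value. Separately, every legacy indicator column (`FileName_s`, `FileHashValue_s`, `DomainName_s` through `MalwareName_s`) is hard-coded to `''` and `RawData` holds only `tostring(indicators)`, not the full record; state in the file or the README that these columns are placeholders kept for schema compatibility with the legacy table and that consumers must read entities from `indicators`, otherwise detections written against the legacy columns silently match nothing on CCF-ingested rows.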
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Change(s):
- Added a new Trend Vision One Microsoft Sentinel data connector based on the Common Connector Framework (CCF).
- Added ARM templates and deployment artifacts required for connector deployment.
- Added DCR-based ingestion configuration and transformation logic for Workbench data ingestion.
- Added custom table schema and supporting resources required for data collection.
- Added parser/query support to transform ingested Workbench data into the expected Sentinel schema.

Reason for Change(s):
- Introduce a CCF-based implementation of the Trend Vision One connector aligned with Microsoft's modern ingestion architecture.
- Reduce dependency on the legacy Azure Function-based connector model.
- Enable DCR-based ingestion-time transformations and simplify deployment for Microsoft Sentinel customers.
- Provide a foundation for future enhancements while maintaining compatibility with existing Trend Vision One data consumption scenarios.

Version Updated:
N/A

Testing Completed:
Yes
- Successfully deployed the ARM template in a Microsoft Sentinel test environment.
- Verified connector deployment and data ingestion from Trend Vision One APIs.
- Verified records are written to the target Log Analytics table.
- Verified transformation/query logic produces the expected output schema.

Checked that the validations are passing and have addressed any issues that are present:
Yes