feat: add parser for Trend Micro Vision One Risk Events #910
wentao-trendmicro wants to merge 20 commits into
Conversation
Add community parser for TRENDMICRO_VISION_ONE_RISK_EVENTS log type. Parses risk event logs from Vision One into UDM format, mapping risk scores to severity levels, resolve flags to security actions, and extracting principal/target/cloud fields. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary of Changes (Gemini Code Assist)
This pull request introduces a new community parser for Trend Micro Vision One Risk Event logs. The parser enables the transformation of these logs into the Unified Data Model (UDM) format, facilitating better security visibility by mapping risk-specific data points such as severity levels, security actions, and various cloud and asset-related metadata.
Code Review
This pull request introduces a new parser for Trend Micro Vision One Risk Event logs, including the Logstash configuration, metadata, and test data. The review identified two critical issues in the Logstash configuration: first, converting riskScore (which can be a float) directly to an integer will cause failures, so it should be converted to a float instead; second, nested fields within the parsed JSON (such as meta.appName) must be referenced using bracket notation (e.g., %{[meta][appName]}) rather than dot notation, and should be protected with if guards to avoid mapping literal template strings when the fields are missing.
…eta fields
- Convert riskScore to float instead of integer to handle values like 42.0
- Use bracket notation %{[meta][appName]} for nested field references
- Add if guards around meta.appName and meta.request to prevent literal
template strings when fields are missing
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The log_type must be a valid registered LogType enum value. Remove it since TRENDMICRO_VISION_ONE_RISK_EVENTS is not yet registered. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
CBN parser fails when if-condition references non-existent nested fields. Revert to unconditional mutate with on_error handler while keeping bracket notation for field references. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Use snake_case field names (read_only_udm, event_timestamp, etc.)
- Use flat additional fields instead of nested fields array
- Fix riskScore string representation from "42.0" to "42"
- Add event.timestamp field
- Remove meta_preventativeMeasures (array values not iterated)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Remove deprecated UDM fields (cloud.environment, cloud.project.id, cloud.availability_zone, cloud.project.name, cloud.project.resource_subtype) and move cloud data to additional.fields
- Remove customerId from additional fields (PII data)
- Add has_principal/has_target/has_user flags for dynamic event_type
- Add principal.asset.hostname and principal.asset.ip mappings
- Change else-if to independent if for separate field mappings (L242)
- Add email regex validation before mapping
- Fix osName mapping: platform_version -> principal.platform
- Use 'in' array syntax for resolveFlag conditions
- Add null checks for meta.appName and meta.request
- Use meta.appName/meta.request dot syntax instead of [meta][appName]
- Rename meta_key/meta_value to metakey/metavalue (avoid underscores)
- Remove extra blank line (L11)
- Map preventativeMeasures array to security_result.category_details
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…on framework Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…ional containers These UDM container fields are auto-created by CBN when sub-fields are set. No other community parser initializes them. Only security_result needs init since it's used as a merge source. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Reviewer noted that description was mapped to both metadata.description and security_result.summary. Keep only security_result.summary as it is the more semantically appropriate field for risk event descriptions. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
meta.appName and meta.request may not exist in metaInfo JSON. Using if [meta][appName] != "" causes CBN error 'not found in state data' when the field is absent. Switch to on_error pattern: attempt the replace and use the error flag to guard has_target. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- Restore container field inits (event/metadata/principal/target/additional) as CBN requires them for 'if [field] != ""' conditionals in final assembly
- Remove preventativeMeasures from init block so JSON-parsed map is preserved
- Fix preventativeMeasures iteration: use replace to intermediate var before merge (direct merge of for-loop variable into category_details doesn't work)
- Verified via secops parser run against live SecOps instance - all fields match
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- Use 'in' syntax for resolveFlag new/accepted: in ["new", "accepted"]
- Add QUARANTINE action for resolveFlag quarantine
- Change assetName back to else-if to avoid overriding hostName, map to both principal.hostname and principal.asset.hostname
- Add IP regex validation for hostIp, set has_principal via on_error check
- Remove has_principal from user fields (userPrincipalName/email), has_principal is only for machine data (IP, hostname, MAC)
- Set has_user via on_error check pattern for email
- Map osName to platform ENUM values (LINUX/WINDOWS/MAC) with regex
- Remove has_target from URL/application (only for machine data)
- Remove empty cloud field has_target blocks (data goes to additional.fields)
- Change event_type to NETWORK_CONNECTION when has_principal + has_target
- Add comment explaining on_error pattern for meta sub-fields
- Verified via secops parser run against live SecOps instance
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- declare meta.appName and meta.request in state data init
- drop has_target flag from containerImageId (not an IP/MAC/hostname target)
- remove now-dead NETWORK_CONNECTION event_type branch
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…rror
CBN throws "not found in state data" when a conditional reads a nested key
(meta.appName/meta.request) that the parsed metaInfo JSON does not contain.
Pre-initializing meta.* at the top does not help because json{target=>meta}
replaces the whole map. Guard on [metaInfo] (always in state data) instead and
let on_error skip absent nested keys.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
riskScore_str is only assigned when riskScore is present, so logs without a riskScore would hit "not found in state data" at the additional-field conditional. Declare it "" in the init block. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- Declare meta.appName/meta.request in state data; null-check the extracted nested value via scratch fields instead of only [metaInfo] (bracket guard [meta][appName] drops the event when the key is absent)
- Add key null checks in the addition and meta dynamic field loops
- Gate USER_UNCATEGORIZED on has_user AND has_principal so the event always carries an indexable user+machine identifier; machine-only events map to STATUS_UPDATE
- Fix expected_events.json to camelCase to match parser output and the repo convention (validation now passes)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
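The commit messages above describe several failure modes the parser had to handle: riskScore arriving as "42.0" (so an integer conversion fails), nested meta.appName/meta.request keys that are absent from the parsed metaInfo JSON, hostIp and email values that need validation before they may set has_principal/has_user, and the event_type gating (user+machine -> USER_UNCATEGORIZED, machine-only -> STATUS_UPDATE). The following Python model of that mapping is an added example, not code from the PR or the parser; the severity thresholds, the resolveFlag-to-action values, the GENERIC_EVENT fallback and the sample events are assumptions, and dict .get() stands in for the CBN on_error guard.

```python
import ipaddress
import json
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
ACTIONS = {"new": "ALLOW", "accepted": "ALLOW", "quarantine": "QUARANTINE"}  # assumed values

# Constructed sample events, not real Vision One data. The second one has no riskScore,
# no user and an empty metaInfo, and its hostIp fails validation.
SAMPLE_EVENTS = [
    '{"riskScore": "42.0", "resolveFlag": "new", "hostName": "host-a", "hostIp": "10.0.0.5",'
    ' "userPrincipalName": "alice@example.com", "description": "Unpatched service",'
    ' "metaInfo": "{\\"appName\\": \\"ssh\\", \\"request\\": \\"/login\\"}"}',
    '{"resolveFlag": "quarantine", "hostName": "host-b", "hostIp": "not-an-ip", "metaInfo": "{}"}',
]

def severity(raw):
    # riskScore is a string such as "42.0": int("42.0") raises, float() does not.
    score = float(raw)  # thresholds below are assumed, not the parser's
    return "HIGH" if score >= 70 else "MEDIUM" if score >= 40 else "LOW"

def to_udm(line):
    ev = json.loads(line)
    meta = json.loads(ev.get("metaInfo") or "{}")  # json{target=>meta} replaces the whole map
    udm = {"metadata": {}, "principal": {}, "target": {}, "security_result": {}, "additional": {}}
    has_principal = has_user = False
    if ev.get("hostName"):
        udm["principal"]["hostname"] = ev["hostName"]
        has_principal = True
    try:  # IP validation: an invalid hostIp must not set has_principal
        udm["principal"]["ip"] = str(ipaddress.ip_address(ev.get("hostIp", "")))
        has_principal = True
    except ValueError:
        pass
    if EMAIL_RE.match(ev.get("userPrincipalName", "")):
        udm["principal"]["user_email"] = ev["userPrincipalName"]
        has_user = True
    if "riskScore" in ev:  # riskScore_str exists only when riskScore is present
        udm["security_result"]["severity"] = severity(ev["riskScore"])
        udm["additional"]["riskScore"] = str(int(float(ev["riskScore"])))  # "42.0" -> "42"
    if ev.get("resolveFlag") in ACTIONS:
        udm["security_result"]["action"] = ACTIONS[ev["resolveFlag"]]
    # Nested meta keys may be absent; .get() stands in for the parser's on_error guard
    for src, dst in (("appName", "application"), ("request", "url")):
        if meta.get(src):
            udm["target"][dst] = meta[src]
    udm["metadata"]["event_type"] = ("USER_UNCATEGORIZED" if has_user and has_principal
                                     else "STATUS_UPDATE" if has_principal else "GENERIC_EVENT")
    return udm
```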
Summary
TRENDMICRO_VISION_ONE_RISK_EVENTS log type
Test plan
🤖 Generated with Claude Code