feat: add parser for Trend Micro Vision One Risk Events#910

Open
wentao-trendmicro wants to merge 20 commits into
chronicle:mainfrom
wentao-trendmicro:feat/trendmicro-vision-one-risk-events-parser

Conversation

@wentao-trendmicro


Summary

  • Add community parser for TRENDMICRO_VISION_ONE_RISK_EVENTS log type
  • Parses Trend Micro Vision One risk event logs into UDM format
  • Maps risk scores to severity levels (CRITICAL/HIGH/MEDIUM/LOW/INFORMATIONAL)
  • Maps resolve flags (new, accepted, resolved, close, system_remediation, system_remediated) to security actions
  • Extracts principal, target, cloud, and additional fields from risk event data

Test plan

  • Validate parser against sample risk event logs
  • Verify UDM field mapping correctness
  • Pass "Validate Parsers" automated check
  • Pass "Validate Google & Parsers" SecOps instance check

🤖 Generated with Claude Code

Add community parser for TRENDMICRO_VISION_ONE_RISK_EVENTS log type.
Parses risk event logs from Vision One into UDM format, mapping risk
scores to severity levels, resolve flags to security actions, and
extracting principal/target/cloud fields.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@wentao-trendmicro wentao-trendmicro requested a review from a team as a code owner June 4, 2026 08:07
@gemini-code-assist


Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a new community parser for Trend Micro Vision One Risk Event logs. The parser enables the transformation of these logs into the Unified Data Model (UDM) format, facilitating better security visibility by mapping risk-specific data points such as severity levels, security actions, and various cloud and asset-related metadata.

Highlights

  • New Parser Implementation: Added a community parser for Trend Micro Vision One Risk Events to support log ingestion and normalization.
  • UDM Mapping: Implemented comprehensive mapping for risk scores to severity levels and resolve flags to security actions.
  • Data Extraction: Configured extraction for principal, target, and cloud-related fields, including dynamic parsing of metaInfo.

@google-cla

google-cla Bot commented Jun 4, 2026


Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces a new parser for Trend Micro Vision One Risk Event logs, including the Logstash configuration, metadata, and test data. The review identified two critical issues in the Logstash configuration: first, converting riskScore (which can be a float) directly to an integer will cause failures, so it should be converted to a float instead; second, nested fields within the parsed JSON (such as meta.appName) must be referenced using bracket notation (e.g., %{[meta][appName]}) rather than dot notation, and should be protected with if guards to avoid mapping literal template strings when the fields are missing.

wentao-trendmicro and others added 4 commits June 4, 2026 16:36
…eta fields

- Convert riskScore to float instead of integer to handle values like 42.0
- Use bracket notation %{[meta][appName]} for nested field references
- Add if guards around meta.appName and meta.request to prevent literal
  template strings when fields are missing

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The log_type must be a valid registered LogType enum value.
Remove it since TRENDMICRO_VISION_ONE_RISK_EVENTS is not yet registered.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
CBN parser fails when if-condition references non-existent nested fields.
Revert to unconditional mutate with on_error handler while keeping
bracket notation for field references.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Use snake_case field names (read_only_udm, event_timestamp, etc.)
- Use flat additional fields instead of nested fields array
- Fix riskScore string representation from "42.0" to "42"
- Add event.timestamp field
- Remove meta_preventativeMeasures (array values not iterated)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
wentao-trendmicro and others added 7 commits June 12, 2026 15:17
- Remove deprecated UDM fields (cloud.environment, cloud.project.id,
  cloud.availability_zone, cloud.project.name,
  cloud.project.resource_subtype) and move cloud data to additional.fields
- Remove customerId from additional fields (PII data)
- Add has_principal/has_target/has_user flags for dynamic event_type
- Add principal.asset.hostname and principal.asset.ip mappings
- Change else-if to independent if for separate field mappings (L242)
- Add email regex validation before mapping
- Fix osName mapping: platform_version -> principal.platform
- Use 'in' array syntax for resolveFlag conditions
- Add null checks for meta.appName and meta.request
- Use meta.appName/meta.request dot syntax instead of [meta][appName]
- Rename meta_key/meta_value to metakey/metavalue (avoid underscores)
- Remove extra blank line (L11)
- Map preventativeMeasures array to security_result.category_details

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…on framework

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…ional containers

These UDM container fields are auto-created by CBN when sub-fields are set.
No other community parser initializes them. Only security_result needs init
since it's used as a merge source.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Reviewer noted that description was mapped to both metadata.description
and security_result.summary. Keep only security_result.summary as it is
the more semantically appropriate field for risk event descriptions.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
meta.appName and meta.request may not exist in metaInfo JSON. Using
if [meta][appName] != "" causes CBN error 'not found in state data'
when the field is absent. Switch to on_error pattern: attempt the
replace and use the error flag to guard has_target.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- Restore container field inits (event/metadata/principal/target/additional)
  as CBN requires them for 'if [field] != ""' conditionals in final assembly
- Remove preventativeMeasures from init block so JSON-parsed map is preserved
- Fix preventativeMeasures iteration: use replace to intermediate var before
  merge (direct merge of for-loop variable into category_details doesn't work)
- Verified via secops parser run against live SecOps instance - all fields match

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
wentao-trendmicro and others added 3 commits June 15, 2026 10:29
- Use 'in' syntax for resolveFlag new/accepted: in ["new", "accepted"]
- Add QUARANTINE action for resolveFlag quarantine
- Change assetName back to else-if to avoid overriding hostName,
  map to both principal.hostname and principal.asset.hostname
- Add IP regex validation for hostIp, set has_principal via on_error check
- Remove has_principal from user fields (userPrincipalName/email),
  has_principal is only for machine data (IP, hostname, MAC)
- Set has_user via on_error check pattern for email
- Map osName to platform ENUM values (LINUX/WINDOWS/MAC) with regex
- Remove has_target from URL/application (only for machine data)
- Remove empty cloud field has_target blocks (data goes to additional.fields)
- Change event_type to NETWORK_CONNECTION when has_principal + has_target
- Add comment explaining on_error pattern for meta sub-fields
- Verified via secops parser run against live SecOps instance

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
wentao-trendmicro and others added 4 commits June 22, 2026 09:46
- declare meta.appName and meta.request in state data init
- drop has_target flag from containerImageId (not an IP/MAC/hostname target)
- remove now-dead NETWORK_CONNECTION event_type branch

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…rror

CBN throws "not found in state data" when a conditional reads a nested key
(meta.appName/meta.request) that the parsed metaInfo JSON does not contain.
Pre-initializing meta.* at the top does not help because json{target=>meta}
replaces the whole map. Guard on [metaInfo] (always in state data) instead and
let on_error skip absent nested keys.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
riskScore_str is only assigned when riskScore is present, so logs without a
riskScore would hit "not found in state data" at the additional-field
conditional. Declare it "" in the init block.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@tpi-aigc tpi-aigc requested a review from a team as a code owner June 29, 2026 02:08
- Declare meta.appName/meta.request in state data; null-check the
  extracted nested value via scratch fields instead of only [metaInfo]
  (bracket guard [meta][appName] drops the event when the key is absent)
- Add key null checks in the addition and meta dynamic field loops
- Gate USER_UNCATEGORIZED on has_user AND has_principal so the event
  always carries an indexable user+machine identifier; machine-only
  events map to STATUS_UPDATE
- Fix expected_events.json to camelCase to match parser output and the
  repo convention (validation now passes)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
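The guard pattern that the review comment and the later commit messages describe (bracket notation for nested metaInfo keys, riskScore converted to float rather than integer, and scratch fields declared before any conditional reads them, with on_error catching absent nested keys), shown as an added illustrative CBN fragment that is not the PR's parser. The scratch field risk_score_str is taken from the commits; meta_app_name and the on_error flag names are assumptions, and the same pattern applies to meta.request.

```logstash
filter {
  # 1. Declare every scratch field a later conditional will read, so a log
  #    that lacks riskScore or appName never triggers "not found in state data".
  mutate {
    replace => {
      "risk_score_str" => ""
      "meta_app_name" => ""
    }
  }

  json {
    source => "message"
    on_error => "not_json"
  }
  if [not_json] {
    drop { tag => "TAG_MALFORMED_MESSAGE" }
  }

  # 2. riskScore can arrive as 42.0, so convert to float rather than integer;
  #    a string copy is kept for additional.fields.
  mutate {
    convert => { "riskScore" => "float" }
    on_error => "risk_score_not_numeric"
  }
  if ![risk_score_not_numeric] {
    mutate { replace => { "risk_score_str" => "%{riskScore}" } }
  }

  # 3. metaInfo is a JSON string; parsing it into "meta" replaces the whole
  #    map, so pre-declared meta.* keys would not survive this step.
  json {
    source => "metaInfo"
    target => "meta"
    on_error => "meta_not_json"
  }

  # 4. Copy the optional nested key into a scratch field using bracket
  #    notation. If appName is absent the replace fails and only sets the
  #    error flag; the guard then reads fields that are always present.
  mutate {
    replace => { "meta_app_name" => "%{[meta][appName]}" }
    on_error => "no_app_name"
  }
  if ![no_app_name] and [meta_app_name] != "" {
    mutate {
      replace => { "event.idm.read_only_udm.target.application" => "%{meta_app_name}" }
    }
  }

  mutate { merge => { "@output" => "event" } }
}
```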