
Deploy the connector using Azure Functions to enable alert data collection from Trend Vision One.

Procedure

  1. Install the Trend Vision One solution in Microsoft Sentinel
    1. In your Microsoft Sentinel workspace, go to Content management > Content hub (Preview).
    2. Search for Trend Vision One and click Install.
    3. Choose your workspace and click Start.
  2. Install the Trend Vision One data connector:
    1. In your Microsoft Sentinel workspace, go to Configuration > Data connectors.
    2. Search for Trend Vision One (using Azure Function) and click Open connector page.
    3. On the connector page, go to Instructions.
    4. Copy the Workspace ID and Workspace Key.
    5. Click Deploy to Azure.
      The deployment process redirects to the Microsoft Azure portal.
    6. Configure the settings on the Custom deployment page:
      Settings and configuration notes:
      • Subscription: Manages deployed resources
      • Resource group: Where to deploy the connector
      • Function Name: Must be a unique name
      • Workspace ID and Workspace Key: The information you copied from the Instructions section of the connector page.
        You can also access the information from Log Analytics.
        1. Go to your Workspace in Log Analytics.
        2. Go to Settings > Agents management.
        3. The information is on Windows servers, under Download agent.
      • API Key: An API key from a Trend Vision One user account
        Important
        The Microsoft Sentinel connector requires an API key from a Trend Vision One user account with the SIEM role or a user role with greater permissions. The user account access level must include APIs.
      • Region Code: The region code that corresponds to the location of your Trend Vision One instance
        Allowed values:
        • au
        • eu
        • in
        • jp
        • sg
        • us
        • mea
      • Storage prefix: Ensure the storage prefix adheres to the Azure resource naming conventions.
    7. Click Review + create.
  3. Configure the Python version the connector uses.
    1. In the Microsoft Azure console, find the resource group of the Trend Vision One connector.
    2. Under Resources, click the Function App in your resource group.
    3. Go to Configuration > General Settings.
    4. Select Python 3.9 from the Python Version menu.
    5. Click Save.
  4. If you use custom detection models or hypersensitive mode, configure the connector to pull the related alert data.
    By default, the Trend Vision One connector does not pull data created by custom detection models or hypersensitive mode. You need to configure additional settings to ensure the connector ingests related alert data.
    1. In the Microsoft Azure console, find the resource group of the Trend Vision One connector.
    2. Under Resources, click the Function App in your resource group.
    3. Go to Settings > Environment variables > App settings.
    4. If you want to send custom detection models to Microsoft Sentinel, click Add and configure the following settings:
      • Name: queryCustomWorkbench
      • Value: True
    5. If you want to send hypersensitive mode alert data to Microsoft Sentinel, click Add and configure the following settings:
      • Name: queryAggressiveWorkbench
      • Value: True
    6. Click Apply.
    7. In the confirmation dialog, click Confirm.
After successful deployment, Microsoft Sentinel retrieves new alert data generated by Trend Vision One. The connector does not pull preexisting alert data.
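
The following check is an added example, not part of the original procedure or of the connector's own code. It validates the Custom deployment inputs against the values listed above and reads an app settings export (the JSON printed by `az functionapp config appsettings list`) to find alert sources the connector is not pulling. The function names, the sample export, and the strict comparison with the documented value `True` are assumptions; the page does not say how the connector parses the value.

```python
import json
import re

ALLOWED_REGIONS = {"au", "eu", "in", "jp", "sg", "us", "mea"}  # listed in step 2
# App settings from step 4, mapped to the alert source each one enables.
OPTIONAL_FLAGS = {
    "queryCustomWorkbench": "custom detection models",
    "queryAggressiveWorkbench": "hypersensitive mode",
}
GUID = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")


def check_parameters(region_code, workspace_id, storage_prefix):
    """Return problems found in the Custom deployment inputs (empty list = OK)."""
    problems = []
    if region_code not in ALLOWED_REGIONS:  # strict match on the listed values
        problems.append(f"region code {region_code!r} is not an allowed value")
    if not GUID.fullmatch(workspace_id):  # Log Analytics workspace IDs are GUIDs
        problems.append("workspace ID is not a GUID")
    # Assumption: the prefix becomes part of a storage account name, which
    # Azure limits to 3-24 lowercase letters and digits.
    if not re.fullmatch(r"[a-z0-9]{1,24}", storage_prefix):
        problems.append("storage prefix must be lowercase letters and digits")
    return problems


def missing_alert_sources(app_settings_json, wanted):
    """Return (source, setting, current value) for each wanted source whose
    flag is absent or differs from the documented value "True"."""
    settings = {s["name"]: s.get("value") for s in json.loads(app_settings_json)}
    return [
        (source, name, settings.get(name))
        for name, source in OPTIONAL_FLAGS.items()
        if source in wanted and settings.get(name) != "True"
    ]


# Constructed sample export: one flag is correct, one has a typo in its value.
SAMPLE = json.dumps([
    {"name": "FUNCTIONS_WORKER_RUNTIME", "value": "python", "slotSetting": False},
    {"name": "queryCustomWorkbench", "value": "True", "slotSetting": False},
    {"name": "queryAggressiveWorkbench", "value": "true ", "slotSetting": False},
])

if __name__ == "__main__":
    print(check_parameters("US", "not-a-guid", "Trend-V1"))
    print(missing_alert_sources(SAMPLE, set(OPTIONAL_FLAGS.values())))
```

A non-empty result from `missing_alert_sources` means alerts from that source are not confirmed to reach Microsoft Sentinel, so detections built on them should be treated as a coverage gap until the setting is corrected.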