What Changed

Trend Micro Cloud App Security solution bumped to v3.0.0 (major) to adopt the V3 packaging tool format (contentTemplates ARM layout). This PR introduces two substantive changes:

  1. New CCF Data Connector – TrendMicroCASConnector.json + supporting DCR.json, PollingConfig.json, and table_TrendMicroCASV2.json files define a Codeless Connector Framework connector that ingests into a new custom table TrendMicroCASV2_CL. The legacy Azure Functions connector (TrendMicroCAS_API_FunctionApp.json) is retained unchanged.

  2. Dual-schema parser – TrendMicroCAS.yaml (v1.1.1) is rewritten to union both tables:

    • CLv1 leg: reads TrendMicroCAS_CL using column_ifexists() against type-suffixed column names (e.g., message_affected_user_s, log_item_id_g) produced by the Functions connector.
    • CLv2 leg: reads TrendMicroCASV2_CL using clean column names (e.g., AffectedUser, LogItemId) produced by the CCF connector.
    • Both legs project an identical normalised schema and are then combined with union.

Data Connector – CCF Path

The new CCF connector polls the Trend Micro Cloud App Security REST API and ingests via DCR to TrendMicroCASV2_CL. The DCR.json defines the stream Custom-TrendMicroCASV2_CL with column-level transforms. Authentication and polling parameters are declared in PollingConfig.json.

Parser Impact

The parser function TrendMicroCAS previously only read TrendMicroCAS_CL. After this change it transparently unions both tables. Existing Analytic Rules, hunting queries, and workbooks that reference the TrendMicroCAS function require no changes – they will automatically see events from both the legacy Functions connector and the new CCF connector.

Field type handling was also tightened in the CLv1 leg: tostring() wrappers added for GUID columns (log_item_id_g, message_mail_message_id_g); datetime defaults changed from empty string to datetime(null); dynamic columns default to dynamic(null) – correcting silent type mismatches that could cause union failures or null coercion errors when both legs are active.

Analytic Rule / Hunting Query Changes

Three content files received description-only typo fixes (recieved to received) with version bumps (1.0.0 to 1.0.1). No KQL detection logic was modified.

Workbook

WorkbooksMetadata.json updated to add TrendMicroCASV2_CL as a data type dependency (workbook version 1.0.1). No workbook logic changed.

Affected Files

.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASUnexpectedFileInMail.yaml
Solutions/Trend Micro Cloud App Security/Data Connectors/TrendMicroCAS_API_FunctionApp.json
Solutions/Trend Micro Cloud App Security/Data Connectors/TrendMicroCAS_CCF/DCR.json
Solutions/Trend Micro Cloud App Security/Data Connectors/TrendMicroCAS_CCF/PollingConfig.json
Solutions/Trend Micro Cloud App Security/Data Connectors/TrendMicroCAS_CCF/TrendMicroCASConnector.json
Solutions/Trend Micro Cloud App Security/Data Connectors/TrendMicroCAS_CCF/table_TrendMicroCASV2.json
Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASRareFilesRecievedViaEmail.yaml
Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASTopFilesRecievedViaEmail.yaml
Solutions/Trend Micro Cloud App Security/Package/testParameters.json
Solutions/Trend Micro Cloud App Security/Parsers/TrendMicroCAS.yaml
Solutions/Trend Micro Cloud App Security/Workbooks/TrendMicroCAS.json
Workbooks/Images/Logos/akamai-guardicore.svg
Workbooks/Images/Preview/GuardicoreNotebookBlack.png
Workbooks/Images/Preview/GuardicoreNotebookBlack2.png
Workbooks/Images/Preview/GuardicoreNotebookWhite.png
Workbooks/Images/Preview/GuardicoreNotebookWhite2.png
Workbooks/Images/Preview/IncidentAnalysisBlack.png
Workbooks/Images/Preview/IncidentAnalysisWhite.png
Workbooks/WorkbooksMetadata.json
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Trend Micro Cloud App Security.json, createUiDefinition.json, mainTemplate.json)
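
The dual-schema union described under Parser Impact, as an added KQL sketch that is not the solution's TrendMicroCAS.yaml. Constructed datatable rows stand in for both tables; the output column names and every column marked hypothetical are assumptions.

```kql
// Constructed sample rows; the real parser reads TrendMicroCAS_CL and TrendMicroCASV2_CL.
let LegacyRows = datatable(TimeGenerated:datetime, message_affected_user_s:string, log_item_id_g:guid)
[
    datetime(2024-01-01 10:00:00), "alice@contoso.example", guid(11111111-1111-1111-1111-111111111111)
];
// DetectionTime and Details are hypothetical clean-name columns used to show typed defaults.
let CcfRows = datatable(TimeGenerated:datetime, AffectedUser:string, LogItemId:string,
                        DetectionTime:datetime, Details:dynamic)
[
    datetime(2024-01-01 10:05:00), "bob@contoso.example", "22222222-2222-2222-2222-222222222222",
    datetime(2024-01-01 10:04:30), dynamic({"k": "v"})
];
// CLv1 leg: type-suffixed columns, each read through column_ifexists() with a default
// of the type the normalised schema expects.
let CLv1 = LegacyRows
    | extend
        AffectedUser  = tostring(column_ifexists("message_affected_user_s", "")),
        // GUID columns are wrapped in tostring() so they match the string column in the CLv2 leg.
        LogItemId     = tostring(column_ifexists("log_item_id_g", guid(null))),
        // Absent from LegacyRows on purpose: exercises the default path.
        MailMessageId = tostring(column_ifexists("message_mail_message_id_g", guid(null))),
        // Hypothetical source names. A "" default here would make these string columns
        // in this leg while the CLv2 leg carries datetime and dynamic.
        DetectionTime = column_ifexists("detection_time_t", datetime(null)),
        Details       = column_ifexists("details_d", dynamic(null))
    | project TimeGenerated, AffectedUser, LogItemId, MailMessageId, DetectionTime, Details,
              SourceTable = "TrendMicroCAS_CL";
// CLv2 leg: clean column names; MailMessageId is a hypothetical clean name.
let CLv2 = CcfRows
    | extend MailMessageId = tostring(column_ifexists("MailMessageId", ""))
    | project TimeGenerated, AffectedUser, LogItemId, MailMessageId, DetectionTime, Details,
              SourceTable = "TrendMicroCASV2_CL";
// Both legs now project the same names and types, so the union yields one column per field.
union CLv1, CLv2
| sort by TimeGenerated asc
```

Appending `| getschema` to the final query lists each output column with its type, which is a quick check that no field has split into two differently typed columns.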