
Investigate and understand the extent and severity of any alert to further decide response actions.

The All Alerts screen (Agentic SIEM & XDR > Workbench) displays all the standalone alerts triggered by detection models.
The following actions are available on the All Alerts screen. Each action is listed by name, followed by its description.
Investigate an alert
Understand the extent and severity of any alert to further decide response actions.
Open a new case
Locate a Workbench alert and click Open new case to create a new case to handle the alert.
Important
Opening a case for standalone alerts disables the Workbench alert note functionality and transfers all related Workbench notes to the case.
After that, new notes can only be added directly to the case.
View alert details
Click the ID of an alert to view the summary, highlights, and observable graph of the alert.
Filter alert data
Use the drop-down menus to filter alert data by alert Status, Case status in Case Management, alert Created time, and investigation Findings.
Note
The following investigation findings are available:
  • -: No findings have been recorded for the alert.
  • Benign true positive: The investigation confirmed the presence of a genuine threat that poses no risk to the organization. Benign true positives typically result from penetration tests or other legitimate, authorized activities in your environment.
  • False positive: The investigation found no malicious activity.
  • Noteworthy: Trend Vision One detected unusual activity that requires further investigation.
  • True positive: The investigation confirmed the occurrence of threats or malicious activities.
Click Add filter and select an option from the drop-down menu to filter by Asset group, Custom tag, Criticality, Data source / processor, Endpoint group, Model name, Model type, and Owners.
You can also use the search box to filter alert data.
Change the view
Change the view by selecting one of the following options from the View drop-down menu:
  • All: Shows all the alerts that match the filter criteria
  • Group by
    • Model: Groups the alerts by the detection model name
    • Endpoint: Groups the alerts by the endpoint name
    Tip
    Click the right arrow of each row to expand the alerts grouped under a specific model or endpoint name.
Change the alert status
Select one or more alerts and click Change Status to update the progress of alerts or investigations.
Change alert findings
Select one or more alerts and click Change Findings to update the investigation findings of the selected alerts.
Assign owner
Select one or more alerts and click Assign Owner to assign the alerts to user accounts in your organization.
Move alerts across Workbench insights
Select one or more alerts and select any of the following options:
  • Associate with insight: Moves the alerts to the specified Workbench insight.
  • Remove from insight: Removes alerts from their current Workbench insights.
Important
  • Workbench no longer attempts to correlate the alerts you move with any new alerts.
  • An alert can belong to only one Workbench insight at a time.
See Automated Response Playbooks
Click Automated Response Playbooks to display the Automated Response playbooks available in Security Playbooks.