Views:

Review the individual events detected in your environment that might trigger a Workbench alert.

Trend Vision One detects events through use of granular predefined or custom detection filters that make up the detection models that trigger alerts. Events that Trend Vision One lists on Observed Attack Techniques might not result in a Workbench insight or Workbench alert. You can use the data in the Trend Vision One app to further investigate Workbench insights and evaluate individual detections.
The following table outlines the actions available in the Observed Attack Techniques app:
Action
Description
Filter event data
Use the lists to locate specific event data.
  • Risk level: The risk assigned to the detection filter as determined by Trend Micro threat experts
    Trend Micro experts continuously assess threats and may update the risk level of a detection at any time based on the latest information available.
  • Detected: When the detection occurred
  • Data source / processor: The product that detected the event
  • Detection filter: Select from Detection filter, Tactic ID, or Technique ID to locate specific filter or MITRE data
You can also search by endpoint or container name in the search bar.
Create a query from filters
To create a query in XDR Data Explorer based on your specified filters, click Query in XDR Data Explorer.
Hide detection filters from the list
If you receive a lot of detections on particular detection filters that do not interest you, you can temporarily hide the data for specific filters.
Right-click the unwanted Detection filter name and click Hide Value. After adding all unwanted filters to the Hidden objects list, click Apply to reload the list.
Note
Note
You cannot save the Hidden objects list. If you leave the Observed Attack Techniques, the list resets.
View event details in XDR Data Explorer
Locate an event, click the options icon (options=ddb0b67f-0654-4aa5-8bc7-48ec554c5448.png) at the end of the row and select View Event in XDR Data Explorer to open XDR Data Explorer in a new browser tab.
Add event to case
Locate an event, click the options icon (options=ddb0b67f-0654-4aa5-8bc7-48ec554c5448.png) at the end of the row and select Add to Case to add the event as evidence of a case.
Add event to Workbench insight
Locate and right-click an event, then select Add to Workbench Insight.
Adding events to Workbench insights updates the insight information, including impact scope and highlighted object.
View detailed information about an associated entity
Click the Show Detailed Profile icon (details_icon=f45ada04-b746-40a7-a5f4-2166c059213c.png) to view detailed information about the associated entity.
View more details
Expand any row to see more details related to the detection and associated entities.
Chat with Trend Companion
  • Click newCompanionIcon=GUID-20240819112525.jpg to start a conversation with Trend Companion.
  • Right-click a CLI command element (parentCmd, processCmd, and objectCmd) and choose Explain Command to learn about the commands executed in an event.
  • To learn about an event, you can right-click an event or click options=ddb0b67f-0654-4aa5-8bc7-48ec554c5448.png and choose Explain Event. Trend Companion cannot explain events that only contain custom filters.
Related information