Review the individual events detected in your environment that might trigger a Workbench alert.

Trend Vision One detects events through the use of granular predefined or custom detection filters that make up the detection models that trigger alerts. Events listed in Observed Attack Techniques (Agentic SIEM & XDR → Observed Attack Techniques) might not generate a Workbench insight or Workbench alert. You can use the data in Trend Vision One to further investigate Workbench insights and evaluate individual detections.
The following table outlines the actions available in Observed Attack Techniques:
Action
Description
Filter event data
Use the drop-down menus to filter by Event severity and last Detected time.
Note
Click Add filter and select an option from the drop-down menu to filter by Asset group, Custom tag, Data source / processor, Detection filter, Endpoint group, Tactic ID, or Technique ID.
You may also use the search box to filter insights by endpoint or container name.
Create a query from filters
To create a query in XDR Data Explorer based on your specified filters, click Query in XDR Data Explorer.
Hide detection filters from the list
If particular detection filters generate a lot of detections that do not interest you, you can temporarily hide the data for those filters.
Right-click the unwanted Detection filter name and click Hide Value. After adding all unwanted filters to the Hidden objects list, click Apply to reload the list.
Note
You cannot save the Hidden objects list. If you leave Observed Attack Techniques, the list resets.
View event details in XDR Data Explorer
Locate an event, click the options icon at the end of the row, and select View Event in XDR Data Explorer to open XDR Data Explorer in a new browser tab.
Add event to case
Locate an event, click the options icon at the end of the row, and select Add to Case to add the event as evidence of a case.
Add event to Workbench insight
Locate and right-click an event, then select Add to Workbench Insight.
Adding events to Workbench insights updates the insight information, including impact scope and highlighted object.
View detailed information about an associated entity
Click the Show Detailed Profile icon to view detailed information about the associated entity.
View more details
Expand any row to see more details related to the detection and associated entities.
Chat with Trend Companion
  • Click the Trend Companion icon to start a conversation with Trend Companion.
  • Right-click a CLI command element (parentCmd, processCmd, and objectCmd) and choose Explain Command to learn about the commands executed in an event.
  • To learn about an event, you can right-click an event or click the options icon and choose Explain Event. Trend Companion cannot explain events that only contain custom filters.