Investigate and understand the extent and severity of any alert to further decide response actions.

The All Alerts screen (XDR Threat InvestigationWorkbench) displays all the standalone alerts triggered by detection models.
The following table outlines the actions available on the Alert View screen.
Investigate an alert
Understand the extent and severity of any alert to further decide response actions
Open a new case
Locate a Workbench alert and click Open new case to create a new case to handle the alert.
Opening a case for standalone alerts disables the Workbench alert note functionality and transfers all related Workbench notes to the case.
You can only add new notes can directly to the case.
View alert details
Click the ID of an alert to view the summary, highlights and observable graph of the alert.
Filter alert data
Use the search box and the dropdown lists to filter alert data.
  • Status: The current status of the alert or investigation triggered in Workbench
    • workbench-status-new.png Open: The alert is new and not currently under investigation
    • workbench-status-in-.png In progress: The alert is under investigation.
    • workbench-status-clo.png Closed: The alert investigation is complete.
  • Created: The time when Trend Vision One generated the alert
  • Model name: The detection model that triggered the alert
  • Model type: Whether the detection model that triggered the alert is a custom model.
  • Data source / processor: The product that sent the alert data to Workbench
  • Findings: The findings of the alert investigation.
    Available values:
    • Confirmed incident: The investigation confirmed the occurrence of threats or malicious activities.
    • False positive: No malicious activity found.
    • Benign true positive: The investigation has confirmed the presence of a genuine threat that poses no risk to the organization.
      Benign true positives are the result of penetration test or other legitimate activities in your environment.
    • Noteworthy: Observations have identified suspicious activity that requires more investigation.
    • -: The investigation has no findings.
  • Owners: Whether the alert has assigned owners.
  • Case status: Whether you opened a case in Case Management to investigate the alert.
Change the view
Select an option from the View menu:
  • All: Shows all the alerts that match the filter criteria
  • Group by
    • Model: Groups the alerts by the detection model name
    • Endpoint: Groups the alerts by the endpoint name
    Click the right arrow (workbench-right-arro.png) of each row to expand the alerts grouped by a specific model or endpoint name.
Change the alert status
Select one or more alerts and click Change Status to update the progress of alerts or investigations.
Change alert findings
Select one or more alerts and click Change Findings to update the findings of the case.
Assign owner
Select one or more alerts and click Assign Owner to assign accounts within your organization to the alerts.
Move alerts across Workbench insights
Select one or more alerts and select any of the following options:
  • Associate with insight: Moves the alerts to the specified Workbench insight.
  • Remove from insight: Removes alerts from their current Workbench insights.
  • Workbench no longer attempts to correlate the alerts you move with any new alerts.
  • Alerts can only belong to one Workbench insight.
See Automated Response Playbooks
Click Automated Response Playbooks to display the Automated Response playbooks available in the Security Playbooks app