All Alerts | Trend Micro Service Central

Views:

Investigate and understand the extent and severity of any alert to further decide response actions.

The All Alerts screen (XDR Threat Investigation → Workbench) displays all the standalone alerts triggered by detection models.

The following table outlines the actions available on the Alert View screen.

Action

Description

Investigate an alert

Open a new case

Locate a Workbench alert and click Open new case to create a new case to handle the alert.

Opening a case for standalone alerts disables the Workbench alert note functionality and transfers all related Workbench notes to the case.

You can only add new notes can directly to the case.

View alert details

Filter alert data

Use the search box and the dropdown lists to filter alert data.

Status: The current status of the alert or investigation triggered in Workbench
- Open: The alert is new and not currently under investigation
- In progress: The alert is under investigation.
- Closed: The alert investigation is complete.
Created: The time when Trend Vision One generated the alert
Model name: The detection model that triggered the alert
Model type: Whether the detection model that triggered the alert is a custom model.
Data source / processor: The product that sent the alert data to Workbench
Findings: The findings of the alert investigation.

Available values:
- Confirmed incident: The investigation confirmed the occurrence of threats or malicious activities.
- False positive: No malicious activity found.
- Benign true positive: The investigation has confirmed the presence of a genuine threat that poses no risk to the organization.
  
  Benign true positives are the result of penetration test or other legitimate activities in your environment.
- Noteworthy: Observations have identified suspicious activity that requires more investigation.
- -: The investigation has no findings.
Owners: Whether the alert has assigned owners.
Case status: Whether you opened a case in Case Management to investigate the alert.

Change the view

Select an option from the View menu:

All: Shows all the alerts that match the filter criteria
Group by
- Model: Groups the alerts by the detection model name
- Endpoint: Groups the alerts by the endpoint name
Tip

Click the right arrow () of each row to expand the alerts grouped by a specific model or endpoint name.

Change the alert status

Select one or more alerts and click Change Status to update the progress of alerts or investigations.

Change alert findings

Select one or more alerts and click Change Findings to update the findings of the case.

Assign owner

Select one or more alerts and click Assign Owner to assign accounts within your organization to the alerts.

Move alerts across Workbench insights

Select one or more alerts and select any of the following options:

Associate with insight: Moves the alerts to the specified Workbench insight.
Remove from insight: Removes alerts from their current Workbench insights.

Workbench no longer attempts to correlate the alerts you move with any new alerts.
Alerts can only belong to one Workbench insight.

See Automated Response Playbooks

Click Automated Response Playbooks to display the Automated Response playbooks available in the Security Playbooks app