
Check the individual events detected in your environment that might trigger a Workbench alert.

Trend Vision One detects events using granular predefined or custom detection filters. These filters make up the detection models that trigger alerts. Events that Trend Vision One lists on the Observed Attack Techniques screen might not result in a Workbench insight or Workbench alert. You can use the data in the Trend Vision One app to further investigate Workbench insights and evaluate individual detections.
The following table outlines the actions available in the Observed Attack Techniques app.
Action
Description
Filter event data
Use the drop-down lists to locate specific event data.
  • Risk level: The risk assigned to the detection filter as determined by Trend Micro threat experts
    Trend Micro experts continuously assess threats and may update the risk level of a detection at any time based on the latest information available.
  • Detected: When the detection occurred
  • Data source / processor: The product that detected the event
  • Detection filter: Select from Detection filter, Tactic ID, or Technique ID to locate specific filter or MITRE data
You can also search by endpoint or container name in the search field.
Create a Search query from filters
To create a query in Search based on your specified filters, click Query in Search app.
Hide detection filters from the list
If detection filters that do not interest you generate a lot of detections, you can temporarily hide the data for those specific filters.
Right-click the unwanted Detection filter name and click Hide Value. After adding all unwanted filters to the Hidden objects list, click Apply to reload the screen.
Note
You cannot save the Hidden objects list. If you leave the screen, the list resets.
View event details in Search app
Locate an event, click the options button at the end of the row and select View Event in Search to open the Search app in a new tab.
Add event to case
Locate an event, click the options button at the end of the row and select Add to Case to add the event as evidence of a case.
View detailed information about an associated entity
Click the Show Detailed Profile icon to open the Detailed Profile panel.
View more details
Expand any row to see more details related to the detection and associated entities.
Chat with Companion
Click the Companion icon to start a conversation with Trend Vision One - Companion.
Tip
  • You can right-click a CLI command element (parentCmd, processCmd, and objectCmd) and choose Explain Command to learn about the commands executed in an event.