Alert Details

Workbench provides detailed alert information in a unified view for more effective investigations.

The following tables describe the elements that make up the alert details screen.

Table 1. Left panel of the alert details screen

Element

Description

Summary section

Provides basic information about the alert under investigation

  • Status icon: The current status of the alert or investigation triggered in Workbench

    • New: The alert is new and not currently under investigation

    • In progress: A user has begun investigating the alert

    • Closed: A user completed the investigation for the alert

    • Closed - false positive: A user completed investigation and identified this alert as a false positive

  • Score: The severity score assigned to the detection model that triggered the alert

  • The name and description of the matched detection model

  • Impact scope: The number of entities that the alert affects within the company network

  • Created: The date and time Trend Micro Vision One generated the alert

If the alert is triggered by the Threat Intelligence Sweeping model, the following fields also appear:

  • Campaign: The associated threat campaign

  • Industry: The industry that the threat campaign belongs to

  • Intelligence source: The data source that provides the matched intelligence report

  • First seen: The date and time the Threat Intelligence Sweeping model first identified IoCs

  • Last seen: The date and time the Threat Intelligence Sweeping model last identified IoCs

Highlights section

Displays a list of the event objects that triggered the alert, together with contextually enriched information

Each event consists of the following information:

  • The filter that detected suspicious behaviors

  • The matched MITRE technique and the related link

  • The date and time the detection occurred

  • Objects involved in the event, such as endpoints, command lines, email messages, and registry entries

If the alert is triggered by the Threat Intelligence Sweeping model, the Highlights section shows the identified IoCs and the related objects instead.

Table 2. Right panel of the alert details screen

Element

Description

Timeline banner on the top

Displays the date and time the detection occurred

Observable Graph section

Provides more detailed context for the alert in a visualized form

Click any of the events in the Highlights section to highlight the specific objects in Observable Graph.

Each node in the graph refers to an object, and each link reflects the relationship between one node and the adjacent node.

  • Each line represents the association between the two objects, for example, a user account is associated with an endpoint.

  • Each arrow indicates the direction of the transaction between the two objects, for example, from the source to the destination or from the email sender to the recipient.