Alert View

Investigate and understand the extent and severity of any alert to further determine response actions.

The Alert View screen (XDR Threat Investigation > Workbench) displays alerts triggered by detection models and allows you to further investigate each alert.

The following entries outline the actions available on the Alert View screen; each action is followed by a description of what it does.

Investigate an alert

Understand the extent and severity of any alert to further determine response actions

View alert details

Locate a Workbench alert and click the Workbench ID to view the summary, highlights and observable graph of the alert.

Filter alert data

Use the search box and the dropdown lists to filter alert data.

  • Status: The current status of the alert or investigation triggered in Workbench

    • New: The alert is new and not currently under investigation

    • In progress: A user has begun investigating the alert

    • Closed: A user completed the investigation for the alert

    • Closed - true positive: After completing the investigation, the user concluded that this alert is a genuine threat to the organization and has decided to close the alert

    • Closed - false positive: After completing the investigation, the user concluded that this alert is a false positive and has decided to close the alert

    • Closed - benign true positive: After completing the investigation, the user concluded that this alert is a genuine threat but does not pose any risk to the organization, and has decided to close the alert

  • Created: The time when Trend Vision One generated the alert

  • Model name: The detection model that triggered the alert

  • Model type: Allows you to filter for custom detection models

  • Data source / processor: The product that sent the alert data to Workbench

  • Search: Allows you to search by Workbench ID, endpoint, user, email, container, cloud identity or highlighted object

View and sort alerts

The table lists all alerts that match the current filter criteria. Click a column heading to sort the alerts; for example, click Score to prioritize alerts for further investigation.

Change the view

Select an option from the View menu:

  • All: Shows all the alerts that match the filter criteria

  • Group by

    • Model: Groups the alerts by the detection model name

    • Endpoint: Groups the alerts by the endpoint name

    Tip:

    Click the right arrow of each row to expand the alerts grouped by a specific model or endpoint name.

Change the alert status

Select one or more alerts and click Change Status to update the progress of alerts or investigations.

Important:

If you select Closed - false positive, you must specify why you consider the alert a false positive.

Assign owner

Select one or more alerts and click Assign Owner to assign accounts within your organization to the alerts.

Link alerts to an incident

After performing an alert investigation, select one or more alerts and click Link to Incident or Link to Another Incident to associate the selected alerts with the specified incident.

Note:

  • If an alert is manually linked to an incident or unlinked from an incident, Trend Vision One does not correlate the alert if a new alert is received.

  • An alert can only be associated with one incident.

Unlink alerts from an incident

After performing an alert investigation, select one or more alerts and click Unlink from Incident.

Note:

If an alert is manually linked to an incident or unlinked from an incident, Trend Vision One does not correlate the alert if a new alert is received.

See Automated Response Playbooks

Click Automated Response Playbooks to display the Automated Response playbooks available in the Security Playbooks app.
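The triage rules described above (Score-based prioritization, the required reason when closing as a false positive, one incident per alert, and no automatic correlation for manually linked or unlinked alerts) modelled in Python, as an added example that is not part of the Trend Vision One documentation or product code. The Alert class, the function names and the sample Workbench IDs are assumptions for illustration, not the Workbench API.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Status values listed in the Alert View "Status" filter.
STATUSES = {"New", "In progress", "Closed", "Closed - true positive",
            "Closed - false positive", "Closed - benign true positive"}

@dataclass
class Alert:
    workbench_id: str  # constructed sample IDs such as "WB-1", not real alerts
    score: int
    model: str
    endpoint: str
    status: str = "New"
    incident_id: Optional[str] = None
    manually_linked: bool = False  # set by manual link/unlink; blocks auto-correlation
    close_reason: Optional[str] = None

def change_status(alert: Alert, new_status: str, reason: Optional[str] = None) -> Alert:
    """Change Status: closing as a false positive requires a stated reason."""
    if new_status not in STATUSES:
        raise ValueError(f"unknown status: {new_status}")
    if new_status == "Closed - false positive" and not reason:
        raise ValueError("Closed - false positive requires a reason")
    alert.status, alert.close_reason = new_status, reason
    return alert

def link_to_incident(alert: Alert, incident_id: str) -> Alert:
    """Link to (Another) Incident: one incident per alert, so a new link replaces
    the old one; the alert is then flagged as manually handled."""
    alert.incident_id, alert.manually_linked = incident_id, True
    return alert

def unlink_from_incident(alert: Alert) -> Alert:
    alert.incident_id, alert.manually_linked = None, True  # also flags as manual
    return alert

def auto_correlate(alert: Alert, incident_id: str) -> bool:
    """Correlation run when a new alert is received; skips manually handled alerts."""
    if alert.manually_linked:
        return False
    alert.incident_id = incident_id
    return True

def prioritize(alerts: list, status: Optional[str] = None) -> list:
    """Filter by Status, then sort by Score descending, as clicking Score does."""
    rows = [a for a in alerts if status is None or a.status == status]
    return sorted(rows, key=lambda a: a.score, reverse=True)
```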