Online Help Center Home
Privacy and Personal Data Collection Disclosure
- Pre-release Disclaimer
- Pre-release Sub-feature Disclaimer
Trend Vision One Data Privacy, Security, and Compliance
What's New
- What's New by Date
- What's New by App Group
- Release Notes
  - Service Gateway
Introduction
- Trend Vision One
- Checking the Trend Vision One Service Status
  - SERVICE LEVEL OBJECTIVES FOR TREND VISION ONE (herein this “SLO”)
Getting Started
- Getting Started with Trend Vision One
- Getting Started with Vulnerability Assessment
Risk Insights
- Executive Dashboard
- Attack Surface Discovery
- Operations Dashboard
- Cloud Posture
Dashboards and Reports
- Security Dashboard
  - Customizing the Security Dashboard
  - Protocol Groups in the Scanned Traffic Summary Widget
- Reports
XDR Threat Investigation
- Detection Model Management
- Workbench
  - Alert View
  - Incident View
    - Incident Details
      - Alerts (Incident View)
      - Incident-based Execution Profile
    - Assigning Incidents
- Search App
- Observed Attack Techniques
- Targeted Attack Detection
- Forensics
- Managed Services
- Companion
Threat Intelligence
- Campaign Intelligence
  - Threat Information Screen
- Intelligence Reports
- Suspicious Object Management
  - Suspicious Object List
  - Exception List
    - Adding Exceptions
- Sandbox Analysis
- Third-Party Intelligence
  - TAXII Feeds
    - Configuring a TAXII Feed
  - MISP Feeds
Workflow and Automation
- Security Playbooks
- Response Management
- Third-Party Integration
- API Automation Center
- Service Gateway Management
Zero Trust Secure Access
- Getting Started with Zero Trust Secure Access
- Secure Access Overview
- Secure Access Rules
- Secure Access Resources
- Secure Access History
- Secure Access Configuration
- Troubleshooting Zero Trust Secure Access
Assessment
- Cyber Risk Assessment
Endpoint Security Operations
- Endpoint Inventory 2.0
- Endpoint Inventory
  - Getting Started with XDR for Endpoints
  - Managing the Endpoint List in Endpoint Inventory 1.0
    - Endpoint List Settings in Endpoint Inventory 1.0
- Endpoint Policies
- Trend Cloud One - Endpoint & Workload Security
Endpoint Security Operations (for Standard Endpoint and Server & Workload Protection)
- Getting Started with Trend Vision One Endpoint Security
- Endpoint Inventory
- Standard Endpoint Protection
- Server & Workload Protection
Cloud Security Operations
- Trend Vision One Container Security
- XDR for Containers
  - Getting Started with XDR for Containers
Network Security Operations
- Network Inventory
- Network Intrusion Prevention
Email Security Operations
- Email Account Inventory
  - Email Sensor Management
Mobile Security Operations
- Getting Started with Mobile Security
- Using Mobile Security in Conjunction with MDM Solutions or Azure AD
- Using Mobile Device Director
Service Management
- Product Connector
  - Connecting a Product
  - Required Settings on Supported Products
- Product Instance
- Cloud Accounts
Administration
- User Accounts, Roles, and Single Sign-On (Legacy)
- User Accounts, Identity Providers, and User Roles (July 2023 update)
- Notifications
- Audit Logs
  - User Logs
    - User Log Data
  - System Logs
    - System Log Data
- Console Settings
- License Information
- Credit Usage
- Support Settings
  - Enabling Hypersensitive Mode
Getting Help and Troubleshooting
- Help and Support
  - Creating a Support Case
- Self-Diagnosis

Alert View

Investigate and understand the extent and severity of any alert to further determine response actions.

The Alert View screen (XDR Threat Investigation > Workbench) displays alerts triggered by detection models and allows you to further investigate each alert.

The following table outlines the actions available on the Alert View screen.

Action	Description
Investigate an alert	Understand the extent and severity of any alert to further determine response actions
View alert details	Locate a Workbench alert and click the Workbench ID to view the summary, highlights and observable graph of the alert.
Filter alert data	Use the search box and the dropdown lists to filter alert data. Status: The current status of the alert or investigation triggered in Workbench New: The alert is new and not currently under investigation In progress: A user has begun investigating the alert Closed: A user completed the investigation for the alert Closed - true positive: After completing the investigation, the user concluded that this alert is a genuine threat to the organization and has decided to close the alert Closed - false positive: After completing the investigation, the user concluded that this alert is a false positive and has decided to close the alert Closed - benign true positive: After completing the investigation, the user concluded that this alert is a genuine threat but does not pose any risk to the organization, and has decided to close the alert Created: The time when Trend Vision One generated the alert Model name: The detection model that triggered the alert Model type: Allows you to filter custom detection models. Data source / processor: The product that sent the alert data to Workbench Search: Allows you to search by Workbench ID, endpoint, user, email, container, cloud identity or highlighted object.
View and sort alerts	View the table to check all the alerts. Click column headings to sort alerts, for example, click Score to prioritize the alerts for further investigation.
Change the view	Select an option from the View menu: All: Shows all the alerts that match the filter criteria Group by Model: Groups the alerts by the detection model name Endpoint: Groups the alerts by the endpoint name Tip: Click the right arrow () of each row to expand the alerts grouped by a specific model or endpoint name.
Change the alert status	Select one or more alerts and click Change Status to update the progress of alerts or investigations. Important: If you select Closed - false positive, you need to specify why you think this alert was false.
Assign owner	Select one or more alerts and click Assign Owner to assign accounts within your organization to the alerts.
Link alerts to an incident	After performing an alert investigation, select one or more alerts and click Link to Incident or Link to Another Incident to associate the selected alerts with the specified incident. Note: If an alert is manually linked to an incident or unlinked from an incident, Trend Vision One does not correlate the alert if a new alert is received. An alert can only be associated with one incident.
Unlink alerts from an incident	After performing an alert investigation, select one or more alerts and click Unlink from Incident. Note: If an alert is manually linked to an incident or unlinked from an incident, Trend Vision One does not correlate the alert if a new alert is received.
See Automated Response Playbooks	Click Automated Response Playbooks to display the Automated Response playbooks available in the Security Playbooks app