Investigate and understand the extent and severity of any alert to further determine response actions.
The Alert View screen (XDR Threat Investigation > Workbench) displays alerts triggered by detection models and allows you to further investigate each alert.
The following table outlines the actions available on the Alert View screen.
| Action | Description |
|---|---|
| Investigate an alert | Understand the extent and severity of any alert to further determine response actions. |
| View alert details | Locate a Workbench alert and click its Workbench ID to view the alert's summary, highlights and observable graph. |
| Filter alert data | Use the search box and the dropdown lists to filter the alert data. |
| View and sort alerts | Review all alerts in the table. Click a column heading to sort the alerts; for example, click Score to prioritize alerts for further investigation. |
| Change the view | Select an option from the View menu: |
| Change the alert status | Select one or more alerts and click Change Status to update the progress of the alerts or investigations. Important: if you select Closed - false positive, you must specify why you consider the alert a false positive. |
| Assign owner | Select one or more alerts and click Assign Owner to assign accounts within your organization to the alerts. |
| Link alerts to an incident | After investigating, select one or more alerts and click Link to Incident or Link to Another Incident to associate the selected alerts with the specified incident. Note: |
| Unlink alerts from an incident | After investigating, select one or more alerts and click Unlink from Incident. Note: once an alert has been manually linked to or unlinked from an incident, Trend Vision One excludes it from automatic correlation when a new alert is received. |
| See Automated Response Playbooks | Click Automated Response Playbooks to display the Automated Response playbooks available in the Security Playbooks app. |
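The two rules in the table that are easy to get wrong in practice are the status change (closing as a false positive requires a stated reason) and the linking caveat (an alert an analyst has manually linked or unlinked is excluded from automatic correlation). The following script is an added example that models those rules over constructed alerts; it is not Trend Vision One product code and does not call its API. The field names (workbench_id, score, host, status, owner, incident_id), the status strings other than "Closed - false positive", and the host-based correlation rule are assumptions made for the example.

```python
"""Illustrative model of the Workbench triage rules in the table above.

Added example only: not Trend Vision One code or its public API. Field
names and the host-based correlation rule are assumptions for this demo.
"""
from dataclasses import dataclass
from typing import List, Optional

CLOSED_FALSE_POSITIVE = "Closed - false positive"


@dataclass
class Alert:
    workbench_id: str
    score: int
    host: str                      # assumed observable used for correlation
    status: str = "New"            # assumed initial status value
    owner: Optional[str] = None
    incident_id: Optional[str] = None
    fp_reason: Optional[str] = None
    manually_linked: bool = False  # set once an analyst links or unlinks by hand


def prioritize(alerts: List[Alert]) -> List[Alert]:
    """Highest score first, the same ordering as clicking the Score column."""
    return sorted(alerts, key=lambda a: a.score, reverse=True)


def change_status(alert: Alert, new_status: str, reason: Optional[str] = None) -> Alert:
    """Apply a status change; closing as a false positive requires a justification."""
    if new_status == CLOSED_FALSE_POSITIVE and not (reason and reason.strip()):
        raise ValueError(f"{alert.workbench_id}: '{CLOSED_FALSE_POSITIVE}' requires a reason")
    alert.status = new_status
    alert.fp_reason = reason if new_status == CLOSED_FALSE_POSITIVE else None
    return alert


def assign_owner(alerts: List[Alert], owner: str) -> List[Alert]:
    """Assign one account to every selected alert (Assign Owner)."""
    for a in alerts:
        a.owner = owner
    return alerts


def link_to_incident(alert: Alert, incident_id: str) -> Alert:
    """Manual link: record the incident and mark the alert as analyst-managed."""
    alert.incident_id = incident_id
    alert.manually_linked = True
    return alert


def unlink_from_incident(alert: Alert) -> Alert:
    """Manual unlink: clear the incident; the alert stays analyst-managed."""
    alert.incident_id = None
    alert.manually_linked = True
    return alert


def auto_correlate(existing: List[Alert], new_alert: Alert, incident_id: str) -> List[str]:
    """Model of automatic correlation when a new alert arrives.

    Assumed grouping rule: alerts sharing a host with the new alert join
    incident_id. Alerts an analyst manually linked or unlinked are skipped,
    which is the caveat from the Unlink row of the table.
    """
    grouped = []
    for a in existing:
        if a.manually_linked or a.host != new_alert.host:
            continue
        a.incident_id = incident_id
        grouped.append(a.workbench_id)
    new_alert.incident_id = incident_id
    return grouped


# Constructed sample alerts for the demo (not real Workbench data).
SAMPLE = [
    Alert("WB-1", score=45, host="srv-01"),
    Alert("WB-2", score=90, host="srv-02"),
    Alert("WB-3", score=70, host="srv-01"),
]


def triage_demo() -> dict:
    """Run a short triage pass and return the observable results."""
    alerts = [Alert(a.workbench_id, a.score, a.host) for a in SAMPLE]
    order = [a.workbench_id for a in prioritize(alerts)]
    by_id = {a.workbench_id: a for a in alerts}
    assign_owner(alerts, "analyst@example.invalid")
    change_status(by_id["WB-2"], "In progress")
    change_status(by_id["WB-3"], CLOSED_FALSE_POSITIVE, reason="scheduled admin script")
    unlink_from_incident(by_id["WB-1"])  # analyst decision: keep WB-1 out of any incident
    newcomer = Alert("WB-4", score=80, host="srv-01")
    grouped = auto_correlate(alerts, newcomer, "INC-1")
    return {"order": order, "grouped": grouped, "wb1_incident": by_id["WB-1"].incident_id}


if __name__ == "__main__":
    print(triage_demo())
```

In the demo, WB-1 shares a host with the new alert but is skipped by auto_correlate because it was manually unlinked, while WB-3 is grouped into INC-1. That is the behaviour to keep in mind before bulk linking or unlinking alerts: those alerts will no longer be picked up by correlation, so later related detections must be linked by hand.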