Performing an Alert Investigation

After a detection model triggers an alert, you can begin an in-depth investigation by drilling into the alert details.

  1. In the Workbench app, click the Alert View tab.
  2. Click the Workbench ID link of the alert you want to investigate.

    The alert details screen appears.

    For more information, see Alert Details.

  3. Check and analyze the Summary, Highlights, and Observable Graph of the alert.
    1. In the Summary section, perform any of the following actions:
      • Check the information about the matched model.

      • To learn details about the entities that the alert affects, click each icon next to Impact scope.

      • To change the status of the alert or investigation, click the status icon.

      • To add notes to the current alert or investigation, or to check existing notes, click the Notes icon.

    2. In the Highlights section, perform any of the following actions:

      The Highlights section lists the specific detection filters that triggered the alert. Detection models use filters to detect suspicious behaviors that match MITRE techniques and reported threat indicators. Every event in the Highlights section starts with the name of the detection filter that triggered it.

      • To learn more about a MITRE technique, click the related link next to the technique.

      • To learn about an event and the relationship among objects, click any of the events to highlight the specific objects in the Observable Graph section.

      • To create a new search query with the event UUID in the Search app, click Search Event UUID.

      • To open the context menu, right-click an object and select any of the available actions.

        For details, see Step 3.

        Note:

        The context menu varies according to the object you select and only shows the available tasks for the selected object.

    3. In the Observable Graph section, perform any of the following actions:
      • To check the related nodes of a single node, click the node you are interested in.

      • To check the association and all objects included in a node group, click the node marked with the total number of grouped objects, then view the details on the side panel that appears.

        Note:

        Objects of the same type are grouped together only when they share the same association.

      • To move a node to a preferred position, drag it within the graph.

      • To zoom in or zoom out, click the icons in the lower-right corner.

  4. After identifying an object of interest, right-click the object in the Highlights or Observable Graph section to open the context menu, which lets you perform advanced analysis or take direct action, if available.

    For more information, see Context Menu and Advanced Analysis Actions.

    Note:

    The context menu varies according to the object you select and only shows the available tasks for the selected object.