Alert Details

Workbench provides detailed alert information in a unified view for more effective investigations.

The following tables describe different elements that compose alert details.

Table 1. Left panel of the alert details screen

Element: Summary

Description: Provides basic information about the alert under investigation.

  • Status icon: The current status of the alert or investigation triggered in Workbench

    • New: The alert is new and not currently under investigation

    • In progress: A user has begun investigating the alert

    • Closed: A user completed the investigation for the alert

    • Closed - false positive: After completing the investigation, the user concluded that this alert is a false positive and has decided to close the alert

  • Score: The severity score assigned to the detection model that triggered the alert

  • Model: The name and description of the matched detection model

  • Impact scope: The number of entities that the alert affects within the company network

  • Created: The date and time Trend Vision One generated the alert

  • Automated Response: The status or number of automated response tasks associated with the alert

If the alert is triggered by the Threat Intelligence Sweeping model, the following fields also appear:

  • Campaign: The associated threat campaign

  • Industry: The industry that the threat campaign belongs to

  • Intelligence source: The data source that provides the matched intelligence report

  • First seen: The date and time the Threat Intelligence Sweeping model first identified IoCs

  • Last seen: The date and time the Threat Intelligence Sweeping model last identified IoCs

Element: Highlights

Description: Displays a list of the event objects that triggered the alert, with contextually enriched information.

Each event consists of the following information:

  • The filter that detected suspicious behaviors

  • The matched MITRE technique and the related link

  • The date and time the detection occurred

  • The product providing the data to the Workbench app

  • The objects involved in the event, such as endpoints, command lines, email messages, and registry entries

    Note:

    There are two types of objects involved in an event:

    • Highlighted objects that triggered the current filter

    • Entities included in the impact scope

If the alert is triggered by the Threat Intelligence Sweeping model, the Highlights section instead shows the identified IoCs, the data source/processor, and the related objects.

Table 2. Right panel of the alert details screen

Element: Timeline

Description: Displays the date and time the detection occurred.

Element: Observable Graph

Description: Provides more detailed context for the alert in a visualized form.

Click any of the events in the Highlights section to highlight the specific objects in the Observable Graph.

Each node in the graph refers to an object, and each link reflects the relationship between one node and the adjacent node.

  • Each line represents an association between two objects, for example, a user account associated with an endpoint.

  • Each arrow indicates the direction of the transaction between two objects, for example, the direction from the email sender to the recipient.

  • The Connection Details icon indicates a connection between two objects, for example, the connection between an endpoint and a website.

    Note:

    Click the Connection Details icon to view more information about the connection.