Workbench provides detailed alert information for more effective investigations.

The following table describes the basic information Workbench provides about alerts.

Status: The current status of the alert or investigation triggered in Workbench
  • Open: The alert is new and not currently under investigation.
  • In progress: The alert is under investigation.
  • Closed: The alert investigation is complete.
Score: The overall severity assigned to the alert. Trend Vision One calculates the score from the severity of the matched detection model and the impact scope of the alert.
  Note: Starting on January 18, 2021, Trend Vision One adjusted the scoring model and redefined the maximum alert score as 99. The new scoring model only affects new alerts. It takes the severity of the matched model as the dominant factor in the calculation and defines a threshold for the impact scope value.
Workbench ID: The unique identifier for the alert
Model name: The detection model that triggered the alert
Model severity: The severity assigned to the model that triggered the alert
Impact scope: The number of entities that the alert affects within the company network
Data source / processor: The product that provides the data to the Workbench app
Created: The date and time Trend Vision One generated the alert
Findings: The findings of the alert investigation. Available values:
  • True positive: The investigation confirmed the occurrence of threats or malicious activities.
  • Benign true positive: The investigation confirmed the presence of a genuine threat that poses no risk to the organization. Benign true positives result from penetration tests or other legitimate activities in your environment.
  • False positive: No malicious activity was found.
  • Noteworthy: Unusual activity that requires further investigation was detected.
  • Other findings: There is not enough data to validate the findings.
Case: The ID of the case assigned to the alert
Owner: The user assigned to the alert
Associated insight: The Workbench insight associated with the alert
Automated response: The status of the automated response tasks associated with the alert
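The fields in the table above are what an analyst sorts and filters on when working an alert queue. The script below is an added example (not Trend Micro's code and not the Trend Vision One API schema): it uses field names that mirror the table's columns, constructed sample alert records, and a hypothetical triage policy (highest score first, ties broken on model severity as the dominant scoring factor, then impact scope, then age). It also checks each record against the documented value sets, including the 99-point maximum, before queueing it, and flags models whose closed alerts were all false positives as tuning candidates.

```python
"""Triage helper over Workbench-style alert records (added example, not product code)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Value sets taken from the table above.
STATUSES = {"Open", "In progress", "Closed"}
FINDINGS = {"True positive", "Benign true positive", "False positive",
            "Noteworthy", "Other findings", None}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}  # assumed severity labels
MAX_SCORE = 99  # maximum alert score under the scoring model introduced on January 18, 2021


@dataclass(frozen=True)
class Alert:
    workbench_id: str
    status: str
    score: int
    model_name: str
    model_severity: str
    impact_scope: int
    data_source: str
    created: datetime
    findings: Optional[str] = None
    owner: Optional[str] = None


def validate(alert: Alert) -> List[str]:
    """Return the consistency problems found in one record (empty list if clean)."""
    problems = []
    if alert.status not in STATUSES:
        problems.append(f"unknown status {alert.status!r}")
    if not 0 <= alert.score <= MAX_SCORE:
        problems.append(f"score {alert.score} outside 0..{MAX_SCORE}")
    if alert.model_severity.lower() not in SEVERITY_RANK:
        problems.append(f"unknown model severity {alert.model_severity!r}")
    if alert.impact_scope < 0:
        problems.append("negative impact scope")
    if alert.findings not in FINDINGS:
        problems.append(f"unknown findings value {alert.findings!r}")
    if alert.status == "Closed" and alert.findings is None:
        problems.append("closed without findings")
    return problems


def triage_queue(alerts: List[Alert]) -> List[Alert]:
    """Open, well-formed alerts in the order an analyst should pick them up."""
    candidates = [a for a in alerts if a.status == "Open" and not validate(a)]
    return sorted(candidates, key=lambda a: (-a.score,
                                             -SEVERITY_RANK[a.model_severity.lower()],
                                             -a.impact_scope,
                                             a.created))  # older alerts first on a full tie


def findings_summary(alerts: List[Alert]) -> Counter:
    """Count closed alerts by findings value."""
    return Counter(a.findings for a in alerts if a.status == "Closed")


def noisy_models(alerts: List[Alert], min_closed: int = 2) -> List[str]:
    """Models whose closed alerts (at least min_closed of them) were all false positives."""
    per_model: Dict[str, List[Optional[str]]] = {}
    for a in alerts:
        if a.status == "Closed":
            per_model.setdefault(a.model_name, []).append(a.findings)
    return sorted(m for m, f in per_model.items()
                  if len(f) >= min_closed and all(x == "False positive" for x in f))


SAMPLE_ALERTS = [  # constructed sample records; model names and sources are made up
    Alert("WB-0001", "Open", 95, "Credential dumping tool execution", "critical", 3, "endpoint", datetime(2021, 3, 1, 9, 0)),
    Alert("WB-0002", "Open", 70, "Suspicious PowerShell download", "high", 1, "endpoint", datetime(2021, 3, 1, 9, 5)),
    Alert("WB-0003", "Open", 70, "Unusual login location", "medium", 5, "email", datetime(2021, 3, 1, 8, 0)),
    Alert("WB-0004", "Closed", 40, "Scheduled task creation", "medium", 1, "endpoint", datetime(2021, 2, 27, 10, 0), findings="False positive", owner="analyst1"),
    Alert("WB-0005", "Closed", 42, "Scheduled task creation", "medium", 1, "endpoint", datetime(2021, 2, 28, 11, 0), findings="False positive", owner="analyst1"),
    Alert("WB-0006", "In progress", 88, "Credential dumping tool execution", "critical", 2, "endpoint", datetime(2021, 3, 1, 7, 30), owner="analyst2"),
    Alert("WB-0007", "Open", 120, "Unusual login location", "medium", 1, "email", datetime(2021, 3, 1, 9, 10)),  # out-of-range score: skipped by triage
]

if __name__ == "__main__":
    for a in triage_queue(SAMPLE_ALERTS):
        print(a.workbench_id, a.score, a.model_severity, a.impact_scope)
    print(findings_summary(SAMPLE_ALERTS))
    print("tuning candidates:", noisy_models(SAMPLE_ALERTS))
```

Running the block lists WB-0001, WB-0002 and WB-0003 in that order (equal scores on the last two are broken by model severity), ignores the alert with an impossible score, and reports "Scheduled task creation" as a model worth tuning because every closed alert it produced was a false positive.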
The following table describes the alert information displayed on the alert details screen.

Summary: Basic information about the alert under investigation. If the alert is triggered by the Threat Intelligence Sweeping model, the following information also displays:
  • Campaign: The associated threat campaign
  • Industry: The industry that the threat campaign targets
  • Intelligence source: The data source that provides the matched intelligence report
  • First seen: The date and time indicators of compromise were first identified in the environment
  • Last seen: The date and time indicators of compromise were last identified in the environment
Highlights: The list of the event objects that triggered the alert, with contextually enriched information. Events consist of the following information:
  • The filter that detected the suspicious behavior
  • Technique: The detected MITRE technique
  • Detection: The detected malware
  • Data source / processor: The product that sent the alert data to Workbench
  • Emerging threats: The emerging threats associated with the detection
  • Threat actors: The threat actors associated with the detection
  • Exploited CVE: The detected CVE and additional information about the campaigns actively exploiting the vulnerability
  • Malware/Tool: The tools or malware detected in the alert
  • The date and time the detection occurred
  • The objects involved in the event, such as endpoints, commands, email messages, and registry values
    Note:
    • There are two types of objects involved in an event: highlighted objects that triggered the current filter, and entities included in the impact scope.
    • If the alert is triggered by the Threat Intelligence Sweeping model, the Highlights section instead shows the identified IoCs, the data source/processor, and the related objects.
Timeline: Displays the date and time the detection occurred
Observable Graph: Provides more detailed context for the alert in visualized form. Click any event in the Highlights section to highlight its objects in the Observable Graph. Each node in the graph represents an object, and each link reflects the relationship between two adjacent nodes.
  • Each line represents an association between two objects, for example, a user account associated with an endpoint.
  • Each arrow indicates the direction of a transaction between two objects, for example, from the email sender to the recipient.
  • The Connection Details icon indicates a connection between two objects, for example, between an endpoint and a website.
    Note: Click the Connection Details icon to view more information.
Related assets: Displays the most recent endpoints and users that communicated with the assets involved in the event
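The Highlights and Observable Graph sections describe one data structure from two sides: events carry highlighted objects and impact-scope entities, and the graph joins those objects with undirected lines (associations) and directed arrows (transactions). The block below is an added example, not Trend Micro's code or the product's data model; the events, objects, links and field names are constructed assumptions that follow the descriptions above. It shows what lights up when an event is clicked, how traversal differs for lines and arrows, and how the distinct impact-scope entities across events are counted.

```python
"""Observable-graph model for alert Highlights (added example, not product code)."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Link:
    src: str
    dst: str
    kind: str    # "association" (drawn as a line) or "transaction" (drawn as an arrow)
    label: str


@dataclass(frozen=True)
class Event:
    event_id: str
    filter_name: str         # the filter that detected the suspicious behaviour
    technique: str           # detected MITRE technique id
    highlighted: frozenset   # objects that triggered this filter
    impact_scope: frozenset  # company entities this event pulls into the impact scope
    links: Tuple[Link, ...]


class ObservableGraph:
    def __init__(self, events: List[Event]):
        self.events: Dict[str, Event] = {e.event_id: e for e in events}
        self.nodes: Set[str] = set()
        self.links: Set[Link] = set()
        for e in events:
            self.nodes |= e.highlighted | e.impact_scope
            for link in e.links:
                self.nodes.update((link.src, link.dst))
                self.links.add(link)

    def highlight(self, event_id: str) -> Tuple[Set[str], Set[Link]]:
        """Objects and links that light up when this event is clicked in Highlights."""
        e = self.events[event_id]
        return set(e.highlighted), set(e.links)

    def neighbours(self, node: str) -> Set[str]:
        """Adjacent nodes: a line can be crossed both ways, an arrow only src -> dst."""
        out = set()
        for link in self.links:
            if link.src == node:
                out.add(link.dst)
            elif link.dst == node and link.kind == "association":
                out.add(link.src)
        return out

    def chain_from(self, start: str) -> List[str]:
        """Objects reachable from start, breadth-first, excluding start itself."""
        seen, order, queue = {start}, [], deque([start])
        while queue:
            node = queue.popleft()
            for nxt in sorted(self.neighbours(node)):
                if nxt not in seen:
                    seen.add(nxt)
                    order.append(nxt)
                    queue.append(nxt)
        return order

    def impact_scope_count(self) -> int:
        """Distinct company entities across all events (the figure the Impact scope column reports)."""
        return len(set().union(*(e.impact_scope for e in self.events.values())))


# Constructed objects: an external sender, a user, an endpoint and a destination site.
SENDER = "email:attacker@example.net"
USER = "user:alice"
HOST = "endpoint:WS-01"
SITE = "url:http://example.org/payload"

SAMPLE_EVENTS = [  # constructed events; filter names are made up
    Event("E1", "Suspicious email attachment opened", "T1566.001",
          frozenset({SENDER, USER}), frozenset({USER, HOST}),
          (Link(SENDER, USER, "transaction", "sent to"),
           Link(USER, HOST, "association", "logged on"))),
    Event("E2", "Outbound connection to low-reputation site", "T1071.001",
          frozenset({HOST, SITE}), frozenset({HOST}),
          (Link(HOST, SITE, "transaction", "connected to"),)),
]

if __name__ == "__main__":
    graph = ObservableGraph(SAMPLE_EVENTS)
    objects, links = graph.highlight("E1")
    print("E1 highlights:", sorted(objects), [l.label for l in links])
    print("chain from sender:", graph.chain_from(SENDER))
    print("impact scope:", graph.impact_scope_count())
```

Following the chain from the sender walks the arrow to the user, crosses the undirected line to the endpoint, and then follows the endpoint's arrow to the site; starting from the user does not lead back to the sender, because that link is an arrow pointing the other way. The impact scope counts the user and the endpoint once each even though the endpoint appears in both events.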