Workbench - view, filter, search
To learn more, visit the Trend Vision One documentation.
Parameters
| Parameter | Description |
|---|---|
| Alert ID | The ID of the alert. For example: WB-14-20190709-00003.Can be obtained by using the List Alerts action. |
Example Output
{ "schemaVersion": "1.12", "id": "WB-9002-20220906-00025", "investigationStatus": "New", "status": "Open", "investigationResult": "No Findings", "workbenchLink": "https://THE_WORKBENCH_URL", "alertProvider": "SAE", "modelId": "1ebd4f91-4b28-40b4-87f5-8defee4791d8", "model": "Possible Credential Dumping via Registry", "modelType": "preset", "description": "A user obtained account logon information that can be used to access remote systems via Windows Registry.", "score": 64, "severity": "high", "firstInvestigatedDateTime": "2022-10-06T02:30:31Z", "createdDateTime": "2022-09-06T02:49:33Z", "updatedDateTime": "2022-09-06T02:49:52Z", "incidentId": "IC-1-20230706-00001", "caseId": "CL-1-20230706-00001", "ownerIds": [ "12345678-1234-1234-1234-123456789012" ], "impactScope": { "desktopCount": 1, "serverCount": 0, "accountCount": 1, "emailAddressCount": 1, "containerCount": 1, "cloudIdentityCount": 1, "entities": [ { "entityType": "account", "entityValue": "shockwave\\sam", "entityId": "shockwave\\sam", "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ], "relatedIndicatorIds": [], "provenance": [ "Alert" ] }, { "entityType": "host", "entityValue": { "guid": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E", "name": "nimda", "ips": [ "10.10.58.51" ] }, "entityId": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E", "managementScopeGroupId": "deadbeef-292e-42ae-86be-d2fef483a248", "managementScopeInstanceId": "1babc299-52de-44f4-a1d2-8a224f391eee", "managementScopePartitionKey": "4c1850c0-8a2a-4637-9f88-6afbab54dd79", "relatedEntities": [ "shockwave\\sam" ], "relatedIndicatorIds": [ 1, 2, 3, 4, 5 ], "provenance": [ "Alert" ] }, { "entityType": "emailAddress", "entityValue": "support@pctutordetroit.com", "entityId": "SUPPORT@PCTUTORDETROIT.COM", "relatedEntities": [], "relatedIndicatorIds": [], "provenance": [ "Alert" ] }, { "entityType": "container", "entityValue": "k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0", "entityId": "7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496", "relatedEntities": [], "relatedIndicatorIds": [], "provenance": [ "Alert" ] }, { "entityType": "cloudIdentity", "entityValue": "arn:aws:sts::985266316733:assumed-role/aad-admin/loki", "entityId": "arn:aws:sts::985266316733:assumed-role/aad-admin/loki", "relatedEntities": [], "relatedIndicatorIds": [], "provenance": [ "Alert" ] } ] }, "indicators": [ { "id": 1, "type": "command_line", "field": "objectCmd", "value": "c:\\windows\\system32\\reg.exe save hklm\\security security.hive /y", "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ], "filterIds": [ "f4b062e6-f363-4620-8473-eb929bc9f134" ], "provenance": [ "Alert" ] }, { "id": 2, "type": "command_line", "field": "processCmd", "value": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -nop -noni -w hidden -enc .......wasqbfafga", "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ], "filterIds": [ "f4b062e6-f363-4620-8473-eb929bc9f134" ], "provenance": [ "Alert" ] }, { "id": 3, "type": "command_line", "field": "parentCmd", "value": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -nop -noni -w hidden -c $x=$((gp hkcu:software\\microsoft\\windows update).update); powershell -nop -noni -w hidden -enc $x", "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ], "filterIds": [ "f4b062e6-f363-4620-8473-eb929bc9f134" ], "provenance": [ "Alert" ] }, { "id": 4, "type": "fullpath", "field": "processFilePath", "value": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ], "filterIds": [ "f4b062e6-f363-4620-8473-eb929bc9f134" ], "provenance": [ "Alert" ] }, { "id": 5, "type": "text", "field": "endpointHostName", "value": "Nimda", "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ], "filterIds": [ "f4b062e6-f363-4620-8473-eb929bc9f134" ], "provenance": [ "Alert" ] } ], "matchedRules": [ { "id": "b23bc903-ecfb-4052-90a0-167adb93abb7", "name": "Potential Credential Dumping via Registry", "matchedFilters": [ { "id": "f4b062e6-f363-4620-8473-eb929bc9f134", "name": "Possible Credential Dumping via Registry Hive", "matchedDateTime": "2022-09-05T03:38:48.000Z", "mitreTechniqueIds": [ "V9.T1003.004", "V9.T1003.002", "T1003" ], "matchedEvents": [ { "uuid": "79c65387-271b-4335-a02d-06aa12b7c5c6", "matchedDateTime": "2022-09-05T03:38:48.000Z", "type": "TELEMETRY_PROCESS" } ] } ] } ]}
Workflow Library Example
Get Alert with Trend Vision One and Send Results Via Email
Preview this Workflow on desktop