Retrieves information about the specified alert. Required API key role permissions:
  • Workbench - view, filter, search
External DocumentationTo learn more, visit the Trend Vision One documentation.

Parameters

ParameterDescription
Alert IDThe ID of the alert. For example: WB-14-20190709-00003.

Can be obtained by using the List Alerts action.

Example Output

{
	"schemaVersion": "1.12",
	"id": "WB-9002-20220906-00025",
	"investigationStatus": "New",
	"status": "Open",
	"investigationResult": "No Findings",
	"workbenchLink": "https://THE_WORKBENCH_URL",
	"alertProvider": "SAE",
	"modelId": "1ebd4f91-4b28-40b4-87f5-8defee4791d8",
	"model": "Possible Credential Dumping via Registry",
	"modelType": "preset",
	"description": "A user obtained account logon information that can be used to access remote systems via Windows Registry.",
	"score": 64,
	"severity": "high",
	"firstInvestigatedDateTime": "2022-10-06T02:30:31Z",
	"createdDateTime": "2022-09-06T02:49:33Z",
	"updatedDateTime": "2022-09-06T02:49:52Z",
	"incidentId": "IC-1-20230706-00001",
	"caseId": "CL-1-20230706-00001",
	"ownerIds": [
		"12345678-1234-1234-1234-123456789012"
	],
	"impactScope": {
		"desktopCount": 1,
		"serverCount": 0,
		"accountCount": 1,
		"emailAddressCount": 1,
		"containerCount": 1,
		"cloudIdentityCount": 1,
		"entities": [
			{
				"entityType": "account",
				"entityValue": "shockwave\\sam",
				"entityId": "shockwave\\sam",
				"relatedEntities": [
					"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
				],
				"relatedIndicatorIds": [],
				"provenance": [
					"Alert"
				]
			},
			{
				"entityType": "host",
				"entityValue": {
					"guid": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E",
					"name": "nimda",
					"ips": [
						"10.10.58.51"
					]
				},
				"entityId": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E",
				"managementScopeGroupId": "deadbeef-292e-42ae-86be-d2fef483a248",
				"managementScopeInstanceId": "1babc299-52de-44f4-a1d2-8a224f391eee",
				"managementScopePartitionKey": "4c1850c0-8a2a-4637-9f88-6afbab54dd79",
				"relatedEntities": [
					"shockwave\\sam"
				],
				"relatedIndicatorIds": [
					1,
					2,
					3,
					4,
					5
				],
				"provenance": [
					"Alert"
				]
			},
			{
				"entityType": "emailAddress",
				"entityValue": "support@pctutordetroit.com",
				"entityId": "SUPPORT@PCTUTORDETROIT.COM",
				"relatedEntities": [],
				"relatedIndicatorIds": [],
				"provenance": [
					"Alert"
				]
			},
			{
				"entityType": "container",
				"entityValue": "k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0",
				"entityId": "7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496",
				"relatedEntities": [],
				"relatedIndicatorIds": [],
				"provenance": [
					"Alert"
				]
			},
			{
				"entityType": "cloudIdentity",
				"entityValue": "arn:aws:sts::985266316733:assumed-role/aad-admin/loki",
				"entityId": "arn:aws:sts::985266316733:assumed-role/aad-admin/loki",
				"relatedEntities": [],
				"relatedIndicatorIds": [],
				"provenance": [
					"Alert"
				]
			}
		]
	},
	"indicators": [
		{
			"id": 1,
			"type": "command_line",
			"field": "objectCmd",
			"value": "c:\\windows\\system32\\reg.exe save hklm\\security security.hive /y",
			"relatedEntities": [
				"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
			],
			"filterIds": [
				"f4b062e6-f363-4620-8473-eb929bc9f134"
			],
			"provenance": [
				"Alert"
			]
		},
		{
			"id": 2,
			"type": "command_line",
			"field": "processCmd",
			"value": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -nop -noni -w hidden -enc .......wasqbfafga",
			"relatedEntities": [
				"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
			],
			"filterIds": [
				"f4b062e6-f363-4620-8473-eb929bc9f134"
			],
			"provenance": [
				"Alert"
			]
		},
		{
			"id": 3,
			"type": "command_line",
			"field": "parentCmd",
			"value": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -nop -noni -w hidden -c $x=$((gp hkcu:software\\microsoft\\windows update).update); powershell -nop -noni -w hidden -enc $x",
			"relatedEntities": [
				"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
			],
			"filterIds": [
				"f4b062e6-f363-4620-8473-eb929bc9f134"
			],
			"provenance": [
				"Alert"
			]
		},
		{
			"id": 4,
			"type": "fullpath",
			"field": "processFilePath",
			"value": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
			"relatedEntities": [
				"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
			],
			"filterIds": [
				"f4b062e6-f363-4620-8473-eb929bc9f134"
			],
			"provenance": [
				"Alert"
			]
		},
		{
			"id": 5,
			"type": "text",
			"field": "endpointHostName",
			"value": "Nimda",
			"relatedEntities": [
				"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
			],
			"filterIds": [
				"f4b062e6-f363-4620-8473-eb929bc9f134"
			],
			"provenance": [
				"Alert"
			]
		}
	],
	"matchedRules": [
		{
			"id": "b23bc903-ecfb-4052-90a0-167adb93abb7",
			"name": "Potential Credential Dumping via Registry",
			"matchedFilters": [
				{
					"id": "f4b062e6-f363-4620-8473-eb929bc9f134",
					"name": "Possible Credential Dumping via Registry Hive",
					"matchedDateTime": "2022-09-05T03:38:48.000Z",
					"mitreTechniqueIds": [
						"V9.T1003.004",
						"V9.T1003.002",
						"T1003"
					],
					"matchedEvents": [
						{
							"uuid": "79c65387-271b-4335-a02d-06aa12b7c5c6",
							"matchedDateTime": "2022-09-05T03:38:48.000Z",
							"type": "TELEMETRY_PROCESS"
						}
					]
				}
			]
		}
	]
}

Workflow Library Example

Get Alert with Trend Vision One and Send Results Via Email
Workflow LibraryPreview this Workflow on desktop