Get Alert
Retrieves information about the specified alert.
Required API key role permissions:
Workbench - view, filter, search
External Documentation
To learn more, visit the Trend Vision One documentation.
Parameters
| Parameter | Description |
|---|---|
| Alert ID | The ID of the alert. For example: WB-14-20190709-00003.Can be obtained by using the List Alerts action. |
Example Output
Copy
Ask AI
{
"schemaVersion": "1.12",
"id": "WB-9002-20220906-00025",
"investigationStatus": "New",
"status": "Open",
"investigationResult": "No Findings",
"workbenchLink": "https://THE_WORKBENCH_URL",
"alertProvider": "SAE",
"modelId": "1ebd4f91-4b28-40b4-87f5-8defee4791d8",
"model": "Possible Credential Dumping via Registry",
"modelType": "preset",
"description": "A user obtained account logon information that can be used to access remote systems via Windows Registry.",
"score": 64,
"severity": "high",
"firstInvestigatedDateTime": "2022-10-06T02:30:31Z",
"createdDateTime": "2022-09-06T02:49:33Z",
"updatedDateTime": "2022-09-06T02:49:52Z",
"incidentId": "IC-1-20230706-00001",
"caseId": "CL-1-20230706-00001",
"ownerIds": [
"12345678-1234-1234-1234-123456789012"
],
"impactScope": {
"desktopCount": 1,
"serverCount": 0,
"accountCount": 1,
"emailAddressCount": 1,
"containerCount": 1,
"cloudIdentityCount": 1,
"entities": [
{
"entityType": "account",
"entityValue": "shockwave\\sam",
"entityId": "shockwave\\sam",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"relatedIndicatorIds": [],
"provenance": [
"Alert"
]
},
{
"entityType": "host",
"entityValue": {
"guid": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E",
"name": "nimda",
"ips": [
"10.10.58.51"
]
},
"entityId": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E",
"managementScopeGroupId": "deadbeef-292e-42ae-86be-d2fef483a248",
"managementScopeInstanceId": "1babc299-52de-44f4-a1d2-8a224f391eee",
"managementScopePartitionKey": "4c1850c0-8a2a-4637-9f88-6afbab54dd79",
"relatedEntities": [
"shockwave\\sam"
],
"relatedIndicatorIds": [
1,
2,
3,
4,
5
],
"provenance": [
"Alert"
]
},
{
"entityType": "emailAddress",
"entityValue": "support@pctutordetroit.com",
"entityId": "SUPPORT@PCTUTORDETROIT.COM",
"relatedEntities": [],
"relatedIndicatorIds": [],
"provenance": [
"Alert"
]
},
{
"entityType": "container",
"entityValue": "k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0",
"entityId": "7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496",
"relatedEntities": [],
"relatedIndicatorIds": [],
"provenance": [
"Alert"
]
},
{
"entityType": "cloudIdentity",
"entityValue": "arn:aws:sts::985266316733:assumed-role/aad-admin/loki",
"entityId": "arn:aws:sts::985266316733:assumed-role/aad-admin/loki",
"relatedEntities": [],
"relatedIndicatorIds": [],
"provenance": [
"Alert"
]
}
]
},
"indicators": [
{
"id": 1,
"type": "command_line",
"field": "objectCmd",
"value": "c:\\windows\\system32\\reg.exe save hklm\\security security.hive /y",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"f4b062e6-f363-4620-8473-eb929bc9f134"
],
"provenance": [
"Alert"
]
},
{
"id": 2,
"type": "command_line",
"field": "processCmd",
"value": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -nop -noni -w hidden -enc .......wasqbfafga",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"f4b062e6-f363-4620-8473-eb929bc9f134"
],
"provenance": [
"Alert"
]
},
{
"id": 3,
"type": "command_line",
"field": "parentCmd",
"value": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -nop -noni -w hidden -c $x=$((gp hkcu:software\\microsoft\\windows update).update); powershell -nop -noni -w hidden -enc $x",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"f4b062e6-f363-4620-8473-eb929bc9f134"
],
"provenance": [
"Alert"
]
},
{
"id": 4,
"type": "fullpath",
"field": "processFilePath",
"value": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"f4b062e6-f363-4620-8473-eb929bc9f134"
],
"provenance": [
"Alert"
]
},
{
"id": 5,
"type": "text",
"field": "endpointHostName",
"value": "Nimda",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"f4b062e6-f363-4620-8473-eb929bc9f134"
],
"provenance": [
"Alert"
]
}
],
"matchedRules": [
{
"id": "b23bc903-ecfb-4052-90a0-167adb93abb7",
"name": "Potential Credential Dumping via Registry",
"matchedFilters": [
{
"id": "f4b062e6-f363-4620-8473-eb929bc9f134",
"name": "Possible Credential Dumping via Registry Hive",
"matchedDateTime": "2022-09-05T03:38:48.000Z",
"mitreTechniqueIds": [
"V9.T1003.004",
"V9.T1003.002",
"T1003"
],
"matchedEvents": [
{
"uuid": "79c65387-271b-4335-a02d-06aa12b7c5c6",
"matchedDateTime": "2022-09-05T03:38:48.000Z",
"type": "TELEMETRY_PROCESS"
}
]
}
]
}
]
}
Workflow Library Example
Get Alert with Trend Vision One and Send Results Via Email
Preview this Workflow on desktop
Assistant
Responses are generated using AI and may contain mistakes.
Was this page helpful?
On this page
Case Management
Automated Case Management
Case Management Dashboard
Case Management Interface
- Managing Cases
- Cases
- Observables
- Alerts
- Attachments
- Tasks
Triggers & Actions
- Actions
- Triggers
Case Management Settings
Get Alert
Retrieves information about the specified alert.
Required API key role permissions:
Workbench - view, filter, search
External Documentation
To learn more, visit the Trend Vision One documentation.
Parameters
| Parameter | Description |
|---|---|
| Alert ID | The ID of the alert. For example: WB-14-20190709-00003.Can be obtained by using the List Alerts action. |
Example Output
Copy
Ask AI
{
"schemaVersion": "1.12",
"id": "WB-9002-20220906-00025",
"investigationStatus": "New",
"status": "Open",
"investigationResult": "No Findings",
"workbenchLink": "https://THE_WORKBENCH_URL",
"alertProvider": "SAE",
"modelId": "1ebd4f91-4b28-40b4-87f5-8defee4791d8",
"model": "Possible Credential Dumping via Registry",
"modelType": "preset",
"description": "A user obtained account logon information that can be used to access remote systems via Windows Registry.",
"score": 64,
"severity": "high",
"firstInvestigatedDateTime": "2022-10-06T02:30:31Z",
"createdDateTime": "2022-09-06T02:49:33Z",
"updatedDateTime": "2022-09-06T02:49:52Z",
"incidentId": "IC-1-20230706-00001",
"caseId": "CL-1-20230706-00001",
"ownerIds": [
"12345678-1234-1234-1234-123456789012"
],
"impactScope": {
"desktopCount": 1,
"serverCount": 0,
"accountCount": 1,
"emailAddressCount": 1,
"containerCount": 1,
"cloudIdentityCount": 1,
"entities": [
{
"entityType": "account",
"entityValue": "shockwave\\sam",
"entityId": "shockwave\\sam",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"relatedIndicatorIds": [],
"provenance": [
"Alert"
]
},
{
"entityType": "host",
"entityValue": {
"guid": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E",
"name": "nimda",
"ips": [
"10.10.58.51"
]
},
"entityId": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E",
"managementScopeGroupId": "deadbeef-292e-42ae-86be-d2fef483a248",
"managementScopeInstanceId": "1babc299-52de-44f4-a1d2-8a224f391eee",
"managementScopePartitionKey": "4c1850c0-8a2a-4637-9f88-6afbab54dd79",
"relatedEntities": [
"shockwave\\sam"
],
"relatedIndicatorIds": [
1,
2,
3,
4,
5
],
"provenance": [
"Alert"
]
},
{
"entityType": "emailAddress",
"entityValue": "support@pctutordetroit.com",
"entityId": "SUPPORT@PCTUTORDETROIT.COM",
"relatedEntities": [],
"relatedIndicatorIds": [],
"provenance": [
"Alert"
]
},
{
"entityType": "container",
"entityValue": "k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0",
"entityId": "7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496",
"relatedEntities": [],
"relatedIndicatorIds": [],
"provenance": [
"Alert"
]
},
{
"entityType": "cloudIdentity",
"entityValue": "arn:aws:sts::985266316733:assumed-role/aad-admin/loki",
"entityId": "arn:aws:sts::985266316733:assumed-role/aad-admin/loki",
"relatedEntities": [],
"relatedIndicatorIds": [],
"provenance": [
"Alert"
]
}
]
},
"indicators": [
{
"id": 1,
"type": "command_line",
"field": "objectCmd",
"value": "c:\\windows\\system32\\reg.exe save hklm\\security security.hive /y",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"f4b062e6-f363-4620-8473-eb929bc9f134"
],
"provenance": [
"Alert"
]
},
{
"id": 2,
"type": "command_line",
"field": "processCmd",
"value": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -nop -noni -w hidden -enc .......wasqbfafga",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"f4b062e6-f363-4620-8473-eb929bc9f134"
],
"provenance": [
"Alert"
]
},
{
"id": 3,
"type": "command_line",
"field": "parentCmd",
"value": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -nop -noni -w hidden -c $x=$((gp hkcu:software\\microsoft\\windows update).update); powershell -nop -noni -w hidden -enc $x",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"f4b062e6-f363-4620-8473-eb929bc9f134"
],
"provenance": [
"Alert"
]
},
{
"id": 4,
"type": "fullpath",
"field": "processFilePath",
"value": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"f4b062e6-f363-4620-8473-eb929bc9f134"
],
"provenance": [
"Alert"
]
},
{
"id": 5,
"type": "text",
"field": "endpointHostName",
"value": "Nimda",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"f4b062e6-f363-4620-8473-eb929bc9f134"
],
"provenance": [
"Alert"
]
}
],
"matchedRules": [
{
"id": "b23bc903-ecfb-4052-90a0-167adb93abb7",
"name": "Potential Credential Dumping via Registry",
"matchedFilters": [
{
"id": "f4b062e6-f363-4620-8473-eb929bc9f134",
"name": "Possible Credential Dumping via Registry Hive",
"matchedDateTime": "2022-09-05T03:38:48.000Z",
"mitreTechniqueIds": [
"V9.T1003.004",
"V9.T1003.002",
"T1003"
],
"matchedEvents": [
{
"uuid": "79c65387-271b-4335-a02d-06aa12b7c5c6",
"matchedDateTime": "2022-09-05T03:38:48.000Z",
"type": "TELEMETRY_PROCESS"
}
]
}
]
}
]
}
Workflow Library Example
Get Alert with Trend Vision One and Send Results Via Email
Preview this Workflow on desktop
Assistant
Responses are generated using AI and may contain mistakes.
Was this page helpful?
On this page