Get Alert
Retrieves information about the specified alert.
Required API key role permissions:
Workbench - view, filter, search
External Documentation
To learn more, visit the Trend Vision One documentation.
Parameters
| Parameter | Description |
|---|---|
| Alert ID | The ID of the alert. For example: WB-14-20190709-00003.Can be obtained by using the List Alerts action. |
Example Output
{
"schemaVersion": "1.12",
"id": "WB-9002-20220906-00025",
"investigationStatus": "New",
"status": "Open",
"investigationResult": "No Findings",
"workbenchLink": "https://THE_WORKBENCH_URL",
"alertProvider": "SAE",
"modelId": "1ebd4f91-4b28-40b4-87f5-8defee4791d8",
"model": "Possible Credential Dumping via Registry",
"modelType": "preset",
"description": "A user obtained account logon information that can be used to access remote systems via Windows Registry.",
"score": 64,
"severity": "high",
"firstInvestigatedDateTime": "2022-10-06T02:30:31Z",
"createdDateTime": "2022-09-06T02:49:33Z",
"updatedDateTime": "2022-09-06T02:49:52Z",
"incidentId": "IC-1-20230706-00001",
"caseId": "CL-1-20230706-00001",
"ownerIds": [
"12345678-1234-1234-1234-123456789012"
],
"impactScope": {
"desktopCount": 1,
"serverCount": 0,
"accountCount": 1,
"emailAddressCount": 1,
"containerCount": 1,
"cloudIdentityCount": 1,
"entities": [
{
"entityType": "account",
"entityValue": "shockwave\\sam",
"entityId": "shockwave\\sam",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"relatedIndicatorIds": [],
"provenance": [
"Alert"
]
},
{
"entityType": "host",
"entityValue": {
"guid": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E",
"name": "nimda",
"ips": [
"10.10.58.51"
]
},
"entityId": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E",
"managementScopeGroupId": "deadbeef-292e-42ae-86be-d2fef483a248",
"managementScopeInstanceId": "1babc299-52de-44f4-a1d2-8a224f391eee",
"managementScopePartitionKey": "4c1850c0-8a2a-4637-9f88-6afbab54dd79",
"relatedEntities": [
"shockwave\\sam"
],
"relatedIndicatorIds": [
1,
2,
3,
4,
5
],
"provenance": [
"Alert"
]
},
{
"entityType": "emailAddress",
"entityValue": "support@pctutordetroit.com",
"entityId": "SUPPORT@PCTUTORDETROIT.COM",
"relatedEntities": [],
"relatedIndicatorIds": [],
"provenance": [
"Alert"
]
},
{
"entityType": "container",
"entityValue": "k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0",
"entityId": "7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496",
"relatedEntities": [],
"relatedIndicatorIds": [],
"provenance": [
"Alert"
]
},
{
"entityType": "cloudIdentity",
"entityValue": "arn:aws:sts::985266316733:assumed-role/aad-admin/loki",
"entityId": "arn:aws:sts::985266316733:assumed-role/aad-admin/loki",
"relatedEntities": [],
"relatedIndicatorIds": [],
"provenance": [
"Alert"
]
}
]
},
"indicators": [
{
"id": 1,
"type": "command_line",
"field": "objectCmd",
"value": "c:\\windows\\system32\\reg.exe save hklm\\security security.hive /y",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"f4b062e6-f363-4620-8473-eb929bc9f134"
],
"provenance": [
"Alert"
]
},
{
"id": 2,
"type": "command_line",
"field": "processCmd",
"value": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -nop -noni -w hidden -enc .......wasqbfafga",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"f4b062e6-f363-4620-8473-eb929bc9f134"
],
"provenance": [
"Alert"
]
},
{
"id": 3,
"type": "command_line",
"field": "parentCmd",
"value": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -nop -noni -w hidden -c $x=$((gp hkcu:software\\microsoft\\windows update).update); powershell -nop -noni -w hidden -enc $x",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"f4b062e6-f363-4620-8473-eb929bc9f134"
],
"provenance": [
"Alert"
]
},
{
"id": 4,
"type": "fullpath",
"field": "processFilePath",
"value": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"f4b062e6-f363-4620-8473-eb929bc9f134"
],
"provenance": [
"Alert"
]
},
{
"id": 5,
"type": "text",
"field": "endpointHostName",
"value": "Nimda",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"f4b062e6-f363-4620-8473-eb929bc9f134"
],
"provenance": [
"Alert"
]
}
],
"matchedRules": [
{
"id": "b23bc903-ecfb-4052-90a0-167adb93abb7",
"name": "Potential Credential Dumping via Registry",
"matchedFilters": [
{
"id": "f4b062e6-f363-4620-8473-eb929bc9f134",
"name": "Possible Credential Dumping via Registry Hive",
"matchedDateTime": "2022-09-05T03:38:48.000Z",
"mitreTechniqueIds": [
"V9.T1003.004",
"V9.T1003.002",
"T1003"
],
"matchedEvents": [
{
"uuid": "79c65387-271b-4335-a02d-06aa12b7c5c6",
"matchedDateTime": "2022-09-05T03:38:48.000Z",
"type": "TELEMETRY_PROCESS"
}
]
}
]
}
]
}
Workflow Library Example
Get Alert with Trend Vision One and Send Results Via Email
Preview this Workflow on desktop