Integrations
- Integrations
- 1Password
- Abnormal
- Absolute
- AbuseIPDB
- Adaptive Shield
- Adobe Cloud
- ADP
- Agari Phishing Response
- Airlock
- Airlock Digital
- Akamai Identity Cloud Social
- Alert Logic
- AlgoSec Firewall Analyzer
- AlienVault OTX
- AlienVault USM
- Anodot
- Ansible
- Anvilogic
- Any Run
- Apex One
- ArcSight ESM
- Area 1
- Asana
- Asset Panda
- Atlassian User Management
- Atlassian User Provisioning
- auth0
- Authentik
- Authomize
- Automox
- AWS
- AWS IAM Identity Center
- Axonius
- Azure
- Azure Data Explorer
- Azure DevOps
- Azure Log Analytics
- Azure Storage
- BambooHR
- Big Fix
- BigPanda
- Bitbucket
- Bitdefender
- Bitsight
- Bitwarden
- Black Duck
- Black Kite
- Blink
- BMC Remedy
- Box
- Brinqa
- Cato Networks
- Censys
- Check Point Harmony
- Check Point Infinity Events
- Check Point XDR-XPR
- Check Point Management
- Checkmarx One
- Checkmarx SAST
- Chorus
- Chronicle
- Cisco Advanced Phishing Protection
- Cisco Domain Protection
- Cisco Meraki
- Cisco Talos
- Cisco Umbrella
- Cisco Webex
- Claroty xDome
- ClearPass
- ClickHouse
- ClickUp
- Cloud Custodian
- Cloudflare
- Cobalt
- Compass
- Confluence
- Confluence Data Center
- Coralogix
- Coralogix Incident Management
- Cortex XDR
- Cortex Xpanse
- CredStash
- Cribl
- CrowdStrike
- CyberArk
- Cybersixgill
- CyCognito
- Cyera
- Cylance
- Cyware CTIX
- Darktrace
- Dasera
- Databricks
- Datadog
- DataSet
- Delighted
- Delinea
- Devo
- Discord
- Docusign
- Domo
- Drata
- Dropbox
- Dropbox Business
- Druva
- Duo
- Duo Auth
- Dynatrace
- EasyVista
- EchoTrail
- Egnyte
- Egnyte Secure Govern
- Elasticsearch
- Entro
- Ermetic
- Exabeam
- Exchange Online
- Expel
- F5 BIG IP
- Falcon LogScale
- Falcon Surface
- Flare.io
- Forcepoint DLP
- Forescout
- FortiGate
- Freshservice
- GCP
- Ghostwriter
- Git
- GitHub
- GitLab
- Glean
- Gmail
- Google Calendar
- Google Chat
- Google Docs
- Google Drive
- Google Forms
- Google Looker
- Google Meet
- Google Sheets
- Google Workspace
- Grafana
- Grip Security
- GYTPOL
- Have I Been Pwned
- HiBob
- HubSpot
- Hunters
- Hybrid Analysis
- Hyperproof
- IBM Cloud
- IBM NS1 Connect
- IBM X Force
- Imperva
- incident.io
- Infoblox Cloud Services Portal
- Integrations
- Intercom
- Intezer
- IP API
- IPinfo
- IPWHOIS
- Ironscales
- Ivanti RiskSense
- Jamf
- JetBrains
- JFrog
- Jira
- Jira Data Center
- Joe Sandbox
- JumpCloud
- Kandji
- Keeper Secrets Manager
- Kenna Security
- KnowBe4
- KnowBe4 Events
- Kubernetes
- Lacework
- LaunchDarkly
- Linear
- Litmos
- LogicMonitor
- LogRhythm
- Manage Engine ServiceDesk Plus
- Mattermost
- Maven
- Microsoft Defender For Cloud
- Microsoft Defender For Cloud Apps
- Microsoft Defender For Endpoints
- Microsoft Defender XDR
- Microsoft E-Discovery
- Microsoft Entra ID
- Microsoft Graph
- Microsoft Intune
- Microsoft Office 365 Management Activity
- Microsoft Outlook
- Microsoft Purview
- Microsoft Sentinel
- Microsoft SQL Server
- Microsoft Teams
- Mimecast
- MISP
- Monday
- MongoDB Atlas
- MxToolbox
- Neo4j
- NetBox
- Netography
- Netskope
- New Relic
- Nightfall AI
- NinjaOne
- Notion
- Nozomi Networks
- Nuclei
- Nucleus
- Nutanix Hypervisor
- Obsidian
- Okta
- OneDrive
- OneLogin
- OneTrust
- OpenAI
- OpenCTI
- Opsgenie
- OPSWAT
- Oracle Cloud
- Oracle HCM
- Orca Security
- OWASP ZAP
- PagerDuty
- Palo Alto Cloud NGFW
- Palo Alto Firewall
- Panther
- Pentera
- Perception Point
- PhishLabs
- PhishLabs Incident Data
- PhishLabs Open Web Monitoring
- Pingdom
- PingID
- PingOne
- PlexTrac
- PortSwigger
- Postman
- Postman SCIM
- Power BI
- PowerShell
- Prisma Access
- Prisma Cloud CSPM
- Prisma Cloud CWP
- Prometheus
- Proofpoint
- Proofpoint ITM
- Proofpoint Protection Server
- Proofpoint Security Awareness Training
- Proofpoint TAP
- Proofpoint Threat Response Auto Pull
- Pub-Sub
- QRadar
- Qualys
- Rapid7
- Rapid7 InsightIDR
- Rapid7 InsightVM Cloud
- Rapid7 Threat Command
- Reco
- Recorded Future
- Red Hat IdM
- Rippling
- runZero
- SafeBase
- Sage HR
- SailPoint
- SailPoint IdentityIQ
- Salesforce
- SAP Ariba
- ScienceLogic
- Securin
- Securin VI
- SecurityScorecard
- Securonix
- SemGrep
- SentinelOne
- ServiceNow
- SharePoint
- Shodan
- Shopify
- Silverfort
- Slack
- Smartsheet
- Snipe-IT
- Snowflake
- Snyk
- SolarWinds Service Desk
- SonarQube
- Sophos
- Split
- Splunk
- Splunk Observability
- Splunk SOAR
- Spur
- StrongDM
- Sumo Logic
- Symantec EDR
- Sysdig
- Tableau
- Tanium
- TeamCity
- TeamViewer
- Telegram
- Tenable
- Tenable Security Center
- Terraform
- Terraform Cloud
- TheHive
- Thinkst Canary
- ThreatQuotient
- Trellix Email Security
- Trello
- Trend Vision One
- Trend Vision One
- Actions
- Twilio
- UKG HR
- Uptycs
- URLScan
- Vault
- Veracode
- Verkada
- Vertica
- VirusTotal
- VMware Carbon Black
- VMware vSphere
- WeChat
- WhatsApp
- Whois
- WildFire
- Wiz
- Workday
- Workspace ONE UEM
- YesWeHack
- Zendesk
- Zero Networks
- Zoom
- Zscaler Internet Access
- Zscaler Private Access
Actions
List Alerts
Gets a list of workbench alerts.
Required API key role permissions:
Workbench - view, filter, search
To learn more, visit the Trend Vision One documentation.
Basic Parameters
| Parameter | Description |
|---|---|
| End Time | The end time that indicates the end of the data retrieval time range. |
| Filter | Filter for retrieving a subset of the alert list.For example: indicatorValue eq '8.8.8.8'.For further information, please refer to Trend Vision One Documentation. |
| Return All Pages | Automatically fetch all resources, page by page. |
| Start Time | The start time that indicates the start of the data retrieval time range. |
| Time Target | The time range to be used for retrieving Workbench alert data. |
Advanced Parameters
| Parameter | Description |
|---|---|
| Order By | Specifies the fields by which the results are sorted. |
| Skip Token | The pagination token that’s used for retrieving the next page of results.It is returned in nextLink, as a query parameter named skipToken. |
Example Output
{ "totalCount": 1, "count": 1, "items": [ { "schemaVersion": "1.12", "id": "WB-9002-20220906-00022", "investigationStatus": "New", "status": "Open", "investigationResult": "No Findings", "workbenchLink": "https://THE_WORKBENCH_URL", "alertProvider": "SAE", "modelId": "1ebd4f91-4b28-40b4-87f5-8defee4791d8", "model": "Privilege Escalation via UAC Bypass", "modelType": "preset", "score": 64, "severity": "high", "firstInvestigatedDateTime": "2022-10-06T02:30:31Z", "createdDateTime": "2022-09-06T02:49:31Z", "updatedDateTime": "2022-09-06T02:49:48Z", "incidentId": "IC-1-20230706-00001", "caseId": "CL-1-20230706-00001", "ownerIds": [ "12345678-1234-1234-1234-123456789012" ], "impactScope": { "desktopCount": 1, "serverCount": 0, "accountCount": 1, "emailAddressCount": 1, "containerCount": 1, "cloudIdentityCount": 1, "entities": [ { "entityType": "account", "entityValue": "shockwave\\sam", "entityId": "shockwave\\sam", "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ], "relatedIndicatorIds": [], "provenance": [ "Alert" ] }, { "entityType": "host", "entityValue": { "guid": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E", "name": "nimda", "ips": [ "10.10.58.51" ] }, "entityId": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E", "managementScopeGroupId": "deadbeef-292e-42ae-86be-d2fef483a248", "managementScopeInstanceId": "1babc299-52de-44f4-a1d2-8a224f391eee", "managementScopePartitionKey": "4c1850c0-8a2a-4637-9f88-6afbab54dd79", "relatedEntities": [ "shockwave\\sam" ], "relatedIndicatorIds": [ 1, 2, 3, 4, 5, 6, 7, 8 ], "provenance": [ "Alert" ] }, { "entityType": "emailAddress", "entityValue": "support@pctutordetroit.com", "entityId": "SUPPORT@PCTUTORDETROIT.COM", "relatedEntities": [], "relatedIndicatorIds": [], "provenance": [ "Alert" ] }, { "entityType": "container", "entityValue": "k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0", "entityId": "7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496", "relatedEntities": [], "relatedIndicatorIds": [], "provenance": [ "Alert" ] }, { "entityType": "cloudIdentity", "entityValue": "arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung", "entityId": "arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung", "relatedEntities": [], "relatedIndicatorIds": [], "provenance": [ "Alert" ] } ] }, "description": "A user bypassed User Account Control (UAC) to gain higher-level permissions.", "matchedRules": [ { "id": "25d96e5d-cb69-4935-ae27-43cc0cdca1cc", "name": "(T1088) Bypass UAC via shell open registry", "matchedFilters": [ { "id": "ac200e74-8309-463e-ad6b-a4c16a3a377f", "name": "Bypass UAC Via Shell Open Default Registry", "matchedDateTime": "2022-09-05T03:53:49.802Z", "mitreTechniqueIds": [ "T1112", "V9.T1112", "V9.T1548.002" ], "matchedEvents": [ { "uuid": "a32599b7-c0c9-45ed-97bf-f2be7679fb00", "matchedDateTime": "2022-09-05T03:53:49.802Z", "type": "TELEMETRY_REGISTRY" } ] }, { "id": "857b6396-da29-44a8-bc11-25298e646795", "name": "Bypass UAC Via Shell Open Registry", "matchedDateTime": "2022-09-05T03:53:49.802Z", "mitreTechniqueIds": [ "T1112", "T1088", "V9.T1112", "V9.T1548.002" ], "matchedEvents": [ { "uuid": "4c456bbb-2dfc-40a5-b298-799a0ccefc01", "matchedDateTime": "2022-09-05T03:53:49.802Z", "type": "TELEMETRY_REGISTRY" } ] } ] } ], "indicators": [ { "id": 1, "type": "command_line", "field": "processCmd", "value": "c:\\windows\\system32\\rundll32.exe c:\\users\\sam\\appdata\\local\\cyzfc.dat entrypoint", "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ], "filterIds": [ "ac200e74-8309-463e-ad6b-a4c16a3a377f" ], "provenance": [ "Alert" ] }, { "id": 2, "type": "command_line", "field": "parentCmd", "value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....XggJHNjQjs=')); iex $r; ", "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ], "filterIds": [ "ac200e74-8309-463e-ad6b-a4c16a3a377f" ], "provenance": [ "Alert" ] }, { "id": 3, "type": "command_line", "field": "processCmd", "value": "c:\\windows\\system32\\rundll32.exe c:\\users\\sam\\appdata\\local\\cyzfc.dat entrypoint", "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ], "filterIds": [ "857b6396-da29-44a8-bc11-25298e646795" ], "provenance": [ "Alert" ] }, { "id": 4, "type": "command_line", "field": "parentCmd", "value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....jY0KTtpZXggJHNjQjs=')); iex $r; ", "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ], "filterIds": [ "857b6396-da29-44a8-bc11-25298e646795" ], "provenance": [ "Alert" ] }, { "id": 5, "type": "registry_key", "field": "objectRegistryKeyHandle", "value": "hkcr\\ms-settings\\shell\\open\\command", "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ], "filterIds": [ "ac200e74-8309-463e-ad6b-a4c16a3a377f" ], "provenance": [ "Alert" ] }, { "id": 6, "type": "registry_key", "field": "objectRegistryKeyHandle", "value": "hkcr\\ms-settings\\shell\\open\\command", "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ], "filterIds": [ "857b6396-da29-44a8-bc11-25298e646795" ], "provenance": [ "Alert" ] }, { "id": 7, "type": "registry_value", "field": "objectRegistryValue", "value": "delegateexecute", "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ], "filterIds": [ "857b6396-da29-44a8-bc11-25298e646795" ], "provenance": [ "Alert" ] }, { "id": 8, "type": "registry_value_data", "field": "objectRegistryData", "value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x", "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ], "filterIds": [ "ac200e74-8309-463e-ad6b-a4c16a3a377f" ], "provenance": [ "Alert" ] } ] } ]}
Workflow Library Example
List Alerts with Trend Vision One and Send Results Via Email
Preview this Workflow on desktop