Skip to main content

List Alerts

Gets a list of workbench alerts.

Required API key role permissions:

  • Workbench - view, filter, search
External Documentation

To learn more, visit the Trend Vision One documentation.

Basic Parameters

ParameterDescription
End TimeThe end time that indicates the end of the data retrieval time range.
FilterFilter for retrieving a subset of the alert list.For example: indicatorValue eq '8.8.8.8'.For further information, please refer to Trend Vision One Documentation.
Return All PagesAutomatically fetch all resources, page by page.
Start TimeThe start time that indicates the start of the data retrieval time range.
Time TargetThe time range to be used for retrieving Workbench alert data.

Advanced Parameters

ParameterDescription
Order BySpecifies the fields by which the results are sorted.
Skip TokenThe pagination token that's used for retrieving the next page of results.It is returned in nextLink, as a query parameter named skipToken.

Example Output

{
"totalCount": 1,
"count": 1,
"items": [
{
"schemaVersion": "1.12",
"id": "WB-9002-20220906-00022",
"investigationStatus": "New",
"status": "Open",
"investigationResult": "No Findings",
"workbenchLink": "https://THE_WORKBENCH_URL",
"alertProvider": "SAE",
"modelId": "1ebd4f91-4b28-40b4-87f5-8defee4791d8",
"model": "Privilege Escalation via UAC Bypass",
"modelType": "preset",
"score": 64,
"severity": "high",
"firstInvestigatedDateTime": "2022-10-06T02:30:31Z",
"createdDateTime": "2022-09-06T02:49:31Z",
"updatedDateTime": "2022-09-06T02:49:48Z",
"incidentId": "IC-1-20230706-00001",
"caseId": "CL-1-20230706-00001",
"ownerIds": [
"12345678-1234-1234-1234-123456789012"
],
"impactScope": {
"desktopCount": 1,
"serverCount": 0,
"accountCount": 1,
"emailAddressCount": 1,
"containerCount": 1,
"cloudIdentityCount": 1,
"entities": [
{
"entityType": "account",
"entityValue": "shockwave\\sam",
"entityId": "shockwave\\sam",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"relatedIndicatorIds": [],
"provenance": [
"Alert"
]
},
{
"entityType": "host",
"entityValue": {
"guid": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E",
"name": "nimda",
"ips": [
"10.10.58.51"
]
},
"entityId": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E",
"managementScopeGroupId": "deadbeef-292e-42ae-86be-d2fef483a248",
"managementScopeInstanceId": "1babc299-52de-44f4-a1d2-8a224f391eee",
"managementScopePartitionKey": "4c1850c0-8a2a-4637-9f88-6afbab54dd79",
"relatedEntities": [
"shockwave\\sam"
],
"relatedIndicatorIds": [
1,
2,
3,
4,
5,
6,
7,
8
],
"provenance": [
"Alert"
]
},
{
"entityType": "emailAddress",
"entityValue": "support@pctutordetroit.com",
"entityId": "SUPPORT@PCTUTORDETROIT.COM",
"relatedEntities": [],
"relatedIndicatorIds": [],
"provenance": [
"Alert"
]
},
{
"entityType": "container",
"entityValue": "k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0",
"entityId": "7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496",
"relatedEntities": [],
"relatedIndicatorIds": [],
"provenance": [
"Alert"
]
},
{
"entityType": "cloudIdentity",
"entityValue": "arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung",
"entityId": "arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung",
"relatedEntities": [],
"relatedIndicatorIds": [],
"provenance": [
"Alert"
]
}
]
},
"description": "A user bypassed User Account Control (UAC) to gain higher-level permissions.",
"matchedRules": [
{
"id": "25d96e5d-cb69-4935-ae27-43cc0cdca1cc",
"name": "(T1088) Bypass UAC via shell open registry",
"matchedFilters": [
{
"id": "ac200e74-8309-463e-ad6b-a4c16a3a377f",
"name": "Bypass UAC Via Shell Open Default Registry",
"matchedDateTime": "2022-09-05T03:53:49.802Z",
"mitreTechniqueIds": [
"T1112",
"V9.T1112",
"V9.T1548.002"
],
"matchedEvents": [
{
"uuid": "a32599b7-c0c9-45ed-97bf-f2be7679fb00",
"matchedDateTime": "2022-09-05T03:53:49.802Z",
"type": "TELEMETRY_REGISTRY"
}
]
},
{
"id": "857b6396-da29-44a8-bc11-25298e646795",
"name": "Bypass UAC Via Shell Open Registry",
"matchedDateTime": "2022-09-05T03:53:49.802Z",
"mitreTechniqueIds": [
"T1112",
"T1088",
"V9.T1112",
"V9.T1548.002"
],
"matchedEvents": [
{
"uuid": "4c456bbb-2dfc-40a5-b298-799a0ccefc01",
"matchedDateTime": "2022-09-05T03:53:49.802Z",
"type": "TELEMETRY_REGISTRY"
}
]
}
]
}
],
"indicators": [
{
"id": 1,
"type": "command_line",
"field": "processCmd",
"value": "c:\\windows\\system32\\rundll32.exe c:\\users\\sam\\appdata\\local\\cyzfc.dat entrypoint",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"ac200e74-8309-463e-ad6b-a4c16a3a377f"
],
"provenance": [
"Alert"
]
},
{
"id": 2,
"type": "command_line",
"field": "parentCmd",
"value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....XggJHNjQjs=')); iex $r; ",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"ac200e74-8309-463e-ad6b-a4c16a3a377f"
],
"provenance": [
"Alert"
]
},
{
"id": 3,
"type": "command_line",
"field": "processCmd",
"value": "c:\\windows\\system32\\rundll32.exe c:\\users\\sam\\appdata\\local\\cyzfc.dat entrypoint",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"857b6396-da29-44a8-bc11-25298e646795"
],
"provenance": [
"Alert"
]
},
{
"id": 4,
"type": "command_line",
"field": "parentCmd",
"value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....jY0KTtpZXggJHNjQjs=')); iex $r; ",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"857b6396-da29-44a8-bc11-25298e646795"
],
"provenance": [
"Alert"
]
},
{
"id": 5,
"type": "registry_key",
"field": "objectRegistryKeyHandle",
"value": "hkcr\\ms-settings\\shell\\open\\command",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"ac200e74-8309-463e-ad6b-a4c16a3a377f"
],
"provenance": [
"Alert"
]
},
{
"id": 6,
"type": "registry_key",
"field": "objectRegistryKeyHandle",
"value": "hkcr\\ms-settings\\shell\\open\\command",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"857b6396-da29-44a8-bc11-25298e646795"
],
"provenance": [
"Alert"
]
},
{
"id": 7,
"type": "registry_value",
"field": "objectRegistryValue",
"value": "delegateexecute",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"857b6396-da29-44a8-bc11-25298e646795"
],
"provenance": [
"Alert"
]
},
{
"id": 8,
"type": "registry_value_data",
"field": "objectRegistryData",
"value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"ac200e74-8309-463e-ad6b-a4c16a3a377f"
],
"provenance": [
"Alert"
]
}
]
}
]
}

Workflow Library Example

List Alerts with Trend Vision One and Send Results Via Email

Workflow LibraryPreview this Workflow on desktop