List Alerts
Gets a list of workbench alerts.
Required API key role permissions:
Workbench - view, filter, search
External Documentation
To learn more, visit the Trend Vision One documentation.
Basic Parameters
Parameter | Description |
---|---|
End Time | The end time that indicates the end of the data retrieval time range. |
Filter | Filter for retrieving a subset of the alert list.For example: indicatorValue eq '8.8.8.8' .For further information, please refer to Trend Vision One Documentation. |
Return All Pages | Automatically fetch all resources, page by page. |
Start Time | The start time that indicates the start of the data retrieval time range. |
Time Target | The time range to be used for retrieving Workbench alert data. |
Advanced Parameters
Parameter | Description |
---|---|
Order By | Specifies the fields by which the results are sorted. |
Skip Token | The pagination token that's used for retrieving the next page of results.It is returned in nextLink , as a query parameter named skipToken . |
Example Output
{
"totalCount": 1,
"count": 1,
"items": [
{
"schemaVersion": "1.12",
"id": "WB-9002-20220906-00022",
"investigationStatus": "New",
"status": "Open",
"investigationResult": "No Findings",
"workbenchLink": "https://THE_WORKBENCH_URL",
"alertProvider": "SAE",
"modelId": "1ebd4f91-4b28-40b4-87f5-8defee4791d8",
"model": "Privilege Escalation via UAC Bypass",
"modelType": "preset",
"score": 64,
"severity": "high",
"firstInvestigatedDateTime": "2022-10-06T02:30:31Z",
"createdDateTime": "2022-09-06T02:49:31Z",
"updatedDateTime": "2022-09-06T02:49:48Z",
"incidentId": "IC-1-20230706-00001",
"caseId": "CL-1-20230706-00001",
"ownerIds": [
"12345678-1234-1234-1234-123456789012"
],
"impactScope": {
"desktopCount": 1,
"serverCount": 0,
"accountCount": 1,
"emailAddressCount": 1,
"containerCount": 1,
"cloudIdentityCount": 1,
"entities": [
{
"entityType": "account",
"entityValue": "shockwave\\sam",
"entityId": "shockwave\\sam",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"relatedIndicatorIds": [],
"provenance": [
"Alert"
]
},
{
"entityType": "host",
"entityValue": {
"guid": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E",
"name": "nimda",
"ips": [
"10.10.58.51"
]
},
"entityId": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E",
"managementScopeGroupId": "deadbeef-292e-42ae-86be-d2fef483a248",
"managementScopeInstanceId": "1babc299-52de-44f4-a1d2-8a224f391eee",
"managementScopePartitionKey": "4c1850c0-8a2a-4637-9f88-6afbab54dd79",
"relatedEntities": [
"shockwave\\sam"
],
"relatedIndicatorIds": [
1,
2,
3,
4,
5,
6,
7,
8
],
"provenance": [
"Alert"
]
},
{
"entityType": "emailAddress",
"entityValue": "support@pctutordetroit.com",
"entityId": "SUPPORT@PCTUTORDETROIT.COM",
"relatedEntities": [],
"relatedIndicatorIds": [],
"provenance": [
"Alert"
]
},
{
"entityType": "container",
"entityValue": "k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0",
"entityId": "7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496",
"relatedEntities": [],
"relatedIndicatorIds": [],
"provenance": [
"Alert"
]
},
{
"entityType": "cloudIdentity",
"entityValue": "arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung",
"entityId": "arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung",
"relatedEntities": [],
"relatedIndicatorIds": [],
"provenance": [
"Alert"
]
}
]
},
"description": "A user bypassed User Account Control (UAC) to gain higher-level permissions.",
"matchedRules": [
{
"id": "25d96e5d-cb69-4935-ae27-43cc0cdca1cc",
"name": "(T1088) Bypass UAC via shell open registry",
"matchedFilters": [
{
"id": "ac200e74-8309-463e-ad6b-a4c16a3a377f",
"name": "Bypass UAC Via Shell Open Default Registry",
"matchedDateTime": "2022-09-05T03:53:49.802Z",
"mitreTechniqueIds": [
"T1112",
"V9.T1112",
"V9.T1548.002"
],
"matchedEvents": [
{
"uuid": "a32599b7-c0c9-45ed-97bf-f2be7679fb00",
"matchedDateTime": "2022-09-05T03:53:49.802Z",
"type": "TELEMETRY_REGISTRY"
}
]
},
{
"id": "857b6396-da29-44a8-bc11-25298e646795",
"name": "Bypass UAC Via Shell Open Registry",
"matchedDateTime": "2022-09-05T03:53:49.802Z",
"mitreTechniqueIds": [
"T1112",
"T1088",
"V9.T1112",
"V9.T1548.002"
],
"matchedEvents": [
{
"uuid": "4c456bbb-2dfc-40a5-b298-799a0ccefc01",
"matchedDateTime": "2022-09-05T03:53:49.802Z",
"type": "TELEMETRY_REGISTRY"
}
]
}
]
}
],
"indicators": [
{
"id": 1,
"type": "command_line",
"field": "processCmd",
"value": "c:\\windows\\system32\\rundll32.exe c:\\users\\sam\\appdata\\local\\cyzfc.dat entrypoint",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"ac200e74-8309-463e-ad6b-a4c16a3a377f"
],
"provenance": [
"Alert"
]
},
{
"id": 2,
"type": "command_line",
"field": "parentCmd",
"value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....XggJHNjQjs=')); iex $r; ",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"ac200e74-8309-463e-ad6b-a4c16a3a377f"
],
"provenance": [
"Alert"
]
},
{
"id": 3,
"type": "command_line",
"field": "processCmd",
"value": "c:\\windows\\system32\\rundll32.exe c:\\users\\sam\\appdata\\local\\cyzfc.dat entrypoint",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"857b6396-da29-44a8-bc11-25298e646795"
],
"provenance": [
"Alert"
]
},
{
"id": 4,
"type": "command_line",
"field": "parentCmd",
"value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....jY0KTtpZXggJHNjQjs=')); iex $r; ",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"857b6396-da29-44a8-bc11-25298e646795"
],
"provenance": [
"Alert"
]
},
{
"id": 5,
"type": "registry_key",
"field": "objectRegistryKeyHandle",
"value": "hkcr\\ms-settings\\shell\\open\\command",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"ac200e74-8309-463e-ad6b-a4c16a3a377f"
],
"provenance": [
"Alert"
]
},
{
"id": 6,
"type": "registry_key",
"field": "objectRegistryKeyHandle",
"value": "hkcr\\ms-settings\\shell\\open\\command",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"857b6396-da29-44a8-bc11-25298e646795"
],
"provenance": [
"Alert"
]
},
{
"id": 7,
"type": "registry_value",
"field": "objectRegistryValue",
"value": "delegateexecute",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"857b6396-da29-44a8-bc11-25298e646795"
],
"provenance": [
"Alert"
]
},
{
"id": 8,
"type": "registry_value_data",
"field": "objectRegistryData",
"value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterIds": [
"ac200e74-8309-463e-ad6b-a4c16a3a377f"
],
"provenance": [
"Alert"
]
}
]
}
]
}
Workflow Library Example
List Alerts with Trend Vision One and Send Results Via Email
Preview this Workflow on desktop