Integrations
- Integrations
- 1Password
- Abnormal
- Absolute
- AbuseIPDB
- Adaptive Shield
- Adobe Cloud
- ADP
- Agari Phishing Response
- Airlock
- Airlock Digital
- Akamai Identity Cloud Social
- Alert Logic
- AlgoSec Firewall Analyzer
- AlienVault OTX
- AlienVault USM
- Anodot
- Ansible
- Anvilogic
- Any Run
- Apex One
- ArcSight ESM
- Area 1
- Asana
- Asset Panda
- Atlassian User Management
- Atlassian User Provisioning
- auth0
- Authentik
- Authomize
- Automox
- AWS
- AWS IAM Identity Center
- Axonius
- Azure
- Azure Data Explorer
- Azure DevOps
- Azure Log Analytics
- Azure Storage
- BambooHR
- Big Fix
- BigPanda
- Bitbucket
- Bitdefender
- Bitsight
- Bitwarden
- Black Duck
- Black Kite
- Blink
- BMC Remedy
- Box
- Brinqa
- Cato Networks
- Censys
- Check Point Harmony
- Check Point Infinity Events
- Check Point XDR-XPR
- Check Point Management
- Checkmarx One
- Checkmarx SAST
- Chorus
- Chronicle
- Cisco Advanced Phishing Protection
- Cisco Domain Protection
- Cisco Meraki
- Cisco Talos
- Cisco Umbrella
- Cisco Webex
- Claroty xDome
- ClearPass
- ClickHouse
- ClickUp
- Cloud Custodian
- Cloudflare
- Cobalt
- Compass
- Confluence
- Confluence Data Center
- Coralogix
- Coralogix Incident Management
- Cortex XDR
- Cortex Xpanse
- CredStash
- Cribl
- CrowdStrike
- CyberArk
- Cybersixgill
- CyCognito
- Cyera
- Cylance
- Cyware CTIX
- Darktrace
- Dasera
- Databricks
- Datadog
- DataSet
- Delighted
- Delinea
- Devo
- Discord
- Docusign
- Domo
- Drata
- Dropbox
- Dropbox Business
- Druva
- Duo
- Duo Auth
- Dynatrace
- EasyVista
- EchoTrail
- Egnyte
- Egnyte Secure Govern
- Elasticsearch
- Entro
- Ermetic
- Exabeam
- Exchange Online
- Expel
- F5 BIG IP
- Falcon LogScale
- Falcon Surface
- Flare.io
- Forcepoint DLP
- Forescout
- FortiGate
- Freshservice
- GCP
- Ghostwriter
- Git
- GitHub
- GitLab
- Glean
- Gmail
- Google Calendar
- Google Chat
- Google Docs
- Google Drive
- Google Forms
- Google Looker
- Google Meet
- Google Sheets
- Google Workspace
- Grafana
- Grip Security
- GYTPOL
- Have I Been Pwned
- HiBob
- HubSpot
- Hunters
- Hybrid Analysis
- Hyperproof
- IBM Cloud
- IBM NS1 Connect
- IBM X Force
- Imperva
- incident.io
- Infoblox Cloud Services Portal
- Integrations
- Intercom
- Intezer
- IP API
- IPinfo
- IPWHOIS
- Ironscales
- Ivanti RiskSense
- Jamf
- JetBrains
- JFrog
- Jira
- Jira Data Center
- Joe Sandbox
- JumpCloud
- Kandji
- Keeper Secrets Manager
- Kenna Security
- KnowBe4
- KnowBe4 Events
- Kubernetes
- Lacework
- LaunchDarkly
- Linear
- Litmos
- LogicMonitor
- LogRhythm
- Manage Engine ServiceDesk Plus
- Mattermost
- Maven
- Microsoft Defender For Cloud
- Microsoft Defender For Cloud Apps
- Microsoft Defender For Endpoints
- Microsoft Defender XDR
- Microsoft E-Discovery
- Microsoft Entra ID
- Microsoft Graph
- Microsoft Intune
- Microsoft Office 365 Management Activity
- Microsoft Outlook
- Microsoft Purview
- Microsoft Sentinel
- Microsoft SQL Server
- Microsoft Teams
- Mimecast
- MISP
- Monday
- MongoDB Atlas
- MxToolbox
- Neo4j
- NetBox
- Netography
- Netskope
- New Relic
- Nightfall AI
- NinjaOne
- Notion
- Nozomi Networks
- Nuclei
- Nucleus
- Nutanix Hypervisor
- Obsidian
- Okta
- OneDrive
- OneLogin
- OneTrust
- OpenAI
- OpenCTI
- Opsgenie
- OPSWAT
- Oracle Cloud
- Oracle HCM
- Orca Security
- OWASP ZAP
- PagerDuty
- Palo Alto Cloud NGFW
- Palo Alto Firewall
- Panther
- Pentera
- Perception Point
- PhishLabs
- PhishLabs Incident Data
- PhishLabs Open Web Monitoring
- Pingdom
- PingID
- PingOne
- PlexTrac
- PortSwigger
- Postman
- Postman SCIM
- Power BI
- PowerShell
- Prisma Access
- Prisma Cloud CSPM
- Prisma Cloud CWP
- Prometheus
- Proofpoint
- Proofpoint ITM
- Proofpoint Protection Server
- Proofpoint Security Awareness Training
- Proofpoint TAP
- Proofpoint Threat Response Auto Pull
- Pub-Sub
- QRadar
- Qualys
- Rapid7
- Rapid7 InsightIDR
- Rapid7 InsightVM Cloud
- Rapid7 Threat Command
- Reco
- Recorded Future
- Red Hat IdM
- Rippling
- runZero
- SafeBase
- Sage HR
- SailPoint
- SailPoint IdentityIQ
- Salesforce
- SAP Ariba
- ScienceLogic
- Securin
- Securin VI
- SecurityScorecard
- Securonix
- SemGrep
- SentinelOne
- ServiceNow
- SharePoint
- Shodan
- Shopify
- Silverfort
- Slack
- Smartsheet
- Snipe-IT
- Snowflake
- Snyk
- SolarWinds Service Desk
- SonarQube
- Sophos
- Split
- Splunk
- Splunk Observability
- Splunk SOAR
- Spur
- StrongDM
- Sumo Logic
- Symantec EDR
- Sysdig
- Tableau
- Tanium
- TeamCity
- TeamViewer
- Telegram
- Tenable
- Tenable Security Center
- Terraform
- Terraform Cloud
- TheHive
- Thinkst Canary
- ThreatQuotient
- Trellix Email Security
- Trello
- Trend Vision One
- Trend Vision One
- Actions
- Twilio
- UKG HR
- Uptycs
- URLScan
- Vault
- Veracode
- Verkada
- Vertica
- VirusTotal
- VMware Carbon Black
- VMware vSphere
- WeChat
- WhatsApp
- Whois
- WildFire
- Wiz
- Workday
- Workspace ONE UEM
- YesWeHack
- Zendesk
- Zero Networks
- Zoom
- Zscaler Internet Access
- Zscaler Private Access
Actions
List Alerts
Gets a list of workbench alerts.
Required API key role permissions:
Workbench - view, filter, search
To learn more, visit the Trend Vision One documentation.
Basic Parameters
| Parameter | Description |
|---|---|
| End Time | The end time that indicates the end of the data retrieval time range. |
| Filter | Filter for retrieving a subset of the alert list.For example: indicatorValue eq '8.8.8.8'.For further information, please refer to Trend Vision One Documentation. |
| Return All Pages | Automatically fetch all resources, page by page. |
| Start Time | The start time that indicates the start of the data retrieval time range. |
| Time Target | The time range to be used for retrieving Workbench alert data. |
Advanced Parameters
| Parameter | Description |
|---|---|
| Order By | Specifies the fields by which the results are sorted. |
| Skip Token | The pagination token that’s used for retrieving the next page of results.It is returned in nextLink, as a query parameter named skipToken. |
Example Output
{ "totalCount": 1, "count": 1, "items": [ { "schemaVersion": "1.12", "id": "WB-9002-20220906-00022", "investigationStatus": "New", "status": "Open", "investigationResult": "No Findings", "workbenchLink": "https://THE_WORKBENCH_URL", "alertProvider": "SAE", "modelId": "1ebd4f91-4b28-40b4-87f5-8defee4791d8", "model": "Privilege Escalation via UAC Bypass", "modelType": "preset", "score": 64, "severity": "high", "firstInvestigatedDateTime": "2022-10-06T02:30:31Z", "createdDateTime": "2022-09-06T02:49:31Z", "updatedDateTime": "2022-09-06T02:49:48Z", "incidentId": "IC-1-20230706-00001", "caseId": "CL-1-20230706-00001", "ownerIds": [ "12345678-1234-1234-1234-123456789012" ], "impactScope": { "desktopCount": 1, "serverCount": 0, "accountCount": 1, "emailAddressCount": 1, "containerCount": 1, "cloudIdentityCount": 1, "entities": [ { "entityType": "account", "entityValue": "shockwave\\sam", "entityId": "shockwave\\sam", "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ], "relatedIndicatorIds": [], "provenance": [ "Alert" ] }, { "entityType": "host", "entityValue": { "guid": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E", "name": "nimda", "ips": [ "10.10.58.51" ] }, "entityId": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E", "managementScopeGroupId": "deadbeef-292e-42ae-86be-d2fef483a248", "managementScopeInstanceId": "1babc299-52de-44f4-a1d2-8a224f391eee", "managementScopePartitionKey": "4c1850c0-8a2a-4637-9f88-6afbab54dd79", "relatedEntities": [ "shockwave\\sam" ], "relatedIndicatorIds": [ 1, 2, 3, 4, 5, 6, 7, 8 ], "provenance": [ "Alert" ] }, { "entityType": "emailAddress", "entityValue": "support@pctutordetroit.com", "entityId": "SUPPORT@PCTUTORDETROIT.COM", "relatedEntities": [], "relatedIndicatorIds": [], "provenance": [ "Alert" ] }, { "entityType": "container", "entityValue": "k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0", "entityId": "7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496", "relatedEntities": [], "relatedIndicatorIds": [], "provenance": [ "Alert" ] }, { "entityType": "cloudIdentity", "entityValue": "arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung", "entityId": "arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung", "relatedEntities": [], "relatedIndicatorIds": [], "provenance": [ "Alert" ] } ] }, "description": "A user bypassed User Account Control (UAC) to gain higher-level permissions.", "matchedRules": [ { "id": "25d96e5d-cb69-4935-ae27-43cc0cdca1cc", "name": "(T1088) Bypass UAC via shell open registry", "matchedFilters": [ { "id": "ac200e74-8309-463e-ad6b-a4c16a3a377f", "name": "Bypass UAC Via Shell Open Default Registry", "matchedDateTime": "2022-09-05T03:53:49.802Z", "mitreTechniqueIds": [ "T1112", "V9.T1112", "V9.T1548.002" ], "matchedEvents": [ { "uuid": "a32599b7-c0c9-45ed-97bf-f2be7679fb00", "matchedDateTime": "2022-09-05T03:53:49.802Z", "type": "TELEMETRY_REGISTRY" } ] }, { "id": "857b6396-da29-44a8-bc11-25298e646795", "name": "Bypass UAC Via Shell Open Registry", "matchedDateTime": "2022-09-05T03:53:49.802Z", "mitreTechniqueIds": [ "T1112", "T1088", "V9.T1112", "V9.T1548.002" ], "matchedEvents": [ { "uuid": "4c456bbb-2dfc-40a5-b298-799a0ccefc01", "matchedDateTime": "2022-09-05T03:53:49.802Z", "type": "TELEMETRY_REGISTRY" } ] } ] } ], "indicators": [ { "id": 1, "type": "command_line", "field": "processCmd", "value": "c:\\windows\\system32\\rundll32.exe c:\\users\\sam\\appdata\\local\\cyzfc.dat entrypoint", "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ], "filterIds": [ "ac200e74-8309-463e-ad6b-a4c16a3a377f" ], "provenance": [ "Alert" ] }, { "id": 2, "type": "command_line", "field": "parentCmd", "value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....XggJHNjQjs=')); iex $r; ", "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ], "filterIds": [ "ac200e74-8309-463e-ad6b-a4c16a3a377f" ], "provenance": [ "Alert" ] }, { "id": 3, "type": "command_line", "field": "processCmd", "value": "c:\\windows\\system32\\rundll32.exe c:\\users\\sam\\appdata\\local\\cyzfc.dat entrypoint", "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ], "filterIds": [ "857b6396-da29-44a8-bc11-25298e646795" ], "provenance": [ "Alert" ] }, { "id": 4, "type": "command_line", "field": "parentCmd", "value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....jY0KTtpZXggJHNjQjs=')); iex $r; ", "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ], "filterIds": [ "857b6396-da29-44a8-bc11-25298e646795" ], "provenance": [ "Alert" ] }, { "id": 5, "type": "registry_key", "field": "objectRegistryKeyHandle", "value": "hkcr\\ms-settings\\shell\\open\\command", "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ], "filterIds": [ "ac200e74-8309-463e-ad6b-a4c16a3a377f" ], "provenance": [ "Alert" ] }, { "id": 6, "type": "registry_key", "field": "objectRegistryKeyHandle", "value": "hkcr\\ms-settings\\shell\\open\\command", "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ], "filterIds": [ "857b6396-da29-44a8-bc11-25298e646795" ], "provenance": [ "Alert" ] }, { "id": 7, "type": "registry_value", "field": "objectRegistryValue", "value": "delegateexecute", "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ], "filterIds": [ "857b6396-da29-44a8-bc11-25298e646795" ], "provenance": [ "Alert" ] }, { "id": 8, "type": "registry_value_data", "field": "objectRegistryData", "value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x", "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ], "filterIds": [ "ac200e74-8309-463e-ad6b-a4c16a3a377f" ], "provenance": [ "Alert" ] } ] } ]}
Workflow Library Example
List Alerts with Trend Vision One and Send Results Via Email
Preview this Workflow on desktop
Was this page helpful?
Assistant
Responses are generated using AI and may contain mistakes.