  • How do I create wildcard exception in Workbench App/Observed Attack Techniques App?

    Every special character in the whole URI must be preceded by the escape character "\". These special characters are:

    \ { } ( ) [ ] . + * ? ^ $ |

    This marks them as ordinary characters with no special meaning. Then, the wildcard symbol (.*) is added.

    Below are examples:

    Original command:

    curl --silent -X POST -F upload=@/tmp/manager/apps/applications.zip -F kouzmmxuznok=afjzknsxltag -F deviceudid=4C4B98D1-53F8-5DA2-A87B-257170A011A6 https://sch-14167.mosyle.com/services/dyuqworeinac.php

    Add escape character ("\"):

    curl --silent -X POST -F upload=@/tmp/manager/apps/applications\.zip -F kouzmmxuznok=afjzknsxltag -F deviceudid=4C4B98D1-53F8-5DA2-A87B-257170A011A6 https://sch-14167\.mosyle\.com/services/dyuqworeinac\.php

    Add wildcard symbol:

    curl --silent -X POST -F upload=@/tmp/manager/apps/applications\.zip -F kouzmmxuznok=afjzknsxltag -F deviceudid=.* https://sch-14167\.mosyle\.com/services/dyuqworeinac\.php

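    The two steps above (escape, then wildcard the part that varies) can be automated. The script below is an added example, not part of this article or of Trend Micro's tooling: it escapes exactly the characters listed above, replaces the value of one curl `-F name=value` field with `.*` (the field name is a parameter; `deviceudid` is used as in the article), and then checks which commands the resulting exception pattern covers. It also shows the failure mode of skipping the escape step, where an unescaped `.` matches any character and the exception covers more than intended.

```python
import re

# Metacharacters the article says must be escaped before a URI or command
# line is used as a Workbench / Observed Attack Techniques exception.
SPECIAL_CHARS = set("\\{}()[].+*?^$|")


def escape_special(text: str) -> str:
    """Put a backslash in front of every listed special character."""
    return "".join(("\\" + ch) if ch in SPECIAL_CHARS else ch for ch in text)


def wildcard_form_field(escaped_command: str, field_name: str) -> str:
    """Replace the value of a curl `-F field_name=value` field with `.*`.

    Works on the already-escaped command (the article's second step). The
    field name appears in its escaped form, so escape it the same way and
    then quote it for the regex used to find it. The value is assumed to
    run up to the next whitespace.
    """
    name_pattern = re.escape(escape_special(field_name))
    return re.sub(rf"(-F {name_pattern}=)\S+", r"\1.*", escaped_command)


def build_exception(command: str, variable_field: str) -> str:
    """Both steps from the article: escape everything, then wildcard one field."""
    return wildcard_form_field(escape_special(command), variable_field)


def exception_matches(exception: str, command: str) -> bool:
    """True when the exception pattern covers the whole command line."""
    return re.fullmatch(exception, command) is not None


# The command from the article; the deviceudid value is the part that varies.
ORIGINAL_COMMAND = (
    "curl --silent -X POST -F upload=@/tmp/manager/apps/applications.zip "
    "-F kouzmmxuznok=afjzknsxltag -F deviceudid=4C4B98D1-53F8-5DA2-A87B-257170A011A6 "
    "https://sch-14167.mosyle.com/services/dyuqworeinac.php"
)

if __name__ == "__main__":
    exception = build_exception(ORIGINAL_COMMAND, "deviceudid")
    print(exception)

    # Same command from another device: covered, as intended.
    other_device = ORIGINAL_COMMAND.replace(
        "4C4B98D1-53F8-5DA2-A87B-257170A011A6",
        "00000000-0000-0000-0000-000000000000",
    )
    print("other device covered:", exception_matches(exception, other_device))

    # A different file name: not covered, because "\." only matches a dot.
    other_file = ORIGINAL_COMMAND.replace("applications.zip", "applications_zip")
    print("other file covered (escaped):", exception_matches(exception, other_file))

    # Skipping the escape step: the bare "." matches any character, so the
    # exception silently covers the other file name as well.
    unescaped = wildcard_form_field(ORIGINAL_COMMAND, "deviceudid")
    print("other file covered (unescaped):", exception_matches(unescaped, other_file))
```

    Run it as a script to see the generated exception string and the three coverage checks; the unescaped variant is the one to avoid, since it widens the exception beyond the command it was written for.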

  • How do I get Company ID without any Workbench alerts (API Key management)?

    The SOAR platform has many Trend Vision One tenants connected to it and receives Workbench alerts from them. All Workbench alerts have Company ID in them but no customer name (tenant name). The customer would map the Company ID to the customer name so it will be displayed in every ticket in the ticketing system.

    The Company ID is needed so we can map the incidents to the right customer. At the moment we cannot do this, because we only get the Company ID when the first Workbench alert arrives from a new tenant (at times there are no Workbench alerts for weeks or months).

    The Company ID is for internal use, and the same Company ID may be duplicated in a different region. Right now there is no way to get a Company ID until a Workbench alert has been generated.

  • How do I troubleshoot Workbench events issues? Why can't I see some special events from Workbench?

    Follow these steps:

    1. Get the Company ID, then go to the sLog and search whether the SAE rules were triggered.

    2. If some of the events are not shown in the customer's WB, check the attributes of the specific SAE rule. If visibleLevel equals 51, the rule is internal only and not visible to customers.

    3. For SRE members, you may visit the Operation Portal and search by the SAE rule name.

      • If the Visible Level equals 51, the rules that were used for the beta test still send the events to Workbench, but the alerts do not show in the customer's Workbench. They are internal to Trend Micro only. (Someone with high-level permission may be able to see the Workbench alerts from the dashboard.)
      • If Silent also equals true, the events are not sent to Workbench at all; they stay internal to SAE. (Even someone with high-level permission will not be able to see the Workbench alerts from the dashboard.)
       
  • Can a Workbench alert be triggered again after I mark it as "Closed - False Positive"?

    No. The Workbench team sends the data to the SAE API; however, SAE currently performs no processing for this particular Workbench alert.

  • The iES is not enabled but still triggered the Workbench alert. Why is this?

    Some SAE models depend on the detection logs of the hosts, such as the Hacking Tool Detection model. Even if iES is not enabled, if the log matches a model in SAE you will still receive an alert.

  • Which Tenable.io APIs does Trend Vision One use?

    Here are the APIs that are used:

    https://developer.tenable.com/reference/exports-vulns-request-export
    https://developer.tenable.com/reference/exports-vulns-download-chunk
    https://developer.tenable.com/reference/exports-assets-request-export
    https://developer.tenable.com/reference/exports-assets-download-chunk

    These two pairs of APIs require the ADMINISTRATOR[64] permission.

  • What is the format of a Workbench ID?

    The format is:

    WB-<unique per each company>-<date created>-<order of WB per day>

    The new format recommended by our team is:

    WB-{companyId}-{yyyyMMdd}-{workbench defined rbac_role_group_id} {4 digit sequence per day}

    *companyId: the 4- to 5-digit mapping of customer_id in Workbench
    *yyyyMMdd: Workbench creation day
    *rbac_role_group_id: the 1-digit Workbench-defined RBAC role group ID


  • Why is Observed Attack Techniques empty after I click "View Event" in a Workbench alert?

    XDL data are only kept for 30 days, so there is no data for a Workbench ID older than 30 days. (The creation date can be read from the Workbench ID.)

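    The Workbench ID format described earlier encodes the creation date, which is what the 30-day XDL retention answer above relies on. The following Python helper is an added example, not from this article or from Trend Micro code: it parses the new format, validates the embedded date, and reports whether an alert is still inside the XDL retention window, so an empty Observed Attack Techniques page can be explained before opening a ticket. It assumes companyId is 4 to 5 digits, rbac_role_group_id is 1 digit and the 4-digit daily sequence follows it with no separator; every sample ID is constructed.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Assumed layout of the new format quoted in the article:
#   WB-{companyId}-{yyyyMMdd}-{rbac_role_group_id}{4-digit sequence per day}
# Assumptions: companyId is 4 to 5 digits, rbac_role_group_id is 1 digit and
# the sequence follows it directly with no separator.
WB_ID_RE = re.compile(
    r"^WB-(?P<company>\d{4,5})-(?P<day>\d{8})-(?P<rbac>\d)(?P<seq>\d{4})$"
)

XDL_RETENTION_DAYS = 30  # XDL keeps event data for 30 days (per the article)


@dataclass(frozen=True)
class WorkbenchId:
    company_id: str
    created: date
    rbac_role_group_id: int
    sequence: int


def parse_workbench_id(wb_id: str) -> WorkbenchId:
    """Split a Workbench ID into its fields; raise ValueError if it does not fit."""
    m = WB_ID_RE.match(wb_id.strip())
    if m is None:
        raise ValueError(f"not a Workbench ID in the expected format: {wb_id!r}")
    # strptime also rejects impossible dates such as month 13.
    created = datetime.strptime(m["day"], "%Y%m%d").date()
    return WorkbenchId(m["company"], created, int(m["rbac"]), int(m["seq"]))


def is_valid_workbench_id(wb_id: str) -> bool:
    try:
        parse_workbench_id(wb_id)
        return True
    except ValueError:
        return False


def days_since_created(wb_id: str, as_of: Optional[str] = None) -> int:
    """Age of the alert in days; as_of is an ISO date (YYYY-MM-DD), default today."""
    today = date.fromisoformat(as_of) if as_of else date.today()
    return (today - parse_workbench_id(wb_id).created).days


def oat_events_expected(wb_id: str, as_of: Optional[str] = None) -> bool:
    """False once the alert is past the XDL retention window, which is the
    case where 'View Event' opens an empty Observed Attack Techniques page.
    An alert exactly 30 days old is treated as still inside the window."""
    return days_since_created(wb_id, as_of) <= XDL_RETENTION_DAYS


if __name__ == "__main__":
    # Constructed sample: company 12345, created 2024-01-15, rbac group 1, sequence 42.
    sample = "WB-12345-20240115-10042"
    print(parse_workbench_id(sample))
    for day in ("2024-01-20", "2024-03-01"):
        print(day, "OAT events expected:", oat_events_expected(sample, day))
```

    The `as_of` parameter exists so the retention check can be reproduced for a past date; leave it out to check against today.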
  • Why is there a one-day delay in the detection of "Anomalous User Account Sign-In from Unknown Agent"?

    Our alert examines a batch of historical sign-ins before making decisions, so the detection is currently designed to run once per day. For this kind of daily batch job, today's data are processed on the next day.

  • Why is there no OAT/OAT Link for "Possible Spear Phishing Attack via Link" Workbench alerts?

    Workbench does not support OAT events, and this alert currently comes from Jaguar.

  • Why do some objects not list the hash value?

    The sensor only sends the hash of EXE files.

  • According to Trend Micro documentation and technical communication, the Workbench alert and all data associated with it have a retention period of 6 months/180 days for investigation and reporting. Why are my Workbench alert and its data deleted within x amount of days?

    The retention period for Workbench alerts is six months. However, the retention period of the PRCA node data is based on the customer's license. If a customer wants the same retention period as WB, the customer must buy a license with 180 days of data retention.