AgentSkillsCN

Workbench Alerts

工作台告警

SKILL.md

Workbench Alerts

Investigate and analyze security alerts from Trend Micro Vision One Workbench. This skill provides read-only access to alert data for SOC analysts and incident responders.

Instructions

  1. When the user asks about security alerts, incidents, or wants to investigate suspicious activity, use this skill to query the Workbench.

  2. Start with alert listing: Use list_workbench_alerts to get an overview of alerts matching the user's criteria (severity, time range, status).

  3. Get alert details: When investigating a specific alert, use get_workbench_alert with the alert ID to retrieve full context including affected entities, indicators, and timeline.

  4. Search for patterns: Use get_workbench_alerts_list when you need to search across multiple alerts or correlate activity.

  5. Prioritize by severity: When presenting alerts, organize by severity (critical > high > medium > low) and highlight actionable items.

  6. Correlate entities: Look for common entities (IPs, domains, users, endpoints) across alerts to identify attack patterns.

  7. Provide context: For each alert, explain the detection rule, potential impact, and recommended response actions.

Tools

This skill uses the following Vision One MCP tools (all read-only):

ToolPurpose
list_workbench_alertsList alerts with filtering by severity, status, time range
get_workbench_alertGet detailed information for a specific alert by ID
get_workbench_alerts_listSearch and retrieve multiple alerts with advanced filters

Common Workflows

Daily Alert Review

  1. List alerts from the last 24 hours filtered by critical/high severity
  2. For each alert, get details and summarize the threat
  3. Group alerts by attack pattern or affected system

Incident Investigation

  1. Get the specific alert details
  2. Search for related alerts involving the same entities
  3. Build a timeline of the attack progression

Alert Triage

  1. List unresolved alerts by severity
  2. Categorize by alert type (malware, phishing, lateral movement, etc.)
  3. Prioritize based on affected asset criticality

Output Format

When presenting alerts, use this format:

code
## Alert Summary

**Alert ID**: [ID]
**Severity**: [Critical/High/Medium/Low]
**Status**: [New/In Progress/Resolved]
**Detected**: [Timestamp]

### Description
[Brief description of the alert]

### Affected Entities
- Endpoints: [list]
- Users: [list]
- IPs: [list]

### Indicators of Compromise
- [IOC type]: [value]

### Recommended Actions
1. [Action item]
2. [Action item]

Security Considerations

  • This skill provides read-only access to alert data
  • Alert data may contain sensitive information about your environment
  • Use alert IDs when referencing specific alerts in reports
  • Do not share raw alert data outside authorized channels