This guide is for on-demand investigations covered under your managed detection and response (MDR) contract.

On-demand investigations are service requests for deeper analysis that customers submit to the Expel Security Operations Center (SOC). They are based on activity seen outside integrated vendor technologies or detection strategies. You can also use on-demand investigations without Expel support to track your internal investigations.

Note
Expel support for on-demand investigations varies based on your license.

Prerequisites

  1. You must be a Workbench organization admin user to request Expel support. If you are not an organization admin, you may create an investigation for your own tracking but Expel will not be notified.

Quick Links

  1. What Qualifies as an On-Demand Investigation?
  2. How to Submit an On-Demand Investigation
  3. Investigation Process

What Qualifies as an On-Demand Investigation?

Qualified on-demand investigations are for suspicious or malicious activity that did not cause an Expel alert, or that may have occurred in technologies partially integrated or not integrated with Expel Workbench. Expel may be unable to complete investigations for non-integrated or inaccessible technologies. We may use other tools for further analysis, but our visibility is limited in these cases.

On-demand investigations are not for follow-up questions about alerts, investigations, incidents, or detections. Instead, contact support with these questions.

Expel responds to on-demand investigations ranging from alerts to incidents. Your requests should be based on a suspected security issue or compromise not already found by Expel and supported by direct evidence you submit.

How to Submit an On-Demand Investigation

Your on-demand investigation request should provide the required detail (as described below) and proper system access (to enable us to begin the investigation from your initial lead). Your active involvement throughout the process will help the investigation.

See the Reference for examples of on-demand investigations that provide sufficient detail.

Step 1: Prepare the Required Information

Your request should have a clear goal or question. Answering the questions “What?”, “Where?”, and “When?” is a good starting point for your submission.

The evidence you must submit varies based on your request. Collect as much of the following evidence as possible to ensure a quick and successful investigation:

  • Logs (such as SIEM, network, Windows)
  • Screenshots
  • Videos
  • Suspected malicious files

If you need to send Expel a file that may be malicious, compress it into a password-protected ZIP file (we recommend using the password "infected") before attaching it to your investigation. Limit requests to files found in your environment and do not upload folders.
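Added example (not Expel's code or part of the original page): a standard-library Python script that builds the password-protected ZIP described above, using the recommended password "infected", and then checks the archive before you attach it (every entry is encrypted, it contains no folders, the password really opens it, and a SHA-256 is produced for the Additional information field). Function names are my own; the archive uses traditional PKWARE "ZipCrypto" encryption, which common archivers and Python's zipfile module can open.

```python
import hashlib, io, os, struct, zipfile, zlib


def _crc_step(k: int, b: int) -> int:
    """Un-finalized CRC-32 of one byte, i.e. the crc32(key, byte) of the ZipCrypto spec."""
    return zlib.crc32(bytes([b]), k ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

def zipcrypto_encrypt(plain: bytes, password: bytes, crc: int) -> bytes:
    """Traditional PKWARE (ZipCrypto) stream cipher: returns 12-byte header + ciphertext."""
    keys = [0x12345678, 0x23456789, 0x34567890]
    def update(b: int) -> None:
        keys[0] = _crc_step(keys[0], b)
        keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = _crc_step(keys[2], keys[1] >> 24)

    for b in password:
        update(b)
    out = bytearray()
    # Header byte 12 echoes the CRC's high byte; that is how readers reject a wrong password.
    for b in os.urandom(11) + bytes([crc >> 24]) + plain:
        t = (keys[2] | 2) & 0xFFFF
        out.append(b ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(b)
    return bytes(out)

def build_encrypted_zip(name: str, data: bytes, password: bytes = b"infected") -> bytes:
    """Single STORED, encrypted entry; returns the complete archive bytes (write them to a .zip)."""
    crc, fname = zlib.crc32(data), name.encode("utf-8")
    body = zipcrypto_encrypt(data, password, crc)
    # flags: bit 0 = encrypted, bit 11 = UTF-8 name; date pinned to 1980-01-01 (not meaningful here)
    fixed = struct.pack("<HHHHHIII", 20, 0x801, 0, 0, 0x21, crc, len(body), len(data))
    local = struct.pack("<I", 0x04034B50) + fixed + struct.pack("<HH", len(fname), 0) + fname
    central = struct.pack("<IH", 0x02014B50, 20) + fixed + struct.pack("<HHHHHII", len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd

def verify_upload(archive: bytes, password: bytes = b"infected") -> dict:
    """Pre-upload checks: every entry encrypted, no folders, and the password really opens it."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        infos = zf.infolist()
        report = {"encrypted": all(i.flag_bits & 1 for i in infos),
                  "has_folders": any(i.is_dir() for i in infos), "sha256": {}}
        try:
            for i in infos:  # read() also re-checks the stored CRC against the decrypted bytes
                report["sha256"][i.filename] = hashlib.sha256(zf.read(i, pwd=password)).hexdigest()
            report["password_ok"] = True
        except (RuntimeError, zipfile.BadZipFile):  # bad password, or a CRC mismatch after it
            report["password_ok"] = False
    return report
```

The password is not a confidentiality control (you share it in the Additional information field anyway); it only keeps the sample from being opened or quarantined accidentally on its way to the analyst.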

Also, prepare as much of the following relevant information as possible:

  • The earliest evidence of the activity or when it was first known
  • The time period of interest
  • The events and/or alerts with your suspected security concerns
  • The affected environment assets (usernames, hostnames, IPs, devices, and cloud resources)
  • The relationship to a previous or active investigation or suspected incident

Step 2: Create the On-Demand Investigation in Workbench

You can create an on-demand investigation or incident in Workbench at any time.

  1. Log in to Workbench.
  2. In the side menu, navigate to Activity > Investigations.
  3. Select Add Investigation.
  4. Choose a radio button for an investigation or incident.
    • Select Investigation if you have noticed suspicious or unusual activity but are unsure if it is malicious. Continue to step 5.
    • Select Incident if you have identified and confirmed malicious activity. Skip to step 6.
  5. For investigations, complete the fields as follows:
    • Name - enter a descriptive name for your investigation.
    • Upload - add logs, screenshots, videos, or other files you prepared. Remember to limit requests to files found in your environment and do not upload folders; if you need to upload a file that may be malicious, compress it into a password-protected ZIP file (we recommend using the password “infected”) and enter the password in the Additional information area.
    • Additional information - describe what you found and explain any potentially malicious files; you can provide passwords to your files here.
    • Assign to - if you want Expel to begin an on-demand investigation (organization admins only), select Expel from the dropdown list; if you do not need Expel support at this time, choose your organization or a user in your organization.
    • Initial lead - choose how the investigation was first started.
    • Select Next.
    • Skip to step 7.
  6. For incidents, complete the fields as follows:
    • Threat type - select the type of threat you identified; if unsure, select Unknown.
    • Name - enter a descriptive name for your incident.
    • Upload - add logs, screenshots, videos, or other files you prepared. Remember to limit requests to files found in your environment and do not upload folders; if you need to upload a file that may be malicious, compress it into a password-protected ZIP file (we recommend using the password “infected”) and enter the password in the Additional information area.
    • Additional information - describe what you found and explain any potentially malicious files; you can provide passwords to your files here.
    • Assign to - if you want Expel to begin an on-demand investigation (organization admins only), select Expel from the dropdown list; if you do not need Expel support at this time, choose your organization or a user in your organization.
    • Initial lead - choose how the investigation was first started.
    • Select Next.
  7. Use the radio buttons to choose an Expel support option.
    • If you do not want support, select No Expel SOC support needed.
    • If you want support, select Yes, request Expel SOC support. You may be required to accept terms and conditions for using on-demand investigation hours based on your Workbench license.
  8. Select Save to create the investigation or incident.

Investigation Process

Expel’s detection and response analysts handle on-demand investigation requests per Expel’s service level objectives (SLOs). They prioritize requests related to security compromises first, followed by all other security issues and alerts.

The following is an overview of what you can expect after submitting your investigation in Workbench:

  1. Our analysts receive a notification immediately.
  2. An analyst reviews the investigation or incident and then:
    • Adds updates to the Workbench investigation (labeled “investigative actions”).
    • Contacts you through Slack®, Microsoft Teams™, or Workbench notifications (based on your configurations) if more information is needed.
  3. During or after the investigation, one of the following actions is taken:
    • If the initial lead shows a compromise or we find evidence of one, the analyst promotes the investigation to an incident. They also assign remediation actions and continue investigating until a resolution is achieved.
    • If the investigation shows no evidence of malicious activity, the analyst releases the findings or closes the investigation.

Reference

The following examples of qualified on-demand investigations explain concerns, ask questions, and provide supporting information so Expel can quickly act on your requests.

Example 1: Unsurfaced Vendor Alert From an Integrated Technology

What happened: You received a vendor alert on your computer for a threat blocked by your endpoint detection and response (EDR) platform.

How to submit a good on-demand investigation request: This activity is supported by Expel, so you should add a Workbench investigation with the following information:

  1. Your suspected security concerns based on the EDR alert
  2. The affected hostname (the name of your computer)
  3. A screenshot of the EDR alert with the time and malicious filename
  4. A request for clarification on the alert and why you received it

The details (alert, hostname, and time) allow Expel to start a search, determine if the host is compromised, and identify other potentially infected hosts. Based on your evidence, Expel can then answer your questions.

Example 2: Business Email Compromise (BEC)

What happened: You noticed that someone changed an address on an email thread after you received no response from the recipient.

How to submit a good on-demand investigation request: This activity is supported by Expel, so you should add a Workbench investigation with the following information:

  1. Your suspected security concerns based on the email thread
  2. The timeline of the email events
  3. The emails (as uploads) related to the suspected compromise
  4. A question about whether the internal user who responded to the BEC email is compromised

Your evidence (order of events and suspicious emails) can launch an Expel investigation to answer your question.