You can view investigations in Workbench. When an investigation is complete and no evidence of malicious activity is found, the investigation is closed. You can view closed investigations and see why they were closed.

Use the filter options at the top of the Activity page to select status as Closed. You can also filter on several specific closed reasons. Select the closed investigation you want to see.

Review the information in the investigation.

When you view an investigation, you have access to all the information the SOC analysts have. Scroll through the areas to see what notes the SOC analysts made. Select the text on the left to see specific information about timeline, involved hosts, and more. You may be assigned a remediation action.

You can add notes about this investigation by selecting Add Comment on the Investigative Actions screen. You can also add information to the Timeline screen by selecting Add Timeline Event. The SOC analysts can see these additions, too.

You can reopen the investigation after you review it; perhaps you don't agree with this investigation being closed or simply want more information. Select Update Investigation at the top of the page. Select Reopen and then select Save.

After you reopen the investigation, you should add comments or other notes about why you reopened the investigation. If you want the SOC analysts to help, you can assign the investigation to them. Select Update Investigation at the top of the page.
