Expel alerts are vendor alerts that appear in Workbench for analysts to triage, investigate, and respond to. An Expel alert is created when one or more vendor alerts satisfy the rule logic in our detection engines. You can view Expel alerts on the Alerts analysis dashboard.

Each Expel alert is assigned a severity, which may not always match the severity of the originating vendor alert. Expel alerts are de facto tier 1 when mapping back to the traditional security operations center (SOC) process. New Expel alerts trigger Ruxie, our automated workflow bot. Ruxie creates new investigative actions, looks for similar Expel alerts, and even closes the alert in certain circumstances.

As our SOC analysts and Ruxie triage Expel alerts, they can end up proceeding in 3 different ways:

  • Closed: Expel alerts are closed if the vendor alert is benign or doesn’t fall into a category we can investigate further. For example, potentially unwanted programs (PUP) or potentially unwanted applications (PUA).

  • Escalated to investigation: if there’s a potential of malicious behavior or our SOC analysts need more information, we create an investigation from that Expel alert.

  • Escalated to incident: if an Expel alert is explicitly malicious, it is immediately escalated to an incident.

In the case of phishing Expel alerts, instead of a vendor alert being both the source and cause of the Expel alert, it’s a phishing submission.

In the Expel alert/triage phase Ruxie may contact your organization to ask “did you expect this?”.

In both cases, Expel alerts are closed with a reason and a comment, if they are determined to be benign in nature.