Expel alerts are the representation of one or more vendor alerts that appear in Workbench for analysts to triage, investigate, and respond to. An Expel alert is created when one or more vendor alerts satisfy the rule logic in our detection engines.
Each Expel alert is assigned a severity, which may not always match the severity of the originating vendor alert(s). Expel alerts are de facto tier 1 when mapping back to the traditional security operations center (SOC) process. New Expel alerts trigger Ruxie, our automated workflow service, which creates new investigative actions, looks for similar Expel alerts, and even closes the alert in certain circumstances.
As our SOC analysts and Ruxie triage Expel alerts, they can end up proceeding in 3 different ways:
Closed: they can be closed if the vendor alert is benign or doesn’t fall into a category we can investigate further. For example, potentially unwanted programs (PUP) or potentially unwanted applications (PUA).
Escalated to investigation : if there’s a potential of malicious behavior or our SOC analysts need more information, we create an investigation from that Expel alert.
Escalated to incident: in very specific circumstances where an Expel alert is explicitly malicious, it can be immediately escalated to an incident.
In the case of phishing Expel alerts, instead of a vendor alert being both the source/cause of the Expel alert, it’s a phishing submission.
It's possible at the Expel alert/triage phase that Ruxie contacts your organization to ask “did you expect this?” through Slack.
In both cases, Expel alerts are closed with a reason and a comment if they are determined to be benign in nature.