An Expel alert becomes an investigation if the SOC analysts think a more in-depth analysis of the activity is needed. In this case, the Expel alert that raised suspicion is called the lead Expel alert.
Investigations are where the SOC analysts can perform additional actions (investigative actions) to uncover more information to help determine the scope and nature of the activity that occurred proximate to the time of the Expel alert.
In an investigation, you and the SOC analysts can collaborate and share information in Workbench to reach a conclusion through comments, findings, and investigative actions.
If the activity is determined to be benign, the investigation is closed with an explanation. If not, the investigation is promoted to an incident.
Article is closed for comments.