An Expel alert becomes an investigation if the SOC analysts think a more in-depth analysis of the activity is needed. In this case, the Expel alert that raised suspicion is called the lead Expel alert.
Investigations are where the SOC analysts can perform additional actions (investigative actions) to uncover more information to help determine the scope and nature of the activity that occurred proximate to the time of the Expel alert.
If the activity is determined to be benign, the investigation is closed with an explanation. If not, the investigation is promoted to an incident.