Investigative actions are steps an analyst and/or automation take to aid in the investigation. Most commonly used investigative actions are steps that a given security technology supports. For example,

  • acquiring a file can be accomplished by asking Workbench to retrieve it.

  • Workbench navigates for the SOC analysts, indicating how to acquire the file from any number of EDRs.

Investigative actions can also describe manual steps. This is less common, but an investigative action can be created, for example, tasking you to upload a file that Expel doesn’t have access to but needs to complete the investigation.

Investigative actions come in many forms, but can be grouped into 2 categories: triage support and communications. Triage support consists of gathering additional data from customer devices, enriching data from external data sources, and fetching data sources from multiple locations. Communications involves sending out verify actions or notifications.