As the SOC analysts watch your environment, they can surface alerts to you as investigations, which you can view in Workbench. If you set your notifications to alert you, you get a notification with enough information to generally know what's going on. If you see something you think warrants an investigation, you can create one. You can also reopen an investigation about which you want more information or whose resolution you disagree with.
You can use the filter options at the top of the page to view the investigations you're interested in, for example by status or assignment.
Every investigation has a number associated with it. You can search for the number using the Search field. Click the blue name of the investigation to open it. Your specific investigation screen may look different than our example below.
Use the filter options at the top of the page to view what you're interested in, for example by status or date.
When you view an investigation, you have access to all the information the SOC analysts have. Scroll through the areas to see what notes the SOC analysts made. Click the text on the left to see specific information about the timeline, involved hosts, or other areas. You may be assigned a remediation action.
You can add notes about this investigation by clicking the + Add Comment button on the Investigative Actions screen. You can also add information to the Timeline screen by clicking the + Add Timeline Event button. These additions can be seen by the SOC analysts, too.
You can also update the investigation after you review it. Click the Update Investigation button at the top of the page.