1. Expel Help Center
  2. Getting Started with Expel
  3. How to Use Event Search in Workbench

How to Use Event Search in Workbench

Event Search enables you to check that Expel has seen an event from an enabled technology. You can search all events that were processed by Josie in the past 14 days, including those that were tuned or became Expel alerts. 

For example, you can use Event Search to ensure Josie processed an EDR alert about a departing employee yesterday at 8:30am.

Note
Each user can run a maximum of 100 searches in 24 hours.

 

Quick Links

Search for Events

  1. In the main menu, click Search for an Event.

  2. Select the parameters.

    • Click Select parameter...

    • Select a parameter for your search and enter a value.

      Screenshot_2023-09-11_at_2_35_52_PM.png

    • To add another parameter to your search, click Add another parameter.

      For example, you can find events for a specific user that came from a specific IP address.


      Note
      To speed up your search, use multiple parameters to create a more targeted search. The search uses the logical 'AND' operator, so results must match all parameters.

  1. Select the technology

    In the from list, select one or more technologies that generated the event.

  2. Select the time period.

    In the in list, select a time period for the search. You can select a preset time period, or define a custom time period within the last 14 days.

  3. Click Search.

    Workbench searches for alerts in the evidence database, and then displays the 100 most recent results.

    If the search takes longer than 1 minute, it times out. Try to make your search more specific, then run it again. For example, try adding another parameter or reducing the time period.

  4. From the search results, you can view details of the event or open the related Expel alert.

    • To view details of the event, in the Time column, click Event Details.

    • If the event is linked to an Expel alert, in the Related Expel Alerts column, click the alert name to open it.

About Event Details

The Event Details screen has the following tabs:

  • What happened?

    Shows an activity timeline for the event. For example, you can see the time that the event occurred in the originating technology and the work performed by Expel Analysts to investigate it.

    Screenshot_2023-09-11_at_2_36_13_PM.png

  • Evidence

    Shows the information used to determine the alert or raise an Expel alert.

    Screenshot_2023-09-11_at_2_36_52_PM.png

 

Related articles