If you are an Expel customer, we recommend logging into Workbench to ensure you can access all of the linked content on this page.
- Assembler
- Auto Remediation
- Context
- Detection Strategy
- Event
- Expel Alert
- Finding
- Incident
- Investigation
- Investigative Action
- Josie
- Lookout
- Remediation Action
- Ruxie
- Situation Report
- Suppression
- Workbench Notifications
Assembler
The Expel Assembler serves as a network proxy to allow our SOC analysts to access the security devices that live on internal networks. It is only needed if your security device lives on a private network where a direct external connection cannot be established.
Learn more about the Expel Assembler or find it in Workbench at Settings > Organization Settings > Assemblers.
Auto Remediation
An auto remediation enables Expel to automate certain response capabilities within your vendor technology so that attacks can be rapidly contained without requiring any intervention from you. If an auto remediation occurs, you will see it listed as a Remediation Action in Workbench. There are a variety of auto remediations to choose from and they can be enabled or disabled individually at any time.
Learn more about Auto Remediations or edit them in Workbench at Settings > Organization Settings > My Organizations > select an organization if multiple exist > Auto Remediations.
Context
Expel uses the term Context to refer to stored reference information about your environment. Context can be added by you or may be added proactively by our SOC analysts. You can use Context to help tailor your alerts and to improve reporting.
Learn more about Context or find it in Workbench at Settings > Organization Settings > Context.
Detection Strategy
Expel's Detection Strategy automates certain types of decisions related to Events and triage: it creates associated Expel Alerts when required, or marks an Event as benign. The specific detection strategy employed for a piece of vendor technology varies based on the type of technology it is, but in general the strategy always focuses on the point where fidelity is highest while there is still time to act.
Learn more about Detection Strategy or find it in Workbench at Tools > Detections > Detection Strategy.
Event
Expel refers to the signals coming from the integrations you connected to Workbench as Events. These signals may take the form of actual alerts from security technologies, logs and signals from cloud and SaaS integrations, or audit events produced by other software that Expel monitors. Not all Events will require action from Expel (in the form of an associated Expel Alert), but every Event will be associated with a specific security device in Workbench.
Events do not have a status and we do not assign them to anyone; you can search your Events from the bottom left of Workbench.
Expel Alert
An Expel Alert is created when a security event (typically an Event or an on-demand investigation request) merits further research or investigation on our part. Expel Alerts may be generated automatically by the detection strategy or created manually at any time by our SOC team. Expel Alerts are given a severity rating of Critical, High, Medium, or Low. The severity is determined by a combined approach that considers alert fidelity, alert impact, and security product fidelity.
Find Expel Alerts in Workbench at Activity > Alerts.
Finding
A Finding is where our SOC analysts document answers to questions like: What is it? Where is it? When did it get here? How did it get here? Findings are only used for Investigations that have been flagged as an Incident. You may see text-only findings or more detailed evidence findings.
Find Findings in Workbench in your Findings report (Activity > Incidents > select an incident > select the Findings link) or in Hunting (Activity > Hunting > Hunts > select an investigation > select the Findings link).
Incident
An Incident is simply a flag on an Investigation that enables Expel to document Findings and create Remediation Actions. Every Investigation is eventually either flagged as an Incident because there is a potential threat to your environment, or closed as benign with no further action needed. Anything that is especially urgent will be categorized as a Critical Security Incident.
Although an Incident is not actually a separate entity (each Incident is simply an Investigation that was flagged as a threat), you can quickly view all Investigations flagged as Incidents in Workbench at Activity > Incidents.
Investigation
The SOC analyst may decide to create an Investigation based on an Expel Alert, which means they believe there is a need for more in-depth analysis. The Investigation is where Expel can perform additional actions (labeled Investigative Actions) to uncover more information and help determine the scope and nature of the activity that created the initial Expel Alert. Some Investigations will be flagged as Incidents, and some will be closed as benign with no further action needed. Customers with MDR contracts can also create on-demand investigations if the suspicious activity meets certain criteria.
Find Investigations in Workbench at Activity > Investigations.
Investigative Action
An Investigative Action is how Expel tracks its activities and research related to an Expel Alert or to an open Investigation. An Investigative Action may capture an automated process or it may result in a notification to you, asking you to complete a manual process. You may see either of the following notification labels in Workbench:
- Verify Action - when we identify something that is highly suspicious, and ask you to verify whether or not the activity is authorized for business reasons.
- Notify Action - when we identify something that is not entirely malicious but is highly suspicious or a potential policy violation, and recommend an action for you to take (such as gathering device data or uploading a file for our SOC analysts).
Find Investigative Actions in Workbench at Activity > Actions.
Josie
Josie is a bot that assists our SOC analysts with the alert triage process by leveraging detection strategies to automatically classify certain Events and then trigger the necessary Expel Alerts. Josie runs in the background and is not managed in Workbench.
Lookout
A Lookout is a type of supplemental rule that complements our Detection Strategy. There are two types of Lookout Rules that can be applied: automatically create an Expel Alert, or automatically create an Investigation. Lookouts are used to process certain types of Events that meet very specific internal criteria, and the two Lookout Rule types can be used separately or together to override the behavior of our detection engine.
Learn more about Lookout Rules or find Lookouts in Workbench at Tools > Detections > Lookouts.
Remediation Action
A Remediation Action contains the SOC analyst's recommendations on the best next actions to take to mitigate threats to your environment. The analyst provides this guidance when they do not have sufficient access to your system and/or are not able to perform the task themselves with the technology involved. You may also choose to enable one or more Auto Remediations to instruct our platform to perform certain SOC recommendations automatically, and to grant Expel the necessary access to do so. Remediation Actions are only used for Investigations that have been flagged as an Incident.
Find Remediation Actions in Workbench at Activity > Actions and in your Findings report (Activity > Incidents > locate an incident and select the Findings link).
Ruxie
Ruxie is a bot that assists our SOC analysts with the process of creating new Investigative Actions due to Expel Alerts or open Investigations. Ruxie runs in the background and is not managed in Workbench.
Situation Report
The Situation Report shows an overview of all security activity at your organization, including open action items that may need to be addressed by you.
Learn more about the Situation Report or find it in Workbench at Dashboards > Situation Report.
Suppression
A Suppression is a type of supplemental rule that complements our Detection Strategy. It refers to a manual rule that our SOC analysts have added to help filter out known benign issues from Expel Alerts, and to automatically close an Expel Alert if it meets very specific internal criteria before it comes to a SOC analyst. Suppression Rules can be created for your organization, for multiple organizations, or for all Expel customers.
Learn more about Suppression Rules or find Suppressions in Workbench at Tools > Detections > Suppressions.
Workbench Notifications
Expel Workbench has two types of notifications: an email notification is configured at the user level and sent to an individual email address, and an organization notification is configured at the organization level and sent to a communications platform like Slack® or Microsoft Teams™.
Learn more about notifications or find them in Workbench at:
- Settings > Organization Settings > My Organizations > select an organization if multiple exist > Notifications
- Settings > Organization Settings > Users > View and edit a user > Email notifications