You can see Expel alerts in Workbench in the Alerts dashboard. To open the Alerts dashboard, click Alerts. Workbench shows alerts at different severity levels: Critical, High, Medium, Low, and Tuning.
To view the alerts by severity, click the tabs at the top of this dashboard. Pay attention to Critical or High alerts first. You can also sort the alerts by using the sorting options above the alerts.
An incident is critical when the impact to the business is high, such as financial loss, reputational damage, or data loss. A critical alert can be an indicator of compromise, but not all critical alerts lead to an incident. Just because an alert is listed in Workbench doesn’t mean you need to do anything.
If you want to dig deeper into this alert, you can scroll down to see more details. We include exactly what happened, when, by whom, and where. You can also click Evidence Summary. A resizable dialog box opens with all the code behind this alert. This can also help you understand why this alert was flagged.
To close this alert when you decide it's benign, click Close. Provide the reason for closing it and click Close Alert. You can reopen closed alerts if you need to. If our analyst, or sometimes Ruxie, determines the alert isn’t malicious activity, we close the alert with a Close status and a close reason, too.
You can also add this alert to an existing investigation or incident. This is really helpful if you think the issues are related and want all the information in one place. Just click Add To and locate the investigation or incident.