Investigations are Expel alerts for which Ruxie or our SOC analysts gather and review additional information to determine whether the alert represents malicious or benign activity. These investigative actions use the security devices' APIs to acquire and format additional data, and they gather other supporting information. SOC analysts also use our bots to pull more context. They review all of this information to understand the alert.

Sometimes we find something that looks suspicious, such as an unexpected login or an impossible-travel login (two logins from locations too far apart to be reached in the time between them). We send you a verification action and you receive a notification about this activity.

You need to review the activity and decide whether it is expected. In Workbench, click Investigations.


You can click any listed investigation to see more details. If we determine that the Expel alert is malicious, the SOC analysts declare a security incident and focus on determining the scope of the compromise. At all times, you can see what we are working on and what we know.


The SOC analysts determine the nature of the compromise, when it started, and how many hosts, if any, are affected. Messages are sent to your organization's notification channels and, depending on personal notification settings, you and your team may also receive an email.

You and your team should take an incident seriously and respond quickly. A confirmed threat affects your business and requires you and your team to act. We also provide details about exactly what happened and the specific steps you need to take to remediate the incident.

On many screens in Workbench, you can download what you see as a CSV file. This is useful for moving the content into other tools, such as Excel, for further analysis or charting.

You can specify the date range for the content you want to download.

To download the content, locate the Download icon and click it. Specify the date range you want and click Download.


Watch the following videos to learn more about investigations and incidents in Workbench: