The Alert Analysis tab shows you an overview of the alerts in your environment.
To access this page in Workbench, select Dashboards > Alert Analysis.
Notice
As of August 1, 2024, the Alert Analysis dashboard shows the total number of Raw Events Ingested from all of your security devices. This number more accurately reflects the true volume of data Expel receives and processes from customer environments for use in threat detection and investigation. Some existing customers may notice a significant change in the event volume shown.
What caused this significant change?
In prior versions, the “Source Alerts And Events Analyzed” number on the far left of the funnel represented a combination of third-party security alerts and an aggregation of data generated by Expel for certain integrations. We heard your feedback that this was confusing, and it made it difficult to understand how much data you were sending to Expel.
In the new model, we count the grand total of Raw Events Ingested, which includes third-party alerts and all event telemetry that Expel processes and analyzes. As a result, customers with certain integrations can expect to see major increases following the change. For example, technologies such as Microsoft 365 (M365) and AWS CloudTrail generate a high volume of event telemetry but a low volume (if any) of security alerts. M365 and AWS CloudTrail customers (among others) can therefore expect a major difference between the old "Source Alerts And Events Analyzed" and the new "Raw Events Ingested." This is fully expected and reflects only the change in what data we count, not a change in what Expel ingests.
Alert Analysis Dashboard Funnel
Raw Events Ingested
This count shows the total number of events we ingest from your connected security devices, including both security alerts and events.
The following is included in this count:
- Alerts
- Events
- Logs
Please be aware that the count presented here may not match one-to-one with the count in your device's own console. This is expected: Expel ingests only the security-relevant data curated by our Detection and Response team, not every record the device produces.
Expel Alerts
Expel alerts are the alerts that appear in Workbench for analysts to triage, investigate, and respond to. An Expel alert is created when one or more ingested vendor alerts or events satisfy the rule logic in our detection engines, so the Expel alert count is always a subset of the Raw Events Ingested count. Learn more about Expel alerts.
Investigations
An Expel alert becomes an investigation if a SOC analyst determines that more in-depth analysis of the activity is needed. In this case, the Expel alert that raised suspicion becomes the "lead Expel alert". During investigations, SOC analysts can perform additional actions (investigative actions) to uncover more information and determine the scope and nature of the activity that occurred around the time of the Expel alert. Learn more about Investigations.
Incidents
If SOC analysts determine there is a threat in an organization's environment, an Incident is created directly or an Investigation is promoted to an Incident. Incidents are similar to Investigations in that they include investigative actions and have a similar look and feel. Incidents, however, also include findings. Learn more about Incidents.
Security Device Totals
Active Devices
This view provides an overview of all of your Security Devices that are currently active within Workbench. Within this view, you can get more information regarding your alert traffic by opening the row expander to view information such as Raw Events Ingested by security device.
Device Totals
This view gives an overview of how your technologies are contributing to Expel detections at an aggregated level.
Devices with No Expel Alerts
This view shows all security devices that have not contributed to an Expel alert. You can use this section to understand which technologies may need some tuning.
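The following is an added example, not Expel's own code, that models both the Alert Analysis funnel (Raw Events Ingested, Expel Alerts, Investigations, Incidents) and the Security Device Totals views over a small set of constructed telemetry. The device names, event names, detection rules and analyst triage outcomes are all hypothetical. It shows why an event-heavy source such as CloudTrail dominates the raw count while contributing few Expel alerts, and how the "Devices with No Expel Alerts" list is derived by joining Expel alerts back to the device whose raw event satisfied a rule.

```python
"""Added example: a model of the Alert Analysis funnel and the Security Device
Totals views, run over constructed telemetry. Not Expel's own code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RawEvent:
    device: str   # security device the record came from
    kind: str     # "alert", "event" or "log": all three count as Raw Events Ingested
    name: str     # vendor alert name or event type


@dataclass(frozen=True)
class ExpelAlert:
    alert_id: int
    device: str   # device whose raw event satisfied the rule
    name: str


# Hypothetical detection rules: a raw event whose name matches creates an Expel
# alert. Real rule logic is richer; the point is that events, not only vendor
# alerts, can satisfy it.
DETECTION_RULES = {"Malware.Detected", "Credential.Dumping", "DeleteTrail"}

# Constructed telemetry. The EDR sends a few alerts, while CloudTrail and M365
# send only event/log telemetry, which is why they dominate the raw count.
EVENTS = [
    RawEvent("crowdstrike-falcon", "alert", "Malware.Detected"),
    RawEvent("crowdstrike-falcon", "alert", "Credential.Dumping"),
    RawEvent("crowdstrike-falcon", "alert", "Suspicious.Script"),
    RawEvent("aws-cloudtrail", "event", "ConsoleLogin"),
    RawEvent("aws-cloudtrail", "event", "ConsoleLogin"),
    RawEvent("aws-cloudtrail", "event", "DescribeInstances"),
    RawEvent("aws-cloudtrail", "event", "DeleteTrail"),
    RawEvent("aws-cloudtrail", "event", "GetObject"),
    RawEvent("m365", "log", "UserLoggedIn"),
    RawEvent("m365", "log", "FileAccessed"),
    RawEvent("m365", "log", "FileAccessed"),
    RawEvent("palo-alto-fw", "log", "TRAFFIC"),
    RawEvent("palo-alto-fw", "log", "TRAFFIC"),
]

# Constructed analyst decisions keyed by Expel alert id: the stages each alert
# reached after triage. An alert closed at triage reaches no further stage.
TRIAGE = {
    1: (),                             # Malware.Detected: closed as benign
    2: ("investigation", "incident"),  # Credential.Dumping: investigated, promoted
    3: ("investigation",),             # DeleteTrail: investigated, no threat found
}


def run_detections(events, rules=DETECTION_RULES):
    """Second funnel stage: one Expel alert per raw event that satisfies a rule."""
    alerts = []
    for ev in events:
        if ev.name in rules:
            alerts.append(ExpelAlert(len(alerts) + 1, ev.device, ev.name))
    return alerts


def funnel(events, triage, rules=DETECTION_RULES):
    """Return the four funnel counts as a dict."""
    alerts = run_detections(events, rules)
    stages = [triage.get(a.alert_id, ()) for a in alerts]
    return {
        "raw_events_ingested": len(events),
        "expel_alerts": len(alerts),
        "investigations": sum("investigation" in s for s in stages),
        "incidents": sum("incident" in s for s in stages),
    }


def device_totals(events, rules=DETECTION_RULES):
    """Per-device roll-up behind the Active Devices and Device Totals views."""
    totals = defaultdict(lambda: {"raw_events_ingested": 0, "expel_alerts": 0})
    for ev in events:
        totals[ev.device]["raw_events_ingested"] += 1
    for a in run_detections(events, rules):
        totals[a.device]["expel_alerts"] += 1
    return dict(totals)


def devices_with_no_expel_alerts(events, rules=DETECTION_RULES):
    """Devices that ingest data but have not contributed to any Expel alert."""
    return sorted(d for d, t in device_totals(events, rules).items()
                  if t["expel_alerts"] == 0)


if __name__ == "__main__":
    print(funnel(EVENTS, TRIAGE))
    for device, t in sorted(device_totals(EVENTS).items()):
        print(f"{device:20} raw={t['raw_events_ingested']:3} "
              f"expel_alerts={t['expel_alerts']}")
    print("no Expel alerts:", devices_with_no_expel_alerts(EVENTS))
```

With this input the funnel reads 13 raw events, 3 Expel alerts, 2 investigations and 1 incident, and the two devices listed under "no Expel alerts" are the M365 and firewall sources: both are feeding telemetry (so they appear under Active Devices), but nothing they sent has satisfied a rule, which is the signal the page suggests using to decide where tuning is needed.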