When you're working in Workbench, you see notifications about Expel alerts, investigations, and incidents. Understanding the differences between them and what you need to do for each one helps your organization stay secure. As Workbench consumes log data and alerts from your environment, we run them past our bot Josie, which looks for information that should be reviewed by humans. Josie normalizes alerts and enriches them with context to help people make better decisions.

These items to be reviewed are called Expel alerts. An Expel alert is something unusual that requires one of our bots or a human to review and make decisions about. Our bot Ruxie can close an alert, gather more information about it, or flag it for a human to review and make a determination.

You can see Expel alerts in Workbench on the Alerts page.

[Screenshot: Alerts dashboard]

If we determine that an Expel alert is malicious, the SOC analysts declare a security incident and focus on stopping the bleeding. The SOC analysts determine what was compromised, when the compromise started, and how many hosts, if any, are affected. Messages are sent to your organization's notification channels and, depending on your personal notification settings, you and your teams can also get an email. If there's a compromise, you get instructions on what to do.

In many screens in Workbench, you can download what you see as a CSV file. This is useful for moving the content into other tools, such as Excel, for further analysis or charting.

You can specify the dates for the content you want to download.

To download the content, locate the Download icon and click it. Specify the date range you want and click Download.
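As an added example of the "further analysis" a downloaded CSV makes possible (this is not Expel's code, and Workbench's real export columns are not described on this page), the script below parses a constructed alerts CSV, narrows it to a date range the way the download dialog does, and summarizes alerts by status and severity. The column names (alert_time, severity, status, source, title) and the sample rows are assumptions made up for the example.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of what an exported alerts CSV might look like.
# The column names are assumptions for this example, not Expel's actual export schema.
SAMPLE_CSV = """alert_time,severity,status,source,title
2024-03-01T08:15:00Z,high,open,EDR,Suspicious PowerShell execution
2024-03-01T09:40:00Z,low,closed,SIEM,Failed logon burst
2024-03-02T11:05:00Z,medium,investigating,Cloud,Unusual console login location
2024-03-03T14:20:00Z,high,closed,EDR,Credential dumping tool detected
2024-03-05T02:00:00Z,low,closed,SIEM,Port scan from internal host
"""


def parse_alerts(csv_text):
    """Parse CSV text into a list of dicts, converting alert_time to timezone-aware datetimes."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Timestamps are assumed to be ISO 8601 in UTC with a trailing 'Z'.
        ts = datetime.strptime(row["alert_time"], "%Y-%m-%dT%H:%M:%SZ")
        row["alert_time"] = ts.replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def filter_by_date(alerts, start, end):
    """Keep alerts whose alert_time falls within [start, end] inclusive, like the date-range download."""
    return [a for a in alerts if start <= a["alert_time"] <= end]


def summarize(alerts):
    """Count alerts by status and by severity, and list high-severity alerts that are not closed."""
    by_status = Counter(a["status"] for a in alerts)
    by_severity = Counter(a["severity"] for a in alerts)
    open_high = [a["title"] for a in alerts if a["severity"] == "high" and a["status"] != "closed"]
    return {
        "by_status": dict(by_status),
        "by_severity": dict(by_severity),
        "open_high": open_high,
    }


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_CSV)
    start = datetime(2024, 3, 1, tzinfo=timezone.utc)
    end = datetime(2024, 3, 3, 23, 59, 59, tzinfo=timezone.utc)
    window = filter_by_date(alerts, start, end)
    print(f"{len(window)} alerts between {start.date()} and {end.date()}")
    print(summarize(window))
```

To use it with a real export, replace SAMPLE_CSV with the file contents and adjust the column names to match the header row of your download.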

Watch our Navigating Alerts in Workbench video for a walkthrough and to learn more.