# Analyst Workbench
The Analyst Workbench is a unified investigation workspace that combines alert/incident details, response actions, and investigation tools in a single view. It is the primary workspace for SOC analysts performing triage and response.
## Core Features

### Alert & Incident Investigation
- View detailed alert or incident information in context
- Switch between alerts and incidents from the same workspace
- Access evidence, timeline, raw data, and MITRE ATT&CK mappings
### Ownership & Lifecycle
| Action | Description |
|---|---|
| Take Ownership | Assign the alert/incident to yourself for investigation |
| Escalate | Escalate to a higher-tier analyst or create an incident from an alert |
| Close Case | Mark as resolved with a resolution summary |
### Response Actions
Response actions allow analysts to take direct containment and remediation steps:
| Action | License | Description |
|---|---|---|
| Isolate Host | NDR | Network-isolate a compromised endpoint |
| Block IP | NDR | Block a malicious IP at the perimeter |
| Disable Account | — | Disable a compromised user account |
| Kill Process | EDR | Terminate a malicious process on an endpoint |
| Scan Endpoint | EDR | Trigger an on-demand endpoint scan |
| Collect Forensics | EDR | Collect forensic artifacts from an endpoint |
Actions marked with EDR or NDR require the corresponding license to be active. Without the license, these buttons display a lock icon and link to the upgrade page.
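The ownership lifecycle and licence gating described above can be modelled as a small state machine. The following is an added illustrative example, not the product's own code: the `Case` class, the `RESPONSE_ACTIONS` catalogue, the `LicenseRequired` exception and the status values are assumptions made for the example. Every lifecycle step and response action appends an entry to the case's activity log, mirroring the timeline the workbench keeps, and `available_actions` reports which buttons would render enabled versus locked for a tenant's active licences.

```python
"""Illustrative model of workbench case handling (added example, not product code)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple

# Response-action catalogue; the licence values mirror the table above.
# None means the action is not tied to an add-on licence.
RESPONSE_ACTIONS = {
    "isolate_host": "NDR",
    "block_ip": "NDR",
    "disable_account": None,
    "kill_process": "EDR",
    "scan_endpoint": "EDR",
    "collect_forensics": "EDR",
}


class LicenseRequired(Exception):
    """Raised when a response action needs a licence the tenant does not hold."""


@dataclass
class TimelineEntry:
    when: datetime
    actor: str
    event: str
    detail: str = ""


@dataclass
class Case:
    """An alert or incident as handled in the workbench (hypothetical model)."""
    case_id: str
    kind: str = "alert"             # "alert" or "incident"
    status: str = "new"             # new -> in_progress -> closed
    owner: Optional[str] = None
    resolution: Optional[str] = None
    timeline: List[TimelineEntry] = field(default_factory=list)

    def _log(self, actor: str, event: str, detail: str = "") -> None:
        self.timeline.append(TimelineEntry(datetime.now(timezone.utc), actor, event, detail))

    def take_ownership(self, analyst: str) -> None:
        if self.status == "closed":
            raise ValueError("cannot take ownership of a closed case")
        self.owner = analyst
        self.status = "in_progress"
        self._log(analyst, "assigned", f"owner set to {analyst}")

    def escalate(self, analyst: str, to_tier: Optional[str] = None) -> None:
        """Promote an alert to an incident, or hand an incident to a higher tier."""
        if self.kind == "alert":
            self.kind = "incident"
            self._log(analyst, "escalated", "incident created from alert")
        else:
            self._log(analyst, "escalated", f"escalated to {to_tier or 'next tier'}")
        # Escalation hands the case off; the receiving analyst takes ownership again.
        self.owner = None
        self.status = "new"

    def close(self, analyst: str, resolution: str) -> None:
        if not resolution.strip():
            raise ValueError("a resolution summary is required to close a case")
        if self.owner != analyst:
            raise PermissionError("only the current owner can close the case")
        self.status = "closed"
        self.resolution = resolution
        self._log(analyst, "closed", resolution)

    def available_actions(self, active_licenses: Set[str]) -> Tuple[List[str], List[str]]:
        """Split the catalogue into actions that render enabled and those shown locked."""
        enabled = [a for a, lic in RESPONSE_ACTIONS.items()
                   if lic is None or lic in active_licenses]
        locked = [a for a in RESPONSE_ACTIONS if a not in enabled]
        return enabled, locked

    def run_response_action(self, analyst: str, action: str,
                            active_licenses: Set[str], target: str) -> str:
        """Enforce the licence check server-side, then record the action on the timeline."""
        needed = RESPONSE_ACTIONS[action]
        if needed is not None and needed not in active_licenses:
            raise LicenseRequired(f"{action} requires the {needed} licence")
        # The real product dispatches to the endpoint or perimeter; here we only record it.
        self._log(analyst, "response_action", f"{action} on {target}")
        return f"{action}:{target}"


if __name__ == "__main__":
    case = Case("ALRT-0001")
    case.take_ownership("alice")
    print(case.available_actions({"NDR"}))
    print(case.run_response_action("alice", "isolate_host", {"NDR"}, "host-01"))
    for entry in case.timeline:
        print(entry.when.isoformat(), entry.actor, entry.event, entry.detail)
```

The licence check lives in `run_response_action`, not only in `available_actions`: the lock icon is a UI hint, and the server-side check is what actually stops an unlicensed action from being dispatched.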
### Timeline & Related Alerts
- Timeline: Activity log showing all actions taken on the alert/incident (assignments, status changes, comments)
- Related Alerts: Similar alerts correlated by rule, source, or MITRE technique
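Correlating related alerts by shared rule, source, or MITRE technique is a simple indexed lookup. The example below is added here and is not the product's correlation logic: the alert field names (`rule`, `source`, `technique`) and the sample alerts are constructed for the example. It indexes alerts once per key, then returns every other alert sharing at least one attribute with the selected one, ranked by how many attributes they share.

```python
"""Related-alert correlation by rule, source and ATT&CK technique (added example)."""
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample alerts; the field names are assumptions for this example.
SAMPLE_ALERTS = [
    {"id": "A1", "rule": "suspicious_powershell", "source": "host-01", "technique": "T1059.001"},
    {"id": "A2", "rule": "suspicious_powershell", "source": "host-07", "technique": "T1059.001"},
    {"id": "A3", "rule": "lateral_movement_smb", "source": "host-01", "technique": "T1021.002"},
    {"id": "A4", "rule": "dns_tunneling", "source": "host-22", "technique": "T1071.004"},
    {"id": "A5", "rule": "encoded_command", "source": "host-13", "technique": "T1059.001"},
]

# The attributes the workbench correlates on, in the order reasons are reported.
CORRELATION_KEYS = ("rule", "source", "technique")


def build_index(alerts: List[dict]) -> Dict[str, Dict[str, set]]:
    """Index alert ids under each correlation key value, e.g. index["rule"]["dns_tunneling"]."""
    index = {k: defaultdict(set) for k in CORRELATION_KEYS}
    for alert in alerts:
        for key in CORRELATION_KEYS:
            index[key][alert[key]].add(alert["id"])
    return index


def related_alerts(alert_id: str, alerts: List[dict],
                   index: Optional[Dict[str, Dict[str, set]]] = None) -> Dict[str, List[str]]:
    """Return {related_id: [shared attributes]} for alerts related to alert_id.

    Results are ordered strongest first (most shared attributes), then by id so
    the ordering is stable for a given input.
    """
    if index is None:
        index = build_index(alerts)
    target = next(a for a in alerts if a["id"] == alert_id)
    reasons: Dict[str, List[str]] = defaultdict(list)
    for key in CORRELATION_KEYS:
        for other_id in index[key][target[key]]:
            if other_id != alert_id:
                reasons[other_id].append(key)
    return dict(sorted(reasons.items(), key=lambda kv: (-len(kv[1]), kv[0])))


if __name__ == "__main__":
    for related_id, why in related_alerts("A1", SAMPLE_ALERTS).items():
        print(related_id, "shares", ", ".join(why))
```

Building the index once and reusing it across lookups keeps each related-alerts query linear in the number of matches rather than in the total alert count, which matters when the workbench is opened against a large backlog.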
## Access Requirements
The Analyst Workbench requires the Respond (MDR) tier or above.