Investigation Workbench
A premium SOC analyst workspace for alert triage, evidence review, IOC context, investigation notes, case escalation, and human approval handoff.
A premium SOC analyst workspace for alert triage, evidence review, IOC context, investigation notes, case escalation, and human approval handoff.
Identity alert from admin account. Multiple failed logins followed by MFA setting change.
Cloud finding shows port 22 open to 0.0.0.0/0 on production-tagged resource.
Mobile fraud signal contains OTP request, APK link, suspicious domain, and urgency language.
Click Load Investigation to start analyst workflow.
| Evidence | Source | Risk | Meaning |
|---|---|---|---|
| admin_login_failure | Identity logs | High | Repeated failures before admin setting change. |
| mfa_disabled | IAM event | Critical | Privileged control weakened. |
| suspicious_ip | Threat Intel | High | IP reputation linked with scanning activity. |
| new_country_login | Geo context | Medium | Unusual location for admin account. |
Review severity, confidence, affected asset, identity context, and alert source.
Use threat intelligence, cloud context, fraud signals, and evidence correlation.
Promote validated alerts into incident cases with timeline and evidence.
Risky response actions require owner/admin approval before safe simulation.
Detection agent created critical identity alert.
Suspicious IP reputation added to evidence board.
Analyst should promote this alert to incident case and request containment approval.
Collect identity logs, MFA change event, IP context, and session metadata.
Confirm whether the admin activity was legitimate or suspicious.
Disabling user or revoking session must go through human approval workflow.