Hunting in Workbench
Responsibilities:
Research & interviews; process flow diagramming; mockups; usability testing; presenting to internal teams for feedback; working with developers on final styles; presenting the project to the company; etc.
Timeline:
3 weeks initial research
9 weeks design/iteration
Other Contributors:
Joel Shindeldecker (Product Manager); Daren McCulley (Engineering Manager)
Hunting in Workbench was a HUGE project to tackle! Expel offers a threat hunting service in which analysts (whom we call “hunters” internally) comb through a customer’s data for anything that automated detection tools may have missed. Hunters provide finding reports that surface notable, suspicious, and malicious behavior, along with any other details or recommendations they think the customer should be aware of. Before this project, the service existed, but the hunters used a third-party tool for much of their workflow; it was limited in capabilities and created a data silo that restricted what we could display to a customer in Workbench. The goal of this project was twofold: first, to completely eliminate the need for that third-party tool, and second, to improve the service by adding capabilities that would previously have been impossible.
I had not worked on Expel’s hunting service before, so I started this project by observing how the hunters deliver their analyses. I created a process flow diagram to reference moving forward. We then broke the project down into discrete chunks so that I could create mocks, iterate on them, and hand them off to engineering; they could code that section while I started on the next one (and I stayed on deck to answer questions as they worked).
The first section that I worked on was Hunt Rules, a system for the hunters to automatically classify leads and speed up investigation. Previously, they were only able to automatically mark leads as benign, but after this project, they were able to add rules for potentially notable, suspicious, and malicious leads, as well. I utilized an existing Workbench pattern for a similar feature - suppressions, which our MDR analysts use - for consistency across the product and also ease of job transition, since our hunters often start their Expel careers as MDR analysts.
Next, I tackled the meatiest part of the project - the findings report. This involved a new way for our hunters to input their findings for the customer, as well as a refreshed look and feel for the page itself. Previously, the page was almost entirely text that the hunters formatted using markdown. It was difficult for customers to see at a glance what was actually found in the hunt, so I prioritized making that question easier to answer by adding count cards at the top to surface how many findings fell into each of the three categories the hunters use. Each finding also got its own card that visually stood out, had a section for notes from the hunters as well as a data table section, and could be downloaded as a CSV. Another huge win was the ability to add multiple rows of data to a single finding - with the third-party tool, each row counted as its own finding, which could skew the data that the customer saw. Often, a hunter finds a pattern of behavior by a potential attacker that is the culmination of multiple events, rather than one individual event.
We showed the mocks for the findings report to one customer who said “I really like this a lot - it draws your attention to the right places at the right time.”
The last big chunk of the project was another mostly internal piece - the leads file investigative action. I know that may sound like words that don’t make sense in that order, but the short version is that this was where our hunters download a CSV of the leads for that hunt and start their analysis. The previous version had repetition that no one understood, an outcome comment section that was never used, and a “reason” section that added no value. The updated version removes the excess, adds new download capabilities that are more targeted to the hunter’s investigation, and provides a preview of the number of leads that were automatically categorized by the hunt rules mentioned above.
This project was released in June of 2024, and the hunters have been using the new process since then. Customers have been seeing the newly formatted findings report since shortly after that. We have received positive feedback on the new workflow saving time, as well as the new report format being preferred by customers.
Feedback
On the feature:
“Big fan of the new template. Lot easier to read and quicker to the important information with the extra contextual info available in other areas.” - Expel’s biggest Threat Hunting customer
“Download CSV option was fantastic…they were able to grab the data and produce a quick write-up to email to the rest of their team…and close it out with great efficiency” - Expel Engagement Manager relaying feedback from a customer
“The updated hunt findings workflow saves us time and effort while providing customers with a clearer, more visually structured summary of our findings, highlighting the important details and key events for their review.” - Expel Threat Hunter
On my work:
After demoing the project to the whole company:
“That was excellent, here's why:
Super clear description of problem
Highlighting the what and why, and tying it back to the problem
Very clear verbals - accessible language, explanations where necessary to bring everyone along
Palpable excitement in your voice, makes it highly compelling. You weren't reading slides, you told a story.
Well done.”
- Expel CEO