Ruxie Library
Years of SOC work.
Built into Ruxie.
Each capability targets a specific friction point between detecting a threat and acting on it. Built from years of watching where analysts lose time.
Context
AI alert analysis
Generates a full alert context summary from actual event data, giving analysts the picture they need to act in seconds rather than minutes.
Context
AI user context summaries
Generates plain-language user context summaries - role, recent activity, risk indicators - attached to every identity-related alert at triage time.
Triage
AI-generated alert summaries
Produces a concise, plain-language summary for every incoming alert so analysts can assess severity and priority at a glance.
Reporting
AI-generated close comments
Produces a plain-language explanation of what happened and why on every alert resolution, automatically generated, no analyst time required, every time.
Reporting
AI-generated detection rule descriptions
Translates complex detection rule code into plain-English descriptions for every rule in Workbench, revealing the specific sub-detections inside logical containers so customers understand exactly what behavior each rule monitors.
Context
AI-generated related alert context
Surfaces related alerts from across the environment with AI-generated context so analysts see the full picture without manual correlation work.
Reporting
AI-powered incident narratives
Synthesizes alert details and key findings into a plain-English attack narrative covering what happened, how it was handled, and what changed, for every closed incident.
Context
Alert similarity
Flags incoming alerts that match cases your analysts have already resolved, surfacing the prior outcome before they open the queue so repeat decisions take seconds.
Context
Asset & identity contextualization
Maps alerts to known assets and identities, surfacing ownership, role, and risk context so analysts have the full picture before making a triage decision.
Triage
Auto-close based on long-term memory
Auto-closes high-confidence benign alerts matched against historical analyst decisions; routes lower-confidence cases to analysts with a close recommendation and supporting evidence.
Collaboration
Automated customer verifications
Generates context-aware prompts asking users to confirm suspicious activity, auto-closing alerts if authorized or escalating if denied, so verification loops close without analyst-driven back-and-forth.
Investigation
Automated event timelining
Automatically constructs event timelines from endpoint, identity, and cloud telemetry - eliminating manual log correlation and giving analysts a sequenced view of attacker activity.
Collaboration
Bi-directional chat
Syncs Expel Workbench investigations directly with Slack and Microsoft Teams so customers collaborate with their Expel team in context, without switching platforms.
Response
Block bad hash
Adds confirmed malicious file hashes to block lists across endpoint controls to prevent re-execution across the environment.
Investigation
Blocked malware investigation agent
Automatically investigates blocked malware alerts and delivers a ready-made recommendation with supporting evidence directly in Workbench, so analysts make the call instead of running down the data.
Reporting
Centralized evidence archive
Maintains a complete, auditable history of all chat threads, alert data, and automated Ruxie actions in one centralized incident record for audit, compliance, and future reference.
Triage
Cloud identity & authentication analysis
Analyzes cloud identity and authentication signals to distinguish legitimate access patterns from credential-based attacks.
Detection
Cloud perimeter monitoring
Monitors cloud perimeter activity for anomalous access patterns, configuration changes, and credential-based threats across cloud environments.
Enrichment
Cloud telemetry analysis
Analyzes cloud provider telemetry to enrich alerts with identity, resource, and configuration context specific to cloud-based threats.
Response
Contain host
Isolates compromised hosts from the network to stop lateral movement and limit breach scope the moment a confirmed threat is identified.
Investigation
CrowdStrike identity protection investigation agent
Automatically gathers source-process context, identity and role data, LDAP detail, and host timelines for CrowdStrike IDP alerts; produces a close/verify/escalate recommendation with full rationale and counter-evidence before the analyst opens the alert.
Response
Delete malicious file
Removes confirmed malicious files from endpoints as part of automated remediation, preventing re-execution and persistence.
Response
Delete registry key
Removes malicious registry keys identified during investigation as part of automated endpoint remediation.
Detection
Detection gap analysis agent
Evaluates newly seen vendor alerts against current Expel detection strategies and rules to identify gaps in coverage.
Detection
Detection rule generation agent
Generates detection alerts from vendor telemetry using agentic analysis, expanding coverage beyond static detection rules to surface threats that rule-based systems miss.
Response
Disable access key
Revokes compromised API and access keys to cut off attacker persistence in cloud environments immediately after confirmation.
Response
Disable user account
Automatically disables compromised user accounts in response to confirmed identity-based threats, cutting off attacker access without waiting for manual action.
Context
Dynamic context creation
Builds dynamic alert context from live telemetry and event data, giving analysts a complete, investigation-ready picture at first glance.
Context
Email risk & forensics context
Extracts email headers, links, and forensic indicators to build pre-enriched context for phishing and email-based alert types before triage begins.
Enrichment
Endpoint & EDR telemetry automation
Automatically retrieves endpoint and EDR telemetry to build pre-correlated context for host-based alerts, eliminating manual tool pivots.
Context
Enhanced customer context
Puts context management directly in your hands and connects IAM user group data to Expel, so triage decisions reflect your environment accurately without requiring Expel intervention to keep it current.
Triage
Enterprise-wide email scoping
Scopes phishing and email threats across the full enterprise to identify campaign reach and all affected users before escalation decisions are made.
Context
Historical activity baselines
Compares incoming alert activity against historical behavioral baselines to surface anomalies and relevant prior detections as part of alert context.
Investigation
Identity investigation agent
Automatically consolidates evidence, applies structured reasoning, and delivers a full disposition recommendation on identity-based alerts before your analyst opens the queue.
Triage
Identity triage agent
An agentic workflow that applies structured AI reasoning (OSCAR methodology) to identity alerts, returning a disposition verdict - Known Good, Known Bad, or Needs More Info - with full evidence.
Investigation
Key findings generation
Synthesizes investigation evidence into plain-language key findings, giving analysts a summary-first view of what happened, what the attacker did, and why it matters.
Response
Kill process
Terminates malicious or suspicious processes on endpoints as part of active threat response during confirmed incidents.
Context
Long-term memory (semantic cache)
Captures and indexes every analyst triage decision, creating a persistent knowledge base that gets more accurate as more alerts are resolved.
Phishing
Marketing email triage for phishing
Classifies submitted emails as legitimate marketing versus phishing attempts, reducing false-positive volume in the phishing queue.
Triage
ML identity alert classification
Applies machine learning classification to identity alerts to separate known-benign patterns from potential threats before analyst review.
Enrichment
Network & web traffic analysis
Pulls network and web traffic data into alert context to surface lateral movement indicators and suspicious communications before investigation begins.
Detection
Network behavior pattern analysis
Analyzes network behavior patterns across the environment to identify lateral movement indicators and command-and-control communications.
Investigation
On-demand deep investigations
Runs structured, multi-source investigations on demand for complex or high-priority alerts, applying AI reasoning across endpoint, identity, and cloud evidence simultaneously.
Phishing
Phishing & URL analysis
Detonates URLs and analyzes phishing infrastructure to extract indicators, classify threat type, and surface investigation-ready findings before the analyst opens the case.
Phishing
Phishing campaign clustering
Groups related phishing emails into campaigns so your analysts review one alert per attack wave, with subsequent matching emails resolving automatically based on that decision.
Phishing
Phishing email encoder
Runs an ML classifier on every phishing email at ingestion and delivers a high-confidence benign or malicious score before your analyst starts their review.
Phishing
Phishing HTML clustering model
Groups submitted phishing emails by HTML structure and observable attributes to detect campaign patterns, enabling campaign-level disposition rather than alert-by-alert triage.
Reporting
Real-time automation visibility
Displays the live status and progress of all automated investigation and remediation steps directly within Expel Workbench so customers see exactly what Ruxie is doing as it happens.
Collaboration
Real-time multi-channel escalation
Escalates confirmed threats through multiple channels simultaneously - Workbench, email, Slack, and phone - so critical alerts reach the right people immediately, every time.
Response
Remove malicious email
Pulls confirmed phishing and malicious emails from user inboxes across the enterprise to limit exposure after initial delivery.
Response
Reset credentials
Forces credential reset for compromised accounts to eliminate attacker access while preserving user continuity.
Triage
SaaS alert triage
Applies AI-driven triage logic to SaaS platform alerts, reducing manual review time across cloud productivity environments.
Enrichment
SIEM telemetry aggregation
Aggregates telemetry from SIEM sources to surface relevant signal patterns across the environment and reduce time-to-context for analysts.
Enrichment
Third-party alert enrichment
Automatically pulls enrichment data from third-party threat intelligence and security tools to add context to incoming alerts before they reach the analyst queue.
Detection
Threat view
Correlates signals across endpoint, cloud, and network into a unified attack picture, reducing time to understand scope and confirm a real threat.
Response
Undo alert-driven auto containment
Reverses containment actions when investigation confirms a false positive, restoring normal operation without requiring manual intervention.