Elevate is triggered directly from a Broad Context Detection in Elements Security Center. You escalate the specific detection you want WithSecure’s threat hunters to investigate — not your environment as a whole.

Find the detection to escalate

1. Log in to Elements Security Center ↗ and go to Detection and Response > Detections in the sidebar.
2. Select the Broad Context Detection you want to escalate. Look for detections you are uncertain about — where the risk is unclear or the consequences of acting (or not acting) incorrectly are significant.
3. On the detection detail page, select Elevate to WithSecure.

Add context before submitting

When submitting, provide as much context as you can. This directly speeds up the analyst’s response:

• Describe why this detection caught your attention
• Note anything specific you want the analyst to validate
• Mention any relevant background about the device or user involved

How tokens are consumed

• If the detection is less than 7 days old, a Validation Token is used. The analyst begins with a Threat Validation.
• If the detection is 7 days old or older, an Investigation Token is used directly, as deeper analysis is needed to reconstruct the event.

Once your request is submitted, a WithSecure analyst begins the Threat Validation phase. This is a collaborative process — your responses to analyst questions are an important part of reaching a fast, accurate result.

Threat Validation

The analyst reviews the detection using up to 7 days of telemetry from your environment alongside WithSecure’s global threat intelligence. A dialogue takes place via the Elevate case in Elements Security Center — monitor the case and respond promptly to any questions.

The detection will be categorized as one of the following:

• Genuine threat — A confirmed attack. The analyst explains findings and provides immediate response guidance.
• Suspicious — act upon — Suspicious activity that warrants action. The analyst recommends next steps.
• Suspicious — acceptable risk — Suspicious but consistent with known risky behaviour in your environment.
• False positive — The detection is a result of benign activity triggering a rule incorrectly.

Requesting a Threat Investigation (optional)

If the Threat Validation confirms a genuine threat or leaves significant questions unanswered, you can request a Threat Investigation. This uses an Investigation Token and involves deeper analysis: examining telemetry anomalies, process behaviour, and cross-referencing against global threat intelligence to build a full timeline and suggest containment actions.

Results from both phases appear immediately in Elements Security Center once complete.