TL;DR
- This is a monthly recap of everything our product team shipped in the last 30 days
- Questions? Reach out to your Expel contact, or if you don’t have one, connect with us here
- This month we’re featuring four updates and two new integrations: two new threat hunts added to the catalog, AI-powered DUET and verify summaries in beta, SentinelOne and Zendesk status syncing now available, and direct integrations for Cloudflare Zero Trust (via webhook) and Cisco ASA (via syslog)
Live this month
New threat hunts
What it is: We’ve added two new hypothesis-based hunts to the Expel Threat Hunting catalog this month, spanning SaaS and endpoint coverage. On the SaaS side: suspicious Microsoft Intune device management scope grants. For endpoint and on-prem environments: suspicious Rundll32.exe execution.
Why it matters: Threat hunting is a proactive service—you’re not waiting for an alert to fire. Each new hunt is a hypothesis about how an attacker might be moving through an environment in ways that no detection rule has yet caught. Adding these to the catalog means our threat hunters can proactively test for this activity across your environment, not just react to it.
Ruxie power-up: DUET + verify summaries (beta)
What it is: We’re upgrading DUET notifications and automated verify actions with an LLM-powered summarization engine. Instead of static, one-size-fits-all notification templates, the system now dynamically analyzes each alert’s actual event data and writes a unique summary. It also includes a confidence note that flags any critical fields that couldn’t be found in the log data, so you know upfront if something relevant might be missing.
Why it matters: DUET only works if the notification you receive gives you enough to make a call without pivoting somewhere else. The old templates gave you a data dump. This gives you the story, the evidence, and the gaps.
SentinelOne status syncing
What it is: Customers running SentinelOne Singularity Endpoint can now sync alert statuses and analyst comments from Expel Workbench™ back to SentinelOne in real time. As our SOC triages and investigates alerts in Workbench, those status changes and comments flow automatically into the corresponding SentinelOne alerts.
Why it matters: If you’re working out of SentinelOne and Expel is working out of Workbench, you’ve been maintaining two separate views of the same investigation—and manually bridging the gap. Status syncing closes that. You don’t need to reconcile what our analysts did with what SentinelOne is showing; the context travels with the alert.
Zendesk syncing for Slack & Teams
What it is: Customers can now create, comment on, and attach files to Zendesk support tickets directly from their Slack or Teams channels by interacting with @Ruxie, eliminating the need to log into Zendesk separately. Comments are synced bidirectionally, so replies in Slack/Teams post to the Zendesk ticket and responses added in Zendesk are reflected back in the channel thread. (Note: ticket visibility follows existing Zendesk org permissions, and resolving tickets from Slack/Teams is planned as a future enhancement.)
Why it matters: There’s no need to make creating tickets any harder than it needs to be. You no longer need to work out of Zendesk and then share updates with your team via Slack or Teams—you can just do it all from one place, and see comments in the same place.
New integrations
Expel now supports Cloudflare Zero Trust
Expel now supports Cloudflare Zero Trust Network Access (ZTNA), Cloudflare’s network security solution that replaces traditional VPNs with secure, context-aware access to internal and SaaS applications. Log ingestion is via webhook; investigative actions run via API.
Zero trust architectures generate continuous streams of access and authentication signals—who’s connecting, from where, to what application, under what context. Pulling that data into Workbench lets our analysts correlate those access events against suspicious activity across the rest of your environment. An unusual access pattern in Cloudflare Zero Trust that lines up with something else firing on identity or endpoint is exactly the kind of cross-signal connection that matters for faster response.
Cisco ASA via syslog
We’ve added a direct syslog integration for Cisco ASA—Cisco’s firewall, VPN concentrator, and intrusion prevention system for monitoring and controlling traffic at the network perimeter. Expel already supported Cisco ASA via SIEM, but this direct-ingest path removes that dependency for customers who want a simpler setup.
Network perimeter telemetry gives our analysts visibility into what’s entering and leaving the environment—traffic patterns, connection attempts, policy violations—that complements what endpoint and identity tools surface. Direct integration means fresher data and fewer hops between signal and investigation.
