What we built: May 2026

By Scout Scholes

May 29, 2026  •  2 minute read




TL;DR

  • This is a monthly recap of everything our product team shipped in the last 30 days
  • Questions? Reach out to your Expel contact, or if you don’t have one, connect with us here
  • This month we’re featuring three updates: three new threat hunts added to the catalog, a new alert grid view in Expel Workbench, and a new blocked malware triage agent powered by Ruxie


Live this month

New threat hunts 

What it is: We’ve added three new hypothesis-based hunts to the Expel Threat Hunting catalog this month, spanning SaaS, endpoint, and identity coverage. For endpoint environments: suspicious Msiexec.exe activity, which looks at time-based aggregations of commands and network activity to identify attackers leveraging the binary for proxy execution, process injection, privilege escalation, persistence, and more. On the identity and SaaS side: Office 365 self-service app anomalies, which profiles Entra ID sign-in events by source ASN against your organizational baseline to surface unusual authentication patterns; and Microsoft SharePoint exfiltration activity, which breaks SharePoint activity down per user, per session, and per hour to flag anomalies in how users are accessing and interacting with files.
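To make the hunt logic concrete, here is an added example (not Expel's hunt implementation, and not code from the page) that runs two of the described hypotheses over constructed sample events: the identity hunt profiles each user's sign-in source ASNs against a baseline period and flags window sign-ins from an ASN the user has never used and the organization has rarely seen, and the SharePoint hunt buckets file operations per user and hour and flags an hour that is far above that user's other hours. The event field names (`user`, `asn`, `ts`, `op`) and the thresholds are assumptions chosen for the example; real Entra ID and SharePoint audit schemas differ.

```python
"""Added example: ASN-baseline sign-in hunt and per-user/hour SharePoint hunt.
Sample events are constructed; field names and thresholds are assumptions."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# --- Constructed Entra ID sign-in events (baseline period and hunt window) ---
BASELINE_SIGNINS = (
    [{"user": "alice", "asn": 7922, "ts": f"2026-04-{d:02d}T09:00:00"} for d in range(1, 21)]
    + [{"user": "alice", "asn": 15169, "ts": f"2026-04-{d:02d}T19:00:00"} for d in (5, 12)]
    + [{"user": "bob", "asn": 7922, "ts": f"2026-04-{d:02d}T08:30:00"} for d in range(1, 21)]
)
HUNT_SIGNINS = [
    {"user": "alice", "asn": 7922, "ts": "2026-05-03T09:01:00"},   # usual ASN
    {"user": "bob", "asn": 15169, "ts": "2026-05-03T09:05:00"},    # new for bob, known to org
    {"user": "alice", "asn": 4134, "ts": "2026-05-03T02:14:00"},   # new for user and org
    {"user": "carol", "asn": 4134, "ts": "2026-05-03T02:20:00"},   # user has no baseline at all
]


def asn_baseline(events):
    """Per-user Counter of source ASNs seen during the baseline period."""
    per_user = defaultdict(Counter)
    for e in events:
        per_user[e["user"]][e["asn"]] += 1
    return per_user


def asn_anomalies(baseline_events, window_events, min_org_sightings=2):
    """Return (user, asn, ts) for window sign-ins where the user has never used
    the ASN and the whole org saw it fewer than min_org_sightings times.
    The org-level check keeps a new-but-common ASN (e.g. a corporate VPN exit)
    from flagging every user the first time they use it."""
    per_user = asn_baseline(baseline_events)
    org = Counter()
    for counts in per_user.values():
        org.update(counts)
    hits = []
    for e in window_events:
        user_seen = per_user.get(e["user"], Counter())[e["asn"]]
        if user_seen == 0 and org[e["asn"]] < min_org_sightings:
            hits.append((e["user"], e["asn"], e["ts"]))
    return hits


# --- Constructed SharePoint audit events: file operations per user ---
def _ops(user, hour, n):
    """n constructed file operations for one user in one clock hour."""
    return [{"user": user, "op": "FileDownloaded", "ts": f"{hour}:{i % 60:02d}:00"}
            for i in range(n)]


SHAREPOINT_EVENTS = []
for day, hour, count in [(1, 10, 3), (1, 11, 2), (1, 12, 4), (1, 13, 3), (2, 10, 2),
                         (2, 11, 3), (2, 12, 4), (2, 13, 2), (2, 14, 3), (2, 15, 3)]:
    SHAREPOINT_EVENTS += _ops("alice", f"2026-05-{day:02d}T{hour:02d}", count)
SHAREPOINT_EVENTS += _ops("alice", "2026-05-03T02", 120)   # 02:00 bulk download
for day in (1, 2, 3):
    SHAREPOINT_EVENTS += _ops("bob", f"2026-05-{day:02d}T10", 5)


def sharepoint_hourly_anomalies(events, k=3.0, min_ops=20):
    """Bucket operations per (user, hour). Flag a bucket when its count exceeds
    the mean + k*stdev of the SAME user's other hours (leave-one-out, so the
    spike does not inflate its own baseline) and is at least min_ops, which
    stops 5-vs-3 noise from firing. Returns (user, hour, count)."""
    buckets = Counter((e["user"], e["ts"][:13]) for e in events)
    per_user = defaultdict(list)
    for (user, hour), n in buckets.items():
        per_user[user].append((hour, n))
    hits = []
    for user, rows in per_user.items():
        if len(rows) < 3:
            continue  # not enough history to form a per-user baseline
        for i, (hour, n) in enumerate(rows):
            others = [c for j, (_, c) in enumerate(rows) if j != i]
            threshold = mean(others) + k * pstdev(others)
            if n >= min_ops and n > threshold:
                hits.append((user, hour, n))
    return hits


if __name__ == "__main__":
    print("ASN anomalies:", asn_anomalies(BASELINE_SIGNINS, HUNT_SIGNINS))
    print("SharePoint anomalies:", sharepoint_hourly_anomalies(SHAREPOINT_EVENTS))
```

Both functions deliberately build the baseline from the organization's own history rather than a fixed allow-list, which is the point of a hypothesis hunt: the question is "what is unusual for this tenant," not "what matches a known indicator." Session-level bucketing, which the SharePoint hunt also does, is the same aggregation keyed on a session identifier instead of the clock hour.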

Why it matters: Threat hunting is a proactive service—you’re not waiting for an alert to fire. Each new hunt is a hypothesis about how an attacker might be moving through an environment in a way that existing detection rules haven’t caught yet. Adding these to the catalog means our threat hunters can test for that activity across your environment on a schedule, instead of only reacting once something trips a rule.

New alert grid view

What it is: The new grid view in Expel Workbench™ is an enhanced alert triage experience designed to help analysts connect the dots across their toolset. You can group alerts from different sources—endpoint, cloud, network—by common indicators to quickly build the full picture of an attack. Views are shareable with other users and saveable to your account, so you can reference different triage configurations or pull up historical alerts without starting from scratch. Phishing submissions are now triageable directly in the grid view, and the view comes with additional columns, sort options, and filters to shape the data how you need it.

Why it matters: Alert triage has always suffered from a fragmentation problem. The endpoint tool sees one thing, the cloud tool sees another, and the analyst has to manually stitch them together to understand whether they’re looking at isolated noise or a coordinated attack. The grid view closes that gap. By grouping alerts from across your environment by common indicators, you get the full attack picture in one place instead of having to build it by hand across multiple consoles.

Blocked malware triage agent

What it is: The blocked malware triage agent is a new Ruxie agent, accessible in Workbench via an investigative action. It’s a human-in-the-loop agent that automates the roughly five-minute manual triage workflow analysts run for blocked malware alerts. When triggered, the agent enriches the file using VirusTotal, VMRay sandbox analysis, prior Workbench history, and process and host data from Microsoft Defender. It then runs that data through a deterministic seven-rule decision engine and surfaces an approve or escalate recommendation directly to the analyst.
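The security-relevant property of a deterministic rule engine is that the same enrichment always yields the same recommendation, with the rules that fired attached so the analyst can audit the reasoning before approving. The following is an added example of that pattern, not Expel's agent or its actual rules: the enrichment record, the seven illustrative escalation rules, and the thresholds are all hypothetical and constructed for this example. Every rule is evaluated (no short-circuit) so the reasons list is complete.

```python
"""Added example: deterministic approve/escalate engine for blocked-malware alerts.
Enrichment fields, rules and thresholds are hypothetical, not Expel's."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Enrichment:
    """Hypothetical merged record from the enrichment step (AV aggregator,
    sandbox, EDR process/host data, prior case history)."""
    sha256: str
    edr_action: str          # e.g. "quarantined", "blocked", "detected_only"
    av_malicious: int        # engines that flagged the file
    av_total: int            # engines that scanned it
    sandbox_verdict: str     # "malicious", "suspicious", "clean", "unavailable"
    sandbox_network: bool    # sandbox observed outbound C2-style traffic
    child_processes: int     # processes the file spawned before it was stopped
    parent_process: str      # process that launched the file on the host
    hosts_with_hash_7d: int  # other hosts where the same hash was seen
    open_investigation: bool # host already has an open investigation


@dataclass
class Verdict:
    recommendation: str                  # "approve" or "escalate"
    reasons: list = field(default_factory=list)  # (rule_name, message) that fired


# Parents that should not normally be dropping and running new binaries (assumed list).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",
                      "powershell.exe", "wscript.exe", "mshta.exe"}

# Each rule: (name, predicate that is True when the alert needs a human look, message).
ESCALATION_RULES = [
    ("not_contained",
     lambda e: e.edr_action not in ("quarantined", "blocked"),
     "EDR did not report the file as blocked or quarantined"),
    ("executed_before_block",
     lambda e: e.child_processes > 0,
     "file spawned child processes before it was stopped"),
    ("sandbox_c2",
     lambda e: e.sandbox_network,
     "sandbox observed outbound network activity"),
    ("weak_consensus",
     lambda e: e.av_total > 0 and e.av_malicious / e.av_total < 0.2
               and e.sandbox_verdict == "clean",
     "few engines agree and sandbox is clean; possible false positive"),
    ("lateral_spread",
     lambda e: e.hosts_with_hash_7d >= 3,
     "same hash seen on multiple hosts in the last 7 days"),
    ("existing_case",
     lambda e: e.open_investigation,
     "host already has an open investigation"),
    ("unusual_parent",
     lambda e: e.parent_process.lower() in SUSPICIOUS_PARENTS,
     "launched from an office/scripting parent process"),
]


def triage(e: Enrichment) -> Verdict:
    """Evaluate every rule; escalate if any fired, otherwise recommend approve.
    Pure function of the enrichment record: no model call, no state, so the
    output is reproducible and the reasons are the full explanation."""
    fired = [(name, msg) for name, pred, msg in ESCALATION_RULES if pred(e)]
    return Verdict("escalate" if fired else "approve", fired)


# Constructed sample alerts.
ROUTINE = Enrichment("a" * 64, "quarantined", 48, 72, "malicious", False, 0,
                     "chrome.exe", 0, False)
WORRYING = Enrichment("b" * 64, "quarantined", 55, 70, "malicious", True, 2,
                      "WINWORD.EXE", 1, False)

if __name__ == "__main__":
    for alert in (ROUTINE, WORRYING):
        v = triage(alert)
        print(alert.sha256[:8], v.recommendation, [name for name, _ in v.reasons])
```

The human stays in the loop because the engine only recommends: the analyst sees the recommendation next to the rules that produced it and makes the call. Keeping the rules as data rather than branching code also makes a rule change a reviewable one-line diff, which matters once the engine's output is feeding a queue of approvals.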

Why it matters: Blocked malware alerts are frequent and repetitive—and the manual triage workflow, while important, follows a consistent enough pattern that it’s a good candidate for automation. This agent doesn’t remove the analyst from the loop; it does the legwork of enrichment and evaluation so the analyst can focus on the decision itself. Five minutes per alert adds up fast across a full queue. Getting that time back—without sacrificing the quality of the triage—is the point.