And the winner goes to…

The 61st GRAMMY Awards are in the books, but we’ve got some great hits to hear. In the notifications category, we’d like to introduce email notification for when an investigation is closed. Find out all the details related to when it closed, why it closed and who closed it. Read on to hear about the runner-ups like data export for investigation.


In the newest edition of our notification’s saga, we’d like to introduce the “Investigation Closed” email notification. If you sign up for this notification, we’ll let you know when an investigation closes, why it was closed, the initial lead of the investigation, and who closed the investigation. Update your notification preferences from your My Profile page to start receiving this notification.

New data export alert! Workbench now offers a CSV download of investigations. Navigate to the Activity page and click the download icon. You’ll be prompted to select a preset or a custom date range. Once downloaded, the CSV will display investigation information including the initial lead, the lead investigator, when the investigation was created, and other juicy details!

The Add Security Device modal has received a lot of love recently. We’ve made it even easier to add new security devices. The modal displays all devices currently supported and distinguishes between which devices are enabled based on your Expel service. If you don’t see your vendor technology listed or if you’re interested in adding a disabled device reach out to your engagement manager.

Other Enhancements

  • We made more updates to the My Organization page. We’ve renamed the “Nodes” field to “Endpoints,” and we’ve added a “Users” field.
  • The Expel Alert data export on the Alerts page now features two new columns. The columns display the number of investigative actions and remediation actions on an alert.
  • Alerts added to closed investigations will now adopt the assignee of the investigation rather than maintaining the alert assignee.
  • The “Security Devices” grid now displays how long a device has been unhealthy.

Other fixes (and a few odds and ends)

  • The Security Devices grid displayed unwanted underscores in vendor names for a brief period of time, but that issue has been fixed.
  • Our database was quitting every once in a while. We did some active listening to figure out why and resolved the issue.
  • The grammar police made justice of some inconsistencies within our “Service level changed,” “Data ready for analysis,” “Analysis complete” and “Assembler health” email notifications.
  • We felt inspired by New York Fashion Week, so we fixed some style issues with our “View and Edit Security Device” modal.