Grab some popcorn – it’s movie time!


It may not have as much action and adventure as this year’s leading box-office movie, Black Panther, but our new Workbench tips and tricks videos take less than three minutes of your time. Next time you log into Workbench you’ll see a new alert view – the alerts grid. We’ve created two videos to help explain how to find an alert and the features and functionality of the new view.


1. Workbench tips and tricks: Alerts grid

2. Workbench tips and tricks: Alerts grid features and functionality

Search, sort, and filter alerts with the alerts grid

Expel Workbench alerts grid

If you want to find an alert, Workbench has a new alert view — the alerts grid. This view lets you see alerts in a table format and gives you much more control over sorting, filtering and searching. The alerts grid is useful if you’re trying to find out what Expel did with a particular alert, or if you want to close (or investigate) multiple alerts in bulk. Check out our Workbench tips and tricks videos to learn more.

Assembler supports Hyper-V

We now support running the Assembler on Hyper-V. To get the Hyper-V image, contact your Engagement Manager. Self-service from Workbench is coming soon – stay tuned!

New investigation capabilities

We’re constantly adding new detection and investigative capabilities to Workbench to speed up investigation and response times. This release has a bumper crop of new capabilities.

  • Query IP: We’ve added the capability to query for IP evidence from Okta and Cisco ASA. The Query IP investigative action lets you specify an IP and a time range to return any events relating to that IP over the provided UTC time period.
  • Query Netflow: If you have Cisco ASA, you can request netflow data with the Query Netflow investigative action. This capability lets you specify an IP and time range to return connection logs over the requested UTC time period. When netflow data are returned, you can view and analyze the data in the Data Viewer.
  • Query User: Okta users can request user information with the Query User investigative action. This capability lets you search for any IPs observed in Okta authentication logs within the requested UTC time period.

Other enhancements

  • Remediation actions are now automatically closed when the security incident is closed. This prevents open remediations from lingering in the system long after the incident has been resolved.
  • We’ve changed the default sort order on the Activity > Security Incidents and Activity > Investigations pages. Now they are sorted in the order they were created, with Critical Security Incidents always being sorted above regular severity Security Incidents.

Other fixes (and a few odds and ends)

  • We fixed an issue that prevented scrolling in some Data Viewer tables (scroll away!).
  • Fixed a few styling and spacing issues in the banner for closed investigations and in the investigation tile.
  • Fixed an issue in investigative actions where really long filenames were extending past the edge of the box (everything is neat and tidy now).
  • Fixed a problem where some investigative actions were not able to be created.
  • Improved the styling in the time range selector to make it more consistent with the rest of the UI.
  • We added in the closed and investigating information that was missing from some of the alert detail popups.
  • Fixed an issue that prevented the browser Back button from working on the Settings > Assemblers page.
  • Fixed an issue where the UI would upload a file to the wrong investigative action if there were two Upload File actions present.
  • Fixed a problem that caused Upload to CSV on the investigation timeline to fail.
  • We added closed information to the info icon on the investigation tile.
  • There was a confusing behavior in the investigative actions screen that caused the Add Investigative Action form to persist even after the action was created. Now, you might see a loading message after you click Add Action, if it’s going to take a few moments to create the action (we appreciate your patience!).
  • There was some inconsistency in the wording inside time range filters. We standardized the wording and time ranges in the time range filter. For example, you’ll now see Past 7 days instead of Past week (or, in some cases, Last week).
  • Fixed a problem in the Investigate and Response modals in the alert details that caused the form elements to load at different rates.
  • Fixed a problem that caused the CSV export of alerts to fail. Go forth and download!