I spy with my little eye… a big list of little enhancements

If things look a little different next time you login to the Workbench… but you can’t quite figure out why… that’s by design (heh!). We’re kicking off the new year with housekeeping. We’ve buttoned up (and straightened up) some of the lines and put things – like the reason investigations are closed – where you’d expect to find them (spoiler alert: on the investigation page).

If you’re a picture straightener you’ll find lots to enjoy starting with the list of Fixed items, which is a real page turner scroller this week!

Closed Reason… now in more places

You know how you can easily view the Closed Reason to the investigation title on the dashboard and activity page? Well, we decided to take it a step further and add the Closed Reason to the investigation page. Ta-da! Now you have all the details in one place.

When an analyst closes an investigation you’ll see why in the top-right corner of the banner on the investigation page. If the analyst provided additional details about why they closed the investigation, you’ll see a link that you can click to get the full explanation.

We also changed the button label in the banner from Reopen to Update Status. We thought that made more sense since this button also gives you access to edit the detailed reason text, in case you need to fix a typo or make a change.

Investigation closed reason


Filter by organization assignment

Tag, you’re it!  We’ve made it easier to filter the entire Activity > Actions board by who owns the action – your organization or Expel. When viewing actions assigned to your organization, you’ll see actions that are assigned both to an analyst (represented by a blue icon with initials) and those that aren’t (represented by a grey icon).

assigned to

Other enhancements

  • The analyst user role is more tightly locked down. Analysts have access to the Settings > Users page but they can’t create new users, alter other users’ profiles or preferences, delete or lock their own account or change their username (email).
  • We made improvements to the security of stored customer data.
  • We’ve made layout, spacing and contrast improvements to the banner UI on investigations and security incidents.
  • The What’s urgent? section of the Situation Report dashboard now only shows open security incidents, to truly reflect what’s urgent. You can still see all security incidents, including ones that have been closed. Just navigate over to the Activity page.
  • Updates to the Assemblers and backend infrastructure for operating system updates, including patches for Meltdown and Spectre vulnerabilities.


  • Standardized page margins across the whole app.
  • Fixed a missing configuration that prevented users from receiving SMS notifications from the Workbench status page.
  • Fixed a layout issue that caused a dropdown to appear beneath a table element instead of above it.
  • Fixed an issue with the maintenance page that caused images to not be displayed.
  • Fixed some wording issues in the notification emails for remediation actions.
  • Fixed a display issue in the investigation Initial Lead that caused the contents to display awkwardly at narrow browser widths.
  • Fixed a problem where URLs were not wrapping inside the info popup for an investigative action.
  • Fixed an issue in alert details where the Involved Hosts tab sometimes showed zero even when a source or destination IP was included in the alert.
  • Fixed an issue in alert details where the Investigate and Respond buttons were incorrectly active for closed alerts.
  • Fixed a display problem in the investigation tile where the Expel logo was not being shown when the initial lead was an Expel correlated alert.
  • Removed the Critical severity from Activity metrics because there are no rules generating alerts at that severity. High severity is bad enough for us, it turns out.
  • Fixed a display problem in the investigation tile that caused markdown to not be displayed when it was used in the Closed Reason. Because every now and then one of our analysts really needs to format the hell out of the closed reason text.