Just in time for the holidays — pie… charts!

Just in time for the holidays — pie… charts! The main dashboard now includes a set of Activity metrics along the top that summarize everything going on in the Workbench for the past month… or week or quarter. Popping open the drawer displays the (fancy new) pie charts, shutting the drawer saves space but keeps the metrics in sight. The sharp-eyed might notice that we also changed the name of this dashboard to Situation Report, which is much more sexy accurate.

Open the drawer — ta da! — and see your pie charts

expel activity metrics open drawer


Close the drawer and save space

expel activity metrics closed drawer

  • We’re also excited to announce support for two additional security technologies — Crowdstrike and QRadar. If you need help getting either of these device types configured, please contact your engagement manager.
  • Even more transparency: When you view a closed alert, you’ll now be able to see the Closed Reason at the top of the alert detail. There are three types of closed alerts:
    • Closed (FP) = This alert was closed because it’s a false positive, or it was added to an investigation that turned out to be a false positive.
    • Closed (Other) = This alert is legitimate, but is not something your organization considers malicious or concerning.
    • Closed (Incident) = This alert was added to a security incident that has been resolved.
  • Similarly, the investigation tiles on the main dashboard have been redesigned to include more meaningful high-level information.

If the investigation is open, you’ll see:

  • Started date
  • Date of last activity
  • Initial lead
  • Most recent action

If the investigation is closed, you’ll see:

  • Started date
  • Closed date
  • Initial lead
  • Closed reason
  • We’ve refined the banner area on all investigations and security incidents. Closed investigations and incidents display with a grey background, whereas resolved security incidents display with a green background.
  • At long last, you can now edit the name of an investigation or security incident. This is particularly useful when the scope of the investigation changes or you just want to name it something more descriptive.
  • Good news for the fat-fingered: You can now edit remediation actions or delete them entirely from the security incident if they were added in error.
  • You can also edit a closed or completed investigative action—this is mainly to let analysts fix typos or clean up formatting.
  • Remediation actions now use the same formatting as investigative actions.
  • We changed the workflow to disassociate an alert from a closed investigation if that alert is re-opened.


  • Pink is now green. We changed the default styling of “pre” and “code” syntax in markdown to match the Expel brand colors. You’ll see the new styling in investigative actions.
  • Removed the non-functional “Request a new device integration” link from the Add Security Devicemodal. Please talk to your engagement manager if you have new tech you need an integration for.
  • Reconfigured the Assembler’s Last status change timestamp so that it messages changes to the Assembler’s lifecycle, rather than just its connection status.
  • Fixed a problem that prevented manual investigative actions from being edited or previewed.
  • Fixed an issue where newly created users were only visible in the Users list after a page refresh. Now they appear right away when the Add User modal is saved.
  • Cleaned up some awkward layout on the Involved Hosts tab of the investigation that occurred when there were 0 involved hosts.
  • Fixed a small styling issue that caused the Expel logo used for assignments to be too wide.
  • Fixed a bug that prevented the dropdown menu for each security device to close automatically. It was previously possible to have a whole bunch of these open at once, which was not very useful.