Less steps, more productivity

Managed Phishing

Spoiler alert, the new year is bringing automated remediation actions to our Managed Phishing service. To help set the capability up for success, we’ve added remediation actions to the investigation page. Previously, we included these tasks as investigative actions.

Speaking of remediation, if we’re connected to your EDR as part of our Phishing service, we can automatically block known bad hashes. To enable this capability in Workbench, go to My Organization > Auto Remediations. Note, if you’ve already completed this as part of your MDR service, you’re good to go!

Finally, out with the old and in with the new. We’ve made updates to our system to fix an issue that was blocking email subscriptions.


The countdown to even easier onboarding continues. Now it takes 5 -10 minutes to connect to your Microsoft Office 365 with Azure AD Identity Protect. The new onboarding wizard streamlines the process so you don’t lose productivity.

The Welcome view now shows the tuning status of a device, so you’re able to see if tuning is in progress or completed. When the view shows as completed, you can confidently navigate to the next onboarding steps. No guesswork here!

Last, we’ve removed the console access field from devices that don’t require or don’t support console access.

Expel Hunting

I see a new IOC hunt. Expel Hunting now includes hunting techniques focused on IOCs. This new hunting involves our crew running queries for the most relevant IOCs, think file hashes, process names, IP addresses and domains. Which means you get a head start when industry-wide attacks occur or other previously unknown threats are reported. We currently can run this technique on the following endpoint technologies: VMware Carbon Black Response, VMware Carbon Black Cloud, Microsoft Defender for Endpoint, and SentinelOne. Interested in a complementary hunt? Reach out to your engagement manager.