Now supporting Zscaler integration

W00t! Expel support for the Zscaler platform is good to go, and we think that’s a pretty big deal. If you need help getting this configured, please contact your engagement manager.


  • In the Add Security Device UI, you can now add “proxy” devices by clicking on the Proxy icon. Proxy devices are additional tech you have that don’t have an API integration with Workbench. What’s the benefit of adding these devices? It helps analysts see what tech is available in your environment and gives them a quick link to the device console via the Access UI action.
  • We’re gradually redesigning the User / My Profile page. Most recently, we added an Edit User button to this page so that editing happens in a modal, not on the page itself.
  • When you create a new user, the system will now automatically specify the invite token instead of you having to puzzle over what that form field is for. The invite token is used to create the unique enrollment link that new users see in their welcome email.
  • In order to keep the alert details readable, we’ve moved some of the enrichment data into popups. If you see an “info” icon next to a URL or IP address, click it to see additional context. Pro tip: Did you know, double-clicking on the alert detail window shows the complete alert evidence?
  • We increased the file size limit for uploads to an investigative action to 1GB.



  • Fixed a problem that caused some Tanium alerts to contain an invalid “alert at” timestamp.
  • Fixed an issue that caused Palo Alto Networks alerts to display without URL evidence.
  • In the details for Expel alerts, the Device alert details tab is now renamed Vendor alert details, so it’s  consistent with the rest of the interface. Vendor alerts are alerts your security devices generate that’ve been processed by the Expel rules engine and displayed in the Workbench.
  • Another terminology fix: the In Progress filter on the investigative actions page changed to a Job Running filter. This filter lets you view only the automatic investigative actions where the acquisition job is still running.
  • Fixed an issue in the Edit User screen that prevented changes from being saved.