Professor Plum, the candlestick, in the ballroom – see who did it

While it’s fun to play detective to solve a mystery, it’s also time-consuming — we’ve made some updates to make it is easier for you to see what took place and when in Workbench. The investigation and security incident page now includes who closed the investigation or incident and when it was closed. We’ve also made it easier to check the status of Workbench features.


Enhanced status page

In the spirit of transparency, we’ve made the Workbench status page open to the public. In this release, we’ve updated the page to provide even more visibility by providing the status of individual Workbench features such as; investigative actions, email notifications, and alert ingestion.

See who closed the investigation

The information icon on the investigation or security incident page contains details about who created the investigation and when it was created. Now it also includes who closed the investigation and when it was closed.

Investigation details

Assignment filter on alerts

We’ve added a new assignment filter on the Alerts screen so you can narrow your view to alerts assigned to Expel or to your own organization. By default, you’ll see all assigned alerts.

Assignment filter

Other fixes (and a few odds and ends)

  • Fixed a display issue that caused the sidebar in investigations and incidents to end before the bottom of the page
  • Fixed an issue where nameless investigations could be created from alerts. The investigation name is now required
  • Fixed an issue that caused an investigation to fail to upgrade to a security incident when the Detection tag was set to Expel
  • Fixed a problem where no results were returned in the Assign To dropdown in some situations
  • Fixed two issues in the Situation Report > Activity metrics where counts were being calculated based on a misleading timestamp, and closed incidents were being counted as Closed (Other) investigations
  • Fixed an issue on the Resilience dashboard where the progress pie charts didn’t reflect the proportion of completed recommendations
  • Fixed a problem on the Add Investigative form where there was no feedback that an action was being created. Now you’ll see a spinner in the Save button on click