Share the love… err work with new assignment options

New: Updates to assignments

We’ve made some improvements to how assignments work. For every assignable item, you now have the option to assign to:

  • Yourself
  • Another analyst on your team
  • Your organization
  • Expel

Because the Expel Workbench is a shared workspace, it’s critical to know who’s responsible for what. That’s what our assignment icons are for. You’ll see assignment icons in the top-right corner of alerts, investigative actions, remediation actions and next to the lead investigator’s name on the Investigative Actions tab.

In case you’re not familiar with these icons, here’s a rundown of what each of them means:

Assignment icons

Here are a few of the most common reasons you’d want to click on  the assignment icon:

  • Claim an unassigned alert and start working on it
  • Assign several alerts to a specific analyst on your team
  • Assign a remediation action to a specific analyst on your team
  • Escalate an alert to Expel
  • Take responsibility for an investigative action so you can decide later who to assign it to

Also new

  • For those of you using Tanium, you’ll notice we’ve updated Workbench to display their snazzy new logo.


  • Fixed the form validation in the Add Timeline Event so it’s clear what fields are required.
  • Added the missing “Expel” alert type to the filter on the Alerts page.
  • Fixed an issue that caused assigned investigative actions to appear unassigned on the Activity dashboard.
  • Fixed a problem that prevented Expel alerts from being assigned to Expel.
  • The Involved Hosts tab on the alert detail was missing text that helps explain what you’re looking at. In case you were wondering, the table lists open and closed investigations and security incidents that have any of the same involved hosts as the alert you’re looking at. This feature allows analysts to quickly add alerts to existing investigations, rather than create overlapping or duplicate investigations.
  • Fixed an issue that prevented users with a plus sign in their email address from completing signup.
  • Fixed an issue that caused alerts in the Investigating state to remain in that state after the investigation or incident was closed. Now, when you close an investigation, the alert is marked as Closed (FP) or Closed (Other) and when you resolve an incident, the alert is marked as Closed (Incident).
  • Fixed a display problem in the Initial Lead box on an investigation that made it hard to read enrichment data.
  • Fixed an issue that caused our integration with Carbon Black to fail if live response was not enabled on the device.