Things that make you go hmmm

No, we are not talking about the confusion around OAR at this years Olympics. (Psst: It’s not a new country, it stands for Olympic athletes of Russia.) We are referring to unusual remote desktop protocol (RDP) connections that our analysts are keeping an eye out for when they hunt in your environment. Attackers use this technique to move latterly, and we’ve added it to the list of techniques we look for while hunting in your environment. Not familiar with our hunting service? Reach out to your engagement manager for more details.


New hunting technique: remote desktop protocol (RDP)

We’ve added a hunting technique that looks for anomalies in remote desktop protocol connections. This technique helps us understand what typical behavior looks like so we can spot unusual activity and investigate it. Every month we kick off a new investigation. You can track its progress in Workbench, view the raw results in Data Viewer, and see a detailed report of our work and conclusions in the investigation Findings. If you’re interested in Expel’s hunting service, talk to your engagement manager.

Help for lost passwords

We know that you would never forget your Workbench password, but just in case… we now have a Forgot password? link on the login page. Click the link to receive a sympathetic, non-shaming reset email with a link that is good for 30 minutes. NOTE: When you reset your password, you’ll also need to reset your Google Authenticator token.

Report unexpected outages

We hope you never have to use it, but we’ve set up our hotline email just in case you have to report an outage and loss of service: We also encourage you to subscribe to updates from our System Status page ( so you’re aware of planned maintenance and downtime.

Other enhancements

  • We’ve cleaned up the styling of “info” popups and buttons to make them more consistent.
  • Added a message in the UI to indicate that a new user cannot be created when their email is already associated with another account.
  • Strengthened the security of two-factor authentication in the enrollment workflow.


  • Fixed a spacing issue on the Activity page header.
  • Fixed the Users page and the Security Devices page to remove an unnecessary internal scrollbar.
  • Fixed a problem on the Users page where the Lock and Unlock options were both available at the same time, regardless of the user’s locked status.
  • Fixed sort order and capitalization issues in the All vendors dropdown on the Security Devices page.
  • Fixed a styling issue in the user dropdown.
  • Fixed a problem that prevented an investigation from being closed in some situations.
  • Fixed a problem that caused some CSV uploads to the investigation timeline to fail.
  • Fixed an issue that prevented an investigation from being edited when it was assigned to an inactive user.
  • Fixed a problem that prevented some users from being able to assign an investigation to themselves.
  • Fixed a problem in the Activity > Actions board where filtering by assignment returned a 500 error.
  • Fixed an issue on the Security Devices page where the status wasn’t being displayed when the device was unhealthy.