Unlike Aquaman, you don’t have to wait for this release!

We’re constantly adding to our “league” of partner integrations and we’re happy to announce our latest additions. We now support Devo (formerly Logtrust) and have expanded our Darktrace “via SIEM” integration to include Darktrace via Devo. We’ve also made some updates to our Endgame integration to support the latest version. Read on to learn more about our integrations and other action-packed enhancements.


We’re constantly adding to our list of partner integrations and are excited to announce support for Devo (formerly Logtrust) and Endgame (for version 2.5+).

Devo (formerly Logtrust)

  • Although Devo doesn’t generate security alerts natively, our integration includes custom queries against log sources that we can alert on in Workbench. Analysts can also create custom queries and view the results directly in Workbench.
  • We’ve also expanded our Darktrace “via SIEM” integration to include Darktrace via Devo. Previous integrations include Darktrace via Sumo Logic and via Splunk.


Endgame

  • In full transparency, we already integrate with Endgame, but they made some significant enhancements to their product; as a result, we made some updates on our end to support these enhancements. With this integration, Expel evaluates Endgame’s native rules and generates prioritized alerts in Workbench with detailed information about the event. Analysts can also request file listings, process listings, and registry listings from hosts with the Endgame agent via automated actions within Workbench.

Other enhancements

  • On the Resilience dashboard, the number of incidents associated with a recommendation is now a link. It takes you to a custom filtered list on the Activity > Security Incidents page.
  • Let’s get straight to the point. We removed some confusing messaging from our device health notifications. Now if your device is having problems, our emails more accurately describe the issue.
  • We added a hover state to the progress pie charts at the top of the security incident/findings page so you know which one is which.
  • We improved the logic around which actions cause the “last activity” timestamp to update.
  • We added the ID number to the info popup in the investigation and incident banner to make it easier to find.
  • When someone adds or updates a comment on a resilience recommendation, we’ve added a little audit trail to show who made the update and when.
  • We’ve disabled the Event Timeline tab in the alert detail and are exploring more effective ways to surface related vendor alerts.

Other fixes (and a few odds and ends)

  • Fixed a bug that was preventing users from updating their Resilience recommendations from the Situation Report dashboard.
  • We fixed an issue where lightning-fast mouse users were sometimes causing requests to be submitted twice.
  • Fixed an issue where our UI was giving congratulatory high-fives (success banners) for a whole lot of nothing.
  • Fixed an issue where alert details were missing for Darktrace alerts.
  • We removed references to our back-end services in the UI. While we think we have some pretty cool names, we realized it was not necessary to include them in the UI.
  • We tweaked the visual alignment in the top bar of the resilience recommendation tiles and cleaned up a few other styling issues in the UI.