Workbench email notifications and new tech integrations (“You better bring it.”)


Email notifications

We’re happy to announce email notifications from Workbench! No matter where you are, you’ll be alerted immediately via email when Expel has identified a new security incident or launched an investigation in your organization. You’ll also know when a remediation action or investigative action has been assigned to you. Expel notification emails have just enough detail to help you quickly decide if any action is necessary and if so, what action to take.

Expel Workbench alert email notification

For the initial release of this feature we’ve enabled three triggers:

1. New security incident

2. New investigation

3. Actions assigned to me

We’ve turned on these three notifications for all user accounts by default, and you can customize your notification preferences anytime by navigating to your User Profile page in Workbench. We’ll be adding more notification options in upcoming releases so please let your engagement manager know if there’s something specific you want to be alerted about.

Known issue: At release time, we are aware that investigative alerts “assigned to me” are only triggering a notification for the acquire step in a manual acquire action. This will be fixed in the next release.

Data viewer

Evidence analysis and reporting just got a little easier. Whenever you retrieve a process listing or file listing in Workbench, you’ll see the option to View data. Clicking this link launches our new Data Viewer interface where you can filter, sort, and re-order columns to find activity of interest. Filters support include and exclude syntax, for example:

Data viewer

This filter will show all filenames that include dll but exclude dll.mui:

Once you’ve identified suspicious events, select those rows and add them to the investigative Timeline with a single click. We’ll continue to add support for more data types in upcoming releases.

Improvements to the Actions board

We’ve made some enhancements to the Activity > Actions board that make it easier for managers to see everything that’s happening, who’s responsible for what, and how much work has been completed. The whole board can be filtered by time range and type of action, plus we’ve added a third filter for assignment that lets you see what Expel owns and what your organization owns. In addition, analysts now have a quick way to see their to-do list by clicking the Assigned to me checkbox in the center column.

If you’re not familiar with this screen, here’s a refresher:

  • The New column shows all open, unassigned actions—that is, actions owned by either Expel or your organization that haven’t been assigned out to a particular analyst.
  • The Assigned column shows—you guessed it—actions that have been assigned to an analyst but that aren’t completed yet.
  • The Completed or Closed column shows all actions that were either completed or were closed manually or automatically when the investigation was closed.

FireEye HX integration

How ’bout them apples! Workbench now integrates directly with your FireEye HX endpoint device. If you have HX deployed in your environment, add it to Workbench by navigating to the Settings > Security Devices tab and clicking the Add Security Device button. Hopefully this will be a breeze, but if you encounter any difficulties please reach out to your engagement manager. And don’t forget that Expel never charges for additional device support—we want you to add more devices because the more visibility we have into your environment, the better we’re able to detect and respond to attackers.

Darktrace-via-SIEM integration

We’ve also added integration with Darktrace—for customers who also have the Sumologic SIEM. Unlike our direct integrations, in this case you must send your Darktrace alerts to Sumologic and Workbench will ingest them from there. To add this security device to Workbench, select the Darktrace logo in the Add Security Device modal. In the form, make sure you enter the Sumologic Access ID and Access Key, and enter the Source Category as “Darktrace”.

Darktrace integration

Enrollment email expiration date

When new users receive their welcome email they now have three days to set up their account before their invitation expires. If they fail to set up their account during this period, their account will be locked. A manager can generate a new enrollment email at any time by navigating to the Users page and selecting the Resend Enrollment Email option from the action menu.

We also made the experience of resending an enrollment email a little more user friendly by:

  • Changing the name of the action from Reset Invite Token to plain language: Resend Enrollment Email.
  • Adding a confirmation message that the new email has been sent, so you’re not sitting there wondering.

Additional user statuses

In conjunction with the enrollment expiration email, you can now see a user’s enrollment status on the Users page—for example, if a user has received an enrollment email but the email expired before they set up their account. Here’s a breakdown of the possible user statuses:

Additional user statuses

Situation report updates

We’ve made some enhancements to the Situation Report dashboard, specifically:

  • Instead of showing unassigned investigative and remediation actions in the What’s urgent? section, we now show only open actions assigned to your organization. It’s a little easier to explain what you won’t see here: closed actions and actions assigned to Expel.
  • We’ve added links to View all investigative actions and View all remediation actions that land on the Activity > Actions board.
  • The Activity Metrics drawer looks more clickable thanks to the blue hover on the down arrow.

Edit the initial lead

You can now edit the initial lead for investigations that were kicked off using the Add Investigation button—that is, investigations that weren’t in response to an alert. This allows analysts to add more detail to the initial lead or make corrections after the investigation has been launched.

Default assignment of alerts

In our collaborative Workbench environment it’s important that every alert and action have a clear owner. Previously, new alerts were unassigned, but now all incoming alerts are assigned to Expel by default. You’ll notice this on the Alerts screen by the green X icon on each alert. Analysts at your organization still have the option to reassign any alert to themselves if they see something they want to work on.


  • Fixed an issue that prevented actions with an assignment for analysis to show up in the Assigned column of the Activity > Actions board.
  • Fixed an issue that prevented users from creating manual investigative actions if no automated actions were available.
  • Fixed the Add Investigation modal so that the “Investigation” option is selected by default.
  • Fixed a problem that caused the entire initial lead to be displayed in the investigation tile, for investigations that weren’t launched from an alert. Instead, the investigation tile shows the vendor icon of the initial lead alert or the Source Reason — hunting, customer reported, or discovery.
  • Fixed a regression bug so that new investigations and incidents are once again assigned to “Me” by default.
  • Fixed several minor formatting and display issues.