You’ve got mail!

If your idea of a good notification is an email in your inbox, then this one’s for you! We’ve added two new email lists that you can subscribe to. One tells you when actions are assigned to your organization, while the other updates you about security device health. Update the notification settings in your profile to start receiving these notices. We’ve also made some other enhancements that’ll make it easier to tell when investigations occurred.


Email notifications

We added two new email notifications to keep you informed about what’s going on. You can now subscribe to:

  • Actions assigned to my org: With this notification, you’ll receive an email when an Expel analyst assigns an investigative action or remediation action to your team. You can also sign up for notifications when an action is specifically assigned to you.
  • Security device health: This one will send you an email when there’s a change in the health status of one of your security devices.

You can subscribe to email notifications from Settings > My profile > Edit notification in Workbench.

Other enhancements

  • Now you can reset your Google Authenticator token without having to reset your password. To do so, log in to Workbench using your current credentials, then go to Settings > My profile and click the Reset Google Authenticator link.
  • In the last release, we added columns for Source IP and Dest IP to the involved hosts tab in the alert details. In this release, we’ve added a Last Updated column so you can tell when the host was involved in other investigations.
  • We’ve added more capabilities to our FireEye HX integration. Without leaving Workbench, you can acquire a file, a file listing, a process listing, a registry listing, a persistence listing or a triage package.
  • If you have hunting capabilities, you’ll now see a new tab on the Activity page for Hunting investigations.
  • We updated the columns for viewing registry listing data in the Data Viewer.
  • We’ve added full timestamps to investigations and security incidents on the Activity page — previously, we only showed the relative (“time ago”) time.

Other fixes (and a few odds and ends)

  • Fixed a bug that briefly caused Workbench tabs to display with URLs.
  • Fixed a bug that prevented certain investigations from loading.
  • Fixed a button alignment issue and some display issues in the Update Status drawer, including a problem where the Close button label was changing to Save when it was clicked.
  • We improved the responsiveness of the Update Status drawer — it should open and close a little faster now.
  • Fixed a display issue in the info popup for new investigative actions.
  • Fixed a display issue that happened when switching among the Close, Investigate, and Respond buttons on the Alerts screen.
  • Added a loading message and indicator in the Activity page tabs.
  • Fixed a validation issue in the Update Status drawer for security incidents. Previously, you were able to close an incident without specifying values for Detection Type and Attack Timing. These are now required.