Check here to learn about Expel's latest features, enhancements, fixes, and other improvements.

December 2025

New Features

  • Manual fallback: Customers enrolled in manual fallback will gain additional remediation support. With manual fallback enabled, in the event that an automated action fails and Expel has console access, our SOC will attempt to manually perform remediation. Manual fallback is currently available for the following auto remediations: Cortex XDR: Contain Hosts, CrowdStrike: Contain Hosts, and Microsoft Defender for Endpoint: Contain Hosts.
  • Disable Account with Defender Auto Remediation: This release adds the Microsoft Defender for Endpoint integration to our Disable Accounts auto-remediation, allowing Expel to automatically remediate user accounts in hybrid and on-prem Active Directory environments.

November 2025

New Features

  • LLM Close Comment Generation for Benign Comments: Customers can now see a button in Workbench to leverage an LLM to generate comprehensive close comments for benign alerts.
  • Identity Classification: Expel Analysts leverage machine learning (ML) to automatically close low-risk, high-volume security alerts so they can focus on the alerts that will help stop incidents.
  • Hunt Service Offering: Threat Hunters will now proactively recommend which hunt techniques a customer could receive, or which one they will deliver (if the customer has opted in to being a “Hunter’s Choice customer”), along with the justification for why they selected that hunt. Customers will have 3 business days to accept or change the selection. The Threat Hunters will work to deliver the hunt findings within 3-4 business days, when possible, after the official selection/confirmation of the hunt technique.
  • AI-generated summary of the User Details workflow: improves consumability and explainability of user insights, enabling SOC analysts to more quickly orient on the situation and accelerate Mean Time to Triage.

New and Updated integrations

  • Wiz Cloud via Webhook: Expel’s integration with Wiz Cloud has been updated to improve performance.

October 2025

New Features

  • User Details workflow: When Expel Analysts need information about users during triage, they can now use a workflow to display an LLM-generated summary of user details.

New and Updated integrations

  • Microsoft Defender: Expel has streamlined the Microsoft Defender XDR integration for enhanced operational clarity and simpler alert management. If you use this integration already, Expel automated this migration on your behalf, and you will now see a separate plug-in for Microsoft Defender XDR, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity in Workbench.
    • The scope of the core Microsoft Defender XDR integration is now focused exclusively on ingesting M365 Defender alerts.
    • Alerts originating from Cloud Apps and Identity surfaces are ingested via dedicated, direct integrations with Microsoft Defender for Cloud Apps and Microsoft Defender for Identity.

September 2025

New Features

  • CrowdStrike One-Way Status Syncing: Expel's one-way status syncing for CrowdStrike has been improved! If a CrowdStrike alert becomes an Expel Alert, Workbench maps state changes to that Expel Alert back to the CrowdStrike alert and appends a comment for every state change or action taken by Expel Analysts. If you had the legacy status syncing enabled, the updated status syncing has been enabled for you. Review the onboarding guide to learn more about status syncing. Syncing can be enabled by editing your CrowdStrike device in Workbench.

  • Findings reports: Expel SOC analysts leverage LLM-generated summaries to assist in writing comprehensive findings reports for customers. The model has been updated to improve specificity on privileged accounts when relevant to the incident, and the format has been updated to more closely match analyst writing style.

Updates

  • Fix for Phishing error message: The Phishing error message related to Microsoft O365 and the Remove Malicious Email Auto Remediation Action has been fixed.

August 2025

New and Updated integrations

  • Wiz Defend: Expel now integrates with Wiz Defend, including support for out-of-the-box rules.
  • Wiz Cloud update: Expel’s integration with Wiz Cloud has been updated to improve performance.
  • Sublime Defend: Expel now integrates with Sublime Defend, expanding MDR for Email, Expel's comprehensive MDR coverage against email-based attacks.
  • Vectra AI NDR: Expel now integrates with Vectra AI NDR, including support for custom rules.
  • Google SecOps: Expel now integrates with Google SecOps, including support for custom rules.
  • Imperva WAF: Expel now integrates with Imperva WAF, including investigative access.

Updates

  • Fix for AWS error messages: The issue related to AWS error messages persisting across pages has been fixed.

July 2025

New Features

  • Alert Details: The Alert Details for 1Password alerts are easier to use. These alerts now have standardized data fields and collapsible columns to make details more readable.

Updates

  • Fix for Slack issue: The issue related to the Slack error message channel_not_found has been fixed.

June 2025

New Features

  • Detection Strategy Export: Stay up-to-date on Expel's detection strategy for your integrations. From our detection strategy guides on the Help Center, select the link to view detections for this integration in Workbench. From the Detections page, you can download a filtered list of detections related to the integration.
  • Notify and Verify Actions include Author: Notify and Verify Actions now include author information so you can see whether an action was initiated by an Analyst or by automation. When activity is authorized, the investigation will auto-close. When activity is not authorized, the investigation will be promoted to an incident.
  • Template updates: Expel updated the way we classify and describe certain types of incidents in Workbench to provide clearer insights into attacker activity.
    • Credential Compromise is now called Credential Theft: Expel Analysts use this classification when usernames and passwords are stolen but no successful login or malicious activity occurs. The recommended action for Credential Theft is resetting credentials.
    • Account Compromise is a new classification: Expel Analysts use this new classification when usernames and passwords have been stolen and a successful login has occurred, but there’s no evidence of malicious activity. The recommended action for Account Compromise is resetting credentials and disabling the account.
    • Business Email Compromise remains the same: Expel Analysts use this classification when usernames and passwords have been stolen, a successful login occurred, and malicious activity has been verified. The recommended action is resetting credentials and disabling the account.

New and Updated integrations

  • Exabeam SecOps (Threat Center): Expel now integrates with Exabeam SecOps, including custom rules.
  • Zscaler ZIA: Expel now integrates directly with Zscaler ZIA.
  • SentinelOne Singularity Data Lake: Expel now integrates with SentinelOne Singularity Data Lake to collect, ingest, and forward Windows Event Logs to Expel for AD On Prem infrastructure.

Updates

  • Device Health Check updated to fix issue with unhealthy connection error messages.

May 2025

New Features

  • MDR for Email including Proofpoint and Abnormal AI integrations: Two new integrations expand Expel's comprehensive MDR coverage against email-based attacks. By integrating with Abnormal AI Inbound Email Security and Proofpoint TAP, Expel has the ability to apply our detection strategy to:
    • Reduce alert fatigue and escalate the most important alerts.
    • Correlate IOCs across security devices to provide a clear picture of the entire attack blast radius.
    • Automatically remove malicious emails and block threats across all user inboxes.
    • Learn more in our blog and on our Help Center.
  • Updated Identity Alert Decision Support: Expel Analysts now have even more support to quickly triage identity alerts. Any identity alerts for SaaS applications that involve authentication behaviors, events, and user activity in the cloud, with log data from Office365, Okta, or Duo, will have this updated decision support. Identity alerts are automatically classified as benign, likely benign, inconclusive, suspicious, or malicious. Alerts classified as benign will be automatically closed. Analysts also have access to reference information in the workflow that explains the factors that led to that classification and its predicted probability, for use in triage and resolution.

Updates

  • Fix for Microsoft 365 Phishing button: The button to submit phishing emails has been updated to work with recent Microsoft updates. The first time you use the button, you'll need to accept permissions for the button to work.

April 2025

New Features

  • New Welcome Dashboard including Context: Onboarding is even easier with the new Welcome Dashboard. The Welcome Dashboard will be your default dashboard, unless you already have a different default set. The Welcome Dashboard improves the onboarding workflow by giving you up-front access to important onboarding steps:
    • You can now add Context from the Get Started with Context section of the Welcome Dashboard. You still can add context by going to Organization Settings > Context.
    • Connect your Tech has moved from the Alert Analysis Dashboard into the Welcome Dashboard.

Updates

  • Fix for Getting Started Guide link: The Microsoft XDR Getting Started Guide link has been updated to redirect to the guide on the Help Center.

March 2025

New Features

  • Kill Processes Auto-Remediation for Microsoft Defender for Endpoint: When your environment is threatened, Expel analysts can now leverage the Kill Processes Auto-Remediation for Microsoft Defender for Endpoint to instantly terminate a malicious process, preventing further execution of harmful code, and significantly reducing the dwell time an attacker has in an environment. Learn how to configure this action for your environment.
  • Delete Malicious Files for Microsoft Defender for Endpoint: Expel Analysts can now quickly delete harmful files with the Delete Malicious Files Auto-Remediation for Microsoft Defender for Endpoint. Learn how to configure this action for your environment.
  • Delete Registry Key Auto-Remediation for CrowdStrike: Expel analysts can now nullify threats with the CrowdStrike Delete Registry Key Auto Remediation when deleting a malicious registry key is necessary. Learn how to configure this action for your environment.
  • Identity Alert Decision Support: Expel Analysts now have more information to quickly triage identity alerts. Any identity alerts for SaaS applications that involve authentication behaviors, events, and user activity in the cloud, with log data from Office365, Okta, or Duo, will have this new decision support. Identity alerts are automatically classified as benign or malicious, and alert severity is updated based on the classification to help route potential threats for quick action. Analysts also have access to reference information in the workflow that explains the factors that led to that classification and its predicted probability, for use in triage and resolution.
  • Phishing Outcome Emails for Alerts Closed as Other: You already receive outcome emails on Phishing alerts that are closed as Benign or Malicious. Now, you will also receive outcome emails when a Phishing alert is closed as Other, so you have visibility through email into all of your closed Phishing alerts.

February 2025

New Features

  • Emerging Threats: You can now view Threat Bulletins in Workbench, including what Expel is doing to protect you and what you may need to do to protect your organization, by going to Threats > Emerging Threats. Learn more about Threat Bulletins and Emerging Threats.

January 2025

New Integrations

  • Check Point Quantum Network Security: Expel now integrates with Check Point Quantum as a Network Security Gateway device to bring AI-powered threat prevention, real-time global threat intelligence, unified policy management, and hyperscale networking into Expel Workbench.
  • Oracle Cloud Infrastructure: Expel now integrates with Oracle Cloud Infrastructure to add detection and response efforts on Oracle Cloud’s Audit Events to Expel Workbench.

New Features

  • New Beta Device Performance UI: You now have two ways to monitor device performance: in the updated device panel on the Security Device page and in the new Beta Device Performance page. The Device Performance page within Organization Settings combines the best of the side panel and Alerts Analysis Dashboard so the data is available in one spot. The new UI provides:
    • Quick filters to view unhealthy devices or inactive devices.
    • An enlarged side panel with more performance metadata.
    • A new Potential Issue device health status to highlight ingestion lapses.
  • Security Device Preferences for Auto-Remediations: Customers can now set one or more devices as preferred when configuring the device setup for an auto-remediation. When you set preferred devices for auto remediations, Workbench provides decision support to Expel's SOC Analysts, improving your overall security posture. Learn more about Auto Remediations.