New investigative features

Export more data! We’ve expanded the investigative data available for export and added a new feature to make it easy to add a file for us to investigate. We’ve also made it easier to share a file for us to review or to add to an investigative data. Read more to learn about these new features in further detail.

Improved Alert Grid

We’ve improved our Alert Grid behavior. Now when you click on a row, the alert details will open in a popup window on the grid rather than navigating away from the grid. This update enhances your ability to analyze the important alert details without leaving the page.

Investigation export updates

We’ve expanded the information available for export. Now when you export investigative data you’ll receive the following additional details:

  • Investigation GUID
  • Initial Lead Alert Timestamp (UTC)
  • Expel Investigation Last Updated Timestamp (UTC)
  • Expel Investigation Closed Timestamp (UTC)
  • Expel Investigation Close Reason
  • Expel Investigation Close Comment
  • Lead Description


To access the Investigation Export feature, navigate to the Activity page and click the download icon located in the top-right corner. Select the date range of the investigations you’d like to view or define a custom range.

Investigative action enhancements

We’ve made it easier to upload files to investigative actions. You’ll now see a paperclip icon in the investigative action section. If there’s a file that you would like us to look in to or that you’d like to add to an investigation, use the icon to upload the file.

Other Enhancements

  • More context. Our “Investigative action closed” email notification now displays the reason rather than instructions.
  • On the “Acquire file” investigative action we renamed the “Upload file” button to “Save.”
  • We’ve removed the count of hunting investigations from the Alert Analysis dashboard to provide more accurate and consistent information across Workbench.
  • We’ve improved the behavior of the evidence dump popup window to enable users to interact with investigative actions while the window is open to improve investigation workflow.
  • We’ve added additional input validation to our investigative actions to help provide more relevant information. These improvements along with other behavior changes will help decrease investigative action failures due to syntax errors.
  • We’ve added minor styling updates to our “Security device health” Slack notifications.
  • We’ve improved behavior on the Alert Grid. Now when you click on a row, the alert details will open in a popup window on the grid rather than navigating away from the grid.

Other fixes (and a few odds and ends)

  • Home is where the alerts are. If you’d like to set the Alerts page as your homepage, no problem! While on the page, click the dropper in the top-right corner beside your display name and select the “Make this my homepage” option.
  • On-click interactions with our “Add Security Device” window had been disabled for a brief period, but we quickly hopped on the issue and fixed it.
  • Closing investigative actions would cause some of our automatic investigative actions to lose their data, but we’ve fixed this issue.
  • I spy a little error with our “Add User” option. The “Add User” popup window would sneakily change itself to the “Edit User” when navigating away from the window. We’ve updated this so it stays true to itself.
  • Our Security Devices grid would sometimes hide the last device in the grid for Workbench users, but we fixed that issue.
  • Some of our security devices listed in the “Add Security Device” window weren’t being properly organized, but we’ve fixed that issue.
  • The default open size for our Evidence Dump popup window was way too large and interacting with the window would break the page, so we made the necessary fixes for these issues.
  • We ‘ve made styling improvements to enhance our “New feature highlight” popover display. We also made styling improvements to the “Contain infected removable media” remediation action that better map the “Mounted as” and “Device serial number” columns.
  • We’ve fixed an issue with our O365 onboard re-consent page that would unexpectedly send users to an error page.
  • When two Workbench users closed the same alert, the alert would fail to return who last updated the alert. We’ve fixed this issue so the alerts continue to display this useful information.
  • The link to reset a Workbench account password would send users directly back to our login page which made it impossible to update the user’s account successfully. We’ve fixed this.