Expel Status

Identified: On May 19, Wiz made a change to its API that impacted Expel’s ability to sync alert statuses from Workbench back to Wiz. As a result, we have temporarily disabled the status syncing feature while we work on a fix.

Importantly, this issue does not affect Expel’s ability to deliver MDR services for Wiz. Workbench continues to ingest alerts from Wiz as expected, and our SOC is actively monitoring and responding to those alerts.

We’re actively collaborating with Wiz to update the integration and restore status syncing functionality. While we don’t have a specific timeline to share yet, we’ll provide an update as soon as the fix is deployed and syncing is re-enabled.

Thank you for your understanding.

Resolved: The incident has been resolved, and all previously-available assemblers are once again fully available.

Monitoring: We have implemented a fix and believe the incident to be resolved. We are monitoring the health of the infrastructure as individual assemblers come back online, and will resolve this if there are no outstanding issues. Please let us know if you are experiencing any problems. We will provide another update by 4:30pm EDT.

Identified: We have identified a further cause and are working on a remediation. Individual assemblers are coming back online. Alert ingestion via some assemblers continues to be delayed. SOC operations are not affected. We will provide another update by 12:30 EDT.

Identified: We have identified a further cause and are working on a remediation. Individual assemblers are coming back online. Alert ingestion via some assemblers continues to be delayed. SOC operations are not affected. We will provide another update by 11:30 EDT.

Identified: We have identified a further cause and are working on a remediation. Alert ingestion via some assemblers continues to be delayed. SOC operations are not affected. We will provide another update by 10:30 EDT.

Identified: We have identified a further cause and are working on a remediation. Alert ingestion via some assemblers continues to be delayed. SOC operations are not affected. We will provide another update by 9:30 EDT.

Identified: We have identified a further cause and are working on a remediation. Alert ingestion via some assemblers continues to be delayed. SOC operations are not affected. We will provide another update by 8:30 EDT.

Identified: We are continuing to work on a fix for this issue.

Identified: We have identified the root cause and are working on a remediation. Alert ingestion via some assemblers continues to be delayed. SOC operations are not affected. We will provide another update by 8:00 EDT.

Identified: We have identified the root cause and are working on a remediation. Alert ingestion via some assemblers continues to be delayed. SOC operations are not affected. We will provide another update by 7:30 EDT.

Identified: We have identified the root cause and are working on a remediation. Alert ingestion via some assemblers continues to be delayed. SOC operations are not affected. We will provide another update by 7:00 EDT.

Investigating: At approximately 4am EDT, we began experiencing a problem with our assembler VPN system that is preventing alerts from being ingested through assemblers. Alert ingestion is delayed for some devices behind an assembler. We will provide an update by 6:30am EDT.

Monitoring: We are continuing to monitor for any further issues.

Monitoring: As part of a previously communicated Microsoft deprecation, Expel is no longer ingesting Microsoft Defender for Identity alerts (via the Microsoft Defender for Cloud Apps integration). Any customers who have onboarded a Microsoft Defender XDR device have coverage and alerts are being processed.

We recommend that customers who have the Microsoft Defender for Cloud Apps integration, but have not yet onboarded Microsoft XDR to Workbench, complete the onboarding as soon as possible (https://support.expel.io/hc/en-us/articles/38928860545299-Microsoft-Defender-XDR-Setup-for-Workbench).

Please contact your Customer Success Manager if you need assistance with onboarding or if you have additional questions.

Resolved: The incident has been resolved, and all previously-available assemblers are once again fully available.

Monitoring: We have implemented a fix and believe the incident to be resolved. We are monitoring the health of the infrastructure as individual assemblers come back online, and will resolve this if there are no outstanding issues. Please let us know if you are experiencing any problems. We will provide another update by 4:30pm EDT.

Identified: We have identified a further cause and are working on a remediation. Individual assemblers are coming back online. Alert ingestion via some assemblers continues to be delayed. SOC operations are not affected. We will provide another update by 12:30 EDT.

Identified: We have identified a further cause and are working on a remediation. Individual assemblers are coming back online. Alert ingestion via some assemblers continues to be delayed. SOC operations are not affected. We will provide another update by 11:30 EDT.

Identified: We have identified a further cause and are working on a remediation. Alert ingestion via some assemblers continues to be delayed. SOC operations are not affected. We will provide another update by 10:30 EDT.

Identified: We have identified a further cause and are working on a remediation. Alert ingestion via some assemblers continues to be delayed. SOC operations are not affected. We will provide another update by 9:30 EDT.

Identified: We have identified a further cause and are working on a remediation. Alert ingestion via some assemblers continues to be delayed. SOC operations are not affected. We will provide another update by 8:30 EDT.

Identified: We are continuing to work on a fix for this issue.

Identified: We have identified the root cause and are working on a remediation. Alert ingestion via some assemblers continues to be delayed. SOC operations are not affected. We will provide another update by 8:00 EDT.

Identified: We have identified the root cause and are working on a remediation. Alert ingestion via some assemblers continues to be delayed. SOC operations are not affected. We will provide another update by 7:30 EDT.

Identified: We have identified the root cause and are working on a remediation. Alert ingestion via some assemblers continues to be delayed. SOC operations are not affected. We will provide another update by 7:00 EDT.

Investigating: At approximately 4am EDT, we began experiencing a problem with our assembler VPN system that is preventing alerts from being ingested through assemblers. Alert ingestion is delayed for some devices behind an assembler. We will provide an update by 6:30am EDT.

Identified: Microsoft is rolling out deprecation of legacy Exchange tokens that may prevent your users from being able to report emails using the Expel custom Office 365 Phishing button.

Expel is working on development and testing of an updated Expel O365/M365 Phishing button for web and desktop applications that will work with the NAA authentication scheme.

Until Expel is able to deploy the newly developed Phishing button, you should follow the instructions from Microsoft (https://learn.microsoft.com/en-us/office/dev/add-ins/outlook/turn-exchange-tokens-on-off) to enable legacy tokens for your tenant. It can take up to 24 hours for this change to take effect.

Contact support if you need assistance with this process.