
MDR for cloud infrastructure

24x7 monitoring and response for AWS, Azure and GCP

Detection and response built for the cloud

Getting signal from the cloud is easy; what we do with it is what's unique. Our detection and response strategies are specific to AWS, Azure and GCP. When we discover anomalous activity, we'll tell you what we found, the investigative details and the next steps to fix it.

How we work with each cloud provider

Examples of things we monitor across cloud services
Suspicious logins
Resource sharing
Unusual admin activity
Unusual changes to virtual private clouds (VPC)
Examples of unique things we monitor for each cloud service
Suspicious or unusual activity

Suspicious commands via AWS SSM

Deleted or disabled CloudTrail or GuardDuty

AWS EC2 credential compromise

Publicly accessible S3 buckets

Suspicious AWS CloudWatch event rule creation

Unauthorized resource sharing

Use of lambda to backdoor AWS accounts

Creation of public resources

Credential dumping via runbook

Disabling or downgrading Windows Defender ATP

Suspicious RDP activity

Suspicious modification to resource hierarchy

Suspicious interactions with Service Accounts

Deleted or exported GCP MySQL logs

Publicly accessible Cloud Storage buckets

Suspicious creation of VPC firewall rules

Publicly accessible BigQuery dataset
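Several of the AWS items above (disabled or deleted CloudTrail or GuardDuty, publicly accessible S3 buckets) can be caught from CloudTrail management events alone. The following is an added example of such detection logic, not Expel's code or a description of how Expel's detections work; the rule table, the finding names and the sample events are constructed for illustration, and the exact shape of the `requestParameters` field for `PutBucketAcl` is assumed from CloudTrail's documented JSON rather than taken from this page.

```python
# Added example (not from the original page and not Expel's code): scan
# CloudTrail management events for logging/detection tampering and public
# S3 bucket ACLs. All event records below are constructed for illustration.

# Hypothetical rule table: (eventSource, eventName) -> finding name.
TAMPER_EVENTS = {
    ("cloudtrail.amazonaws.com", "StopLogging"): "CloudTrail logging stopped",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "CloudTrail trail deleted",
    ("guardduty.amazonaws.com", "DeleteDetector"): "GuardDuty detector deleted",
}

# Canned ACLs and the grantee URI that make an S3 bucket world-readable.
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write"}
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"


def classify(event):
    """Return a finding name for one CloudTrail record, or None if benign."""
    key = (event.get("eventSource"), event.get("eventName"))
    if key in TAMPER_EVENTS:
        return TAMPER_EVENTS[key]
    params = event.get("requestParameters") or {}
    # UpdateDetector is benign unless it turns the detector off.
    if key == ("guardduty.amazonaws.com", "UpdateDetector") and params.get("enable") is False:
        return "GuardDuty detector disabled"
    if key == ("s3.amazonaws.com", "PutBucketAcl"):
        # Canned ACL header form (assumed field name: "x-amz-acl", list-valued).
        canned = params.get("x-amz-acl") or []
        if any(v in PUBLIC_CANNED_ACLS for v in canned):
            return "S3 bucket ACL made public (canned ACL)"
        # Explicit grant form (assumed nesting: AccessControlPolicy/AccessControlList/Grant).
        grants = (params.get("AccessControlPolicy", {})
                        .get("AccessControlList", {})
                        .get("Grant", []))
        if isinstance(grants, dict):  # single grant is not wrapped in a list
            grants = [grants]
        for grant in grants:
            if grant.get("Grantee", {}).get("URI") == ALL_USERS_URI:
                return "S3 bucket ACL grants AllUsers"
    return None


def scan(records):
    """Run classify() over a list of CloudTrail records; return the findings."""
    findings = []
    for ev in records:
        name = classify(ev)
        if name is None:
            continue
        findings.append({
            "finding": name,
            "eventID": ev.get("eventID"),
            "eventTime": ev.get("eventTime"),
            "actor": (ev.get("userIdentity") or {}).get("arn"),
            "sourceIP": ev.get("sourceIPAddress"),
        })
    return findings


# Constructed sample records (values are placeholders, not real identifiers).
SAMPLE_EVENTS = [
    {"eventID": "ev-1", "eventTime": "2024-01-01T10:00:00Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/auditor"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": {}},
    {"eventID": "ev-2", "eventTime": "2024-01-01T10:05:00Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"name": "main-trail"}},
    {"eventID": "ev-3", "eventTime": "2024-01-01T10:06:00Z",
     "eventSource": "guardduty.amazonaws.com", "eventName": "UpdateDetector",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"detectorId": "placeholder-detector", "enable": False}},
    {"eventID": "ev-4", "eventTime": "2024-01-01T10:07:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "example-bucket",
                           "AccessControlPolicy": {"AccessControlList": {"Grant": {
                               "Grantee": {"xsi:type": "Group", "URI": ALL_USERS_URI},
                               "Permission": "READ"}}}}},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['eventTime']} {f['finding']} by {f['actor']} from {f['sourceIP']}")
```

The benign `DescribeTrails` call produces nothing, while the three tampering events from the same principal and source IP surface within minutes of each other; correlating findings by actor and source address, as the `scan` output makes easy, is what turns three isolated alerts into one investigation.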

How we ingest signal
Expel uses data from the following cloud-specific services and APIs

GuardDuty

CloudTrail

CloudWatch

Elastic Block Store

EC2

EKS

Lambda

Lightsail

RDS

Redshift

S3

AWS Systems Manager

VPC

Security Center

Platform Logs

Sentinel

MCAS

AD Identity Protection

Virtual Machines

Functions

Blob Storage

Azure Log Analytics

Key Vault

Resource Manager

App Service

SQL Service

Cosmos DB

Event Threat Detection (ETD)

Admin Activity Audit Logs

Cloud IAM

Cloud Compute

Cloud Endpoint

Cloud Function

Cloud App Engine

Cloud SQL

Cloud VPC

KMS

BigQuery

Blog

Behind the scenes in the Expel SOC: Alert-to-fix in AWS

What does detection and response look like in the cloud? Our SOC team shares an example of detecting a real threat in AWS and how they helped our customer remediate it.

Video

Inside an investigation: compromised AWS access keys

Hear how we caught an attacker that used a developer’s machine to gain access to AWS.

Blog

Making sense of Amazon GuardDuty alerts

What is AWS GuardDuty and how can you make sense of all the signals? Here are our pro tips.

Three questions other MDR and MSSP providers are hoping you won't ask them

Is your detection strategy tailored to each cloud service?

Do you treat log data from cloud services differently than other logs?

How do you train your analysts to investigate incidents that originate in the cloud?

Ready to talk to a human?

When you tell us you’re ready, we won’t waste your time. Let us know what you’re looking for and we’ll have someone get in touch who can talk tech.
