24x7 detection and response for Azure workloads using built-in Azure API’s and services
and response for Microsoft Azure
(is it weird that Azure is a “cloud” but it means “sky blue”?)
Microsoft provides a boat load of great security capabilities. So, if you’ve already moved your data or built some apps in Azure, it’s a great place to be. But knowing how to sift through Azure logs or chase down alerts in Security Center isn’t always obvious. Expel helps your security strategy keep up by detecting and running security risks to ground in Microsoft Azure.
Detections designed for your
Our Azure detection strategy uses built-in APIs and services:
- Analyzes Security Center alerts
- Adds Azure-specific detections for high-risk activities
- Tunes detections to match your apps and workloads
What we do
24x7 Azure monitoring
Our analysts chase down your Azure alerts so you can focus on building new features, products and services.
Investigations in Azure
We’ll connect the dots from suspicious alerts in Azure back to their root cause and tell you what they mean.
Fixes “written in Azure”
Whenever possible, our analysts will recommend configuration changes to address activities we tell you about.
What we look for
(updated at Azure speed)
Microsoft is constantly primping and preening (and often renaming) the security capabilities available within Azure. As Microsoft rolls out new services to protect your data and workloads, we’ll evaluate them and update our detection and response strategy where it makes sense so your security strategy can stay in sync. Here are a few examples of things we’ll look for:
How we use native Azure capabilities
(hint: it’s a lot more than chasing Security Center alerts)
Expel uses API integrations to connect directly to the Microsoft Azure platform. We support authentication via an Azure Active Directory app. To collect data, Expel communicates directly with APIs including the Microsoft Graph API for services like Security Center, Azure Activity Logs and Microsoft Cloud App Security (MCAS).
How Expel uses Azure services for detection, investigation and response
|Azure service||Examples of how we use them||Detect||Investigate|
|Azure Active Directory||Monitors who’s accessing your environment|
|Azure Platform Logs||Provides insight into events in the Azure infrastructure|
|Azure ATP||Uses behavioral analytics to flag suspicious behavior|
|Azure Active Directory Identity Protection||Flags risky sign-ons|
|Microsoft Cloud App Security (MCAS)||Gives us a comprehensive alerting based on activity in your Azure environment|
|Azure Security Center||Sends us alerts which we analyze and run to ground|
|Azure Sentinel||Azure’s cloud-native SIEM looking for things that go bump|
Understanding how to think about cloud security differently is half the battle. We’ve thought a lot about it and we’ve identified three key points that should inform your cloud strategy.
Is your data really saveer in the server room next door? Probably not. Here are five reasons why the cloud offers better security than your on-prem environment.
If you’re running workloads on AWS, then you’ll want to know all about the latest and greatest AWS-native security tools. We’ve got you covered in our latest post.