
Microsoft Azure Monitoring

24x7 detection and response for Azure workloads using built-in Azure APIs and services

Managed detection and response for Microsoft Azure

(is it weird that Azure is a “cloud” but it means “sky blue”?)

Microsoft provides a boatload of great security capabilities. So, if you’ve already moved your data or built some apps in Azure, it’s a great place to be. But knowing how to sift through Azure logs or chase down alerts in Security Center isn’t always obvious. Expel helps your security strategy keep up by detecting security risks in Microsoft Azure and running them to ground.

Detections designed for your Azure environment

Our Azure detection strategy uses built-in APIs and services:

  • Analyzes Security Center alerts
  • Adds Azure-specific detections for high-risk activities
  • Tunes detections to match your apps and workloads

What we do

24x7 Azure monitoring

Our analysts chase down your Azure alerts so you can focus on building new features, products and services.

Investigations in Azure

We’ll connect the dots from suspicious alerts in Azure back to their root cause and tell you what they mean.

Fixes “written in Azure”

Whenever possible, our analysts will recommend configuration changes to address activities we tell you about.

It’s not very often that you’ve got a Slack channel with your CSO, your analyst and your managed security provider all talking together at 2:00 AM … It’s a great feeling. It feels like our analysts aren’t alone in the middle of the night.

— Amanda Fennell, Chief Security Officer

What we look for

(updated at Azure speed)

Microsoft is constantly primping and preening (and often renaming) the security capabilities available within Azure. As Microsoft rolls out new services to protect your data and workloads, we’ll evaluate them and update our detection and response strategy where it makes sense so your security strategy can stay in sync. Here are a few examples of things we’ll look for:

Suspicious logins and unauthorized access

Disabling or changing Azure security capabilities

Unauthorized sharing or access to sensitive data

Evidence of an account compromise

Unusual or risky interaction with Azure management plane


Risky violations of Azure best

How we use native Azure capabilities

(hint: it’s a lot more than chasing Security Center alerts)

Expel uses API integrations to connect directly to the Microsoft Azure platform. We support authentication via an Azure Active Directory app. To collect data, Expel communicates directly with APIs including the Microsoft Graph API for services like Security Center, Azure Activity Logs and Microsoft Cloud App Security (MCAS).
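To make the integration described above concrete, here is an added illustration (not Expel’s code and not tied to Expel’s own integration) of the pattern it names: an Azure Active Directory app registration obtains a Microsoft Graph token with the OAuth2 client-credentials flow, pulls alerts from the Graph security alerts endpoint (the feed that carries Security Center and Identity Protection alerts), follows paging, and filters the result down to what an analyst would pick up first. The tenant id, client id and secret are placeholders, the provider codes and alert records in the sample pages are constructed for the stand-alone demo, and the live transports are only used when real credentials are supplied.

```python
"""Added illustration, not Expel's code: an Azure AD app authenticating to
Microsoft Graph (client-credentials flow) and pulling security alerts for
triage. Credentials are placeholders; the sample pages are constructed."""
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
# Graph alert severities, ranked so alerts can be filtered and ordered.
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "informational": 0, "unknown": 0}


def http_post_form(url, fields):
    """Live transport: POST a form-encoded body, return the JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def http_get_json(url, bearer_token):
    """Live transport: GET with the app's bearer token, return the JSON reply."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + bearer_token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def get_app_token(tenant_id, client_id, client_secret, post=http_post_form):
    """Client-credentials grant: the app itself (no signed-in user) gets a
    Graph token. The registration needs the SecurityEvents.Read.All
    application permission, admin-consented, for /security/alerts."""
    reply = post(TOKEN_URL.format(tenant=tenant_id), {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    })
    return reply["access_token"]


def fetch_alerts(token, get=http_get_json):
    """Collect every alert, following @odata.nextLink so paging drops nothing."""
    url, alerts = ALERTS_URL, []
    while url:
        page = get(url, token)
        alerts.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return alerts


def triage(alerts, min_severity="medium"):
    """Keep unresolved alerts at or above min_severity, most severe first."""
    floor = SEVERITY_RANK[min_severity]

    def rank(a):
        return SEVERITY_RANK.get(str(a.get("severity", "unknown")).lower(), 0)

    keep = [a for a in alerts if a.get("status") != "resolved" and rank(a) >= floor]
    keep.sort(key=lambda a: (-rank(a), a.get("createdDateTime", "")))
    return [(a["id"], a["vendorInformation"]["provider"], a["title"]) for a in keep]


# Constructed sample: two Graph pages shaped like alert resources (provider
# codes and titles are made up for the demo).
SAMPLE_PAGES = {
    ALERTS_URL: {
        "value": [
            {"id": "a1", "title": "Suspicious sign-in from anonymous IP", "severity": "medium",
             "status": "newAlert", "createdDateTime": "2021-03-01T02:00:00Z",
             "vendorInformation": {"provider": "IPC"}},
            {"id": "a2", "title": "Diagnostic logging disabled on storage account",
             "severity": "high", "status": "newAlert",
             "createdDateTime": "2021-03-01T02:05:00Z",
             "vendorInformation": {"provider": "ASC"}},
        ],
        "@odata.nextLink": ALERTS_URL + "?$skiptoken=page2",
    },
    ALERTS_URL + "?$skiptoken=page2": {
        "value": [
            {"id": "a3", "title": "Failed sign-in burst", "severity": "low",
             "status": "newAlert", "createdDateTime": "2021-03-01T02:10:00Z",
             "vendorInformation": {"provider": "IPC"}},
            {"id": "a4", "title": "Role assignment outside change window", "severity": "high",
             "status": "resolved", "createdDateTime": "2021-03-01T01:00:00Z",
             "vendorInformation": {"provider": "ASC"}},
        ],
    },
}


def demo():
    """Run the pipeline offline against the constructed pages with a fake token."""
    fake_post = lambda url, fields: {"access_token": "constructed-token"}
    fake_get = lambda url, token: SAMPLE_PAGES[url]
    token = get_app_token("TENANT-ID-PLACEHOLDER", "CLIENT-ID-PLACEHOLDER",
                          "CLIENT-SECRET-PLACEHOLDER", post=fake_post)
    return triage(fetch_alerts(token, get=fake_get))


if __name__ == "__main__":
    for alert_id, provider, title in demo():
        print(alert_id, provider, title)
```

The two points worth noticing for anyone wiring this up themselves: the app token is scoped to the app registration’s consented permissions, not to any user, so the registration should be granted only the read permissions the feed needs; and `@odata.nextLink` must be followed, because a single page of alerts is never the whole picture.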

How Expel uses Azure services for detection, investigation and response

Azure service                                Examples of how we use them                                                   Detect   Investigate
Azure Active Directory                       Monitors who’s accessing your environment
Azure Platform Logs                          Provides insight into events in the Azure infrastructure
Azure ATP                                    Uses behavioral analytics to flag suspicious behavior
Azure Active Directory Identity Protection   Flags risky sign-ons
Microsoft Cloud App Security (MCAS)          Gives us comprehensive alerting based on activity in your Azure environment
Azure Security Center                        Sends us alerts which we analyze and run to ground
Azure Sentinel                               Azure’s cloud-native SIEM looking for things that go bump


Getting a grip on your cloud security strategy

Understanding how to think about cloud security differently is half the battle. We’ve thought a lot about it and we’ve identified three key points that should inform your cloud strategy.


Why the cloud is probably more secure than your on-prem environment

Is your data really safer in the server room next door? Probably not. Here are five reasons why the cloud offers better security than your on-prem environment.


Four habits of highly effective security

If you’re running workloads on AWS, then you’ll want to know all about the latest and greatest AWS-native security tools. We’ve got you covered in our latest post.

Give us 30 minutes to show you how we can protect your data and workloads in Azure.
