AnnouncementCase StudyCheckmarkcustomer-story-iconData Sheethow-to-logoposts
skip to Main Content

your cloud(s)

24x7 monitoring and response for AWS, Azure and SaaS apps including O365

If any of these sound like you, chances are we can help.


You’re “moving to the cloud” but don’t (yet) have the tech or people to watch it


Developers with credit cards are building things in the cloud that you can’t see


You just rolled out O365 but aren’t able to implement 2FA to lock it down


You’ve built a custom app in AWS and it’s time to get serious about securing it

24x7 monitoring and response for …

Cloud infrastructure


SaaS applications


The cloud isn’t just one thing. What you need to look for depends what you’re looking at. Expel’s cloud detection strategy is tailored to the cloud apps and infrastructure we monitor.

Examples of things we monitor across cloud services
Suspicious logins
Resource sharing
Unusual super user activity
Suspicious inbox rules
Examples of unique things we monitor for each cloud service

Suspicious or unusual activity

Suspicious commands via AWS SSM

Deleted or disabled CloudTrail or GuardDuty

AWS EC2 credential compromise

Publicly accessible S3 buckets

Suspicious AWS CloudWatch event rule creation

Unauthorized resource sharing

Use of lambda to backdoor AWS accounts

Creation of public resources

Credential dumping via runbook

Disabling or downgrading Windows Defender ATP

Suspicious RDP activity

Activity from a suspicious IP or location

Unusual volume of file deletion

Creation of suspicious inbox rules or privileges

Mass account lockouts

Unusual mailbox permissions

How we ingest signal

Expel uses data from the following cloud-specific services and APIs

AWS CloudTrail


Amazon GuardDuty

AWS Lambda

Amazon Macie

Amazon Redshift audit logs


Azure Activity Log

Azure Active Directory

Azure Log Analytics

Azure Security Center

Azure Identity Protection

Microsoft Graph API

Office 365 audit log

Microsoft Cloud Application Security

Security and Compliance alerts

Azure Active Directory

Azure Identity Protection


What does 24x7 monitoring and response for AWS, Azure and SaaS apps include?

Expel ingests your events and log data from your AWS, Azure and SaaS apps and enriches it with context that’s specific to your environment. Then, we continuously look for indicators of attacker behavior.

When something’s suspicious, we investigate and tell you what happened and what you need to do about it (in plain English).

More on what we do >

Getting a grip on your cloud security strategy

Understanding how to think about cloud security differently is half the battle. Here are three key points that should inform your cloud strategy.

White Paper

Seven ways to spot a business email compromise in O365

It’s getting trickier to protect against BEC attacks. Here are some telltale signs you can look for that are tip-offs that something’s amiss.


Making sense of Amazon GuardDuty alerts

What is AWS GuardDuty and how can you make sense of all the signals? Here are our pro tips.


Three questions other MDR
and MSSP providers are hoping you won’t ask them

Is your detection strategy tailored to each cloud service?

Do you treat log data from cloud services differently than other logs?

How do you train your analysts to investigate incidents that originate in the cloud?

Ready to talk to a human?

When you tell us you’re ready, we won’t waste your time. Let us know what you’re looking for and we’ll have someone get in touch who can talk tech.


Back To Top