
your cloud(s)

24x7 monitoring and response for AWS, Azure and SaaS apps including O365

If any of these sound like you, chances are we can help.

You’re “moving to the cloud” but don’t (yet) have the tech or people to watch it

Developers with credit cards are building things in the cloud that you can’t see

You just rolled out O365 but aren’t able to implement 2FA to lock it down

You’ve built a custom app in AWS and it’s time to get serious about securing it

24x7 monitoring and response for …

Cloud infrastructure

SaaS applications

The cloud isn’t just one thing. What you need to look for depends on what you’re looking at. Expel’s cloud detection strategy is tailored to the cloud apps and infrastructure we monitor.

Examples of things we monitor across cloud services

Suspicious logins

Resource sharing

Unusual admin activity

Unusual changes to virtual private clouds (VPC)

Examples of unique things we monitor for each cloud service

Suspicious or unusual activity

Suspicious commands via AWS SSM

Deleted or disabled CloudTrail or GuardDuty

AWS EC2 credential compromise

Publicly accessible S3 buckets

Suspicious AWS CloudWatch event rule creation

Unauthorized resource sharing

Use of lambda to backdoor AWS accounts

Creation of public resources

Credential dumping via runbook

Disabling or downgrading Windows Defender ATP

Suspicious RDP activity

Suspicious modification to resource hierarchy

Suspicious interactions with Service Accounts

Deleted or exported GCP MySQL logs

Publicly accessible Cloud Storage buckets

Suspicious creation of VPC firewall rules

Publicly accessible BigQuery dataset

How we ingest signal

Expel uses data from the following cloud-specific services and APIs

AWS CloudTrail


Amazon GuardDuty

AWS Lambda

Amazon Macie

Amazon Redshift audit logs


Azure Activity Log

Azure Active Directory

Azure Log Analytics

Azure Security Center

Azure Identity Protection

Audit Logs

Compute Engine

Event Threat Detection (ETD)

Cloud Functions

Virtual Private Cloud (VPC)


Cloud Storage

Cloud SQL

What does 24x7 monitoring and response for AWS, Azure, GCP and SaaS apps include?

Expel ingests your events and log data from your AWS, Azure and SaaS apps and enriches it with context that’s specific to your environment. Then, we continuously look for indicators of attacker behavior.

When something’s suspicious, we investigate and tell you what happened and what you need to do about it (in plain English).


Getting a grip on your cloud security strategy

Understanding how to think about cloud security differently is half the battle. Here are three key points that should inform your cloud strategy.

Trial Expel Workbench™ for AWS

Strengthen your cloud security with Expel validated alerts and automate your investigations during our two-week free trial.

Making sense of Amazon GuardDuty alerts

What is AWS GuardDuty and how can you make sense of all the signals? Here are our pro tips.

Three questions other MDR and MSSP providers are hoping you won’t ask them

Is your detection strategy tailored to each cloud service?

Do you treat log data from cloud services differently than other logs?

How do you train your analysts to investigate incidents that originate in the cloud?

Ready to talk to a human?

When you tell us you’re ready, we won’t waste your time. Let us know what you’re looking for and we’ll have someone get in touch who can talk tech.

