EXPEL BLOG

How to onboard with Expel in 7 minutes (No, really. We’ll show you.)

· 3 MIN READ · PAUL LAWRENCE · JUN 5, 2025 · TAGS: Guidance

TL;DR 

  • You can onboard new attack surfaces to Expel MDR and immediately begin monitoring them in less than seven minutes 
  • This includes time to validate the connection within our platform, Expel Workbench™, and to test the connection by generating an alert
  • To check all of your integration options with Expel MDR, explore our list here

 

What can you do with seven minutes? Quick things that come to mind are taking out the trash, putting dishes away, or switching over your laundry. And what about during your work day? There’s not much you can do in that same amount of time–maybe you can respond to one email, or send a meeting invite…and from there the list dwindles. 

But what you can do in seven minutes (or less) is onboard Expel Managed Detection and Response (MDR). No, that isn’t a typo. Seven minutes is all it takes to get up and running in our platform, Expel Workbench, with our easy self-service setup. We even timed it ourselves with a stopwatch (seriously).

 

How it works 

In our most recent onboarding example, we walk through the setup process for three different attack surfaces: 

  1. Cloud: AWS CloudTrail 
  2. EDR: CrowdStrike Falcon 
  3. SaaS: Microsoft Office365

To get started, navigate to Organization Settings > Security Devices in Workbench. From there, click the + Add Security Device button in the top right corner.

In this specific example, we start with AWS CloudTrail. We have some built-in cheat codes here: we can walk through a quick wizard and leverage tools you’re probably already using to automate things in AWS, like CloudFormation and Terraform. Simply select AWS CloudTrail from the available integrations list and answer three questions about your AWS setup. Then paste in your AWS ID, and continue the integration in your AWS account. While the setup is finishing in AWS, you can jump back into Workbench and continue onboarding your next attack surface. The AWS CloudTrail integration might show a warning sign while it’s loading, but don’t panic while setup is still running. You’re all clear to keep working!

 

Time stamp check: 47 seconds. 

Next up, we’ll move to CrowdStrike Falcon, which is an endpoint detection and response (EDR) tool. (Fun fact: EDRs are commonly used in auto remediations, and you can learn more about that here.)

For this EDR, you’ll start by labeling your tool with a name and location, and then drop in your ID, just like with AWS. You’ll also need your secret and API access key handy, and from there it’s just a few prompted questions about alert preferences. You can also choose to set up your console access for CrowdStrike now, or later. 

It’s possible the CloudFormation stack will show healthy before Workbench shows the same, and that’s okay. You’re good to move forward, and we’ll keep an eye on how long CloudTrail takes to finish setup in the meantime.

 

Time stamp check: 2 minutes and 14 seconds.

In less than three minutes, we’ve successfully connected two* attack surfaces—one in the cloud and one endpoint—to Expel MDR. For our third and final act (this time around, at least), we’re connecting Expel MDR to Office365. 

(*Technically, one is still in progress, but c’est la vie.)

Just like before, you’ll search for and select Office365, choose the right account, and grant the necessary permissions for the connection. Paste in your Tenant ID, answer the prompted questions, and ta-da: another healthy connection!

 

Time stamp check: 2 minutes and 55 seconds.

At this point, AWS CloudTrail’s connection is showing as successful on the AWS side, and we’re refreshing and waiting for the successful connection to appear in Workbench. Once it does, we’re about four minutes into setup, and you may be wondering what we’re going to spend the next three minutes doing. 

 

Time stamp check: 4 minutes and 48 seconds. 

Well, you have two options: you can call it a day and mark it off your to-do list, or you can test the connection yourself, which is what we chose to do in this example. And how do you do that? With some sketchy, nefarious PowerShell commands, of course. Within one minute of running some nonsense on PowerShell, Workbench has generated one alert from CrowdStrike Falcon. Connection confirmed! 

 

Time stamp check: 6 minutes and 10 seconds. 

So in under seven minutes, Expel is connected to and immediately monitoring three new attack surfaces for Lumon Industries in this example (if you know, you know). 

Now you have 473 minutes left in your work day to do anything else. You can spend that time adding more attack surfaces…or maybe just make another cup of coffee, because it’s going to be hard to beat that efficiency the rest of the day. 

Watch the full video example here.