Engineering | 8 min readThe power of orchestration: how we automated enrichments for AWS alerts
Automation is key when it comes to helping analysts focus on doing what they do best – investigating legitimate threats. Find out how we use orchestration to automate enrichments for AWS alerts.
Engineering | 8 min readTerraforming a better engineering experience with Atlantis
To build something useful you must first understand your users. Find out how Expel used Terraform and Atlantis to build a platform that makes self-service provisioning in cloud infrastructure easy. % %
Tips | 6 min readPrioritizing suspicious PowerShell activity with machine learning
Attackers love to look to PowerShell to enact their evil plans. Expel’s senior data scientist tells us how she used machine learning to help analysts spot malicious activity in PowerShell quickly.
Tips | 6 min readHow to create and maintain Jupyter threat hunting notebooks
We got a lot of questions about configuring Jupyter notebooks after presenting at Infosec Jupyterthon 2020. See our response along with some tips for incorporating this tech into infosec processes.
Security operations | 8 min readSpotting suspicious logins at scale: (Alert) pathways to success
Find out how our SOC analysts used automation to reduce the time it takes to investigate and report a suspicious login by 75%. The team outlines the process and shares a case study of it in action.
Security operations | 9 min readObfuscation, reflective injection and domain fronting; oh my!
During a recent red team engagement, the CrowdStrike EDR Platform alerted our SOC team on the execution of a suspicious VBScript file. This is what they learned from untangling the malware code.
Tips | 7 min read10 tips for protecting computer security and privacy at home
Many of us recently became remote workers. Now, more than ever, it’s important for us to understand how to keep our at home networks safe. Here are 10 tips to stay secure at home.
Security operations | 5 min readCreating data-driven detections with DataDog and JupyterHub
Creating alert thresholds is critical to *not* driving your SOC analysts batty, but what’s the “right” number? Here are some tips, tricks and favorite tools we use to determine alert thresholds for customer environments.
Security operations | 8 min readUsing JupyterHub for threat hunting? Then you should know these 8 tricks.
Jupyter Notebook gave us the freedom to rethink the way we analyzed hunting data. Here are some tips and tricks you can use in your own analysis.
Security operations | 5 min readBetter web shell detections with Signal Sciences WAF
Is Signal Sciences WAF part of your tech stack? Then you’ve got an amazing webshell detection method right at your fingertips.
Security operations | 5 min readMFA is not a silver bullet to secure your cloud email
Learn how dual or multi-factor authentication (MFA) are not an entirely secure solution for cloud email security on the Expel blog.
Security operations | 7 min readGenerate Strong Security Signals with Sumo Logic & AWS Cloudtrail
Looking to get more or better security signals from AWS Cloudtrail? Learn how with Expel.io. See how we use the Sumo Logic SIEM for actionable data.
Security operations | 6 min readHow to make your org more resilient to common Mac OS attacks
Got Macs in your org? Here are a few recent Mac OS attack trends and how you can become more resilient to ‘em.
Security operations | 6 min readHow to find anomalous process relationships in threat hunting
Finding anomalous process relationships -- commands that don’t belong together -- might indicate a problem within your environment. Here’s how to spot ‘em.
Security operations | 7 min readHow to choose the right security tech for threat hunting
How do you decide which tech to use to carry out your hunt? This post’s got some pro tips for when and how to use different technology for your threat hunting mission.
Security operations | 7 min readHow to build a useful (and entertaining) threat emulation exercise for AWS
Want to test your analysts’ detection skills in the cloud? Here are our tips and tricks for building your own threat emulation exercise in AWS.
Tips | 6 min readFive tips for improving your data ingestion and auditing process
You’re processing loads of data every day...but are you catching it all? Here are tips from our pros for rocking your data auditing.
Tips | 8 min readHow to find Amazon S3 bucket misconfigurations and fix them ASAP
Why do Amazon S3 bucket breaches happen and how can you protect your own org from making this mistake? We’ve got all the AWS pro tips for you in our latest post.
Tips | 6 min readEvaluating GreyNoise: what you need to know and how it can help you
We use technologies behind the scenes to make Expel Workbench and our analysts more efficient. GreyNoise is one of those -- here's how we use it and why you might find it useful too.
Tips | 10 min readSeven ways to spot a business email compromise in Office 365
Learn what business email compromise is, BEC scams categories, and how to prevent or identify these spam phishing attacks in Office 365 including mailbox rule examples and more.
Tips | 8 min readWhy we love threat emulation exercises (and how to get started with one of your own)
If your team doesn’t have lots of incident response practice under their belt (yet!), a threat emulation exercise is the perfect way to help them flex...
Tips | 4 min readFive quick checks to prevent attackers from weaponizing your website
Here are some of the most frequent ways attackers can use your website and your web presence to harm your company, your users and the public at large.
Tips | 10 min readInvestigating Darktrace alerts for lateral movement
Learn how Darktrace works and read an Expel review and features guide for Darktrace to decide if this AI cybersecurity platform is right for you.
Security operations | 8 min readWhat “I Love Lucy” teaches us about SOC performance
A little nerdy (and a lot math-y) post to help you better understand your SOC's systems, so you know how changes will impact its operation.
Tips | 7 min readFrom webshell weak signals to meaningful alert in four steps
A practical example of how you can make a weak signal actionable by combining events from your endpoint and network security tech into one meaningful alert.