EXPEL BLOG

The power of API integrations in managed detection and response (MDR)


· 4 MIN READ · GARRETT STEPHENS AND BRANDON KIRKLEN · MAR 14, 2025 · TAGS: Integrations

TL;DR

  • Security providers need to collect telemetry to secure an organization’s environment and limit threats
  • API connections are a great way to do so, because they’re easy to set up, stable, fast, and bi-directional 
  • Expel utilizes a broad, deep library of API integrations to provide our customers complete attack surface coverage and peace of mind


Leading security providers deliver meaningful outcomes for their customers by understanding the specifics of their unique environment. Previously, this was focused on endpoints, and was managed by endpoint detection and response (EDR) providers. As the market evolved and more attack surfaces became targets, that transitioned to managed detection and response (MDR) providers.

Without telemetry from these security tools, security at scale is impossible. The speed and accuracy of retrieving this data is crucial for a solution like MDR to be effective, and this data plus a provider’s detection and response expertise ultimately defines the quality of service a customer receives. 

Data collection 

There are three main ways that MDR providers collect security telemetry from customer technology: push, pull, or stream. This isn’t a new process; EDR—and now MDR—providers have been using these traditional methods for a long time. But newer, more modern methods have emerged that provide additional benefits over these traditional methods.

Collection method   Traditional approach   Modern approach
Push                Syslog, email          API, webhook
Pull                SIEM, collector        API
Stream              n/a                    S3/GCP bucket ingest

Traditional push connections enable teams to collect and interpret telemetry from across their environment and correlate events across multiple systems. Examples include data being sent directly to a target from a security solution, data sent via transmission control protocol (TCP), or data sent via email. These are common and well-established methods of sending telemetry. However, it is difficult to evaluate the health of the connection to the source, and the data can’t be followed up with additional queries for new or different information if needed.

Traditional pull connections refer to a collector or EDR sensor, but often mean collection via a security information and event management (SIEM) solution. All of the data is sent to an aggregation source and can be accessed and acted upon from one central location. There can be challenges in maintaining the quality of these connections and extracting the relevant data when needed. Changes from the original source can greatly impact the accuracy of the data if the connection isn’t healthy or not operating as expected.

API connections are flexible and bi-directional, enabling data to flow both ways, which allows additional information and context to be accessed via querying. These connections have security measures built in to mitigate the risk of compromise and enable additional actions, such as remediations, to be taken that help mitigate security risks.

Benefits of API connections

There are many benefits to using API connections to analyze security data, especially when delivering detection and response services. Using primarily API connections enables MDR providers to deliver the best detection and response capabilities the quickest. 

  • Setup: API connections are easier to set up and configure than traditional data collection methods. This means data ingestion and analysis can begin within hours or days instead of weeks, minimizing gaps in coverage when adding or replacing technologies. 
  • Stability: The health of an API connection is more transparent than a direct Syslog or SIEM connection. Teams can quickly understand the quality and frequency of data being received and know if the integration is acting as it should. 
  • Speed: Data sent via API connection is real-time. Other connection types are often sent on a regular interval or when a specific action occurs, meaning there may be gaps between a threat appearing and action being taken.
  • Bi-directional: Telemetry from API connections can be pulled in from the source, but additional queries can also be sent back in the other direction. This enables the gathering of additional intel for event correlation, or taking action (if the source is capable), speeding up the analysis and remediation timeline for threats.
  • Remediation and notifications: Using an API enables certain remediation actions to be automatic (depending on user preference and the specific technology) based on information received, and can also automate forwarding investigations to IT management solutions.  
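The following is an added illustration, not Expel’s code or any vendor’s API, of the two properties the table and the Stability and Bi-directional bullets above describe: a pull collector that pages through an alert endpoint from a saved cursor, tracks its own connection health (last success, newest event seen, consecutive failures) so a stale or broken integration is detectable, and queries back to the source for host context a one-way push feed could not carry. The `FakeAlertApi` class, the sample alerts, the host inventory, and the `list_alerts`/`get_host` method names are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample alerts standing in for a vendor alert API (not real data).
SAMPLE_ALERTS = [
    {"id": 101, "ts": "2025-03-14T10:00:00+00:00", "host": "ws-01", "severity": "low"},
    {"id": 102, "ts": "2025-03-14T10:01:30+00:00", "host": "ws-07", "severity": "high"},
    {"id": 103, "ts": "2025-03-14T10:02:10+00:00", "host": "ws-01", "severity": "medium"},
]
# Constructed host inventory used for the "query back" enrichment.
SAMPLE_HOSTS = {
    "ws-01": {"owner": "finance", "os": "Windows 11"},
    "ws-07": {"owner": "engineering", "os": "macOS 15"},
}
# Fixed "now" so the health checks below are deterministic.
NOW = datetime(2025, 3, 14, 10, 5, tzinfo=timezone.utc)


class FakeAlertApi:
    """In-memory stand-in (hypothetical) for a vendor API with cursor pagination."""

    def __init__(self, alerts, hosts, fail_calls=0):
        self._alerts, self._hosts = alerts, hosts
        self._fail_calls = fail_calls  # number of calls that simulate an outage

    def list_alerts(self, cursor=0, limit=2):
        if self._fail_calls > 0:
            self._fail_calls -= 1
            raise ConnectionError("simulated API outage")
        page = self._alerts[cursor:cursor + limit]
        return page, cursor + len(page)

    def get_host(self, hostname):
        return self._hosts.get(hostname)


@dataclass
class ConnectionHealth:
    """What a push feed cannot tell you: is the integration alive and current?"""
    last_success: Optional[datetime] = None
    newest_event: Optional[datetime] = None
    events_received: int = 0
    consecutive_failures: int = 0

    def status(self, now, max_silence=timedelta(minutes=15), max_failures=3):
        if self.consecutive_failures >= max_failures:
            return "down"       # the source is unreachable
        if self.newest_event is None or now - self.newest_event > max_silence:
            return "stale"      # reachable, but no fresh telemetry
        return "healthy"


class ApiCollector:
    def __init__(self, api):
        self.api = api
        self.cursor = 0          # persisted position, so restarts do not re-read
        self.health = ConnectionHealth()

    def poll(self, now):
        """Pull every page since the saved cursor, updating health as we go."""
        new_alerts = []
        try:
            while True:
                page, self.cursor = self.api.list_alerts(cursor=self.cursor)
                if not page:
                    break
                new_alerts.extend(page)
        except ConnectionError:
            self.health.consecutive_failures += 1
            return new_alerts    # keep whatever pages succeeded
        self.health.consecutive_failures = 0
        self.health.last_success = now
        self.health.events_received += len(new_alerts)
        for alert in new_alerts:
            ts = datetime.fromisoformat(alert["ts"])
            if self.health.newest_event is None or ts > self.health.newest_event:
                self.health.newest_event = ts
        return new_alerts

    def enrich(self, alert):
        """Bi-directional use: ask the source for context about the alert's host."""
        host = self.api.get_host(alert["host"]) or {}
        return {**alert, "host_owner": host.get("owner"), "host_os": host.get("os")}


def run_demo():
    """Exercise a healthy collector, a quiet period, and a failing source."""
    collector = ApiCollector(FakeAlertApi(SAMPLE_ALERTS, SAMPLE_HOSTS))
    first = collector.poll(NOW)
    second = collector.poll(NOW)                  # nothing new past the cursor
    enriched = collector.enrich(first[1])
    flaky = ApiCollector(FakeAlertApi(SAMPLE_ALERTS, SAMPLE_HOSTS, fail_calls=3))
    for _ in range(3):
        flaky.poll(NOW)
    return {
        "ids": [a["id"] for a in first],
        "cursor": collector.cursor,
        "second_poll": len(second),
        "status_now": collector.health.status(NOW),
        "status_later": collector.health.status(NOW + timedelta(hours=1)),
        "owner": enriched["host_owner"],
        "flaky_status": flaky.health.status(NOW),
    }


if __name__ == "__main__":
    print(run_demo())
```

The health object is the point of the example: with a syslog push, silence is indistinguishable from "no events", whereas a cursor-based API pull lets the collector distinguish a reachable-but-quiet source ("stale") from an unreachable one ("down") and resume exactly where it left off after an outage.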

How Expel uses API connections to deliver outcomes

MDR providers need the most recent information available to maximize security outcomes. The way an organization goes about both acquiring this telemetry and applying it via automation, AI, and other vectors determines what level of service a customer receives, and modern API connections are usually the right answer to this question.

Expel has been API-first in its tech integration philosophy since our founding. We believe it’s critical to have a high-quality, real-time connection with the key security tools our customers use on a daily basis. We aim to provide as many integrations as possible via API, enabling us to ensure the health of data ingested from customer environments (and execute response actions when applicable). We also use other methods (such as a webhook or SIEM integration) to ensure we get the necessary data to power our detection rules engine if an API connection isn’t an option.

Benefits of Expel’s integration approach

Quick visibility

Expel begins evaluating your security data for indicators and anomalies as soon as your tech is added, enabling your team to adopt new technologies with no gaps in coverage.

A unified view

Expel collects and correlates data from your entire infrastructure, and maps it to the MITRE ATT&CK Framework, providing you with complete coverage and a centralized view across your environment. 

Meaningful alerting

Expel automates hundreds of analyst investigations—turning hours into seconds via the telemetry of connected devices—and reduces false positives by surfacing only the items that teams need to focus on.

Time savings

Expel takes advantage of our real-time API-based telemetry and applies automation and machine learning (ML) to weed through the noise in your environment, surface the right information at the right time, and speed up response times.

API expertise

Expel’s API expertise empowers us to enable automations, create and update detections for various technologies, and correlate data across any environment to rapidly detect and respond to incidents with a mean time to remediate (MTTR) of 17 minutes.