Detection and response
built for the cloud
Getting signal from the cloud is easy, it’s what we do with it that’s unique. Our detection and response strategies are specific to AWS, Azure and GCP. We’ll let you know when we discover anomalous activity, the investigative details and next steps to fix it.
24x7 monitoring and response for …
How we work with each cloud provider
 |
 |
 |
|
|---|---|---|---|
| Examples of things we monitor across cloud services | |||
| Suspicious logins | |||
| Resource sharing | |||
| Unusual admin activity | |||
| Unusual changes to virtual private clouds (VPC) | |||
| Examples of unique things we monitor for each cloud service | |||
| Suspicious or unusual activity |
Suspicious commands via AWS SSM Deleted or disabled CloudTrail or GuardDuty AWS EC2 credential compromise Publicly accessible S3 buckets Suspicious AWS CloudWatch event rule creation Unauthorized resource sharing Use of lambda to backdoor AWS accounts |
Creation of public resources Credential dumping via runbook Disabling or downgrading Windows Defender ATP Suspicious RDP activity |
Suspicious modification to resource hierarchy Suspicious interactions with Service Accounts Deleted or exported GCP MySQL logs Publicly accessible Cloud Storage buckets Suspicious creation of VPC firewall rules Publicly accessible BigQuery dataset |
| How we ingest signal | |||
| Expel uses data from the following cloud-specific services and APIs |
GuardDuty CloudTrail CloudWatch Elastic Block Storage EC2 EKS Lambda Lightsail RDS Redshift S3 AWS System Managers VPC |
Defender for Cloud (Security Center) Platform Logs Sentinel MCAS AD Identity Protection Virtual Machines Functions Blog Storage Azure Log Analytics Key Vault Resource Manager App Service SQL Service Cosmos DB |
Event Threat Detection (ETD) Admin Activity Audit Logs Cloud iAM Cloud Compute Cloud Endpoint Cloud Function Cloud App Engine Cloud SQL Cloud VPC KMS BigQuery |
Blog
Behind the scenes in the Expel SOC: Alert-to-fix in AWS
What does detection and response look like in the cloud? Our SOC team shares an example of detecting a real threat in AWS and how they helped our customer remediate it.
Video
Inside an investigation: compromised AWS access keys
Hear how we caught an attacker that used a developer’s machine to gain access to AWS.
Blog
Making sense of Amazon GuardDuty alerts
What is AWS GuardDuty and how can you make sense of all the signals? Here are our pro tips.
Three questions other MDR
and MSSP providers are hoping you won’t ask them
Is your detection strategy tailored to each cloud service?
Do you treat log data from cloud services differently than other logs?
How do you train your analysts to investigate incidents that originate in the cloud?