

Expel for cloud

24x7 monitoring and response for AWS, Azure and GCP

Detection and response built for the cloud

Getting signal from the cloud is easy, it’s what we do with it that’s unique. Our detection and response strategies are specific to AWS, Azure and GCP. We’ll let you know when we discover anomalous activity, the investigative details and next steps to fix it.

How we work with each cloud provider

Examples of things we monitor across cloud services
Suspicious logins
Resource sharing
Unusual admin activity
Unusual changes to virtual private clouds (VPC)

Examples of unique things we monitor for each cloud service (suspicious or unusual activity)

AWS
Suspicious commands via AWS SSM
Deleted or disabled CloudTrail or GuardDuty
AWS EC2 credential compromise
Publicly accessible S3 buckets
Suspicious AWS CloudWatch event rule creation
Unauthorized resource sharing
Use of Lambda to backdoor AWS accounts
Creation of public resources

Azure
Credential dumping via runbook
Disabling or downgrading Windows Defender ATP
Suspicious RDP activity

GCP
Suspicious modification to resource hierarchy
Suspicious interactions with Service Accounts
Deleted or exported GCP MySQL logs
Publicly accessible Cloud Storage buckets
Suspicious creation of VPC firewall rules
Publicly accessible BigQuery dataset

How we ingest signal
Expel uses data from the following cloud-specific services and APIs

AWS
Elastic Block Store
AWS Systems Manager

Azure
Defender for Cloud (Security Center)
Platform Logs
AD Identity Protection
Virtual Machines
Blob Storage
Azure Log Analytics
Key Vault
Resource Manager
App Service
SQL Service
Cosmos DB

GCP
Event Threat Detection (ETD)
Admin Activity Audit Logs
Cloud IAM
Cloud Compute
Cloud Endpoint
Cloud Function
Cloud App Engine
Cloud SQL
Cloud VPC




Behind the scenes in the Expel SOC: Alert-to-fix in AWS

What does detection and response look like in the cloud? Our SOC team shares an example of detecting a real threat in AWS and how they helped our customer remediate it.


Inside an investigation: compromised AWS access keys

Hear how we caught an attacker that used a developer’s machine to gain access to AWS.


Making sense of Amazon GuardDuty alerts

What is AWS GuardDuty and how can you make sense of all the signals? Here are our pro tips.

Three questions other MDR and MSSP providers are hoping you won’t ask them

Is your detection strategy tailored to each cloud service?

Do you treat log data from cloud services differently than other logs?

How do you train your analysts to investigate incidents that originate in the cloud?

Ready to talk to a human?

When you tell us you’re ready, we won’t waste your time. Let us know what you’re looking for and we’ll have someone get in touch who can talk tech.