

Microsoft Azure Monitoring

24x7 detection and response for Azure workloads using built-in Azure APIs and services

Managed detection and response for Microsoft Azure

(is it weird that Azure is a “cloud” but it means “sky blue”?)

Microsoft provides a boatload of great security capabilities. So, if you’ve already moved your data or built some apps in Azure, it’s a great place to be. But knowing how to sift through Azure logs or chase down alerts in Defender for Cloud (Security Center) isn’t always obvious. Expel helps your security strategy keep up by detecting and running security risks to ground in Microsoft Azure.

Detections designed for your Azure environment

Our Azure detection strategy uses built-in APIs and services:

  • Analyzes Defender for Cloud (Security Center) alerts
  • Adds Azure-specific detections for high-risk activities
  • Tunes detections to match your apps and workloads

What we do

24x7 Azure monitoring

Our analysts chase down your Azure alerts so you can focus on building new features, products and services.

Investigations in Azure

We’ll connect the dots from suspicious alerts in Azure back to their root cause and tell you what they mean.

Fixes “written in Azure”

Whenever possible, our analysts will recommend configuration changes to address activities we tell you about.

What we look for

(updated at Azure speed)

Microsoft is constantly primping and preening (and often renaming) the security capabilities available within Azure. As Microsoft rolls out new services to protect your data and workloads, we’ll evaluate them and update our detection and response strategy where it makes sense so your security strategy can stay in sync. Here are a few examples of things we’ll look for:

Suspicious logins and unauthorized access

Disabling or changing Azure security capabilities

Unauthorized sharing or access to sensitive data

Evidence of an account compromise

Unusual or risky interaction with Azure management plane


Risky violations of Azure best

How we use native Azure capabilities

(hint: it’s a lot more than chasing Defender for Cloud (Security Center) alerts)

Expel uses API integrations to connect directly to the Microsoft Azure platform. We support authentication via an Azure Active Directory app. To collect data, Expel communicates directly with APIs including the Microsoft Graph API for services like Defender for Cloud (Security Center), Azure Activity Logs and Microsoft Defender for Cloud Apps (formerly MCAS).

How Expel uses Azure services for detection, investigation and response

| Azure service | Examples of how we use them | Detect | Investigate |
|---|---|---|---|
| Azure Active Directory | Monitors who’s accessing your environment | | |
| Azure Platform Logs | Provides insight into events in the Azure infrastructure | | |
| Azure ATP | Uses behavioral analytics to flag suspicious behavior | | |
| Azure Active Directory Identity Protection | Flags risky sign-ons | | |
| Microsoft Defender for Cloud Apps (formerly MCAS) | Gives us comprehensive alerting based on activity in your Azure environment | | |
| Defender for Cloud (Security Center) | Sends us alerts which we analyze and run to ground | | |
| Azure Sentinel | Azure’s cloud-native SIEM looking for things that go bump | | |


Getting a grip on your cloud security strategy

Understanding how to think about cloud security differently is half the battle. We’ve thought a lot about it and we’ve identified three key points that should inform your cloud strategy.


Why the cloud is probably more secure than your on-prem environment

Is your data really safer in the server room next door? Probably not. Here are five reasons why the cloud offers better security than your on-prem environment.


Four habits of highly effective security

Practice these habits consistently and you’ll have an engaged, talented and all-around awesome security team.

© 2022 Expel, Inc. All Rights Reserved
