On Thursday, managed detection and response provider Expel announced the launch of its Expel for Microsoft offering, which automatically analyzes and prioritizes alerts across a suite of Microsoft products including Active Directory, AD Identity Protection, Azure, Microsoft Cloud App Security, Microsoft Defender for Endpoint, Office 365 and Sentinel.
Expel’s APIs ingest security signals from Microsoft’s products, along with any third-party signals, into Expel Workbench, Expel’s analytics engine, which triages alerts using threat intelligence gathered across its customer base to uncover suspicious activity. Activity such as suspicious logins, data exfiltration attempts, suspicious Remote Desktop Protocol sessions or unusual inbox rules can be flagged for further investigation by Expel’s analysts and customers’ security teams to determine what is and isn’t a threat.
Unusual inbox rules are mailbox rules and settings attackers set up in a compromised mailbox to hide or exfiltrate mail, such as:
Automatically moving messages into folders the victim rarely looks at, such as RSS Subscriptions, Junk Email or Notes
Automatically deleting messages
Redirecting messages to an external email address
Filtering on business email compromise keywords such as virus, password, inbox or tax
Forwarding emails to external addresses
Setting new mailbox delegates
Expel also flags a related sign-in pattern: a successful mailbox login within minutes of logins denied by conditional access policies.
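The rule patterns above can be checked directly against the Exchange mailbox-audit events that Microsoft 365 writes to the Unified Audit Log whenever a rule is created or changed. The script below is an added example, not Expel’s code or Microsoft’s: it assumes the record shape of those audit entries (Operation, UserId, ClientIP and a Parameters list of Name/Value pairs), uses constructed sample records, treats contoso.com as the assumed tenant domain, and extends the article’s keyword list with a few common BEC terms (an assumption). Each finding carries the reasons a rule looks attacker-made so an analyst can triage it rather than just receive a score.

```python
"""Triage Exchange Online inbox-rule audit events for attacker persistence patterns.

Added example, not Expel's code. Records follow the shape of Exchange mailbox-audit
entries in the Microsoft 365 Unified Audit Log (Operation, UserId, ClientIP and a
Parameters list of Name/Value pairs); the records in SAMPLE_AUDIT_JSON are constructed.
"""
import json
import re

# Cmdlets recorded when a mailbox rule is created or changed.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
# Folders attackers move mail into so the victim never sees replies (from the article's list).
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "junk email", "junk e-mail", "notes"}
# Keywords from the article plus common BEC terms (the extra terms are an assumption).
BEC_KEYWORDS = {"virus", "password", "inbox", "tax",
                "invoice", "payment", "wire", "hacked", "phishing"}
# Domains that count as internal for forwarding checks (assumed tenant domain).
INTERNAL_DOMAINS = {"contoso.com"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample records: two attacker rules on alice's mailbox, one benign rule, one non-rule event.
SAMPLE_AUDIT_JSON = """
{"CreationTime":"2021-06-17T08:12:03","Operation":"New-InboxRule","UserId":"alice@contoso.com","ClientIP":"203.0.113.5","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectOrBodyContainsWords","Value":"invoice;password;tax"},{"Name":"MoveToFolder","Value":"RSS Subscriptions"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2021-06-17T08:14:41","Operation":"Set-InboxRule","UserId":"alice@contoso.com","ClientIP":"203.0.113.5","Parameters":[{"Name":"Identity","Value":"."},{"Name":"ForwardAsAttachmentTo","Value":"[SMTP:drop@mail.example]"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2021-06-17T09:02:10","Operation":"New-InboxRule","UserId":"bob@contoso.com","ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"Team newsletters"},{"Name":"From","Value":"news@contoso.com"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2021-06-17T09:05:00","Operation":"MailItemsAccessed","UserId":"bob@contoso.com","ClientIP":"198.51.100.7","Parameters":[]}
"""


def load_records(text):
    """Parse one JSON audit record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parameters(record):
    """Flatten the record's Parameters list into a {name: value} dict."""
    return {p["Name"]: p.get("Value") or "" for p in record.get("Parameters", [])}


def external_recipients(value, internal_domains):
    """Addresses in a ForwardTo/RedirectTo value whose domain is not one of ours."""
    return [a for a in EMAIL_RE.findall(value or "")
            if a.rsplit("@", 1)[1].lower() not in internal_domains]


def analyze_rule_event(record, internal_domains=INTERNAL_DOMAINS):
    """Return the reasons an inbox-rule event looks attacker-made (empty list if benign)."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    p = parameters(record)
    reasons = []
    for name in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        ext = external_recipients(p.get(name), internal_domains)
        if ext:
            reasons.append(f"{name} sends mail to external address(es): {', '.join(ext)}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("rule deletes matching messages")
    # Folder values may carry a leading backslash in some exports (assumption), so strip it.
    folder = p.get("MoveToFolder", "").lstrip("\\").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"rule hides matching messages in '{p['MoveToFolder']}'")
    words = set()
    for name in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"):
        words.update(w.strip().lower() for w in re.split(r"[;,]", p.get(name, "")) if w.strip())
    hits = sorted(words & BEC_KEYWORDS)
    if hits:
        reasons.append(f"rule filters on BEC keywords: {', '.join(hits)}")
    return reasons


def triage(records, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per suspicious record, in audit order."""
    findings = []
    for rec in records:
        reasons = analyze_rule_event(rec, internal_domains)
        if reasons:
            p = parameters(rec)
            findings.append({
                "time": rec.get("CreationTime"),
                "user": rec.get("UserId"),
                "client_ip": rec.get("ClientIP"),
                "operation": rec.get("Operation"),
                "rule": p.get("Name") or p.get("Identity") or "?",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage(load_records(SAMPLE_AUDIT_JSON)):
        print(f"{f['time']} {f['user']} {f['operation']} rule={f['rule']!r} from {f['client_ip']}")
        for r in f["reasons"]:
            print("   -", r)
```

In a real tenant the records come from Search-UnifiedAuditLog (or the Office 365 Management Activity API) rather than a string; the same analysis then pairs naturally with the sign-in check above, since the ClientIP on a suspicious rule can be compared against the IP of any recently denied conditional-access login for the same user.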
Customers can also supply customized context and business rules to help Expel’s detection engine learn what typical network and application traffic looks like in their environment.
“Philosophically, we believe that humans are better than technology in two main areas: making judgments and building relationships,” Matt Peters, Expel’s chief product officer, said. “So, at the core of what we do, Expel Workbench is designed to automate as much as possible, leaving to the human the moments that are truly human.”
If an indicator of compromise is found, Expel’s platform automates the Tier 1 and Tier 2 investigative steps and can act to isolate threats on customers’ behalf.
“That potentially malicious file? It’s already been detonated and IOCs from that have been hunted for across the customers’ Office 365, Microsoft Defender for Endpoint and Sentinel instances,” said Peters.
Expel for Microsoft includes 24/7 monitoring and response for Microsoft and other vendors’ security tools as well as real-time collaboration with Expel’s security operations center analysts using Microsoft Teams or Slack.
Fully automated remediation is not yet a feature, but the company said it is on the way.
“We’ve also taken our first steps to automate remediation—containing hosts is the big one for our customers—and will be adding targeted remediations over time,” said Peters.