Endpoint alert severity by product. For each product, the cells list which vendor alerts Expel assigns to each Expel severity; a blank cell means no alerts from that product are mapped to that severity.

Product                                                          | Expel severity: Critical               | High                                   | Medium                      | Low                                          | Not reviewed
-----------------------------------------------------------------|----------------------------------------|----------------------------------------|-----------------------------|----------------------------------------------|------------------------------------------------------
Cisco Secure Endpoint (formerly Cisco AMP)                       | Alerts involving known malicious tools | Non-generic malware detections         | Generic malware detections  |                                              |
CrowdStrike Falcon                                               | Alerts involving known malicious tools | Severities Medium, High, and Critical  |                             | Severities Low and Informational             |
CrowdStrike Falcon OverWatch                                     | All alerts                             |                                        |                             |                                              |
Elastic Security                                                 | Alerts involving known malicious tools | Severities Medium and High             |                             | Severity Low                                 |
SentinelOne                                                      | Alerts involving known malicious tools | Alerts categorized as "Hacktool"       | All non-mitigated threats   |                                              | Mitigated threats and vulnerability scan results
Symantec Endpoint Protection                                     | Alerts involving known malicious tools | Severities Major, Critical, and Fatal  |                             | Severities Warning, Minor, and Informational |
Tanium XEM Core                                                  | Alerts involving known malicious tools | All alerts                             |                             |                                              |
Trellix Endpoint Security (HX) (formerly FireEye HX)             | Alerts involving known malicious tools | Alerts in certain categories[a]        | All alerts                  |                                              |
VMware Carbon Black EDR (formerly CB Response)                   | Alerts involving known malicious tools | Dependent on Expel rule matches[b]     | Dependent on Expel rule matches | Dependent on Expel rule matches          | Dependent on Expel rule matches
VMware Carbon Black Cloud (formerly CB ThreatHunter and CB Defense) | Alerts involving known malicious tools | Severity 5 or greater               |                             | Severity less than 5                         |
Windows Defender ATP                                             | Alerts involving known malicious tools | High severity alerts and Hacktool alerts | Medium severity alerts    | Low and Informational severity alerts        | Unwanted software[c]; Mitigated threats

[a] Methodology, backdoor, trojan, credential stealer, malware family, process dumping, exploit activity.

[b] Expel consumes all events generated by the Expel threat feeds and all other enabled threat feeds, and applies its own detection rules, based on the MITRE ATT&CK framework, to assign severity. Expel makes these rules visible to customers.

[c] Expel investigates or notifies on unwanted software only by request.