Expel severity






Not reviewed

Cisco FirePower

Threat score 44 or greater

Threat score less than 44

Cisco Umbrella DNS

Policy category: Command and Control

Policy category: Phishing[a]

All other policy categories.

Cisco Umbrella Proxy (URL)

Policy Category: Malware with MIME type: Application

All other policy categories and/or MIME types.


Score of 80 or greater

Score less than 80[b]

Fastly Next-Gen WAF (formerly Signal Sciences WAF)

All attack Signals

All non-attack Signals

Palo Alto Firewall Anti-Virus Module

Malware detections with severities High or Critical

Malware detections with Medium severity

Malware detections with severities Low or Informational

Palo Alto FirewallTraffic

Severities High and Critical

Severities Medium, Low, and Informational

Palo Alto FirewallURL

URL categories command-and-control, malware, dynamic DNS, and phishing

All other URL categories

Palo Alto Firewall Wildfire

Categories malicious and grayware

All other categories

SentinelOne Singularity Hologram (formerly Attivo BOTSink)

Severities Very High, High

Severities Medium, Low, and Very Low

Verizon Network Detection and Response (formerly ProtectWise)

Severities High and Medium[c]

Severities Low and None


Malware and unblocked Adware alert categories

Anonymizer and all other alert categories

[a] Requires 3 consecutive events to the same destination domain.

[b] If Expel observes multiple Darktrace alerts with a score of 66 or greater from the same host, Expel alert at severity Low.

[c] Excludes inbound internet scanning from known commodity scanner source IPs.