Tiers specify what we can ingest for each integration, whether or not custom rules are leveraged, and which resulting Expel actions are supported. MDR SIEM tiers only apply to SIEM-based technology and not to integrations that use a "via SIEM" connection.

Advanced (Tier 1)

Plan Options: Premium, Premium Pro

For Advanced (Tier 1) SIEMs, we may leverage either out-of-the-box (OOTB) or custom rules to map the SIEM alerts to our own ingestion criteria. We also use the SIEM for investigation telemetry.

This tier includes:

  • Support for OOTB vendor detection rules (queried via API), followed by an Expel rule review to determine the level of support per rule (e.g. full support, partial support, index as evidence).
  • Support for custom detection rules (queried via API), followed by an Expel rule review to determine the level of support per rule (e.g. full support, partial support, index as evidence).
  • 50 custom rules reviewed per contract year.
  • Triage of all generated alerts to the appropriate support level based on Expel rule reviews.

Advanced (Tier 1) SIEM integrations:

  • CrowdStrike Falcon NextGen SIEM
  • Google Security Operations (SecOps)
  • Microsoft Sentinel
  • Palo Alto Networks Cortex XSIAM
  • Splunk - Enterprise Security (Splunk ES)
  • Splunk - Core (Splunk Core)
  • Sumo Logic Cloud SIEM (CSE)

Essentials (Tier 2)

Plan Options: Select, Premium, Premium Pro

For Essentials (Tier 2) SIEMs, we leverage your SIEM's out-of-the-box (OOTB) rules to map the SIEM alerts to our own ingestion criteria, but we do not support any custom rules you may have in place. We also use the SIEM for investigation telemetry.

This tier includes:

  • Support for OOTB vendor detection rules (queried via API), followed by an Expel rule review to determine the level of support per rule (e.g. full support, partial support, index as evidence).
  • Triage of all generated alerts to the appropriate support level based on Expel rule reviews.

Essentials (Tier 2) SIEM integrations:

  • Datadog Observability & Analytics Platform
  • Elastic Elasticsearch
  • Exabeam Fusion SIEM
  • Exabeam Fusion XDR
  • Exabeam Threat Center
  • Hunters SOC Platform
  • Palo Alto Strata
  • Panther Cloud SIEM
  • QRadar
  • SentinelOne Singularity Data Lake

Investigative Only (Tier 3)

Plan Options: Starter, Select, Premium, Premium Pro

For Investigative Only (Tier 3) SIEMs, no alerts from the SIEM are mapped to Expel Alerts, but the SIEM's data can still be used by us for investigation telemetry. We strongly recommend that you set up Tier 3 SIEMs in Workbench to increase the available investigative support.

This tier includes:

  • APIs for Investigative Actions.
  • Using the data as an investigative source.

Investigative Only (Tier 3) SIEM integrations:

  • Devo
  • LogRhythm
  • Logz.io
  • Securonix Next-Gen SIEM
  • Sumo Logic Cloud Infrastructure Security