Introduction
As organizations grow their digital footprint, managing the external attack surface has become critical for reducing risks and improving security posture. Public-facing assets such as domains, APIs, IP addresses, and cloud resources are often the entry points for attackers. Without comprehensive visibility and monitoring, these assets can become vulnerabilities.
Microsoft Defender External Attack Surface Management (EASM) provides a robust solution to address these challenges. Using advanced discovery technology, Defender EASM continuously maps your organization’s external infrastructure to identify risks and hidden vulnerabilities. In this guide, we’ll explore the features, prerequisites, step-by-step configuration, and its role in exposure management.
I blogged about Exposure Management earlier this year, and you might have noticed that External Attack Surface Management is also part of an organisation's exposure (so not only internally).
Key features of Microsoft Defender External Attack Surface Management
| Feature | Benefit |
|---|---|
| Comprehensive asset discovery | Identifies public-facing assets, including shadow IT and misconfigurations |
| Continuous monitoring | Tracks changes in your attack surface in real time |
| Risk prioritization | Highlights high-risk vulnerabilities and misconfigurations for immediate action |
| Dashboard insights | Provides actionable insights into vulnerabilities, compliance, and risks |
| Integration capabilities | Seamlessly integrates with Microsoft Sentinel and other tools |
Prerequisites
Before deploying Microsoft Defender EASM, ensure the following requirements are met:
| Requirement | Details |
|---|---|
| Azure subscription | An active Azure subscription is required to deploy the EASM resource (billed per asset) |
| User permissions | Owner or Contributor role in the Azure subscription |
| Supported regions | Ensure the selected Azure region supports EASM |
Deploying the Defender EASM resource
Steps:
Log into the Azure Portal.
Create the EASM resource:
- Navigate to Create a resource
- Search for “Microsoft Defender External Attack Surface Management” and select it
- Complete the required fields, including subscription, resource group, and region
Review and deploy:
- Validate your settings
- Click Create to deploy the resource
Configuring discovery groups and seeds
Discovery groups and seeds are essential for initializing and managing your attack surface discovery.
Types of seeds:
- Domains
- IP address blocks
- Hosts
- Email contacts
- Autonomous system numbers (ASNs)
- Whois organizations
Steps:
Navigate to Inventory (or through Discovery):
- Open the Defender EASM resource in the Azure Portal
- Select the Inventory tab
Search for information already present about your organization, or create a custom group:
- Provide a name for the group (e.g. Modern Security)
Add seeds:
- Click Add seed and specify the type of seed (e.g., domain names, IP ranges)
- Enter the seed values (e.g., example.com or 192.168.0.0/24)
- Save your changes
Configure exclusions (optional):
- Add exclusions to prevent specific assets from being included in the discovery process
- Examples include subsidiaries or unrelated third-party infrastructure
Later on, once your organisation and its assets have been created, you can also use Discovery Groups for more granular control over your assets.
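As an added example (my own code, not part of this post or of the product), here is a pre-check for seed values before they go into a discovery group; the syntax rules for each seed type are assumptions. It catches the one thing worth flagging early: a private range like the 192.168.0.0/24 used above is not routable on the internet, so it can never be part of the external attack surface, while an overly wide block pulls unrelated third-party hosts into inventory.

```python
import ipaddress
import re

# Seed types accepted by Defender EASM, per the list above. The syntax rules
# below are my own assumptions for pre-checking input, not the product's parser.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)(?:[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")
ASN_RE = re.compile(r"^(?:AS)?(\d{1,10})$", re.I)


def classify_seed(value: str) -> dict:
    """Return the seed type plus any warning worth reading before adding it."""
    v = value.strip()
    result = {"value": v, "type": None, "warning": None}
    try:
        net = ipaddress.ip_network(v, strict=False)
    except ValueError:
        net = None
    if net is not None:
        result["type"] = "ip_block"
        # External discovery only covers public space: RFC 1918, loopback,
        # link-local and reserved ranges will never show up as external assets.
        if net.is_private or net.is_loopback or net.is_link_local or net.is_reserved:
            result["warning"] = f"{net} is not publicly routable; it cannot be part of the external attack surface"
        elif net.num_addresses > 2 ** 16:
            result["warning"] = f"{net} is wider than a /16; broad seeds pull unrelated third-party hosts into inventory"
        return result
    if (m := ASN_RE.match(v)):
        result["type"], result["value"] = "asn", f"AS{m.group(1)}"
        return result
    if (m := EMAIL_RE.match(v)):
        result["type"] = "email_contact"
        if not DOMAIN_RE.match(m.group(1)):
            result["warning"] = "the part after @ is not a valid hostname"
        return result
    if DOMAIN_RE.match(v):
        # Heuristic: two or more dots means a specific host rather than a registrable domain.
        result["type"] = "host" if v.count(".") >= 2 else "domain"
        return result
    result["type"] = "whois_org"  # assumed fallback: anything else is an organization name
    result["warning"] = "treated as a Whois organization name; check the exact registrant spelling"
    return result


def review_seeds(values):
    """Classify a batch and split it into seeds that are ready and ones needing a look."""
    classified = [classify_seed(v) for v in values]
    ready = [c for c in classified if c["warning"] is None]
    flagged = [c for c in classified if c["warning"] is not None]
    return ready, flagged
```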
Discovering and managing assets
After configuring your organisation and seeds, Defender EASM identifies and categorizes assets (this can take up to 72 hours):
Asset states:
- Approved inventory: Directly managed assets
- Dependencies: Third-party assets supporting your infrastructure
- Monitor only: Relevant but not directly controlled assets
- Candidate: Requires manual review to determine ownership
- Requires investigation: Needs further validation based on connection strength
Steps:
Navigate to the inventory section:
- Access the Inventory tab in the Defender EASM portal
Review assets:
- Approve or reject discovered assets based on relevance and ownership
- Assign labels to group and organize assets
Dashboard integrated in EASM
Attack Surface Summary
- Purpose: Provides a high-level overview of the organization’s external attack surface
- Features:
  - Key metrics for discovered assets (domains, IPs, services)
  - Snapshot of high-risk vulnerabilities or misconfigurations
  - Trends in attack surface expansion or reduction over time
Security Posture
- Purpose: Highlights the security status of external-facing assets
- Features:
  - Overview of compliance levels
  - Identification of critical security gaps
  - Suggested remediation steps to improve security posture
GDPR Compliance
- Purpose: Monitors compliance with the General Data Protection Regulation (GDPR)
- Features:
  - Detects assets and configurations that might violate GDPR
  - Highlights exposed personal data or non-compliant systems
  - Recommendations for achieving GDPR compliance
OWASP Top 10
- Purpose: Tracks vulnerabilities based on the OWASP Top 10 list
- Features:
  - Identification of web application risks, such as injection or broken access control
  - Asset-specific vulnerability details
  - Risk prioritization to mitigate OWASP-related issues
CWE Top 25 Software Weaknesses
- Purpose: Highlights software weaknesses based on the CWE Top 25 list
- Features:
  - Insights into software flaws that could be exploited
  - Categorization by weakness type (e.g., input validation errors)
  - Recommendations for addressing software vulnerabilities
CISA Known Exploits
- Purpose: Focuses on vulnerabilities listed in the CISA Known Exploited Vulnerabilities Catalog
- Features:
  - Identifies assets impacted by active exploits
  - Provides context on known exploitation activity
  - Helps prioritize fixes for vulnerabilities actively targeted by attackers
Integrating with Microsoft Sentinel
Integration with Microsoft Sentinel enhances centralized monitoring and threat detection.
Steps:
Set up data connection:
- Go to Data connections in the EASM portal
- Link to your Sentinel Log Analytics workspace (use the workspace ID and the primary or secondary key, found in the Log Analytics workspace under Settings > Agents)
Verify the integration by running KQL queries against the EASM tables in Sentinel:
| Query purpose | KQL query | Description |
|---|---|---|
| List all assets by type | `EasmAsset_CL \| summarize count() by AssetType_s` | Provides a summary of discovered assets categorized by their type (e.g., domains, IPs). |
| View asset banners | `EasmAssetBanner_CL \| project AssetName_s, BannerText_s, IP_s` | Retrieves banner information for identified assets, including IP and banner text. |
| Identify newly discovered domains | `EasmDomainAsset_CL \| where TimeGenerated > ago(24h) \| project DomainName_s, DiscoveryPath_s` | Lists domains discovered in the last 24 hours. |
| Monitor SSL certificate issues | `EasmSslCertAsset_CL \| where SslCertStatus_s contains "expired" \| project AssetName_s, SslCertDetails_s` | Retrieves findings for expired or problematic SSL certificates. |
| Open port detections | `EasmHostAsset_CL \| where Description_s contains "Open Port" \| project HostName_s, PortDetails_s` | Lists hosts with open ports and their details. |
| Filter by OWASP vulnerabilities | `EasmPageAsset_CL \| where VulnerabilityCategory_s contains "OWASP" \| project PageUrl_s, Severity_s` | Displays web pages with vulnerabilities categorized under the OWASP Top 10. |
| Discover risky assets | `EasmRisk_CL \| where Severity_s == "High" \| project AssetName_s, RiskDescription_s` | Highlights assets flagged with high-risk issues. |
| Find risky IP addresses | `EasmIpAddressAsset_CL \| where RiskLevel_s == "Critical" \| project IpAddress_s, RiskDetails_s` | Lists critical-risk IP addresses and associated risk details. |
| Identify assets with web components | `EasmAssetWebComponent_CL \| project AssetName_s, ComponentName_s, Version_s` | Shows web components (e.g., CMS, frameworks) detected on assets. |
| Detect potential contact leaks | `EasmContactAsset_CL \| project ContactEmail_s, DiscoverySource_s` | Retrieves contact email addresses exposed on public-facing assets. |
| Track SSL certificate lifecycle | `EasmSslCertAsset_CL \| summarize count() by SslCertStatus_s` | Summarizes SSL certificate statuses (e.g., expired, expiring soon). |
Benefits:
- Unified monitoring across platforms
- Automated responses through Sentinel playbooks
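The workspace ID and primary key used in the data connection step are the Log Analytics Data Collector API credentials, and the `_CL` tables and `_s` columns queried above follow that API's naming for custom logs. The added example below (my own code, not the EASM connector's) shows what any holder of that key can do: sign and submit arbitrary custom-log records into the workspace, which is why the key belongs in a secret store and should be rotated if it is exposed. The workspace ID and key are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import urllib.request
from datetime import datetime, timezone

API_VERSION = "2016-04-01"
RESOURCE = "/api/logs"
# Constructed placeholders; real values come from the workspace's Settings > Agents page.
EXAMPLE_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
EXAMPLE_SHARED_KEY = "MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDA="  # base64 of 32 '0' bytes


def build_signature(workspace_id, shared_key_b64, rfc1123_date, content_length,
                    method="POST", content_type="application/json"):
    """Return the SharedKey Authorization header value for one request."""
    # The signed string is method, body length, content type, the x-ms-date
    # header and the resource path, newline-separated; the key is base64-decoded
    # first. Anyone holding the key can produce this header for any body.
    string_to_sign = "\n".join([method, str(content_length), content_type,
                                f"x-ms-date:{rfc1123_date}", RESOURCE])
    key = base64.b64decode(shared_key_b64)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(workspace_id, shared_key_b64, log_type, records, rfc1123_date=None):
    """Assemble URL, headers and JSON body; nothing is sent from here."""
    if rfc1123_date is None:
        rfc1123_date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key_b64, rfc1123_date, len(body)),
        "Log-Type": log_type,       # stored as the custom table <log_type>_CL, strings as *_s
        "x-ms-date": rfc1123_date,  # must equal the date that was signed
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version={API_VERSION}"
    return {"url": url, "headers": headers, "body": body}


def send(request):
    """POST the prepared request to the workspace; returns the HTTP status (200 = accepted)."""
    req = urllib.request.Request(request["url"], data=request["body"],
                                 headers=request["headers"], method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status
```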
Testing the configuration
Testing ensures your EASM setup is functioning correctly.
Simulations:
- Phishing domain detection:
  - Register a mock phishing domain and verify its detection
- Open port scanning:
  - Use tools like Nmap to identify open ports and validate alerts
- SSL certificate testing:
  - Use expired or invalid certificates to test alert triggers
Extra resources
Make sure to check out the EASM GitHub page, because there are useful resources there which might be handy to use and integrate:
https://github.com/Azure/MDEASM-Solutions
The role of EASM in exposure management
Microsoft Defender External Attack Surface Management (EASM) is not just a tool for asset discovery—it is a critical enabler for effective exposure management. Exposure management is about identifying, prioritizing, and mitigating risks across your entire attack surface, including internal and external assets. While traditional tools focus on internal vulnerabilities, EASM ensures no external-facing risk goes unnoticed.
How EASM complements exposure management
- Identifying shadow IT: EASM excels in discovering unmanaged or unknown assets that often go unnoticed, such as forgotten subdomains, unsecured APIs, or legacy IPs
- Continuous monitoring: By providing real-time insights, EASM enables organizations to detect and respond to changes in their attack surface, such as the exposure of new ports or the deployment of insecure services
- Risk prioritization: Not all vulnerabilities are equal. EASM helps prioritize risks based on severity, such as misconfigurations that allow unrestricted public access or assets running unsupported software versions
- Integration with broader tools: EASM’s ability to feed data into Microsoft Sentinel ensures its findings are part of a unified threat detection and response strategy. This integration is essential for correlating external risks with internal vulnerabilities
Why EASM data matters in exposure management
Organizations leveraging EASM data within their exposure management framework benefit from:
- Proactive risk reduction: Addressing vulnerabilities before they are exploited by attackers
- Improved visibility: Ensuring a complete view of all assets, both managed and unmanaged
- Streamlined compliance: Demonstrating control over external assets for frameworks such as ISO 27001 or GDPR
- Enhanced threat intelligence: Correlating EASM findings with threat trends, enabling informed decisions on remediation
By integrating EASM with internal tools and processes, organizations can achieve a 360-degree view of their exposure, aligning their security posture with a proactive, defense-in-depth approach.
Conclusion
Microsoft Defender External Attack Surface Management is an indispensable tool for modern organizations aiming to reduce their attack surface and strengthen their cybersecurity posture. Its ability to identify, monitor, and manage external-facing assets ensures no vulnerabilities are left unaddressed. By integrating EASM into a broader exposure management strategy, organizations benefit from:
- Comprehensive visibility: A clear picture of all external-facing assets, enabling informed decision-making
- Actionable insights: Prioritized remediation efforts that address the most critical risks first
- Seamless integration: Unified data streams into Microsoft Sentinel, enhancing incident response and overall security operations
Incorporating EASM into your cybersecurity framework not only mitigates external risks but also complements internal risk management practices, creating a cohesive, proactive defense strategy. By addressing both external and internal vulnerabilities, you can ensure a resilient security posture that evolves with the ever-changing threat landscape.
Leverage Microsoft Defender External Attack Surface Management to protect what attackers target most: your external assets. With its advanced capabilities and integration potential, EASM is not just a tool—it’s a cornerstone of effective exposure management.