Become a Microsoft Defender External Attack Surface Management Ninja: Level 400 training
Published Feb 21 2023 11:40 AM 14.6K Views

Welcome to Microsoft Ninja training! This blog post will walk you through Microsoft Defender External Attack Surface Management (Defender EASMI) Level 400 training to become proficient in understanding and managing your organization's external attack surface.






This program comprises four training modules enabling users to get to know and get the most out of their Defender EASM instance. Throughout this training, you'll familiarize yourself with Defender EASM, how it discovers your attack surface, and how to use it to identify risks across your organization's digital estate. Once complete, you'll be ready to leverage the information in Defender EASM to ensure you've minimized attack surface risk.

The modules listed below are split into four groups: 


Part 1: Overview

  • Module 0: Other Learning and Support Options
  • Module 1: Use Cases, Users, and How to Get Started 


Part 2: The Discovery Process and Overview

  • Module 2: Getting Started with Discovery 


Part 3: Dashboards and Reporting

  • Module 3: How to Prioritize 


Part 4: Analyzing your Assets

  • Module 4: An overview of your Inventory 
  • Module 5: Understanding your Assets 


Part 1: Overview 


Module 0: Other Learning and Support Options 


The Ninja training is a level 400 training. If you don't want to go as deep or have a great feature request to share, other resources might be more suitable: 


Think you're a Microsoft Defender EASM Ninja? 


Take the knowledge check and find out. If you pass the knowledge check with a score of over 80%, you can request a certificate to prove your ninja skills!


Disclaimer: This is not an official Microsoft certification and only acts to recognize your participation in this training content. 


  1. Take the knowledge check here.   
  2. If you score 80% or more in the knowledge check, request your participation certificate here. If you achieved less than 80%, please review the questions that you got wrong, study more, and retake the assessment. 

Module 1: Use Cases, Users, and How to Get Started  


Microsoft Defender External Attack Surface Management (Defender EASM) continuously discovers and maps your digital attack surface to provide an external view of your online infrastructure. This visibility enables security, and IT teams to identify unknowns, prioritize risk, eliminate threats, and extend vulnerability and exposure control beyond the firewall. Defender EASM leverages Microsoft's crawling technology to discover assets related to your known online infrastructure and actively scans these assets to discover new connections over time. Attack Surface Insights are generated by leveraging vulnerability and infrastructure data to showcase your organization's key areas of concern (read more).


Defender EASM aids the following target organizations and functions: 

  • Security Operations 
  • Vulnerability Management 
  • Application Security 
  • Threat Hunting 
  • CISO / CSO / CIO / Executives 
  • Penetration Testing 


Common tactical use cases include: 

  • Data Enrichment 
  • Infrastructure exposure 
  • Potential Data loss 
  • Brand exposure 
  • First-party risk 
  • Third-party risk 


If you want an overview of Microsoft Defender External Attack Surface Management's capabilities, please visit Defender EASM Overview. 


Lastly, want to try it yourself? Defender EASM 30-day trials are available to start in the Microsoft Azure portal (read more). You will need a valid Azure subscription with a contributor role assigned to create a resource to begin the trial.  


Part 2: The Discovery Process and Overview 


While the previous section provides an overview of our Defender EASM platform and how to get started, this section provides thorough information regarding Defender EASM's Discovery Process and Overview. It also provides examples to provide more information regarding the value of Defender EASM's Discovery algorithm (read more). 


Module 2: Getting Started with Discovery  


Keeping up with your ever-changing infrastructure can be a difficult, if not impossible challenge. The Discovery Process has been designed to continuously identify new infrastructure and automatically identify assets to ensure you clearly understand your security posture (read more). Discovery seed types include domains, IP Blocks, Hosts, Email Contacts, ASNs & Whois Organizations.  




Part 3: Dashboards & Reporting 


Data has never been as valuable as it is in today's world. It is fair to say that there is often so much data that it becomes difficult to find what is important and, therefore, impossible to use effectively. The dashboards in Defender EASM help to highlight important information within your attack surface and splits your actions into manageable tasks to help improve your security posture. 


Module 3: How to Prioritize 


At this point, your initial Discovery Process is complete, and data is consistently populating your Dashboards (read more). These dashboards are broken down into the following: 


  • Attack Surface Summary 
  • Security Posture 
  • GDPR Compliance 
  • OWASP Top 10 


Filtering can also help identify specific attack vectors that may be important for a given organization. Defender EASM is constantly updating the assets in the Inventory and keeping those findings in the dashboards up to date. Enrolling this data for information pertinent to an attack on a given sector could prove to be an essential utility when understanding where potential vulnerabilities exist in the Attack Surface (read more).  


Part 4: Analyzing your Assets 


Discovery should now be set up to recursively identify infrastructure with observed connections to legitimate assets within your attack surface. You should also understand how to use the dashboards to highlight areas of concern that may need addressing within your attack surface.


So what now? Part 4 will help you to understand how to use the Inventory. 


Module 4: An Overview of your Inventory 


Assets comprise IP addresses, IP blocks, hosts, domains, pages, SSL certificates, ASNs, and Whois contacts, as mentioned in Module 2. Each asset type contains different information, which can be filtered accordingly. Another important consideration of assets is Asset Status. The status of an asset has important implications when it comes to billing and reporting (read more). 


Module 5: Understanding Your Assets


The Defender EASM Inventory allows you to access all the assets within your scope and write customizable filters (read more). What if something else needs to be identified in your attack surface that has not been highlighted via the dashboards? For example, what if a known threat actor targets your organization by exploiting a vulnerability? How can you identify deprecated versions running on your infrastructure? (read more)


You can use the Defender EASM inventory to show how many instances of this web component are exposed on your attack surface. A simple filter can be applied to reveal these assets and show you how many potential exposures you may have. These results can then be passed to the relevant teams to patch or update accordingly.     

Version history
Last update:
‎Feb 21 2023 11:27 AM
Updated by: