Latest Defender EASM Features Increase Visibility and Enhance Querying for Faster Remediation
Published Feb 06 2024 09:04 AM 5,589 Views
Microsoft

Microsoft Defender External Attack Surface Management (Defender EASM) discovers and classifies assets and workloads across your organization's digital presence to enable teams to understand and prioritize exposed weaknesses in cloud, SaaS, and IaaS resources to strengthen security posture. Features recently added increase CWE and CVE visibility and boost query efficiency so users can focus on finding the information that's most important to their environment. Below, learn about these powerful new enhancements and how you can begin using them today.  
 

New Features 

 

CWE Top 25 Software Weaknesses dashboard  

The Top 25 Common Weakness Enumeration (CWE) list is provided annually by MITRE. These CWEs represent the most common and impactful software weaknesses that are easy to find and exploit. This dashboard displays all CWEs included on the list over the last five years, listing all inventory assets that might be impacted by each CWE. Referencing this dashboard saves you research time and helps your vulnerability remediation efforts by helping you identify the greatest risks to your organization based on other tangible observed exploits. 

 

photo 1.png

CISA Known Exploits dashboard  

While there are hundreds of thousands of identified CVE vulnerabilities, only a small subset hasve been identified by the Cybersecurity & Infrastructure Security Agency (CISA) as recently exploited by threat actors. This list includes less than .5% of all identified CVEs; for this reason, it is instrumental to helping security professionals prioritize the remediation of the greatest risks to their organization. Those who remediate threats based on this list operate with the upmost efficiency because they’re prioritizing the vulnerabilities that have resulted in real security incidents.  

Both new Defender EASM dashboards are designed to help users find the threats that pose the greatest threat to their organization as efficiently as possible. To learn more about dashboards, see our help documentation 

 

photo 2.png

 

Push notifications  

Users now receive one-time push notifications in the Azure portal to alert them of key updates to their attack surface. These notifications are designed to guide users to the information that helps them create a comprehensive external attack surface and efficiently manage their ever-changing digital landscape. Users can expect notifications in the following instances:   

  • Free Trial Ending (within 10 days): when you login to Defender EASM within 10 days of your free trial ending, you will receive a one-time notification that alerts you of the impending trial end.   
  • New Insight published: if your external attack surface contains inventory assets that are potentially impacted by a new insight, you will receive a notification. Clicking the notification will route you to the detailed list of all assets that are affected by the insight.  
  • Discovery run completion: when a discovery run is successfully completed and discovers new assets related to your external attack surface, you will receive a notification that "X (number) of assets" have been added to your inventory. Click this notification to view a list of the assets added to inventory through that particular discovery run.  
  • Discovery run failure: when a discovery run fails, you will receive a push notification that routes you to the Discovery Group page when clicked. This page provides more details about the failure and offers the option to re-run the discovery. 

 

Software Development Kits (SDKs) for Java and Javascript 

 Customers can now access client libraries for Javascript and Java that help them operationalize the Defender EASM REST API to automate processes and improve workflows. These SDKs are now available to customers in Public Preview. 

 

photo 3.png

Key enhancements

 

"NEW" flag for insights  

New insights are now flagged with “NEW” on the "Attack surface priorities" charts and other areas in the UI.  This helps customers quickly navigate to insights that they have not yet investigated, enabling better prioritization when reviewing your attack surface. 

 Screenshot 2024-01-02 at 3.09.18 PM.png

Discovery run improvements 

Performance enhancements were completed on the backend of the discovery engine to enable larger asset counts to be brought into inventory with each discovery run.  Furthermore, we have added tooltips to the Discovery Group details page to provide more insight into failed discovery runs. By hovering over the information icon next to any failed discovery run within the Run History section, users can understand why their run failed and adjust accordingly before running another discovery, improving efficiency.  

 

dandennis_6-1706029540898.png

 

Filter editor redesign 

Defender EASM has implemented a new design for filters that makes it easier for you to quickly query your inventory. Each query is now constructed from the main inventory page in a more visual format, making it easier to construct multiple queries before submitting.  Unlike the previous filter design, these improvements allow users to view and edit all queries simultaneously before submitting the request, improving the ease of usability of the feature.  In addition, we have added an “OR” operator for many filters, allowing you to quickly search for multiple desired results.  
 

Screenshot 2024-01-03 at 11.20.18 AM.png

 

New attack surface insights  

 The Defender EASM team is constantly adding new insights to the platform to ensure that our users have visibility into the latest security threats. The follow insights were added to Defender EASM in the last three months.  

Detectable insights 

  • CVE-2023-42115 - Exim Unauthenticated Remote Code Execution 
  • CVE-2023-40044 - WS_FTP Server Ad Hoc Transfer Unauthorized Deserialization 
  • CVE-2023-22515 - Confluence Privilege Escalation 
  • CVE-2023-42793 - TeamCity Unauthenticated Remote Code Execution 
  • CVE-2023-38646 Metabase Unauthenticated Command Execution 
  • CVE-2023-33246 - Apache RocketMQ Broker Unauthenticated Remote Command Injection 
  • CVE-2023-22518 - Atlassian Confluence Improper Authorization 
  • CVE-2023-47246 - SysAid Help Desk Path Traversal to Remote Code Execution 
  • CVE-2023-46604 - Apache ActiveMQ OpenWire Broker Remote Code Execution  
  • CVE-2023-45849 - Perforce Helix Core Unauthenticated Remote Code Execution over RPC 


Potential Insights
 

Potential Insights are created when a vulnerable version of software has not been detected and needs to be validated by the customer.  Customers using this software should check if they have the vulnerable versions highlighted in the insight: 

  

  • [Potential] August 2023 Juniper Junos OS Multiple Vulnerabilities in J-Web 
  • [Potential] CVE-2023-40044 - WS_FTP Server Ad Hoc Transfer Unauthorized Deserialization 
  • [Potential] CVE-2023-4966 - Citrix NetScaler Gateway and NetScaler ADC Session Token Leak 
  • [Potential] CVE-2023-20198 & CVE-2023-20273 - Cisco IOS XE Authorization Bypass and Privilege Escalation 
  • [Potential] CVE-2023-46747 - F5 BIG-IP Unauthenticated AJP Smuggling 
  • [Potential] CVE-2023-41998 - Arcserve UDP Multiple Vulnerabilities 
  • [Potential] CVE-2023-48365 - Qlik Sense Unauthenticated Remote Code Execution 
  • [Potential] CVE-2023-50164 - Struts2 Unauthenticated File Traversal and Upload to Remote Code Execution 

 

 

We want to hear from you!    

MDEASM is made by security professionals for security professionals. Join our community of security pros and experts to provide product feedback and suggestions and start conversations about how MDEASM helps you manage your attack surface and strengthen your security posture. With an open dialogue, we can create a safer internet together. 

 

1 Comment
Co-Authors
Version history
Last update:
‎Jan 23 2024 09:20 AM
Updated by: