Latest Engineering Semester Enables Tighter Integrations, Ease of Use
Published Jan 31 2023 09:33 AM
Microsoft

The launch of Microsoft Defender External Attack Surface Management (Defender EASM) was part of Microsoft's ongoing vision to provide unmatched threat intelligence capabilities. We've continued to innovate, introducing impactful new features that drive value for our customers through simplicity, along with integrations that use Defender EASM data to enhance the products and workflows security teams already use.

 

Our latest build includes a REST API to let customers manage their attack surface at scale, a billable assets dashboard to help users more efficiently track their usage, and integration with Microsoft Defender for Cloud to help them understand how and why a digital asset is vulnerable. The team has also introduced enhancements such as dark mode and improvements to discovery and inventory capabilities. This blog will cover what's new in MDEASM and how it can help improve your security posture by bringing unknown resources, endpoints, and assets under secure management.

 

REST API 
 

Defender EASM continuously discovers and inventories an organization's digital attack surface. The new REST API lets customers manage their attack surface at scale by integrating with the processes and third-party tools they already use. Via the API, they can create new clients and applications or automate workflows for data enrichment, ticketing management, or process management. 
 

Common use cases for the API include retrieving or curating asset data, creating and managing discovery groups, kickstarting discovery runs, utilizing saved filters, and downloading data. 

 

Data functions include: 

  • Export, retrieve, and update assets 
  • Retrieve, create, remove or run a discovery group 
  • Retrieve discovery templates 
  • Retrieve asset summary details or snapshot values 
  • Retrieve, create or remove saved filters 
  • Retrieve or cancel tasks, and download task data 
  • Retrieve workspace data 
  • Bulk modification 

Administrative functions include: 

  • Create, update, delete or retrieve labels 
  • Create, update, delete or retrieve workspaces 

To start using the Defender EASM API, please refer to the Authentication article in our API documentation and the solutions repository developed by our Customer Experience Engineering Team.

 

Microsoft Defender for Cloud integration 
 

Defender EASM scans the internet and its connections daily, building a complete catalog of a customer's environment and discovering internet-facing resources—even the agentless and unmanaged assets. Insights about how these assets are connected to the internet and other assets are now available in Microsoft Defender for Cloud (MDC) to provide critical context during incident response.

 

The MDC and Defender EASM partnership cross-correlates externally facing IP addresses in MDC to help reduce recommendation noise and focus on the most exploitable vulnerabilities along potential attack paths. The MDC UI allows customers to quickly navigate to Defender EASM for further details via both the Overview and Attack Path pages.

 

Billable Asset Dashboard  
 

Modern attack surfaces are large, dynamic, and growing every day. Now in preview mode, the billable assets dashboard helps customers better understand how they are billed as Defender EASM discovers their attack surface and identifies new assets that may change their inventory. It provides daily billable asset counts, broken down by asset type, so users can easily track their EASM usage, see how their billing changes over time, and estimate their costs. We welcome feedback on this preview feature!
 

 

Key Enhancements 

 

Dark Mode: Defender EASM is now compatible with dark mode. Users can enable it by selecting the dark mode theme from the "Appearance + startup views" tab on the Azure Portal Settings page. 

 

 

Discovery Enhancements: Discovering your organization's attack surface is now easier than ever with improvements to our discovery process. These include:

  • A new entry field for "Organization names" as an input into the discovery algorithm 
  • Added safeguards to protect the platform and improve discovery performance 
  • Enhanced seed tooltips to provide better examples of supported inputs 
  • Removed "SSL certificate common name" as a possible seed option 
  • Seed validation to remove any duplicative seeds

Inventory Filter Improvements: Users can now understand and act on their organization's digital asset inventory more quickly and efficiently with new inventory filter improvements. These include: 

  • A drop-down list of inventory filters organized by the kind of asset they apply to. Filters that apply to all assets are "Common" 
  • Improved handling of date filters for "Created at" or "Updated at"  
  • Format validation for specific freeform values (e.g., ASN) to ensure the inputted field is applicable

New Attack Surface Insights: As the global threat landscape evolves, Defender EASM identifies and tracks new vulnerabilities that put organizations at risk. Users can now detect 31 CVEs, both detectable and potential. Other Attack Surface Insights include:
 

  • Deprecated Tech - Silverlight 
  • Command and Control Server Detected 
  • Cryptocurrency Miner Detected on Website 
  • Deprecated Tech - Boa Web Server 
  • Information Disclosure - PHPInfo 
  • Open Memcached Service Can Leak Sensitive Data 
  • Open Print Device Exposure 

We want to hear from you!  

 

MDEASM is made by security professionals for security professionals. Join our community of security pros and experts to provide product feedback and suggestions and start conversations about how MDEASM helps you manage your attack surface and strengthen your security posture. With an open dialogue, we can create a safer internet together.   
