rss.livelink.threads-in-node

Microsoft Secure score not updating after implementation of Attack Surface Reduction

Ubaid_Abbasi — Wed, 23 Apr 2025 13:45:19 GMT

Hello everyone,

I wanted to share that we have successfully implemented Attack Surface Reduction (ASR) rules across our endpoint devices as part of our ongoing security hardening efforts. These configurations are actively deployed and enforced through Intune ASR to help mitigate common attack vectors like Office macro abuse, executable content from email/web, and other high-risk behaviors.

However, we’ve noticed that despite this implementation, some ASR-related recommendations are still appearing in Microsoft Secure Score. This can occur due to delays in telemetry updates, device reporting issues, or Secure Score metrics not immediately reflecting policy enforcement across all endpoints.

We are currently reviewing the underlying data and device reporting to ensure full visibility and alignment with Secure Score.

High values CVE's not showing on High priority observations

dmarquesgn — Thu, 03 Apr 2025 09:02:45 GMT

Hi,

I need some help to understand this logic on Defender EASM. For example, on my "High priority observations", I've got 6 observations, all of those for 1 domain, which is fine.

But then if I go to my inventory and select one other domain, I can see on that host, some CVE's with High priority. Screenshot bellow:

So, why arent' this results being shown on the list of "High priority observations" if they are ranked with High priority. Is there a logic for this?

Thanks

Defender EASM source IP addresses/location

Molx32 — Tue, 22 Oct 2024 15:12:26 GMT

Hey,

I am currently building a service that will leverage EASM for discovery and scan for all our customers. However I have a very specific constraint : the scan must be done from a France-localized IP address. Does the resource location (FranceCentral in my case) make the scan occur from a french IP address?

I didn't find anything in the blog nor the documention about the scan source IP address or the the scan source location.

I'd be glad to hear from the EASM team! 🙂

Analytic rules for Microsoft Sentinel based on MS EASM

dmarquesgn — Tue, 01 Oct 2024 14:11:16 GMT

Hi,

I just imported EASM data to Sentinel, so we can create some analytic rules based on EASM data.

I'm now thinking on which use cases are interesting to create alerts.

Anyone has already followed this path and has some experience of what kind of alerts make sense based on EASM data?

Thanks

New Blog | Leverage Generative AI to expedite attack surface investigations in Defender EASM

DavidFernandes — Fri, 23 Aug 2024 22:07:36 GMT

By Soham Patel

A prerequisite to securing an organization on the internet is first knowing what digital assets in the organization are internet-facing. With the constantly changing internet, the migration to multi-cloud environments, the evolution of organizations with mergers and acquisitions, and the emergence of shadow IT, it is often difficult to maintain an updated external view of an organization’s attack surface, leading to security gaps emerging for attackers to exploit.

Microsoft Defender External Attack Surface Management (EASM) solves this challenge by discovering externally facing assets and identifying their risk. Their vulnerabilities can be identified, which helps with prioritizing them, so you know where to start with remediation efforts.

While Defender EASM equips organizations with an updated external attack surface view and the risks associated with it, these vast, multifaceted attack surfaces require many resources to analyze each asset and its associated metadata. This often increases the time to remediation and the likelihood of an attacker exploiting a security gap. However, generative AI can expedite this analysis process, enabling security professionals to defend organizations at machine speed.

Read the full post here: Leverage Generative AI to expedite attack surface investigations in Defender EASM

New Blog | Leverage Generative AI to expedite attack surface investigations in Defender EASM

DavidFernandes — Fri, 21 Jun 2024 19:51:21 GMT

By Soham Patel

At Microsoft Ignite in November 2023, we announced Defender EASM’s prompting capabilities in Copilot for Security. Today, we are thrilled to share that the same capabilities – and more – are available in public preview the Copilot chat pane in the Azure portal and can be used alongside Copilot for Security customers’ Defender EASM resources. This allows organizations to stay secure, with ease.

Dig into your external attack surface

The Copilot chat pane in Azure gives customers AI-driven insights on risky assets within their external attack surface. Instead of manually drilling down to investigate asset details, simply ask Copilot about recently expired SSL certificates and domains, and you’ll get automated answers for each in seconds. To understand which assets may have Common Vulnerabilities and Exposures (CVE), you can quickly find out by asking Copilot “which assets have critical severity CVEs?” or “Does this ‘CVE ID’ impact me?” Knowing where CVEs lie, and how they are classified, will help you in focusing resources and remediation efforts on those that matter most.

Our Copilot capabilities also enable customers to quickly identify assets impacted by specific risks and vulnerabilities, such as assets that have Common Vulnerability Scoring System (CVSS) scores, that are still using SHA-1 certificates, or are expiring soon – empowering them to determine what assets must be remediated first.

For example, we can investigate which assets are impacted by medium priority CVSS Scores and what vulnerabilities must be remediated to secure the targeted assets. In this scenario in the image below, we can see that because of the jQuery version, https://portal.fabrikam.com/ is at risk.

Read the full post here: Leverage Generative AI to expedite attack surface investigations in Defender EASM

New Blog | Leverage Generative AI to expedite attack surface investigations in Defender EASM

DavidFernandes — Tue, 21 May 2024 21:57:49 GMT

By Soham Patel

Dig into your external attack surface

Read the full post here: Leverage Generative AI to expedite attack surface investigations in Defender EASM

Leverage Generative AI to expedite attack surface investigations in Defender EASM

sohampatel — Tue, 21 May 2024 15:27:00 GMT

Dig into your external attack surface

Perform advanced queries using natural language

An advanced feature in Defender EASM is the ability to search inventory to help solve a wide variety of specific business objectives and answer targeted questions, like "What assets were registered by name@example.com?” or “What assets are using an Azure service and have vulnerabilities?” . This querying capability enables organizations to quickly find assets for remediation based on their business objectives and prompt questions. With 65 unique filter fields and 20 filter operators, these queries can become extremely sophisticated to best address the organizations’ needs.

To fully utilize Defender EASM’s robust querying capabilities, a certain level of familiarity with the Defender EASM querying tool is required. However, by using Defender EASM capabilities in Copilot, queries can be done faster and easier than ever before. Now, any natural language inquiries, such as "which pages seen in the last 30 days are using jQuery?" and "find all the page, host, and ASN assets in my inventory with X or Y IP address," can be automatically converted into the corresponding inventory queries across all data discovered by Defender EASM. This allows security analysts to leverage Defender EASM's extensive querying capabilities to extract asset metadata and key asset information – without requiring an advanced query skillset.

To illustrate how this works using Copilot, let’s say that an organization has been informed about the risk associated with jQuery version 3.1.0. From here, a security analyst will want to understand what other assets in their environment are using that same version of jQuery. The analyst can then enter a prompt in natural language, which will create a query in Defender EASM to show the assets running jQuery 3.1.0.

Use Defender EASM's Copilot prompts today

Defender EASM’s Copilot prompting capabilities in the Azure portal are currently in public preview and available to Copilot for Security customers. To learn more about Microsoft Copilot for Security, visit aka.ms/CopilotForSecurity or contact your Microsoft sales representative. To create a new Defender EASM resource and start using the prompts in the Azure chat pane, to go https://www.portal.azure.com and search for “Defender EASM”.

New Blog | Get visibility into your curated external assets with enhanced generative AI capabilities

DavidFernandes — Mon, 13 May 2024 16:48:16 GMT

By Sushma Raja

Finding, tracking, and managing all the assets found within an organization’s vast – and often unknown – digital attack surface can be a daunting task. A lack of knowing and monitoring all your assets, including shadow IT, leads to security gaps that can be exploited by attackers.

Understanding and documenting your entire attack surface with relevant asset tracking is critical to securing your environment. This highlights the importance of adding an external attack surface management (EASM) tool to your security stack.

EASM solutions are designed to provide a view of your digital attack surface from the outside in, enabling organizations to see exactly what attackers browsing the internet see when they come across an asset owned by your organization. Microsoft Defender EASM discovers and maps both known and unknown assets from an external perspective just as an attacker would see as they look to find a way to compromise an organization.

Enhanced Defender EASM functionality in Microsoft Copilot for Security

In November 2023, we announced new Defender EASM capabilities in Microsoft Copilot for Security that help security teams understand their attack surface, the pervasive CVEs within it, and get assistance remediation prioritization with the help of generative AI. The attack surface snapshot that Copilot users receive when using the prompts are, by default, generated from a library of pre-built attack surfaces that Microsoft has discovered for thousands of organizations. From our daily scans of the internet, Defender EASM discovers and searches for an organization’s attack surface based on publicly available information.

The results of prompts pulled from an organization’s pre-built attack surface are intended to give customers high-level visibility into their external assets and associated vulnerabilities. So far, they have been used by Early Access customers to achieve this visibility. One customer reported that they were able to identify unknown assets and remediate major vulnerabilities based on information gathered from EASM.

Now, we are thrilled to share enhanced functionality with these capabilities, which allows customers to directly connect their seeded and curated Defender EASM resource to Copilot for Security. With the curated Defender EASM integration, Copilot users can leverage generative AI to get comprehensive, up-to-date information about their external attack surface, analyzing assets that go above and beyond their pre-built attack surface.

Setting up is simple. In the configuration menu of Copilot for Security, turn on the Defender External Attack Surface Management skills on and then click on the Settings icon to enter your resource information. Once this information is entered, your future prompts in Copilot will utilize information from your configured EASM resource.

Read the full post here: Get visibility into your curated external assets with enhanced generative AI capabilities

New Blog | Get visibility into your curated external assets with enhanced generative AI capabilities

DavidFernandes — Fri, 12 Apr 2024 19:24:41 GMT

By Sushma Raja

Enhanced Defender EASM functionality in Microsoft Copilot for Security

Read the full post here: Get visibility into your curated external assets with enhanced generative AI capabilities

Microsoft Defender EASM should be part of Microsoft Defender XDR

Deleted — Thu, 11 Apr 2024 06:23:25 GMT

Microsoft Defender EASM should be part of Microsoft Defender XDR.

Microsoft Defender EASM should not work as one of the service in Microsoft Azure. It should be part of Exposure management in Microsoft Defender XDR. Already Microsoft is trying to consolidate its Security/Defender platforms in to one platform Microsoft Defender XDR. So at the same time why creating new portal for this?

Get visibility into your curated external assets with enhanced generative AI capabilities

SushmaRaja — Wed, 13 Mar 2024 16:00:00 GMT

Enhanced Defender EASM functionality in Microsoft Copilot for Security

All of the existing Defender EASM prompts can be used when searching for information for a curated resource.

Sample prompts to get a summary of your externally facing assets include:

What are the externally facing assets for [my resource]?
What is [my resource’s] attack surface?
What is my attack surface?

Sample prompts to get attack surface insights include:

Do I have vulnerabilities in my external attack surface for [my resource]?
What risk is in my external attack surface?
What insights are there in my external attack surface?

Sample prompts to learn about CVEs of impact include:

Does this [CVE ID] impact me?
Should I be worried about this [CVE ID]?
How many assets have critical CVSS’s for [my resource]?

Sample prompts to help you understand how you can prioritize remediation efforts include:

Which SSL certificates from [my resource] do I need to take action on?
Which expired SSL certificates are recent?
What are my expired domains?
Am I using SHA1 in my attack surface?

Learn more about Copilot for Security

To learn more about Microsoft Copilot for Security, visit aka.ms/CopilotForSecurity or contact your Microsoft sales representative. If you missed us at Microsoft Secure, you may watch the keynote video and extended Copilot demo session.

New External Attack Surface Protection Initiative in Microsoft Security Exposure Management

Today, we are excited to announce Defender EASM’s latest integration into Microsoft Security Exposure Management, our newest platform that delivers a clear and unified end-to-end view of an organization’s exposure by combining multiple Microsoft Security products and workloads in a single pane of glass, enabling continuous security posture visibility and improvement across the digital estate.

The integration, called the External Attack Surface Protection Initiative, allows CISOs and security team members to see different exposure metrics pertaining to their external attack surface, encouraging proactive posture management.

Defender EASM data surfaces the following information in Exposure Management:

Percent of assets in the attack surface with High, Medium, and Low Severity Insights

Large organizations’ attack surfaces can be incredibly broad, so prioritizing the key findings derived from Defender EASM’s data helps customers quickly and efficiently address the most important exposed elements of their attack surface. These Insights are primarily derived by detections created from internal researchers and can include critical CVEs, known associations to compromised infrastructure, use of deprecated technology, infrastructure best practice violations, or compliance issues.

Insight priorities are determined by Microsoft’s assessment of the potential impact of each insight – high, medium, and low severity – and the integration with Microsoft Security Exposure Management helps teams understand which insights to prioritize remediating first. In addition to getting visibility into these common areas of weakness, customers also receive remediation recommendations for each.

Percent of internet-facing assets with Critical and High CVE vulnerabilities

Common Vulnerabilities and Exposures (CVEs) is a list of publicly disclosed vulnerabilities relating to software weaknesses that could potentially catch the attention of an attacker. When Defender EASM completes the discovery of an organization’s assets, it then looks at what CVEs are associated with the assets. In Exposure Management, customers can see the percentage of assets in their attack surface that have Critical and High CVEs associated with, helping them visualize where they can take action.

Percent of expired SSL certificates

The security posture for configuration of an organization's SSL certificate portfolio determines both customer experience and risk of data compromise. In most modern browsers, websites with an expired SSL certification or outdated encryption will be blocked with a warning message to the user, impacting web traffic and brand trust. Users who proceed can have their communications with the website intercepted by a Man-in-the-Middle (MITM) attack. This can have several business impacts from business disruption, compliance issues, to exposure of adjacent critical systems derived by analyzing certificate values.

Percent of expired domains

Domains, previously owned by your organization which have expired, could be renewed and used by malicious actors to impersonate your brand to target your organization, employees, or customers. Organizations should review these domains to determine if they should be re-registered.

Percent of assets with remote access enabled

When remote access is enabled on open ports, it effectively allows attackers to gain unauthorized access to your network. This metric uncovers the percentage of assets in organizations’ external attack surfaces that have remote access enabled, so they can determine if it’s an asset that shouldn’t be accessible from anywhere.

Percent of assets utilizing SSH SHA1

Secure Shell Secure Hash Algorithm 1 (SSH SHA 1) is an older hash function that uses weak encryption. Defender EASM can detect assets that use this hash algorithm and alert customers to which assets are exposed to this risk in Exposure Management. Organizations should replace these certificates with new SSL certificates that use SHA-256.

Learn more about Microsoft Security Exposure Management

Achieving robust attack surface visibility and understanding posture are imperative in effectively managing threat exposure. Microsoft Security Exposure Management provides the essential tools and insights needed for proactive cybersecurity measures. It is not just a choice; it's a strategic move towards fortifying your organization's defenses in the face of evolving threats. Dive into a new era of cybersecurity resilience by getting started today.

Latest Defender EASM Features Increase Visibility and Enhance Querying for Faster Remediation

dandennis — Tue, 06 Feb 2024 17:04:07 GMT

Microsoft Defender External Attack Surface Management (Defender EASM) discovers and classifies assets and workloads across your organization's digital presence to enable teams to understand and prioritize exposed weaknesses in cloud, SaaS, and IaaS resources to strengthen security posture. Features recently added increase CWE and CVE visibility and boost query efficiency so users can focus on finding the information that's most important to their environment. Below, learn about these powerful new enhancements and how you can begin using them today.

New Features

CWE Top 25 Software Weaknesses dashboard

The Top 25 Common Weakness Enumeration (CWE) list is provided annually by MITRE. These CWEs represent the most common and impactful software weaknesses that are easy to find and exploit. This dashboard displays all CWEs included on the list over the last five years, listing all inventory assets that might be impacted by each CWE. Referencing this dashboard saves you research time and helps your vulnerability remediation efforts by helping you identify the greatest risks to your organization based on other tangible observed exploits.

CISA Known Exploits dashboard

While there are hundreds of thousands of identified CVE vulnerabilities, only a small subset hasve been identified by the Cybersecurity & Infrastructure Security Agency (CISA) as recently exploited by threat actors. This list includes less than .5% of all identified CVEs; for this reason, it is instrumental to helping security professionals prioritize the remediation of the greatest risks to their organization. Those who remediate threats based on this list operate with the upmost efficiency because they’re prioritizing the vulnerabilities that have resulted in real security incidents.

Both new Defender EASM dashboards are designed to help users find the threats that pose the greatest threat to their organization as efficiently as possible. To learn more about dashboards, see our help documentation.

Push notifications

Users now receive one-time push notifications in the Azure portal to alert them of key updates to their attack surface. These notifications are designed to guide users to the information that helps them create a comprehensive external attack surface and efficiently manage their ever-changing digital landscape. Users can expect notifications in the following instances:

Free Trial Ending (within 10 days): when you login to Defender EASM within 10 days of your free trial ending, you will receive a one-time notification that alerts you of the impending trial end.
New Insight published: if your external attack surface contains inventory assets that are potentially impacted by a new insight, you will receive a notification. Clicking the notification will route you to the detailed list of all assets that are affected by the insight.
Discovery run completion: when a discovery run is successfully completed and discovers new assets related to your external attack surface, you will receive a notification that "X (number) of assets" have been added to your inventory. Click this notification to view a list of the assets added to inventory through that particular discovery run.
Discovery run failure: when a discovery run fails, you will receive a push notification that routes you to the Discovery Group page when clicked. This page provides more details about the failure and offers the option to re-run the discovery.

Software Development Kits (SDKs) for Java and Javascript

Customers can now access client libraries for Javascript and Java that help them operationalize the Defender EASM REST API to automate processes and improve workflows. These SDKs are now available to customers in Public Preview.

Key enhancements

"NEW" flag for insights

New insights are now flagged with “NEW” on the "Attack surface priorities" charts and other areas in the UI. This helps customers quickly navigate to insights that they have not yet investigated, enabling better prioritization when reviewing your attack surface.

Discovery run improvements

Performance enhancements were completed on the backend of the discovery engine to enable larger asset counts to be brought into inventory with each discovery run. Furthermore, we have added tooltips to the Discovery Group details page to provide more insight into failed discovery runs. By hovering over the information icon next to any failed discovery run within the Run History section, users can understand why their run failed and adjust accordingly before running another discovery, improving efficiency.

Filter editor redesign

Defender EASM has implemented a new design for filters that makes it easier for you to quickly query your inventory. Each query is now constructed from the main inventory page in a more visual format, making it easier to construct multiple queries before submitting. Unlike the previous filter design, these improvements allow users to view and edit all queries simultaneously before submitting the request, improving the ease of usability of the feature. In addition, we have added an “OR” operator for many filters, allowing you to quickly search for multiple desired results.

New attack surface insights

The Defender EASM team is constantly adding new insights to the platform to ensure that our users have visibility into the latest security threats. The follow insights were added to Defender EASM in the last three months.

Detectable insights

CVE-2023-42115 - Exim Unauthenticated Remote Code Execution
CVE-2023-40044 - WS_FTP Server Ad Hoc Transfer Unauthorized Deserialization
CVE-2023-22515 - Confluence Privilege Escalation
CVE-2023-42793 - TeamCity Unauthenticated Remote Code Execution
CVE-2023-38646 Metabase Unauthenticated Command Execution
CVE-2023-33246 - Apache RocketMQ Broker Unauthenticated Remote Command Injection
CVE-2023-22518 - Atlassian Confluence Improper Authorization
CVE-2023-47246 - SysAid Help Desk Path Traversal to Remote Code Execution
CVE-2023-46604 - Apache ActiveMQ OpenWire Broker Remote Code Execution
CVE-2023-45849 - Perforce Helix Core Unauthenticated Remote Code Execution over RPC

Potential Insights

Potential Insights are created when a vulnerable version of software has not been detected and needs to be validated by the customer. Customers using this software should check if they have the vulnerable versions highlighted in the insight:

[Potential] August 2023 Juniper Junos OS Multiple Vulnerabilities in J-Web
[Potential] CVE-2023-40044 - WS_FTP Server Ad Hoc Transfer Unauthorized Deserialization
[Potential] CVE-2023-4966 - Citrix NetScaler Gateway and NetScaler ADC Session Token Leak
[Potential] CVE-2023-20198 & CVE-2023-20273 - Cisco IOS XE Authorization Bypass and Privilege Escalation
[Potential] CVE-2023-46747 - F5 BIG-IP Unauthenticated AJP Smuggling
[Potential] CVE-2023-41998 - Arcserve UDP Multiple Vulnerabilities
[Potential] CVE-2023-48365 - Qlik Sense Unauthenticated Remote Code Execution
[Potential] CVE-2023-50164 - Struts2 Unauthenticated File Traversal and Upload to Remote Code Execution

We want to hear from you!

MDEASM is made by security professionals for security professionals. Join our community of security pros and experts to provide product feedback and suggestions and start conversations about how MDEASM helps you manage your attack surface and strengthen your security posture. With an open dialogue, we can create a safer internet together.

Normalize Billable Assets EASM

G_Singh_ — Tue, 09 Jan 2024 01:18:13 GMT

Hi, we're currently evaluating EASM and running a trial POC.

We've used the default predefined attack surface template for our Org.

The Billable asset count number is quite high and "Host: IP pairs" are contributing mostly which are IPv6 addresses.

Can we filter out all these IPv6 for example: Changing their state from Approved to >> "Candidate" or "Dismissed"? The ultimate goal is to normalize the Billable Assets to get accurate cost estimates by filtering out IPv6 addresses. thanks

New Blog | Defender EASM - Performing a Successful Proof of Concept (PoC)

BrittanyCCP — Thu, 30 Nov 2023 00:39:54 GMT

This blog will serve as a high-level guide to help you execute a simple framework for evaluating Defender EASM, and other items to consider when embarking on the journey to understand the Internet exposed digital assets that comprise your external attack surface, so you can view risks through the same lens as a malicious threat actor.

Read the full blog post here: Defender EASM - Performing a Successful Proof of Concept (PoC) - Microsoft Community Hub

Defender EASM - Performing a Successful Proof of Concept (PoC)

Michael_Lindsey — Wed, 29 Nov 2023 16:06:30 GMT

Welcome to an introduction of the concepts and simple approach required for executing a successful Proof of Concept (PoC) for Microsoft Defender External Attack Surface Management (Defender EASM). This article will serve as a high-level guide to help you execute a simple framework for evaluating Defender EASM, and other items to consider when embarking on the journey to understand the Internet exposed digital assets that comprise your external attack surface, so you can view risks through the same lens as a malicious threat actor.

Planning for the PoC

To ensure success, the first step is planning. This entails understanding the value of Defender EASM, identifying stakeholders who need to be involved, and scheduling planning sessions to determine use cases & requirements and scope before beginning.

For example, one of the core benefits of the Defender EASM solution is that it provides high value visibility to Security and IT (Information Technology) teams that enables them to:

Identify previously unknown assets
Prioritize risk
Eliminate threats
Extends vulnerability and exposure control beyond the firewall

Next, you should identify all relevant stakeholders, or personas, and schedule in 1-2 short planning sessions to document the tasks and expected outcomes, or requirements. These sessions will establish the definition of success for the PoC.

Who are the common stakeholders that should participate in the initial planning sessions? The answer to that question will be unique to each organization, but some common personas include the following:

Vulnerability Management Teams
IT personnel responsible for Configuration Management, Patching, Asset Inventory Databases
Governance, Risk, & Compliance (GRC) Teams

(Optional) GRC aligned Legal, Brand Protection, & Privacy Teams
Internal Offensive Penetration Testing and Red Teams
Security Operations Teams
Incident Response Teams
Cyber Threat Intelligence, Hunting, and Research Teams

Use Cases & Requirements

Based on the scope, you can begin collaborating with the correct people to establish use cases & requirements to meet the business goals for the PoC. The requirements should clearly define the subcomponents of the overarching business goals within the charter of your External Attack Surface Management Program. Examples of business goals and high-level supporting requirements might include:

Discover Uknown Assets

Find Shadow IT

Discover Abandoned Assets

Resulting from Mergers, Acquistions, or Divestitures
Insufficient Asset Lifecycle Management in Dev/Test/QA Environments

Identification of Vulnerabilities

Lack of Patching or Configuration Management

Assignment of Ownership to Assets

Line of Business or Subsidiary
Based on Geographic Location
On-Prem vs Cloud

Reporting, Automation, and Defender EASM Data Integrations

Data Connector integration with Log Analytics or Kusto

Use of a reporting or visualization tool, such as PowerBI
Logic Apps to automate management of elements of your attack surface

Prerequisites to Exit the Planning Phase

Completion of the Planning Phase!
Configure an Azure Active Directory or personal Microsoft account. Login or create an account here.
Set up a Free 30-day Defender EASM Trial

- Visit the following link for information related to setting up your Defender EASM attack surface today for free.

Deploy & Access the Defender EASM Platform

- Login to Defender EASM

- Follow the deployment Quick Start Guide

Measuring Success?

Determining how success will establish the criteria for a successful or failed PoC. Success and Acceptance Criteria should be established for each requirement identified. Weights may be applied to requirements, but measuring success can be as simple as writing out criteria as below:

Requirement: Custom Reporting

Success Criteria: As a vulnerability manager, I want to view a daily report that shows the assets with CVSSv2 and CVSSv3 scores of 10.

Acceptance Criteria:

Data must be exported to Kusto
Data must contain assets & CVSS (Common Vulnerability Scoring System) scores
Dashboards must be created with PowerBI and accessible to user
Dashboard data must be updated daily

Validation: Run a test to validate that acceptance criteria has been met.

Pass / Fail: Pass

Executing the PoC

Implementation and Technical Validation

We will now look at five different use cases & requirements, define the success and acceptance criteria for each, and validate that the requirements are met by observing the outcome of each in Defender EASM.

Use Case 1: Discover Unknown Assets, Finding Shadow IT

Success Criteria: As a member of the Contoso GRC team, I want to identify Domain assets in our attack surface that have not been registered with the official company email address we use for domain registrations.

Acceptance Criteria:

Defender EASM allows for searches of Domain WHOIS data that returns the “Registrant Email” field in the result set.

Validation:

Click the “Inventory” link on the left of the main Defender EASM page.

Figure: Launch the inventory query screen

Execute a search in Defender EASM that excludes Domains registered with our official company email address of ‘domainadmin@constoso.com’ and returns all other Domains that have been registered with an email address that contains the email domain ‘contoso.com’.

Figure: Query for incorrectly registered Domain assets

Click on one of the domains in the result set to view asset details. For example, “woodgrovebank.com” domain.
When the asset details open and confirm that the domain ‘woodgrovebank.com’ is in the upper left corner.
Click on the “Whois” tab.
Note that this Domain asset has been registered with an email address that does not match the corporate standard (i.e., “employeeName@contoso.com”) and should be investigated for the existence of Shadow IT.

Figure: WHOIS asset details

Resources:

Understand asset details: https://learn.microsoft.com/en-us/azure/external-attack-surface-management/understanding-asset-details
Domain asset filters: https://learn.microsoft.com/en-us/azure/external-attack-surface-management/domain-asset-filters
Understanding WHOIS: https://en.wikipedia.org/wiki/WHOIS

Use Case 2: Abandoned Assets, Acquisitions

Success Criteria: As a member of the Contoso Vulnerability Management team, who just acquired Woodgrove Bank, I want to ensure acquired web sites using the domain “woodgrovebank.com” are redirected to web sites using the domain “contoso.com”. I need to obtain results of web sites that are not redirecting as expected, as those may be abandoned web sites.

Acceptance Criteria:

Defender EASM allows for search of specific initial and final HTTP (Hypertext Transfer Protocol) response codes for Page assets
Defender EASM allows for search of initial and final Uniform Resource Locator (URL) for Page assets

Validation:

Run a search in Defender EASM that looks for Page assets that have:
1. Initial response codes that cause HTTP redirects (i.e., “301”, “302”)
2. Initial URLs that contain “woodgrovebank.com”
3. Final HTTP response codes of “200”
4. Final URL, post HTTP redirect, that do not contain “contso.com”

Figure: Query for incorrect page redirection

Click one of the Page assets in the result set to see the asset details.

Figure: Page asset overview

Validate:
1. Initial URL contains “woodgrovebank.com”
2. Initial response code is either “301” or “301”
3. Final URL does not contain “contoso.com”
4. Final response code is “200”

Resources:

Asset details summary view: https://learn.microsoft.com/en-us/azure/external-attack-surface-management/understanding-asset-details
Defender EASM inventory filters overview: https://learn.microsoft.com/en-us/azure/external-attack-surface-management/inventory-filters
Page asset filters: https://learn.microsoft.com/en-us/azure/external-attack-surface-management/page-asset-filters
HTTP Response Codes: https://en.wikipedia.org/wiki/List_of_HTTP_status_codes

Use Case 3: Identification of Vulnerabilities, Lack of Patching or Configuration Management

Success Criteria: As a member of the Contoso Vulnerability Management team, I need the ability to retrieve a list of assets with high priority vulnerabilities and remediation guidance in my attack surface.

Acceptance Criteria:

Defender EASM provides a dashboard of prioritized risks in my external attack surface
Defender EASM provides remediation guidance for each prioritized vulnerability
Defender EASM provides an exportable list of assets impacted by vulnerability

Validation:

From the main Defender EASM page, click “Attack Surface Summary” to view the “Attack Surface Summary” dashboard
Click the link that indicates the number of assets impacted by a specific vulnerability to view a list of impacted assets

Figure: Attack Surface Insights Dashboard

Validate that Defender EASM provides additional information about vulnerabilities and remediation guidance.
Click the link in the upper right corner titled “Download CSV report” and validate the contents within

Figure: Vulnerability remediation details

Resources:

Understanding dashboards: https://learn.microsoft.com/en-us/azure/external-attack-surface-management/understanding-dashboards
Understanding CVEs: https://nvd.nist.gov/vuln

Use Case 4: Assignment of Ownership to Assets, Line of Business or Subsidiary

Success Criteria: As a member of the Contoso GRC team, I need the ability to assign ownership of assets to specific business units through, along with a mechanism to quickly visualize this relationship.

Acceptance Criteria:

Defender EASM provides an approach to assigning ownership via labels
Defender EASM allows users to apply labels to assets that meet specific indicators that indicate affiliation with a specific business unit
Defender EASM provides the ability to apply labels in bulk

Validation:

Click the “Inventory” link on the left of the main Defender EASM page to launch the search screen
Run a search that returns all Page assets that are on the IP Block “10.10.10.0/24”. The Page assets on this network all belong to the Financial Services line of business, so it is the only indicator of ownership needed in this example.

Figure: Query to determine Page asset ownership by IP Block

Select all assets in the result set by clicking the arrow to the right of the checkbox as shown in the following image and choose the option for all assets.

Figure: Selecting assets for bulk modification

Click the link to modify assets, followed by the link to “Create a new label” on the blade that appears.
A new screen will appear that allows the creation of a label. Enter a descriptive “Label name”, an optional “Display name”, select a desired color, and click “Add” to finish creating a label.

Figure: Link to modify assets and create a label

Figure: Create label detail

After creating the label, you will be directed back to the screen to modify assets. Validate that the label was created successfully.
Click into the label text box to see a list of labels available to choose from and select the one that was just created.
Click “Update”

Figure: Label selected assets

Click the bell icon to view task notifications to validate the status of labels update.

Figure: View status of label update task

When the task is complete, run the search again to validate that labels have been applied to the assets owned by the Financial Services organization.

Figure: Query to validate labels have been applied to assets

Resources:

Asset modification overview: https://learn.microsoft.com/en-us/azure/external-attack-surface-management/labeling-inventory-assets
Defender EASM inventory filters overview: https://learn.microsoft.com/en-us/azure/external-attack-surface-management/inventory-filters

Finishing the PoC

Summarize Your Findings

Identify how the Defender EASM solution has provided increased visibility to your organization’s attack surface in the PoC.

Have you discovered unknown assets related to Shadow IT?
Were you able to find potentially abandoned assets related to an acquisition?
Has your organization been able to better prioritize vulnerabilities to focus on the most severe risks?
Do you know have a better view of asset ownership in your organization?

Feedback?

We would love to hear any ideas you may have to improve our Defender EASM platform or where and how you might use Defender EASM data elsewhere in the Microsoft Security ecosystem or other security 3^rd party applications. Please contact us via email at mdesam-pm@microsoft.com to share any feedback you have regarding Defender EASM.

Interested in Learning About New Defender EASM Features?

Please join our Microsoft Security Connection Program if you are not a member and follow our Private & Public Preview events. You will not have access to this exclusive Teams channel until you complete the steps to become a Microsoft Security Connection Program member. Users that would like to influence the direction/strategy of our security products are encouraged to participate in our Private Preview events. Members who participate in these events will earn credit for respective Microsoft product badges delivered by Credly.

Conclusion

You now understand how to execute a simple Defender EASM PoC, to include deploying your first Defender EASM resource, identifying common personas, how to set requirements, and measure success. Do not forget! - you can enjoy a free 30-day trial by clicking on the link below.

You can discover your attack surface discovery journey today for free.

Optimize insights and efficiency with latest Defender EASM features and generative AI integrations

BrittanyCCP — Wed, 15 Nov 2023 22:59:56 GMT

New Blog | Optimize insights and efficiency with latest Defender EASM features and generative AI integrations.

Over the last six months, Microsoft Defender External Attack Surface Management (EASM) has released updates that help Defender EASM customers increase the speed to operationalize its findings. Now, vulnerability management teams are using labels to drive workflows and denote asset ownership, they are saving queries to quickly modify newly discovered assets, and they are combining it all with data connector exports to generate custom reports to help them see their security data holistically.

These new features that we’ve recently delivered make it easier for our customers to track inventory changes, see important asset findings in one place, connect data to supplement workflows, and has made managing assets and long-running tasks more efficient.

Additionally, we’re excited to announce that we’ve extended Defender EASM’s footprint into Microsoft Security Copilot with capabilities that enable Copilot users to learn more about their external attack surface exposures in context and at AI speeds.

Read on to learn more about the latest in Defender EASM: Optimize insights and efficiency with latest Defender EASM features and generative AI integrations - Microsoft Community Hub

Optimize insights and efficiency with latest Defender EASM features and generative AI integrations

gkostolny — Wed, 15 Nov 2023 16:00:00 GMT

Discovering and prioritizing vulnerabilities that often arise as a result of known and unknown internet-exposed assets – which can emerge from shadow IT, the supply chain, and the shift of moving to the cloud, for example – is an essential practice our customers take to reduce external risk and stay secure.

Read on to learn more about the latest in Defender EASM.

Understand inventory changes over time

While Defender EASM has long provided detailed dashboards with information on vulnerabilities, misconfigurations, breakdowns of device types, and other useful analytics, these have primarily focused on point-in-time snapshot-style views. In October, we released a new dashboard that shows inventory changes in your attack surface. With the introduction of this dashboard, you can now see changes to the attack surface over time, as assets move in and out of the attack surface, whether automatically due to Microsoft’s ongoing scanning and enumeration, or due to manual curation in product, or even via API-based adjustments made via external integrations. In addition to a graphical overview of the changes over the selected time period (7 or 30 days), you can also see the change counts for each day in the last 30 days, both in the aggregate and for each individual asset type.

Inventory changes dashboard in Defender EASM

See asset vulnerabilities in one place

In Defender EASM we have two different detection methods used to identify software, services, and vulnerabilities on your external assets: insight detections authored by Microsoft’s security research team, and internet graph-based detections based on software and service components that Defender EASM can identify in your environment, allowing us to identify likely CVEs on assets. Our two different detection methods complement one another and are valuable in generating the most accurate coverage, however, analysts sometimes found it challenging to align the two together when inspecting assets, and complicated to identify which observations came from Microsoft research versus graph detection, or both methods combined.

In June, we introduced a new feature into the Defender EASM interface that helps unify asset detail data and showcases all high, medium, and low priority observations related to any given asset in a single tab, labeled “Observations”, on the asset details page. The new tab is helpful so you can see exactly which detection method the insights are coming from, whether that be from research, graph detection, or both. This new tab represents a significant step in unifying findings in the EASM interface so that analysts can understand all the security posture-relevant findings for an asset in a single place and make smart decisions about how best to proceed in terms of investigation or remediation steps. Analysts can also more clearly understand the breadth of Microsoft’s security knowledge regarding any given asset and feel confident that EASM is providing them with clear guidance as they evaluate ongoing deployment of security controls, whether direct or compensating.

Observations tab Defender EASM

Connect, organize, and take action on your data

This year, we’ve added many new capabilities and features in Defender EASM that make it easier for you to connect your external attack surface data to other Microsoft tools, as well as the ability to keep assets organized with labeling, bulk modification, and task management.

Created to supplement existing workflows, gain new insights, and automate data flow between tools, Defender EASM’s recent data connections feature is compatible with both Microsoft Log Analytics and Azure Data Explorer. The integration provides external attack surface data flow into your mission-critical systems, so you can get a holistic view of your data, enhance data visualizations, stay compliant, and effectively guard against vulnerabilities. Learn how to get started with data connections here.

Data connections in Defender EASM

Organizing attack surface data – even after you’ve enabled a data connection – is important because it helps you apply business context to the asset at hand. For example, labeling assets is helpful to distinguish any assets that may have come in from a merger or acquisition, or those that require compliance monitoring, or when dealing with assets impacted by a specific vulnerability that requires mitigation. New this year, we’ve added the ability to apply any text label to a subset of assets – including within any asset export via the data connectors – so they can be grouped together to better operationalize your inventory.

Asset labeling in Defender EASM

In addition to applying labels to better organize assets, assets can also be categorized to tell you what their role is within your organization. For example, if the asset is approved and owned, or dependent on a third party, or only retained in your inventory to be monitored. Now, you can change the state of your selected assets in bulk, saving you time in categorizing many assets at once.

Changing the state of your assets in bulk in Defender EASM

With the new ability to modify hundreds – or even thousands – of assets at a time, we’ve added a new “Task Manager” page to Defender EASM, making it possible to easily track the progress of tasks (like asset modification or downloading dashboard chart data) that may take a longer time to complete. Furthermore, you will also be notified via a pop-up about the progress of any relevant tasks that are running in the background – eliminating the need to check the status every so often and helping you stay focused on other priorities.

Task manager page in Defender EASM

Notifications in Defender EASM

Learn more about organizing, modifying, and tracking your external attack surface data here.

Get a snapshot view of your external attack surface with generative AI

We are excited to announce our new Defender EASM capabilities within the Microsoft Security Copilot standalone experience, currently available in the Early Access Program. These capabilities enable your security teams to quickly gain derive insights into your (non-curated) external attack surface at AI speeds – without the need for prior configuration in Defender EASM.

The capabilities solve for three distinct needs:

They help SOC teams understand their externally facing assets
They help vulnerability managers understand particular CVEs of impact
They help security teams know where to start prioritizing remediation efforts

Let’s dive into how you can use the capabilities to address each.

Understand your externally facing assets

Understanding your digital footprint as threats emerge every day is critical in keeping your organization secure and compliant. The new set of Defender EASM capabilities in Security Copilot allow your organization’s SOC team to obtain a global snapshot view of the external attack surface, based on Microsoft’s pre-built library of external attack surfaces, by identifying externally facing assets exposed to the internet -- such as domains, hosts, and IP addresses – whether they are hosted on premise, in the cloud, or originating from a third party. You can also see how many high, medium, and low priority insights that may impact your organization are present, and quickly identify the assets they are tied to.

Use any of the following prompts in Security Copilot to understand your external attack surface:

Please tell me my externally facing assets.
Get the external attack surface for [my organization].
What is the external attack surface for [my organization]?
What are the externally facing assets for [my organization]?
How many High Priority Insights impact my external attack surface?
Get high priority attack surface insights for [my organization].
Get low priority attack surface insights for [my organization].
Does my organization have high severity vulnerabilities in the external attack surface?
Are there any medium priority insights?

Understanding the external attack surface in Security Copilot’s standalone experience

Understand particular CVEs of impact

After you’ve understood your attack surface composition, it’s imperative to investigate if there are high priority insights present so you can understand which assets are risky to your organization. Defender EASM capabilities do the digging for you, enabling you to quickly see high priority observations and significantly reduce the time it takes to research vulnerable assets.

Use the following prompts to understand if your organization is impacted by a particular CVE of interest and get visibility into vulnerable and critical high severity CVEs:

Is my external attack surface impacted by [CVE ID]?
Get assets affected by [CVE ID] for my organization.
Which assets are affected by [CVE ID] for my organization?
Is my external attack surface impacted by [CVE ID]?
Are any assets impacted be [CVE ID] for [my organization]?
Get assets affected by high severity CVSS’s in my attack surface.
How many high priority insights impact my external attack surface?
How many assets have critical CVSS’s for my organization?
What assets are affected by CVSS for [my organization]?
Are there assets with high CVSS scores for [my organization]?

Showcasing particular CVEs within the external attack surface in Security Copilot’s standalone experience

Asking about high priority insights in Security Copilot’s standalone experience

Understand how you should prioritize your remediation efforts

Once you’ve found the assets that need attention, Defender EASM capabilities will take it a step further and identify assets that need immediate attention by showing assets with critical and high CVSS scores, expired domains and SSL certificates, and any assets using SSL SHA1. This is helpful in reducing the time it takes you to determine which assets should be remediated first.

Use the following prompts to unlock which assets need your attention first:

How many domains are expired in my organization’s attack surface?
How many assets are using expired domains for my organization?
How many SSL certificates are expired for my organization?
How many assets are using expired SSL certificated for my organization?
How many SSL SHA1 certificates are present for my organization?
How many assets are using SSL SHA 1 for my organization?

Checking for expired domains in Security Copilot’s standalone experience

Defender EASM capabilities in Security Copilot make it easy for you to get a snapshot view of your external attack surface, without needing to create a Defender EASM workspace.

Interest in the Security Copilot Early Access Program has been high and space is still available. Reach out to your sales representative to get more details on early access program qualifications.

An introduction to Microsoft Defender EASM’s Data Connections functionality

lgoduti — Tue, 19 Sep 2023 16:32:08 GMT

Microsoft Defender External Attack Surface Management (EASM) continuously discovers a large amount of up-to-the-minute attack surface data, helping organizations know where their internet-facing assets lie. Connecting and automating this data flow to all our customers’ mission-critical systems that keep their organizations secure is essential to understanding the data holistically and gaining new insights, so organizations can make informed, data-driven decisions.

In June, we released the new Data Connections feature within Defender EASM, which enables seamless integration into Azure Log Analytics and Azure Data Explorer, helping users supplement existing workflows to gain new insights as the data flows from Defender EASM into the other tools. The new capability is currently available in public preview for Defender EASM customers.

Why use data connections?

The data connectors for Log Analytics and Azure Data Explorer can easily augment existing workflows by automating recurring exports of all asset inventory data and the set of potential security issues flagged as insights to specified destinations to keep other tools continually updated with the latest findings from Defender EASM. Benefits of this feature include:

Users have the option to build custom dashboards and queries to enhance security intelligence. This allows for easy visualization of attack surface data, to then go and perform data analysis.
Custom reporting enables users to leverage tools such as Power BI. Defender EASM data connections will allow the creation of custom reports that can be sent to CISOs and highlight security focus areas.
Data connections enable users to easily access their environment for policy compliance.
Defender EASM’s data connectors significantly enrich existing data to be better utilized for threat hunting and incident handling.
Data connectors for Log Analytics and Azure Data Explorer enable organizations to integrate Defender EASM workflows into the local systems for improved monitoring, alerting, and remediation.

In what situations could the data connections be used?

While there are many reasons to enable data connections, below are a few common use cases and scenarios you may find useful.

The feature allows users to push asset data or insights to Log Analytics to create alerts based on custom asset or insight data queries. For example, a query that returns new High Severity vulnerability records detected on Approved inventory can be used to trigger an email alert, giving details and remediation steps to the appropriate stakeholders. The ingested logs and Alerts generated by Log Analytics can also be visualized within tools like Workbooks or Microsoft Sentinel.
Users can push asset data or insights to Azure Data Explorer/Kusto to generate custom reports or dashboards via Workbooks or Power BI. For example, a custom-developed dashboard that shows all of a customer’s approved Hosts with recent/current expired SSL Certificates that can be used for directing and assigning the appropriate stakeholders in your organization for remediation.
Users can include asset data or insights in a data lake or other automated workflows. For example, generating trends on new asset creation and attack surface composition or discovering unknown cloud assets that return 200 response codes.

How do I get started with Data Connections?

We invite all Microsoft Defender EASM users to participate in using the data connections to Log Analytics and/or Azure Data Explorer so you can experience the enhanced value it can bring to your data, and thus, your security insights.

Step 1) Ensure your organization meets the preview prerequisites

Aspect

Details

Required/Preferred

Environmental Requirements

Defender EASM resource must be created and contain an Attack Surface footprint.
Must have Log Analytics and/or Azure Data Explorer/ Kusto

Required Roles & Permissions

- Must have a tenant with Defender EASM created (or be willing to create one). This provisions the EASM API service principal.

- User and Ingestor roles assigned to EASM API (Azure Data Explorer)

Step 2) Access the Data Connections

Users can access Data Connections from the Manage section of the left-hand navigation pane (shown below) within their Defender EASM resource blade. This page displays the data connectors for both Log Analytics and Azure Data Explorer, listing any current connections and providing the option to add, edit or remove connections.

Connection prerequisites: To successfully create a data connection, users must first ensure that they have completed the required steps to grant Defender EASM permission for the tool of their choice. This process enables the application to ingest our exported data and provides the authentication credentials needed to configure the connection.

Step 3: Configure Permissions for Log Analytics and/or Azure Data Explorer

Log Analytics:

Open the Log Analytics workspace that will ingest your Defender EASM data or create a new workspace.
On the leftmost pane, under Settings, select Agents.

Azure Data Explorer:

Expand the Log Analytics agent instructions section to view your workspace ID and primary key. These values are used to set up your data connection.
Open the Azure Data Explorer cluster that will ingest your Defender EASM data or create a new cluster.
Select Databases in the Data section of the left-hand navigation menu.

Select + Add Database to create a database to house your Defender EASM data.

4. Name your database, configure retention and cache periods, then select Create.

5. Once your Defender EASM database has been created, click on the database name to open the details page. Select Permissions from the Overview section of the left-hand navigation menu.

To successfully export Defender EASM data to Data Explorer, users must create two new permissions for the EASM API: user and ingestor.

6. First, select + Add and create a user. Search for “EASM API,” select the value, then click Select.

7. Select + Add to create an ingestor. Follow the same steps outlined above to add the EASM API as an ingestor.

8. Your database is now ready to connect to Defender EASM.

Step 4: Add data connections for Log Analytics and/or Azure Data Explorer

Log Analytics:

Users can connect their Defender EASM data to either Log Analytics or Azure Data Explorer. To do so, select “Add connection” from the Data Connections page for the appropriate tool. The Log Analytics connection addition is covered below.

A configuration pane will open on the right-hand side of the Data Connections screen as shown below. The following fields are required:

Name: enter a name for this data connection.
Workspace ID For Log Analytics, users enter the Workspace ID and the coinciding API key associated with their account.
Api key Log Analytics users enter the API key associated with their account
Content: users can select to integrate asset data, attack surface insights, or both datasets.
Frequency: select the frequency that the Defender EASM connection sends updated data to the tool of your choice. Available options are daily, weekly, and monthly.

Azure Data Explorer:

The Azure Data Explorer connection addition is covered below.

A configuration pane will open on the right-hand side of the Data Connections screen as shown below. The following fields are required:

Name: enter a name for this data connection.
Cluster name:
Region: The region associated with Azure Data explorer
Database: The database associated with the Azure Data explorer
Content: users can select to integrate asset data, attack surface insights, or both datasets.
Frequency: select the frequency that the Defender EASM connection sends updated data to the tool of your choice. Available options are daily, weekly, and monthly.

Step 5: View data and gain security insights

To view the ingested Defender EASM asset and attack surface insight data, you can use the query editor available by selecting the ”Logs” option from the left hand menu of the Azure Log Analytics Workspace you created earlier. These tables are also updated at the Data Connection configuration record frequency.

Extending Defender EASM Asset and Insights data, via these two new data connectors, into Azure ecosystem tools like Log Analytics and Data Explorer enables customers to orchestrate the creation of contextualized data views that can be operationalized into existing workflows and provides the facility and toolsets for analysts to investigate and develop new methods of applicative Attack Surface Management.

Additional resources:

New Blog | One Microsoft: Enriching MDEASM assets with Threat Intelligence Feeds

BrittanyCCP — Tue, 22 Aug 2023 17:25:55 GMT

Organizations need processes and tools such as Microsoft Defender External Attack Surface Management (MDEASM) to help with identifying and managing the points in a software system or network infrastructure that could be targeted by potential attackers. These points, often referred to as "attack vectors," are vulnerabilities or weaknesses that attackers could exploit to gain unauthorized access, compromise systems, or steal sensitive data.

The External Attack Surface specifically refers to the components and interfaces of a system that are exposed to the outside world, such as public-facing applications, network services, APIs, and other entry points. These are the points that can be targeted by attackers who are trying to breach the system from outside the organization's perimeter.

This blog covers how Microsoft Security can help identify threats by leveraging Microsoft Defenders External Attack Surface Management asset discovery against the Microsoft Defender Threat Intelligence feeds.

Read the full blog post here: One Microsoft: Enriching owned assets with Threat Intelligence Feeds