Microsoft Defender External Attack Surface Management Blog articles

Leverage Generative AI to expedite attack surface investigations in Defender EASM

sohampatel — Tue, 21 May 2024 15:27:00 GMT

A prerequisite to securing an organization on the internet is first knowing what digital assets in the organization are internet-facing. With the constantly changing internet, the migration to multi-cloud environments, the evolution of organizations with mergers and acquisitions, and the emergence of shadow IT, it is often difficult to maintain an updated external view of an organization’s attack surface, leading to security gaps emerging for attackers to exploit.

Microsoft Defender External Attack Surface Management (EASM) solves this challenge by discovering externally facing assets and identifying their risk. Their vulnerabilities can be identified, which helps with prioritizing them, so you know where to start with remediation efforts.

While Defender EASM equips organizations with an updated external attack surface view and the risks associated with it, these vast, multifaceted attack surfaces require many resources to analyze each asset and its associated metadata. This often increases the time to remediation and the likelihood of an attacker exploiting a security gap. However, generative AI can expedite this analysis process, enabling security professionals to defend organizations at machine speed.

At Microsoft Ignite in November 2023, we announced Defender EASM’s prompting capabilities in Copilot for Security. Today, we are thrilled to share that the same capabilities – and more – are available in public preview the Copilot chat pane in the Azure portal and can be used alongside Copilot for Security customers’ Defender EASM resources. This allows organizations to stay secure, with ease.

Dig into your external attack surface

The Copilot chat pane in Azure gives customers AI-driven insights on risky assets within their external attack surface. Instead of manually drilling down to investigate asset details, simply ask Copilot about recently expired SSL certificates and domains, and you’ll get automated answers for each in seconds. To understand which assets may have Common Vulnerabilities and Exposures (CVE), you can quickly find out by asking Copilot “which assets have critical severity CVEs?” or “Does this ‘CVE ID’ impact me?” Knowing where CVEs lie, and how they are classified, will help you in focusing resources and remediation efforts on those that matter most.

Our Copilot capabilities also enable customers to quickly identify assets impacted by specific risks and vulnerabilities, such as assets that have Common Vulnerability Scoring System (CVSS) scores, that are still using SHA-1 certificates, or are expiring soon – empowering them to determine what assets must be remediated first.

For example, we can investigate which assets are impacted by medium priority CVSS Scores and what vulnerabilities must be remediated to secure the targeted assets. In this scenario in the image below, we can see that because of the jQuery version, https://portal.fabrikam.com/ is at risk.

Perform advanced queries using natural language

An advanced feature in Defender EASM is the ability to search inventory to help solve a wide variety of specific business objectives and answer targeted questions, like "What assets were registered by name@example.com?” or “What assets are using an Azure service and have vulnerabilities?” . This querying capability enables organizations to quickly find assets for remediation based on their business objectives and prompt questions. With 65 unique filter fields and 20 filter operators, these queries can become extremely sophisticated to best address the organizations’ needs.

To fully utilize Defender EASM’s robust querying capabilities, a certain level of familiarity with the Defender EASM querying tool is required. However, by using Defender EASM capabilities in Copilot, queries can be done faster and easier than ever before. Now, any natural language inquiries, such as "which pages seen in the last 30 days are using jQuery?" and "find all the page, host, and ASN assets in my inventory with X or Y IP address," can be automatically converted into the corresponding inventory queries across all data discovered by Defender EASM. This allows security analysts to leverage Defender EASM's extensive querying capabilities to extract asset metadata and key asset information – without requiring an advanced query skillset.

To illustrate how this works using Copilot, let’s say that an organization has been informed about the risk associated with jQuery version 3.1.0. From here, a security analyst will want to understand what other assets in their environment are using that same version of jQuery. The analyst can then enter a prompt in natural language, which will create a query in Defender EASM to show the assets running jQuery 3.1.0.

Use Defender EASM's Copilot prompts today

Defender EASM’s Copilot prompting capabilities in the Azure portal are currently in public preview and available to Copilot for Security customers. To learn more about Microsoft Copilot for Security, visit aka.ms/CopilotForSecurity or contact your Microsoft sales representative. To create a new Defender EASM resource and start using the prompts in the Azure chat pane, to go https://www.portal.azure.com and search for “Defender EASM”.

Get visibility into your curated external assets with enhanced generative AI capabilities

SushmaRaja — Wed, 13 Mar 2024 16:00:00 GMT

Finding, tracking, and managing all the assets found within an organization’s vast – and often unknown – digital attack surface can be a daunting task. A lack of knowing and monitoring all your assets, including shadow IT, leads to security gaps that can be exploited by attackers.

Understanding and documenting your entire attack surface with relevant asset tracking is critical to securing your environment. This highlights the importance of adding an external attack surface management (EASM) tool to your security stack.

EASM solutions are designed to provide a view of your digital attack surface from the outside in, enabling organizations to see exactly what attackers browsing the internet see when they come across an asset owned by your organization. Microsoft Defender EASM discovers and maps both known and unknown assets from an external perspective just as an attacker would see as they look to find a way to compromise an organization.

Enhanced Defender EASM functionality in Microsoft Copilot for Security

In November 2023, we announced new Defender EASM capabilities in Microsoft Copilot for Security that help security teams understand their attack surface, the pervasive CVEs within it, and get assistance remediation prioritization with the help of generative AI. The attack surface snapshot that Copilot users receive when using the prompts are, by default, generated from a library of pre-built attack surfaces that Microsoft has discovered for thousands of organizations. From our daily scans of the internet, Defender EASM discovers and searches for an organization’s attack surface based on publicly available information.

The results of prompts pulled from an organization’s pre-built attack surface are intended to give customers high-level visibility into their external assets and associated vulnerabilities. So far, they have been used by Early Access customers to achieve this visibility. One customer reported that they were able to identify unknown assets and remediate major vulnerabilities based on information gathered from EASM.

Now, we are thrilled to share enhanced functionality with these capabilities, which allows customers to directly connect their seeded and curated Defender EASM resource to Copilot for Security. With the curated Defender EASM integration, Copilot users can leverage generative AI to get comprehensive, up-to-date information about their external attack surface, analyzing assets that go above and beyond their pre-built attack surface.

Setting up is simple. In the configuration menu of Copilot for Security, turn on the Defender External Attack Surface Management skills on and then click on the Settings icon to enter your resource information. Once this information is entered, your future prompts in Copilot will utilize information from your configured EASM resource.

All of the existing Defender EASM prompts can be used when searching for information for a curated resource.

Sample prompts to get a summary of your externally facing assets include:

What are the externally facing assets for [my resource]?
What is [my resource’s] attack surface?
What is my attack surface?

Sample prompts to get attack surface insights include:

Do I have vulnerabilities in my external attack surface for [my resource]?
What risk is in my external attack surface?
What insights are there in my external attack surface?

Sample prompts to learn about CVEs of impact include:

Does this [CVE ID] impact me?
Should I be worried about this [CVE ID]?
How many assets have critical CVSS’s for [my resource]?

Sample prompts to help you understand how you can prioritize remediation efforts include:

Which SSL certificates from [my resource] do I need to take action on?
Which expired SSL certificates are recent?
What are my expired domains?
Am I using SHA1 in my attack surface?

Learn more about Copilot for Security

To learn more about Microsoft Copilot for Security, visit aka.ms/CopilotForSecurity or contact your Microsoft sales representative. If you missed us at Microsoft Secure, you may watch the keynote video and extended Copilot demo session.

New External Attack Surface Protection Initiative in Microsoft Security Exposure Management

Today, we are excited to announce Defender EASM’s latest integration into Microsoft Security Exposure Management, our newest platform that delivers a clear and unified end-to-end view of an organization’s exposure by combining multiple Microsoft Security products and workloads in a single pane of glass, enabling continuous security posture visibility and improvement across the digital estate.

The integration, called the External Attack Surface Protection Initiative, allows CISOs and security team members to see different exposure metrics pertaining to their external attack surface, encouraging proactive posture management.

Defender EASM data surfaces the following information in Exposure Management:

Percent of assets in the attack surface with High, Medium, and Low Severity Insights

Large organizations’ attack surfaces can be incredibly broad, so prioritizing the key findings derived from Defender EASM’s data helps customers quickly and efficiently address the most important exposed elements of their attack surface. These Insights are primarily derived by detections created from internal researchers and can include critical CVEs, known associations to compromised infrastructure, use of deprecated technology, infrastructure best practice violations, or compliance issues.

Insight priorities are determined by Microsoft’s assessment of the potential impact of each insight – high, medium, and low severity – and the integration with Microsoft Security Exposure Management helps teams understand which insights to prioritize remediating first. In addition to getting visibility into these common areas of weakness, customers also receive remediation recommendations for each.

Percent of internet-facing assets with Critical and High CVE vulnerabilities

Common Vulnerabilities and Exposures (CVEs) is a list of publicly disclosed vulnerabilities relating to software weaknesses that could potentially catch the attention of an attacker. When Defender EASM completes the discovery of an organization’s assets, it then looks at what CVEs are associated with the assets. In Exposure Management, customers can see the percentage of assets in their attack surface that have Critical and High CVEs associated with, helping them visualize where they can take action.

Percent of expired SSL certificates

The security posture for configuration of an organization's SSL certificate portfolio determines both customer experience and risk of data compromise. In most modern browsers, websites with an expired SSL certification or outdated encryption will be blocked with a warning message to the user, impacting web traffic and brand trust. Users who proceed can have their communications with the website intercepted by a Man-in-the-Middle (MITM) attack. This can have several business impacts from business disruption, compliance issues, to exposure of adjacent critical systems derived by analyzing certificate values.

Percent of expired domains

Domains, previously owned by your organization which have expired, could be renewed and used by malicious actors to impersonate your brand to target your organization, employees, or customers. Organizations should review these domains to determine if they should be re-registered.

Percent of assets with remote access enabled

When remote access is enabled on open ports, it effectively allows attackers to gain unauthorized access to your network. This metric uncovers the percentage of assets in organizations’ external attack surfaces that have remote access enabled, so they can determine if it’s an asset that shouldn’t be accessible from anywhere.

Percent of assets utilizing SSH SHA1

Secure Shell Secure Hash Algorithm 1 (SSH SHA 1) is an older hash function that uses weak encryption. Defender EASM can detect assets that use this hash algorithm and alert customers to which assets are exposed to this risk in Exposure Management. Organizations should replace these certificates with new SSL certificates that use SHA-256.

Learn more about Microsoft Security Exposure Management

Achieving robust attack surface visibility and understanding posture are imperative in effectively managing threat exposure. Microsoft Security Exposure Management provides the essential tools and insights needed for proactive cybersecurity measures. It is not just a choice; it's a strategic move towards fortifying your organization's defenses in the face of evolving threats. Dive into a new era of cybersecurity resilience by getting started today.

Latest Defender EASM Features Increase Visibility and Enhance Querying for Faster Remediation

dandennis — Tue, 06 Feb 2024 17:04:07 GMT

Microsoft Defender External Attack Surface Management (Defender EASM) discovers and classifies assets and workloads across your organization's digital presence to enable teams to understand and prioritize exposed weaknesses in cloud, SaaS, and IaaS resources to strengthen security posture. Features recently added increase CWE and CVE visibility and boost query efficiency so users can focus on finding the information that's most important to their environment. Below, learn about these powerful new enhancements and how you can begin using them today.

New Features

CWE Top 25 Software Weaknesses dashboard

The Top 25 Common Weakness Enumeration (CWE) list is provided annually by MITRE. These CWEs represent the most common and impactful software weaknesses that are easy to find and exploit. This dashboard displays all CWEs included on the list over the last five years, listing all inventory assets that might be impacted by each CWE. Referencing this dashboard saves you research time and helps your vulnerability remediation efforts by helping you identify the greatest risks to your organization based on other tangible observed exploits.

CISA Known Exploits dashboard

While there are hundreds of thousands of identified CVE vulnerabilities, only a small subset hasve been identified by the Cybersecurity & Infrastructure Security Agency (CISA) as recently exploited by threat actors. This list includes less than .5% of all identified CVEs; for this reason, it is instrumental to helping security professionals prioritize the remediation of the greatest risks to their organization. Those who remediate threats based on this list operate with the upmost efficiency because they’re prioritizing the vulnerabilities that have resulted in real security incidents.

Both new Defender EASM dashboards are designed to help users find the threats that pose the greatest threat to their organization as efficiently as possible. To learn more about dashboards, see our help documentation.

Push notifications

Users now receive one-time push notifications in the Azure portal to alert them of key updates to their attack surface. These notifications are designed to guide users to the information that helps them create a comprehensive external attack surface and efficiently manage their ever-changing digital landscape. Users can expect notifications in the following instances:

Free Trial Ending (within 10 days): when you login to Defender EASM within 10 days of your free trial ending, you will receive a one-time notification that alerts you of the impending trial end.
New Insight published: if your external attack surface contains inventory assets that are potentially impacted by a new insight, you will receive a notification. Clicking the notification will route you to the detailed list of all assets that are affected by the insight.
Discovery run completion: when a discovery run is successfully completed and discovers new assets related to your external attack surface, you will receive a notification that "X (number) of assets" have been added to your inventory. Click this notification to view a list of the assets added to inventory through that particular discovery run.
Discovery run failure: when a discovery run fails, you will receive a push notification that routes you to the Discovery Group page when clicked. This page provides more details about the failure and offers the option to re-run the discovery.

Software Development Kits (SDKs) for Java and Javascript

Customers can now access client libraries for Javascript and Java that help them operationalize the Defender EASM REST API to automate processes and improve workflows. These SDKs are now available to customers in Public Preview.

Key enhancements

"NEW" flag for insights

New insights are now flagged with “NEW” on the "Attack surface priorities" charts and other areas in the UI. This helps customers quickly navigate to insights that they have not yet investigated, enabling better prioritization when reviewing your attack surface.

Discovery run improvements

Performance enhancements were completed on the backend of the discovery engine to enable larger asset counts to be brought into inventory with each discovery run. Furthermore, we have added tooltips to the Discovery Group details page to provide more insight into failed discovery runs. By hovering over the information icon next to any failed discovery run within the Run History section, users can understand why their run failed and adjust accordingly before running another discovery, improving efficiency.

Filter editor redesign

Defender EASM has implemented a new design for filters that makes it easier for you to quickly query your inventory. Each query is now constructed from the main inventory page in a more visual format, making it easier to construct multiple queries before submitting. Unlike the previous filter design, these improvements allow users to view and edit all queries simultaneously before submitting the request, improving the ease of usability of the feature. In addition, we have added an “OR” operator for many filters, allowing you to quickly search for multiple desired results.

New attack surface insights

The Defender EASM team is constantly adding new insights to the platform to ensure that our users have visibility into the latest security threats. The follow insights were added to Defender EASM in the last three months.

Detectable insights

CVE-2023-42115 - Exim Unauthenticated Remote Code Execution
CVE-2023-40044 - WS_FTP Server Ad Hoc Transfer Unauthorized Deserialization
CVE-2023-22515 - Confluence Privilege Escalation
CVE-2023-42793 - TeamCity Unauthenticated Remote Code Execution
CVE-2023-38646 Metabase Unauthenticated Command Execution
CVE-2023-33246 - Apache RocketMQ Broker Unauthenticated Remote Command Injection
CVE-2023-22518 - Atlassian Confluence Improper Authorization
CVE-2023-47246 - SysAid Help Desk Path Traversal to Remote Code Execution
CVE-2023-46604 - Apache ActiveMQ OpenWire Broker Remote Code Execution
CVE-2023-45849 - Perforce Helix Core Unauthenticated Remote Code Execution over RPC

Potential Insights

Potential Insights are created when a vulnerable version of software has not been detected and needs to be validated by the customer. Customers using this software should check if they have the vulnerable versions highlighted in the insight:

[Potential] August 2023 Juniper Junos OS Multiple Vulnerabilities in J-Web
[Potential] CVE-2023-40044 - WS_FTP Server Ad Hoc Transfer Unauthorized Deserialization
[Potential] CVE-2023-4966 - Citrix NetScaler Gateway and NetScaler ADC Session Token Leak
[Potential] CVE-2023-20198 & CVE-2023-20273 - Cisco IOS XE Authorization Bypass and Privilege Escalation
[Potential] CVE-2023-46747 - F5 BIG-IP Unauthenticated AJP Smuggling
[Potential] CVE-2023-41998 - Arcserve UDP Multiple Vulnerabilities
[Potential] CVE-2023-48365 - Qlik Sense Unauthenticated Remote Code Execution
[Potential] CVE-2023-50164 - Struts2 Unauthenticated File Traversal and Upload to Remote Code Execution

We want to hear from you!

MDEASM is made by security professionals for security professionals. Join our community of security pros and experts to provide product feedback and suggestions and start conversations about how MDEASM helps you manage your attack surface and strengthen your security posture. With an open dialogue, we can create a safer internet together.

Defender EASM - Performing a Successful Proof of Concept (PoC)

Michael_Lindsey — Wed, 29 Nov 2023 16:06:30 GMT

Welcome to an introduction of the concepts and simple approach required for executing a successful Proof of Concept (PoC) for Microsoft Defender External Attack Surface Management (Defender EASM). This article will serve as a high-level guide to help you execute a simple framework for evaluating Defender EASM, and other items to consider when embarking on the journey to understand the Internet exposed digital assets that comprise your external attack surface, so you can view risks through the same lens as a malicious threat actor.

Planning for the PoC

To ensure success, the first step is planning. This entails understanding the value of Defender EASM, identifying stakeholders who need to be involved, and scheduling planning sessions to determine use cases & requirements and scope before beginning.

For example, one of the core benefits of the Defender EASM solution is that it provides high value visibility to Security and IT (Information Technology) teams that enables them to:

Identify previously unknown assets
Prioritize risk
Eliminate threats
Extends vulnerability and exposure control beyond the firewall

Next, you should identify all relevant stakeholders, or personas, and schedule in 1-2 short planning sessions to document the tasks and expected outcomes, or requirements. These sessions will establish the definition of success for the PoC.

Who are the common stakeholders that should participate in the initial planning sessions? The answer to that question will be unique to each organization, but some common personas include the following:

Vulnerability Management Teams
IT personnel responsible for Configuration Management, Patching, Asset Inventory Databases
Governance, Risk, & Compliance (GRC) Teams

(Optional) GRC aligned Legal, Brand Protection, & Privacy Teams
Internal Offensive Penetration Testing and Red Teams
Security Operations Teams
Incident Response Teams
Cyber Threat Intelligence, Hunting, and Research Teams

Use Cases & Requirements

Based on the scope, you can begin collaborating with the correct people to establish use cases & requirements to meet the business goals for the PoC. The requirements should clearly define the subcomponents of the overarching business goals within the charter of your External Attack Surface Management Program. Examples of business goals and high-level supporting requirements might include:

Discover Uknown Assets

Find Shadow IT

Discover Abandoned Assets

Resulting from Mergers, Acquistions, or Divestitures
Insufficient Asset Lifecycle Management in Dev/Test/QA Environments

Identification of Vulnerabilities

Lack of Patching or Configuration Management

Assignment of Ownership to Assets

Line of Business or Subsidiary
Based on Geographic Location
On-Prem vs Cloud

Reporting, Automation, and Defender EASM Data Integrations

Data Connector integration with Log Analytics or Kusto

Use of a reporting or visualization tool, such as PowerBI
Logic Apps to automate management of elements of your attack surface

Prerequisites to Exit the Planning Phase

Completion of the Planning Phase!
Configure an Azure Active Directory or personal Microsoft account. Login or create an account here.
Set up a Free 30-day Defender EASM Trial

- Visit the following link for information related to setting up your Defender EASM attack surface today for free.

Deploy & Access the Defender EASM Platform

- Login to Defender EASM

- Follow the deployment Quick Start Guide

Measuring Success?

Determining how success will establish the criteria for a successful or failed PoC. Success and Acceptance Criteria should be established for each requirement identified. Weights may be applied to requirements, but measuring success can be as simple as writing out criteria as below:

Requirement: Custom Reporting

Success Criteria: As a vulnerability manager, I want to view a daily report that shows the assets with CVSSv2 and CVSSv3 scores of 10.

Acceptance Criteria:

Data must be exported to Kusto
Data must contain assets & CVSS (Common Vulnerability Scoring System) scores
Dashboards must be created with PowerBI and accessible to user
Dashboard data must be updated daily

Validation: Run a test to validate that acceptance criteria has been met.

Pass / Fail: Pass

Executing the PoC

Implementation and Technical Validation

We will now look at five different use cases & requirements, define the success and acceptance criteria for each, and validate that the requirements are met by observing the outcome of each in Defender EASM.

Use Case 1: Discover Unknown Assets, Finding Shadow IT

Success Criteria: As a member of the Contoso GRC team, I want to identify Domain assets in our attack surface that have not been registered with the official company email address we use for domain registrations.

Acceptance Criteria:

Defender EASM allows for searches of Domain WHOIS data that returns the “Registrant Email” field in the result set.

Validation:

Click the “Inventory” link on the left of the main Defender EASM page.

Figure: Launch the inventory query screen

Execute a search in Defender EASM that excludes Domains registered with our official company email address of ‘domainadmin@constoso.com’ and returns all other Domains that have been registered with an email address that contains the email domain ‘contoso.com’.

Figure: Query for incorrectly registered Domain assets

Click on one of the domains in the result set to view asset details. For example, “woodgrovebank.com” domain.
When the asset details open and confirm that the domain ‘woodgrovebank.com’ is in the upper left corner.
Click on the “Whois” tab.
Note that this Domain asset has been registered with an email address that does not match the corporate standard (i.e., “employeeName@contoso.com”) and should be investigated for the existence of Shadow IT.

Figure: WHOIS asset details

Resources:

Understand asset details: https://learn.microsoft.com/en-us/azure/external-attack-surface-management/understanding-asset-details
Domain asset filters: https://learn.microsoft.com/en-us/azure/external-attack-surface-management/domain-asset-filters
Understanding WHOIS: https://en.wikipedia.org/wiki/WHOIS

Use Case 2: Abandoned Assets, Acquisitions

Success Criteria: As a member of the Contoso Vulnerability Management team, who just acquired Woodgrove Bank, I want to ensure acquired web sites using the domain “woodgrovebank.com” are redirected to web sites using the domain “contoso.com”. I need to obtain results of web sites that are not redirecting as expected, as those may be abandoned web sites.

Acceptance Criteria:

Defender EASM allows for search of specific initial and final HTTP (Hypertext Transfer Protocol) response codes for Page assets
Defender EASM allows for search of initial and final Uniform Resource Locator (URL) for Page assets

Validation:

Run a search in Defender EASM that looks for Page assets that have:
1. Initial response codes that cause HTTP redirects (i.e., “301”, “302”)
2. Initial URLs that contain “woodgrovebank.com”
3. Final HTTP response codes of “200”
4. Final URL, post HTTP redirect, that do not contain “contso.com”

Figure: Query for incorrect page redirection

Click one of the Page assets in the result set to see the asset details.

Figure: Page asset overview

Validate:
1. Initial URL contains “woodgrovebank.com”
2. Initial response code is either “301” or “301”
3. Final URL does not contain “contoso.com”
4. Final response code is “200”

Resources:

Asset details summary view: https://learn.microsoft.com/en-us/azure/external-attack-surface-management/understanding-asset-details
Defender EASM inventory filters overview: https://learn.microsoft.com/en-us/azure/external-attack-surface-management/inventory-filters
Page asset filters: https://learn.microsoft.com/en-us/azure/external-attack-surface-management/page-asset-filters
HTTP Response Codes: https://en.wikipedia.org/wiki/List_of_HTTP_status_codes

Use Case 3: Identification of Vulnerabilities, Lack of Patching or Configuration Management

Success Criteria: As a member of the Contoso Vulnerability Management team, I need the ability to retrieve a list of assets with high priority vulnerabilities and remediation guidance in my attack surface.

Acceptance Criteria:

Defender EASM provides a dashboard of prioritized risks in my external attack surface
Defender EASM provides remediation guidance for each prioritized vulnerability
Defender EASM provides an exportable list of assets impacted by vulnerability

Validation:

From the main Defender EASM page, click “Attack Surface Summary” to view the “Attack Surface Summary” dashboard
Click the link that indicates the number of assets impacted by a specific vulnerability to view a list of impacted assets

Figure: Attack Surface Insights Dashboard

Validate that Defender EASM provides additional information about vulnerabilities and remediation guidance.
Click the link in the upper right corner titled “Download CSV report” and validate the contents within

Figure: Vulnerability remediation details

Resources:

Understanding dashboards: https://learn.microsoft.com/en-us/azure/external-attack-surface-management/understanding-dashboards
Understanding CVEs: https://nvd.nist.gov/vuln

Use Case 4: Assignment of Ownership to Assets, Line of Business or Subsidiary

Success Criteria: As a member of the Contoso GRC team, I need the ability to assign ownership of assets to specific business units through, along with a mechanism to quickly visualize this relationship.

Acceptance Criteria:

Defender EASM provides an approach to assigning ownership via labels
Defender EASM allows users to apply labels to assets that meet specific indicators that indicate affiliation with a specific business unit
Defender EASM provides the ability to apply labels in bulk

Validation:

Click the “Inventory” link on the left of the main Defender EASM page to launch the search screen
Run a search that returns all Page assets that are on the IP Block “10.10.10.0/24”. The Page assets on this network all belong to the Financial Services line of business, so it is the only indicator of ownership needed in this example.

Figure: Query to determine Page asset ownership by IP Block

Select all assets in the result set by clicking the arrow to the right of the checkbox as shown in the following image and choose the option for all assets.

Figure: Selecting assets for bulk modification

Click the link to modify assets, followed by the link to “Create a new label” on the blade that appears.
A new screen will appear that allows the creation of a label. Enter a descriptive “Label name”, an optional “Display name”, select a desired color, and click “Add” to finish creating a label.

Figure: Link to modify assets and create a label

Figure: Create label detail

After creating the label, you will be directed back to the screen to modify assets. Validate that the label was created successfully.
Click into the label text box to see a list of labels available to choose from and select the one that was just created.
Click “Update”

Figure: Label selected assets

Click the bell icon to view task notifications to validate the status of labels update.

Figure: View status of label update task

When the task is complete, run the search again to validate that labels have been applied to the assets owned by the Financial Services organization.

Figure: Query to validate labels have been applied to assets

Resources:

Asset modification overview: https://learn.microsoft.com/en-us/azure/external-attack-surface-management/labeling-inventory-assets
Defender EASM inventory filters overview: https://learn.microsoft.com/en-us/azure/external-attack-surface-management/inventory-filters

Finishing the PoC

Summarize Your Findings

Identify how the Defender EASM solution has provided increased visibility to your organization’s attack surface in the PoC.

Have you discovered unknown assets related to Shadow IT?
Were you able to find potentially abandoned assets related to an acquisition?
Has your organization been able to better prioritize vulnerabilities to focus on the most severe risks?
Do you know have a better view of asset ownership in your organization?

Feedback?

We would love to hear any ideas you may have to improve our Defender EASM platform or where and how you might use Defender EASM data elsewhere in the Microsoft Security ecosystem or other security 3^rd party applications. Please contact us via email at mdesam-pm@microsoft.com to share any feedback you have regarding Defender EASM.

Interested in Learning About New Defender EASM Features?

Please join our Microsoft Security Connection Program if you are not a member and follow our Private & Public Preview events. You will not have access to this exclusive Teams channel until you complete the steps to become a Microsoft Security Connection Program member. Users that would like to influence the direction/strategy of our security products are encouraged to participate in our Private Preview events. Members who participate in these events will earn credit for respective Microsoft product badges delivered by Credly.

Conclusion

You now understand how to execute a simple Defender EASM PoC, to include deploying your first Defender EASM resource, identifying common personas, how to set requirements, and measure success. Do not forget! - you can enjoy a free 30-day trial by clicking on the link below.

You can discover your attack surface discovery journey today for free.

Optimize insights and efficiency with latest Defender EASM features and generative AI integrations

gkostolny — Wed, 15 Nov 2023 16:00:00 GMT

Discovering and prioritizing vulnerabilities that often arise as a result of known and unknown internet-exposed assets – which can emerge from shadow IT, the supply chain, and the shift of moving to the cloud, for example – is an essential practice our customers take to reduce external risk and stay secure.

Over the last six months, Microsoft Defender External Attack Surface Management (EASM) has released updates that help Defender EASM customers increase the speed to operationalize its findings. Now, vulnerability management teams are using labels to drive workflows and denote asset ownership, they are saving queries to quickly modify newly discovered assets, and they are combining it all with data connector exports to generate custom reports to help them see their security data holistically.

These new features that we’ve recently delivered make it easier for our customers to track inventory changes, see important asset findings in one place, connect data to supplement workflows, and has made managing assets and long-running tasks more efficient.

Additionally, we’re excited to announce that we’ve extended Defender EASM’s footprint into Microsoft Security Copilot with capabilities that enable Copilot users to learn more about their external attack surface exposures in context and at AI speeds.

Read on to learn more about the latest in Defender EASM.

Understand inventory changes over time

While Defender EASM has long provided detailed dashboards with information on vulnerabilities, misconfigurations, breakdowns of device types, and other useful analytics, these have primarily focused on point-in-time snapshot-style views. In October, we released a new dashboard that shows inventory changes in your attack surface. With the introduction of this dashboard, you can now see changes to the attack surface over time, as assets move in and out of the attack surface, whether automatically due to Microsoft’s ongoing scanning and enumeration, or due to manual curation in product, or even via API-based adjustments made via external integrations. In addition to a graphical overview of the changes over the selected time period (7 or 30 days), you can also see the change counts for each day in the last 30 days, both in the aggregate and for each individual asset type.

Inventory changes dashboard in Defender EASM

See asset vulnerabilities in one place

In Defender EASM we have two different detection methods used to identify software, services, and vulnerabilities on your external assets: insight detections authored by Microsoft’s security research team, and internet graph-based detections based on software and service components that Defender EASM can identify in your environment, allowing us to identify likely CVEs on assets. Our two different detection methods complement one another and are valuable in generating the most accurate coverage, however, analysts sometimes found it challenging to align the two together when inspecting assets, and complicated to identify which observations came from Microsoft research versus graph detection, or both methods combined.

In June, we introduced a new feature into the Defender EASM interface that helps unify asset detail data and showcases all high, medium, and low priority observations related to any given asset in a single tab, labeled “Observations”, on the asset details page. The new tab is helpful so you can see exactly which detection method the insights are coming from, whether that be from research, graph detection, or both. This new tab represents a significant step in unifying findings in the EASM interface so that analysts can understand all the security posture-relevant findings for an asset in a single place and make smart decisions about how best to proceed in terms of investigation or remediation steps. Analysts can also more clearly understand the breadth of Microsoft’s security knowledge regarding any given asset and feel confident that EASM is providing them with clear guidance as they evaluate ongoing deployment of security controls, whether direct or compensating.

Observations tab Defender EASM

Connect, organize, and take action on your data

This year, we’ve added many new capabilities and features in Defender EASM that make it easier for you to connect your external attack surface data to other Microsoft tools, as well as the ability to keep assets organized with labeling, bulk modification, and task management.

Created to supplement existing workflows, gain new insights, and automate data flow between tools, Defender EASM’s recent data connections feature is compatible with both Microsoft Log Analytics and Azure Data Explorer. The integration provides external attack surface data flow into your mission-critical systems, so you can get a holistic view of your data, enhance data visualizations, stay compliant, and effectively guard against vulnerabilities. Learn how to get started with data connections here.

Data connections in Defender EASM

Organizing attack surface data – even after you’ve enabled a data connection – is important because it helps you apply business context to the asset at hand. For example, labeling assets is helpful to distinguish any assets that may have come in from a merger or acquisition, or those that require compliance monitoring, or when dealing with assets impacted by a specific vulnerability that requires mitigation. New this year, we’ve added the ability to apply any text label to a subset of assets – including within any asset export via the data connectors – so they can be grouped together to better operationalize your inventory.

Asset labeling in Defender EASM

In addition to applying labels to better organize assets, assets can also be categorized to tell you what their role is within your organization. For example, if the asset is approved and owned, or dependent on a third party, or only retained in your inventory to be monitored. Now, you can change the state of your selected assets in bulk, saving you time in categorizing many assets at once.

Changing the state of your assets in bulk in Defender EASM

With the new ability to modify hundreds – or even thousands – of assets at a time, we’ve added a new “Task Manager” page to Defender EASM, making it possible to easily track the progress of tasks (like asset modification or downloading dashboard chart data) that may take a longer time to complete. Furthermore, you will also be notified via a pop-up about the progress of any relevant tasks that are running in the background – eliminating the need to check the status every so often and helping you stay focused on other priorities.

Task manager page in Defender EASM

Notifications in Defender EASM

Learn more about organizing, modifying, and tracking your external attack surface data here.

Get a snapshot view of your external attack surface with generative AI

We are excited to announce our new Defender EASM capabilities within the Microsoft Security Copilot standalone experience, currently available in the Early Access Program. These capabilities enable your security teams to quickly gain derive insights into your (non-curated) external attack surface at AI speeds – without the need for prior configuration in Defender EASM.

The capabilities solve for three distinct needs:

They help SOC teams understand their externally facing assets
They help vulnerability managers understand particular CVEs of impact
They help security teams know where to start prioritizing remediation efforts

Let’s dive into how you can use the capabilities to address each.

Understand your externally facing assets

Understanding your digital footprint as threats emerge every day is critical in keeping your organization secure and compliant. The new set of Defender EASM capabilities in Security Copilot allow your organization’s SOC team to obtain a global snapshot view of the external attack surface, based on Microsoft’s pre-built library of external attack surfaces, by identifying externally facing assets exposed to the internet -- such as domains, hosts, and IP addresses – whether they are hosted on premise, in the cloud, or originating from a third party. You can also see how many high, medium, and low priority insights that may impact your organization are present, and quickly identify the assets they are tied to.

Use any of the following prompts in Security Copilot to understand your external attack surface:

Please tell me my externally facing assets.
Get the external attack surface for [my organization].
What is the external attack surface for [my organization]?
What are the externally facing assets for [my organization]?
How many High Priority Insights impact my external attack surface?
Get high priority attack surface insights for [my organization].
Get low priority attack surface insights for [my organization].
Does my organization have high severity vulnerabilities in the external attack surface?
Are there any medium priority insights?

Understanding the external attack surface in Security Copilot’s standalone experience

Understand particular CVEs of impact

After you’ve understood your attack surface composition, it’s imperative to investigate if there are high priority insights present so you can understand which assets are risky to your organization. Defender EASM capabilities do the digging for you, enabling you to quickly see high priority observations and significantly reduce the time it takes to research vulnerable assets.

Use the following prompts to understand if your organization is impacted by a particular CVE of interest and get visibility into vulnerable and critical high severity CVEs:

Is my external attack surface impacted by [CVE ID]?
Get assets affected by [CVE ID] for my organization.
Which assets are affected by [CVE ID] for my organization?
Is my external attack surface impacted by [CVE ID]?
Are any assets impacted be [CVE ID] for [my organization]?
Get assets affected by high severity CVSS’s in my attack surface.
How many high priority insights impact my external attack surface?
How many assets have critical CVSS’s for my organization?
What assets are affected by CVSS for [my organization]?
Are there assets with high CVSS scores for [my organization]?

Showcasing particular CVEs within the external attack surface in Security Copilot’s standalone experience

Asking about high priority insights in Security Copilot’s standalone experience

Understand how you should prioritize your remediation efforts

Once you’ve found the assets that need attention, Defender EASM capabilities will take it a step further and identify assets that need immediate attention by showing assets with critical and high CVSS scores, expired domains and SSL certificates, and any assets using SSL SHA1. This is helpful in reducing the time it takes you to determine which assets should be remediated first.

Use the following prompts to unlock which assets need your attention first:

How many domains are expired in my organization’s attack surface?
How many assets are using expired domains for my organization?
How many SSL certificates are expired for my organization?
How many assets are using expired SSL certificated for my organization?
How many SSL SHA1 certificates are present for my organization?
How many assets are using SSL SHA 1 for my organization?

Checking for expired domains in Security Copilot’s standalone experience

Defender EASM capabilities in Security Copilot make it easy for you to get a snapshot view of your external attack surface, without needing to create a Defender EASM workspace.

Interest in the Security Copilot Early Access Program has been high and space is still available. Reach out to your sales representative to get more details on early access program qualifications.

An introduction to Microsoft Defender EASM’s Data Connections functionality

lgoduti — Tue, 19 Sep 2023 16:32:08 GMT

Microsoft Defender External Attack Surface Management (EASM) continuously discovers a large amount of up-to-the-minute attack surface data, helping organizations know where their internet-facing assets lie. Connecting and automating this data flow to all our customers’ mission-critical systems that keep their organizations secure is essential to understanding the data holistically and gaining new insights, so organizations can make informed, data-driven decisions.

In June, we released the new Data Connections feature within Defender EASM, which enables seamless integration into Azure Log Analytics and Azure Data Explorer, helping users supplement existing workflows to gain new insights as the data flows from Defender EASM into the other tools. The new capability is currently available in public preview for Defender EASM customers.

Why use data connections?

The data connectors for Log Analytics and Azure Data Explorer can easily augment existing workflows by automating recurring exports of all asset inventory data and the set of potential security issues flagged as insights to specified destinations to keep other tools continually updated with the latest findings from Defender EASM. Benefits of this feature include:

Users have the option to build custom dashboards and queries to enhance security intelligence. This allows for easy visualization of attack surface data, to then go and perform data analysis.
Custom reporting enables users to leverage tools such as Power BI. Defender EASM data connections will allow the creation of custom reports that can be sent to CISOs and highlight security focus areas.
Data connections enable users to easily access their environment for policy compliance.
Defender EASM’s data connectors significantly enrich existing data to be better utilized for threat hunting and incident handling.
Data connectors for Log Analytics and Azure Data Explorer enable organizations to integrate Defender EASM workflows into the local systems for improved monitoring, alerting, and remediation.

In what situations could the data connections be used?

While there are many reasons to enable data connections, below are a few common use cases and scenarios you may find useful.

The feature allows users to push asset data or insights to Log Analytics to create alerts based on custom asset or insight data queries. For example, a query that returns new High Severity vulnerability records detected on Approved inventory can be used to trigger an email alert, giving details and remediation steps to the appropriate stakeholders. The ingested logs and Alerts generated by Log Analytics can also be visualized within tools like Workbooks or Microsoft Sentinel.
Users can push asset data or insights to Azure Data Explorer/Kusto to generate custom reports or dashboards via Workbooks or Power BI. For example, a custom-developed dashboard that shows all of a customer’s approved Hosts with recent/current expired SSL Certificates that can be used for directing and assigning the appropriate stakeholders in your organization for remediation.
Users can include asset data or insights in a data lake or other automated workflows. For example, generating trends on new asset creation and attack surface composition or discovering unknown cloud assets that return 200 response codes.

How do I get started with Data Connections?

We invite all Microsoft Defender EASM users to participate in using the data connections to Log Analytics and/or Azure Data Explorer so you can experience the enhanced value it can bring to your data, and thus, your security insights.

Step 1) Ensure your organization meets the preview prerequisites

Aspect

Details

Required/Preferred

Environmental Requirements

Defender EASM resource must be created and contain an Attack Surface footprint.
Must have Log Analytics and/or Azure Data Explorer/ Kusto

Required Roles & Permissions

- Must have a tenant with Defender EASM created (or be willing to create one). This provisions the EASM API service principal.

- User and Ingestor roles assigned to EASM API (Azure Data Explorer)

Step 2) Access the Data Connections

Users can access Data Connections from the Manage section of the left-hand navigation pane (shown below) within their Defender EASM resource blade. This page displays the data connectors for both Log Analytics and Azure Data Explorer, listing any current connections and providing the option to add, edit or remove connections.

Connection prerequisites: To successfully create a data connection, users must first ensure that they have completed the required steps to grant Defender EASM permission for the tool of their choice. This process enables the application to ingest our exported data and provides the authentication credentials needed to configure the connection.

Step 3: Configure Permissions for Log Analytics and/or Azure Data Explorer

Log Analytics:

Open the Log Analytics workspace that will ingest your Defender EASM data or create a new workspace.
On the leftmost pane, under Settings, select Agents.

Azure Data Explorer:

Expand the Log Analytics agent instructions section to view your workspace ID and primary key. These values are used to set up your data connection.
Open the Azure Data Explorer cluster that will ingest your Defender EASM data or create a new cluster.
Select Databases in the Data section of the left-hand navigation menu.

Select + Add Database to create a database to house your Defender EASM data.

4. Name your database, configure retention and cache periods, then select Create.

5. Once your Defender EASM database has been created, click on the database name to open the details page. Select Permissions from the Overview section of the left-hand navigation menu.

To successfully export Defender EASM data to Data Explorer, users must create two new permissions for the EASM API: user and ingestor.

6. First, select + Add and create a user. Search for “EASM API,” select the value, then click Select.

7. Select + Add to create an ingestor. Follow the same steps outlined above to add the EASM API as an ingestor.

8. Your database is now ready to connect to Defender EASM.

Step 4: Add data connections for Log Analytics and/or Azure Data Explorer

Log Analytics:

Users can connect their Defender EASM data to either Log Analytics or Azure Data Explorer. To do so, select “Add connection” from the Data Connections page for the appropriate tool. The Log Analytics connection addition is covered below.

A configuration pane will open on the right-hand side of the Data Connections screen as shown below. The following fields are required:

Name: enter a name for this data connection.
Workspace ID For Log Analytics, users enter the Workspace ID and the coinciding API key associated with their account.
Api key Log Analytics users enter the API key associated with their account
Content: users can select to integrate asset data, attack surface insights, or both datasets.
Frequency: select the frequency that the Defender EASM connection sends updated data to the tool of your choice. Available options are daily, weekly, and monthly.

Azure Data Explorer:

The Azure Data Explorer connection addition is covered below.

A configuration pane will open on the right-hand side of the Data Connections screen as shown below. The following fields are required:

Name: enter a name for this data connection.
Cluster name:
Region: The region associated with Azure Data explorer
Database: The database associated with the Azure Data explorer
Content: users can select to integrate asset data, attack surface insights, or both datasets.
Frequency: select the frequency that the Defender EASM connection sends updated data to the tool of your choice. Available options are daily, weekly, and monthly.

Step 5: View data and gain security insights

To view the ingested Defender EASM asset and attack surface insight data, you can use the query editor available by selecting the ”Logs” option from the left hand menu of the Azure Log Analytics Workspace you created earlier. These tables are also updated at the Data Connection configuration record frequency.

Extending Defender EASM Asset and Insights data, via these two new data connectors, into Azure ecosystem tools like Log Analytics and Data Explorer enables customers to orchestrate the creation of contextualized data views that can be operationalized into existing workflows and provides the facility and toolsets for analysts to investigate and develop new methods of applicative Attack Surface Management.

Additional resources:

One Microsoft: Enriching MDEASM assets with Threat Intelligence Feeds

jamilmirza — Tue, 22 Aug 2023 13:37:31 GMT

Organizations need processes and tools such as Microsoft Defender External Attack Surface Management (MDEASM) to help with identifying and managing the points in a software system or network infrastructure that could be targeted by potential attackers. These points, often referred to as "attack vectors," are vulnerabilities or weaknesses that attackers could exploit to gain unauthorized access, compromise systems, or steal sensitive data.

The External Attack Surface specifically refers to the components and interfaces of a system that are exposed to the outside world, such as public-facing applications, network services, APIs, and other entry points. These are the points that can be targeted by attackers who are trying to breach the system from outside the organization's perimeter.

In this blog, I will cover how Microsoft Security can help identify threats by leveraging Microsoft Defenders External Attack Surface Management asset discovery against the Microsoft Defender Threat Intelligence feeds.

Prerequisites:

Microsoft Defender External Attack Surface Management workspace
Microsoft Defender External Attack Surface Management API Access and Client App Registered
Azure Logic Apps
Microsoft Defender Threat Intelligence API Access and Client App Registered

What is Microsoft Defender Threat Intelligence

Microsoft Defender Threat Intelligence (MDTI) is a service offered by Microsoft that focuses on collecting, analyzing, and disseminating information related to cybersecurity threats. It encompasses a wide range of threat data, including indicators of compromise (IoCs), attack techniques, tactics, and procedures used by cybercriminals and threat actors.

MDTI leverages advanced detection techniques to identify emerging threats and vulnerabilities. This includes the analysis of telemetry data from various Microsoft products and services, allowing for the detection of patterns and anomalies that might indicate potential threats. The service also provides threat intelligence feeds that offer real-time updates on malicious domains, IP addresses, URLs, and file hashes. These feeds enable organizations to integrate threat intelligence directly into their security solutions for automated protection.

Benefits of integrating Defender External Attack Surface Management data with Defender Threat Intelligence

Understanding your potential weaknesses is important and these are highlighted using MDEASM. However, teams are already stretched with resource constraints so how do you prioritize? What if I prioritize the wrong vulnerabilities and we get breached? The MDEASM insights will help but the more context will always enable you to make better informed decisions. This is where the MDTI integration and automation can help. Why not use MDTI to tell you if any of your asset across your attack surface are linked to threat actors, leveraging the “most expansive source of threat intelligence telemetry” (Forrester Wave).

Use Case

The key objective of this integration is to send an email alert if there is any information in MDTI which will help you to understand if there is an immediate prioritization which needs both attention in MDEASM and possibly further investigation to ensure there has been no breach.

Take all domains discovered in MDEASM and check them against the MDTI articles. There is a possibility that new research has been released and domains on your attack Surface have been mentioned.

Extract the keywords from each of the domains in MDEASM and check them against the same MDTI endpoint. You may not have specific domains called out but there could be research which suggests that your organization is on the target list.

Take the same information as mentioned above and check this against the Intel Profiles. If there is a domain/keyword associated with a known threat actor then, once again this should be treated as high priority.

Finally, checking the domains against the transparent reputation score in MDTI. If there is a score then it could be that the your organization has been targeted already or that there is some reputational damage should be rectified urgently.

How to get started with the MDTI integration

Go to the GitHub repository for MDEASM to install the solution on your Azure Cloud instance: https://github.com/Azure/MDEASM-Solutions/tree/main/Automation/MDTI-MDEASM-Integration
To proceed, you need to deploy the logic app which is available on the MDEASM GitHub Link (previous step). You can find the “Deploy to Azure Button” on the page and clicking on it will prompt you to provide certain parameters.

After you click the button, Azure should load in the browser and you will need to authenticate. You will be redirected to the screenshot above. Please enter your credentials as described in the screenshot and click “Review + Create”.
The Logic App should now run on the schedule as instructed in the settings.

Overview of the Logic App

Call to action

Proceed to the MDEASM Github page and deploy the azure logic app to deploy the solution.

Conclusion

The integration of Microsoft Defender External Attack Surface Management into Microsoft Defender Threat Intelligence helps organizations to understand and prioritize vulnerabilities on their Attack Surface. There is so much intelligence available that it can become difficult to set the right priorities. With all this information, how do you know which data is relevant now? The MDEASM/MDTI integration gives insight into real threats against an organization or vertical, ensuring that assets which are being targeted are prioritized with immediate effect.

Latest functionalities uplevel asset management and enhance data visibility

lgoduti — Wed, 16 Aug 2023 17:39:08 GMT

Latest functionalities uplevel asset management and enhance data visibility

Microsoft Defender External Attack Surface Management (Defender EASM) discovers and classifies assets and workloads across your organization's digital presence to enable teams to understand and prioritize exposed weaknesses in cloud, SaaS, and IaaS resources to strengthen security posture. Recently added features and enhancements uplevel asset management and enhance data visibility within the tool, helping customers gain efficiency and stay organized. Learn about these exciting new functionalities below and how you can start using them today.

New Capabilities

Observation Unification

Within EASM, there are two different detection methods:

Analyst insights that can be seen in the attack surface priorities area and;
Graph detection insights from CVEs, which come from components MDEASM identifies within the environment

Previously, the two types of insights were displayed separately within the asset details page, which could cause confusion when trying to drill down to the single source of truth that summarized all key observations for any given asset. Now, we’ve consolidated the insights into one area within the asset details page, under the new “Observations” tab, which combines the previous “Insights” and “Asset Details” tabs. The new Observation tab contains all high, medium, and low priority observations related to the asset. This gives customers a clear understanding of whether the observation is coming from analyst insights, graph detection insights, or both, in one consolidated view. Learn more here.

Bulk Modification

Previously, users were able to select 25 assets at a time to modify. With recent enhancements, users can now modify more than 25 assets at once, saving time and creating efficiency for bulk asset modifications. This is helpful to customers who may trying to remove significant numbers of assets from their inventory at one time or label a bulk amount of assets at one time, for example.

Task Manager

We’ve recently added a “Task Manager” section in the main navigation area of Defender EASM, which provides users with key information, such as what change was made and its status, about any given task that’s run in their instance. Paired with our new bulk modification ability, the Task Manager page enables users to track the progress of large tasks that often take time to complete and provides visibility into the status of their bulk modification efforts.

Notifications

Along with now having key information about tasks, we’ve also integrated a notification system into Defender EASM so that users can get automatically notified on the progress of their tasks, for example, when a task has been submitted, completed, or failed, which eliminates the need to manually go into Task Manager to check the status of tasks.

Dashboard chart exports

Do give users the most valuable information needed from asset downloads, we’ve added a functionality to all Defender EASM dashboard charts that allows users to export the assets and the details surrounding them, like a type of risk associated with a certain dashboard chart. The downloading function significantly reduces the time is takes to organize asset details.

Saved Queries

We’re happy to now provide the ability to save frequently used inventory filters, which will help organizations track and quickly access recurring searches. These saved queries can be edited, deleted, and are visible from a new tab on the Inventory page in Defender EASM.

New Available Regions

We’ve now added more regions to Defender EASM! Customers can now use the tool in the following expanded regions:

South Central U.S.
East U.S.
Australia East
West U.S. 3
Sweden Central
East Asia
Japan East
West Europe

Learn how to create resource groups by region here.

New Enhancements

Asset labels in data connections

Adding labels to assets plays a large part in helping add business context to discovered assets. When exporting asset details to Log Analytics or Azure Data Explorers, users will now see a new table called “EasmAssetLabel,” which provides string values for any user-generated labels applied to the exported assets. Alongside UUID values and snapshot dates.

Blocking of private IPs

If a user accidentally adds a seed that is a private IP, Defender EASM will do a discovery based on that private IP, which can cause greatly enlarge the workspace, creating issues within the tool. Now, the UI and API will automatically block all private IP addresses from being inputted as discovery seeds, ensuring the workspace doesn’t impact billable assets if a private IP were to be added.

Deduplication of discovery seeds

When adding seeds to a discovery group, Defender EASM will now prompt users to remove any duplicative seeds prior to saving their changes, notifying users to remove or change any duplicate entries before they are submitted.

New columns in dashboard drilldowns

New columns have been added to certain chart drilldown pages to help users better understand the context behind their listed assets. We’ve asses a “Reputation” a “Domain Expiration” column, and a “Sensitive Services” column to give customers more information. These additions are useful when downloading asset information as the fields will now be included in the export!

“Securing the Cloud” chart update

The “Securing the Cloud” dashboard chart has been broken into two different charts: Hosting Providers and CDNs. The new change makes chart data more immediately actionable, and users can click any part of these charts to see a full list of impacted assets.

We want to hear from you!

Latest Enhancements Boost Usability, Enhance Your Tools and Workflows

Mike_Browning — Wed, 10 May 2023 18:04:50 GMT

Microsoft Defender External Attack Surface Management (Defender EASM) discovers and classifies assets and workloads across your organization's digital presence to enable teams to understand and prioritize exposed weaknesses in cloud, SaaS, and IaaS resources to strengthen security posture. Features recently added boost usability and enable exciting new ways for customers to leverage their inventory data and critical security insights derived from their organization's assets and workloads. Below, learn about these powerful new enhancements and how you can begin using them today.

New Features

Data Connections

Defender EASM now offers data connections to help users seamlessly integrate their attack surface data into other Microsoft solutions to supplement existing workflows with new insights. The data connector sends asset data to two different platforms: Microsoft Log Analytics and Azure Data Explorer. Users need to be active customers to export Defender EASM data to either tool, and data connections are subject to the pricing model of each respective platform. Data connections can support large exports – more than 100 million assets a day.

Software Development Kit (SDK)

Customers can now access a client library for Python that helps them operationalize the Defender EASM REST API to automate processes and improve workflows. The SDK is now available to customers in Public Preview.

Asset Labels

Labels help you organize your attack surface and apply business context in a highly customizable way; you can apply any text label to any asset, allowing you to group assets and better operationalize your inventory.

Common labeling of assets includes:

Assets from a merger or acquisition
Require compliance monitoring
Owned by a specific business unit in their organization
Impacted by a specific vulnerability that requires mitigation

Relate to a particular brand owned by the organization
Added to inventory within a specific time range

Key Enhancements

REST API: The Defender EASM REST API lets customers manage their attack surface at scale. Users can leverage Defender EASM data to automate workflows by integrating into existing processes or creating new applications and clients. Recent updates include implemented validation checks & error responses, critical contextual information contained in response when retrieving task data (e.g., task ID, timestamps), and "groupBy" and "segmentBy" fields for asset details and summaries.

Regional Expansion: The "westeurope" region is now supported by Defender EASM. Currently supported regions:

southcentralus
eastus

australiaeast
westus3
swedencentral
eastasia
japaneast

westeurope

Latest Updated chart timestamps: Dashboard charts now have a "Last updated" timestamp that indicates the time the chart data was last refreshed. This transparency helps customers understand the freshness of the presented data. The timestamp is localized to the user's time zone.

Inventory sorting: Users can now sort most Defender EASM data by table columns. By clicking on the applicable column header name, users can choose for their data to ascend or descend by the selected value. Sorting is supported on both the Inventory page and Chart drill-downs displaying the assets comprising a count on a dashboard chart. Both pages support sorting by the "Asset" (name), "Kind," "First Seen," and "Last Seen" column values.

CVEs: Users can now filter host, IP address, and page assets by CVE ID. All CVEs in Defender EASM are now hyperlinked to the Defender Threat Intelligence Community portal, where you can obtain additional data. We now display CVE information by CVSS 2.0 and 3.x scores - all visible on the Asset Details page and dashboards.

Other Chart Enhancements:

Billable asset chart: The marker ticks on the vertical axis indicating asset counts are now easier to interpret.
SSL certificate CNAME added to dashboards: CNAMES have been added to all dashboard charts that pertain to SSL certificate information.
"Securing the Cloud" columns added in the drill-down view for "Securing the Cloud" dashboard charts, users will now see a new column for the "Last Seen" value, indicating when our detection system last observed an asset.

CVSS v2.0 and CVSS 3.x breakdown in Charts:

We now display CVE information by CVSS 2.0 and 3.x scores. This is visible on the Asset Details page, as well as on dashboards:

New Attack Surface Insights:

CVE-2019-15846 - Exim SNI Unauthenticated Remote Command Execution Vulnerability
CVE-2022-47986 - IBM Aspera Faspex Unauthenticated Remote Code Execution
CVE-2023-21745 - Microsoft Exchange Server Authenticated Privilege Escalation and Code Execution
CVE-2023-21529 - Microsoft Exchange Server Authenticated Remote Code Execution
CVE-2023-27898 - Jenkins Unauthenticated XSS to Remote Code Execution
CVE-2023-20025 - Cisco Small Business RV Routers Unauthenticated Remote Command Execution
(Non-CVE) Telnet Service Exposure Exim 21Nails Multiple Vulnerabilities
(Non-CVE) Elementor Pro for WordPress Authenticated Privilege Escalation if Installed with WooCommerce

Potential Insights

CVE-2022-44877 - CentOS Web Panel Unauthenticated Remote Code Execution
CVE-2022-47966 - Zoho ManageEngine Products Unauthenticated SAML XML Remote Command Execution
CVE-2022-24637 - Open Web Analytics Unauthenticated Remote Code Execution [Potential] CVE-2021-44529 - Ivanti Cloud Services Appliance Unauthenticated Command Injection
CVE-2022-31702 VMware vRealize Network Insight Command Injection
CVE-2022-31706 VMware vRealize Log Insight Unauthenticated Remote Code Execution
CVE-2023-0669 - GoAnywhere MFT Unauthenticated Remote Code Execution via Deserialization in Licensing Service
CVE-2023-27532 Veeam Backup Unauthenticated Credential Disclosure
CVE-2023-26359 - Adobe ColdFusion Arbitrary File Read and Unauthenticated Remote Code Execution Non-CVE Insights |

We want to hear from you!

Part 2: Uncovering Trackers Using the Defender EASM API

Michael_Lindsey — Thu, 27 Apr 2023 19:19:03 GMT

Thanks for joining me for the second installment on leveraging Trackers in Microsoft Defender External Attack Surface Management (Defender EASM) to find and manage risk in your organization. This blog post is part two of this series, building on the concepts introduced in part one about discovering your attack surface and applying this valuable inventory data to inform your security efforts at scale. As a quick refresher, in part one, we defined Trackers in Defender EASM and learned how to search for them in the User Interface (UI). This blog post will closely examine the Defender EASM Application Program Interface (API).

Concepts: The Defender EASM API

The Defender EASM API supplies a much more detailed view of an organization’s attack surface and allows end users to automate processes and operationalize workflows using standardized REST API calls. In this blog post, we will walk through a simple example of extracting “attributetypes” and “attributeValues” from the JSON (JavaScript Object Notation) responses returned by the Defender EASM API. We should remember from part one of this series that in Defender EASM, the terms “Tracker” and “Attribute” are synonymous. This asset metadata has entries for the type of tracker/attribute and a value for the tracker/attribute.

Let us begin with using the API to answer a real-world question. Defender EASM power users with a keen eye may already know that the UI does allow end-users to search for specific attributes and values. But what if you do not know what attributes to search for? The Defender EASEM UI does not supply a mechanism to list all available attributes in an attack surface, but the API can help us see what is present within our own set of assets. We will use the API to answer the question, “What attributes (i.e., trackers) did Defender EASM find in my attack surface, how many of each type are there, and what are the attribute values?” Easy enough, but we must get some prerequisites out of the way.

Prerequisites

Defender EASM resource deployed and populated with assets

A cursory understanding of how REST APIs work and familiarity with interacting with them in your programming language or tool of choice

Knowledge of the Defender EASEM API endpoints, specifically the “List” endpoint

A Client Service Principal configured with the correct roles for access to the Defender EASM API

A willingness to dive in, have fun, and get your hands dirty!

Concepts: The Approach

We will be modifying a Defender EASM example Jupyter Notebook published to GitHub. To succeed in this exercise, you should read the accompanying blog “Seeking Dead and Dying Servers with the MDEASM APIs” for more information and setup requirements. Our simple approach for retrieving all “attributeTypes,” “attributeValues,” and asset “names” are:

Get a token for your Client Service Principal.

Set a filter for all assets that are: “state = confirmed AND kind = page AND attributeType !empty.”

Send an initial API request with the parameter “mark = *”

Loop through subsequent API requests and JSON result sets to parse recent asset “name, “attributeType,” “attributeValue”, and add these to a dictionary.

For each successful request, grab “next link,” resubmit, and append parsed results to the dictionary.

Format and print results.

The example Jupyter Notebook will perform most of these steps for us, and we’ll simply need to focus on our query and desired output. To make our output a little easier to read, we will modify our Jupyter Notebook to use the pandas Python package.

Python Example

Assuming that we have followed all of the instructions to install the example Jupyter Notebook, we must ensure that we have the pandas package installed in our Python environment (virtual environments are recommended). Then, we will need to import pandas into our notebook by adding one line:

import requests, time, json, re

# Add pandas package import here

import pandas as pd

For simplicity’s sake, we will also make a copy and modify an existing function in our Jupyter notebook, specifically, the function “get_asset_list().” In the Jupyter notebook, create a new markdown and a code cell just after the cell containing our imports, and paste the following code in each:

### Attribute Assets - List

## Attribute Assets List returns##

def get_attributeType_list(query):

''' Call Assets List endpoint and return Attributes - takes a URL encoded query string '''

check_url_encoding(query)

global planeType

planeType = 'data'

azure_auth()

nextUrl = None

url = f"https://{region}.easm.defender.microsoft.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/workspaces/{resourceName}/assets?api-version={apiVersion}&maxpagesize={maxpagesize}&filter={query}&mark={mark}"

# Code Modification: Create dictionary

results = []

payload={}

headers = {

‘User-Agent’: ‘MDEASM Python Notebook,’

‘Authorization’: f’Bearer {bearerToken}’

}

response = requests.request("GET", url, headers=headers, data=payload)

if response.status_code != 200:

print("Error getting asset list")

print(response.text)

return None

if len(response.text) == 0:

print("No assets found matching your query")

return None

else:

responsejson = json.loads(response.text)

responseresults = responsejson['content']

# Code Modification: Loop, extract, and append attribute data points of interest

for name in responseresults:

for attributes in name['asset']['attributes']:

if (attributes['recent']):

r = {

'name' : name['name'],

'attributeType' : attributes['attributeType'],

'attributeValue' : attributes['attributeValue'],

}

results.append(r)

if 'nextLink' in responsejson and nextUrl != responsejson['nextLink']:

nextUrl = responsejson['nextLink']

else:

nextUrl = None

while nextUrl:

azure_auth()

response = requests.request("GET", nextUrl, headers=headers, data=payload)

responsejson = json.loads(response.text)

responseresults = responsejson['content']

# Code Modification: Loop, extract, and append attribute data points of interest

for name in responseresults:

for attributes in name['asset']['attributes']:

# Ensure only recent attribute data is returned

if (attributes['recent']):

r = {

'name' : name['name'],

'attributeType' : attributes['attributeType'],

'attributeValue' : attributes['attributeValue'],

}

results.append(r)

if 'nextLink' not in responsejson:

nextUrl = None

else:

time.sleep(1)

nextUrl = responsejson['nextLink']

if len(results) == 0:

print("No assets found matching your query")

else:

print("Number of results: " + str(len(results)))

# Code Modification: return results instead of printing them

return results

Viewing Trackers with Pandas

Now that we’ve added a new function to our Jupyter Notebook, it’s time to use it and visualize the data with pandas. We’ll author a new query that only returns page assets that have attributes (i.e., trackers) and populate a pandas data frame with the following code in a new cell.

# Create a query to return page assets with non-empty attributes

query = 'state = confirmed AND kind = page AND attributeType !empty'

# Load our pandas dataframe

df = pd.DataFrame(get_attributeType_list(query))

Once our query completes, Jupyter will print the results in a table with the following:

# View results returned

View the Most Common Trackers in an Attack Surface

Now, let’s use pandas to view just the counts of unique “attributeTypes." This list is useful for understanding which technologies are most prevalent in our attack surface and can be used as a starting point to inform and create more queries for hunting the data in your attack surface via the API. It’s also possible that you’ll see something unexpected in the list that requires more investigation to understand potential security risks.

# Create a second dataframe to display count of attributeTypes

df2 = pd.DataFrame(df['attributeType'].value_counts().rename_axis('Attribute Type').reset_index(name='Count'))

df2

Export Trackers Data? Yes!

Lastly, we’ll quickly export both of our data sets to *.csv files (comma-separated values) which can be viewed in Excel natively. Be sure to change the file path to match where the output file should be created on your computing device.

# Export our pandas dataframes to CSV

df.to_csv (r'./export_all_attribute_data.csv', encoding='utf-8', index = None, header=True)

df2.to_csv (r'./export_attributeType_count.csv', encoding='utf-8', index = None, header=True)

We’ve barely scratched the surface of what the pandas Python module can do. I encourage everyone to learn more about its data analysis capabilities as this was a simple introduction. Python and pandas make it easy to quickly prototype visualizations, export data in standard formats, and help you quickly gain an understanding of the metadata in your own attack surface with the Defender EASM API.

Conclusion

Now you should have a good understanding of how to query for Trackers using the Defender EASM API. More importantly, I’ve shown you how to modify an example Jupyter Notebook published by Microsoft to create your own bespoke queries and visualizations. I hope you will join me for the next installment of this series, where we will look at a related asset metadata type – web components!

 Be sure to try it for yourself! You can discover your attack surface discovery journey today for free.

Seeking Dead and Dying Servers with the MDEASM APIs

jtwells — Thu, 27 Apr 2023 19:08:12 GMT

This post follows Seeking Dead and Dying Servers blog and introduces the Microsoft Defender for External Attack Surface Management (Defender EASM) APIs. You should start with the previous post if you haven't already done so or are brand new to Defender EASM.

Defender EASM APIs provide much more capability than the UI (user interface) alone, enabling users to work with large numbers of assets in one action or piece of code. The pro of APIs is they provide an unencumbered interface between the application and the code or app interacting with it to enable exciting capabilities. However, leveraging an API usually involves significant coding work, even for experienced users. Luckily, I've written sample Jupyter Notebooks in Python and PowerShell you can download and use regardless of your experience level.

Choosing how to interact with the APIs

Most initial API interaction involves a command-line interface (CLI) application such as cURL, which is fast and incredibly flexible but comes with a steep learning curve. Users must be skilled with shell scripting to do more than single one-off API calls. API clients such as Postman and Insomnia make interacting with APIs much more manageable. We have covered their usage elsewhere. You may feel this is a better option, and if so, you can follow along after downloading our Postman collection. However, a Jupyter Notebook is a better option for many use cases. I'll explain below.

Using cURL or an API client such as Postman are great for quick interactions with APIs depending on your comfort level at the command line. However, I've found that once I have the logistics of working with an API figured out, I want to start using it extensively right away. API clients don't always have a smooth transition to a production-like capacity (features like Postman's "Code snippet" capability is handy here). If you need complex logic that takes the output from an API and does something with the results programmatically, you often exceed what you can get from a client, especially with a freemium version.

Conversely, suppose you are a skilled developer or experienced with APIs and creating Azure Functions or Logic Apps (or any cloud version thereof). In that case, you probably want to see the API docs and be left alone. The same goes for creating microservices or applications as part of a much bigger architecture. This is typically the realm of a Security Operations Engineer or similarly qualified individual; they take the sample notebooks, get ramped up, and are on their way instantly.

For the rest of us, Jupyter Notebooks can be incredibly helpful and decrease the time needed to go from testing an API to using it in production. Also, notebooks provide a great entry point for coding. If you're like me, you've said you wanted to learn to code or code better more often than you care to admit. I taught myself Python and PowerShell using Jupyter Notebooks inside of VS Code with just a few extensions, and you can get started today without writing a single line of code until you are ready. The advantage is that you can begin experimenting with the APIs and see the results immediately, then share those snippets easily with others on your team to iterate on further.

Jupyter Notebooks were made popular by data science and machine learning engineers. However, they have since spread to various domains. They are even used from within Microsoft Sentinel and leveraged by the Microsoft Threat Intelligence Center (MSTIC) team and their fantastic tool MSTICPy. Jupyter Notebooks provide a web interface for executing, visualizing, and sharing code easily and in a granular fashion. For our examples, I'll provide one cell of code at a time that interacts with a single API endpoint and then display the results, if any, below it.

One by one, you can see how the interaction is set up and executed and then fire it off yourself with only the required input, such as a query. This process differs from a script that requires full compiling and execution before you see the output. This can be tedious and time-consuming for big queries when you only want to make an API call to examine if you are getting the results you expected.

Note: One massive caveat here is that notebooks are not "production worthy" from an operational standpoint, nor are they secure. They are solely a testing tool but can produce code that can be taken and quickly implemented in a scalable and secure solution with minor modifications.

The provided sample notebooks use Service Principal client secrets within them in plain text and should never be shared with others outside your organization. These samples are made to be easy to use and follow the code execution without much extra effort. Using Notebooks by default is an entirely local process, meaning the server behind it is running on localhost, and everything you do is as secure as your local machine is. The moment your notebook is shared publicly or run on an instance other than your host is when things can go very wrong.

Also, be aware that notebooks have a "memory" in that if you run code and display an output, then share that notebook in that state with others, you run the risk of sharing those secrets with the public as the variables are stored in the metadata of the notebook itself until you 'Clear All Outputs.' See the Jupyter docs regarding security matters if you are curious, but as long as everything stays local, you should be fine.

Our Setup

As mentioned, VS Code makes a tremendous all-in-one environment once correctly configured. I'll quickly point out a few things that may help.

There are tons of great IDEs; many can run Jupyter and interpret Python or PowerShell. However, few do both, which is one of the many reasons I love VS Code.
Install the language of choice. Python and PowerShell have extensive support for many system architectures and operating systems, in addition to a range of system managers such as Anaconda. Choose what works for you, but if the language is not already installed, check with your systems admin first to see what is permitted or recommended
VS Code's Extensions provide added functionality at the click of a button, specifically the following:

For those using Python get the Python Extension for VS Code.
Also, the Jupyter Extension for VS Code
For those wanting to use PowerShell, get the PowerShell Extension.

You will also need the .NET Extension Pack, which includes Jupyter support.
Download our sample notebooks, and once the required extensions are activated, open them in VS Code.
You will need an MDEASM workspace with a completed Discovery run to query the APIs against.
Lastly, you will need API credentials, and we will be ready.

Authentication

There are several ways to obtain the necessary MDEASM API credentials, and every call to the API must include an authorization header containing a valid Azure AD Bearer Token. For our case, I took the liberty of writing a simple function that authenticates and provides our notebook with a bearer token that will eventually expire on its own. This function will also check to see if the current bearer token has expired and if it has, request a new valid token. This process is the Client Service Principal authentication flow. It lends itself nicely to scripts and processes that need a token for as long as the task runs and then lets it expire without further interaction.

Setting up a Client Service Principal requires some extended permissions. You can get a token with the Azure CLI if you don't have one. Check with your admin to see if they can help you get an Azure AD Application configured or if using the CLI is an option, but you will need the following either way:

If obtaining a bearer token from an AAD App:

TenantId
ClientId
ClientSecret

If obtaining a bearer token from the CLI, you will need the following:

BearerToken (you will provide it to the notebook manually)
BearerTokenExpires (in a standard DateTime format)
TenantId

For everything else, you will need:

subscription
ResourceGroupName
ResourceName (the name of your MDEASM workspace)
Region your MDEASM resource is deployed in

With that, let's get started.

The Notebook

I love Jupyter Notebooks, especially when prototyping Azure Functions or working with an unfamiliar API. APIs are usually brittle and not very forgiving when given the wrong input, so testing with a notebook is great—you only need to run the necessary code without compiling an entire script every time. However, what APIs lack in user-friendliness, they make up for in flexibility, speed, and robustness, which we will take advantage of today.

After following the steps from our previous blog Seeking Dead and Dying Servers, we may have a large set of data from our queries looking for Microsoft IIS and Apache webservers with a CVSSv3 score of 9 or higher (hopefully not). More realistically, you changed the query to a CVSSv3 score of 7 or above, which still returns a significant number of assets, which is challenging to work with in the UI.

Making things more complex, the assets returned are from all over the enterprise. You want a list of them that you can share with others broken down by their distribution, such as FQDN, IP Block, or ASN. This is something you can do easily via the API.

Configuration

At the top of either notebook are a title and a brief explanation. Below that is the first cell which includes the most critical variables and a helper function that handles obtaining a bearer token and then checking to see if it has expired every time it is called again. If you set up an AAD App, you will enter the clientId, clientSecret, and tenantId. Otherwise, if you used an alternate method of getting a token (e.g., AZ CLI), you would place it in its respective place along with the expiry. Regardless of how you obtained the token, you will still need to provide the remaining values subscriptionId, resourceGroupName, resourceName, and region.

What's important to note is that all the values except BearerTokenExpires must be within quotes. Quotes are used to type these values as strings. BearerTokenExpires is purely numerical and is typed as an integer. Strings without quotes and integers with quotes will create errors, so remember to enter them like in the provided examples.

The remaining values are all mostly set for you or are used to check for errors later so that you can ignore them for now. Notebook cells are sequential, so all the variables you enter at the top must be entered and the cell executed before they will be available to be used further below in the notebook. The same goes for functions—I've written the function for each endpoint and added another cell directly below to run the function with the input you supply. If you don't execute the function cell directly above it first, there will not be a function in memory to call – it's a common mistake.

If everything is set up correctly, your AAD App is configured properly, and, your CLI-produced bearer token has the expiration time set, you can run the cell by either pressing the 'Execute Cell' button beside it (it's shaped like a play button) or Shift/Enter to run that cell. Do not press 'Run All' as there are missing values you still need to enter below. If successful, you should see this output:

Great! You are ready to start using the MDEASM APIs.

Assets – List

This will likely be the endpoint used most, as it will take a properly formatted query and request the full asset details from the API for each asset returned. As you may have noticed while exploring the UI, a lot of data is associated with each asset. However, this is nominal compared to what returns from the API. The API provides all the data to you at once. It is up to you to decide what you care about and don't.

Scroll down to the section in the notebook titled 'Assets – List.' There will be a cell full of code that gets the API call made in the form of a function and another cell below it to use that function and display the results.

First, you must execute (Shift/Enter) the upper cell containing the function definition def get_asset_list() or function GetAssetList, depending on your selected language. Don't worry if nothing happens; this compiles the function and prepares it for the next cell.

In the next cell, let's replace the empty quotes with this query I have prepared for this example:

'state = confirmed AND kind in ("host", "ipAddress") AND webComponentType = Server AND webComponentName ^=in ("Apache", "Microsoft IIS") AND cvss3BaseScore >= 7'

You may loosely recognize this from the previous blog as the query for any webserver associated with a host or IP address whose Web Component Name starts with "Apache" or "Microsoft IIS" that has a CVSS v3 score of 7 or higher (with some slight modifications). You may also recall me mentioning that APIs are notoriously unforgiving for incorrect input, and this looks different than it does in the UI. The API needs this standardized format to consistently get precisely what you or your script is asking for, so it must be formatted very specifically. It's easy to make out the same groupings of filters in the UI, but the names are camel case (ex. webComponentType) or altogether different in certain instances (cvss3BaseScore vs. 'CVSS v3 Score').

Also, take note of the spaces and the use of the word AND to combine these filters into one cohesive query statement. Lastly, note the array value for webComponentName starting within (^=in). These individual values must be each enclosed in quotes, separated by a comma, and inside parentheses. Once entered in the cell, Shift/Enter again, and let it work through the query.

This may take a while, depending on how big your result set is. In my example, it took 1 minute 42.6 seconds to return 551 results using Python. There are several factors at play here least of which is a ~1-second delay between subsequent API calls. The results from the API are paginated, and each "page" has a link that points to the next page of results. This slight delay is an industry-wide practice of good internet citizenship. Still, more than just being 'nice,' it helps reduce the exception handling one must account for when APIs are under heavy utilization. Every page of results returned incurs a one-second delay, and for 551 assets in chunks of 25, that's 22 seconds of giving the API a little breathing room. This is only a big deal if you had 7k assets returned. Then, that slight delay adds 4.6 minutes in just waiting. We can do better.

The number of results per page gets set with every call in the form of a URL parameter called maxPageSize. If you recall, at the top of the notebook, maxPageSize is set at 25, which is a conservative number and much safer than, say 500. I recommend not exceeding 100 because pushing APIs hard can have unpredictable outcomes. Now we are only pausing 7 seconds overall, and my example returned the same results in 1 minute 3.7 seconds – (38.9 seconds) even faster than the mere 7 seconds we saved in wait time alone. As with all things, use with moderation.

In the response below the cell you are using, you should see either the query results or a message stating no assets matched. If you see no results, pat your vuln management team on the back. You can adjust your query with a lower cvss3BaseScore or remove the webComponentName altogether for more possible results.

Note that you see only the name of the assets being returned, not any of the hundreds of other data points we have for those assets. Next, we will perform a little work on the raw output to better understand how these assets relate to key centralized infrastructure like domains.

Near the bottom of the notebook, I've added a helper function I use pretty regularly that works precisely like our get_asset_list() and GetAssetList functions but, this time, finds common pieces of infrastructure like domains, IP Blocks, and ASNs. This can be a great way to see across organizational boundaries to find pockets of technology requiring attention. Why mitigate one risk when you can resolve many all at once?

Get Common Assets

This function aims to demonstrate programmatic functionality, not natively part of the API or the UI. It uses the same code as Assets – List to obtain a batch of matching assets but then parses the response of each asset returned and, based on its kind, looks for associated domains, IP Blocks, and ASNs and adds them to a dictionary. When it finds one, it first checks to see if it already exists in the dictionary – if found, it ups the count by one. If not, it adds it and starts the count at 1. In the end, the dictionary is sorted based on the observation count from highest to lowest, making it easy to see where the most significant number of assets related to your query are clustered around.

Conclusion

Hopefully, this sparks some ideas for ways to automate getting this information into the right hands of your organization. Suppose X asset is on Y domain, and everything there is the responsibility of Praveen's team. What's stopping you from scripting a small Azure Function that does a weekly check and sends an email to the team's distribution group? What about graphs and visualizations completely custom to your company's risk appetite? The possibilities are infinite, and now you have a place to get started and experiment freely.

We will continue to update the notebooks as more endpoints and features become generally available. Be sure to try this out for yourself -  You can discover your attack surface discovery journey today for free.

Data Connectors for Azure Log Analytics and Data Explorer Now in Public Preview

pcowger — Thu, 06 Apr 2023 15:55:21 GMT

The Microsoft Defender EASM (Defender EASM) team is excited to share that new Data Connectors for Azure Log Analytics and Azure Data Explorer are now available in public preview.

Defender EASM continuously discovers an incredible amount of up-to-the-minute Attack Surface Data, so connecting and automating this data flow to all our customers’ mission-critical systems that keep their organizations secure is essential. The new Data Connectors for Log Analytics and Azure Data Explorer can easily augment existing workflows by automating recurring exports of all asset inventory data and the set of potential security issues flagged as insights to specified destinations to keep other tools continually updated with the latest findings from Defender EASM.

Common Use-Cases and Scenarios

Push asset data or insights to Log Analytics to create alerts based on custom asset or insight data queries. For example, a query that returns new High Severity vulnerability records detected on Approved inventory can be used to trigger an email alert giving details and remediation steps to the appropriate stakeholders. The ingested logs and Alerts generated by Log Analytics can also be visualized within tools like Workbooks or Microsoft Sentinel.

Push asset data or insights to Azure Data Explorer/Kusto to generate custom reports or dashboards via Workbooks or Power BI. For example, a custom-developed dashboard that shows all of a customer’s approved Hosts with recent/current expired SSL Certificates that can be used for directing and assigning the appropriate stakeholders in your organization for remediation.

Include asset data or insights in a data lake or other automated workflows. For example, generating trends on new asset creation and attack surface composition or discovering unknown cloud assets that return 200 response codes.

Getting Started

We invite all customers to participate and experience the value for themselves. Before beginning, ensure you have a few things enabled/configured/etc.

Preview Prerequisites:

Aspect

Details

Required/Preferred

Environmental Requirements

Defender EASM resource must be created and contain an Attack Surface footprint.
Must have Log Analytics and/or Azure Data Explorer/ Kusto

Required Roles & Permissions

Must have a tenant with Defender EASM created (or be willing to create one).

Contributor (Log Analytics)
User and Ingestor (Azure Data Explorer)

The Defender EASM Data Connectors allow users to integrate two different kinds of attack surface data into the tool of their choice. Users can migrate asset data, attack surface insights, or both data types. Asset data provides complete details about all the assets in your inventory, whereas attack surface insights provide immediately actionable insights on potential security issues based on Defender EASM dashboards.

To accurately present the infrastructure that matters most to your organization, please note that both content options will only include assets in the “Approved Inventory” state.

Asset data: The Asset Data option will send data about all your assets to the tool of your choice. This option is best for use cases where the granular underlying metadata is vital to operationalizing your Defender EASM integration (e.g., customized reporting in Data Explorer might require this). This option does not provide any pre-determined insights about the assets; instead, it offers a full export of raw data so users can surface the customized insights they care about most.

Attack surface insights: Attack Surface Insights provide an actionable set of results based on key insights delivered through the dashboards in Defender EASM. This option offers less granular metadata on each asset. Instead, it categorizes assets based on the corresponding insight(s) and provides the high-level context required to investigate further. This option is ideal for those who want to integrate these pre-determined insights into custom reporting workflows in conjunction with data from other tools.

Accessing data connections

Users can access Data Connections from the Manage section of the left-hand navigation pane within their Defender EASM resource blade. This page displays the data connectors for both Log Analytics and Azure Data Explorer, listing any current connections and providing the option to add, edit or remove connections.

Configuring Log Analytics permissions

Open the Log Analytics workspace that will ingest your Defender EASM data or create a new one.
Select Access control (IAM) from the left-hand navigation pane. For more information on access control, see identity documentation.
On this page, select +Add to create a new role assignment.
From the Role tab, select Contributor. Click Next.
Open the Members tab. Click + Select members to open a configuration pane. Search for “EASM API” and click on the value in the members list. Once done, click Select, then Review + assign.
Once the role assignment has been created, select Agents from the Settings section of the left-hand navigation menu.
Expand the Log Analytics agent instructions section to view your Workspace ID and Primary key. These values will be used to set up your data connection. Save the values in the following format:

WorkspaceId=XXX;ApiKey=YYY

Configuring Data Explorer permissions

Open the Data Explorer cluster that will ingest your Defender EASM data or create a new cluster.
Select Databases in the Data section of the left-hand navigation menu.
Select + Add Database to create a database to house your Defender EASM data.
Name your database, configure retention and cache periods, then select Create.
Once your Defender EASM database has been created, click on the database name to open the details page. Select Permissions from the Overview section of the left-hand navigation menu.

To successfully export Defender EASM data to Data Explorer, users must create two new permissions for the EASM API: user and ingestor.

First, select + Add and create a user. Search for “EASM API,” select the value, then click Select.
Select + Add to create an ingestor. Follow the same steps outlined above to add the EASM API as an ingestor.
Your database is now ready to connect to Defender EASM. When configuring your Data Connection, you will need the cluster name, database name, and region in the following format. Please note this is case specific.
ClusterName=XXX;Region=YYY;DatabaseName=ZZZ

Add a data connection:

Users can connect their Defender EASM data to either Log Analytics or Azure Data Explorer. To do so, select “Add connection” from the Data Connections page for the appropriate tool.

A configuration pane will open on the right-hand side of the Data Connections screen. The following four fields are required:

Name: enter a name for this data connection.
Connection String: enter the details required to connect your Defender EASM resource to another tool. For Log Analytics, users enter the workspaceID and the coinciding API key associated with their account. For Azure Data Explorer, users enter the cluster name, region, and database name associated with their account. Both values must be entered in the format shown when the field is blank.
Content: users can select to integrate asset data, attack surface insights, or both datasets. Frequency: select the frequency that the Defender EASM connection sends updated data to the tool of your choice. Available options are daily, weekly, and monthly.

Once all four fields are configured, select Add to create the data connection. At this point, the Data Connections page will display a banner that indicates the resource has been successfully created, and data will begin populating within 30 minutes. Once connections are created, they will be listed on the main Data Connections page under the applicable tool.

Edit or delete a data connection:

Select the appropriate connection from the list on the main Data Connections page to edit or delete a data connection. This action will open a page that provides additional data about the connection. It displays the configurations you elected when creating the connection, as well as the following:

Recurring on: the day of the week or month that Defender EASM sends updated data to the connected tool.
Created: the date and time that the data connection was created.
Updated: the date and time that the data connection was last updated.

Users can elect to edit or delete their data connection from this page. If the data connection gets disconnected, users can reconnect to either Log Analytics or Data Explorer from this page, validating the configurations used to set up the integration.

Opening the query editor of the Azure Data Explorer cluster database you created to ingest your Defender EASM data shows all the available ingested assets and attack surface insight data tables. These tables are updated at the frequency specified within the Data Connection configuration record.

To view the ingested Defender EASM asset and attack surface insight data, you can use the query editor available by selecting the ”Logs” option from the left menu of the Azure Log Analytics Workspace you created earlier. These tables are also updated at the Data Connection configuration record frequency.

For more information on all things EASM or to get started, head over to Overview | Microsoft Learn

Why is Defender EASM Discovery Important?

jamilmirza — Sat, 29 Apr 2023 20:12:08 GMT

The Defender External Attack Surface Management (Defender EASM) Discovery is an integral part of the external attack surface management process. Organizations often struggle to keep up with demanding business requests and create additional infrastructure not under their IT compliance. COVID increased pressure on organizations to allow employees to work from home and make rapid changes to new or existing infrastructure.

How can you get an accurate picture of your risk with all these changes happening? How could you know where your attack surface is vulnerable? Defender EASM Discovery is the answer.

Figure 1 – Discover Vulnerabilities

Discovery Seeds

Defender EASM uses the idea of seeds to enable the Discovery process. Microsoft has some organization seeds already configured, which can be leveraged to start the Discovery. However, you can add your own if the organization is not listed. These seeds are the initial instructions to go and find infrastructure linked to the given organization.

Seeds consist of Organization names, Domains, IP Blocks, Hosts, Email Addresses, ASNs, and Whois Organizations. Once these have been added to the Discovery, Defender EASM’s proprietary algorithm will use these instructions as starting points on a weekly or monthly basis (depending on your configurations) to find infrastructure linked to your organization.

Figure 2 – Discovery Seeds

Continuous Discovery

Once the seeds have been created, Defender EASM will continuously look for new infrastructure. When assets are added to the Attack Surface, their details are continuously updated to maintain an accurate map of asset states and relationships. The Defender EASM process is essential when identifying your entire digital estate. There are often assets in your Inventory you did not know existed or assets you expected to have been decommissioned. Completing a manual Discovery process without Defender EASM’s proprietary technology and necessary skills would be time-consuming, expensive, and likely omitting important assets.

Discovery enables you to keep an eye on your ever-evolving attack surface. This dynamic process is vital in the cat-and-mouse game with threat actors targeting your organization. For those looking to master Defender EASM, don’t forget to check out the Microsoft Ninja training course!

Microsoft Defender External Attack Surface Overview, Concepts, and Vocabulary

jamilmirza — Tue, 21 Feb 2023 19:41:25 GMT

Welcome to an introduction to Microsoft Defender External Attack Surface Management (Defender EASM). This article will give you a high-level understanding of the concepts that help you understand your digital attack surface and the start of your Defender EASM Ninja Training journey.

Enterprises have primarily invested in internal security controls to capture adversaries as they plan and execute cyber attacks. One of the recent products added to the Cyber Security portfolio, Defender EASM allows you to understand your attack surface from the outside-in perspective and see it how attackers do.

Most cyber attacks progress from the phases of attack planning to breach and data exfiltration. The sooner you can detect and stop the threat actor, the less expensive it will be for an organization. Most companies invest in solutions inside their firewall. However, organizations can leverage Defender EASM to extend visibility and control outside their firewall to detect and mitigate attacks in the planning phase and more efficiently respond to external adversaries before more material impact occurs.

Imagine seeing which or how many deprecated web components are displayed to a potential attacker so they can plan their attack. Defender EASM gives you this visibility.

Microsoft Defender External Attack Surface Management’s technology is based on Microsoft’s acquisition of RiskIQ. These strong foundations have been developed further within Defender EASM to leverage Microsoft’s powerful threat intelligence and technology to develop a comprehensive inventory of digital assets to help defenders uncover potential infrastructure risks and highlight areas that may need attention.

Figure 1 – Defender EASM Overview 

Figure 2 – Why Defender External Attack Surface Management?

Figure 3 – Where does Microsoft’s External Attack Surface fit in your organization?

Figure 4 – Where does Microsoft’s External Attack Surface fit in your organization?

Concepts and Vocabulary

We’ll use the following terms throughout this training and the platform. Take some time to familiarize yourself with the below list.

Discovery	The attack surface is continuously changing. Defender External Attack Surface Management Discovery continually identifies new assets which need to be added to the Inventory to be put under management.
Inventory	The area where all the assets can be searched using the filter.
Assets	Assets include IP addresses, IP Blocks, hosts, domains, pages, SSL Certificates, Autonomous System Numbers (ASNs), and Whois contacts.
Filter	Search which can be run against the Inventory to return assets that match the defined criteria.
Billable Assets	Assets are only categorized as billable if placed in the Approved Inventory state. We do not charge for any other state. Additionally, duplicative host assets are NOT included in the billable asset count.

Now that you have a high-level understanding of Defender EASM, you can continue your Ninja Training journey. The concepts and vocabulary shall be referenced continuously as you read through more articles and should give you the foundation knowledge needed to understand the subjects being discussed.

Become a Microsoft Defender External Attack Surface Management Ninja: Level 400 training

jamilmirza — Tue, 21 Feb 2023 19:40:54 GMT

Welcome to Microsoft Ninja training! This blog post will walk you through Microsoft Defender External Attack Surface Management (Defender EASMI) Level 400 training to become proficient in understanding and managing your organization's external attack surface.

Curriculum  

This program comprises four training modules enabling users to get to know and get the most out of their Defender EASM instance. Throughout this training, you'll familiarize yourself with Defender EASM, how it discovers your attack surface, and how to use it to identify risks across your organization's digital estate. Once complete, you'll be ready to leverage the information in Defender EASM to ensure you've minimized attack surface risk.

The modules listed below are split into four groups:

Part 1: Overview

Module 0: Other Learning and Support Options
Module 1: Use Cases, Users, and How to Get Started

Part 2: The Discovery Process and Overview

Module 2: Getting Started with Discovery

Part 3: Dashboards and Reporting

Module 3: How to Prioritize

Part 4: Analyzing your Assets

Module 4: An overview of your Inventory
Module 5: Understanding your Assets

Part 1: Overview

Module 0: Other Learning and Support Options 

The Ninja training is a level 400 training. If you don't want to go as deep or have a great feature request to share, other resources might be more suitable:

Already a Ninja? Join our Private Preview program to be informed of new features. We will update this Ninja training as new features, and integrated use cases are introduced. 
Have a good feature idea you want to share with us? Let us know on the MS Defender External Attack Surface Management channel of the Cloud Security Private Community [EXTERNAL] Teams site.

Think you're a Microsoft Defender EASM Ninja?

Take the knowledge check and find out. If you pass the knowledge check with a score of over 80%, you can request a certificate to prove your ninja skills!

Disclaimer: This is not an official Microsoft certification and only acts to recognize your participation in this training content.

Take the knowledge check here.  
If you score 80% or more in the knowledge check, request your participation certificate here. If you achieved less than 80%, please review the questions that you got wrong, study more, and retake the assessment.

Module 1: Use Cases, Users, and How to Get Started 

Microsoft Defender External Attack Surface Management (Defender EASM) continuously discovers and maps your digital attack surface to provide an external view of your online infrastructure. This visibility enables security, and IT teams to identify unknowns, prioritize risk, eliminate threats, and extend vulnerability and exposure control beyond the firewall. Defender EASM leverages Microsoft's crawling technology to discover assets related to your known online infrastructure and actively scans these assets to discover new connections over time. Attack Surface Insights are generated by leveraging vulnerability and infrastructure data to showcase your organization's key areas of concern (read more).

Defender EASM aids the following target organizations and functions:

Security Operations
Vulnerability Management
Application Security
Threat Hunting
CISO / CSO / CIO / Executives
Penetration Testing

Common tactical use cases include:

Data Enrichment
Infrastructure exposure
Potential Data loss
Brand exposure
First-party risk
Third-party risk

If you want an overview of Microsoft Defender External Attack Surface Management's capabilities, please visit Defender EASM Overview.

Lastly, want to try it yourself? Defender EASM 30-day trials are available to start in the Microsoft Azure portal (read more). You will need a valid Azure subscription with a contributor role assigned to create a resource to begin the trial. 

Part 2: The Discovery Process and Overview

While the previous section provides an overview of our Defender EASM platform and how to get started, this section provides thorough information regarding Defender EASM's Discovery Process and Overview. It also provides examples to provide more information regarding the value of Defender EASM's Discovery algorithm (read more).

Module 2: Getting Started with Discovery 

Keeping up with your ever-changing infrastructure can be a difficult, if not impossible challenge. The Discovery Process has been designed to continuously identify new infrastructure and automatically identify assets to ensure you clearly understand your security posture (read more). Discovery seed types include domains, IP Blocks, Hosts, Email Contacts, ASNs & Whois Organizations.

Part 3: Dashboards & Reporting

Data has never been as valuable as it is in today's world. It is fair to say that there is often so much data that it becomes difficult to find what is important and, therefore, impossible to use effectively. The dashboards in Defender EASM help to highlight important information within your attack surface and splits your actions into manageable tasks to help improve your security posture.

Module 3: How to Prioritize

At this point, your initial Discovery Process is complete, and data is consistently populating your Dashboards (read more). These dashboards are broken down into the following:

Attack Surface Summary
Security Posture
GDPR Compliance
OWASP Top 10

Filtering can also help identify specific attack vectors that may be important for a given organization. Defender EASM is constantly updating the assets in the Inventory and keeping those findings in the dashboards up to date. Enrolling this data for information pertinent to an attack on a given sector could prove to be an essential utility when understanding where potential vulnerabilities exist in the Attack Surface (read more).

Part 4: Analyzing your Assets

Discovery should now be set up to recursively identify infrastructure with observed connections to legitimate assets within your attack surface. You should also understand how to use the dashboards to highlight areas of concern that may need addressing within your attack surface.

So what now? Part 4 will help you to understand how to use the Inventory.

Module 4: An Overview of your Inventory

Assets comprise IP addresses, IP blocks, hosts, domains, pages, SSL certificates, ASNs, and Whois contacts, as mentioned in Module 2. Each asset type contains different information, which can be filtered accordingly. Another important consideration of assets is Asset Status. The status of an asset has important implications when it comes to billing and reporting (read more).

Module 5: Understanding Your Assets

The Defender EASM Inventory allows you to access all the assets within your scope and write customizable filters (read more). What if something else needs to be identified in your attack surface that has not been highlighted via the dashboards? For example, what if a known threat actor targets your organization by exploiting a vulnerability? How can you identify deprecated versions running on your infrastructure? (read more)

You can use the Defender EASM inventory to show how many instances of this web component are exposed on your attack surface. A simple filter can be applied to reveal these assets and show you how many potential exposures you may have. These results can then be passed to the relevant teams to patch or update accordingly.  

Part 1: Uncovering Trackers Using the Defender EASM UI

Michael_Lindsey — Mon, 01 May 2023 02:02:56 GMT

Also by Jamil Mirza

Microsoft Defender External Attack Surface Management (Defender EASM) discovers your externally facing digital assets and provides many useful details about the assets found to help you manage risk impacting your organization. One example of this asset detail is Trackers, which can be associated with Page, Host, or IP Address assets. The definition of Trackers from the Defender EASM official documentation is as follows:

Trackers are unique codes or values found within web pages and often are used to track user interaction. These codes can be used to correlate a disparate group of websites to a central entity. Microsoft's tracker dataset includes IDs from providers like Google, Yandex, Mixpanel, New Relic, Clicky and continues to grow regularly.

What’s so special about Trackers and why should security teams understand what they are and the functionality they provide? In practice, Trackers can be used for both legitimate and malicious purposes, and it’s important to understand any potential risk created by the latter. Below are a few examples.

Example Legitimate Uses:

Product Management and IT (information technology) teams may use them to track user interactions with a website, gathering both user information and browsing habits to personalize and improve a user’s web experience.
Marketing teams may use them to collect metrics about the effectiveness of advertising campaigns and the conversion of ad impressions to the sale of goods or services.
Governance, Risk, and Compliance (GRC) teams may need to monitor the use of trackers due to regulatory requirements, such as those in the Health Insurance Portability and Accountability Act (HIPAA)

Example Malicious Uses:

Threat actors have been known to use well-known trackers and leverage obfuscation to evade the detection of compromised websites. Attackers may also incorporate them into phishing websites to decrease the chance their attempt at impersonation of a legitimate website will be noticed.
Trackers are often delivered to a user’s browser from a third-party source, and in this case, it’s important for security teams to be aware of the following:
- Any changes that might indicate the breach of a third party’s infrastructure that would allow a threat actor to deliver malicious JavaScript to an unsuspecting user.
- Misconfigurations that could lead to data leakage.

This blog post will show you how to view Trackers in the User Interface (UI). In a second forthcoming post, I will demonstrate the awesome power of the Defender EASM API (Application Programming Interface) and how you can increase the visibility of Trackers in your attack surface. In the final installment of this series, I will describe the similarities and differences between Trackers and Web Components.

Trackers in Defender EASM

We have already defined what Trackers are in terms of how they are generally used on the internet. Within the rich corpus of Defender EASM data called “Trackers” (AKA “Attribute Type” in the UI search screen), there are additional derived data subtypes to be aware of. These other derived asset attributes are valuable for managing an external attack surface in several ways, but not all fit within the traditional definition of a website tracker.

For example, there are several attributes you may encounter that are related to “JARM hashes.” JARM hashes aren’t website trackers as you might think of them, but they are useful for identifying technologies that make up an attack surface. Sometimes, they can identify individual users if certain customized configurations are used. You can learn more about JARM hashes in this blog post. Now that we have a baseline knowledge of the Tracker data set available in a Defender EASM Azure resource, and an understanding that it contains even more valuable data than the name implies, let’s dive in!

Searching and Viewing Trackers

In this example, we will focus on Google Tag Manager (GTM), which according to Google enables the following:

Tag Manager allows you to add and update your own tags for conversion tracking, site analytics, remarketing, and more. There are nearly endless ways to track activity across your sites and apps, and the intuitive design lets you change tags whenever you want.

One mechanism GTM uses to provide this functionality is by dynamically injecting and executing JavaScript code when a user loads a website in a browser. Unfortunately, threat actors have developed multiple complex methods to abuse this design, and those techniques are beyond the scope of this blog post. Regardless of approach, the result is typically the injection of malicious code that allows an attacker to profit from advertising revenue or breached data – avoiding raising the suspicion of site administrators and developers.

Find all Trackers in 3 Steps

Let’s assume that our goal is to find all Page assets in our attack surface that use GTM. With Defender EASM, it’s easy for security teams to uncover these websites with a simple search in the “Inventory” blade. Only the following three filters are needed:

The filter of “State = Approved” is default and should not be changed for this example (i.e., “Approved” signifies ownership by your organization)
Add a filter for “Kind = Page” to focus-in on websites only
Add a filter for “Attribute Type = GoogleTagManagerId”

That’s it! It’s now possible to navigate to the asset details of each Page asset returned by clicking the link in the “Asset” column.

After selecting any result returned, Defender EASM will present you with the details for that asset. Select “Trackers” in the asset details screen to view all trackers Microsoft has detected for that specific asset. In this instance, the results will include assets using GTM and their corresponding values.

Note: As previously mentioned, there are many types of Trackers in the Defender EASM data set. Viewing those programmatically will be shown in the next installment of this blog series.

Find Tracker Values in Just One More Step

Let’s assume that you know the exact GTM value of interest, or at least what the value begins with. By simply adding one more filter, Defender EASM allows us to reduce our data set to just the GTM values we might want to interrogate further.

Add the filter “Attribute Value,” the operator “Starts With,” and the characters that comprise the beginning of the GTM string value.

The result set will now be reduced to just those Page assets that may need to be analyzed per business needs.

Conclusion

You now understand Trackers in Defender EASM and how they could create risk to your organization. You can also search for them via the Defender EASM UI within your external attack surface. I sincerely hope you will join me for the next installment of this series. Happy Tracker hunting!

Begin your attack surface discovery for free today by trying Defender External Attack Surface Management journey today.

Latest Engineering Semester Enables Tighter Integrations, Ease of Use

Mike_Browning — Tue, 31 Jan 2023 17:33:16 GMT

The launch of Microsoft Defender External Attack Surface Management (Defender EASM) was part of Microsoft's ongoing vision to provide unmatched threat intelligence capabilities. We've continued to innovate, introducing impactful new features that drive value for our customers through simplicity and integrations that enhance the products and workflows security teams already use via Defender EASM data.

Our latest build includes a REST API to let customers manage their attack surface at scale, a billable assets dashboard to help users more efficiently track their usage, and integration with Microsoft Defender for Cloud to help them understand how and why a digital asset is vulnerable. The team has also introduced enhancements such as dark mode and improvements to discovery and inventory capabilities. This blog will cover what's new in MDEASM and how it can help improve your security posture by bringing unknown resources, endpoints, and assets under secure management.

REST API

Defender EASM continuously discovers and inventories an organization's digital attack surface. The new REST API lets customers manage their attack surface at scale by integrating with the processes and third-party tools they already use. Via the API, they can create new clients and applications or automate workflows for data enrichment, ticketing management, or process management.

Common use cases for the API include retrieving or curating asset data, creating and managing discovery groups, kickstarting discovery runs, utilizing saved filters, and downloading data.

Data functions include:

Export, retrieve, and update assets
Retrieve, create, remove or run a discovery group
Retrieve discovery templates
Retrieve asset summary details or snapshot values
Retrieve, create or remove saved filters
Retrieve or cancel tasks, and download task data
Retrieve workspace data
Bulk modification

Administrative functions include:

Create, update, delete or retrieve labels
Create, update, delete or retrieve workspaces

To start using the Defender EASM API, please refer to the Authentication article in our API documentation and the solutions repository developed by our Customer Experience Engineering Team.

Microsoft Defender for Cloud integration

Defender EASM scans the internet and its connections daily, building a complete catalog of a customer's environment and discovering internet-facing resources—even the agentless and unmanaged assets. Insights about how these assets are connected to the internet and other assets are now available in Microsoft Defender for Cloud (MDC) to provide critical context during incident response.

The MDC and Defender EASM partnership cross-correlates externally-facing IP Addresses in MDC to help reduce recommendation noise and focus on the most exploitable vulnerabilities along potential attack paths. The MDC UI allows customers to quickly navigate to Defender EASM for further details via both the Overview and Attack Path pages.

Billable Asset Dashboard

Modern attack surfaces are large, dynamic, and growing every day. Now in preview mode, the billable assets dashboard helps customers better understand how they are billed as Defender EASM discovers their attack surface and identifies new assets that may change their inventory. It provides a breakdown of billable asset counts by day, broken down by asset type, so users can easily track their EASM usage, see how their billing changes over time, and estimate their costs. This feature is in preview mode, and we welcome feedback!

Key Enhancements

Dark Mode: Defender EASM is now compatible with dark mode. Users can enable it by selecting the dark mode theme from the "Appearance + startup views" tab on the Azure Portal Settings page.

Discovery Enhancements: Discovering your organization's attack surface is now easier than ever with improvements to our discovery process. These include:

A new entry field for "Organization names" as an input into the discovery algorithm
Added safeguards to protect the platform and improve discovery performance
Enhanced seed tooltips to provide better examples of supported inputs
Removed "SSL certificate common name" as a possible seed option
Seed validation to remove any duplicative seeds

Inventory Filter Improvements: Users can now understand and act on their organization's digital asset inventory more quickly and efficiently with new inventory filter improvements. These include:

A drop-down list of inventory filters organized by the kind of asset they apply to. Filters that apply to all assets are "Common"
Improved handling of date filters for "Created at" or "Updated at"
Format validation for specific freeform values (e.g., ASN) to ensure the inputted field is applicable

New Attack Surface Insights: As the global threat landscape evolves, Defender EASM identifies and tracks new vulnerabilities that put organizations at risk. Users can now detect 31 detectable and potential CVEs. Other Attack Surface Insights include:

Deprecated Tech – Silverlight
Command and Control Server Detected
Cryptocurrency Miner Detected on Website
Deprecated Tech - Boa Web Server
Information Disclosure - PHPInfo
Open Memcached Service Can Leak Sensitive Data
Open Print Device Exposure

We want to hear from you!

Seeking Out Dead and Dying Servers

jtwells — Tue, 17 Jan 2023 22:47:58 GMT

Peruse any social media platform where InfoSec practitioners interact and share their findings, and you will likely find a mention of the latest and greatest 0-day exploit making the rounds. Although 0-days represent the cutting edge of threat activity, aside from a specific error of backdoors in easily identifiable software, these are often the result of misconfigurations, poor defense-in-depth design, or lack of regular patching and updating

The most sophisticated 0 days, those that don't require some error or neglect by defenders are rare and need specific conditions and a lot of luck to succeed. There are vast numbers of much more common vulnerabilities most people should investigate first. Finding out what an attacker can leverage against your organization from their perspective and seeing that platform or version numbers exist across the entire enterprise is one of the most significant advantages of using Microsoft Defender for External Attack Surface Management (MDEASM).

Many organizations are shocked to find deprecated technologies that require immediate attention as part of their online presence. More importantly, they often discover deprecated assets that were previously unknown to remain online. In future Tech Community articles, we will drill deep into solving an array of shadow IT issues like this. Here, though, we'll highlight a particular type of rogue asset that can hide in plain sight: dead and dying web servers, and show you some tricks for finding these assets while excluding others that do not require immediate action.

Note: To follow along in this blog, you must complete discovery in your MDEASM workspace to which you have, at minimum, read the permissions.

One of the most common critical findings by MDEASM customers is severely outdated versions of Apache web server and Microsoft IIS (Internet Information Services). In your MDEASM instance, once an inventory is created and the full discovery has been completed, select "Inventory" from the General section on the left. Notice the filter section at the top of the Inventory blade. This section is where our focus will be for now.

MDEASM has well over 200 asset attributes to use as filters that we can combine with 18 operators for precise subsets of your external attack surface. Select 'Add filter' and select the first instance, 'Web Component Name.'

Note that some filters apply universally to all assets, and others only apply to some. 'Web Component Name' is listed three times under Host, Page, and IP Address asset types. Selecting any of the three instances will act upon all applicable asset types, so it does not matter which you choose.

After selecting the 'Web Component Name' filter, select 'Matches In' under the operator. Next, type 'IIS' and Shift+Enter. Then type in 'Apache.' See the example below and select Apply when ready.

After the results are returned, you may notice that every asset with any Apache platform or IIS, regardless of the version number or state of potential risk, is listed. We need to add another filter to refine the results further. A quick shortcut to finding the most potentially vulnerable assets is to use the 'Affected CVSSv3 Score.' Here, we add the numerical operator 'Greater Than or Equal To' and the numerical value of 9 and press Apply.

Now, let's specify that we only want web servers by clicking 'Add filter.' Under Filter, select 'Web Component Type' + 'Equals' + 'Server' like in the example below.

Together, these filters return any asset in Approved Inventory (those that MDEASM will actively monitor and present in analytics) that we have recently detected a web server technology whose name matches 'Apache' or 'IIS' and has an active CVE with a CVSSv3 score of 9 or higher. These results are a great place to start looking for assets that require investigation. Adjust the filters to suit your needs and explore across your attack surface.

Also, as assets are patched and updated and then rescanned automatically, the platform will expire the older component versions after several unsuccessful follow-on detections and identify new ones.

Bonus: Try to see if the inverse is true. Can you find active web servers on IP addresses that do not have a host associated with them but have common HTTP-related ports like 80, 443, and 8080 open?

Regardless of the server type or version, this would be out of place in many organizations except under specific conditions. Even then, it might warrant an investigation. Try it for yourself and see what you find. Use different filters combined with various operators to discover new things. Don't worry if nothing comes up - in most cases, that's a good thing.

We hope you found this blog post helpful. Please comment below with any questions, or let us know how your hunt for dead and dying servers is going!

Identify Digital Assets Vulnerable to Subdomain Takeover

ajaykallur — Tue, 03 Jan 2023 18:56:27 GMT

Subdomain takeover vulnerabilities are, in most cases, the result of an organization using an external service and letting it expire. However, that expired subdomain is still a part of the organization's external attack surface, with domain DNS entries pointing to it. An attacker could then claim this subdomain and take control of it with little to no effort, a considerable blow to an organization's security posture.

How does this happen? For example, a company might enlist a service desk provider, "FreshDesk.' It would point a subdomain like "support.mycompany.com" to FreshDesk and then claim this domain with the Freshdesk service to activate it. However, a problem arises when the organization abandons the service because they migrate to other services or for some other reason. Meanwhile, after the service agreement expires, the subdomain remains pointing to the FreshDesk platform.

While this might not seem bad initially, the risk of allowing attackers to execute scripts under the subdomain enables them to obtain data from the main website. The risk becomes even more significant when this scenario involves a service that handles PPI, PHI, or trade secrets. Microsoft Defender External Attack Surface Management continuously maps the external-facing resources across your organization's attack surface to identify, classify, and prioritize risks, including subdomain expiration and takeover.

MDEASM Is Purpose-Built to Detect Expired Subdomains

Microsoft Defender External Attack Surface Management discovers your organization's digital assets exposed to the Internet through its unique crawling and scanning capabilities. It maintains a complete inventory of the internet-facing resources connected to your organization and the unique attributes of each. It also offers the necessary tools to manage this inventory for different assets, including hosts, IP addresses, web pages, domains, IP blocks, ASNs, SSL Certs, and contacts.

MDEASM Inventory enables querying for all available attributes (over 200 currently) with multiple search operators, including "Expired Service" and "Service." A service is a hostname making use of a service. An expired service is a hostname (possibly susceptible to takeovers) that previously pointed to an active external service via DNS but now does not resolve.

Customers should use these two inventory filters in tandem because when a rule is written for an "Expired Service" category component, a "Service" category component is written concurrently to show when a service in question was in use and when it expired. This way, customers will always have visibility into the statuses of the services they use and can easily detect the presence of a working or inactive service.

Try it yourself: In MDEASM, query your approved inventory using the "Expired Service" search operator. It will return all digital assets matching this search criterion:

You can select each one of these assets - Host (server, Web Page, or IP Address, to see its full asset details and view all the available data and history:

Below are some of the Web Component details for one of the above-searched assets:

Service Name	Description
Google Cloud	Google cloud services for storage
GitHub Pages	GitHub static website hosting
Shopify	Hosted eCommerce Platform
Heroku	Cloud application platform
Statuspage	Status page hosting
Amazon S3	Cloud storage
Tumblr	Microblogging and social networking platform
Zendesk	Customer service software and support ticket system
Freshdesk	Customer support software and ticketing system
Fastly	Content delivery network
WPEngine	WordPress blog hosting
UserVoice	Product management software
Unbounce	Landing page builder and conversion marketing platform
Tictail	Social shopping platform
Teamwork	Project management, help desk, and chat software
SurveyGizmo	Online survey software
Pingdom	Website and performance monitoring
Instapage	Landing page platform
Help Scout	Customer service software and education platform
Helpjuice	Knowledge base software
Ghost	Publishing platform
FeedPress	FeedPress
Desk	Customer service and helpdesk ticket software
Cloudfront	Content delivery network
Cargo	Web publishing platform
Campaign Monitor	Email marketing
Pantheon	Hosted websites (Drupal, WordPress)
WordPress	Hosted WordPress installations
Surge	Static website publisher
Bitbucket	Project hosting
Intercom	Customer messaging platform
WebFlow	Website creation & Hosting
WishPond	Custom CMS for websites
AfterShip	Package tracking solution for eCommerce
Aha	Hosted Roadmap Service
BrightCove	Online video platform
BigCartel	Online shopping system
Acquia	Hosted SaaS for CMS
Simplebooklet	Online hosting for brochures
GetResponse	Marketing email/landing page solution
Vend	Retail Management software
JetBrains YouTrack	Online ticket tracking platform
Azure	Cloud hosting
Readme	Hosted Developer Hub software
Apigee	API management & analytics
Smugmug	Online store and video/audio/photography hoster
Kajabi	Online Business Platform

You should now be able to query for hosts susceptible to a subdomain takeover attack and search all associated services and their current state. You can discover your attack surface discovery journey today for free.

Welcome to the Microsoft Defender External Attack Surface Management Tech Community

Mike_Browning — Thu, 15 Dec 2022 23:45:35 GMT

Welcome to the Microsoft Defender External Attack Surface Management (MDEASM) Tech Community!

Understanding your external attack surface is critical in this era of digital expansion and hybrid work, as unmanaged resources and shadow IT create an increasingly severe security risk. Since we launched MDEASM over the summer, we've been thrilled to work with organizations of all sizes and complexity that use its unique global attack surface discovery technology to strengthen their security posture.

In the MDEASM Tech Community, we'll share the latest content about how network teams, security defenders, and incident responders can get the most out of MDEASM's industry-leading attack surface management capabilities. The blogs, videos, and training posted here will help you get up-to-speed in identifying, classifying, and prioritizing unknown and unmanaged internet-exposed resources and leveraging insights that help prioritize the most critical risks to your organization. We'll also offer expert how-to guides for integrating MDEASM with other Microsoft Security products and other tools and workflows you already use.

We are also looking forward to hearing from you! The MDEASM Tech Community is a great place to ask us questions and offer our engineering and product teams feedback about what's working well, the unique ways you're leveraging MDEASM, and what you'd like to see us build next.

Stay tuned for all the latest MDEASM content, including:

Best practices: MDEASM continuously discovers and maps your digital attack surface to provide the 'outside-in' perspective an attacker has. We'll share the best ways to put this continuously evolving inventory to work, including key integrations with Defender for Cloud, Microsoft Sentinel, and your team's other existing security tools and workflows.

New features and product updates: Microsoft is always innovating and investing to make products that contribute to a safer world. When we launch updates and new features, our community will be some of the first to know. Here, we'll offer a first-hand look at what's next and the opportunities available to MDEASM users.

How MDEASM and Microsoft Security products are better together: Discovering your attack surface is the first step to managing your security posture. When leveraged with other Microsoft Security products, MDEASM enables you to track assets through digital transformation efforts, proactively manage vulnerabilities at a global scale, and find and eliminate cyber risks born from misconfiguration. We'll show you how it's done.

Solutions to today's most demanding IT Challenges: MDEASM helps security teams safely enable complex technology initiatives, including cloud migration, mergers and acquisitions, remote work and shadow IT, and third-party risk. Here, we'll provide all the information you'll need to tackle them.

Access to training, workshops, and certifications: We're committed to preparing the security community to combat the next generation of threats. Come to the MDEASM Tech Community to learn, practice, and become an EASM expert. Visit the MDEASM Tech Community to complete training courses, earn certifications, and even help us teach other cybersecurity pros.

We want to hear from you!

MDEASM is made by security professionals for security professionals. Join our community of security pros and experts to provide product feedback and suggestions and start conversations about how MDEASM is helping you manage your attack surface and strengthen your security posture. With an open dialogue, we can create a safer internet together.