Microsoft Defender External Attack Surface Management (Defender EASM)

Defender family keep evolving and this time taking a look at Defender EASM.

What is EASM?

To give you an outside perspective of your online infrastructure, it continuously locates and maps your digital assault surface. With the use of this visibility, security and IT teams may recognize unknowns, rank risks, stop threats, and extend vulnerability and exposure control outside of the firewall. Defender EASM makes use of Microsoft’s crawling technology to find assets connected to your established web infrastructure and continuously checks these assets for fresh connections. Utilizing infrastructure and vulnerability data, Attack Surface Insights are produced to highlight the main areas of concern for you.

What regions are supported?

Currently these are the supported regions.

  • southcentralus
  • westus3
  • eastus
  • eastasia
  • swedencentral
  • australiaeast
  • japaneast

Supported assets

Defender EASM includes the discovery of the following kinds of assets:

  • Domains
  • Hostnames
  • Web Pages
  • IP Blocks
  • IP Addresses
  • ASNs
  • SSL Certificates
  • WHOIS Contacts

How to set it up?

First you will provision the workspace and then create a custom attack surface.

Then you can create an Custom attack surface.

Once done, verify and confirm.

Process and result

Microsoft will begin with a seed, scan their security graph, and repeatedly forge connections with additional assets; the end result is the inventory of your attack surface. For further elaboration and analysis, we then pull in other datasets. The entire procedure takes between 24 and 48 hours to finish.

You’ll have a thorough attack surface after your discovery process is over, including a system of record for your web applications, third-party dependencies, and web infrastructure. Utilize this to identify unmanaged assets, comprehend the security posture of your firm, evaluate compliance, and identify dangers to your attack surface.

Data residency, availability and privacy

Attack from Microsoft Defender external Both global and client-specific data are present in Surface Management. Labels added by clients are regarded as customer data, but the underlying internet data is global Microsoft data. The location of the customer’s choice governs the storage of all consumer data.

When users log in, Microsoft records their IP addresses for security reasons. This information is kept for up to 30 days, but it might be kept for longer if it’s necessary to look into possible misuse of the product that might be fraudulent or malicious.

Customers shouldn’t experience any downtime in the event of a region failure because Defender EASM makes use of technologies that duplicate data to backup regions.
Customer data is processed by Defender EASM. Customer data is copied to the paired region by default.

How the reports look like?

Once the assessment is done, you will see the services you defined to the query and was there any match for different attack surfaces.

And from the inventory page you can what was discovered from your environment


A free fully-functional 30-day trial of Microsoft Defender Threat Intelligence is available but you can also buy it from the get go.

Purchase MethodDefender External Attack Surface Management
Microsoft Representative€0.012 asset/day
Azure Portal€0.012 asset/day

More information on Microsoft official page

Why to bother with EASM?

EASM is a penetration testing as a service. It will find out your weak spots based on the information you give but using Microsoft’s own security services to investigate.

Nice service and not that expensive to use compared to the benefits you could get from it.

Author: Harri Jaakkonen

Leave a Reply

Your email address will not be published. Required fields are marked *