Getting started with Microsoft Defender EASM (External Attack Surface Management)

About a week ago, Microsoft released a new product called Microsoft Defender EASM which is based upon an earlier product from RiskIQ and is now a part of Microsoft Azure. You can look at this as a Shodan-light alternative where you can see your organization from an outside view—looking at what kind of external services and vulnerabilities you might have.

While Sentinel and other products like Defender for Cloud and Defender for Servers look at traffic and events from the inside, EASM looks at your environment from the perspective of an external attacker.

Although it was recently released, it is not yet available in all regions, but it will be rolled out to most regions soon (including an API that provides integration with other Microsoft products like Sentinel for analytics).

West Europe and North Europe are not available as regions as of now.

EASM can be set up via the Portal within an approved region. By default, you have a 30-day trial before you get billed for any asset. More info about pricing is further down in the post.

You can see an EASM instance as a view of the data. When you set up an instance, you can use a predefined domain that has already been mapped, or you can create custom rules. As seen below, we can search for the specified organization. (NOTE: The list above reflects public information that has already been generated as seen below.)

Or you can define a custom attack surface (by using the feature Create a custom attack surface) where you define where the EASM crawlers should go and look for assets.

If the discovery engine detects a strong connection between a potential asset and the initial seed, the system will automatically include that asset in an organization’s “Confirmed Inventory.” As the connections to this seed are iteratively scanned, discovering third- or fourth-level connections, the system’s confidence in the ownership of any newly detected assets is lower.
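The seed-and-confidence behaviour described above can be modelled as a breadth-first walk from the seed. This is an added illustration, not Microsoft's code or algorithm: the link graph is constructed sample data, and the halving of confidence per hop, the 0.5 threshold and the names `discover` and `needs_review` are assumptions.

```python
from collections import deque

# Constructed sample graph: an edge means two assets were observed to be
# related (shared certificate, WHOIS contact, DNS record, and so on).
LINKS = {
    "example.com": ["www.example.com", "203.0.113.10"],
    "www.example.com": ["cdn.example.net"],
    "203.0.113.10": ["AS64500"],
    "cdn.example.net": ["shop.example.org"],
    "AS64500": ["example.com"],  # loops back to the seed
}

def discover(seeds, links, decay=0.5, confirm_at=0.5):
    """Walk outward from the seeds and score each asset by hop distance.

    Assumption: confidence in ownership is decay ** hops, and anything at
    or above confirm_at goes straight into the confirmed inventory.
    """
    hops = {seed: 0 for seed in seeds}
    queue = deque(seeds)
    while queue:
        asset = queue.popleft()
        for related in links.get(asset, []):
            if related not in hops:  # shortest path to an asset wins
                hops[related] = hops[asset] + 1
                queue.append(related)
    inventory = {}
    for asset, distance in hops.items():
        confidence = decay ** distance
        state = "confirmed" if confidence >= confirm_at else "candidate"
        inventory[asset] = (distance, confidence, state)
    return inventory

def needs_review(inventory):
    """Assets that were not auto-confirmed, most likely owned first."""
    pending = [(-conf, name) for name, (_, conf, state) in inventory.items()
               if state == "candidate"]
    return [name for _, name in sorted(pending)]

if __name__ == "__main__":
    result = discover(["example.com"], LINKS)
    for name, (distance, confidence, state) in sorted(result.items()):
        print(f"{name:20} hops={distance} confidence={confidence:.3f} {state}")
    print("review queue:", needs_review(result))
```

Assets two or more hops from the seed land in the review queue, which is the set you would check by hand before treating it as part of your attack surface.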

If you define custom seeds, it can take between 24 – 72 hours before data is available. Once it is available you will get a view like this

So, what kinds of assets does it discover?

  • Domains
  • Hostnames
  • Web Pages
  • IP Blocks
  • IP Addresses
  • ASNs
  • SSL Certificates
  • WHOIS Contacts

It then uses that information to do more in-depth discovery, including port scanning and vulnerability scanning.

If we go into more depth, we can see, for instance, sensitive services. Clicking on SSH, we can also get more information about the asset, like IP reputation, domain info, and services (such as SSH, VNC, and RDP), among other things.

And we can drill down on the service and get more information about the asset, such as service.

It also shows vulnerabilities related to the service and maps them to CVEs.

While the data is being collected, you only get a read-only view of it and cannot make any changes to the discovered data. It is therefore important that you look through the collected data and filter out anything that is not relevant (or no longer relevant) for your organization.

Within a workspace, you can have one or multiple organizations, but from a billing perspective, it’s easier to split it up into multiple workspaces.

It should be noted that right now, there is limited API support. The feature is more just wrapped into the Azure Portal where web calls are now going to

I hope that this will become a more native Azure service soon.


Pricing for the feature is based on assets per day. The product counts the following asset types for billing: IPs, domains, and hosts. So, if you are a small organization and only have about one hundred assets, it will not be that expensive.

As you can see here –> Microsoft Defender External Attack Surface Management – Pricing

However, if you have a lot of external assets… well, it can get quite costly. But I’m guessing that it will take the same approach as when Microsoft released Sentinel a couple of years ago, where the pricing got overhauled with different tiers once you reach a certain threshold.

I’m looking forward to when this becomes a native Azure service so it is more integrated with Sentinel and native Azure resource manager service so that we can automatically provision it and use it together with Sentinel.



