Connect Microsoft Defender EASM to Microsoft Sentinel for Incident enrichment

Derk van der Woude
Mar 26, 2023


Microsoft Defender EASM (External Attack Surface Management) is Microsoft's pre-firewall CSPM (Cloud Security Posture Management) tool. It is one of the two products that came out of the RiskIQ acquisition; the second is MDTI (Microsoft Defender Threat Intelligence). The tool discovers and classifies vulnerabilities of external (internet-connected) resources such as IP addresses, domains, hosts, etc.

MDEASM Setup

The setup of Microsoft Defender EASM for an organization is very simple:

  1. Create a Microsoft Defender EASM resource (30-day free trial for each MDEASM resource).
  2. Search for a pre-populated attack surface (organization).
  3. If your organization is not found, create a new organization via Create a custom attack surface (organization) and add Seeds (organization name, domain(s), IP(s), host(s), etc.).

A custom attack surface takes ~24–48 hours to build (scan the security graph and inspect the discovered assets).

MDEASM Usage

The Microsoft Defender EASM portal opens on the Overview page.

General

The General section provides an overview (inventory) of all assets, their Type/Kind, State (Approved inventory*, Candidate, Dependency, Monitor only and Requires investigation), Labels (Preview, see the Manage chapter) and additional data.

*Approved inventory assets are the only billable assets (hosts, domains and IP addresses).

Dashboards

The Dashboards section provides four dashboards with different insights into the classified risks and vulnerabilities of the seeds and discovered assets.

  • Attack Surface Summary provides insights into the core components of the attack surface (High, Medium and Low risks), the same view as the Overview page.
  • Security Posture provides an overview of the security maturity of different configuration areas.
  • GDPR Compliance provides an overview of GDPR (EU privacy law) compliance of public-facing web assets (websites, SSL certificates, cookie and login posture).
  • OWASP Top 10 provides an overview, per asset, of the OWASP Top 10 web-based attack classes such as (SQL) injection, broken access control, security misconfiguration, etc.

Manage

Manage is the section for the management of Microsoft Defender EASM.

  • Discovery is an overview of the Discovery Groups (collections of seeds), Seeds and Exclusions. The seeds and discovered assets are visible in the Inventory section. An inventory is built from the seeds and all discovered (connected) assets; see the example of a discovery chain below.
  • Labels are tags which can be used in the Inventory section to categorize (filter) a set of assets.
  • Billable Assets is an overview of the Approved assets (hosts, domains and IP addresses) that are charged after the first 30 days ($0.011 per asset per day).
  • Data Connections provides the option to connect Microsoft Defender EASM to Log Analytics (Microsoft Sentinel) or Azure Data Explorer. To connect Log Analytics:
  1. (Optional) Create a Log Analytics workspace.
  2. In the Log Analytics workspace, select Access Control (IAM) and add a role assignment with the role Contributor and the member EASM API.
  3. Select Settings -> Agents and expand Log Analytics agent instructions. Write down the <WorkspaceID> and <ApiKey>.
  4. Add a connection in Microsoft Defender EASM -> Data Connections, using the connection string format WorkspaceId=<WorkspaceId>;ApiKey=<ApiKey>.

Microsoft Sentinel

When the Microsoft Defender EASM Data Connection is connected, data from Microsoft Defender EASM is ingested into the Log Analytics workspace and becomes usable in Microsoft Sentinel. In the Logs section the following custom log tables are available:

  • EasmAssetBanner_CL
  • EasmAssetWebComponent_CL
  • EasmDomainAsset_CL
  • EasmHostAsset_CL
  • EasmIPAddressAsset_CL
  • EasmPageAsset_CL
  • EasmSslCertAsset_CL

We can use this information to enrich an incident. For example, when there is an incident involving a device, we can quickly see whether the device is internet-connected and exposed (which ports are open, and which vulnerabilities are present?).

The EasmAssetBanner_CL table shows which ports are open and reachable (inbound) from the internet. To automate things even further, a playbook can be created to enrich an incident with data such as: internet exposed (yes/no), open ports, vulnerabilities/CVEs, etc. (see the example below).
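The KQL below is an added example of the enrichment lookup such a playbook could run against the ingested Easm*_CL tables; it is not part of the original post or the Microsoft EASM solutions. The column names (AssetName_s, Port_d, Protocol_s, Cves_s) and the target values are assumptions and constructed samples: check the real schema of your tables with `EasmAssetBanner_CL | getschema` before using it.

```kql
// Added example: enrich incident entities (hostnames or IPs) with EASM exposure data.
// ASSUMPTION: AssetName_s, Port_d, Protocol_s and Cves_s are placeholder column names;
// verify them against your workspace with `EasmAssetBanner_CL | getschema`.
let target = dynamic(["203.0.113.10", "web01.example.com"]); // constructed sample entities from the incident
let lookback = 7d;
// 1. Open (inbound) ports seen by EASM for the entity, taken from banner data
let openPorts = EasmAssetBanner_CL
    | where TimeGenerated > ago(lookback)
    | where AssetName_s in~ (target)
    | summarize OpenPorts = make_set(Port_d),
                Services  = make_set(Protocol_s),
                LastSeen  = max(TimeGenerated) by AssetName_s;
// 2. CVEs attributed to the host asset
let cves = EasmHostAsset_CL
    | where TimeGenerated > ago(lookback)
    | where AssetName_s in~ (target)
    | summarize Cves = make_set(Cves_s) by AssetName_s;
// 3. One row per exposed entity; an entity absent from the banner table is not internet-exposed
openPorts
| join kind=leftouter cves on AssetName_s
| extend InternetExposed = array_length(OpenPorts) > 0
| project AssetName_s, InternetExposed, OpenPorts, Services, Cves, LastSeen
```

In a Logic Apps playbook the query can be executed with the Azure Monitor Logs action "Run query and list results" and the resulting rows added to the incident as a comment or tags.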

For more detail on the new EASM data connections, see https://techcommunity.microsoft.com/t5/microsoft-defender-external/data-connectors-for-azure-log-analytics-and-data-explorer-now-in/ba-p/3776898.

The Microsoft Defender EASM GitHub contains interesting solutions for automation.
