Introduction into Microsoft Defender EASM (External Attack Surface Management)

  • Domains (e.g. &| hosts (e.g. &| webpages (e.g.
  • IP-address (e.g. &| IP-blocks (e.g.
  • WHOIS registrant (e.g.
  • ASNs (Autonomous System Numbers e.g. 3598)
  • SSL Certificates

Discovery Chain



1) Create an EASM Instance

  • Subscription & Resource group (requires the Contributor role)
  • Instance Name
  • Region (EASM is only available, at the time of writing, in the following regions: South Central US, West US 3, East US, East Asia, Sweden Central, Australia East, Japan East)

2) Search or create an attack surface


  • approved is part of the attack surface (owned asset)
  • dependency is part of the attack surface (third party asset)
  • monitor only relevant asset but not directly owned not a technical dependancy
  • candidate & requires investigation requires manual validation / approval to change the state to approved


Attack Surface Summary

Security Posture

  • CVE exposure (web site vulnerabilities)
  • Domains administration (WHOIS)
  • Hosting and networking (ASN information)
  • Domains configuration (domain name status codes)
  • Open ports (114 ports are scanned on a weekly basis)
  • SSL configuration (e.g. expiration or outdated algorithms)

GDPR Compliance

OWASP Top 10

Integration with XDR & SIEM



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store