Integrating Defender EASM with Microsoft Sentinel Guide


Microsoft Defender External Attack Surface Management (EASM) provides organizations with a comprehensive view of their digital attack surfaces. It discovers known and unknown resources, from web pages to IP addresses and domains, helping prioritize risks and defend against potential threats.

Integrating Defender EASM into Microsoft Sentinel becomes essential so that you have only one platform to monitor and respond to threats. In this guide, we’ll cover all the steps to connect Defender EASM to Microsoft Sentinel to enrich an incident by looking at whether an asset in your organization is internet-connected and exposed to vulnerabilities.

Overview of Defender EASM and Its Importance

Microsoft Defender External Attack Surface Management (EASM) uses Microsoft’s crawling technology to actively scan and uncover new connections over time. It generates Attack Surface Insights by applying vulnerability and infrastructure data, revealing critical areas of concern.

The tool is essential for managing assets beyond the firewall’s protection and addressing the challenges of modern networks, including shadow IT. EASM’s dynamic inventory helps bring rogue elements under control, ensuring all assets are accounted for and managed.

Key benefits of EASM include:

  • Discovering digital assets and maintaining an always-on inventory
  • Analyzing and prioritizing risks and threats
  • Pinpointing attacker-exposed weaknesses
  • Gaining visibility into third-party attack surfaces

EASM integrates with other Microsoft solutions, enabling enriched workflows and stronger defenses. Its data connections feature allows seamless integration with platforms like Azure Log Analytics and Azure Data Explorer (ADX), enabling automatic asset data and insights export.

By providing an “external” perspective of infrastructure through continuous monitoring, EASM helps organizations take proactive steps against evolving threats. It streamlines the process of identifying, assessing, and mitigating risks across the digital landscape.

Supported Regions and Assets

Microsoft Defender EASM currently supports only 14 regions globally, including:

  • Australia East
  • Canada Central
  • Central US
  • East Asia
  • East US
  • France Central
  • Japan East
  • North Europe
  • Norway East
  • South Central US
  • Sweden Central
  • Switzerland North
  • West Europe
  • West US 3

More regions will be added in the future. Defender EASM discovers various assets relevant to an organization’s external attack surface, including:

Asset Type        Description
Domains           Registered web addresses
Hostnames         Names assigned to network devices
Web Pages         Individual pages within websites
IP Blocks         Ranges of IP addresses
IP Addresses      Unique network identifiers
ASNs              Autonomous System Numbers
SSL Certificates  Digital certificates for secure connections
WHOIS Contacts    Domain registration information

This broad spectrum of asset detection allows Defender EASM to present a thorough mapping of an organization’s external assets. The continuous scanning and re-evaluation of the attack surface ensures that the inventory remains up-to-date, capturing new additions or changes as they occur.

Prerequisites

To follow this guide, you need to have the following:

1) Azure subscription – If you don’t have an Azure subscription, you can create one here for free.

2) Log Analytics workspace – To create a new workspace, follow the instructions to create a Log Analytics workspace.

3) Enable Microsoft Sentinel at no additional cost on an Azure Monitor Log Analytics workspace for the first 31 days; follow the quick onboarding process. Once Microsoft Sentinel is enabled on your Azure Monitor Log Analytics workspace, every GB of data ingested into the workspace can be retained at no charge for 90 days. Defender EASM integration into Sentinel/Log Analytics is NOT free and will follow the official data ingestion and storage retention costs.

4) Ensure you have the required roles assigned on the resources described below:

5) A Contributor role assigned for you to create the EASM resource. New Defender EASM resources start with a 30-day trial. After the trial period, you will be automatically billed at the standard metered rate of $0.011 asset/day.

6) Data connection permissions. Defender EASM data connections do not support private links or networks (more on this below).

Assuming you have all the prerequisites in place, take the following steps:

Setting Up Defender EASM

To set up Microsoft Defender EASM, follow these steps:

1) Create a Defender EASM Azure resource:

Go to the Azure portal and search for Microsoft Defender External Attack Surface Management.

Create a new EASM resource and configure subscription, resource group, and region settings.

Create Microsoft Defender EASM Resource

2) Create a custom attack surface:

After setting up the workspace, the system searches for pre-existing attack surface information. Microsoft has preemptively configured the attack surfaces of many organizations, mapping their initial attack surface by discovering infrastructure connected to known assets.

Start attack surface discovery

If your organization is not found, you can create a new custom attack surface under “Manage” in the “Discovery” section, as shown in the figure below.

Create a custom attack surface

Next, enter “seeds“, such as domain names, IP blocks, hosts, ASNs, Whois organizations, etc. Known assets (seeds) discover connected (known and/or unknown) assets to build up the attack surface.

Enter organization information and seeds

3) Verification and confirmation:

Microsoft scans its security graph and maps your digital footprint. This process typically takes 24 to 48 hours.

Discovered assets by Microsoft Defender EASM

4) Post-scan analysis:

Review the detailed inventory of your attack surface under “General” in the ‘Inventory‘ section.

Defender EASM Inventory

5) Leverage the data:

Integrate with other tools like Azure Log Analytics and Microsoft Sentinel for enriched investigation playbooks and automated responses. This setup process helps establish a strong defense mechanism and enables continuous updating and management of your security posture (more on this in the next section).

Defender EASM Dashboards

Once the discovery is completed, we can access the Dashboards section, which provides insights into identifying unmanaged assets, assessing security posture, and evaluating compliance.

1) The Attack Surface Summary page provides insights into the core components of the attack surface (High, Medium, and Low risks), which has the same view as the Overview page.

Attack surface summary

2) The Security Posture page gives an overview of the security maturity of different configuration areas, such as CVE exposure, domain administration, hosting and networking, domain configuration, open ports, SSL configuration, and SSL organization.

Security posture

3) The GDPR Compliance page provides an overview of GDPR (EU Privacy law) compliance with public-facing web assets (websites, SSL certificates, cookies, PII, and login posture).

GDPR Compliance

4) The OWASP Top 10 page provides an overview of the top 10 web-based attacks, such as (SQL) Injection, broken access control, cryptographic failure, insecure design, security misconfiguration per asset, Identification and authentication failures, server-side request forgery, etc.

OWASP Top 10

5) The CWE Top 25 Software Weaknesses page provides the top 25 Common Weakness Enumeration (CWE) provided annually (for the last five years) by MITRE ATT&CK®. These most common and impactful software weaknesses are easy to find and exploit.

CWE Top 25 Software Weaknesses

6) The CISA known exploits page provides a list of exploits identified by the Cybersecurity & Infrastructure Security Agency (CISA) recently exploited by threat actors.

CISA Known Exploits

Configuring Data Connections

Defender EASM offers data connections to help you seamlessly integrate your attack surface data into other Microsoft solutions to supplement existing workflows with new insights. To best use your attack surface data, you must get data from Defender EASM and use it in other security tools, such as Microsoft Sentinel, for remediation purposes.

The data connector sends Defender EASM asset data to two different platforms: Log Analytics and Azure Data Explorer (ADX). You need to export Defender EASM data to either tool. Data connections are subject to the pricing model for each respective platform.

Next is configuring the Log Analytics connection to integrate Defender EASM with Microsoft Sentinel.

Integrating Defender EASM with Microsoft Sentinel

Integrating Defender EASM with Microsoft Sentinel enhances security monitoring and incident response by leveraging comprehensive attack surface data. This integration enables the creation of alerts and custom dashboards, improving threat detection capabilities. To add a data connection to Microsoft Sentinel, take the following steps:

1) Log Analytics Permissions:

  • Open the Log Analytics (Sentinel) workspace where you want to ingest your Defender EASM data.
  • On the leftmost pane, under Settings, select Agents.
  • Expand the Log Analytics agent instructions section to view your workspace ID and primary key. The next step will use these values to set up your data connection.

Configure Log Analytics permissions

2) Open Data Connections:

3) Initiate Connection:

  • Under the Log Analytics section, click Add Connection.

Add Log Analytics connection

4) Enter Connection Details:

  • Provide a name for the connection, the Workspace ID, the API Key (workspace primary or secondary key), the content type (asset data, attack surface insights, or both), and the update frequency (daily, weekly, or monthly).

5) Confirmation and Data Flow:

  • Click Add. Data will start populating into Log Analytics within about 30 minutes.

EASM | Add data connection

This setup creates a seamless data flow, enhancing threat detection and response capabilities within 30 minutes of configuration.

Query EASM Data in Microsoft Sentinel

Once the Microsoft Defender EASM data connection is connected, data from Microsoft Defender EASM is ingested into the Log Analytics workspace and is usable in Microsoft Sentinel. If we navigate to the Logs section, we can see that the following 10 custom log tables are created; each table name ends with _CL, which denotes a custom table:

  • EasmAsset_CL
  • EasmAssetBanner_CL
  • EasmAssetWebComponent_CL
  • EasmContactAsset_CL
  • EasmDomainAsset_CL
  • EasmHostAsset_CL
  • EasmIpAddressAsset_CL
  • EasmPageAsset_CL
  • EasmRisk_CL
  • EasmSslCertAsset_CL

Microsoft Defender EASM Custom Logs tables in Log Analytics

Next, we can use this information to enrich an incident. For example, when a device is involved in an incident, we can quickly see whether it is internet-connected and exposed (which ports are open, and which vulnerabilities apply?).

Custom Alerts and Dashboards

1) Create Custom Alerts:

  • In Microsoft Sentinel, go to Logs and use KQL to query Defender EASM data. Here are a couple of query examples:

The following KQL query searches for high-risk assets in Defender EASM and generates the corresponding incidents in Sentinel.

let queryperiod = 7d;
EasmRisk_CL
| where AssetLastSeen_t >= ago(queryperiod)
| where CategoryName_s == "High Severity"
| extend Rule = tostring(parse_json(AssetDiscoveryAuditTrail_s)[0].Rule)
| project TimeGenerated, AssetType_s, AssetName_s, CategoryName_s, Rule

The following KQL query looks at the “EasmAssetBanner_CL” table and shows which ports on the asset are open and reachable (inbound) from the Internet. To automate this further, you can create a playbook (Logic App) that enriches an incident with data such as Internet exposure, open ports, vulnerabilities/CVEs, etc.

let assetname = "add-here-the-asset-name";
EasmAssetBanner_CL
| where AssetType_s == "IP_ADDRESS" and AssetName_s == assetname

  • Finally, save the queries and create Microsoft Sentinel scheduled analytics rules based on them.

Query the “EasmAssetBanner_CL” table
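The enrichment step described above, as an added example that is not part of the original post: a small Python routine that answers the two incident questions (is the asset internet-exposed, and on which ports, with which high-severity insights) from rows shaped like the EasmAssetBanner_CL and EasmRisk_CL tables. The rows are constructed inline; only the column names (AssetType_s, AssetName_s, Port_d, Banner_s, CategoryName_s, MetricDisplayName_s) follow the page, the values and the CRITICAL_PORTS set (taken from alert #2 below) are assumptions. A Logic App playbook would obtain the same rows by running the KQL above against the workspace and then post the generated comment on the incident.

```python
"""Added example: enrich an incident's asset with Defender EASM exposure data.

Sample rows below are constructed to mirror the EasmAssetBanner_CL and
EasmRisk_CL column names used on this page; the values are not real data.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Mapping, Sequence

# Constructed EasmAssetBanner_CL rows (one row per observed port/banner snapshot).
BANNER_ROWS: List[Mapping] = [
    {"AssetType_s": "IP_ADDRESS", "AssetName_s": "203.0.113.10", "Port_d": 443.0,
     "Banner_s": "HTTP/1.1 200 OK Server: nginx"},
    {"AssetType_s": "IP_ADDRESS", "AssetName_s": "203.0.113.10", "Port_d": 22.0,
     "Banner_s": "SSH-2.0-OpenSSH_8.9"},
    # Repeated snapshot of the same port: must not be double-counted.
    {"AssetType_s": "IP_ADDRESS", "AssetName_s": "203.0.113.10", "Port_d": 443.0,
     "Banner_s": "HTTP/1.1 200 OK Server: nginx"},
    {"AssetType_s": "IP_ADDRESS", "AssetName_s": "203.0.113.20", "Port_d": 80.0,
     "Banner_s": "HTTP/1.1 301 Moved Permanently"},
    # Host-type row: excluded because the lookup is by IP, as in the page's query.
    {"AssetType_s": "HOST", "AssetName_s": "www.contoso.example", "Port_d": 443.0,
     "Banner_s": "HTTP/1.1 200 OK"},
]

# Constructed EasmRisk_CL rows (attack surface insights per asset).
RISK_ROWS: List[Mapping] = [
    {"AssetType_s": "IP_ADDRESS", "AssetName_s": "203.0.113.10",
     "CategoryName_s": "High Severity",
     "MetricDisplayName_s": "Outdated web server version (placeholder insight)"},
    {"AssetType_s": "IP_ADDRESS", "AssetName_s": "203.0.113.10",
     "CategoryName_s": "Low Severity",
     "MetricDisplayName_s": "Missing HTTP security header (placeholder insight)"},
]

# Ports the page's alert #2 treats as critical (SSH, RDP, MSSQL, Oracle). Assumption for this example.
CRITICAL_PORTS = {22, 3389, 1433, 1521}


@dataclass
class ExposureSummary:
    asset: str
    internet_exposed: bool
    open_ports: Dict[int, str] = field(default_factory=dict)   # port -> first banner seen
    high_severity_risks: List[str] = field(default_factory=list)

    def critical_ports_open(self, critical: Iterable[int] = CRITICAL_PORTS) -> List[int]:
        """Ports that are both exposed and on the critical list, sorted."""
        return sorted(set(self.open_ports) & set(critical))

    def as_incident_comment(self) -> str:
        """Plain-text comment a playbook could post on the Sentinel incident."""
        if not self.internet_exposed:
            return f"{self.asset}: not found in EASM banner data (no known internet exposure)."
        ports = ", ".join(f"{p} ({b.split()[0]})" for p, b in sorted(self.open_ports.items()))
        risks = "; ".join(self.high_severity_risks) or "none"
        return (f"{self.asset}: internet-exposed. Open ports: {ports}. "
                f"Critical ports: {self.critical_ports_open() or 'none'}. "
                f"High-severity insights: {risks}.")


def enrich_asset(asset_name: str,
                 banner_rows: Sequence[Mapping] = BANNER_ROWS,
                 risk_rows: Sequence[Mapping] = RISK_ROWS,
                 severities: Sequence[str] = ("High Severity",)) -> ExposureSummary:
    """Mirror the page's lookup: banner rows for AssetType_s == IP_ADDRESS and the
    given AssetName_s, plus matching risk insights at the requested severities."""
    open_ports: Dict[int, str] = {}
    for row in banner_rows:
        if row["AssetType_s"] == "IP_ADDRESS" and row["AssetName_s"] == asset_name:
            # Port_d arrives as a double in Log Analytics; normalise to int and
            # keep the first banner seen for each port.
            open_ports.setdefault(int(row["Port_d"]), row["Banner_s"])
    risks = sorted({row["MetricDisplayName_s"] for row in risk_rows
                    if row["AssetName_s"] == asset_name and row["CategoryName_s"] in severities})
    return ExposureSummary(asset_name, bool(open_ports), open_ports, risks)


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.99"):
        print(enrich_asset(ip).as_incident_comment())
```

The lookup keys on AssetType_s == "IP_ADDRESS" exactly as the page's query does, so a hostname-type asset involved in an incident would first need resolving to its IP (the EasmHostAsset_CL table carries that mapping) before enrichment.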

2) Develop Custom Dashboards:

  • Use Workbooks in Microsoft Sentinel to create visual reports.
  • Add queries that return Defender EASM data and customize visualizations.

Microsoft has developed the workbook below, which you can import directly into your Sentinel environment by clicking the “Deploy to Azure” button below.

Deploy To Azure

Create Defender EASM Workbook

Once the workbook is deployed, its charts and visuals populate with the ingested Defender EASM data snapshots.

Defender EASM Workbook

Edit or Delete a Data Connection

To edit or delete a data connection in Defender EASM, take the following steps:

  • Edit a Data Connection: Select the connection to edit, make changes, and click Save.
  • Delete a Data Connection: Select the connection and click Delete.
  • Reconnect: For disconnected connections, select and click Reconnect.

Edit or delete a data connection in Defender EASM

This integrated approach streamlines incident management and ensures a proactive stance in securing the digital landscape.

Use Cases and Benefits

Integrating Microsoft Defender EASM with Microsoft Sentinel offers several use cases that enhance an organization’s security operations:

1) Creating Alerts: Custom alerts can be set up based on asset or insight data queries. For example, alerts can be triggered for new high-severity vulnerabilities on approved inventory.

2) Generating Custom Reports: Security teams can create dashboards highlighting specific issues, such as approved hosts with expired SSL certificates.

3) Incorporating Data into Automated Workflows: EASM data can be integrated into existing SIEM and XDR solutions to enhance threat-hunting and incident response processes.

Benefits of this integration include:

  • Enhanced Situational Awareness: Continuous updates on the attack surface allow quick identification of new vulnerabilities for your assets.
  • Improved Incident Response: Custom alerts and integrated workflows enable faster and more accurate responses to threats.
  • Custom Reporting and Compliance: Specific reports can be generated to maintain compliance with regulatory standards.
  • Reduced Complexity: The integration provides a centralized platform for managing external attack surfaces.
  • Resource Optimization: Automated workflows allow security teams to focus on critical tasks rather than manual data management.

This integration combines powerful tools and actionable insights, equipping security teams to handle evolving cyber threats efficiently.

Microsoft Defender EASM Use Cases and Benefits

Microsoft Defender EASM is a crucial tool in modern cybersecurity strategies. It offers insights and defenses against evolving threats by continuously mapping and monitoring digital attack surfaces. With its ability to discover digital assets, analyze risks, and pinpoint weaknesses, Defender EASM provides an “outside-in” view that complements traditional “inside-out” security approaches.

Top 10 Microsoft Sentinel Alerts for Defender EASM

Here are some effective alerts you can set up in Microsoft Sentinel using the data provided by Defender External Attack Surface Management (EASM). These alerts focus on monitoring external-facing assets, vulnerabilities, and potential risks that can affect your organization’s security posture:

1. Newly Discovered Exposed Assets

Description: Alert when Defender EASM discovers a new asset that is exposed to the internet.
Alert Logic: Trigger when a new IP address, domain, or service is found that is not previously listed in your inventory.
Use Case: Helps track shadow IT or misconfigured assets that could increase your attack surface.
KQL: The query below will alert on any asset whose AssetFirstSeen_t falls within the last 24 hours.

let queryPeriod = 24h;
EasmAsset_CL
| where AssetFirstSeen_t >= ago(queryPeriod)
| project TimeGenerated, AssetType_s, AssetName_s, AssetFirstSeen_t

2. Publicly Accessible Critical Services

Description: Alert when critical services (e.g., RDP, SSH, DBs) are detected as publicly accessible.
Alert Logic: Identify if any services running on exposed assets should not be publicly accessible based on defined policies.
Use Case: Protects against potential unauthorized access to sensitive services.
KQL: The query below will alert when critical services (e.g., RDP, SSH, SQL, Oracle DB ports) are detected as publicly reachable in the last 24 hours. You could also use a watchlist to add all critical ports instead of adding the list of ports directly into the query.

let queryPeriod = 24h;
let criticalPorts = dynamic([22, 3389, 1433, 1521]);
EasmAssetBanner_CL
| where TimeGenerated >= ago(queryPeriod)
| where AssetType_s == "IP_ADDRESS"
| where Port_d in (criticalPorts)
| project 
    TimeGenerated,
    AssetName_s,
    Port        = Port_d,
    Service     = Banner_s,
    FirstSeen   = BannerFirstSeen_t,
    LastSeen    = BannerLastSeen_t

3. New Vulnerabilities on Exposed Assets

Description: Alert when EASM identifies vulnerabilities on externally exposed assets.
Alert Logic: Trigger when CVEs or known vulnerabilities are detected on externally facing systems.
Use Case: Helps prioritize patching or remediation efforts on high-risk, publicly exposed assets.
KQL: The query below will alert when new CVEs are detected on internet-facing assets.

let queryPeriod = 7d;
EasmRisk_CL
| where TimeGenerated >= ago(queryPeriod)
| where MetricDisplayName_s contains "CVE" or CategoryName_s contains "High Severity"
| extend ParsedAuditTrail = parse_json(AssetDiscoveryAuditTrail_s)
| where isnotempty(ParsedAuditTrail)
| mv-expand TrailItem = ParsedAuditTrail
| extend
    DiscoveryRule = tostring(TrailItem["Rule"]),
    DiscoveryAssetType = tostring(TrailItem["AssetType"]),
    DiscoveryAssetName = tostring(TrailItem["AssetName"])
| project TimeGenerated, AssetType_s, AssetName_s, CategoryDescription_s, DiscoveryRule, DiscoveryAssetType, DiscoveryAssetName

4. Expired or Soon-to-Expire Certificates

Description: Alert when an SSL/TLS certificate on an external-facing asset is expired or soon-to-expire.
Alert Logic: Trigger when certificates that are soon to expire or expired dates are found on web-facing assets.
Use Case: Ensures strong encryption is maintained and prevents man-in-the-middle attacks.
KQL: The query below will alert on certificates that are already expired or that expire soon (e.g., within the next 3 days), skipping subjects that already have a valid replacement certificate.

let nowTime = now();
let warningThreshold = nowTime + 3d;
// Certificates already expired or expiring within the warning window
let expiringOrExpiredCerts = EasmSslCertAsset_CL
| extend Expiry = todatetime(InvalidAfter_t)
| where Expiry <= warningThreshold
| project SubjectCommonNames = SubjectCommonNames_s,
          Thumbprint = Thumbprint_s,
          Expiry,
          TimeGenerated,
          SerialNumber = SerialNumber_s,
          Issuer = IssuerOrganizations_s,
          ExpiryStatus = iif(Expiry < nowTime, "Expired", "ExpiringSoon");

// Subjects that already have a valid replacement certificate beyond the warning window
let validCerts = EasmSslCertAsset_CL
| extend Expiry = todatetime(InvalidAfter_t)
| where Expiry > warningThreshold
| summarize ReplacementCount = count() by SubjectCommonNames = SubjectCommonNames_s;

// Drop expiring certificates whose subject is already covered by a valid one
expiringOrExpiredCerts
| join kind=leftanti validCerts on SubjectCommonNames
| project SubjectCommonNames, Thumbprint, SerialNumber, Expiry, ExpiryStatus, Issuer, TimeGenerated
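The same alert logic run offline, as an added example that is not part of the original post: the point worth seeing in isolation is the leftanti join, which suppresses an expired or expiring certificate when the same subject already has a replacement valid beyond the warning window. The rows are constructed to mirror the EasmSslCertAsset_CL columns the query uses (SubjectCommonNames_s, Thumbprint_s, SerialNumber_s, IssuerOrganizations_s, InvalidAfter_t); the values, the fixed clock and the timestamp format are assumptions for this example.

```python
"""Added example: certificate-expiry alert logic from alert #4, run offline.

Constructed rows mirror the EasmSslCertAsset_CL columns used on this page;
the values are made up. Dates are 'YYYY-MM-DDTHH:MM:SSZ' strings (assumption).
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Mapping, Sequence

# Fixed "now" so the example is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)

CERT_ROWS: List[Mapping] = [
    # Expired, but a valid replacement for the same name exists below -> suppressed.
    {"SubjectCommonNames_s": "www.contoso.example", "Thumbprint_s": "THUMB-A",
     "SerialNumber_s": "01", "IssuerOrganizations_s": "Example CA",
     "InvalidAfter_t": "2024-12-20T00:00:00Z"},
    {"SubjectCommonNames_s": "www.contoso.example", "Thumbprint_s": "THUMB-B",
     "SerialNumber_s": "02", "IssuerOrganizations_s": "Example CA",
     "InvalidAfter_t": "2025-11-01T00:00:00Z"},
    # Expires in two days, nothing replaces it -> ExpiringSoon.
    {"SubjectCommonNames_s": "api.contoso.example", "Thumbprint_s": "THUMB-C",
     "SerialNumber_s": "03", "IssuerOrganizations_s": "Example CA",
     "InvalidAfter_t": "2025-01-03T09:00:00Z"},
    # Long expired, nothing replaces it -> Expired.
    {"SubjectCommonNames_s": "old.contoso.example", "Thumbprint_s": "THUMB-D",
     "SerialNumber_s": "04", "IssuerOrganizations_s": "Example CA",
     "InvalidAfter_t": "2024-06-01T00:00:00Z"},
    # Healthy certificate, outside the warning window -> no alert.
    {"SubjectCommonNames_s": "shop.contoso.example", "Thumbprint_s": "THUMB-E",
     "SerialNumber_s": "05", "IssuerOrganizations_s": "Example CA",
     "InvalidAfter_t": "2025-08-01T00:00:00Z"},
]


def parse_utc(value: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form used in the constructed rows."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def certificate_alerts(rows: Sequence[Mapping], now: datetime = NOW,
                       warning_window: timedelta = timedelta(days=3)) -> List[Dict]:
    """Return one alert per expired or soon-to-expire certificate whose subject
    has no valid replacement. The 'covered' set plays the role of the KQL
    'join kind=leftanti validCerts on SubjectCommonNames' step."""
    threshold = now + warning_window
    covered = {r["SubjectCommonNames_s"] for r in rows
               if parse_utc(r["InvalidAfter_t"]) > threshold}
    alerts: List[Dict] = []
    for r in rows:
        expiry = parse_utc(r["InvalidAfter_t"])
        if expiry > threshold or r["SubjectCommonNames_s"] in covered:
            continue
        alerts.append({
            "SubjectCommonNames": r["SubjectCommonNames_s"],
            "Thumbprint": r["Thumbprint_s"],
            "SerialNumber": r["SerialNumber_s"],
            "Issuer": r["IssuerOrganizations_s"],
            "Expiry": expiry,
            "ExpiryStatus": "Expired" if expiry < now else "ExpiringSoon",
        })
    return sorted(alerts, key=lambda a: a["Expiry"])


if __name__ == "__main__":
    for alert in certificate_alerts(CERT_ROWS):
        print(f"{alert['ExpiryStatus']:12} {alert['SubjectCommonNames']:25} {alert['Expiry']:%Y-%m-%d}")
```

Note that SubjectCommonNames_s can hold several names for one certificate; the KQL and this example treat the whole field as the join key, so a replacement issued with a differently ordered name list would not suppress the alert. Splitting the field per name before the comparison is the refinement to make if that happens in your inventory.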

5. Changes in DNS Records

Description: Alert when unexpected or unauthorized changes are detected in the DNS records of your domains.
Alert Logic: Monitor for any new, removed, or modified DNS records for key domains.
Use Case: Helps identify DNS hijacking attempts or unauthorized redirections.
KQL: The query below will alert when DNS records are added/removed/modified for your domains.

let lookback = 24h;
EasmDomainAsset_CL
| where TimeGenerated >= ago(lookback)
| project TimeGenerated, Domain = Domain_s, NameServers = NameServers_s
| order by Domain asc, TimeGenerated asc
| serialize
| extend
    prevDomain        = prev(Domain),
    prevNameServers   = prev(NameServers)
| where Domain == prevDomain
  and NameServers != prevNameServers
| project
    TimeGenerated,
    Domain,
    PreviousNameServers = prevNameServers,
    CurrentNameServers  = NameServers

6. Exposed Cloud Storage or Data Repositories

Description: Alert when cloud storage (S3 buckets, Azure Blobs) or databases are publicly accessible.
Alert Logic: Identify exposed storage buckets or databases that should be private.
Use Case: Prevents data leakage or breaches due to misconfigurations.
KQL: The query below identifies standard cloud-storage endpoints by name patterns (Azure Blob, AWS S3, GCP Storage) and then joins with the banner table to confirm that HTTP/S (ports 80 or 443) is reachable (i.e., publicly accessible).

let queryPeriod = 24h;

// 1) Find any storage‐style assets in the last 24h
let StorageAssets = 
    EasmAsset_CL
    | where TimeGenerated >= ago(queryPeriod)
    | where AssetType_s in ("DOMAIN","HOSTNAME","WEB_PAGE")
    | where AssetName_s endswith ".blob.core.windows.net"
        or AssetName_s endswith ".storage.azure.com"
        or AssetName_s endswith ".s3.amazonaws.com"
        or AssetName_s matches regex @".*\.s3-[a-z0-9-]+\.amazonaws\.com"
        or AssetName_s endswith ".storage.googleapis.com"
    | project AssetName_s, AssetType_s, FirstSeen = AssetFirstSeen_t;

// 2) Confirm any of these have an open inbound HTTP/S port
StorageAssets
| join kind=inner (
    EasmAssetBanner_CL
    | where TimeGenerated >= ago(queryPeriod)
    | where Port_d in (80, 443)            // HTTP or HTTPS
        and Banner_s has_any ("HTTP","HTTPS")
    | project AssetName_s, Port = Port_d, Service = Banner_s
) on AssetName_s
| project 
    FirstSeen,
    AssetType_s, 
    AssetName_s, 
    Port, 
    Service

7. Potential Phishing or Impersonation Domains

Description: Alert when similar-looking domains (typosquatting) are detected that could be used in phishing attacks.
Alert Logic: Match newly discovered domains with known corporate domain names.
Use Case: Helps proactively defend against phishing or impersonation campaigns targeting employees or customers.
KQL: The query below will alert when newly discovered domains closely resemble corporate domains. You could also use a watchlist to add all your corporate domains instead of adding the list of domains directly into the query.

let corporateDomains = dynamic(["contoso.com","fabrikam.net"]);
let queryPeriod = 7d;

EasmDomainAsset_CL
| where TimeGenerated >= ago(queryPeriod)
| extend DomainLower = tolower(Domain_s)
| mv-expand CorpDomain = corporateDomains
| extend CorpLower = tolower(CorpDomain)
| where DomainLower != CorpLower                            // exclude exact matches
  and substring(DomainLower, 0, 3) == substring(CorpLower, 0, 3)  // same first 3 chars
  and abs(strlen(DomainLower) - strlen(CorpLower)) <= 2      // length within ±2
| project TimeGenerated, DiscoveredDomain = Domain_s, CorpDomain, 
          DiscoveredLength = strlen(DomainLower), CorpLength = strlen(CorpLower)
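The lookalike-domain check above run offline, as an added example that is not part of the original post. It goes beyond the page's heuristic (same first three characters, length within two) in two ways: it uses a Levenshtein edit distance so that substitutions and dropped or doubled characters anywhere in the name count, and it skips legitimate subdomains of your own domains, which the length-and-prefix test would otherwise report. The corporate domains are the placeholders from the query above; the discovered-domain list, the two-label "registrable part" shortcut (no public suffix list) and the distance threshold are assumptions for this example.

```python
"""Added example: lookalike-domain detection from alert #7, run offline.

The discovered-domain list is constructed; the corporate domains are the
placeholders used on the page.
"""
from typing import List, Sequence, Tuple

CORPORATE_DOMAINS = ["contoso.com", "fabrikam.net"]

# Constructed stand-in for the Domain_s column of EasmDomainAsset_CL.
DISCOVERED_DOMAINS = [
    "contoso.com",           # exact match: not a lookalike
    "mail.contoso.com",      # legitimate subdomain: not a lookalike
    "c0ntoso.com",           # digit-for-letter substitution
    "contosso.com",          # doubled letter
    "contoso.co",            # dropped TLD character
    "fabrikan.net",          # adjacent-key typo
    "contoso-login.com",     # too far for edit distance (keyword-style impersonation)
    "example.org",           # unrelated
]


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert/delete/substitute)."""
    if len(a) < len(b):
        a, b = b, a
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def registrable_part(domain: str) -> str:
    """Last two labels of the name. Assumption for this example: no public
    suffix list, so 'example.co.uk'-style names would need extra handling."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_own_domain(domain: str, corporate: str) -> bool:
    """True for the corporate domain itself and any of its subdomains."""
    d = domain.lower().rstrip(".")
    return d == corporate or d.endswith("." + corporate)


def find_lookalikes(discovered: Sequence[str],
                    corporate: Sequence[str] = CORPORATE_DOMAINS,
                    max_distance: int = 2) -> List[Tuple[str, str, int]]:
    """Return (discovered, corporate, distance) for names within max_distance
    edits of a corporate domain, excluding the corporate domains themselves
    and their subdomains."""
    hits: List[Tuple[str, str, int]] = []
    for name in discovered:
        for corp in corporate:
            corp = corp.lower()
            if is_own_domain(name, corp):
                continue
            distance = levenshtein(registrable_part(name), corp)
            if 0 < distance <= max_distance:
                hits.append((name, corp, distance))
    return hits


if __name__ == "__main__":
    for name, corp, distance in find_lookalikes(DISCOVERED_DOMAINS):
        print(f"{name:20} resembles {corp:15} (distance {distance})")
```

Edit distance alone misses names such as contoso-login.com that impersonate by adding a keyword rather than by misspelling; a second rule that flags discovered domains containing a corporate brand label as a substring covers that pattern and is a natural extension of the KQL's corporate-domain watchlist idea.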

8. High-Risk Ports Exposed to the Internet

Description: Alert when high-risk ports (e.g., 21, 23, 69, 161, 3389) are found open on internet-facing systems.
Alert Logic: Monitor for ports that are commonly used in attacks or should not be exposed.
Use Case: Prevents external attackers from exploiting misconfigured services.
KQL: The query below will alert when any high-risk ports (FTP, Telnet, TFTP, SNMP, RDP, etc.) are open inbound on internet-facing hosts. You could also use a watchlist to add and maintain all high-risk ports instead of adding the list manually into the query.

let queryPeriod = 24h;
let highRiskPorts = dynamic([21, 23, 69, 161, 3389]);

EasmAssetBanner_CL
| where TimeGenerated >= ago(queryPeriod)
| where AssetType_s == "IP_ADDRESS"     // focus on hosts
| where Port_d in (highRiskPorts)       // high-risk ports list
| project 
    TimeGenerated,
    AssetName     = AssetName_s,
    Port          = Port_d,
    Service       = Banner_s,
    FirstSeen     = BannerFirstSeen_t,
    LastSeen      = BannerLastSeen_t

9. Weak or Default Credentials Detected

Description: Alert when assets are found using default credentials or weak authentication mechanisms.
Alert Logic: Flag systems where poor password hygiene or default credentials are detected.
Use Case: Enhances security by enforcing stronger authentication practices on exposed assets.
KQL: The query below uses the EasmRisk_CL table to surface the high-severity risk insights discovered by Defender EASM.

let queryPeriod = 7d;
EasmRisk_CL
| where TimeGenerated >= ago(queryPeriod)
| where CategoryName_s =~ "High Severity"    // case-insensitive match on the High Severity category
| project 
    TimeGenerated, 
    AssetType          = AssetType_s, 
    AssetName          = AssetName_s, 
    Issue              = CategoryDescription_s,    
    DisplayName        = MetricDisplayName_s

10. Abnormal Traffic Patterns or Anomalous IP Access

Description: Alert when unusual traffic or access patterns are detected on exposed assets, such as unexpected countries or IP ranges.
Alert Logic: Correlate external data to detect anomalous access based on time, region, or IP ranges.
Use Case: Detects potential reconnaissance, brute-force attempts, or other suspicious activities.
KQL: The query below will alert on unusual source IPs or geolocations contacting exposed services. This assumes that you are ingesting firewall or NSG logs into the CommonSecurityLog table.

// 1 hour lookback ensures you’re alerted quickly when an external IP suddenly starts probing your public assets
let queryPeriod = 1h;

// 1) Get your externally‐facing asset IPs seen in the last hour
let ExposedIPs = EasmAssetBanner_CL
  | where TimeGenerated >= ago(queryPeriod)
  | where AssetType_s == "IP_ADDRESS"
  | distinct AssetName_s;

// 2) Look at your firewall/NSG logs and find traffic to those assets from outside your internal CIDRs
CommonSecurityLog
| where TimeGenerated >= ago(queryPeriod)
| where DestinationIP in (ExposedIPs)
| where not(
// Exclude private IP address ranges
    ipv4_is_in_range(SourceIP, "10.0.0.0/8") or 
    ipv4_is_in_range(SourceIP, "192.168.0.0/16") or 
    ipv4_is_in_range(SourceIP, "172.16.0.0/12")
  )
// Summarize by 15-minute bins, showing which external sources contacted which exposed assets and how many times.
| summarize Hits = count() by 
    TimeWindow = bin(TimeGenerated, 15m),
    SourceIP   = SourceIP,
    DestIP     = DestinationIP,
    DestPort   = DestinationPort,
    Protocol   = Protocol
| project TimeWindow, SourceIP, DestIP, DestPort, Protocol, Hits
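The correlation above run offline, as an added example that is not part of the original post: it reproduces the three steps of the KQL (restrict to destinations that EASM knows as exposed IPs, drop sources in the RFC 1918 ranges the way ipv4_is_in_range() does, then count hits per 15-minute bin and source/destination/port/protocol) over constructed CommonSecurityLog-style rows, and goes one step further with a simple threshold that names sources repeatedly hitting the same exposed service within one bin. The exposed-IP set, the log rows and the threshold value are assumptions for this example.

```python
"""Added example: external-source traffic summary from alert #10, run offline.

Constructed CommonSecurityLog-style rows and a constructed set of exposed
asset IPs stand in for the two tables the KQL joins; all addresses are from
the documentation ranges and the values are invented.
"""
import ipaddress
from collections import Counter
from datetime import datetime, timezone
from typing import List, Mapping, Set, Tuple

# Same private ranges the KQL excludes with ipv4_is_in_range().
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed: distinct AssetName_s values for AssetType_s == "IP_ADDRESS" in EasmAssetBanner_CL.
EXPOSED_IPS: Set[str] = {"203.0.113.10", "203.0.113.20"}

# Constructed CommonSecurityLog rows.
CSL_ROWS: List[Mapping] = [
    {"TimeGenerated": "2025-01-01T10:01:00Z", "SourceIP": "198.51.100.7", "DestinationIP": "203.0.113.10", "DestinationPort": 443, "Protocol": "TCP"},
    {"TimeGenerated": "2025-01-01T10:04:30Z", "SourceIP": "198.51.100.7", "DestinationIP": "203.0.113.10", "DestinationPort": 443, "Protocol": "TCP"},
    {"TimeGenerated": "2025-01-01T10:09:00Z", "SourceIP": "198.51.100.7", "DestinationIP": "203.0.113.10", "DestinationPort": 443, "Protocol": "TCP"},
    {"TimeGenerated": "2025-01-01T10:14:59Z", "SourceIP": "198.51.100.7", "DestinationIP": "203.0.113.10", "DestinationPort": 443, "Protocol": "TCP"},
    # Falls into the next 15-minute bin.
    {"TimeGenerated": "2025-01-01T10:16:00Z", "SourceIP": "198.51.100.7", "DestinationIP": "203.0.113.10", "DestinationPort": 443, "Protocol": "TCP"},
    # Internal source: excluded like the ipv4_is_in_range() filter.
    {"TimeGenerated": "2025-01-01T10:05:00Z", "SourceIP": "10.0.0.5", "DestinationIP": "203.0.113.10", "DestinationPort": 443, "Protocol": "TCP"},
    # Destination is not an EASM-known exposed asset: excluded by the 'in (ExposedIPs)' filter.
    {"TimeGenerated": "2025-01-01T10:05:00Z", "SourceIP": "198.51.100.9", "DestinationIP": "203.0.113.99", "DestinationPort": 22, "Protocol": "TCP"},
    # Different external source, single hit.
    {"TimeGenerated": "2025-01-01T10:07:00Z", "SourceIP": "198.51.100.9", "DestinationIP": "203.0.113.20", "DestinationPort": 80, "Protocol": "TCP"},
]

BinKey = Tuple[datetime, str, str, int, str]   # (TimeWindow, SourceIP, DestIP, DestPort, Protocol)


def is_private(ip: str) -> bool:
    """True when the address lies in one of the excluded RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def bin_start(ts: datetime, minutes: int = 15) -> datetime:
    """Floor a timestamp to the start of its bin, like KQL bin(TimeGenerated, 15m)."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)


def external_hits(rows: List[Mapping], exposed_ips: Set[str], bin_minutes: int = 15) -> "Counter[BinKey]":
    """Count hits per bin/source/destination/port/protocol from external sources
    to EASM-known exposed IPs; mirrors the KQL summarize step."""
    hits: "Counter[BinKey]" = Counter()
    for r in rows:
        if r["DestinationIP"] not in exposed_ips or is_private(r["SourceIP"]):
            continue
        ts = datetime.strptime(r["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        key: BinKey = (bin_start(ts, bin_minutes), r["SourceIP"], r["DestinationIP"],
                       int(r["DestinationPort"]), r["Protocol"])
        hits[key] += 1
    return hits


def probing_sources(hits: "Counter[BinKey]", threshold: int = 3) -> Set[str]:
    """Sources that hit one exposed asset/port at least `threshold` times in a
    single bin. The threshold is an addition beyond the page's query."""
    return {key[1] for key, count in hits.items() if count >= threshold}


if __name__ == "__main__":
    summary = external_hits(CSL_ROWS, EXPOSED_IPS)
    for (window, src, dst, port, proto), count in sorted(summary.items()):
        print(f"{window:%H:%M} {src:15} -> {dst}:{port}/{proto} hits={count}")
    print("probing:", probing_sources(summary))
```

The KQL lists every external source that touched an exposed asset, which on a public web server is most of the Internet; the threshold (or a comparison against a baseline of hits per source over the previous days) is what turns the summary into a usable scheduled analytics rule.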

By setting up these alerts in Microsoft Sentinel based on EASM data, you can better manage your external attack surface and reduce the risk of being compromised by exposed or vulnerable assets.

In Summary

Microsoft Defender External Attack Surface Management (Defender EASM) uses proprietary technology to build a dynamic inventory of your web applications, third-party dependencies, and web infrastructure. EASM combines that with the latest threat research and vulnerability intelligence to give you visibility into your organization’s security posture.

EASM is penetration testing as a service. It will find your weak spots based on the information you provide, using Microsoft’s own security services to investigate. It’s a nice service and not that expensive compared to the benefits you could get from it.

As cyber threats grow in sophistication and frequency, tools like Defender EASM become increasingly vital for organizations seeking to maintain a robust security posture in an ever-evolving digital landscape.

Thank you for reading our blog.

Please let us know in the comments section below if you have any questions or feedback.

-Charbel Nemnom-


2 thoughts on “Integrating Defender EASM with Microsoft Sentinel Guide”


  1. Hello Alex, thanks for the comment!
    Please note that I’ve added the queries for the Top 10 Alerts into the following section.
    Hope it helps! Cheers to the KQL Cafe ;-)
