articles/external-attack-surface-management/what-is-discovery.md
6 additions & 6 deletions
@@ -16,7 +16,7 @@ Microsoft Defender External Attack Surface Management (Defender EASM) relies on
16
16
17
17

18
18
19
-
Through this process, Microsoft enables organizations to proactively monitor their constantly shifting digital attack surface and identify emerging risks and policy violations as they arise. Many vulnerability programs lack visibility outside their firewall, leaving them unaware of external risks and threats—the primary source of data breaches. At the same time, digital growth continues to outpace an enterprise security team’s ability to protect it. Digital initiatives and overly common “shadow IT” lead to an expanding attack surface outside the firewall. At this pace, it is nearly impossible to validate controls, protections, and compliance requirements. Without Defender EASM, it is nearly impossible to identify and remove vulnerabilities and scanners cannot reach beyond the firewall to assess the full attack surface.
19
+
Through this process, Microsoft enables organizations to proactively monitor their constantly shifting digital attack surface and identify emerging risks and policy violations as they arise. Many vulnerability programs lack visibility outside their firewall, leaving them unaware of external risks and threats—the primary source of data breaches. At the same time, digital growth continues to outpace an enterprise security team’s ability to protect it. Digital initiatives and overly common “shadow IT” lead to an expanding attack surface outside the firewall. At this pace, it's nearly impossible to validate controls, protections, and compliance requirements. Without Defender EASM, it's nearly impossible to identify and remove vulnerabilities and scanners can't reach beyond the firewall to assess the full attack surface.
20
20
21
21
## How it works
22
22
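Review bot: The last sentence of the changed paragraph joins two independent clauses without a comma ("...identify and remove vulnerabilities and scanners can't reach beyond the firewall...") and repeats "it's nearly impossible" from the sentence directly before it. Since the line is already being touched for contractions, add the comma before "and scanners" or split it into two sentences. The same paragraph uses curly quotes around “shadow IT” while other lines in this file use straight quotes, so normalizing them here would keep the file consistent.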
@@ -48,7 +48,7 @@ Using this set of first-level connections, we can quickly derive an entirely new
48
48
49
49
## Automated versus customized attack surfaces
50
50
51
-
When first using Defender EASM, you can access a pre-built inventory for your organization to quickly kick start your workflows. From the "Getting Started" page, users can search for their organization to quickly populate their inventory based on asset connections already identified by Microsoft. It is recommended that all users search for their organization’s pre-built Attack Surface before creating a custom inventory.
51
+
When first using Defender EASM, you can access a prebuilt inventory for your organization to quickly kick start your workflows. From the "Getting Started" page, users can search for their organization to quickly populate their inventory based on asset connections already identified by Microsoft. It's recommended that all users search for their organization’s pre-built Attack Surface before creating a custom inventory.
52
52
53
53
To build a customized inventory, users create Discovery Groups to organize and manage the seeds they use when running discoveries. Separate Discovery groups allow users to automate the discovery process, configuring the seed list and recurrent run schedule.
54
54
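Review bot: The hyphenation fix is only half applied on the changed line: the first sentence now reads "prebuilt inventory" but the last sentence still says "pre-built Attack Surface". Change the second occurrence to "prebuilt" as well so the paragraph is consistent. While editing this line, "kick start" used as a verb would normally be hyphenated ("kick-start").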
@@ -62,13 +62,13 @@ For these reasons, newly discovered assets are labeled as one of the following s
62
62
63
63
| State name | Description |
64
64
|--|--|
65
-
| Approved Inventory | A part of your owned attack surface; an item that you are directly responsible for. |
65
+
| Approved Inventory | A part of your owned attack surface; an item that you're directly responsible for. |
66
66
| Dependency | Infrastructure that is owned by a third party but is part of your attack surface because it directly supports the operation of your owned assets. For example, you might depend on an IT provider to host your web content. While the domain, hostname, and pages would be part of your "Approved Inventory," you may wish to treat the IP Address running the host as a “Dependency.” |
67
67
| Monitor Only | An asset that is relevant to your attack surface but is neither directly controlled nor a technical dependency. For example, independent franchisees or assets belonging to related companies might be labeled as “Monitor Only” rather than "Approved Inventory" to separate the groups for reporting purposes. |
68
-
| Candidate | An asset that has some relationship to your organization's known seed assets but does not have a strong enough connection to immediately label it as “Approved Inventory.” These candidate assets must be manually reviewed to determine ownership. |
69
-
| Requires Investigation | A state similar to the "Candidate" states, but this value is applied to assets that require manual investigation to validate. This is determined based on our internally generated confidence scores that assess the strength of detected connections between assets. It does not indicate the infrastructure's exact relationship to the organization as much as it denotes that this asset has been flagged as requiring additional review to determine how it should be categorized. |
68
+
| Candidate | An asset that has some relationship to your organization's known seed assets but doesn't have a strong enough connection to immediately label it as “Approved Inventory.” These candidate assets must be manually reviewed to determine ownership. |
69
+
| Requires Investigation | A state similar to the "Candidate" states, but this value is applied to assets that require manual investigation to validate. This is determined based on our internally generated confidence scores that assess the strength of detected connections between assets. It doesn't indicate the infrastructure's exact relationship to the organization as much as it denotes that this asset has been flagged as requiring additional review to determine how it should be categorized. |
70
70
71
-
When reviewing assets, it is recommended that you start with the assets labeled with "Requires Investigation." Asset details are continuously refreshed and updated over time to maintain an accurate map of asset states and relationships, as well as to uncover newly created assets as they emerge. The discovery process is managed by placing seeds in Discovery Groups that can be scheduled to rerun on a recurrent basis. Once an inventory is populated, the Defender EASM system continuously scans your assets with Microsoft’s virtual user technology to uncover fresh, detailed data about each one. This process examines the content and behavior of each page within applicable sites to provide robust information that can be used to identify vulnerabilities, compliance issues and other potential risks to your organization.
71
+
When reviewing assets, it's recommended that you start with the assets labeled with "Requires Investigation." Asset details are continuously refreshed and updated over time to maintain an accurate map of asset states and relationships, as well as to uncover newly created assets as they emerge. The discovery process is managed by placing seeds in Discovery Groups that can be scheduled to rerun on a recurrent basis. Once an inventory is populated, the Defender EASM system continuously scans your assets with Microsoft’s virtual user technology to uncover fresh, detailed data about each one. This process examines the content and behavior of each page within applicable sites to provide robust information that can be used to identify vulnerabilities, compliance issues, and other potential risks to your organization.
72
72
73
73
## Next steps
74
74
-[Deploying the EASM Azure resource](deploying-the-defender-easm-azure-resource.md)
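Review bot: In the rewritten "Requires Investigation" row, the text still reads 'A state similar to the "Candidate" states', where the plural "states" should be "state" because it refers to the single Candidate state defined in the row above. The changed "Candidate" row also mixes curly quotes (“Approved Inventory.”) with the straight quotes used for "Candidate" and "Requires Investigation" in the neighbouring lines; pick one style for state names across the table, since readers match these labels against what the product shows.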