Microsoft Defender External Attack Surface Management
Microsoft Defender External Attack Surface Management (EASM) discovers, monitors, and manages your external-facing assets and attack surface. You can bring asset, vulnerability observation, and security data from Defender EASM into Brinqa to gain comprehensive visibility into your organization's external exposure and strengthen your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Microsoft Defender External Attack Surface Management and how to obtain that information from Microsoft. See create a data integration for step-by-step instructions on setting up the integration.
Connection settings
When setting up a data integration, select Microsoft Defender External Attack Surface Management (Microsoft Defender for EASM) from the Connector dropdown. If you cannot find the connector in the dropdown, make sure that you have installed it first. You must provide the following information to authenticate Microsoft Defender External Attack Surface Management with Brinqa:
- Server: The EASM server endpoint. For example, centralus.easm.defender.microsoft.com. Required.
- Subscription ID: The Azure Subscription ID associated with the Defender EASM resource. Required.
- Resource group name: The Azure Resource group where the Defender EASM workspace is located. Required.
- Workspace name: The name of the Defender EASM workspace. Required.
- Login URL: The Microsoft Azure authentication URL. The default URL is https://login.microsoftonline.com.
- Client ID: The client ID associated with the service principal, which must have permissions to log in to Microsoft Azure Active Directory (Active AD) and access the Defender EASM API. Required.
- Client secret: The client secret associated with the service principal. Required.
- Tenant ID: The unique identifier for the Active AD tenant associated with the service principal. Required.
The API URL is automatically computed from the Server, Subscription ID, Resource group name, and Workspace name fields. You do not need to enter it manually.
Register a Microsoft Azure application
You must create a new application for the Microsoft Defender External Attack Surface Management connector to authenticate with Azure AD and access the Defender EASM APIs. To register an application in your Azure AD tenant, follow these steps:
- Log in to your Microsoft Azure Portal as an administrator.
- Navigate to and click Microsoft Entra ID.
- On the left-hand side of the page, click App registrations, and then click New registration.
- Give your new application a name, select the supported account types, and provide an optional Redirect URI. If you do not have a redirect URI, you can leave the field as is.
- Click Register.
For additional details about registering an application in Azure AD and creating a service principal, see Microsoft Azure documentation.
Obtain Microsoft Azure credentials
After you have created your new Microsoft Azure application, your client and tenant ID display. Copy the Application (client) ID and Directory (tenant) ID.

To obtain your client secret, follow these steps:
- Click Certificates & secrets and then click New client secret.
- Provide a description, set an expiry date, and then click Add.
The new client secret displays. You cannot view the client secret again. There is both a Value and Secret ID. The Value field is what is needed for authentication. Copy the Value field and save it in a secure location.

Assign permissions
After you have created your new Microsoft Azure application and obtained the authentication credentials, you must assign the required permissions for the application to access your Defender EASM data. To do so, follow these steps:
- Navigate to API permissions > Add a permission > APIs my organization uses and search for EASM API.
- Click Application permissions, grant the following permission, and then click Add permissions:
  - EASM: user_impersonation (or equivalent read access)
- Click Grant admin consent for default directory, and then click Yes in the confirmation dialog.
The Defender EASM API uses the scope https://easm.defender.microsoft.com/.default for authentication. Ensure the application has the appropriate permissions assigned. For additional information, see Microsoft EASM documentation.
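A preflight check for the connection settings above, as an added example that is not Brinqa's or Microsoft's code: it rejects values that would send the client secret or bearer token to the wrong host, catches a Secret ID pasted in place of the Value, and builds the client-credentials token request with the scope stated on this page. The function names are hypothetical, the token path is the standard Microsoft identity platform v2.0 endpoint, and the API URL layout in `api_base` is an assumption, since the page does not show the computed URL.

```python
import re
from urllib.parse import quote, urlencode, urlsplit

GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
SERVER = re.compile(r"[a-z0-9-]+\.easm\.defender\.microsoft\.com")
SCOPE = "https://easm.defender.microsoft.com/.default"  # scope stated on this page

# Constructed sample values; none of them identify a real tenant or secret.
SAMPLE = {
    "server": "centralus.easm.defender.microsoft.com",
    "subscription_id": "11111111-2222-3333-4444-555555555555",
    "resource_group": "rg-easm",
    "workspace": "easm-prod",
    "login_url": "https://login.microsoftonline.com",
    "client_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "client_secret": "constructed.Secret~Value-0123456789",
    "tenant_id": "99999999-8888-7777-6666-555555555555",
}


def validate(cfg):
    """Return a list of problems; an empty list means the settings pass."""
    problems = []
    # The bearer token is sent to Server, so accept only a bare EASM host name.
    if not SERVER.fullmatch(cfg.get("server", "")):
        problems.append("server: expected <region>.easm.defender.microsoft.com")
    for key in ("subscription_id", "client_id", "tenant_id"):
        if not GUID.fullmatch(cfg.get(key, "")):
            problems.append(key + ": not a GUID")
    for key in ("resource_group", "workspace"):
        if not cfg.get(key):
            problems.append(key + ": required")
    secret = cfg.get("client_secret", "")
    if not secret:
        problems.append("client_secret: required")
    elif GUID.fullmatch(secret):
        # The portal's Secret ID is a GUID; the Value is what authenticates.
        problems.append("client_secret: looks like the Secret ID, not the Value")
    # The client secret is posted to Login URL: require a bare HTTPS origin.
    login = urlsplit(cfg.get("login_url", ""))
    if (login.scheme != "https" or not login.hostname or login.username
            or login.path not in ("", "/") or login.query or login.fragment):
        problems.append("login_url: must be a bare https:// origin")
    return problems


def token_request(cfg):
    """URL and form body of the OAuth 2.0 client-credentials token request."""
    url = "{}/{}/oauth2/v2.0/token".format(cfg["login_url"].rstrip("/"), cfg["tenant_id"])
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": cfg["client_id"],
        "client_secret": cfg["client_secret"],
        "scope": SCOPE,
    })
    return url, body


def api_base(cfg):
    """Assumed API URL layout built from the four fields the page names."""
    return "https://{}/subscriptions/{}/resourceGroups/{}/workspaces/{}".format(
        cfg["server"], cfg["subscription_id"],
        quote(cfg["resource_group"], safe=""), quote(cfg["workspace"], safe=""))
```

Run `validate` before saving the integration, and keep the form body returned by `token_request` out of logs because it contains the client secret.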
Additional settings
The Microsoft Defender External Attack Surface Management connector contains additional options for specific configuration:
- Maximum retries: The maximum number of times that the integration attempts to connect to the Defender EASM API before giving up and reporting a failure. The default setting is 5.
- Page size: The number of records to fetch per API call. The maximum and default setting is 100.
- Parallel requests: The maximum number of parallel API requests the connector uses for fetching observations. The default setting is the minimum of 4 and the number of available processors.
- Fetch connected assets: When enabled, the connector makes additional API calls to fetch connected asset relationships for each asset during sync. This provides richer relationship data but increases API usage and sync time. The default setting is disabled.
Types of data to retrieve
The Microsoft Defender External Attack Surface Management connector can retrieve the following types of data from the Defender EASM API:
Table 1: Data retrieved from Microsoft Defender External Attack Surface Management
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| ASN | Yes | Network |
| Contact | Yes | Person |
| Domain | Yes | Site |
| Host | Yes | Host |
| IPAddress | Yes | Host |
| IPBlock | Yes | IP Range |
| Page | Yes | Site |
| SSLCertificate | Yes | Site Certificate |
| Observation | Yes | Vulnerability |
| ObservationDefinition | Yes | Vulnerability Definition |
For detailed steps on how to view the data retrieved from Microsoft Defender External Attack Surface Management in the Brinqa Platform, see How to view your data.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
ASN
Table 2: ASN attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| assetResource.uuid | uid |
| assetResource.name | name |
| assetResource.state | sourceStatus, providerStatus |
| assetResource.asset.firstSeen | firstSeen |
| assetResource.asset.lastSeen | lastSeen |
| assetResource.createdDate | sourceCreatedDate |
| assetResource.updatedDate | sourceLastModified |
| assetResource.externalId | externalId |
| assetResource.discoGroupName | discoveredGroupName |
| assetResource.labels | tags |
| connectedAssets | connectedAsset |
| asnResource.asn | asn |
| asnResource.registries | registries |
| asnResource.organizationIds | organizationIds |
| ASSET_CATEGORY_NETWORK | categories |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Contact
Table 3: Contact attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| assetResource.uuid | uid |
| assetResource.name | name |
| assetResource.state | sourceStatus, providerStatus |
| assetResource.asset.firstSeen | firstSeen |
| assetResource.asset.lastSeen | lastSeen |
| assetResource.createdDate | sourceCreatedDate |
| assetResource.updatedDate | sourceLastModified |
| assetResource.externalId | externalId |
| assetResource.discoGroupName | discoveredGroupName |
| assetResource.labels | tags |
| connectedAssets | connectedAsset |
| contactResource.names | names |
| contactResource.organizations | organizations |
| contactResource.email | emails |
| ASSET_CATEGORY_PERSON | categories |
Domain
Table 4: Domain attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| assetResource.uuid | uid |
| assetResource.name | name |
| assetResource.state | sourceStatus, providerStatus |
| assetResource.asset.firstSeen | firstSeen |
| assetResource.asset.lastSeen | lastSeen |
| assetResource.createdDate | sourceCreatedDate |
| assetResource.updatedDate | sourceLastModified |
| assetResource.externalId | externalId |
| assetResource.discoGroupName | discoveredGroupName |
| assetResource.labels | tags |
| connectedAssets | connectedAsset |
| assetResource.asset.locations | cities, countries, states |
| domainResource.registrantNames | whoisNames |
| domainResource.registrantContacts | whoisEmails |
| domainResource.registrantOrgs | whoisOrganizations |
| domainResource.whoisServers | whoisServers |
| domainResource.registrarNames | registrars |
| domainResource.nameServers | nameServers |
| domainResource.mailServers | mailServers |
| domainResource.registrantPhones | whoisContacts |
| ASSET_CATEGORY_DOMAIN | categories |
Host
Table 5: Host attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| assetResource.uuid | uid |
| assetResource.name | name |
| assetResource.state | sourceStatus, providerStatus |
| assetResource.asset.firstSeen | firstSeen |
| assetResource.asset.lastSeen | lastSeen |
| assetResource.createdDate | sourceCreatedDate |
| assetResource.updatedDate | sourceLastModified |
| assetResource.externalId | externalId |
| assetResource.discoGroupName | discoveredGroupName |
| assetResource.labels | tags |
| connectedAssets | connectedAsset |
| hostResource.location | cities, countries, states |
| hostResource.ipAddresses | ipAddresses, publicIpAddresses, privateIpAddresses |
| hostResource.cnames | cnames |
| hostResource.asns | asns |
| hostResource.ipBlocks | ipblocks |
| hostResource.sslCerts | sslcertSubjectCommonNames, sslcertSha1 |
| hostResource.webComponents | webcomponentNames, webcomponentCategories, webcomponentVersions |
| hostResource.resourceUrls | resourceUrls, resourceHosts |
| hostResource.attributes | trackerTypes, trackerValues |
| domainAsset (WHOIS data) | whoisNames, whoisEmails, whoisOrganizations, whoisServers, whoisContacts, registrars, nameServers, mailServers |
| ASSET_CATEGORY_HOST | categories |
IPAddress
Table 6: IPAddress attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| assetResource.uuid | uid |
| assetResource.name | name |
| assetResource.state | sourceStatus, providerStatus |
| assetResource.asset.firstSeen | firstSeen |
| assetResource.asset.lastSeen | lastSeen |
| assetResource.createdDate | sourceCreatedDate |
| assetResource.updatedDate | sourceLastModified |
| assetResource.externalId | externalId |
| assetResource.discoGroupName | discoveredGroupName |
| assetResource.labels | tags |
| connectedAssets | connectedAsset |
| assetResource.asset.locations | cities, countries, states |
| ipAddressResource.ipAddress | ipAddress |
| ipAddressResource.sslCerts | sslcertSubjectCommonNames, sslcertSha1 |
| ipAddressResource.webComponents | webcomponentNames, webcomponentCategories, webcomponentVersions |
| ipAddressResource.attributes | trackerTypes, trackerValues |
| ipAddressResource.netRanges | networkRanges |
| ASSET_CATEGORY_HOST | categories |
IPBlock
Table 7: IPBlock attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| assetResource.uuid | uid |
| assetResource.name | name |
| assetResource.state | sourceStatus, providerStatus |
| assetResource.asset.firstSeen | firstSeen |
| assetResource.asset.lastSeen | lastSeen |
| assetResource.createdDate | sourceCreatedDate |
| assetResource.updatedDate | sourceLastModified |
| assetResource.externalId | externalId |
| assetResource.discoGroupName | discoveredGroupName |
| assetResource.labels | tags |
| connectedAssets | connectedAsset |
| assetResource.asset.locations | cities, countries, states |
| ipBlockResource.ipBlock | ipblock |
| ipBlockResource.startIp | startIp |
| ipBlockResource.endIp | endIp |
| ipBlockResource.netRanges | networkRanges |
| ipBlockResource.netNames | networkNames |
| ASSET_CATEGORY_NETWORK | categories |
Page
Table 8: Page attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| assetResource.uuid | uid |
| assetResource.name | name |
| assetResource.state | sourceStatus, providerStatus |
| assetResource.asset.firstSeen | firstSeen |
| assetResource.asset.lastSeen | lastSeen |
| assetResource.createdDate | sourceCreatedDate |
| assetResource.updatedDate | sourceLastModified |
| assetResource.externalId | externalId |
| assetResource.discoGroupName | discoveredGroupName |
| assetResource.labels | tags |
| connectedAssets | connectedAsset |
| pageResource.location | cities, countries, states |
| pageResource.url | url |
| pageResource.titles | titles |
| pageResource.responseCodes | responseCodes |
| pageResource.finalUrls | finalUrls |
| pageResource.finalResponseCodes | finalResponseCodes |
| pageResource.responseTimes | responseTimes |
| pageResource.charsets | charsets |
| pageResource.frameworks | frameworks |
| pageResource.sslCerts | sslcertSubjectCommonNames, sslcertSha1 |
| pageResource.webComponents | webcomponentNames, webcomponentCategories, webcomponentVersions |
| pageResource.securityPolicies | securityPolicyNames, securityPolicyTypes |
| ASSET_CATEGORY_DOMAIN | categories |
SSLCertificate
Table 9: SSLCertificate attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| assetResource.uuid | uid |
| assetResource.name | name |
| assetResource.state | sourceStatus, providerStatus |
| assetResource.asset.firstSeen | firstSeen |
| assetResource.asset.lastSeen | lastSeen |
| assetResource.createdDate | sourceCreatedDate |
| assetResource.updatedDate | sourceLastModified |
| assetResource.externalId | externalId |
| assetResource.discoGroupName | discoveredGroupName |
| assetResource.labels | tags |
| connectedAssets | connectedAsset |
| assetResource.asset.locations | cities, countries, states |
| sslCertResource.serialNumber | serialNumber |
| sslCertResource.invalidBefore | certificateIssued |
| sslCertResource.invalidAfter | certificateExpired |
| sslCertResource.version | sslVersion |
| sslCertResource.keyAlgorithm | certificateKeyAlgorithm |
| sslCertResource.keySize | certificateKeySize |
| sslCertResource.sigAlgName | signatureAlgorithm |
| sslCertResource.sigAlgOid | signatureAlgorithmOid |
| sslCertResource.selfSigned | selfSigned |
| sslCertResource.subjectCommonNames | subjectCommonNames |
| sslCertResource.subjectAlternativeNames | subjectAlternateNames |
| sslCertResource.subjectOrganizations | subjectOrganizationNames |
| sslCertResource.subjectOrganizationUnits | subjectOrganizationUnits |
| sslCertResource.subjectLocality | subjectLocality |
| sslCertResource.subjectCountry | subjectCountry |
| sslCertResource.subjectState | subjectState |
| sslCertResource.issuerCommonNames | issuerCommonNames |
| sslCertResource.issuerAlternativeNames | issuerAlternateNames |
| sslCertResource.issuerOrganizations | issuerOrganizationNames |
| sslCertResource.issuerOrganizationUnits | issuerOrganizationUnits |
| sslCertResource.issuerLocality | issuerLocality |
| sslCertResource.issuerCountry | issuerCountry |
| sslCertResource.issuerState | issuerState |
| ASSET_CATEGORY_CERTIFICATE | categories |
Observation
Table 10: Observation attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| MD5(name + priority + observationType) | uid |
| observationResource.name | name |
| assetResource.uuid | targets |
| MD5(name + priority + observationType) | type |
| observationResource.remediationState | status, providerStatus, sourceStatus |
| observationResource.priority | severity, sourceSeverity |
| observationResource.description | description |
| observationResource.types | observationType |
| assetResource.kind | assetKind |
ObservationDefinition
Table 11: ObservationDefinition attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| MD5(name + priority + observationType) | uid |
| observationResource.name | name |
| observationResource.description | description |
| observationResource.priority | severity, sourceSeverity, severityScore |
| observationResource.cvssScoreV2 | cvssV2BaseScore |
| observationResource.cvssScoreV3 | cvssV3BaseScore |
| observationResource.remediationSource | remediationSource |
| observationType | categories, observationType |
| assetResource.labels | tags |
| cve.name | cveIds, cveRecords |
| cve.cweId | cweId, weaknesses |
| cve.cvss3Summary | CVSS v3 vector metrics |
Operation options
The Microsoft Defender External Attack Surface Management connector supports the following operation options. See connector operation options for information about how to apply them.
Click the sections below to view the supported operation options per connector object.
All Asset Models (Domain, Host, IPAddress, IPBlock, SSLCertificate, Page, ASN, Contact)
Table 12: Asset model operation options
| Connector Object | Option | All Possible Values | Description | Example |
|---|---|---|---|---|
| All asset models | state | Any asset state value (e.g., confirmed, candidateInvestigate, candidate, associatedThirdparty, associatedPartner, dismissed) | Filter assets by their state in Defender EASM. Only assets matching the specified state are retrieved. | Key: state Value: confirmed. This key and value combination only retrieves assets in the confirmed state. |
| All asset models | discoGroup | Any discovery group name | Filter assets by their discovery group name. Only assets belonging to the specified discovery group are retrieved. | Key: discoGroup Value: My Discovery Group. This key and value combination only retrieves assets that belong to the "My Discovery Group" discovery group. |
Observation and ObservationDefinition
Table 13: Observation and ObservationDefinition operation options
| Connector Object | Option | All Possible Values | Description | Example |
|---|---|---|---|---|
| Observation, ObservationDefinition | state | Any asset state value | Filter the underlying assets whose observations are retrieved. Only observations for assets matching the specified state are included. | Key: state Value: confirmed. This key and value combination only retrieves observations for assets in the confirmed state. |
| Observation, ObservationDefinition | discoGroup | Any discovery group name | Filter the underlying assets by discovery group name. Only observations for assets belonging to the specified group are included. | Key: discoGroup Value: My Discovery Group. This key and value combination only retrieves observations for assets in the specified discovery group. |
The option keys and values are case-sensitive. Enter them exactly as they are shown in this documentation.
Synchronization types
When using the Microsoft Defender External Attack Surface Management connector, it's important to understand the different sync interval types available:
- Beginning of Time (BoT): BoT syncs comprehensively pull all available data from your Defender EASM workspace, as specified by your integration configuration. You should use a BoT sync for initial setups or complete data refreshes.
- Delta: Delta syncs retrieve only the data that has changed since your last sync. You should use delta syncs after running an initial BoT sync for regular updates, capturing new or updated assets and observations without reprocessing all historical data.
The EASM connector supports resumable synchronization. If a sync is interrupted, it resumes from the last successfully processed cursor position rather than restarting from the beginning. This is managed via a local key-value store that tracks pagination state per asset kind.
APIs
The Microsoft Defender External Attack Surface Management connector uses the Microsoft Defender EASM REST API. Specifically, it uses the following endpoints:
Table 14: Microsoft Defender External Attack Surface Management API Endpoints
| Connector Object | API Endpoints |
|---|---|
| ASN | GET /assets?filter=kind="as" |
| Contact | GET /assets?filter=kind="contact" |
| Domain | GET /assets?filter=kind="domain" |
| Host | GET /assets?filter=kind="host" |
| IPAddress | GET /assets?filter=kind="ipAddress" |
| IPBlock | GET /assets?filter=kind="ipBlock" |
| Page | GET /assets?filter=kind="page" |
| SSLCertificate | GET /assets?filter=kind="sslCert" |
| Observation | POST /assets/{assetId}:getObservations |
| ObservationDefinition | POST /assets/{assetId}:getObservations |
Changelog
The Microsoft Defender External Attack Surface Management connector has undergone the following changes:
This connector is part of a bundled release with other connectors from the same vendor. If a version shows "No change", it means that the connector version was updated for consistency as part of the bundle, but no functional changes were made to this specific connector. You can update to or skip this version without affecting your existing configuration.
Table 15: Microsoft Defender External Attack Surface Management connector changelog
| Version | Description | Date Published |
|---|---|---|
| 3.5.4 | Initial Integration+ release of the Defender EASM connector. Supports 8 asset models (Domain, Host, IPAddress, IPBlock, SSLCertificate, Page, ASN, Contact), Observation (vulnerability) model, and ObservationDefinition (vulnerability definition) model. Includes configurable state and discoGroup operation options, parallelized observation fetching, and resumable cursor-based sync. | May 27th, 2026 |