Microsoft Defender EASM’s assets endpoint enables discovery and monitoring of internet-facing assets like domains, IPs, and certificates. It supports filtering, enrichment, and relationship mapping to help identify exposure, shadow IT, and attack vectors.  Refer to Microsoft Defender EASM official documentation for more information.

Integration Method: API

Tables: Device Inventory Info (5001), Web Resources Activity (6001), Vulnerability Finding (2002), User Inventory Info (5003)

This integration supports the following events.

This integration supports the following versions.

Note:

Microsoft Defender EASM is a continuously updated cloud service. As of this document preparation, the latest release was in October 2024.

Prerequisites

• The user must have access to the Azure portal with an account that has the Global Administrator privilege.

• The user should have access to the DataBee console.

Configuration Overview

1. Create an application with required permission to fetch the data.

2. Add the Microsoft Defender EASM data feed in the DataBee console with the below parameters.

   DataBee Parameter	Microsoft Defender EASM Parameter
   Client Key	Application (client) ID
   Client Secret	Client Secret Value
   Token URL (<application_id>)	Directory (tenant) ID
   Subscription ID	subscriptionId
   Resource Group Name	Resource Group Name
   Workspace Name	Workspace Name

Microsoft Defender EASM Configuration

Create an application

1. Log on to Azure with a user account that has the Global Administrator privilege.

2. In the search bar, search for App Registrations and select it.
    

3. On the “App registrations” page click on New registration, the “Register an application” window will appear.
    

4. On the “Register an application” window:

   1. Under ‘Name’ enter your Application Name then click on Register to create the application.
       

5. On the app Overview page, copy the Application (client) ID and Directory (tenant) ID for later use.
    

Create Resource Group and Workspace

1. In the search bar, search for Microsoft Defender EASM and select it.
    

2. Click on the Create button to create a new resource group.
    

3. Select the Subscription.
    

4. Click Create new to create a resource group or select an existing one from the dropdown. If creating new, enter the resource group name and click OK to proceed.
    

5. Click on Review + Create button.
    

Get Resource Group, Workspace, Subscription Id and Location

1. In the search bar, search for Microsoft Defender EASM and select it from the results. This will display a list of available workspaces.

2. Click on the workspace which we have created previously.
    

3. Click on JSON View.
    

4. Copy SubscriptionId, Resource Group Name, Workspace Name and Location for later use.
    

Add access to Subscription to retrieve data

Once the Defender EASM application is created, you must assign the necessary permissions to access the required endpoints. To begin, open the Azure subscription where the service principal resides. This allows you to configure role assignments and grant the appropriate access needed for Defender EASM API operations.

From the Azure Active Directory portal:

1. In the search bar, search for Subscriptions and select it.
    

2. Select the subscription where the application was created.
    

3. Navigate to Access control (IAM), then click Add and select Add role assignment from the dropdown.
    

4. Navigate to the Privileged administrator roles tab and select Contributor roles.
    

5. On the “Add role assignment” window:

   1. Click on Select members, search for the app registered, select app from the list, and then click the Select button to confirm.
       

   2. Review the information to make sure it is correct, and then click on Review + assign.
       

Create secret

The final step to accessing the APIs is creating a Client Secret. To create it from the Azure Portal:

1. Select the application created above.

2. Under Manage, click Certificates and secrets, and then click on Client secrets.
    

3. Click New client secret. “Add a client secret” window appears.
    

4. In “Add a client secret” window:

   1. Enter a ‘Description’ for this client secret and select the desired expiry period from the ‘Expires’ drop-list.
       

   2. Then click on Add to create the client secret.

5. Copy the ‘Value’ fields for later use.
    

DataBee Configuration

1. Login to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
    

2. Search for the Microsoft Defender EASM and click it as shown below.
    

3. Click on the API Ingest option for the polling mechanism.
    

4. Enter feed contact information, select the collector which we’ve created previously and click Next.
    

5. In the configuration page, confirm the following:

   • Authorization Method: OAuth2

   • API Base URL: replace the <region> placeholder with the location.

   • Subscription ID: paste the subscriptionId.

   • Resource Group Name: paste the Resource Group Name.

   • Workspace Name: paste the Workspace Name.

   • Client Key: paste the Application (client) ID.

   • Client Secret: paste the Value.

   • Token URL: replace <tenant_id> placeholder with the Directory (Tenant) ID generated earlier.

   • Event Types: preselected for all the event types that integration pulls.
      

6. Click Submit.

Troubleshooting Tips

• If you’re facing invalid_client or unauthorized_client issues this might be possibly due to incorrect credentials. Ensure the token is pasted correctly. Since you cannot view the token after the 1st time, re-create the token, paste it on a text editor to ensure no spaces or unexpected characters are included and reconfigure the DataBee feed.

• If you are facing 403 response code this might be possibly due to missing permissions. Ensure that all the required permissions are granted correctly as per the above-mentioned steps.