Policy: Azure > CIS v2.0 > 02 - Microsoft Defender > 2.03 - Microsoft Defender for External Attack Surface Monitoring

As more services are exposed to the public internet it is important to be able to monitor the externally exposed surface of your Azure Tenant, to this end it is recommended that tools that monitor this surface are implemented.

Microsoft have a new tool to do this in their Defender Suite of products. Defender EASM, this tool is configured very simply to scan specified domains and report on them, specific domains and addresses can be excluded from the scan.

Typically these tools will report on any vulnerability that is identified (CVE) and will also identify ports and protocols that are open on devices.

Results are classified Critical/High/Medium & Low with proposed mitigations.

Primary Policy

This policy is used with the following primary policy:

Azure > CIS v2.0 > 02 - Microsoft Defender

In Your Workspace

Policy Settings by Type report

Developers

Category URI

tmod:@turbot/cis#/control/categories/cis

Policy Type URI

tmod:@turbot/azure-cisv2-0#/policy/types/s0203

GraphQL

query policyType(id: "tmod:@turbot/azure-cisv2-0#/policy/types/s0203") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/azure-cisv2-0#/policy/types/s0203'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/azure-cisv2-0#/policy/types/s0203'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/azure-cisv2-0#/policy/types/s0203"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-cisv2-0#/policy/types/s0203"