A Quick Way to Verify the Connection Between Microsoft Defender External Attack Surface and Microsoft Sentinel
Here’s probably the quickest and easiest way to determine if Microsoft Defender External Attack Surface is connected to your Microsoft Sentinel environment.
All EASM tables are custom tables created with names that start with “EASM”. For example, in my environment, in the Log Analytics workspace options, you can see…
On the Microsoft Sentinel side, the tables will show up in the Custom Logs Solutions area.
If those table names don’t exist in your Microsoft Sentinel Log Analytics workspace, that generally means that the data has not yet been created (it takes about half an hour to an hour after creating the data connection), or that the connection has not been set up correctly.
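The same check can be run as a query in the workspace's Logs blade instead of browsing the table list. This is an added example, not from the original post: it reads the built-in Usage table for any data type whose name starts with "EASM" and shows when each last received data. The 7-day lookback is an assumption; adjust it to your environment.

```kusto
// Added example: find ingested tables whose names start with "EASM".
// Usage is the built-in Log Analytics table that records ingestion per data type (table).
Usage
| where TimeGenerated > ago(7d)                 // assumed lookback window
| where DataType startswith "EASM"              // startswith is case-insensitive
| summarize LastIngested = max(TimeGenerated),
            TotalMB      = round(sum(Quantity), 2)   // Quantity is reported in MB
            by DataType
| extend HoursSinceLastIngest = datetime_diff('hour', now(), LastIngested)
| order by DataType asc
```

An empty result means no EASM data has been ingested in the window, which matches the two cases above: the data has not arrived yet, or the connection is not set up correctly.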
Connecting EASM to Microsoft Sentinel requires the following three steps, which include setting up an EASM instance (if you haven’t already), and then configuring permissions and enabling the connection:
If you have not already, you need to create a Defender EASM Azure resource
Configuring Log Analytics permissions (for sending to the Microsoft Sentinel LAW)