Filter Criteria in External Attack Surface Management (EASM) Configuration

Let's understand the filter criteria that enable you to discover hosts that are externally exposed.

When you configure EASM for the first time, verify the Organization and the Domain details.

Explore the following to understand more about filter criteria for an EASM configuration profile:

- Important to Know

- Know More about Include and Exclude Types and Filters

- Domain and Organization Validation

- Add Filters

- Add Section

- Add Exclusion

Important to Know!

- If you want to upgrade from Shodan to EASM and you already configured Shodan, the existing Shodan profile will be migrated to EASM.

- Wildcards are not supported for any seed or filter type. When you upgrade from Shodan to EASM, if there are any wildcards, you must remove them before saving the EASM profile.

- For a seed type domain, only Top-Level Domain (TLD) or Root domains are supported. Hence, when you upgrade from Shodan to EASM, if there are any subdomains, remove them before saving the EASM profile.

- The Subsidiaries Enumeration and Horizontal Domain Enumeration checkboxes are selected by default, and they are applicable for Organization and Domain seed type only. If you clear these checkboxes, then subsidiaries and horizontal domain enumeration are not included in the EASM configuration.

- You can provide multiple values for all seed types by separating the values using a semicolon.

Know More about Include and Exclude Types and Filters

Refer to the following tables that provide more information about the details you can enter in Include and Exclude types.

Seed Type for Include

| Filter | Description | Examples | Character Limit |
|---|---|---|---|
| Organization | Name of the organization that owns the IP space. Note: Use the organization's correct legal entity name. | Google LLC | 4000 |
| Domain | Domain of the EASM assets. Note: Only the top-level domain is expected. | google.com | 4000 |
| IP/Netblock | Alias for net filter string | 34.120.218.237 | 4000 |
| Certification Subject | Certificate | cadz02.canadadz.com | 4000 |

 

Seed Type for Exclude

| Filter | Description | Examples | Character Limit |
|---|---|---|---|
| Organization | Name of the organization that owns the IP space. Note: Use the organization's correct legal entity name. | Google LLC | 4000 |
| Domain/SubDomain | Domain/SubDomain of the EASM assets. Note: You can exclude a maximum of 250 Domain/Subdomains. | qualys.com/doc.qualys.com | 4000 |
| IP/Netblock | Alias for net filter string. Note: You can exclude a maximum of 1000 IP/Netblocks. | 34.120.218.237 | 4000 |
| City | Name of the city | Kansas City | 100 |
| Country | 2-letter country code | US | 4000 |
| CDN | The default value is True, which is auto-populated. You cannot add the CDN criterion multiple times like the rest of the exclude filter criteria. | - | - |
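The following pre-save check is an added example, not Qualys code. It applies the rules stated above (no wildcards, no subdomains as Include domain seeds, semicolon-separated values, the character limits, and the 250/1000 exclusion maximums) to values you plan to enter, for example when cleaning up a migrated Shodan profile. The function names, the per-text-box reading of the character limit, and the short suffix list standing in for the Public Suffix List are assumptions.

```python
import ipaddress

# Limits copied from the Include/Exclude tables on this page.
CHAR_LIMIT = {"organization": 4000, "domain": 4000, "ip": 4000,
              "city": 100, "country": 4000}
MAX_EXCLUDED = {"domain": 250, "ip": 1000}
# Assumption: small stand-in for the Public Suffix List; extend as needed.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.in"}


def is_subdomain(name):
    """True when name has more labels than a root (registrable) domain."""
    labels = name.lower().rstrip(".").split(".")
    root_len = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return len(labels) > root_len


def check_values(section, seed_type, boxes):
    """Return the problems found in one seed/filter type (hypothetical helper).

    section: "include" or "exclude"; boxes: list of Value text-box strings,
    each holding one value or a semicolon-separated list.
    """
    problems, values = [], []
    for box in boxes:
        # Assumption: the character limit applies to each text box.
        if len(box) > CHAR_LIMIT[seed_type]:
            problems.append(f"text box exceeds {CHAR_LIMIT[seed_type]} characters")
        values += [v.strip() for v in box.split(";") if v.strip()]
    cap = MAX_EXCLUDED.get(seed_type) if section == "exclude" else None
    if cap and len(values) > cap:
        problems.append(f"{len(values)} {seed_type} exclusions, maximum is {cap}")
    for v in values:
        if "*" in v:
            problems.append(f"wildcard not supported: {v}")
        elif section == "include" and seed_type == "domain" and is_subdomain(v):
            problems.append(f"subdomain used as include seed: {v}")
        elif seed_type == "ip":
            try:
                ipaddress.ip_network(v, strict=False)  # single IP or CIDR block
            except ValueError:
                problems.append(f"not an IP or netblock: {v}")
        elif seed_type == "country" and not (len(v) == 2 and v.isalpha()):
            problems.append(f"country is not a 2-letter code: {v}")
    return problems
```

An empty list means the values pass these checks; the same subdomain that is rejected as an Include seed is accepted in the Exclude section, matching the Domain/SubDomain row above.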

 

Domain and Organization Validation

You can validate a domain or an organization. Validation enables you to fetch the details of subsidiaries based on the domain or organization value you enter.

The validation is not supported for multiple values. The Validate button is displayed only after entering the details in the Value field. 

Note: The data will be synced only if you select the Subsidiaries Enumeration and Horizontal Domain Enumeration checkboxes.


Scenario 1 (Validation is successful) - You choose to validate based on the Domain or an Organization, and the validation is successful:

Validation successful.

When you click the View Organization and Primary Domain List link, you can see the list of Organizations and Domains for which the data will be available after subsequent syncs. You can download this data as well. 

Scenario 2 (Validation is pending) - You choose to validate based on the Domain or an Organization, and the validation is pending:

You can see the status as 'Pending Validation'. If you hover over the info icon next to it, you can see the following info text: 

The value you provided is not available in the catalog. It might be added to the catalog after subsequent scans, and the status will change to Validated.

Add Filters

Refer to the following screen capture that shows your Seed section Type and Value.

When you click Add Filters, the relation of the seed with the filters will be AND.


When you add the filter criteria, use the button to add multiple IPs and Cities. Alternatively, you can add the IPs or Cities in the same text boxes by using a semicolon-separated list.

Select a Country from the Country list by searching for a country name. When you select the country, the 2-letter country code for that country is selected. Use the button to add multiple countries.

Note: The character limit for IP and Country seed filter is 4000, and the character limit for the City seed filter is 100.

Add Section

When you click Add Section, a different section is added.

The filter section is given for each seed type.

Add Exclusion

The Exclude section is combined with the Include section using an AND operation.

You can also exclude IP addresses from the EASM Discovery.