Filter Criteria in External Attack Surface Management (EASM) Configuration

Let's understand the filter criteria that enable you to discover externally exposed hosts. When you configure EASM for the first time, verify the Organization and the Domain details.

Explore the following to understand more about filter criteria for an EASM configuration profile:

-  Important to Know

-  Know More about Include and Exclude Types and Filters

-  Domain and Organization Validation

-  Add Filters

-  Add Section

-  Add Exclusion

-  Optional Setting

Important to Know!

- If you want to upgrade from Shodan to EASM and have already configured Shodan, the existing Shodan profile is migrated to EASM.

- The wildcard is not supported for all seed and filter types. When you upgrade from Shodan to EASM, if there are any wildcards, you must remove them before saving the EASM profile.

- Only Primary domains are supported for a seed-type domain. Hence, when you upgrade from Shodan to EASM, if there are any subdomains, remove them before saving the EASM profile.

- The Subsidiaries Enumeration and Horizontal Domain Enumeration checkboxes are selected by default and applicable for Organization and Domain seed type only. If you clear these checkboxes, then subsidiaries and horizontal domain enumeration are not included in the EASM configuration.

- You can provide multiple values for all seed types by separating the values using a semicolon.

Know More about Include and Exclude Types and Filters

Refer to the following tables that provide more information about the details you can enter in the Include and Exclude types.

Seed Type for Include

| Filter | Description | Examples | Character Limit |
| --- | --- | --- | --- |
| Organization | Name of the organization that owns the IP space. Note: The correct legal entity name should be the name of the organization. | Google LLC | 4000 |
| Domain | Domain of the EASM assets. Note: Only the top-level domain is expected. | google.com | 4000 |
| IP/Netblock | Alias for net filter string | 34.120.218.237 | 4000 |
| Certification Subject | Certificate | cadz02.canadadz.com | 4000 |
| ASN | The Autonomous System Numbers (ASN). When you include the ASN, the associated netblocks are discovered in Shodan and active assets are discovered during the sync. | AS123456. The value must start with AS, and then you can enter a maximum of 6 digits. Other alphabets or special characters are not supported. | 4000 |

Seed Type for Exclude

| Filter | Description | Examples | Character Limit |
| --- | --- | --- | --- |
| Organization | Name of the organization that owns the IP space. Note: The correct legal entity name should be the name of the organization. | Google LLC | 4000 |
| Domain/SubDomain | Domain/SubDomain of the EASM assets. Note: You can exclude a maximum of 250 Domain/Subdomains. | qualys.com/doc.qualys.com | 4000 |
| IP/Netblock | Alias for net filter string. Note: You can exclude a maximum of 1000 IP/Netblocks. | 34.120.218.237 | 4000 |
| City | Name of the city | Kansas City | 100 |
| Country | 2-letter country code | US | 4000 |
| CDN | The default value is True, which is auto-populated. You cannot add the CDN criterion multiple times like the rest of the exclude filter criteria. | - | - |
| ASN | The Autonomous System Numbers (ASN). When you exclude the ASN, the associated netblocks are not discovered in Shodan, and active assets are not discovered during the sync. | AS123456. The value must start with AS, and then you can enter a maximum of 6 digits. Other alphabets or special characters are not supported. | 4000 |
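The rules in the two tables and in the Important to Know list can be checked before a migrated profile is saved. The following is an added example, not Qualys code: the function names, the profile dictionary layout, treating `*` as the wildcard character, applying the character limit to the whole semicolon-separated field, and requiring uppercase `AS` and country codes are all assumptions.

```python
import re

# Limits taken from the Include/Exclude tables on this page.
INCLUDE_LIMITS = {"Organization": 4000, "Domain": 4000, "IP/Netblock": 4000,
                  "Certification Subject": 4000, "ASN": 4000}
EXCLUDE_LIMITS = {"Organization": 4000, "Domain/SubDomain": 4000,
                  "IP/Netblock": 4000, "City": 100, "Country": 4000, "ASN": 4000}
EXCLUDE_MAX_VALUES = {"Domain/SubDomain": 250, "IP/Netblock": 1000}
ASN_RE = re.compile(r"AS\d{1,6}")       # "AS" followed by at most 6 digits
COUNTRY_RE = re.compile(r"[A-Z]{2}")    # 2-letter country code (uppercase assumed)


def check_field(section, seed_type, raw):
    """Return a list of problems for one semicolon-separated field."""
    limits = INCLUDE_LIMITS if section == "include" else EXCLUDE_LIMITS
    if seed_type not in limits:
        return [f"{section}/{seed_type}: not a documented seed type"]
    problems = []
    # Assumption: the character limit applies to the whole field string.
    if len(raw) > limits[seed_type]:
        problems.append(f"{section}/{seed_type}: exceeds {limits[seed_type]} characters")
    values = [v.strip() for v in raw.split(";") if v.strip()]
    for v in values:
        if "*" in v:  # assumption: "*" is the wildcard left over from Shodan
            problems.append(f"{section}/{seed_type}: wildcard in '{v}'")
        if seed_type == "ASN" and not ASN_RE.fullmatch(v):
            problems.append(f"{section}/{seed_type}: bad ASN '{v}'")
        if seed_type == "Country" and not COUNTRY_RE.fullmatch(v):
            problems.append(f"{section}/{seed_type}: bad country code '{v}'")
    cap = EXCLUDE_MAX_VALUES.get(seed_type) if section == "exclude" else None
    if cap is not None and len(values) > cap:
        problems.append(f"{section}/{seed_type}: {len(values)} values, maximum is {cap}")
    return problems


def check_profile(profile):
    """profile: {"include": {type: field}, "exclude": {type: field}}."""
    return [p for section in ("include", "exclude")
            for seed_type, raw in profile.get(section, {}).items()
            for p in check_field(section, seed_type, raw)]


# Constructed sample: a profile carried over from Shodan with leftovers to fix.
SAMPLE = {
    "include": {"Domain": "example.com;*.example.org", "ASN": "AS64500;AS1234567"},
    "exclude": {"Country": "US;USA", "City": "Kansas City"},
}

if __name__ == "__main__":
    for problem in check_profile(SAMPLE):
        print(problem)
```

The check does not decide whether an include Domain value is a primary domain, since that needs a public-suffix lookup; review those values by hand.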

Domain and Organization Validation

You can validate a domain or an organization. Validation enables you to fetch the details of subsidiaries based on the domain or organization value you enter.

The validation is not supported for multiple values. The Validate button is displayed only after entering the details in the Value field. 

Note: The subsidiary data will be synced only if you select the Subsidiaries Enumeration and Horizontal Domain Enumeration checkboxes.

Validate domain and organization.

Scenario 1 (Validation is successful) - You choose to validate based on the Domain or an Organization, and the validation is successful:

Validation successful.

When you click the View Organization and Primary Domain List link, you can see the list of Organizations and Domains for which the data will be available after subsequent syncs. You can download this data as well. 

You can get the following details from the CATALOG and ENUMERATED DOMAINS tabs:

CATALOG tab: A list of domains and organizations available in the EASM catalog DB.

ENUMERATED DOMAINS tab: A list of organizations and primary domains in WHOIS DB and catalog entries. Also, you can see catalog organizations and their corresponding catalog and WHOIS domain. 

As a result, you can differentiate between the data from our catalog and WHOIS. 

Scenario 2 (Validation is pending) - You choose to validate based on the Domain or an Organization, and the validation is pending:

You can see the status as 'Pending Validation'. If you hover over the info icon next to it, you can see the following info text: 

The value entered was not found in the EASM catalog. EASM discovery will be conducted for the value entered, but the related domains and orgs required to expand the discovery scope are currently unavailable in the EASM catalog. The value will be reviewed for addition to the catalog of associated domains, and if it's added to the catalog, the status will change to Validated.

Add Filters

Refer to the following screen capture that shows your Seed section Type and Value.

When you click Add Filters, the relation of the seed with the filters will be AND.

Type Filters

When you add the filter criteria, use the button to add multiple IPs and Cities. Alternatively, you can add the IPs or Cities in the same text boxes by using a semicolon-separated list.

Select a Country from the Country list by searching for a country name. When you select the country, the 2-letter country code for that country is selected. Use the button to add multiple countries.

Note: The character limit for IP and Country seed filter is 4000, and the character limit for the City seed filter is 100.

Add Section

When you click Add Section, a different section is added.

The filter section is given for each seed type.

Add Exclusion

The Exclude section will be an AND operation with the Include section.

You can also exclude IP addresses from the EASM Discovery.

Optional Setting

When you turn on the toggle next to Add Internet-facing tagged assets to EASM discovery scan, your Internet-facing tagged assets, including scanned and cloud agent assets, are picked up as input to EASM in addition to seeds such as Organization and Domain. After the sync, you can see the External Attack Surface details on the “Asset Details” page.

When you turn off the toggle, all the internet-facing tagged asset information related to EASM, like tags and sources, is deleted from the “Asset Details” page.