EASM Discovery
After creating the Discovery EASM Profile, EASM initiates a passive discovery scan of your externally facing assets. It scans all organizations, subsidiaries, related domains, and ASNs from the include seeds (include filter) configured in the EASM profile, then uses this set of seeds to perform enumeration and enrichment using third-party sources such as Shodan, WHOIS, and DNS servers.
After the initial passive EASM discovery is complete, two additional discovery scans may occur:
- If the optional Enable EASM Scan setting is enabled, active scans using Qualys external scanners begin.
- If the optional Typosquatted and Defamatory domain discovery option is enabled, the results from the initial discovery are used to define the list of typosquatted and defamatory domains to be discovered. The discovery of these domains then occurs.
The results from EASM Discovery are then filtered based on the exclude seed (exclude filter) if configured in the EASM profile.
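The scoping logic described above (include seeds expanded into a candidate set, then an exclude filter applied to the results) can be modelled in a few lines. The following is an added example written for this page, not Qualys code or the actual EASM implementation; the seed and asset records are constructed, and the matching rules (domain suffix, ASN membership, CIDR containment) are assumptions about how a seed would be compared against a discovered asset.

```python
"""Seed-based scoping of discovered external assets (illustrative model)."""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass
class Seeds:
    """A seed set: either the include seeds or the exclude filter."""
    domains: Set[str] = field(default_factory=set)   # apex or sub-domains
    asns: Set[int] = field(default_factory=set)      # autonomous system numbers
    cidrs: List[str] = field(default_factory=list)   # IP ranges in CIDR notation


@dataclass
class Asset:
    """One discovered externally facing asset (hostname and/or IP)."""
    hostname: Optional[str]
    ip: Optional[str]
    asn: Optional[int]


def domain_matches(hostname: str, seed_domains: Set[str]) -> bool:
    """True if hostname equals a seed domain or sits beneath it."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in seed_domains)


def ip_matches(ip: str, cidrs: List[str]) -> bool:
    """True if the address falls inside any seed CIDR range."""
    addr = ip_address(ip)
    return any(addr in ip_network(c, strict=False) for c in cidrs)


def matches(asset: Asset, seeds: Seeds) -> bool:
    """An asset matches a seed set if any attribute hits any seed."""
    if asset.hostname and domain_matches(asset.hostname, seeds.domains):
        return True
    if asset.asn is not None and asset.asn in seeds.asns:
        return True
    if asset.ip and ip_matches(asset.ip, seeds.cidrs):
        return True
    return False


def scope_assets(discovered: List[Asset], include: Seeds, exclude: Seeds) -> List[Asset]:
    """Keep assets that match an include seed, then drop any that match the exclude filter.

    The exclude filter is applied last, so it wins over an include match:
    that is what lets you carve a decommissioned subdomain or a shared
    hosting range out of an otherwise in-scope domain or ASN.
    """
    in_scope = [a for a in discovered if matches(a, include)]
    return [a for a in in_scope if not matches(a, exclude)]


def run_sample() -> List[str]:
    """Apply the model to constructed data; returns in-scope hostnames."""
    include = Seeds(domains={"example.com"}, asns={64496})
    exclude = Seeds(domains={"legacy.example.com"}, cidrs=["198.51.100.128/25"])
    discovered = [
        Asset("www.example.com", "198.51.100.10", 64500),      # include by domain
        Asset("legacy.example.com", "198.51.100.20", 64500),   # excluded by domain
        Asset("mail.example.net", "203.0.113.5", 64496),       # include by ASN
        Asset("shared.example.com", "198.51.100.200", 64500),  # excluded by CIDR
        Asset("unrelated.org", "192.0.2.9", 64511),            # never in scope
    ]
    return [a.hostname for a in scope_assets(discovered, include, exclude)]


if __name__ == "__main__":
    print(run_sample())  # ['www.example.com', 'mail.example.net']
```

The order matters: applying the exclude filter before expansion would let excluded assets re-enter through enumeration, so the model (like the page's description) filters the final result set.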
EASM Discovery and Status
EASM discovery can take anywhere from two hours to half a day, depending on the volume of discovered data. Discovery status is displayed for each profile on the Configuration > EASM Configuration tab. Once asset discovery is complete, updated asset data becomes available in EASM Inventory and Dashboards for analysis, risk-based prioritization, scanning, and remediation.
If the optional Enable EASM Scan is enabled in the EASM Profile, these scans are scheduled to run after EASM Discovery and use the system-defined option profiles.
If the optional Typosquatted and Defamatory domain discovery option is enabled in the EASM Profile, these scans are also scheduled to run after EASM Discovery.
Analyzing discovered asset attribution after discovery completes
After discovery completes for a profile, you can analyze the discovered data in two phases:
First, review the discovered data to verify asset attribution to your organization. Use dashboards, inventory grouping and filtering, or view the Attribution Confidence Score (ACS) for more information.
Enable EASM scan of assets after validating attribution
Once you are confident the discovered EASM assets belong to your organization, enable the optional Enable EASM Scan setting in the EASM Profile to perform an EASM Lightweight Scan of those assets using Qualys scanners.
You can also choose to scan only unmanaged EASM assets or all EASM assets.
Qualys will then scan discovered EASM assets using Qualys scanners with three different option profiles at varying recurrence intervals. Qualys external scans provide enhanced detection of operating systems, vulnerabilities, open ports, and exposed software compared to data retrieved from Shodan.