Let's understand the filter criteria that enable you to discover externally exposed hosts. When you configure EASM for the first time, verify the Organization and the Domain details.
Explore the following to understand more about filter criteria for an EASM configuration profile:
- Know More about Include and Exclude Types and Filters
- Domain and Organization Validation
- The Subsidiaries Enumeration and Horizontal Domain Enumeration checkboxes are selected by default and applicable for Organization and Domain seed type only. If you clear these checkboxes, then subsidiaries and horizontal domain enumeration are not included in the EASM configuration.
- You can provide multiple values for all seed types by separating the values using a semicolon.
Refer to the following tables that provide more information about the details you can enter in the Include and Exclude types.
Seed Type for Include

| Filter | Description | Examples | Character Limit |
|---|---|---|---|
| Organization | Name of the organization that owns the IP space. Note: Use the correct legal entity name as the name of the organization. | Google LLC | 4000 |
| Domain | Domain of the EASM assets. | google.com | 4000 |
| IP/Netblock | Alias for net filter string. | 34.120.218.237 | 4000 |
| Certification Subject | Certificate | cadz02.canadadz.com | 4000 |
| ASN | The Autonomous System Numbers (ASN). When you include the ASN, the associated netblocks are discovered in Shodan and active assets are discovered during the sync. | AS123456. The value must start with AS, followed by a maximum of 6 digits. Other letters or special characters are not supported. | 4000 |

Seed Type for Exclude

| Filter | Description | Examples | Character Limit |
|---|---|---|---|
| Organization | Name of the organization that owns the IP space. | Google LLC | 4000 |
| Domain/SubDomain | Domain/SubDomain of the EASM assets. | qualys.com/doc.qualys.com | 4000 |
| IP/Netblock | Alias for net filter string. | 34.120.218.237 | 4000 |
| City | Name of the city. | Kansas City | 100 |
| Country | 2-letter country code. | US | 4000 |
| CDN | The default value is True, which is auto-populated. Unlike the other exclude filter criteria, you cannot add the CDN criterion multiple times. | - | - |
| ASN | The Autonomous System Numbers (ASN). When you exclude the ASN, the associated netblocks are not discovered in Shodan, and active assets are not discovered during the sync. | AS123456. The value must start with AS, followed by a maximum of 6 digits. Other letters or special characters are not supported. | 4000 |

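The value rules in the Include and Exclude tables (semicolon-separated lists, the ASN format, the 2-letter country code, and the character limits) can be checked before a profile is saved. The following is an added example, not Qualys code; the function name `validate_seed`, the CIDR and hostname syntax checks, the uppercase country code, and applying the limit to the whole field are assumptions.

```python
import ipaddress
import re

# Character limits as given in the Include and Exclude tables on this page.
CHAR_LIMIT = {"Organization": 4000, "Domain": 4000, "Domain/SubDomain": 4000,
              "IP/Netblock": 4000, "Certification Subject": 4000,
              "ASN": 4000, "City": 100, "Country": 4000}
ASN_RE = re.compile(r"AS[0-9]{1,6}")   # "AS", then at most 6 digits
COUNTRY_RE = re.compile(r"[A-Z]{2}")   # 2-letter code, uppercase as in the example
# Assumption: domains are checked as dot-separated letter/digit/hyphen labels.
HOST_RE = re.compile(r"(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}"
                     r"[A-Za-z0-9])?\.)+[A-Za-z]{2,63}")


def _is_net(value):
    # Assumption: a netblock is written in CIDR notation; a single IP also parses.
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


# Seed types without an entry here are free text and get no syntax check.
CHECKS = {"ASN": ASN_RE.fullmatch, "Country": COUNTRY_RE.fullmatch,
          "IP/Netblock": _is_net,
          "Domain": HOST_RE.fullmatch, "Domain/SubDomain": HOST_RE.fullmatch}


def validate_seed(seed_type, raw):
    """Return the problems found in one seed field; an empty list means it passes."""
    if seed_type not in CHAR_LIMIT:
        return [f"unknown seed type: {seed_type!r}"]
    problems = []
    # Assumption: the limit applies to the whole semicolon-separated field.
    if len(raw) > CHAR_LIMIT[seed_type]:
        problems.append(f"{seed_type}: {len(raw)} characters, limit is {CHAR_LIMIT[seed_type]}")
    check = CHECKS.get(seed_type, lambda v: True)
    for value in (v.strip() for v in raw.split(";")):
        if not value:
            problems.append(f"{seed_type}: empty value in semicolon-separated list")
        elif not check(value):
            problems.append(f"{seed_type}: invalid value {value!r}")
    return problems


# Constructed sample: the second ASN has 7 digits, which the table's rule rejects.
print(validate_seed("ASN", "AS123456;AS1234567"))
```
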
You can validate a domain or an organization. Validation enables you to fetch the details of subsidiaries based on the domain or organization value you enter.
The validation is not supported for multiple values. The Validate button is displayed only after entering the details in the Value field.
Note: The subsidiary data will be synced only if you select the Subsidiaries Enumeration and Horizontal Domain Enumeration checkboxes.
Scenario 1 (Validation is successful) - You choose to validate based on the Domain or an Organization, and the validation is successful:
When you click the View Organization and Primary Domain List link, you can see the list of Organizations and Domains for which the data will be available after subsequent syncs. You can download this data as well.
You can get the following details from the CATALOG and ENUMERATED DOMAINS tabs:
CATALOG tab: A list of domains and organizations available in the EASM catalog DB.
ENUMERATED DOMAINS tab: A list of organizations and primary domains in WHOIS DB and catalog entries. Also, you can see catalog organizations and their corresponding catalog and WHOIS domain.
As a result, you can differentiate between the data from our catalog and WHOIS.
Scenario 2 (Validation is pending) - You choose to validate based on the Domain or an Organization, and the validation is pending:
You can see the status as 'Pending Validation'. If you hover over the info icon next to it, you can see the following info text:
The value entered was not found in the EASM catalog. EASM discovery will be conducted for the value entered, but the related domains and orgs required to expand the discovery scope are currently unavailable in the EASM catalog. The value will be reviewed for addition to the catalog of associated domains, and if it's added to the catalog, the status will change to Validated.
Refer to the following screen capture that shows your Seed section Type and Value.
When you click Add Filters, the relation of the seed with the filters will be AND.
When you add the filter criteria, use the button to add multiple IPs and Cities. Alternatively, you can add the IPs or Cities in the same text boxes by using a semicolon-separated list.
Select a Country from the Country list by searching for a country name. When you select the country, the 2-letter country code for that country is selected. Use the button to add multiple countries.
Note: The character limit for IP and Country seed filter is 4000, and the character limit for the City seed filter is 100.
When you click Add Section, a different section is added.
The filter section is given for each seed type.
The Exclude section will be an AND operation with the Include section.
You can also exclude IP addresses from the EASM Discovery.
When you turn on the toggle next to Add Internet-facing tagged assets to EASM discovery scan, your Internet-facing tagged assets, including scanned and cloud agent assets, are picked up as input to EASM in addition to the Organization, Domain, and other seeds. After the sync, you can see the External Attack Surface details on the “Asset Details” page.
When you turn off the toggle, all the internet-facing tagged asset information related to EASM, like tags and sources, is deleted from the “Asset Details” page.