Let's understand the filter criteria that enable you to discover externally exposed hosts. When you configure EASM for the first time, verify the Organization and the Domain details.
Explore the following to understand more about filter criteria for an EASM configuration profile:
- Know More about Include and Exclude Types and Filters
- Domain and Organization Validation
- Import Seed Values in Bulk from CSV File While Configuring EASM Profile
- The Subsidiaries Enumeration and Horizontal Domain Enumeration checkboxes are selected by default and applicable for Organization and Domain seed type only. If you clear these checkboxes, then subsidiaries and horizontal domain enumeration are not included in the EASM configuration.
- You can provide multiple values for all seed types by separating the values using a semicolon. Also, you can Import Seed Values in Bulk from CSV File While Configuring EASM Profile.
- If the same IP address is entered in the Include and Exclude seed, the exclusion takes precedence.
Refer to the following tables that provide more information about the details you can enter in the Include and Exclude types.
Seed Type for Include

| Filter | Description | Examples |
|---|---|---|
| Organization | Name of the organization that owns the IP space. Note: Enter the organization's correct legal entity name. | Google LLC |
| Domain/Subdomain | Domain/Subdomain of the EASM assets. The Organization and Domain/Subdomain seeds support search and autocomplete while you create the EASM profile. When you type the first three characters in the value field next to the Organization or Domain/Subdomain seed, the top 5 matching suggestions are auto-populated. As a result, you can configure the EASM profile quickly. | google.com |
| IP/Netblock | Alias for net filter string | 34.120.218.237 |
| Certification Subject | Certificate | cadz02.canadadz.com |
| ASN | The Autonomous System Numbers (ASN). When you include the ASN, the associated netblocks are discovered in Shodan and active assets are discovered during the sync. | AS123456. The value must start with AS, and then you can enter a maximum of 6 digits. Other letters or special characters are not supported. |

Seed Type for Exclude
While creating or modifying the EASM Configuration profile, you can click the Add icon to view the Exclude filters, select the required filter, and provide the seed values.
Note that, as with the Include seed types, you can import the seed values you want to exclude in bulk from a CSV file while configuring the EASM profile.

| Filter | Description | Examples |
|---|---|---|
| Organization | Name of the organization that owns the IP space. | Google LLC |
| Domain/SubDomain | Domain/SubDomain of the EASM assets. | qualys.com/doc.qualys.com |
| IP/Netblock | Alias for net filter string. | 34.120.218.237 |
| City | Name of the city | Kansas City |
| Country | 2-letter country code | US |
| CDN | The default value is True, which is auto-populated. Unlike the other exclude filter criteria, you cannot add the CDN criterion multiple times. | - |
| ASN | The Autonomous System Numbers (ASN). When you exclude the ASN, the associated netblocks are not discovered in Shodan, and active assets are not discovered during the sync. | AS123456. The value must start with AS, and then you can enter a maximum of 6 digits. Other letters or special characters are not supported. |

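The seed rules above (semicolon-separated values, the ASN format, and exclusion taking precedence when the same IP appears in both Include and Exclude) can be checked before the values are entered in a profile. The Python below is an added example, not Qualys code: the function names are hypothetical, and normalizing IPs with `ipaddress` before comparing them and requiring at least one ASN digit are assumptions.

```python
import ipaddress
import re

# Page rule: "AS" followed by at most 6 digits (at least one digit assumed).
ASN_RE = re.compile(r"AS[0-9]{1,6}")


def split_seeds(raw):
    """Split a semicolon-separated value field into trimmed, non-empty seeds."""
    return [v.strip() for v in raw.split(";") if v.strip()]


def parse_netblock(value):
    """Return the seed as a network object, or None if it is not an IP/netblock."""
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None


def preflight(include_ips, exclude_ips, include_asns):
    """Validate seed fields and apply 'exclusion takes precedence' to IPs."""
    errors, parsed = [], {"include": set(), "exclude": set()}
    for side, raw in (("include", include_ips), ("exclude", exclude_ips)):
        for seed in split_seeds(raw):
            net = parse_netblock(seed)
            if net is None:
                errors.append(f"{side} IP/Netblock {seed!r}: not a valid address or CIDR")
            else:
                parsed[side].add(net)  # assumption: compare normalized values
    for asn in split_seeds(include_asns):
        if not ASN_RE.fullmatch(asn):
            errors.append(f"ASN {asn!r}: must be 'AS' plus 1 to 6 digits")
    conflicts = parsed["include"] & parsed["exclude"]
    effective = parsed["include"] - conflicts
    return {
        "errors": errors,
        "conflicts": sorted(str(n) for n in conflicts),
        "effective_include": sorted(str(n) for n in effective),
    }


if __name__ == "__main__":
    # Constructed sample input; 34.120.218.237 is the page's own example value.
    report = preflight(
        "34.120.218.237; 198.51.100.0/24; 10.0.0.300",
        "34.120.218.237",
        "AS123456; AS1234567; AS12-34",
    )
    for key, value in report.items():
        print(key, value)
```

The `conflicts` list shows Include entries that an identical Exclude entry overrides, which is worth reviewing before a sync so that an intended asset is not silently dropped from discovery.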
You can validate a domain or an organization. Validation enables you to fetch the details of subsidiaries based on the domain or organization value you enter.
The validation is not supported for multiple values. The Validate button is displayed only after entering the details in the Value field.
Vertical Enumeration for EASM Discovery
You can add a subdomain to the Include filter. With Vertical Enumeration, you can find the sibling subdomains of the subdomains you add to the Include filter.
Upon entering the subdomain and selecting the Vertical Enumeration checkbox, the primary domain for the subdomain is also identified.
- Suppose you enter the subdomain and don't select the Vertical Enumeration checkbox: The validation is not done after you click Check Catalog, and the status will not be shown as Validated.
- Suppose you enter the subdomain and select the Vertical Enumeration checkbox: The validation is done only if the primary domain of the subdomain you entered is available in the catalog. If so, the status will be shown as Validated when you click Check Catalog.
Insight Into the User-defined, Catalog, and Enumerated Data for Seed Values
Upon clicking Review, you can gain insight into the Inclusions and Exclusions you added to the EASM profile.
- You can see the user-defined seed values and the respective EASM catalog data. When you view the user-defined seed values, you can see the file name if the seed values are included or excluded using the CSV file.
- Pagination support is provided to view all the data records.
- You can download the details in the CSV, HTML, and XML format.
- When you create or edit the EASM configuration, you can select and remove specific include and exclude values you added through the bulk upload.
Subsidiaries Enumeration and Horizontal Domain Enumeration
Note: The subsidiary data will be synced only if you select the Subsidiaries Enumeration and Horizontal Domain Enumeration checkboxes.
Scenario 1 (Validation is successful) - You choose to validate based on the Domain or an Organization, and the validation is successful:
Scenario 2 (Validation is pending) - You choose to validate based on the Domain or an Organization, and the validation is pending:
You can see the status as 'Pending Validation'. If you hover over the info icon next to it, you can see the following info text:
The value entered was not found in the EASM catalog. EASM discovery will be conducted for the value entered, but the related domains and orgs required to expand the discovery scope are currently unavailable in the EASM catalog. The value will be reviewed for addition to the catalog of associated domains, and if it's added to the catalog, the status will change to Validated.
Refer to the following screen capture that shows your Seed section Type and Value.
When you click Add Filters, the relation of the seed with the filters will be AND.
When you add the filter criteria, use the button to add multiple IPs and Cities. Alternatively, you can add the IPs or Cities in the same text boxes by using a semicolon-separated list.
Select a Country from the Country list by searching for a country name. When you select the country, the 2-letter country code for that country is selected. Use the button to add multiple countries.
Note: The character limit for IP and Country seed filter is 4000, and the character limit for the City seed filter is 100.
When you click Add Section, a different section is added.
The filter section is given for each seed type.
The Exclude section will be an AND operation with the Include section.
You can also exclude IP addresses from the EASM Discovery.
In addition to manually providing the Include and Exclude seed values while creating or modifying the EASM profile configuration, you can import Include and Exclude seed values in bulk from a CSV file. This enhancement speeds up and simplifies the configuration of the EASM profile.
First, click the Download Template link and download the template for the seed type. From this standard template, you can learn how to provide the seed value details. Then you can upload the CSV file with the required values for the respective Include or Exclude seed type.
- You can import the CSV file for the Domains, Subdomains, Organizations, IP/Netblocks, and ASN Include and Exclude seed types.
- You can't provide a string of semicolon-separated or comma-separated seed values. Also, you can't upload an empty or incorrect CSV file.
An example of an incorrect CSV file: You want to import the CSV file for the Domain seed type and upload the CSV file for the Organization seed type instead.
Learn more about the EASM profile optional settings.
EASM Purge Rule:
When you turn on the EASM Purge Rule toggle, you can automate the purging of assets that are not discovered in the EASM discovery. Also, you need to specify the count of EASM discoveries that should be run before purging the assets that are not discovered in those EASM discoveries. The supported range for this count is 0-10, and the default EASM discovery count is 3.
For example, if you provide this count as 4 and the asset is not discovered through 4 EASM discoveries, it gets deleted from the CSAM account.
Enable EASM Scan:
When you turn this toggle on, the EASM lightweight scan gets started. You can select one of the following options per your requirements:
- All EASM Assets: To include the VM-activated assets in the EASM lightweight scan. The managed assets with the source as EASM and IP or cloud Agent are also included in the EASM lightweight scan.
- Unmanaged EASM Assets only (Exclude VM Activated Assets): To include only unmanaged EASM assets for the EASM lightweight scan.
Asset Inclusion Settings:
You can now exclude the CDN assets from the EASM Lightweight Scan. A new checkbox, Exclude CDN Assets, has been added. By default, this checkbox is selected, which means that the CDN assets get excluded from the EASM Lightweight Scan. Upon clearing this checkbox, the CDN assets get included in the EASM Lightweight Scan.
Add Internet-facing tagged assets to EASM discovery scan:
When you turn on the toggle next to Add Internet-facing tagged assets to EASM discovery scan, in addition to Organization and Domain, etc., your Internet-facing tagged assets, including scanned and cloud agent assets, are picked up as input to EASM. After the sync, you can see the External Attack Surface details on the “Asset Details” page.
When you turn off the toggle, all the internet-facing tagged asset information related to EASM, like tags and sources, is deleted from the “Asset Details” page.
Typosquatted Domains Discovery:
When you turn on the Typosquatted Domains Discovery toggle while creating or editing the EASM profile, you get the typosquatted domains in the inventory.
- When you select the Exclude Defamatory Domains checkbox: The typosquatted domains are generated without the Defamatory domains.
- When you clear the Exclude Defamatory Domains checkbox: The typosquatted domains are generated along with the Defamatory domains.
You can view the Typosquatted domain detail on the Inventory > Domains tab. For more information, see View Domain Details.