Merge pull request #54192 from R-C-Stewart/NEW-discover-external-assets-vulnerabilities

First upload of module content

Author: v-ccolin

learn-pr/wwl-sci/discover-external-assets-vulnerabilities/1-introduction.yml

@@ -0,0 +1,14 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.discover-external-assets-vulnerabilities.introduction
+metadata:
+  title: Introduction
+  description: Introduction to discovering unprotected assets and vulnerabilities using Microsoft Defender External Attack Surface Management.
+  ms.date: 04/07/2026
+  author: r-c-stewart
+  ms.author: roberts
+  ms.topic: unit
+  ai-usage: ai-generated
+title: Introduction
+durationInMinutes: 2
+content: |
+  [!include[](includes/1-introduction.md)]

learn-pr/wwl-sci/discover-external-assets-vulnerabilities/2-explore-external-attack-surface-capabilities.yml

@@ -0,0 +1,14 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.discover-external-assets-vulnerabilities.explore-external-attack-surface-capabilities
+metadata:
+  title: Explore External Attack Surface Management (EASM) features and capabilities
+  description: Explore how Microsoft Defender EASM is deployed as an Azure resource, what assets it discovers, and how its outside-in scanning scope differs from other Defender tools.
+  ms.date: 04/07/2026
+  author: r-c-stewart
+  ms.author: roberts
+  ms.topic: unit
+  ai-usage: ai-generated
+title: Explore EASM features and capabilities
+durationInMinutes: 8
+content: |
+  [!include[](includes/2-explore-external-attack-surface-capabilities.md)]

learn-pr/wwl-sci/discover-external-assets-vulnerabilities/3-discover-assets-recursive-discovery.yml

@@ -0,0 +1,14 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.discover-external-assets-vulnerabilities.discover-assets-recursive-discovery
+metadata:
+  title: Discover assets using recursive discovery
+  description: Learn how Microsoft Defender External Attack Surface Management (EASM)'s recursive discovery engine uses seeds to find unknown internet-facing assets.
+  ms.date: 04/07/2026
+  author: r-c-stewart
+  ms.author: roberts
+  ms.topic: unit
+  ai-usage: ai-generated
+title: Discover assets using recursive discovery
+durationInMinutes: 6
+content: |
+  [!include[](includes/3-discover-assets-recursive-discovery.md)]

learn-pr/wwl-sci/discover-external-assets-vulnerabilities/4-analyze-attack-surface-dashboards.yml

@@ -0,0 +1,14 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.discover-external-assets-vulnerabilities.analyze-attack-surface-dashboards
+metadata:
+  title: Analyze your attack surface with dashboards
+  description: Use External Attack Surface Management (EASM) dashboards—Overview, Attack surface summary, Security posture, and OWASP Top 10—to identify and prioritize vulnerabilities, exposed services, certificate issues, and web application risks across your external attack surface.
+  ms.date: 04/07/2026
+  author: r-c-stewart
+  ms.author: roberts
+  ms.topic: unit
+  ai-usage: ai-generated
+title: Analyze your attack surface with dashboards
+durationInMinutes: 7
+content: |
+  [!include[](includes/4-analyze-attack-surface-dashboards.md)]

learn-pr/wwl-sci/discover-external-assets-vulnerabilities/5-integrate-external-attack-surface-defender-cloud.yml

@@ -0,0 +1,14 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.discover-external-assets-vulnerabilities.integrate-external-attack-surface-defender-cloud
+metadata:
+  title: Integrate External Attack Surface Management (EASM) insights with Defender for Cloud
+  description: Connect EASM outside-in discovery data with Defender Cloud Security Posture Management (CSPM) to perform attack path analysis starting from internet-exposed resources and run Cloud Security Explorer queries that correlate external exposure with internal security findings.
+  ms.date: 04/07/2026
+  author: r-c-stewart
+  ms.author: roberts
+  ms.topic: unit
+  ai-usage: ai-generated
+title: Integrate EASM insights with Defender for Cloud
+durationInMinutes: 7
+content: |
+  [!include[](includes/5-integrate-external-attack-surface-defender-cloud.md)]

learn-pr/wwl-sci/discover-external-assets-vulnerabilities/6-knowledge-check.yml

@@ -0,0 +1,73 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.discover-external-assets-vulnerabilities.knowledge-check
+metadata:
+  title: Knowledge check
+  description: Check your knowledge of discovering unprotected assets and vulnerabilities using Microsoft Defender External Attack Surface Management.
+  ms.date: 04/07/2026
+  author: r-c-stewart
+  ms.author: roberts
+  ms.topic: unit
+  ai-usage: ai-generated
+title: Knowledge check
+durationInMinutes: 3
+content: |
+  [!include[](includes/6-knowledge-check.md)]
+quiz:
+  title: Check your knowledge
+  questions:
+  - content: "A security engineer wants visibility into internet-facing assets their organization doesn't know about—including forgotten test environments from an acquisition and developer-created shadow IT. Which Microsoft Defender tool provides this outside-in discovery capability?"
+    choices:
+    - content: "Microsoft Defender for Cloud Security Posture Management (CSPM)"
+      isCorrect: false
+      explanation: "Incorrect. Defender CSPM provides inside-out posture management for known, enrolled Azure resources. It assesses misconfigurations and compliance gaps within your Azure subscription, but it doesn't discover assets that exist outside your subscription or outside your inventory."
+    - content: "Microsoft Defender Vulnerability Management (MDVM)"
+      isCorrect: false
+      explanation: "Incorrect. MDVM provides inside-out vulnerability scanning for known, enrolled virtual machines. It identifies CVEs in installed software on VMs that are already part of your inventory—it doesn't discover unknown or unenrolled internet-facing assets."
+    - content: "Microsoft Defender External Attack Surface Management (EASM)"
+      isCorrect: true
+      explanation: "Correct. Defender EASM uses outside-in recursive discovery to map your organization's internet-facing attack surface from an attacker's perspective. It discovers unknown and unmonitored assets—including assets from acquired organizations, forgotten environments, and shadow IT—by traversing infrastructure connections starting from known seeds."
+    - content: "Microsoft Defender for Endpoint"
+      isCorrect: false
+      explanation: "Incorrect. Defender for Endpoint provides endpoint detection and response (EDR) capabilities for enrolled devices. It doesn't perform external attack surface discovery or identify internet-facing assets outside your managed device inventory."
+  - content: "You're configuring EASM discovery for your organization after an acquisition. You provide the acquired company's primary domain name as a starting point. What is this starting asset called in the EASM discovery process?"
+    choices:
+    - content: "A discovery target"
+      isCorrect: false
+      explanation: "Incorrect. 'Discovery target' isn't a term used in EASM's discovery process. EASM uses seeds as the known starting points for recursive discovery."
+    - content: "A discovery seed"
+      isCorrect: true
+      explanation: "Correct. Discovery seeds are known legitimate assets you provide as starting points for EASM's recursive discovery engine. The engine queries multiple data sources (WHOIS, DNS, SSL certificates, ASN records) for each seed and recurses through connections to uncover previously unknown assets."
+    - content: "A candidate asset"
+      isCorrect: false
+      explanation: "Incorrect. Candidate is an asset state in the EASM inventory—it means EASM discovered an asset that it believes is owned by your organization but is unconfirmed. The starting point you provide to initiate discovery is called a seed."
+    - content: "An inventory filter"
+      isCorrect: false
+      explanation: "Incorrect. Inventory filters are used within EASM to search and sort discovered assets in your inventory. They aren't used to initiate or configure the discovery process."
+  - content: "After running EASM discovery for a recently acquired company's infrastructure, your security team finds several hosts with Telnet (port 23) open and multiple SSL certificates expiring within 30 days. Which EASM dashboard surfaces these specific technical findings?"
+    choices:
+    - content: "Overview dashboard"
+      isCorrect: false
+      explanation: "Incorrect. The Overview dashboard is the default landing page that provides an at-a-glance summary of your attack surface including high-level risk counts by severity. It doesn't surface specific technical findings like individual open ports or SSL certificate details."
+    - content: "Attack surface summary dashboard"
+      isCorrect: false
+      explanation: "Incorrect. The Attack surface summary dashboard shows SSL certificate expiry counts by timeframe (30, 60, 90 days) and broad vulnerability severity counts. However, the Security posture dashboard surfaces the specific technical details: individual open ports and exposed services like Telnet, SSL certificate configuration problems such as expired or SHA-1 certificates, CVE exposure, and domain administration issues."
+    - content: "Security posture dashboard"
+      isCorrect: true
+      explanation: "Correct. The Security posture dashboard is the primary dashboard for security engineers investigating specific external hygiene issues. It surfaces detailed technical findings including CVE exposure, open ports, and exposed services (such as Telnet on port 23), SSL certificate configuration issues (expired certificates, weak cipher suites, SHA-1 certificates), and domain administration concerns."
+    - content: "OWASP Top 10 dashboard"
+      isCorrect: false
+      explanation: "Incorrect. The OWASP Top 10 dashboard surfaces web application vulnerabilities in categories such as broken access control, cryptographic failures, injection, and security misconfiguration. It doesn't surface infrastructure-level findings like open ports or SSL certificate expiry status."
+  - content: "Your organization has Defender CSPM active. You want to find attack paths that start from internet-exposed IP addresses discovered by EASM and trace through to internal Azure resources. Where do you view these attack paths?"
+    choices:
+    - content: "In the EASM standalone portal at the Security posture dashboard"
+      isCorrect: false
+      explanation: "Incorrect. The EASM Security posture dashboard shows external security hygiene findings—CVE exposure, open ports, SSL issues—within the EASM portal itself. It doesn't show attack paths that trace from internet-exposed IPs through to internal Azure resources."
+    - content: "In the Microsoft Defender portal under Cloud security, go to Attack path analysis"
+      isCorrect: true
+      explanation: "Correct. With Defender CSPM active, EASM integration flows outside-in data into the Defender portal. Under Cloud security > Attack path analysis, you can filter attack paths by internet-exposed resources to see exploitable paths that start from EASM-discovered internet-facing IPs and trace through to internal target assets."
+    - content: "In Microsoft Sentinel under the Threat Intelligence workbook"
+      isCorrect: false
+      explanation: "Incorrect. Microsoft Sentinel is a SIEM and SOAR solution focused on security event correlation and threat detection. Attack path analysis that combines EASM outside-in data with Defender CSPM inside-out data is available in the Microsoft Defender portal, not Microsoft Sentinel."
+    - content: "In the Azure portal under Microsoft Defender for Cloud, go to Workload protections"
+      isCorrect: false
+      explanation: "Incorrect. Workload protections in the Azure portal provide threat protection status and alerts for specific workload types such as servers, containers, and storage. Attack path analysis integrating EASM data is available in the Microsoft Defender portal under Cloud security > Attack path analysis."

learn-pr/wwl-sci/discover-external-assets-vulnerabilities/7-summary.yml

@@ -0,0 +1,14 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.discover-external-assets-vulnerabilities.summary
+metadata:
+  title: Summary
+  description: Summary of discovering unprotected assets and vulnerabilities using Microsoft Defender External Attack Surface Management.
+  ms.date: 04/07/2026
+  author: r-c-stewart
+  ms.author: roberts
+  ms.topic: unit
+  ai-usage: ai-generated
+title: Summary
+durationInMinutes: 2
+content: |
+  [!include[](includes/7-summary.md)]

learn-pr/wwl-sci/discover-external-assets-vulnerabilities/includes/1-introduction.md

@@ -0,0 +1,10 @@
+Contoso Financial Services recently completed a major cloud migration to Azure and acquired a regional banking partner. Their security team uses Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM) capabilities to monitor known Azure resources and Microsoft Defender Vulnerability Management (MDVM) to scan enrolled virtual machines for software vulnerabilities. However, security leadership is concerned about internet-facing assets they don't know about: forgotten test environments, infrastructure inherited from the acquisition with no existing inventory, and developer-created resources that bypass central IT. Traditional vulnerability scanners can't see beyond the firewall, and MDVM only scans VMs that are already enrolled and managed. The team needs an outside-in perspective to discover what attackers can actually see when they scan Contoso's internet presence.
+
+Microsoft Defender External Attack Surface Management (EASM) provides exactly this attacker's-eye view by continuously discovering internet-facing assets you own or operate, even if you don't know about them yet. EASM complements your inside-out CSPM and vulnerability scanning by finding unknown assets, mapping their connections, and identifying security hygiene risks. These risks include expired certificates, open ports, exposed services, and OWASP vulnerabilities—all viewed from the perspective of an attacker scanning your organization from the outside.
+
+In this module, you learn to use EASM to discover and secure your external attack surface. Specifically, you:
+
+- Explain how EASM outside-in discovery complements inside-out CSPM posture management
+- Configure asset discovery using seeds to identify unknown internet-facing infrastructure and asset connections
+- Use EASM dashboards to prioritize vulnerabilities and security hygiene risks across your attack surface
+- Integrate EASM findings with Defender CSPM to analyze attack paths starting from internet-exposed resources