This is a brief post explaining how to configure policies in Microsoft Defender External Attack Surface Management (MDEASM) through its API. Although the policies functionality has been available in MDEASM for some time, the process for configuring them via the API has, unfortunately, not yet been documented.

Save a Filter

First you need to save a filter because the policy engine needs this as an input. You can do this via the UI or use the API:

curl -X PUT "{endpoint}/savedFilters/testFilter?api-version=2024-03-01-preview" \
    -H "Authorization: Bearer $access_token" \
    -H "Content-Type: application/json" \
    -d @filters.json

and the json file looks like so:

{
    "description": "testFilter",
    "filter": "createdAt >= \"2024-10-15T22:00:000Z\""
}

This filter simply looks for any asset discovered after 15th October 2024.

Create a Policy

curl -X PUT "{endpoint}/policies/testPolicy?api-version=2024-03-01-preview" \
    -H "Authorization: Bearer $access_token" \
    -H "Content-Type: application/json" \
    -d @policies.json

and the json file:

{
    "name": "testPolicy",
    "description": "new test policy",
    "filterName": "testFilter",
    "action": "setState",
    "actionParameters": {
        "value": "candidate"
    },
    "priority": 1
}

This policy sets the state of any asset found by the filter to “candidate”.

Hope that’s useful to someone out there!

If documentation is not forthcoming from Microsoft soon, I will also expand this post to detail other policy configurations via API.

⚡️ Enjoyed this post? Buy me a coffee… in sats! Just tip me via my Lightning address: [email protected]