Overview of attack surface management

Microsoft Security Exposure Management helps you to visualize, analyze, and remediate cross-workload attack surfaces.

Security Exposure Management is currently in public preview.


Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.

Enterprise exposure graph

The enterprise exposure graph is the central tool for exploring and managing attack surfaces. The graph gathers information about assets, users, workloads, and more, from across your enterprise to provide a unified, comprehensive view of your organizational security posture.

Graph schemas

Graph schemas provide a framework for organizing and analyzing interconnected assets from multiple workloads across the organization.

  • Schemas are made up of tables that provide either event information or information about devices, alerts, identities, and other entity types.
  • You query against schemas for proactive threat hunting across data and events. You can build queries in advanced hunting.
  • To understand schemas and build effective queries, you can use a built-in schema reference that provides table information.

Enterprise exposure graph schemas

The enterprise exposure graph and the exposure graph schemas extend the existing Defender XDR advanced hunting schemas.

  • The schemas provide attack surface information to help understand how potential threats can reach and compromise valuable assets.
  • You use the schema tables and operators to query the enterprise exposure graph. Queries allow you to inspect and search attack surface data, and to retrieve exposure information to help prevent risk.
  • The enterprise exposure graph currently includes assets, findings, and entity relationships from:
    • Microsoft Defender for Cloud
    • Microsoft Defender for Endpoint
    • Microsoft Defender Vulnerability Management
    • Microsoft Defender for Identity
    • Microsoft Entra ID

By correlating exposure queries with other graph data, such as incident data, you can uncover risk to a greater degree.

Attack surface map

The attack surface map helps you to visualize the exposure data that you query using the exposure graph schema.

In the map you can explore the data, check what assets are at risk, contextualize them in a broader network framework, and prioritize security focus.

For example, you can check whether a particular asset has unwanted connections, or see whether a device has a path to the internet, and if so, what other devices are exposed.

Next steps