icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading App for External Attack Surface Management (EASM)
SHA256 checksum (app-for-external-attack-surface-management-easm_11.tgz) f41e17031e6a50b6ce916b0b5d15dff67992cabf04c4131a427c9fb316f026cb
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate


App for External Attack Surface Management (EASM)

Splunk Cloud
The Splunk App for External Attack Surface Management supports discovery of Internet-facing services and helps identify those that may require hardening. The app - and its associated external worker - perform:

- subdomain discovery
- open port discovery (passive)
- open port discovery (active)
- web service discovery
- web technology discovery
- web vulnerability scans
- web spiders (crawls)

Splunk App for External Attack Surface Management


The App for External Attack Surface Management (EASM) is intended to:
- Discover your internet-facing assets and services, starting with nothing more than your domain name
- Alert on new subdomains, newly exposed ports and web app vulnerabilities
- Integrate with vulnerability management to patch and harden

The App for EASM makes use of open-source recon tools from ProjectDiscovery.io, wrapped in a REST API that runs on a worker server external to Splunk. The worker has been designed to be easy to stand up - using Docker - is stateless and secured via HTTPS and API key-based auth.

1. Splunk
2. Somewhere to run the EASM Worker server (“worker”) as a container
3. Some way of letting Splunk talk HTTPS to the worker, e.g. a reverse proxy terminating TLS and proxying traffic to the worker’s ASGI web server

For further details around standing up a worker, refer to gf13579/splunk_easm_worker (github.com).

Installation and Configuration Overview

  1. Install the App for External Attack Surface Management from Splunk or a tgz release from github
  2. Create an index e.g. 'easm' or pick an existing index to use and update the easm_index macro as required, e.g. index=your_index_here
  3. Setup a HEC input - and ensure port 8088 is accessible by our EASM worker. Leave the sourcetype set to Automatic and specify your target index (e.g. easm) as the default.
  4. Make a note of the HEC token and confirm that HEC is enabled, globally (by default it isn’t).
  5. Use the app's setup page to configure details of your external worker - the base url:port and API key, along with a HEC URL and token to be passed to the worker during discovery
  6. Edit the app's lookups - via the app's UI - to configure your seeds i.e apex domains, IPs, IP ranges and known subdomains
  7. Create discovery jobs - modular inputs - again, via the app's UI for convenience
  8. Wait for results

App Configuration Steps

Use the setup page to configure the application

Field Description Example
Base URL of EASM Worker The URL of our EASM worker - starting with https, followed by the FQDN of our host. https://some-easm-worker-host.spinningplates.net
API Key The value we configured in the .env file earlier some_super_secure_string
HEC URL The URL of our HEC endpoint - which could be on this Splunk server, or another one
HEC Token The HEC token shown by Splunk when setting up a HEC input dd8f39b4-a93e-4d07-9a94-2128c4bcd0ab

Now we can setup our seeds - typically one or more apex domains e.g. example.com and example.org.

Seeds are managed via lookups. The EASM App’s navigation menu includes links to edit those lookups using the Lookup Editor (“Splunk App for Lookup File Editing“) - if installed.

Configuration → Seed Items → Edit Seed Domains

Populate apex_domains.csv, for example:

entity target description out_of_scope
example example.com
example example.org
portswigger ginandjuice.shop
acunetix vulnweb.com

Now we’ll setup a basic discovery job - again, using the menu:

Configuration → Data Inputs → Edit Discovery Jobs

Give the discovery input a name, specify the types of discovery - or * for all basic discovery types. Specify an entity - which relates back to the entity field in the seed lookups and use the More settings option to specify a target index and the interval. As with all modular inputs, leave the interval blank to run the input a single time, or specify either a cron string or the number of seconds between inputs.

On saving the input, Splunk will run it based on the schedule. If the schedule was left blank, Splunk will run it immediately and once only - which is handy for testing.

The app typically needs to run discovery at least twice to start getting interesting data - the first time to discover an initial set of subdomains, which will be used in subsequent discovery of open ports, web services etc.


In the app, check the EASM Logs dashboard (Advanced -> EASM Logs) to see Splunk invoking the modular inputs, and output from those inputs.

On the worker node, you can view live log activity (stdout) using docker-compose logs --follow --timestamps.

Release Notes

Version 1.1
Sept. 9, 2023

2023-09-09 - First Splunkbase release for a port of app 7010 with a revised app id

Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.