From 1bc55fa640fc7c21034e0373321d7b11ceae367d Mon Sep 17 00:00:00 2001 From: Mia Shapan <98898490+miashapan@users.noreply.github.com> Date: Tue, 12 Nov 2024 10:57:15 -0500 Subject: [PATCH 1/3] Update device-discovery-faq.md Removed OT specific protocol --- defender-endpoint/device-discovery-faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/device-discovery-faq.md b/defender-endpoint/device-discovery-faq.md index 1800c8499d..180b04bf52 100644 --- a/defender-endpoint/device-discovery-faq.md +++ b/defender-endpoint/device-discovery-faq.md @@ -69,7 +69,7 @@ ARP, CDP, DHCP, DHCPv6, IP (headers), LLDP, LLMNR, mDNS, MNDP, MSSQL, NBNS, SSDP ## Which protocols do you use for active probing in Standard discovery? When a device is configured to run Standard discovery, exposed services are being probed by using the following protocols: -ARP, FTP, HTTP, HTTPS, ICMP, LLMNR, NBNS, RDP, SIP, SMTP, SNMP, SSH, Telnet, UPNP, WSD, SMB, NBSS, IPP, PJL, RPC, mDNS, DHCP, AFP, CrestonCIP, IphoneSync, WinRM, VNC, SLP, LDAP +ARP, FTP, HTTP, HTTPS, ICMP, LLMNR, NBNS, RDP, SIP, SMTP, SNMP, SSH, Telnet, UPNP, WSD, SMB, NBSS, IPP, PJL, RPC, mDNS, DHCP, AFP, IphoneSync, WinRM, VNC, SLP, LDAP In addition, device discovery might also scan other commonly used ports to improve classification accuracy & coverage. From c53fd91dba5e1312de0dcdf395cac60494035b3a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 12 Nov 2024 12:18:32 -0800 Subject: [PATCH 2/3] Update device-discovery-faq.md --- defender-endpoint/device-discovery-faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/device-discovery-faq.md b/defender-endpoint/device-discovery-faq.md index 180b04bf52..a088d22278 100644 --- a/defender-endpoint/device-discovery-faq.md +++ b/defender-endpoint/device-discovery-faq.md 
@@ -15,7 +15,7 @@ ms.collection: - tier3 ms.topic: conceptual search.appverid: met150 -ms.date: 03/23/2021 +ms.date: 11/12/2024 --- # Device discovery frequently asked questions From a30575767a49390fd834a1ebd4583bb3518f0d16 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 12 Nov 2024 12:24:43 -0800 Subject: [PATCH 3/3] Update device-discovery-faq.md --- defender-endpoint/device-discovery-faq.md | 51 +++++++++++++++++++++-- 1 file changed, 48 insertions(+), 3 deletions(-) diff --git a/defender-endpoint/device-discovery-faq.md b/defender-endpoint/device-discovery-faq.md index a088d22278..5b68d1bee3 100644 --- a/defender-endpoint/device-discovery-faq.md +++ b/defender-endpoint/device-discovery-faq.md 
@@ -65,11 +65,54 @@ The discovery engine distinguishes between network events that are received in t ## What protocols are you capturing and analyzing? By default, all onboarded devices running on Windows 10 version 1809 or later, Windows 11, Windows Server 2019, or Windows Server 2022 are capturing and analyzing the following protocols: -ARP, CDP, DHCP, DHCPv6, IP (headers), LLDP, LLMNR, mDNS, MNDP, MSSQL, NBNS, SSDP, TCP (SYN headers), UDP (headers), WSD + +- ARP +- CDP +- DHCP +- DHCPv6 +- IP (headers) +- LLDP +- LLMNR +- mDNS +- MNDP +- MSSQL +- NBNS +- SSDP +- TCP (SYN headers) +- UDP (headers) +- WSD ## Which protocols do you use for active probing in Standard discovery? When a device is configured to run Standard discovery, exposed services are being probed by using the following protocols: -ARP, FTP, HTTP, HTTPS, ICMP, LLMNR, NBNS, RDP, SIP, SMTP, SNMP, SSH, Telnet, UPNP, WSD, SMB, NBSS, IPP, PJL, RPC, mDNS, DHCP, AFP, IphoneSync, WinRM, VNC, SLP, LDAP + +- AFP +- ARP +- DHCP +- FTP +- HTTP +- HTTPS +- ICMP +- IphoneSync +- IPP +- LDAP +- LLMNR +- mDNS +- NBNS +- NBSS +- PJL +- RDP +- RPC +- SIP +- SLP +- SMB +- SMTP +- SNMP +- SSH +- Telnet +- UPNP +- VNC +- WinRM +- WSD In addition, device discovery might also scan other commonly used ports to improve classification accuracy & coverage. @@ -91,6 +134,7 @@ Devices will actively be probed when changes in device characteristics are obser ## My security tool raised alert on UnicastScanner.ps1 / PSScript_{GUID}.ps1 or port scanning activity initiated by it, what should I do? The active probing scripts are signed by Microsoft and are safe. You can add the following path to your exclusion list: + `C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\*.ps1` ## What is the amount of traffic being generated by the Standard discovery active probe? 
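Review bot: in the `@@ -65,11 +65,54 @@` hunk, the two introductory sentences are being touched anyway, so fix their wording at the same time: "are capturing and analyzing the following protocols" reads better as "capture and analyze the following protocols", and "exposed services are being probed by using the following protocols" as "exposed services are probed using the following protocols". The alphabetized active-probing list has the same 28 entries as the comma-separated line it replaces, so nothing was dropped in the conversion; while re-listing, consider the conventional casing "UPnP" for the "UPNP" entry, since the other names in the list use their standard forms.

Review bot: in the `@@ -91,6 +134,7 @@` hunk only a blank line is added before the path, but the surrounding answer asks readers to add the wildcard exclusion `C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\*.ps1` on the strength of "signed by Microsoft and are safe". Because that exclusion covers any .ps1 that lands in the folder, not just the discovery scripts, suggest the answer also tell readers how to confirm the Microsoft signature on `UnicastScanner.ps1` / `PSScript_{GUID}.ps1` (for example with Get-AuthenticodeSignature) before trusting a script found there, and to keep the exclusion scoped to this exact directory rather than a broader pattern.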
@@ -101,7 +145,7 @@ Active probing can generate up to 50Kb of traffic between the onboarded device a You may notice differences between the number of listed devices under "can be onboarded" in the device inventory, "onboard to Microsoft Defender for Endpoint" security recommendation, and "devices to onboard" dashboard widget. - The security recommendation and the dashboard widget are for devices that are stable in the network; excluding ephemeral devices, guest devices and others. The idea is to recommend on persistent devices that also imply on the overall security score of the organization. +The security recommendation and the dashboard widget are for devices that are stable in the network; excluding ephemeral devices, guest devices and others. The idea is to recommend on persistent devices that also imply on the overall security score of the organization. ## Can I onboard unmanaged devices that were found? @@ -138,4 +182,5 @@ The device discovery capabilities have been built to only discover and identify ### You can exclude network lures from active probing Standard discovery supports exclusion of devices or ranges (subnets) from active probing. If you have network lures deployed in place, you can use the Device Discovery settings to define exclusions based on IP addresses or subnets (a range of IP addresses). Defining those exclusions ensure that those devices won't be actively probed and won't be alerted. Those devices are discovered using passive methods only (similar to Basic discovery mode). + [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
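Review bot: in the `@@ -101,7 +145,7 @@` hunk, dropping the leading space fixes the stray indentation, but the sentence itself is ungrammatical ("The idea is to recommend on persistent devices that also imply on the overall security score"); since the line is already being rewritten, suggest "The recommendation targets persistent devices, which also affect the organization's overall security score."

Review bot: in the `@@ -138,4 +182,5 @@` hunk the only change is the blank line before the `[!INCLUDE ...]`, which is correct, but the context line "Defining those exclusions ensure that those devices won't be actively probed and won't be alerted" has a subject-verb mismatch and an unclear object: suggest "Defining those exclusions ensures that those devices aren't actively probed and don't generate alerts."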