• 9 minutes

Protecting your environment requires taking inventory of the devices that are in your network. However, mapping devices in a network can often be expensive, challenging, and time-consuming.

Microsoft Defender for Endpoint provides a device discovery capability that helps an organization find unmanaged devices connected to its corporate network. It completes this discovery process without the need for extra appliances or cumbersome process changes. Device discovery uses onboarded endpoints to collect, probe, and scan the network to discover unmanaged devices. The device discovery capability enables organizations to discover:

• Enterprise endpoints (workstations, servers and mobile devices) that Microsoft Defender for Endpoint has yet to onboard.
• Network devices like routers and switches.
• IoT devices like printers and cameras.

Unknown and unmanaged devices introduce significant risks to a network. It doesn't matter whether it's an unpatched printer, network devices with weak security configurations, or a server with no security controls.

Once the Microsoft Defender for Endpoint device discovery service discovers devices, an organization can:

• Onboard unmanaged endpoints to the service, increasing the security visibility on them.
• Reduce the attack surface by identifying and assessing vulnerabilities, and detecting configuration gaps.

Additional viewing. Select the following link to watch a short video that introduces device discovery.

A security recommendation to onboard devices to Microsoft Defender for Endpoint is also available as part of the Vulnerability Management module.

Discovery methods

An organization can choose the discovery mode its onboarded devices should use. The mode controls the level of visibility you can get for unmanaged devices in your corporate network.

There are two modes of discovery available:

• Basic discovery. In this mode, endpoints passively collect events in a network and extract device information from them. Basic discovery uses the SenseNDR.exe binary for passive network data collection. This mode doesn't initiate network traffic. Endpoints just extract data from the network traffic that an onboarded device sees. With basic discovery, you only gain limited visibility of unmanaged endpoints in your network.
• Standard discovery (recommended). This mode enables endpoints to actively find devices in a network to enrich collected data and discover more devices. This process helps organizations build a reliable and coherent device inventory. In addition to devices that use the passive method, standard mode also applies common discovery protocols that use multicast queries in the network. This process finds even more devices. Standard mode uses smart, active probing to discover more information about observed devices to enrich existing device information. When an organization enables Standard mode, its network monitoring tools can observe minimal and negligible network activity generated by the discovery sensor.

Standard discovery is the default mode for all customers starting July 2021. You can choose to change this configuration to basic through the Settings page. If you choose basic mode, you only gain limited visibility of unmanaged endpoints in your network.

Organizations can change and customize their discovery settings. For more information, see Configure device discovery.

The discovery engine distinguishes between network events received in the corporate network versus outside of the corporate network. The Microsoft Defender for Endpoint device discovery service can't discover devices or list them in the device inventory if the devices don't connect to corporate networks.

Device inventory

The Microsoft Intune admin center lists devices in the device inventory. It does so even if the Microsoft Defender for Endpoint device discovery service discovered the devices, but Microsoft Defender for Endpoint has yet to onboard and secure them.

To assess these devices, you can use a filter in the device inventory list called Onboarding status. This filter can have any of the following values:

• Onboarded. Microsoft Defender for Endpoint onboards the endpoint.
• Can be onboarded. Microsoft Defender for Endpoint discovered the endpoint in the network. It identified the operating system as one supported by Microsoft Defender for Endpoint. However, Microsoft Defender for Endpoint has yet to onboard the device. Microsoft recommends that organizations onboard these devices as soon as possible.
• Unsupported. Microsoft Defender for Endpoint discovered the endpoint in the network, but it doesn't support the endpoint.
• Insufficient information. The system couldn't determine the supportability of the device. Enabling standard discovery on more devices in the network can enrich the discovered attributes.

You can always apply filters to exclude unmanaged devices from the device inventory list. You can also use the onboarding status column on API queries to filter out unmanaged devices.

Additional reading. For more information, see Device inventory.

Network device discovery

The large number of unmanaged network devices deployed in an organization creates a large surface area of attack. They also represent a significant risk to the entire enterprise. Microsoft Defender for Endpoint's network discovery capability helps organizations:

• Discover their network devices.
• Classify their devices accurately.
• Add their devices to their asset inventory.

Microsoft Defender for Endpoint doesn't manage network devices as standard endpoints. Why? Because Microsoft Defender for Endpoint doesn't have a sensor built into the network devices themselves. Instead, these types of devices require an agentless approach where a remote scan obtains the necessary information from the devices. To gather this information, each network segment uses a designated Microsoft Defender for Endpoint device to perform periodic authenticated scans of preconfigured network devices. Microsoft Defender for Endpoint's Vulnerability Management feature then provides integrated workflows to secure the following discovered information:

• switches
• routers
• WLAN controllers
• firewalls
• VPN gateways

Additional reading. For more information, see Network devices.

Device discovery integrations

Microsoft Defender for Endpoint addresses the challenge of gaining enough visibility for organizations to locate, identify, and secure their complete OT/IOT asset inventory. It does so by supporting the following integrations:

• Corelight. Microsoft partnered with Corelight to receive data from Corelight network appliances. This design provides Microsoft Defender XDR with increased visibility into the network activities of unmanaged devices. This visibility includes communication with other unmanaged devices or external networks. For more information, see Enable Corelight data integration.
• Microsoft Defender for IoT. This integration combines the device discovery capabilities within Microsoft Defender for Endpoint with the agentless monitoring capabilities of Microsoft Defender for IoT. This integration secures enterprise IoT devices connected to an IT network. For example, Voice over Internet Protocol (VoIP), printers, and smart TVs. For more information, see Enable Microsoft Defender for IoT integration.

Configure device discovery

As previously noted, organizations can configure device discovery in either of two modes - standard or basic. Organizations should use the standard option to actively find devices in their networks. This option guarantees the discovery of endpoints and provides richer device classification.

An organization can customize the list of devices used to perform standard discovery. It can either:

• Enable standard discovery on all the onboarded devices that also support this capability (currently - Windows 10 or later and Windows Server 2019 or later devices only).
• Select a subset or subsets of your devices by specifying their device tags.

Complete the following steps to set up device discovery:

1. Navigate to the Microsoft Defender portal.
2. In the navigation pane in the Microsoft Defender portal, select Settings, and then select Device discovery.
3. If you want to configure Basic as the discovery mode to use on your onboarded devices, select Basic, and then select Save.
4. If you selected the option to use Standard discovery, select one of the following options to determine which devices to use for active probing:
   • all devices
   • a subset of devices by specifying their device tags
5. Select Save.

Exclude devices from active scanning in standard discovery

Some organizations have devices on their network that Microsoft Defender for Endpoint's device discovery service shouldn't actively scan. For example, devices used as honeypots for another security tool. In these cases, an organization can define a list of exclusions to prevent the scanning of these devices. You can configure the devices to exclude in the Exclusions page.

Select networks to monitor

When Microsoft Defender for Endpoint analyzes a network, it determines if the network is:

• A corporate network that it must monitor.
• A noncorporate network that it can ignore.

To identify a network as corporate, Microsoft Defender for Endpoint correlates network identifiers across all tenant's clients. It assumes the network is a corporate network if most of the devices in the organization connect to the same:

• Network name
• Default gateway
• DHCP server address

Organizations typically choose to monitor their corporate networks. However, you can override this decision by choosing to monitor noncorporate networks containing onboarded devices.

An organization can configure where to perform device discovery. It does so by specifying which networks to monitor. Microsoft Defender for Endpoint can perform device discovery on a monitored network.

The Monitored networks page displays a list of networks where Microsoft Defender for Endpoint can perform device discovery. The list shows the networks identified as corporate networks. If there are more than 50 networks identified as corporate networks, the list shows up to 50 networks with the most onboarded devices.

The Monitored networks page sorts the list of monitored networks based upon the total number of devices seen on the network in the last seven days.

You can apply a filter to view any of the following network discovery states:

• Monitored networks. Networks where Microsoft Defender for Endpoint performs device discovery.
• Ignored networks. Microsoft Defender for Endpoint ignores this network and doesn't perform device discovery on it.
• All. Microsoft Defender for Endpoint displays both monitored and ignored networks.

Configure the network monitor state

Organizations can control where device discovery takes place. Monitored networks are where Microsoft Defender for Endpoint performs device discovery. These networks are typically corporate networks. You can also choose to ignore networks or select the initial discovery classification after modifying a state.

• Selecting the initial discovery classification means to apply the default system-made network monitor state.
• Selecting the default system-made network monitor state means that device discovery:
  • Monitors networks identified as corporate.
  • Ignores networks identified as noncorporate.

Complete the following steps to configure the network monitor state:

1. Navigate to the Microsoft Defender portal.
2. In the navigation pane in the Microsoft Defender portal, select Settings, and then select Device discovery.
3. On the Device discovery page, select Monitored networks.
4. View the list of networks. Select the ellipsis icon (three dots) next to the name of the network that you want to monitor.
5. Choose whether you want to monitor, ignore, or use the initial discovery classification. Keep in mind the following considerations:
   • Choosing to monitor a network that Microsoft Defender for Endpoint didn't identity as a corporate network can cause device discovery outside of your corporate network. As such, it might detect home or other noncorporate devices.
   • Choosing to ignore a network stops monitoring and discovering devices in that network. Microsoft Defender for Endpoint doesn't remove discovered devices from inventory. However, it can no longer update them, and the system retains details until the data retention period of the Microsoft Defender for Endpoint expires.
   • Before choosing to monitor noncorporate networks, you must ensure you have permission to do so.
6. Confirm that you want to make the change.

Explore devices in the network

You can use the following advanced hunting (Kusto) query to get more context about each network name described in the networks list. The query lists all the onboarded devices connected to a certain network within the last seven days.

DeviceNetworkInfo
| where Timestamp > ago(7d)
| where ConnectedNetworks != ""
| extend ConnectedNetworksExp = parse_json(ConnectedNetworks)
| mv-expand bagexpansion = array ConnectedNetworks=ConnectedNetworksExp
| extend NetworkName = tostring(ConnectedNetworks ["Name"]), Description = tostring(ConnectedNetworks ["Description"]), NetworkCategory = tostring(ConnectedNetworks ["Category"])
| where NetworkName == "<your network name here>"
| summarize arg_max(Timestamp, *) by DeviceId

Get information on device

You can use the following advanced hunting (Kusto) query to get the latest complete information on a specific device.

DeviceInfo
| where DeviceName == "<device name here>" and isnotempty(OSPlatform)
| summarize arg_max(Timestamp, *) by DeviceId

Vulnerability assessment on discovered devices

Vulnerabilities and risks on your devices as well as other discovered unmanaged devices in the network are part of the current Threat and Vulnerabilities Management flows under "Security Recommendations." The entity pages across the portal represent these vulnerabilities and risks.

For example, search for "SSH" related security recommendations (SSH stands for Secure Shell, a widely adopted protocol for secure communications over an untrusted network). The purpose of the search is to find SSH vulnerabilities related for unmanaged and managed devices.

Use advanced hunting on discovered devices

Organizations can use advanced hunting queries to gain visibility on discovered devices. Find details about discovered devices in the DeviceInfo table, or network-related information about those devices in the DeviceNetworkInfo table.

Run the following query on the DeviceInfo table to return all discovered devices. The results also display the latest details for each device.

DeviceInfo
| summarize arg_max(Timestamp, *) by DeviceId // Get latest known good per device ID
| where isempty(MergedToDeviceId) // Remove invalidated/merged devices
| where OnboardingStatus != "Onboarded"

By invoking the SeenBy function in your advanced hunting query, you can get details on which onboarded device saw a discovered device. This information can help determine the network location of each discovered device. It can then help to identify it in the network.

DeviceInfo
| where OnboardingStatus != "Onboarded"
| summarize arg_max(Timestamp, *) by DeviceId 
| where isempty(MergedToDeviceId) 
| limit 100
| invoke SeenBy()
| project DeviceId, DeviceName, DeviceType, SeenBy

Query network related information

Device discovery uses Microsoft Defender for Endpoint onboarded devices as a network data source to attribute activities to nononboarded devices. The network sensor on the Microsoft Defender for Endpoint onboarded device identifies two new connection types:

• ConnectionAttempt. An attempt to establish a TCP connection.
• ConnectionAcknowledged. An acknowledgment the network accepted a TCP connection.

When a nononboarded device attempts to communicate with an onboarded Microsoft Defender for Endpoint device, the attempt will:

• generate a DeviceNetworkEvent.
• display the nononboarded device activities on the onboarded device timeline and through the Advanced hunting DeviceNetworkEvents table.

You can try this example query:

DeviceNetworkEvents
| where ActionType == "ConnectionAcknowledged" or ActionType == "ConnectionAttempt"
| take 10