Defender Remote Port Connection Sequence

Why does Defender regularly attempt to connect devices within the same subnet, using this port sequence: 106, 111, 515, 623, 660, 808, 1433, 1434, 1521, 1720, 2049, 2869, 3283, 3306, 5040, 5357, 500...

investigation

microsoft defender for endpoint

microsoft defender for office 365

threat hunting

StephanGee
Oct 10, 2022
Could be this feature
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/device-discovery?view=o365-worldwide

Jonhed

Iron Contributor

Oct 10, 2022

By default, all devices run device discovery.
If you want to limit the devices that run this, you need to specify a device-tag to use and then set it on the devices you want.

CodnChips

Brass Contributor

Oct 11, 2022

Thanks Jonhed - I've confirmed the setting is Standard and also saw the Tag function you mention. Thanks for your input & contribution.

Forum Discussion

Defender Remote Port Connection Sequence

Resources