Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

M365 Defender - Network Discovery

Brass Contributor

Good afternoon gurus and professionals.

 

I have been stuffing around in a test tenant for about 2 years.

 

I have noticed as of late last month that the network discovery agent on one of my corporate laptops within my tenant has been a busy bee, scanning my network and upsetting my firewall.  So much so I have sent my information to my firewall manufacturer to inform them of a vulnerability it found.

 

Since my test tenant is mainly behind the home router, its found my Ubiquiti Wi-Fi, my firewall, all my smart TVs, google speakers and of course all my endpoints.  If I had a smart fridge, garage door and so on, it would of found those as well.

 

 

However my question is this.

 

Having a look at the API and the portal there is no way to rename the devices that this scan engine is discovering (love this its doing great - a one on one match with the firewall).

 

This is a serious issue in IMHO.   How is everyone else dealing with this.

 

HOW are you Microsoft boffins dealing with this?.  I am assuming that the scanning agent on which only one of my devices it still survives (corporate), the other has been terminated by a system reset, but this is not registered either (another problem), the portal doesn't keep a dynamic list of live agents).

 

Yes I'm aware this is in preview but in the following order my feedback is this.

1.  I cant rename devices it finds (in a large enterprise this would be a nightmare).  Yes I checked the API documentation and my conclusion is no.

2.  It doesn't keep a dynamic list of devices with the agents installed.  I've factory reset one (for Uni) switching it from corporate to personal so I can offboard it at leisure (nothing worse than MSDE vetting your Kali VM).

 

Any feedback is appreciated, so if you have taken the time to read this post, can you please add a comment (I concur, no you don't know what your doing etc.. etc..)

 

On a side note I enabled the logging via PowerShell for Firewall reporting this morning WAST.  Cant wait to see how that works (read the appropriate blogs, documentation etc...)

 

 

Yours Sincerely

Leon Scott

Hobbyist and loving what I'm learning.

 

 

 

3 Replies
Love what you're doing here Leon, can't wait to see the reply

Hey @David_Caddick, really appreciate the insight and feedback!

When your refer to a needed dynamic list of live agents, that can be identified by going into the "device inventory" then filtering by "onboarding status = onbarded" (has MDE) then looking at last seen attribute or health state  (see more here Device discovery overview | Microsoft Docs \ View and organize the Microsoft Defender for Endpoint devices list | Microsoft Docs).
The goal, which was built of course for large organizations, is to reduce the need in keeping and maintaining a list of scanning agents rather having Microsoft provide this as an out of the box service which you do not need to manage given MDE being widely deployed.

On renaming a device - that is currently not possible, that said we do track this a a top customer ask and are looking forward to make that happen :)

On offboarding devices - we are able to track devices and if a device have been offboarded we will change the entity "onboarding status" field to the right one 
If that is not the case on your tenant, mind sharing the orgid and the deviceid over email?
Yobasha@microsoft.com  

Thanks :)
Yossi.

Hi @yossi, you'd best follow up with Leon @braedachau as he was the one that had the queries to start with