Microsoft 365 Defender | Network device discovery

3 min readJul 28, 2021

Microsoft Defender for Endpoint (MDE) is an integrated platform that provides Endpoint Protection Platform (EPP), Endpoint Detection Response (EDR) and Threat and Vulnerability Management (TVM) for endpoints.

Microsoft Defender for Endpoint (MDE) is part of the Microsoft 365 Defender (M365D) ecosystem.

The Endpoint discovery feature detects (agent-less where all MDE devices can act as probe) unprotected (Windows, Mac, iOS and Android) devices connected to the corporate network, more info available at Microsoft 365 — Endpoint Discovery | by Derk van der Woude | Medium

The Network device discovery is the 2nd discovery feature which detects network devices (routers, switches and WLAN controllers) and vulnerabilities via the SNMP (Simple Network Management Protocol) protocol.

Why we need network device discovery

While the computer(s) and mobile device(s) are often protected and updated with the latest software patches to protect against vulnerability exploits. Network devices are also connected to the same corporate network but not always patched and protected / monitored.

A good example is the Bangladesh Bank heist in 2016 where almost $951 million was stolen via a $10 router.

Architecture and setup

Network device discovery requires a dedicated Microsoft Defender for Endpoint client to discover network devices on corporate network IP-address or ranges via SNMP (Simple Network Management Protocol).

Download scanner

The first step is to download the scanner and install on the dedicated endpoint.

During installation, a command prompt window will open, follow the instructions to go to the Microsoft website and authenticate.

A MDATP Network Scan Agent is installed and started.

Network assessment job

The second step is to Add network assessment job.

Add a name, select the dedicated device and IP-address or range. The Authentication protocol is required for communication with the scanning device and the network device.

The easiest type is community string (shared password).

Run scan test is an option to verify communication between the devices.

Network device inventory

After a while discovered devices will be visible in the Device inventory section (~2 hours after the assessment job)

The network devices will be visible in the Device inventory section of Microsoft 365 Defender (and Microsoft Defender for Endpoint).

Vulnerabilities on network devices (e.g. outdated software) is visible in the device- and TVM (Threat and Vulnerability Management) section.

Disclaimer: my Cisco SG250 (managed switch with SPAN port which I used for Microsoft Defender for IoT) is not supported yet; the version is not visible and without software version it’s not possible to detect vulnerabilities.

See https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-devices?view=o365-worldwide for more information (e.g supported O.S., assessment job limitations, etc.)