Microsoft 365 - Endpoint Discovery

Microsoft Defender for Endpoint (MDE) is an integrated platform that provides Endpoint Protection Platform (EPP), Endpoint Detection Response (EDR) and Threat and Vulnerability Management (TVM) for endpoints.

Microsoft Defender for Endpoint is part of the Microsoft 365 Defender ecosystem.

All common enterprise O.S. (Operating Systems) are supported like computer (Mac & Windows), server (Windows & Linux) and mobile (Android & iOS) operating systems.

MDE protects managed endpoints via detecting (and responding to) advanced attacks like zero-days or fileless attacks for example. Unlike most solutions that generate many Alerts related to the same attack, MDE correlates the Alerts from unique attacks into what Microsoft calls an Incident which benefit from automated investigation and responses saving analysts much time.

Endpoint Discovery

A new feature of MDE is Endpoint Discovery. Endpoint Discovery allows discovery of unmanaged endpoints in the corporate network including a new security recommendations to onboard the unmanaged endpoints to protect the endpoints (EDR) and to reduce the risk of exploitation (TVM).

There are two discovery modes, Basic discovery (passive probing) and Standard discovery (active probing), which can be set in the Microsoft 365 Defender portal (Settings -> Endpoint discovery).

Standard discovery is highly recommended so MDE endpoints can actively probe for endpoints in the corporate network to enrich collected data (if passive mode is selected, there will be limited visibility of unmanaged endpoints in the network).

Additional there are three extra options in the discovery settings:

  • Tags assigns dedicated endpoints as probes (e.g. scoped deployment), instead of all endpoints, the ‘all devices’ setting is default and the recommended setting.
  • Exclusions adds IP-addresses or subnets to exclude from Standard discovery, for example highly sensitive devices. Basic discovery is always enabled.
  • Monitored networks provides an overview of Monitored networks (and the option to enable unmonitored networks that did not meet the enterprise network requirements).

Enterprise endpoints are connected to the enterprise network (in the Office or via VPN), but the same endpoints are also connected to home networks. The system automatically identifies enterprise networks via Microsoft internal logic.

Endpoints overview

New MDE endpoints that are discovered in the network and ‘can be onboarded’ to MDE are listed in the Endpoint tab of Device inventory.

The exposure level will be explained in a later chapter (vulnerability management). A new attribute called OnboardingStatus has been added to the scheme (filter option in the GUI above).

  • Onboarded are endpoints are managed by MDE
  • Can be onboarded are discovered endpoints not managed by MDE
  • Unsupported are discovered endpoints not supported (e.g. not supported O.S.) by MDE
  • Insufficient Info are discovered endpoints but not enough information is available (e.g. deprecated endpoints)

The OnboardingStatus indicates of a endpoint is onboarded or ‘can be onboarded’ (supported and unsupported endpoints).

Advanced hunting

Advanced hunting can be used to query the DeviceInfo table in the Advanced hunting section and search for unmanaged endpoints, the output of the query below shows the ‘Can be onboarded’ endpoints.

| where Timestamp > ago(7d)
| summarize arg_max(Timestamp, *) by DeviceId
| where OnboardingStatus == ‘Can be onboarded’
| distinct (DeviceName), DeviceId, OSPlatform, OSVersion, ReportId ,Timestamp

Create detection rule from the query above to get an incident notification if a new unmanaged endpoint is detected.

This incident will be integrated in the Microsoft 365 Defender and/or Azure Sentinel for the SOC (Security Operations Center) to triage the ‘incident’.

Another addition is the DeviceNetworkEvents - ActionType, it indicates if a unmanaged endpoint communicates (successful or attempt) with a managed endpoints, this might indicate an attack (reconnaissance or exploit)

| where ActionType == “ConnectionAcknowledged” or ActionType == “ConnectionAttempt”
| project DeviceName, LocalIP, RemoteIP, LocalPort, Protocol, ActionType

The output shows the name of the unmanaged endpoint, the source (local) and destination (remote) IP address and port used for the communication.

Vulnerability Management

Vulnerabilities are weaknesses in a system that can be exploited (more easily is a public exploit is available). A discovered unmanaged endpoint has an exposure level of low, this level indicates the vulnerability level (level of exposure to exploits) of the endpoint.

The Device inventory page shows the security recommendation from the exposure level of the unmanaged endpoint.

If a endpoint is onboarded to MDE, the TVM module shows insights in software vulnerabilities (e.g. outdated software with public exploit available) and security settings (e.g. Attack Surface Reduction rules).

Microsoft 365 Security portal

The Microsoft 365 Defender portal highlights discovered endpoints.

  • Devices discovered in your organization — Summarizes discovered unmanaged endpoints distribution by device type.
  • Devices discovered in the last 7 days — Summarizes the number of new endpoints recently discovered.
  • Discovered devices to onboard — Presents the number of discovered supported endpoints that were not onboarded to Microsoft Defender for Endpoint.

The Endpoint Discovery feature is new feature to protect unmanaged endpoints and to detect possible attacks to managed endpoints in an early stage of an attack.

Also check out the new MDE Network discovery feature.

Chief Technology Officer @ Nedscaper