Merge pull request #143 from miashapan/patch-1

Update device-discovery-faq.md

Author: denisebmsft

defender-endpoint/device-discovery-faq.md

@@ -15,7 +15,7 @@ ms.collection:
 - tier3
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 03/23/2021
+ms.date: 11/12/2024
 ---
 
 # Device discovery frequently asked questions
@@ -65,11 +65,54 @@ The discovery engine distinguishes between network events that are received in t
 ## What protocols are you capturing and analyzing?
 
 By default, all onboarded devices running on Windows 10 version 1809 or later, Windows 11, Windows Server 2019, or Windows Server 2022 are capturing and analyzing the following protocols:
-ARP, CDP, DHCP, DHCPv6, IP (headers), LLDP, LLMNR, mDNS, MNDP, MSSQL, NBNS, SSDP, TCP (SYN headers), UDP (headers), WSD
+
+- ARP
+- CDP
+- DHCP
+- DHCPv6
+- IP (headers)
+- LLDP
+- LLMNR
+- mDNS
+- MNDP
+- MSSQL
+- NBNS
+- SSDP
+- TCP (SYN headers)
+- UDP (headers)
+- WSD
 
 ## Which protocols do you use for active probing in Standard discovery?
 When a device is configured to run Standard discovery, exposed services are being probed by using the following protocols:
-ARP, FTP, HTTP, HTTPS, ICMP, LLMNR, NBNS, RDP, SIP, SMTP, SNMP, SSH, Telnet, UPNP, WSD, SMB, NBSS, IPP, PJL, RPC, mDNS, DHCP, AFP, CrestonCIP, IphoneSync, WinRM, VNC, SLP, LDAP
+
+- AFP
+- ARP
+- DHCP
+- FTP
+- HTTP
+- HTTPS
+- ICMP
+- IphoneSync
+- IPP
+- LDAP
+- LLMNR
+- mDNS
+- NBNS
+- NBSS
+- PJL
+- RDP
+- RPC
+- SIP
+- SLP
+- SMB
+- SMTP
+- SNMP
+- SSH
+- Telnet
+- UPNP
+- VNC
+- WinRM
+- WSD
 
 In addition, device discovery might also scan other commonly used ports to improve classification accuracy & coverage.
 
@@ -91,6 +134,7 @@ Devices will actively be probed when changes in device characteristics are obser
 ## My security tool raised alert on UnicastScanner.ps1 / PSScript_{GUID}.ps1 or port scanning activity initiated by it, what should I do?
 
 The active probing scripts are signed by Microsoft and are safe. You can add the following path to your exclusion list:
+
 `C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\*.ps1`
 
 ## What is the amount of traffic being generated by the Standard discovery active probe?
@@ -101,7 +145,7 @@ Active probing can generate up to 50Kb of traffic between the onboarded device a
 
 You may notice differences between the number of listed devices under "can be onboarded" in the device inventory, "onboard to Microsoft Defender for Endpoint" security recommendation, and "devices to onboard" dashboard widget.
 
- The security recommendation and the dashboard widget are for devices that are stable in the network; excluding ephemeral devices, guest devices and others. The idea is to recommend on persistent devices that also imply on the overall security score of the organization.
+The security recommendation and the dashboard widget are for devices that are stable in the network; excluding ephemeral devices, guest devices and others. The idea is to recommend on persistent devices that also imply on the overall security score of the organization.
 
 ## Can I onboard unmanaged devices that were found?
 
@@ -138,4 +182,5 @@ The device discovery capabilities have been built to only discover and identify
 ### You can exclude network lures from active probing
 
 Standard discovery supports exclusion of devices or ranges (subnets) from active probing. If you have network lures deployed in place, you can use the Device Discovery settings to define exclusions based on IP addresses or subnets (a range of IP addresses). Defining those exclusions ensure that those devices won't be actively probed and won't be alerted. Those devices are discovered using passive methods only (similar to Basic discovery mode).
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]