Microsoft Previews Linux Endpoint Detection And Response Capabilities
Microsoft has announced today the public preview of endpoint detection and response (EDR) capabilities on Linux servers running Microsoft Defender Advanced Threat Protection (ATP) — now known as Microsoft Defender for Endpoint.
The addition of EDR capabilities provides security analysts with the ability to spot attacks involving Linux servers in their environments almost in real-time via alerts automatically aggregated as incidents based on attacker attribution and techniques.
“This builds on the existing preventative antivirus capabilities and centralized reporting available via the Microsoft Defender Security Center,” Microsoft Senior Product Manager Tomer Hevlin said.
Microsoft Defender for Endpoint’s Linux EDR capabilities provide admins with:
• Rich investigation experience: including machine timeline, process creation, file creation, network connections, login events and, of course, the popular advanced hunting.
• Optimized performance: enhanced CPU utilization in compilation procedures and large software deployments.
• In-context AV detections: just like with Windows, get insight into where a threat came from and how the malicious process or activity was created.
Support for Linux devices
Microsoft Defender for Endpoint was made generally available for enterprise customers with Linux devices earlier this year, in June.
On Linux endpoints, it comes in the form of a command-line product that will send all detected threats to the Microsoft Defender Security Center.
Admins with licenses for servers can deploy and configure it on Linux devices with the help of Ansible or Puppet, as well as with any existing Linux configuration management tool.
At the moment, EDR capabilities are available on the Linux server distributions supported by Microsoft Defender for Endpoint, including RHEL 7.2+, CentOS Linux 7.2+, Ubuntu 16 LTS or a later LTS release, SLES 12+, Debian 9+, and Oracle Linux 7.2.
Trying Linux EDR in public preview
To get started with Microsoft Defender for Endpoint’s public preview EDR capabilities, customers have to enable preview features in Microsoft Defender Security Center.
Those who are already running Microsoft Defender for Endpoint on Linux can go straight to switching their Linux servers to preview mode by running the following command on each machine:
$ sudo mdatp edr early-preview enable
Before getting started with Linux EDR preview, you will first have to make sure that the Linux servers you want to enable the new capabilities on are running Microsoft Defender for Endpoint version 101.12.99 or higher.
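The two steps above (confirm the agent is at least version 101.12.99, then run the enable command) can be wrapped in a small guard so the preview is never switched on for an agent that is too old. The script below is an added example written for this article; it is not Microsoft's tooling. It assumes that `mdatp health --field app_version` prints the installed agent version as a quoted string such as "101.12.99", and that the `mdatp` binary is only present on hosts where Microsoft Defender for Endpoint is installed. The numeric comparison in version_ge is deliberate: a lexical comparison would wrongly rank 101.9.99 above 101.12.99.

```shell
#!/bin/sh
# Added example, not part of the article or of Microsoft's own tooling.
# Gate `mdatp edr early-preview enable` on the minimum agent version named
# in the article (101.12.99).

MIN_VERSION="101.12.99"   # minimum agent version stated in the article

# version_ge A B: exit 0 if dotted version A >= B, 1 otherwise.
# Compares three numeric components; a missing component counts as 0.
# Components are expected to be plain integers (no "-rc1" style suffixes).
version_ge() {
    _a=$1
    _b=$2
    _old_ifs=$IFS
    IFS=.
    set -- $_a
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $_b
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$_old_ifs
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# installed_version: print the running agent version, or fail if mdatp
# is not installed. ASSUMPTION: `mdatp health --field app_version` prints
# the version as a quoted string; the quotes are stripped here.
installed_version() {
    command -v mdatp >/dev/null 2>&1 || return 1
    mdatp health --field app_version 2>/dev/null | tr -d '"'
}

# enable_linux_edr_preview: run the article's enable command only when the
# installed agent meets the minimum version.
enable_linux_edr_preview() {
    v=$(installed_version) || {
        echo "mdatp is not installed on this host" >&2
        return 2
    }
    if version_ge "$v" "$MIN_VERSION"; then
        echo "mdatp $v >= $MIN_VERSION, enabling EDR early preview"
        sudo mdatp edr early-preview enable
    else
        echo "mdatp $v is older than $MIN_VERSION; update the agent first" >&2
        return 3
    fi
}

# Only touch the agent when explicitly asked to, e.g.:
#   sh enable_edr_preview.sh --enable
if [ "${1:-}" = "--enable" ]; then
    enable_linux_edr_preview
fi
```

Run it with `--enable` on each server after enabling preview features in the Microsoft Defender Security Center; without the flag it only defines the functions, which is useful for sourcing it from a configuration-management wrapper such as an Ansible or Puppet task.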
More info on how to quickly simulate attacks using EDR for Linux and about providing feedback can be found here.