We are excited to announce the public preview of device isolation for Microsoft Defender for Endpoint on Linux devices, available both manually through the Microsoft 365 Defender portal and programmatically through the Defender for Endpoint APIs.
Some attack scenarios may require you to isolate a device from the network. This action helps prevent the attacker from controlling the compromised device and performing further activities such as data exfiltration and lateral movement. Just as on Windows devices, device isolation disconnects the compromised Linux device from the network while retaining connectivity to the Defender for Endpoint service, so the device continues to be monitored and can still receive response actions (including the release from isolation).
Important to note:
When a device is isolated, only certain processes and web destinations are allowed. A device whose traffic all flows through a full VPN tunnel will therefore lose its path to the Microsoft Defender for Endpoint cloud service once isolated, because the tunnel itself is not among the allowed destinations. We recommend using a split-tunneling VPN configuration that excludes Microsoft Defender for Endpoint and Microsoft Defender Antivirus cloud-based protection traffic from the tunnel.
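The announcement says isolation can be driven through the APIs, and the note above describes the failure mode a responder has to watch for (a device that never reaches the cloud service cannot complete the action). The following is an added example, not code from the original post or from Microsoft: it builds the Isolate, Unisolate and action-status requests of the Defender for Endpoint Machine Actions API as the author understands the public API reference (paths under `https://api.securitycenter.microsoft.com/api`, a `Comment` plus `IsolationType` body, and an asynchronous MachineAction record with a `status` field), then polls until the action reaches a terminal state. The device ID, action ID, bearer token and the replayed responses are constructed placeholders; the HTTP transport is injectable so the flow runs offline.

```python
"""Isolate a Linux device with the Defender for Endpoint Machine Actions API.

Added example, not code from the original announcement. Endpoint paths,
request bodies and the MachineAction fields follow the public Defender for
Endpoint API reference as the author understands it; device IDs, tokens and
the sample responses below are constructed placeholders.
"""
import json
import time
import urllib.request
from typing import Callable, Dict, List, Optional

API_BASE = "https://api.securitycenter.microsoft.com/api"
# Documented terminal states of a MachineAction; anything else means "still running".
TERMINAL_STATES = {"Succeeded", "Failed", "Cancelled", "TimeOut"}

# A transport turns a prepared Request into the decoded JSON body. Injecting it
# keeps the logic testable without a tenant (see fake_transport below).
Transport = Callable[[urllib.request.Request], Dict]


def http_transport(req: urllib.request.Request) -> Dict:
    """Default transport: send the request and decode the JSON reply."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _request(path: str, token: str, method: str,
             body: Optional[Dict] = None) -> urllib.request.Request:
    data = json.dumps(body).encode() if body is not None else None
    return urllib.request.Request(
        f"{API_BASE}{path}", data=data, method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})


def build_isolate_request(device_id: str, token: str, comment: str,
                          isolation_type: str = "Full") -> urllib.request.Request:
    """POST /machines/{id}/isolate. "Full" drops all traffic except the
    Defender for Endpoint cloud channel, which is what the announcement describes."""
    if isolation_type not in ("Full", "Selective"):
        raise ValueError("IsolationType must be 'Full' or 'Selective'")
    if not comment.strip():
        raise ValueError("Comment is mandatory; record the incident or case reference")
    return _request(f"/machines/{device_id}/isolate", token, "POST",
                    {"Comment": comment, "IsolationType": isolation_type})


def build_unisolate_request(device_id: str, token: str, comment: str) -> urllib.request.Request:
    """POST /machines/{id}/unisolate releases the device once triage is done."""
    return _request(f"/machines/{device_id}/unisolate", token, "POST", {"Comment": comment})


def build_action_status_request(action_id: str, token: str) -> urllib.request.Request:
    """GET /machineactions/{id}: machine actions are asynchronous, so poll this."""
    return _request(f"/machineactions/{action_id}", token, "GET")


def isolate_and_wait(device_id: str, token: str, comment: str,
                     transport: Transport = http_transport, poll_interval: float = 5.0,
                     max_polls: int = 24, sleep: Callable[[float], None] = time.sleep) -> Dict:
    """Submit the isolation and poll until it reaches a terminal state.

    Raises RuntimeError if the action did not succeed within the polling budget,
    the case a responder must notice (for example a device behind a full-tunnel
    VPN that never receives the command)."""
    action = transport(build_isolate_request(device_id, token, comment))
    action_id, status = action["id"], action["status"]
    polls = 0
    while status not in TERMINAL_STATES and polls < max_polls:
        sleep(poll_interval)
        status = transport(build_action_status_request(action_id, token))["status"]
        polls += 1
    if status != "Succeeded":
        raise RuntimeError(f"isolation action {action_id} ended in state {status}")
    return {"action_id": action_id, "device_id": device_id, "status": status}


def fake_transport(script: List[Dict]) -> Transport:
    """Offline transport that replays constructed MachineAction replies in order
    and records every request (method, URL, decoded body) on transport.seen."""
    replies = list(script)
    seen: List = []

    def transport(req: urllib.request.Request) -> Dict:
        seen.append((req.get_method(), req.full_url,
                     json.loads(req.data) if req.data else None))
        return replies.pop(0)
    transport.seen = seen  # type: ignore[attr-defined]
    return transport


def demo():
    """Happy path against constructed replies: Pending -> InProgress -> Succeeded."""
    device = "0123456789abcdef0123456789abcdef01234567"           # constructed device ID
    action_id = "a1b2c3d4-0000-4000-8000-000000000001"            # constructed action ID
    script = [{"id": action_id, "type": "Isolate", "status": s, "machineId": device}
              for s in ("Pending", "InProgress", "Succeeded")]
    transport = fake_transport(script)
    result = isolate_and_wait(device, "placeholder-token", "Incident 42: suspected exfil",
                              transport=transport, sleep=lambda _s: None)
    return result, transport.seen  # type: ignore[attr-defined]


def demo_failed_action() -> str:
    """Failure path: the service reports the action Failed; caller gets a RuntimeError."""
    transport = fake_transport([{"id": "deadbeef", "type": "Isolate", "status": "Failed"}])
    try:
        isolate_and_wait("dev", "placeholder-token", "Incident 42", transport=transport,
                         sleep=lambda _s: None)
    except RuntimeError as exc:
        return str(exc)
    return "no error raised"


if __name__ == "__main__":
    print(demo())
    print(demo_failed_action())
```

In production replace `fake_transport` with the default `http_transport` and obtain the bearer token through your tenant's usual OAuth client-credentials flow; the comment you pass is recorded on the machine action, so cite the incident there. Release the device with `build_unisolate_request` when triage is complete.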
We are excited to bring this feature to you and your security teams. Try it out today and let us know what you think in the comments below! We take all feedback into account as we work to continue to improve your security experience in Microsoft Defender for Endpoint.