EDR for Linux is now available in public preview

Published Nov 17 2020 09:07 AM 25.2K Views

Update: EDR for Linux is now generally available as of January 11, 2021. 


Today, we are excited to announce the public preview of endpoint detection and response (EDR) capabilities in Microsoft Defender for Endpoint on Linux servers.


With the new Linux EDR capabilities, Defender for Endpoint customers will have the ability to detect advanced attacks that involve Linux servers, utilize rich experiences, and quickly remediate threats. This builds on the existing preventative antivirus capabilities and centralized reporting available via the Microsoft Defender Security Center.





Linux EDR preview scope


Microsoft Defender for Endpoint on Linux supports recent versions of the six most common Linux server distributions:

  • RHEL 7.2+
  • CentOS Linux 7.2+
  • Ubuntu 16 LTS, or higher LTS
  • SLES 12+
  • Debian 9+
  • Oracle Linux 7.2



With Defender for Endpoint EDR capabilities for Linux, your security team can immediately start benefiting from:


  1. Rich investigation experience – including machine timeline, process creation, file creation, network connections, login events and, of course, the popular advanced hunting.
  2. Optimized performance – enhanced CPU utilization in compilation procedures and large software deployments.
  3. In-context AV detections – just like with Windows, get insight into where a threat came from and how the malicious process or activity was created.






Getting started with Linux EDR preview


To get started with Microsoft Defender for Endpoint public preview capabilities, we encourage customers to turn on preview features in Microsoft Defender Security Center.


If you’re already running Microsoft Defender for Endpoint on Linux, we recommend that you configure some of your Linux servers to Preview mode, by applying the following command on the device:


$ sudo mdatp edr early-preview enable 


Please make sure you are running version 101.12.99 or higher. The version can be found in the output of “mdatp health”.


If you are new to Microsoft Defender for Endpoint on Linux, learn how to get started by visiting our documentation and then enable the preview mode as explained above.


Experience Linux EDR with simulated attack

To test out the functionalities of EDR for Linux, follow the steps below to simulate a detection on your Linux server and investigate the case. Please share your feedback with us!

  1. Verify that the onboarded Linux server appears in Microsoft Defender Security Center. If this is the first onboarding of the machine, it can take up to 20 minutes until it appears. 
  2. Download and extract the script file from here aka.ms/LinuxDIY to an onboarded Linux server and run the following command: “./mde_linux_edr_diy.sh”
  3. After a few minutes, should be raised in Microsoft Defender Security Center.
  4. Look at the alert details, machine timeline, and perform your typical investigation steps.




Help us innovate Microsoft Defender for Endpoint on Linux

We are very excited to share today’s Linux EDR preview news with you and your feedback is highly valuable to us! Join us on the journey to enhance Microsoft Defender for Endpoint on Linux. Try the new Linux EDR capabilities and You can submit feedback by joining the discussion below or by clicking on the ‘send a smile/frown’ icon on the top right corner of the security center.








If you’re not yet taking advantage of Microsoft’s industry leading optics and detection capabilities, sign up for a free trial of Microsoft Defender for Endpoint today.



Tomer Hevlin

Microsoft Defender for Endpoint Team

Version history
Last update:
‎Jun 04 2021 03:53 PM
Updated by: