EDR for Linux is now generally available
Published Jan 11 2021 10:44 AM

We are excited to announce that endpoint detection and response (EDR) capabilities in Microsoft Defender for Endpoint on Linux servers are now generally available.


Over the course of the last year, Microsoft Defender for Endpoint was extended to support all major platforms (Windows, Linux, macOS, Android, and iOS). Today we are taking the next step by adding endpoint detection and response (EDR) for Linux. EDR is essential for navigating today’s Linux threat landscape.


The full set of preventive capabilities and detection and response capabilities in Microsoft Defender for Endpoint (Linux) is supported across the six most common Linux server distributions:

  • RHEL 7.2+
  • CentOS Linux 7.2+
  • Ubuntu 16 LTS, or higher LTS
  • SLES 12+
  • Debian 9+
  • Oracle Linux 7.2

The Linux solution can be deployed and configured using Puppet, Ansible, or your existing Linux configuration management tool.


Our customers have joined us on this evolution and given us feedback at every step of the way. For this, we are truly grateful and look forward to the continued partnership.



“The upcoming release is an amazing milestone providing us a 360 view on all our platforms for our threat hunting strategy”

  • Guy Fridman, Head Of Security Operation And Response  


Detections with context


About 6 months ago, we announced the availability of Microsoft Defender for Endpoint (Linux) with preventive antivirus capabilities. Customers can better protect Linux servers, get these devices onboarded in the same portal as their Windows, macOS, and mobile devices, and expand the single pane of glass experience to include Linux-related alerts. With the newly enabled EDR support, security operations can view detections with even richer context. The below device timeline example demonstrates this enriched capability.




The timeline tab includes information about process creation, network connections, file creations and login events.


In the Microsoft Defender for Endpoint (Linux) EDR public preview announcement, we also discussed the post-breach detection capability with an example scenario that customers can use to experience the feature. The below “Suspicious process launched from a world-writable directory” alert is another post-breach detection example.




Unified investigation experience


The timeline is just one piece of the investigation story. Microsoft Defender for Endpoint’s popular advanced hunting tool allows customers to perform free-form investigations using a powerful query engine and an ever-growing set of useful shared queries. Now, customers can use this capability to search for threats across Linux servers, exploring up to 30 days of raw data.




The well-designed architecture also seamlessly enables custom detections on top of the advanced hunting capabilities.


The rest of the investigation experience, such as the hyperlinked exploration between the different monitored entities, is consistent with the familiar experience for Windows devices. The monitored entities (e.g. files, processes, network connections, alerts) are available for exploration on Linux devices. Here are a few examples:


File page



IP Address Page




How to get started


Microsoft Defender for Endpoint (Linux) requires the Servers license. You can find this information in our product terms. Please reach out to your account team for more information and eligibility.


To get started, visit our documentation. If you are already evaluating the public preview of Microsoft Defender for Endpoint (Linux) EDR, make sure you update the agent to released version 101.18.53 or higher.


If you are already running Microsoft Defender for Endpoint (Linux) preventive AV in production, your devices will seamlessly receive the new EDR capability as soon as you update the agent to version 101.18.53 or higher.


If you’re not yet taking advantage of Microsoft’s industry-leading security optics and detection capabilities for endpoints, sign up for a free trial of Microsoft Defender for Endpoint today.


Microsoft Defender for Endpoint team





Last update: Jun 10 2021 11:08 AM