Microsoft Defender for Endpoint Blog

EDR for Linux is now generally available

Tomer_Hevlin
Microsoft
Jan 11, 2021
 

We are excited to announce that endpoint detection and response (EDR) capabilities in Microsoft Defender for Endpoint on Linux servers are now generally available.

 

Over the course of the last year, Microsoft Defender for Endpoint was extended to support all major platforms (Windows, Linux, macOS, Android, and iOS). Today we are taking the next step by adding endpoint detection and response (EDR) for Linux. EDR is essential for navigating today’s Linux threat landscape.

 

The full set of Microsoft Defender for Endpoint (Linux) preventive and detection and response capabilities is supported across the six most common Linux server distributions:

  • RHEL 7.2+
  • CentOS Linux 7.2+
  • Ubuntu 16 LTS, or higher LTS
  • SLES 12+
  • Debian 9+
  • Oracle Linux 7.2

The Linux solution can be deployed and configured using Puppet, Ansible, or your existing Linux configuration management tool.

 

Our customers have joined us on this evolution and given us feedback at every step of the way. For this, we are truly grateful and look forward to the continued partnership.

 

“The upcoming release is an amazing milestone providing us a 360 view on all our platforms for our threat hunting strategy.”

  • Guy Fridman, Head of Security Operation and Response

 

Detections with context

 

About 6 months ago, we announced the availability of Microsoft Defender for Endpoint (Linux) with preventive antivirus capabilities. Customers can better protect Linux servers, get these devices onboarded in the same portal as their Windows, macOS, and mobile devices, and expand the single pane of glass experience to include Linux-related alerts. With the newly enabled EDR support, security operations can view detections with even richer context. The below device timeline example demonstrates this enriched capability.

 

 

The timeline tab includes information about process creation, network connections, file creations and login events.

 

In the Microsoft Defender for Endpoint (Linux) EDR public preview announcement, we also discussed the post-breach detection capability with an example scenario that customers can use to experience the feature. The below “Suspicious process launched from a world-writable directory” alert is another post-breach detection example.

 

 

Unified investigation experience

 

The timeline is just one piece of the investigation story. Microsoft Defender for Endpoint’s popular advanced hunting tool allows customers to perform free-form investigations using a powerful query engine and an ever-growing set of useful shared queries. Now, customers can use this capability to search for threats across Linux servers, exploring up to 30 days of raw data.

 

 

The well-designed architecture also seamlessly enables custom detections on top of the advanced hunting capabilities.
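As an added example that is not part of the original post or Microsoft's documentation, the following advanced hunting query (KQL) shows how the behaviour behind the “Suspicious process launched from a world-writable directory” alert could be hunted for across Linux servers and then saved as a custom detection rule. Table and column names are from the Defender for Endpoint advanced hunting schema; the lookback, the directory list and the exclusion list are assumptions to tune for your environment.

```kusto
// Added example: processes launched from world-writable directories on Linux servers.
// Assumptions: lookback window, the directory list and the exclusions below.
let lookback = 30d;                        // the page notes up to 30 days of raw data
DeviceProcessEvents
| where Timestamp > ago(lookback)
// Restrict to Linux devices; DeviceInfo has many rows per device, so de-duplicate first.
| join kind=inner (
    DeviceInfo
    | where OSPlatform == "Linux"
    | distinct DeviceId
  ) on DeviceId
// Directories that are world-writable by default on most distributions (assumed list).
| where FolderPath startswith "/tmp/"
     or FolderPath startswith "/var/tmp/"
     or FolderPath startswith "/dev/shm/"
// Assumed exclusion list: package tooling that legitimately stages binaries in /tmp.
| where not(InitiatingProcessFileName in~ ("apt", "dpkg", "yum", "rpm"))
// Timestamp, DeviceId and ReportId must be in the output for a custom detection rule.
| project Timestamp, DeviceId, DeviceName, AccountName, FolderPath, FileName,
          ProcessCommandLine, InitiatingProcessFileName,
          InitiatingProcessCommandLine, ReportId
| order by Timestamp desc
```

Run it in advanced hunting first to review the hit volume, then use “Create detection rule” on the query once the exclusions are tuned.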

 

The rest of the investigation experience, such as the hyperlinked exploration between the different monitored entities, is consistent with the familiar experience for Windows devices. The monitored entities (e.g. files, processes, network connections, alerts) are available for exploration on Linux devices. Here are a few examples:

 

File page

 

IP address page

 

 

How to get started

 

Microsoft Defender for Endpoint (Linux) requires the Servers license. You can find this information in our product terms. Please reach out to your account team for more information and eligibility.

 

To get started, visit our documentation. If you are already evaluating the public preview of Microsoft Defender for Endpoint (Linux) EDR, make sure you update the agent to a released version 101.18.53 or higher.

 

If you are already running Microsoft Defender for Endpoint (Linux) preventive AV in production, your devices will seamlessly receive the new EDR capability as soon as you update the agent to version 101.18.53 or higher.

  

If you’re not yet taking advantage of Microsoft’s industry-leading security optics and detection capabilities for endpoints, sign up for a free trial of Microsoft Defender for Endpoint today.

 

Microsoft Defender for Endpoint team

 

Updated Jun 10, 2021
Version 6.0
  • Philost
    Brass Contributor

    Great news! Does that mean we can expect to see EDR capability made available in Azure Security Center for our Linux IaaS assets?

  • Tartalex
    Copper Contributor

    Do you require access from Linux to Azure, or is an on-prem environment supported?

  • jpcaid5
    Copper Contributor

    Is there anything we need to do if we already have ATP installed on Linux? At the moment I'm not getting any telemetry data in the portal.