Microsoft Tech Community

Microsoft Defender for Endpoint on Linux - Manual Scan Tips

Microsoft

Deploying and managing Defender for Endpoint on Linux at scale requires Linux management tooling, think of Puppet or Ansible. Manual management is an option, but not ideal at scale.

However, there is definitely a use case for manual operations and troubleshooting of the agent, especially locally at an endpoint, and that is why there is a powerful command line interface built into the agent.

And the magic all happens behind the initial command:

mdatp

It's all fun uphill from there!


MDE Linux Command Flowchart

Always referring back to the original and official guidance in Microsoft Learn, of course.

Investigate agent health issues | Microsoft Learn

From it I managed to verify all the local commands available for MDE on supported Linux endpoints.

So I created this flowchart to help understand what kind of commands you can issue locally and what kind of settings can be configured locally too.

[Image: MDE Linux command flowchart]

Source: MDE on Linux tests and trial.
You can find this in my GitHub also. The Mermaid format is available there too, please attribute if you re-use/build upon.

The key point here is that not only can settings be changed locally, but reports can be pulled and actions taken as well, with the proper credentials, of course.

Settings

Settings are any changes to how the agent operates locally, and include scan settings, monitoring, EDR, network configuration, etc.

[Image: settings commands]

Actions

What I call actions relate to the operation of the local agent: think of active instructions such as starting a manual scan, for example:

[Image: starting a manual scan]

Outputs

Lastly, what I call "Outputs" are commands that produce inline reports or results, for example checking scan results via the command line:

[Image: scan results output]

Summary

As a result of this short learning exercise, you can infer and understand that you can create powerful policies to exclude specific files or paths from being scanned.

And that the most powerful local command is

mdatp health

Check it out yourself! ;)
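As an added example (not part of the original post), a small POSIX shell script that reads mdatp health output and flags the fields a responder checks before trusting a manual scan; the field names are those printed by mdatp health, while the sample output itself is constructed for offline use.

```shell
#!/bin/sh
# Added example: sanity-check the fields of `mdatp health` that matter before
# trusting a manual scan. SAMPLE_HEALTH is a constructed sample in the
# "key : value" layout mdatp prints; it is not output captured from a real host.

SAMPLE_HEALTH='healthy                                     : false
health_issues                               : ["definitions are out of date"]
licensed                                    : true
engine_version                              : "1.1.0.0"
real_time_protection_enabled                : true
definitions_status                          : "out_of_date"
definitions_updated                         : "Jan 01, 2024 at 12:00:00 AM"
release_ring                                : "Production"'

# Print the value of one field; surrounding quotes are stripped. Only the first
# colon is treated as the separator, so values containing ':' survive intact.
health_field() {
    printf '%s\n' "$1" | awk -v k="$2" \
        '$1 == k { sub(/^[^:]*: */, ""); gsub(/^"|"$/, ""); print; exit }'
}

# Print one FAIL line per failing check; return 0 only when every check passes.
check_health() {
    out="$1"; rc=0
    [ "$(health_field "$out" healthy)" = "true" ] \
        || { echo "FAIL: agent unhealthy: $(health_field "$out" health_issues)"; rc=1; }
    [ "$(health_field "$out" licensed)" = "true" ] \
        || { echo "FAIL: not licensed (onboarding incomplete)"; rc=1; }
    [ "$(health_field "$out" real_time_protection_enabled)" = "true" ] \
        || { echo "FAIL: real-time protection disabled"; rc=1; }
    [ "$(health_field "$out" definitions_status)" = "up_to_date" ] \
        || { echo "FAIL: definitions $(health_field "$out" definitions_status)"; rc=1; }
    return $rc
}

# On a real endpoint replace the sample with live output:  check_health "$(mdatp health)"
if check_health "$SAMPLE_HEALTH"; then
    echo "agent ready for a manual scan"
else
    echo "fix the issues above before relying on scan results"
fi
```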

Learn more about my Cloud and Security Projects: https://linktr.ee/acamillo
