Microsoft
Deploying and managing Defender for Endpoint on linux at Scale is something you’ll have to use linux management tools, think of Puppet or Ansible. Manual is an option, but not ideal at scale.
However, there is definitely a use case for manual operations and troubleshooting of the agent — especially locally at and endpoint — that’s why there’s a powerful Command line interface built into the agent.
and the magic all happens behind the initial command:
mdatp
It’s all fun uphill from there!
Always referring bac kto original and official guidance in Microsoft Learn, of course.
Investigate agent health issues | Microsoft Learn
From it I managed to verify all the local commands available for MDE in supported linux endpoints.
So I created this Flowchart to help understand what kind of commands you can isue locally and what kind of settings can be configured locally too.
You can find this in my Github also. The mermaid format is available there too, please attribute if you re-use/build upon.
The key point here is that settings can be changed, but also reports and actions taken — with the proper credentials, of course.
Settings include any changes to how the agent operates locally anc incldue scan settings, monitoring, EDR, Network configuration. etc.
What I call actions are to the operation of the local agent, think of active instructions such as starting a manual scan, for example:
Lastly, what I call “Outputs” are commands that create inline reports/results, for example checking out scan results via command line:
As a result of this short learning exercise, you can infer and understand that you can create powerful policies to exclude specific files / paths to be verified.
And that the most powerful local command is
mdatp health
Check it out yourself! 😉
Learn more about my Cloud and Security Projects: https://linktr.ee/acamillo
