Microsoft Defender
Microsoft Defender now detecting Linux intrusions

Microsoft has made a significant move to enhance the security of Linux-based devices by adding device isolation support to Microsoft Defender for Endpoint (MDE). Enterprise administrators can now manually isolate Linux machines enrolled in MDE, either through the Microsoft 365 Defender portal or via API requests. The new feature is available on all MDE-supported Linux distributions listed on the System requirements page.

Once a Linux machine is isolated, any threat actor who may have compromised it is cut off from the device. This effectively blocks malicious activity such as data theft and prevents the attacker from controlling the compromised device or using it for further actions. Microsoft explained that some attack scenarios may require isolating a device from the network, and that this new feature helps in such scenarios.

After isolation, the device remains monitored by the Defender for Endpoint service while it is disconnected from the network. This mirrors the device isolation feature on Windows, where the service's connection to the compromised device is retained even while the device is isolated. Once the threat has been mitigated, the device can be reconnected to the network either through the “Release from isolation” button on the device page or with an ‘unisolate’ HTTP API request.
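As an added example (not Microsoft's code, and not from the article), the isolate and release calls described above wrapped in a small Python helper an incident responder could call from a runbook. It assumes the public MDE machine-action endpoints `/machines/{id}/isolate` and `/machines/{id}/unisolate`, which take a `Comment` and, for isolation, an `IsolationType` of `Full` or `Selective`, and answer with a MachineAction object whose `status` can be polled; the machine id and bearer token are placeholders.

```python
"""Isolate or release a Linux host via the Microsoft Defender for Endpoint API."""
import json
import urllib.request

API_BASE = "https://api.securitycenter.microsoft.com/api"  # public MDE API host
VALID_ISOLATION_TYPES = ("Full", "Selective")
PENDING_STATES = ("Pending", "InProgress")  # MachineAction states still running


def build_action(machine_id, action, comment, isolation_type="Full",
                 token="<AZURE-AD-BEARER-TOKEN-PLACEHOLDER>"):
    """Return (url, headers, body) for an isolate or unisolate machine action.

    Both actions require a non-empty Comment (kept in the audit trail);
    IsolationType is only sent for isolate. Token is an assumed placeholder.
    """
    if action not in ("isolate", "unisolate"):
        raise ValueError(f"unknown machine action {action!r}")
    if action == "isolate" and isolation_type not in VALID_ISOLATION_TYPES:
        raise ValueError(f"IsolationType must be one of {VALID_ISOLATION_TYPES}")
    if not comment or not comment.strip():
        raise ValueError("a non-empty Comment is required so the action is auditable")
    body = {"Comment": comment.strip()}
    if action == "isolate":
        body["IsolationType"] = isolation_type
    url = f"{API_BASE}/machines/{machine_id}/{action}"
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    return url, headers, body


def submit(url, headers, body, opener=urllib.request.urlopen):
    """POST the action and return the MachineAction JSON the API responds with.

    `opener` is injectable so the call can be exercised offline.
    """
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers=headers, method="POST")
    with opener(req) as resp:
        return json.load(resp)


def action_is_pending(machine_action):
    """True while the returned MachineAction should still be polled."""
    return machine_action.get("status") in PENDING_STATES


if __name__ == "__main__":
    # Constructed sample: isolate a host flagged in an investigation, then show
    # the matching release request an analyst would send after remediation.
    print(build_action("MACHINE-ID-PLACEHOLDER", "isolate", "IR-42: suspicious outbound shell"))
    print(build_action("MACHINE-ID-PLACEHOLDER", "unisolate", "IR-42: remediated, releasing"))
```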

Microsoft Defender: Enterprise endpoint security solutions

Microsoft Defender for Endpoint on Linux is a command-line product that offers antimalware and endpoint detection and response (EDR) capabilities. All threat information detected by MDE on Linux devices is sent to the Microsoft 365 Defender portal. Enterprise administrators with MDE subscriptions can deploy and configure MDE on Linux devices manually or with configuration management tools such as Puppet, Ansible, and Chef.

The enterprise endpoint security solution became generally available for Linux and Android in June 2020, after entering public preview in February of the same year. Since then, Microsoft has continued to enhance its support for Linux devices, adding live response capabilities for Linux devices in Microsoft Defender for Endpoint. That announcement came two years back, and it provides support for identifying and assessing the security configurations of Linux devices on enterprise networks.

In November 2020, MDE’s endpoint detection and response (EDR) capabilities were generally available on Linux servers following a public preview stage. This latest addition of device isolation support to MDE further solidifies Microsoft’s commitment to providing robust security for Linux-based devices. With this new feature, enterprise administrators can now better protect their Linux devices from threats, ensuring that their data and systems remain secure.