Microsoft Defender for Endpoint Gets Linux Server Forensics Capabilities

Microsoft Defender for Endpoint now has an endpoint detection and response (EDR) capability for use with Linux servers that's deemed ready for use in production environments, Microsoft indicated on Monday.

The EDR capability for Linux servers reached the "general availability" commercial-release stage after having been previewed back in November. Microsoft Defender for Endpoint (which was rebranded from "Microsoft Defender for Advanced Threat Protection") is a tool for protecting endpoints (devices), with the ability to conduct post-breach investigations.

The EDR capability for Microsoft Defender for Endpoint for Linux servers shows up in the Microsoft Defender Security Center portal for those organizations with the proper licensing. It works with the following Linux server distros:

  • RHEL 7.2+
  • CentOS Linux 7.2+
  • Ubuntu 16 LTS or a later LTS release
  • SLES 12+
  • Debian 9+
  • Oracle Linux 7.2

Microsoft Defender for Endpoint also supports macOS, Windows and mobile operating systems.

IT pros can use the product's EDR feature for antivirus detections, for optimizing the CPU performance of applications, and for conducting forensic investigations. The tool has an "advanced hunting" capability that provides forensics on data going back as far as 30 days. Users also have access to endpoint information through the EDR feature's "machine timeline, process creation, file creation, network connections, [and] login events" display capabilities.

Current users of the Microsoft Defender for Endpoint preview for Linux servers will "seamlessly receive the new EDR capability as soon as you update the agent to version 101.18.53 or higher," the announcement indicated. To use it, organizations need to have "access to the Microsoft Defender Security Center portal, beginner-level experience in Linux and BASH scripting, and administrative privileges on the device," Microsoft indicated in its documentation.

Microsoft Cloud Solution Provider partners sell the licensing for Microsoft Defender for Endpoint under various E5/A5 plans, according to the "licensing requirements" section of Microsoft's documentation.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
