Skip to content
Menu
ChrisOnSecurity
  • Blog
  • Microsoft Security portals
  • Presentations
  • GitHub
  • About me
  • Impressum
  • Disclaimer
ChrisOnSecurity

Microsoft Defender ATP for Linux

Posted on 27. February 202012. May 2020

Microsoft Defender ATP for Linux is here! Again, Microsoft expand their MDATP ecosystem to match the commitment to open source and operating systems other than Windows (Server). Azure resources are heavily depending on Linux, so this is a logical next step.

In the course of 2020, MDATP’s capabilities will also be extended to iOS and Android. But for now, let’s have a look at MDATP for Linux.

Getting ready

Make sure you are running a supported Linux version. Those are as follows:

  • Red Hat Enterprise Linux 7 or higher
  • CentOS 7 or higher
  • Ubuntu 16.04 LTS or higher LTS
  • Debian 9 or higher
  • SUSE Linux Enterprise Server 12 or higher
  • Oracle Enterprise Linux 7

For this post, I am using Ubuntu Server 18.04 LTS. All terminal inputs refer to it (and Debian).

What we also need:

  • about 650 MB of disk space
  • Kernel version 2.6.38 or above including the fanotify kernel option

Fanotify is a module of the Linux kernel that allows access and monitoring of files and directories, which is necessary for an AV/EDR solution like Defender ATP.

We also need network connectivity to the MDATP cloud endpoint. You can check that in a browser by accessing these URLs:

  • https://x.cp.wd.microsoft.com/api/report
  • https://cdn.x.cp.wd.microsoft.com/ping

As a Windows guy, I will mainly focus on GUI configuration, but of course you can always use the Linux Terminal instead:

curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'

Either way should return ‘OK’.

Get the MDATP onboarding package

Now we need to get the onboarding from the Defender ATP portal:

This is a zip file very similar to the one for Windows 10, however, it contains a python script that must be executed:

python WindowsDefenderATPOnboarding.py

In my case, I used sudo and entered the direct path of the .py file:

This will place all relevant information to /etc/opt/microsoft/mdatp:

You don’t need to touch any of those files!

Installing MDATP

Now, we only need to install MDATP. There are a few steps we have to take in the Terminal:

Install curl:

sudo apt-get install curl

Get the configuration from Mirosoft’s repository:

curl -o microsoft.list https://packages.microsoft.com/config/[distro]/[version]/[channel].list

Please mind the placeholders [distro],[version], and [channel]. You can use a browser to find out what you have to place there: https://packages.microsoft.com/config/

[distro] represents your distribution, e.g. “ubuntu”

[version] e.g. “18.04”

[channel] represents one of the .list files you see for your distribution

Using Ubuntu 18.04 and the insider-fast channel results in the following Terminal input:

curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/insiders-fast.list

Install the repository information:

sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-insiders-fast.list

Install the gpg package:

sudo apt-get install gpg

Install Microsoft’s GPG public key:

curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/

Install the https driver:

sudo apt-get install apt-transport-https

Update repo metadata:

sudo apt-get update

And finally, install MDATP:

sudo apt-get install mdatp

MDATP will grab the information we set earlier using the python onboarding script.

Working with MDATP locally

After a few minutes, the MDATP agent will turn to healty. You can check that via Terminal:

mdatp --health healthy

This will return ‘1’ once all is set.

You can also use

mdatp --health

to view more information, including the orgId which has to be in place for full functionality:

Now, we can do some tests, e.g. download an EICAR test file:

curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt

Quarantined files can be viewed using:

mdatp --threat --list --pretty

Working with the MDATP portal

After a view moments, the Linux machine and its alerts will appear in the MDATP portal:

We also get the familiar alert experience:

Other tasks

There are some other steps and tasks that might be interesting for you:

  • Deploy via Puppet: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet
  • Deploy via Ansible: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible
  • Updating the client: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/linux-updates
  • Proxy configuration: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration
  • AV preferences: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/linux-preferences

Final thoughts

A unified enterprise EDR solution that covers all relevant platforms – sounds like a dream coming true. 😉 I really look forward to what’s to come with Defender ATP. Especially the upcoming version for iOS and Android will be very interesting. However, after macOS support, MDATP for Linux is already a great addition.

Thanks for reading!

Chris

@ChrisOnSecurity@infosec.exchange

Recent posts

  • What’s new: Microsoft 365 Security & Compliance December 2022
  • What’s new: Microsoft 365 Security & Compliance November 2022
  • Counter MFA spam attacks with Azure Active Directory
  • Windows 11 security – a first look
  • Conditional Access – device identification using certificates

@ChrisOnSecurity

Tweets by ChrisOnSecurity

Recent posts

  • What’s new: Microsoft 365 Security & Compliance December 2022
  • What’s new: Microsoft 365 Security & Compliance November 2022
  • Counter MFA spam attacks with Azure Active Directory
  • Windows 11 security – a first look
  • Conditional Access – device identification using certificates

Tags

Administration Administrative Units Android AV Azure Active Directory Azure AD Azure Sentinel Client Security Conditional Access Conditional Access App Control Defender ATP Delegation EDR EMS Enterprise Mobility + Security Identity Protection Information Protection & Compliance Linux M365 M365 E3 Mail Security MCAS MDAPT MDATP MFA Microsoft 365 Microsoft 365 E3 Microsoft 365 Security Microsoft Cloud App Security Microsoft Defender ATP Microsoft Ignite Mobile Security Monitoring Network Control Office 365 Office ATP passwordless Perimeter Security Baseline Session Control Sysmon Unified Incidents User submissions Web Content Filtering Windows 10 Enterprise
©2023 ChrisOnSecurity | WordPress Theme by Superbthemes.com
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.
Cookie settingsACCEPT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT