After a few months in preview, Microsoft has made Defender Endpoint Detection and Response (EDR) generally available for Linux servers.
Microsoft has extended its Defender product over multiple platforms throughout the last year or so, having shaved the “Windows” prefix from the system. Android, macOS, and iOS have all joined the party and Microsoft Defender for Endpoint turned up for Linux around six months ago.
The theory goes that administrators with a mixed network can onboard devices via the same portal and view alerts in what Microsoft describes as a “single pane of glass experience”.
The EDR support enriches the capability with extra timeline features and enhancements to the advanced hunting tool. “Customers can use this capability,” according to Microsoft, “to search for threats across Linux servers, exploring up to 30 days of raw data.”
It’s handy stuff for admins already familiar with the Windows experience and keeps procedures consistent. Users can include elements such as process and file creation in their investigations as well as gather insight into where a threat or malicious activity came from.
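As an added illustration of the advanced hunting capability described above (this is not a query from the article or from Microsoft), the following Kusto query looks back over the 30-day window the article mentions for shells spawned by common Linux web-server processes, a classic post-exploitation pattern. It assumes the DeviceProcessEvents and DeviceInfo schema of Microsoft Defender for Endpoint advanced hunting; the list of parent process names is the author's own and should be tuned to the environment.

```kusto
// Added example, not from the original page: hunt for interactive shells
// launched by web-facing daemons on Linux servers over the last 30 days.
// Assumes the DeviceProcessEvents / DeviceInfo advanced hunting tables.
let lookback = 30d;
let webDaemons = dynamic(["nginx", "apache2", "httpd", "php-fpm", "node", "java", "gunicorn"]);
let shells = dynamic(["sh", "bash", "dash", "zsh", "python", "python3", "perl"]);
// Restrict to Linux hosts via DeviceInfo so Windows telemetry does not add noise.
let linuxHosts =
    DeviceInfo
    | where Timestamp > ago(lookback)
    | where OSPlatform == "Linux"
    | distinct DeviceId;
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where DeviceId in (linuxHosts)
| where InitiatingProcessFileName in~ (webDaemons)
| where FileName in~ (shells)
// Reverse shells and downloaders usually show up in the command line.
| extend Suspicious = ProcessCommandLine matches regex @"(/dev/tcp/|nc\s|ncat\s|curl\s|wget\s|base64\s+-d)"
| project Timestamp, DeviceName, AccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          FileName, ProcessCommandLine, Suspicious
| order by Suspicious desc, Timestamp desc
```

Run it from the Advanced hunting page in the Microsoft 365 Defender portal; the Suspicious flag sorts the obvious reverse-shell and download-and-execute cases to the top, while the remaining rows still merit a look, since a web daemon rarely has a legitimate reason to start an interactive shell.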
Six Linux distributions are supported at present: RHEL 7.2+, CentOS Linux 7.2+, Ubuntu 16.04 LTS (or a higher LTS release), SLES 12+, Debian 9+, and Oracle Linux 7.2. The platform can be deployed and configured with Puppet, Ansible, “or using your existing Linux configuration management tool.”
There remains no love for the standalone Linux desktop at this stage; this is aimed squarely at servers, although there is no shortage of alternatives from vendors such as Sophos or F-Secure.
Users already running Microsoft Defender for Endpoint (Linux) will get the EDR capability with an agent update. Those who opted into the preview programme last year will also need to update the agent.
And, of course, Microsoft Defender for Endpoint (Linux) will require the Servers licence. ®