Defender for Endpoint on Ubuntu
This paper describes how to manually deploy Microsoft Defender for Endpoint on Ubuntu 20.04 with a few tips, experience from the field, and much more.
Microsoft is expanding its Microsoft Defender for Endpoint ecosystem to match its commitment to operating systems other than Windows and to open source. Since Azure resources depend heavily on Linux platforms, this is a logical move.
The most critical part of the enterprise is security, and the ability to integrate Linux with the Microsoft ecosystem is crucial. While many Linux people outside the enterprise may not see the point of Microsoft security tools on Linux, those inside will understand that they can be invaluable: they can make your favorite distro a more viable OS in the workplace.
MDE in a nutshell
Defender for Endpoint provides many features, some in the cloud and others on the ground (on the endpoints). Defender for Endpoint is interesting on Linux because its main components, behavioral features, and events give us more visibility into Linux devices as well as other device types.
The Endpoint portion of Microsoft Defender for Endpoint contains many components, including:
Endpoint security components at the Endpoint.
API and Integration share signals with other Microsoft security solutions or third-party systems.
Sensors collect cyber telemetry from the Endpoint and send it to cloud protection services. Security events and information from Defender Antivirus, Attack Surface Reduction, built-in firewall, Windows update, and telemetry from the built-in sensors are sent to your Defender for Endpoint tenant in the cloud, where information is stored.
Defender Antivirus is another core component used for real-time protection and cloud-based protection. This component includes local ML models, heuristics, behavioral analysis, and more.
Attack Surface Reduction is a powerful technology that helps you reduce the attack surface in your environment.
Built-in Firewall filters network data transmissions to and from your Windows systems.
The cloud portion of Microsoft Defender for Endpoint contains many components, including:
SecOps Portal to access their endpoints, investigate potential threats, respond to a breach, or improve their security posture. The security team can also trigger endpoints to collect suspicious sample files, isolate endpoints from the network, or run a full on-demand antivirus scan.
ML & Security Analytics is the brain of Microsoft Defender for Endpoint. It includes extensive data analysis, machine learning models, heuristics, behavioral analysis, detonation-based analysis, and anomaly detection algorithms that detect suspicious and attack-related events in the sensor data.
Real-time detections and Non-real-time detections
Detonation Chamber provides the sandbox environment for deep file analysis where customers upload suspicious files and get a readable report back.
Auto-Investigation is the automated investigation and response engine, which can start automated threat investigations and immediately perform the necessary remediation steps if a threat is found.
APIs: collected data is sent to the Security Graph, which can then be sent to other security products. MDTP also has its own API, which can be used to interact with the service.
Behavior monitoring is the protection for Linux based on EDR detections. Most AV solutions look at known hashes for files and processes; EDR is more advanced and looks at memory, processes, network traffic, and other signals. The Linux antivirus platform supports behavior monitoring capabilities.
MDE on Linux
Defender for Non-Windows Endpoints is part of the Microsoft journey that extends its industry-leading endpoint security capabilities beyond Windows and Windows Server to macOS, Android, iOS, and Linux.
Organizations face threats across a variety of platforms and devices. Microsoft has committed to building security solutions not just for Microsoft platforms but also for non-Microsoft platforms, enabling customers to protect and secure their heterogeneous environments. Microsoft Defender for Endpoint customers benefit from a unified view of all threats and alerts in the Microsoft 365 Defender portal across Windows and non-Windows platforms, giving them a complete picture of what’s happening in their environment and empowering them to assess and respond to threats more quickly.
Microsoft Defender for Endpoint on Linux offers vulnerability management capabilities for Linux servers, preventative antivirus (AV), and endpoint detection and response (EDR). This includes a command-line experience to configure and manage the agent, initiate scans, and manage threats. We support recent versions of the six most common Linux Server distributions: RHEL 7.2+, CentOS Linux 7.2+, Ubuntu 16 LTS or higher LTS, SLES 12+, Debian 9+, and Oracle Linux 7.2.
Microsoft Defender for Endpoint on Linux can be deployed and configured using Puppet, Ansible, or your existing Linux configuration management tool.
Let’s onboard with straightforward actions.
Get Things Ready
Make sure you are running a supported Linux version. Those are as follows:
- Red Hat Enterprise Linux 7 or higher
- CentOS 7 or higher
- Ubuntu 16.04 LTS or higher LTS
- Debian 9 or higher
- SUSE Linux Enterprise Server 12 or higher
- Oracle Enterprise Linux 7
You can check that in a browser by accessing these URLs:
First, while exploring the Microsoft 365 Defender portal, you’ll find Linux Server as a choice in the dropdown on the Onboarding page. This onboarding process comes in two modes: Local Script and your preferred Linux configuration management tool (such as Puppet or Ansible).
Choosing “Downloads onboarding package” will allow you to download and install the package.
The Python script writes a file containing your organization id, called mdatp_onboard.json, to /etc/opt/microsoft/mdatp.
Terminal Search – So, where can I find the agent? The MDE Linux packages are hosted at https://packages.microsoft.com. Choose the repo that matches your distribution and package manager, then download the repository configuration with this command:
curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/22.04/insiders-fast.list
The following command puts the repository configuration in place so that apt can find the package:
sudo mv ./microsoft.list /etc/apt/sources.list.d/prod.list
Install GPG package
sudo apt-get install gpg
Install GPG Public Key
curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/
Install HTTPS Driver
sudo apt-get install apt-transport-https
Repo Metadata Update
sudo apt-get update
Linux MDE installation
sudo apt-get install mdatp -y
sudo python3.8 MicrosoftDefenderATPOnboardingLinuxServer.py
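The steps above, wrapped in a shell script with a check after each download, as an added example that is not part of the original post or of Microsoft's tooling. It assumes the same URLs and destination paths the post uses, that the onboarding script MicrosoftDefenderATPOnboardingLinuxServer.py sits in the current directory, and that the argument `install` is passed when you actually want it to touch the system; without that argument it only runs its own checks against constructed sample files. The two checks catch the failures that otherwise go unnoticed until `apt-get update` breaks: an HTML error page saved as the repo list, and a key file that was never dearmored.

```shell
#!/usr/bin/env sh
# Added example (not code from the post): the post's repository, key and install
# steps as functions, with a verification after each download. Run with the
# argument "install" to perform the deployment; without it, only the offline
# self-check on constructed sample files runs.
set -u

# URLs and destinations as used in the post.
REPO_LIST_URL="https://packages.microsoft.com/config/ubuntu/22.04/insiders-fast.list"
REPO_LIST_DEST="/etc/apt/sources.list.d/prod.list"
MS_KEY_URL="https://packages.microsoft.com/keys/microsoft.asc"
MS_KEY_DEST="/etc/apt/trusted.gpg.d/microsoft.gpg"
ONBOARD_SCRIPT="MicrosoftDefenderATPOnboardingLinuxServer.py"   # assumed to be in the current directory

# Returns 0 if the downloaded list is non-empty and carries a
# "deb ... https://packages.microsoft.com/..." line. An HTML error page or an
# empty file would otherwise land in sources.list.d and break "apt-get update".
check_repo_list() {
    [ -s "$1" ] && grep -Eq '^deb[[:space:]].*https://packages\.microsoft\.com/' "$1"
}

# Returns 0 if the key file is a binary (dearmored) OpenPGP keyring: no ASCII-armor
# header, and a first byte of 0x99 (old-format public-key packet tag). A still-armored
# file dropped into trusted.gpg.d is silently ignored by apt.
check_key_dearmored() {
    [ -s "$1" ] || return 1
    if grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$1"; then return 1; fi
    [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "99" ]
}

install_mde() {
    work=$(mktemp -d)
    # curl -f turns HTTP errors into a non-zero exit instead of saving the error page.
    curl -fsSL -o "$work/microsoft.list" "$REPO_LIST_URL" || return 1
    check_repo_list "$work/microsoft.list" || { echo "repo list is not usable" >&2; return 1; }
    sudo mv "$work/microsoft.list" "$REPO_LIST_DEST"
    sudo apt-get install -y gpg apt-transport-https
    curl -fsSL "$MS_KEY_URL" | gpg --dearmor > "$work/microsoft.gpg"
    check_key_dearmored "$work/microsoft.gpg" || { echo "key was not dearmored" >&2; return 1; }
    sudo mv "$work/microsoft.gpg" "$MS_KEY_DEST"
    sudo apt-get update
    sudo apt-get install -y mdatp
    sudo python3.8 "$ONBOARD_SCRIPT"
}

if [ "${1:-}" = "install" ]; then
    install_mde
else
    # Offline self-check on constructed sample files (not real downloads).
    demo=$(mktemp -d)
    printf 'deb [arch=amd64] https://packages.microsoft.com/ubuntu/20.04/prod focal main\n' > "$demo/good.list"
    printf '<html>404 Not Found</html>\n' > "$demo/bad.list"
    check_repo_list "$demo/good.list" && echo "good.list: usable"
    check_repo_list "$demo/bad.list" || echo "bad.list: rejected"
    rm -rf "$demo"
fi
```

Run it as `sh deploy-mde.sh install` on the target host; the checks run between the download and the `sudo mv`, so nothing is copied into `/etc/apt` unless the downloaded file looks right.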
Now we are good to go with the configuration checking and running a few commands.
Now that we have installed and configured the MDE agent on Ubuntu 20.04, we should check that everything is set up with the basic settings and running correctly. MDE has a rich list of commands; we can see the complete list by running the “mdatp” command.
“mdatp health” investigates agent health issues and checks that all configurations are set. There are many health parameters; the bare “mdatp health” command checks general health.
We can also check the service status with the command: service mdatp status.
Now that we know wdavdaemon is the process behind the mdatp service, we can check the process itself.
If the agent is healthy, the following command should list the MDATP process: ps -C wdavdaemon -o pid,ppid,%cpu,%mem,rss,user,cmd
Last, we should check the Linux agent status on the Microsoft 365 Defender portal.
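The three local checks above (“mdatp health”, the service status, and the wdavdaemon process listing) combined into one verification function, as an added example that is not part of the original post or of Microsoft's tooling. The sample “mdatp health” output it parses offline is constructed in the command's “key : value” layout with a placeholder org_id; the field names are the ones the real command prints, but the values are not captured from a machine. Run it with the argument `verify` on an onboarded host; without it, the parsing helpers only run against the constructed sample.

```shell
#!/usr/bin/env sh
# Added example (not code from the post): turns the post's post-install checks
# (mdatp health, service mdatp status, ps -C wdavdaemon) into a verification
# function. Run with the argument "verify" on an onboarded host; without it, the
# parsing helpers run against a constructed sample of "mdatp health" output.
set -u

# Constructed sample in the "key : value" layout of "mdatp health"; the org_id is a
# placeholder, not a real tenant.
SAMPLE_HEALTH='healthy                                     : true
health_issues                               : []
licensed                                    : true
org_id                                      : "00000000-0000-0000-0000-000000000000"
definitions_status                          : "up_to_date"
real_time_protection_enabled                : true'

# Print the value of one field ($1) from "mdatp health" output read on stdin.
health_field() {
    awk -v k="$1" '{
        i = index($0, ":"); if (i == 0) next
        key = substr($0, 1, i - 1); gsub(/[[:space:]]/, "", key)
        if (key == k) {
            v = substr($0, i + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            print v; exit
        }
    }'
}

# 0 only when the agent reports healthy AND is onboarded (non-empty org_id).
agent_is_healthy() {   # $1 = file holding "mdatp health" output
    [ "$(health_field healthy < "$1")" = "true" ] &&
    [ -n "$(health_field org_id < "$1" | tr -d '"')" ]
}

# Same process listing as the post; 0 if at least one wdavdaemon is running.
wdavdaemon_running() {
    ps -C wdavdaemon -o pid,ppid,%cpu,%mem,rss,user,cmd --no-headers | grep -q .
}

verify_agent() {
    out=$(mktemp)
    mdatp health > "$out" 2>&1 || { echo "mdatp health failed" >&2; return 1; }
    agent_is_healthy "$out" || { echo "agent unhealthy or not onboarded:" >&2; cat "$out" >&2; return 1; }
    service mdatp status > /dev/null 2>&1 || { echo "mdatp service is not active" >&2; return 1; }
    wdavdaemon_running || { echo "no wdavdaemon process found" >&2; return 1; }
    echo "MDE agent healthy, onboarded to org $(health_field org_id < "$out")"
    rm -f "$out"
}

if [ "${1:-}" = "verify" ]; then
    verify_agent
else
    # Offline run against the constructed sample only.
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_HEALTH" > "$tmp"
    agent_is_healthy "$tmp" && echo "sample: healthy=$(health_field healthy < "$tmp") org_id=$(health_field org_id < "$tmp")"
    rm -f "$tmp"
fi
```

Checking org_id as well as healthy matters: an agent can report healthy before the onboarding script has run, and such a device never shows up in the portal, which is exactly the last check the post asks for.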
Play with KQL
Now that MDE is fully deployed on Ubuntu, we can continue to the next thing, my favorite place – Advanced Hunting.
The first will be to check which agents are newly onboarded. For this, we run the query below:
DeviceInfo
| where Timestamp > ago(3d)
| where OSPlatform == @"Linux"
| summarize arg_max(Timestamp, *) by DeviceId
| distinct Timestamp, DeviceName, DeviceId, OSPlatform, OSDistribution, OSVersion, ReportId
Hunt for Malware
DeviceInfo
| where OSPlatform == @"Linux"
| distinct DeviceId
| join kind=inner AlertEvidence on DeviceId
| project AlertId
| join AlertInfo on AlertId
| project AlertId, Timestamp, Title, Severity, Category
Get information for network-related events
DeviceInfo
| where Timestamp > ago(1d)
| summarize by DeviceId
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(1d)
) on DeviceId
| take 10
More MDE queries on my GitHub account.