Defender for Endpoint on Ubuntu

This paper describes how to manually deploy Microsoft Defender for Endpoint on Ubuntu 20.04 with a few tips, experience from the field, and much more.

Microsoft expands its Microsoft Defender for Endpoint ecosystem to match the commitment to operating systems other than Windows and open-source. As we all know that Azure resources are heavily dependent on Linux platforms, so this is a logical movement.

The most critical part of the enterprise is security, and the fact you can have the ability to integrate Linux with the Microsoft ecosystem is crucial. While many tech Linux people outside the enterprise may not understand the point of Microsoft security tools on Linux, those inside will understand that they can be invaluable. It can make your favorite distro a more viable OS in the workplace.

MDE in a nutshell

Defender for Endpoint provides many features, some on the cloud and others on the ground (on the endpoints). The Defender for Endpoints is quite interesting because the main components, behavioral features, and events allow us more visibility for Linux devices and other device types.

Endpoint Components

The Endpoint portion of Microsoft Defender for Endpoint contains many components, including:

Endpoint security components at the Endpoint.

API and Integration share signals with other Microsoft security solutions or third-party systems.

Sensors collect cyber telemetry from the Endpoint and send it to cloud protection services. Security events and information from Defender Antivirus, Attack Surface Reduction, built-in firewall, Windows update, and telemetry from the built-in sensors are sent to your Defender for Endpoint tenant in the cloud, where information is stored.

Defender Antivirus is another core component used for real-time protection and cloud-based protection. This component includes local ML models, heuristics, behavioral analysis, and more.

Attack Surface Reduction is a powerful technology that helps you reduce the attack surface in your environment.

Built-in Firewall filtering network data transmissions to and from your Windows systems.

Cloud components

The cloud portion of Microsoft Defender for Endpoint contains many components, including:

SecOps Portal to access their endpoints, investigate potential threats, respond to a breach, or improve their security posture. The security team can also trigger endpoints to collect suspicious sample files, isolate endpoints from the network, or run a full on-demand antivirus scan.

ML & Security Analytics is the brain of Microsoft Defender for Endpoint. It includes extensive data analysis, machine learning models, heuristics, behavioral analysis, detonation-based analysis, and anomaly detection algorithms that detect suspicious and attack-related events in the sensor data.

Real-time detections and Non-real-time detections

Detonation Chamber provides the sandbox environment for deep file analysis where customers upload suspicious files and get a readable report back.

Auto-Investigation to automate investigation and response engine that can start automated threat investigations and immediately perform the necessary remediation steps if a threat is found.

APIs collected data is sent to the Security Graph, which can then be sent to other security products. MDTP also has its API, which can be used to interact with the service.

Behavior monitoring is the protection for Linux based on EDR detections. Most AV solutions will look at known hashes for files and processes. EDR is more advanced and looks at memory, processes, network traffic, and more advanced detections. Linux antivirus platform supports behavior monitoring capabilities.

MDE on Linux

Defender for Non-Windows Endpoints is part of the Microsoft journey that extends its industry-leading endpoint security capabilities beyond Windows and Windows Server to macOS, Android, iOS, and Linux.

Organizations face threats across a variety of platforms and devices. Microsoft has committed to building security solutions not just for Microsoft but also for Microsoft to enable to protect and secure their heterogeneous environments. Microsoft Defender for Endpoint help from a unified view of all threats and alerts in the Microsoft 365 Defender portal across Windows and non-Windows platforms, enabling them to get a complete picture of what’s happening in their environment, which empowers them to assess and respond to threats more quickly.

Microsoft Defender for Endpoint on Linux offers vulnerability management capabilities for Linux servers, preventative antivirus (AV), and endpoint detection and response (EDR). This includes a command-line experience to configure and manage the agent, initiate scans, and manage threats. We support recent versions of the six most common Linux Server distributions: RHEL 7.2+, CentOS Linux 7.2+, Ubuntu 16 LTS or higher LTS, SLES 12+, Debian 9+, and Oracle Linux 7.2.

Microsoft Defender for Endpoint on Linux can be deployed and configured using Puppet, Ansible, or your existing Linux configuration management tool for information about the key features and benefits.


Let’s onboard with straightforward actions.

Get Things Ready

Make sure you are running a supported Linux version. Those are as follows:

  • Red Hat Enterprise Linux 7 or higher
  • CentOS 7 or higher
  • Ubuntu 16.04 LTS or higher LTS
  • Debian 9 or higher
  • SUSE Linux Enterprise Server 12 or higher
  • Oracle Enterprise Linux 7

You can check that in a browser by accessing these URLs:

The Package

First, while exploring the Microsoft 365 Defender, you’ll find Linux Server as a choice in the dropdown on the Onboarding page. This onboarding process arrives in two modes: Local Script and Your preferred Linux configuration management (such as Puppet or Ansible).

Choosing “Downloads onboarding package” will allow you to download and install the package.

The python script will write a file containing your organization id, called mdatp_onboard.json to /etc/opt/Microsoft/mdatp.

Terminal Search – So, where can I search for the agent? You can go to MDE Linux agents at the URL: Then, choose the repo to your package manager and download the repository configuration using this command:

curl -o microsoft.list

Push it

The following command will grab the configuration, push the package and install the agent.

Repository install

 sudo mv ./microsoft.list /etc/apt/sources.list.d/prod.list

Install GPG package

sudo apt-get install gpg

Install GPG Public Key

curl | gpg --dearmor > microsoft.gpg

sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/

Install HTTPS Driver

sudo apt-get install apt-transport-https

Repo Metadata Update

sudo apt-get update

Linux MDE installation

sudo apt-get install mdatp -y

Run Configuration

sudo python3.8

Now we are good to go with the configuration checking and running a few commands.

Sanity Check

Now that we installed and configured the MDE agent in ubuntu 20.04, we should check if everything is set with the basic setting and running correctly. The MDE has a rich list with many commands; we can see the complete list when we run the “mdatp” command.

MDATP Health investigates agent health issues and checks all configurations are set. There are many health parameters. The “mdatp health” command checks for general health.

We can also check the service status with the command: service mdatp status.

We can check the process now that we know the wdavdaemon is part of the MDATP service.

If the agent is healthy, we should list the MDATP process with the command: ps -C wdavdaemon -o pid,ppid,%cpu,%mem, RSS, user, cmd.

Last, we should check the Linux agent status on the Microsoft 365 Defender portal.

Play with KQL

Now that MDE is fully deployed on Ubuntu, we can continue to the next thing, my favorite place – Advanced Hunting.

The first will be to check who’s is the new onboarded agents. For this one, we should run the query below:

| where Timestamp > ago(3d)
| where OSPlatform == @"Linux"
| summarize arg_max(Timestamp, *) by DeviceId
| distinct Timestamp, DeviceName, DeviceId, OSPlatform, OSDistribution, OSVersion, ReportId

Hunt for Malware

| where OSPlatform == @"Linux"
| distinct DeviceId
| join kind=inner AlertEvidence on DeviceId
| project AlertId
| join AlertInfo on AlertId
| project AlertId, Timestamp, Title, Severity, Category

Get information for network-related events

| where Timestamp > ago(1d)
| summarize by DeviceId
| join kind=inner (
| where Timestamp > ago(1d)
) on DeviceId
| take 10

More MDE queries on my GitHub account.


What’s new in Microsoft Defender for Endpoint on Linux

Microsoft Defender for Endpoint for non-Windows platforms

Boost the protection of your Linux

Vulnerability management for Linux

MDE Resources


Troubleshoot installation issues for MDE on Linux

Advanced Hunting 4 Hero’s

You may also like...

Leave a Reply

error: Content is Protected !!
%d bloggers like this: