Microsoft ATP endpoint detection on Linux

Microsoft today announced a public preview of Endpoint Detection and Response (EDR) capabilities on Linux servers running Microsoft Defender Advanced Threat Protection (ATP) - now known as Microsoft Defender for Endpoint.

The addition of EDR capabilities allows security analysts to detect attacks on Linux servers almost in real time through alerts that are automatically collected as incidents based on the attacker's performance and techniques.

"It simply came to our notice then preventive capabilities against viruses  and summary reports available through the Microsoft Defender Security Center, ”said Tomer Hevlin, Senior Product Manager at Microsoft.

Microsoft Defender EDR features for Endpoint Linux provide administrators with:

<br>• Rich exploration experience: including machine scheduling, process creation, file creation, network connections, login events and, of course, the popular advanced "hunt".
<br>• Optimized performance: Improved CPU usage in editing processes and large software applications.
<br>• AV detections in the environment: just like with Windows, find out where a threat came from and how the malicious process or activity was created.

Support for Linux devices

Microsoft Defender for Endpoint was made available to corporate customers with Linux devices earlier this year, in June.

Endpoint on Linux comes in the form of a command line product that will send all detected threats to the Microsoft Defender Security Center

EDR capabilities are currently available on Linux server distributions supported by Microsoft Defender for Endpoint: RHEL 7.2+, CentOS Linux 7.2+, Ubuntu 16 LTS or later LTS, SLES 12+, Debian 9+, and Oracle Linux 7.2.

More information on how to quickly simulate attacks using EDR for Linux can be found here.