- There are some cases where you need to disconnect a device from the network to stop an attacker from using it; isolating the endpoint helps in such situations.
- Microsoft Defender for Endpoint now provides the same level of protection against Linux endpoints as it does on Windows.
- It is recommended to use a split-tunneling VPN to protect Microsoft Defender for Endpoint and Microsoft Defender Antivirus cloud-based protection data.
Microsoft Defender for Endpoint can now isolate compromised Linux endpoints just as it does on Windows. Some attack scenarios require cutting a device off from the network so the attacker can no longer control it. The new feature works the same way on Linux as it does on Windows: the device is blocked from communicating with the network, while the Defender for Endpoint service can still reach it and keep monitoring it.
Supports many enterprise distros
This new feature is supported by Microsoft Defender for Endpoint on the following Linux distributions:
- Red Hat Enterprise Linux 6.7 or higher (Preview)
- Red Hat Enterprise Linux 7.2 or higher
- Red Hat Enterprise Linux 8.x
- Red Hat Enterprise Linux 9.x
- CentOS 6.7 or higher (Preview)
- CentOS 7.2 or higher
- Ubuntu 16.04 LTS or higher LTS
- Debian 9 or higher
- SUSE Linux Enterprise Server 12 or higher
- Oracle Linux 7.2 or higher
- Oracle Linux 8.x
- Amazon Linux 2
- Fedora 33 or higher
The announcement post also notes that once a device is isolated, only certain processes and websites are allowed to run. If a VPN tunnel is connected on the device, the device won't be able to reach the Microsoft Defender for Endpoint cloud service after it has been isolated. Microsoft therefore recommends using a split-tunneling VPN to protect Microsoft Defender for Endpoint and Microsoft Defender Antivirus cloud-based protection data.
Linux endpoint manual isolation
In the Microsoft 365 Defender portal, open the device page of the Linux device and click “Isolate Device”.
You can follow the progress of the action in the Action Center, which also shows when it has completed on the device. You can reconnect the device from the same menu.
Linux endpoint isolation using API
Linux isolation is available using APIs. For more details, please refer to the resource below:
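As an added example (not code from the original post or from Microsoft), the following Python shows the shape of the isolation flow through the Defender for Endpoint machine-actions API: build the isolate or unisolate request, submit it, and read the resulting machine-action record to see whether the action is still pending, succeeded, or failed. It assumes the caller already holds an OAuth2 bearer token with the machine-isolation permission, knows the device id from the portal or the machines API, and uses the public `https://api.securitycenter.microsoft.com` endpoint; the token, device id and response values in the block are constructed placeholders, and the HTTP transport is injectable so the flow can be exercised offline.

```python
"""Isolate / release a Linux device via the Microsoft Defender for Endpoint
machine-actions API.  Added example, not the original post's code.

Assumptions (not stated on the page): the caller already has a bearer token
with the machine-isolation permission, the device id is known, and the API
base URL is the public securitycenter endpoint.
"""
import json
import urllib.request

API_BASE = "https://api.securitycenter.microsoft.com/api"  # assumed public endpoint


def build_isolation_request(machine_id, token, comment,
                            isolation_type="Full", release=False):
    """Return a urllib Request for the isolate (or, with release=True, the
    unisolate) machine action.

    isolation_type "Full" blocks all traffic except the Defender for Endpoint
    service itself, which matches the Linux behaviour described in the post;
    "Selective" keeps a few collaboration apps reachable.  The unisolate
    action takes only a comment.
    """
    if isolation_type not in ("Full", "Selective"):
        raise ValueError("isolation_type must be 'Full' or 'Selective'")
    action = "unisolate" if release else "isolate"
    body = {"Comment": comment}  # the comment is the audit trail for the action
    if not release:
        body["IsolationType"] = isolation_type
    return urllib.request.Request(
        url=f"{API_BASE}/machines/{machine_id}/{action}",
        data=json.dumps(body).encode("utf-8"),
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
        method="POST",
    )


def submit(request, opener=urllib.request.urlopen):
    """POST the request and return the machine-action record as a dict.
    `opener` is injectable so the flow can run without network access."""
    with opener(request) as resp:
        return json.loads(resp.read().decode("utf-8"))


def action_state(record):
    """Collapse a machine-action record's status into what an operator
    needs: 'pending' while Defender is still delivering the action to the
    device, 'done' once it succeeded, 'failed' for every other outcome
    (Failed, TimeOut, Cancelled)."""
    status = record.get("status")
    if status in ("Pending", "InProgress"):
        return "pending"
    if status == "Succeeded":
        return "done"
    return "failed"


# --- constructed stand-ins for offline demonstration ---------------------

class _FakeResponse:
    """Minimal context-manager stand-in for the HTTP response object."""
    def __init__(self, payload):
        self._payload = json.dumps(payload).encode("utf-8")

    def read(self):
        return self._payload

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


# Shape of a machine-action record; every value here is made up.
CONSTRUCTED_ACTION = {
    "id": "00000000-0000-0000-0000-000000000000",
    "type": "Isolate",
    "status": "Succeeded",
    "machineId": "EXAMPLE-MACHINE-ID",
}


def fake_opener(request):
    """Pretend transport that returns the constructed action record."""
    return _FakeResponse(CONSTRUCTED_ACTION)


if __name__ == "__main__":
    req = build_isolation_request("EXAMPLE-MACHINE-ID", "PLACEHOLDER-TOKEN",
                                  "IR ticket 1234: contain host", "Full")
    record = submit(req, opener=fake_opener)   # swap in urllib.request.urlopen for real use
    print(req.full_url, "->", action_state(record))
```

In real use the action is asynchronous: the POST returns immediately with a record whose status is usually Pending, and the operator polls the machine action (or watches the Action Center, as the post describes) until `action_state` reports done. Releasing the device goes through the same function with `release=True`, which is the API counterpart of the reconnect option in the portal menu.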