Hi We have a fleet of around 1000 RHEL 7.2 systems that we wish to onboard to Microsoft Defender. There are a mix of DEV, Pre-Prod, PROD and run Web, DB + enterprise Apps for the business. We want to ensure that we can simply onboard them in a passive mode, i.e., enable Anti-virus in "Passive" mode as described here--> https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences#enforcement-level-for-antivirus-engine Since these are all critical servers, we want to ensure there's least business interruption of on boarding these devices to Defender. Therefore, want to clarify the following: If we on board these devices with AV set to "Passive", the AV will catch the threats / malicious actions, but will not take any action - is that correct? When we publish a Linux configuration profile using to Linux systems that's detailed here--> https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences and if they have the AV set to "passive" mode, will they start reporting the alerts raised by AV component to Defender portal? What's the significance of this particular setting " Report AV Suspicious Events to EDR ". Will it enable the threat / malicious detection telemetry for Linux endpoints to Defender portal? If yes, is there a way to filter this telemetry just for Linux systems? Is it fair to say that reviewing this telemetry provides all the information to plan what configuration profile for Linux (for example, what files/paths/actions are currently raising alerts, so we can review them and create appropriate exceptions)? Is there any recommendation from Microsoft around safe / good start when planning the configuration profile for Linux systems to ensure minimum business disruption? Is the guidance here common to all OSes (including Linux) or specific to Windows OS--> https://learn.microsoft.com/en-us/defender-endpoint/edr-in-block-mode?view=o365-worldwide Thanks Taranjeet Singh

Defender for Endpoint for Linux - View Threat Telemetry

Taranjeet Malik 546

We have a fleet of around 1000 RHEL 7.2 systems that we wish to onboard to Microsoft Defender. There are a mix of DEV, Pre-Prod, PROD and run Web, DB + enterprise Apps for the business. We want to ensure that we can simply onboard them in a passive mode, i.e., enable Anti-virus in "Passive" mode as described here--> https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences#enforcement-level-for-antivirus-engine

Since these are all critical servers, we want to ensure there's least business interruption of on boarding these devices to Defender. Therefore, want to clarify the following:

If we on board these devices with AV set to "Passive", the AV will catch the threats / malicious actions, but will not take any action - is that correct?
When we publish a Linux configuration profile using to Linux systems that's detailed here--> https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences and if they have the AV set to "passive" mode, will they start reporting the alerts raised by AV component to Defender portal?
What's the significance of this particular setting "Report AV Suspicious Events to EDR". Will it enable the threat / malicious detection telemetry for Linux endpoints to Defender portal? If yes, is there a way to filter this telemetry just for Linux systems?
Is it fair to say that reviewing this telemetry provides all the information to plan what configuration profile for Linux (for example, what files/paths/actions are currently raising alerts, so we can review them and create appropriate exceptions)?
Is there any recommendation from Microsoft around safe / good start when planning the configuration profile for Linux systems to ensure minimum business disruption?
Is the guidance here common to all OSes (including Linux) or specific to Windows OS--> https://learn.microsoft.com/en-us/defender-endpoint/edr-in-block-mode?view=o365-worldwide

Thanks

Taranjeet Singh

AmaranS 6,415 Reputation points Microsoft Vendor

2024-08-04T15:37:25.7666667+00:00

Hi Taranjeet Malik,

Thank you for reaching out to us on the Microsoft Q&A forum.

Can you please specify the exact Learn Path/Module name/Exercise link where you are encountering this error along with the screenshots for reference.
Taranjeet Malik 546 Reputation points

2024-08-07T01:48:09.68+00:00

Hi @AmaranS not sure what you mean in you last response - I'm not reviewing any Microsoft Learn Paths. I'm dealing with a specific situation and want to understand the specific questions that I listed above. Does that makes sense?ThanksTaranjeet Singh
AmaranS 6,415 Reputation points Microsoft Vendor

2024-08-07T01:56:55.26+00:00

Hi Taranjeet Malik,

Thank you for reaching out to us on the Microsoft Q&A forum.

This topic is currently not supported in the Q&A forums.

Microsoft Learn Paths now only support the Q&A platform.

Please don't forget to Upvote helpful answer and close this thread.
Taranjeet Malik 546 Reputation points

2024-08-11T23:37:05.6333333+00:00

Seriously?

I've been using this support channel for very long time to clarify similar queries. Are you sure Defender for Endpoint is not supported by Q&A Forums? Has something changed recently?

Thanks

Taranjeet Singh

Share via

Defender for Endpoint for Linux - View Threat Telemetry

Your answer