Loss of CWPP protection with AMA Usage

용현 정 40 Reputation points
2024-09-04T12:10:40.6666667+00:00

Please understand that the context may be awkward as I used a translator.

Hello, We are an Azure MSP provider. Our customer is currently using Microsoft Defender for Cloud (MDC) with Server Plan 1 activated. Previously, the Log Analytics Agent (MMA) was used to detect OS-level threats and generate security alerts for CWPP.

However, since MDC has been updated to an agentless approach, MMA is no longer supported, and now OS-level security alerts are detected by Microsoft Defender for Endpoint (MDE) and integrated into MDC.

We are facing an issue.

The customer uses two types of virtual machines: Windows and Linux, and they are utilizing a third-party antivirus (CrowdStrike). For Windows, MDE operates in passive mode, allowing MDE installation. However, for Linux, the third-party antivirus prevents MDE installation. The customer insists on using CrowdStrike antivirus. Is it possible to detect OS-level security alerts and view them in MDC if we migrate from Log Analytics Agent (MMA) to Azure Monitor Agent (AMA)?

If detecting OS-level security alerts with AMA is not feasible, are there any alternative solutions available? (Note: The use of CrowdStrike antivirus is mandatory.)

Tags: Microsoft Defender for Cloud, Microsoft Defender for Endpoint Training

2 answers

  1. Givary-MSFT 32,501 Reputation points Microsoft Employee
    2024-09-09T07:10:41.12+00:00

    @용현 정 Thank you for reaching out to us. As I understand it, your ask is related to MDE installation on Linux devices which have CrowdStrike installed.

    Have you tried installing MDE on the Linux device manually - https://learn.microsoft.com/en-us/defender-endpoint/linux-install-manually ?

    Also, as per this doc - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint-linux - can the approach mentioned below be tried?

    [image from the original answer not reproduced]

    Just check whether agentless scanning - https://learn.microsoft.com/en-us/azure/defender-for-cloud/concept-agentless-data-collection - helps to achieve your requirement; if not, we need to have MDE installed on Linux in passive mode.

    Reference: https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent

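The passive-mode setup that this answer recommends, as an added example that is not part of the thread, the CrowdStrike product, or Microsoft's documentation: a small sh script that checks for the Falcon sensor and writes the mdatp managed configuration that pins the antivirus engine to passive mode, so that once the mdatp package is installed it acts as an EDR sensor only and does not contend with Falcon for real-time protection. It assumes Falcon lives under /opt/CrowdStrike (falcon-sensor and falconctl binaries, a falcon-sensor systemd unit) and that mdatp reads /etc/opt/microsoft/mdatp/managed/mdatp_managed.json; both paths and the passive_mode_enabled health field are assumptions to verify against your hosts. It does not change whether the Falcon sensor blocks the package install itself, which this answer leaves with the AV vendor.

```shell
#!/bin/sh
# Added example, not from the thread: stage Microsoft Defender for Endpoint on
# a Linux host that must keep CrowdStrike Falcon as the primary AV, by writing
# the mdatp managed configuration that sets the antivirus engine to passive
# mode before (or alongside) installing the mdatp package.
# Assumptions: Falcon is installed under /opt/CrowdStrike (falcon-sensor and
# falconctl binaries, falcon-sensor systemd unit); mdatp reads
# /etc/opt/microsoft/mdatp/managed/mdatp_managed.json. Verify both on your hosts.

FALCON_ROOT="${FALCON_ROOT:-/opt/CrowdStrike}"
MDATP_MANAGED_DIR="${MDATP_MANAGED_DIR:-/etc/opt/microsoft/mdatp/managed}"

# Return 0 if the CrowdStrike Falcon sensor is present under $1 (default
# $FALCON_ROOT) or registered as a systemd unit, 1 otherwise.
third_party_av_present() {
    root="${1:-$FALCON_ROOT}"
    if [ -x "$root/falcon-sensor" ] || [ -x "$root/falconctl" ]; then
        return 0
    fi
    if command -v systemctl >/dev/null 2>&1 &&
       systemctl list-unit-files 2>/dev/null | grep -q '^falcon-sensor'; then
        return 0
    fi
    return 1
}

# Write mdatp_managed.json with enforcementLevel "passive" into $1 (default
# $MDATP_MANAGED_DIR) and print the path. Passing a scratch directory lets the
# file be reviewed before it is dropped onto a production host.
write_passive_config() {
    dir="${1:-$MDATP_MANAGED_DIR}"
    mkdir -p "$dir"
    cat > "$dir/mdatp_managed.json" <<'EOF'
{
  "antivirusEngine": {
    "enforcementLevel": "passive"
  },
  "cloudService": {
    "enabled": true
  }
}
EOF
    chmod 0644 "$dir/mdatp_managed.json"
    printf '%s\n' "$dir/mdatp_managed.json"
}

# Ask the running agent whether passive mode took effect.
# Returns 0 when passive_mode_enabled is true, 2 when mdatp is not installed,
# 1 when the agent is installed but still in active mode.
passive_mode_active() {
    command -v mdatp >/dev/null 2>&1 || return 2
    mdatp health --field passive_mode_enabled 2>/dev/null | grep -q '^true'
}

apply() {
    if third_party_av_present; then
        echo "Falcon sensor detected; MDE must run as a passive (EDR-only) sensor."
    else
        echo "No Falcon sensor found; passive config still written for review."
    fi
    cfg=$(write_passive_config "$1")
    echo "wrote $cfg"
    rc=0
    passive_mode_active || rc=$?
    case "$rc" in
        0) echo "mdatp reports passive_mode_enabled=true" ;;
        2) echo "mdatp not installed yet; install the package, then re-run to verify" ;;
        *) echo "mdatp installed but not passive; check 'mdatp health' and the managed file" ;;
    esac
}

# Usage: sh mde_passive.sh apply [config-dir]   (config-dir is for dry runs)
case "${1:-}" in
    apply) apply "${2:-}" ;;
esac
```

Run it once with a scratch directory (`sh mde_passive.sh apply /tmp/mdatp-review`) to inspect the JSON, then as root without the argument so the file lands where mdatp reads it; after the package is installed, `mdatp health` should show the passive setting.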

  2. Andrew Blumhardt 9,856 Reputation points Microsoft Employee
    2024-09-09T12:41:48.0366667+00:00

    As you mentioned, Microsoft Defender for Cloud (MDC) – specifically Defender for Servers Plan 1 (D4S P1) – does not rely on an agent. D4S P1 primarily provides cloud-based licensing for Microsoft Defender for Endpoint (MDE) on servers. If you are unable to install MDE on Linux, Defender for Servers P1 will offer limited value.

    MDE can operate in passive mode on Linux. If a third-party antivirus (AV) is preventing the installation of MDE, this is likely an issue with the third-party AV provider. You should address this with the AV's customer support or the administrator responsible.

    In my opinion, MDC’s OS-level alerts do not add significant value over a robust AV-EDR solution. However, the security posture assessments and inventory data from MDE can be beneficial. Unfortunately, there’s no workaround for MDE or MDC in this scenario, but it might be possible to collect Syslog data from Linux into Sentinel, if necessary. That said, I’m not sure if this approach would yield the desired results.

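The Syslog-to-Sentinel route this answer mentions, as an added example that is not part of the thread: an Azure Monitor Agent Data Collection Rule (DCR) that forwards auth, authpriv and kern syslog from the Linux VM to a Log Analytics workspace, rendered and deployed from sh with the az CLI. The workspace, resource group and VM IDs are placeholders, and the az command flags and DCR field names reflect my understanding of the az monitor data-collection commands and should be checked against the current CLI. As the answer says, this gives you raw syslog to write Sentinel analytics rules against; it does not produce Defender for Cloud OS-level alerts.

```shell
#!/bin/sh
# Added example, not from the thread: collect Linux auth/authpriv/kern syslog
# into a Log Analytics workspace through AMA via a Data Collection Rule, so
# the events can be queried from Sentinel. This does NOT produce Defender for
# Cloud alerts; it only makes the raw syslog available for analytics rules.
# Resource IDs and names below are placeholders (assumptions).

# Emit a DCR definition for the given workspace resource ID. Only warning-and-
# above events from the security-relevant facilities are collected, which
# keeps ingestion cost down while retaining failed logins, sudo and kernel
# messages.
render_syslog_dcr() {
    workspace_id="$1"
    location="${2:-eastus}"
    cat <<EOF
{
  "location": "$location",
  "properties": {
    "dataSources": {
      "syslog": [
        {
          "name": "linuxSecuritySyslog",
          "streams": [ "Microsoft-Syslog" ],
          "facilityNames": [ "auth", "authpriv", "kern" ],
          "logLevels": [ "Warning", "Error", "Critical", "Alert", "Emergency" ]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        { "workspaceResourceId": "$workspace_id", "name": "sentinelWorkspace" }
      ]
    },
    "dataFlows": [
      { "streams": [ "Microsoft-Syslog" ], "destinations": [ "sentinelWorkspace" ] }
    ]
  }
}
EOF
}

# Create the rule and associate it with a VM. Assumes the az CLI is installed
# and logged in, and that the VM already has the AzureMonitorLinuxAgent
# extension (AMA) installed; without AMA the association collects nothing.
deploy_syslog_dcr() {
    rg="$1"; vm_id="$2"; workspace_id="$3"; location="${4:-eastus}"
    rule_file=$(mktemp)
    render_syslog_dcr "$workspace_id" "$location" > "$rule_file"
    rule_id=$(az monitor data-collection rule create \
        --resource-group "$rg" --name "dcr-linux-security-syslog" \
        --location "$location" --rule-file "$rule_file" --query id -o tsv)
    az monitor data-collection rule association create \
        --name "linux-security-syslog" --rule-id "$rule_id" --resource "$vm_id"
    rm -f "$rule_file"
}

# Usage: sh syslog_dcr.sh deploy <resource-group> <vm-resource-id> <workspace-resource-id> [location]
case "${1:-}" in
    deploy) deploy_syslog_dcr "${2:-}" "${3:-}" "${4:-}" "${5:-}" ;;
esac
```

Once events arrive they appear in the Syslog table of the workspace; a Sentinel analytics rule over that table (for example, repeated sshd authentication failures from one source) is what turns the feed into an incident, which is the part this route leaves to you rather than to Defender for Cloud.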
