Posted by FPCH Admin

When it comes to protecting servers in hybrid and multicloud environments, Microsoft Defender for Servers, part of Microsoft Defender for Cloud, might be the solution you are looking for. However, with all its features, dependencies, and complexity, it can be challenging to always make the right decision when planning, integrating, and deploying Defender for Servers across your environment. In this blog, we focus on the deployment and integration of Microsoft Defender for Endpoint with Microsoft Defender for Servers on Linux machines.

Microsoft Defender for Servers is available in two different plans, both of which include integration with, and automated deployment of, Microsoft Defender for Endpoint for both Windows and Linux machines.

[Figure: Defender for Servers plan comparison]

To learn more, see the table of supported features for VMs and servers in Defender for Cloud, and the Defender for Servers documentation for details on the features of each plan.

How to enable Defender for Endpoint integration for Linux machines

Microsoft Defender for Endpoint for Linux integration was introduced to Defender for Servers in summer 2021. At that time, Defender for Endpoint integration for Windows servers had already been part of the product for quite a while, and when introducing Linux support, we added an opt-in method so that existing customers could decide when to enable integration and deployment for their Linux machines. Since then, Defender for Endpoint integration is enabled for both Windows and Linux by default on any new subscription when Defender for Servers is enabled for the first time. However, if all three of the following conditions are true, Defender for Endpoint for Linux integration is not automatically enabled:

  • Your subscription was created earlier than August 2021
  • In August 2021, your subscription was configured to have Defender for Endpoint integration enabled
  • In August 2021, your subscription had Defender for Servers enabled

In this scenario, you will see the opt-in capability in your subscription’s Integrations blade within Defender for Cloud:

[Figure: Enable Defender for Endpoint integration for Linux machines]

In the figure above, you can see a second button that enables Defender for Endpoint’s unified solution for Windows Server 2012 R2 and 2016 machines. To learn more about this option, please see this article.

We know that in large environments it can be challenging to find all the subscriptions that do not yet have Linux integration with Defender for Endpoint enabled. This is why we offer several at-scale capabilities to enable the integration across your environment.

Enabling Defender for Endpoint integration for Linux on multiple subscriptions

In Defender for Cloud’s Overview blade, we are introducing a new Insights campaign that gives you visibility into subscriptions that do not have Defender for Endpoint integration enabled for Linux machines.

[Figure: New insights campaign in Microsoft Defender for Cloud's Overview dashboard]

You can use this new campaign to directly enable integration for Linux machines from this Overview blade by clicking the Take Action link.

[Figure: Enable Defender for Endpoint integration for Linux machines at scale]

It will then show you all subscriptions that don’t have integration for Linux machines enabled, including the number of affected Linux machines in each subscription. You can then select some or all of them and enable the integration at scale. Once done, you can track the deployment progress by clicking the Track Deployment link.

[Figure: Track the Defender for Endpoint deployment across your environment]

This link redirects you to a custom workbook that we have published on GitHub and which you can deploy to your environment.

[Figure: Defender for Endpoint provisioning status]

The workbook shows the current deployment status of the Defender for Endpoint extensions on your Azure VMs and Azure Arc-enabled machines, and whether installation and onboarding succeeded or failed.

Enable integration via PowerShell

A second option we provide is a PowerShell script that enables integration for Linux machines on all of your subscriptions. The script checks whether Defender for Endpoint integration is enabled at all and, if not, enables it for both Windows and Linux machines (the script asks you first whether it should do so). If integration is already enabled for Windows, Linux integration is enabled in addition.

# Requires the Az.Accounts and Az.Security modules and an authenticated session (Connect-AzAccount).
write-host '#####################################################################################################' -ForegroundColor green
write-host '# #' -ForegroundColor green
write-host '# This script will enable MDE integration for Linux machines with Microsoft Defender for Cloud. #' -ForegroundColor green
write-host '# Please enter your Tenant ID. The script will then configure all subscriptions in this tenant. #' -ForegroundColor green
write-host '# #' -ForegroundColor green
write-host '# You will be asked if you want to enable MDE integration on all subscriptions, or only those #' -ForegroundColor green
write-host '# that already have MDE integration for Windows machines enabled. #' -ForegroundColor green
write-host '# #' -ForegroundColor green
write-host '#####################################################################################################' -ForegroundColor green
write-host ''

$tenantId = Read-Host "Enter your Tenant ID"
$enableMDE = Read-Host "Do you want to enable MDE integration on all subscriptions (y/n)?"
while ("y","n" -notcontains $enableMDE) {
    $enableMDE = Read-Host "Do you want to enable MDE integration on all subscriptions? Please only enter (y/n)."
}

$subscriptions = Get-AzSubscription -TenantId $tenantId

Foreach ($subscription in $subscriptions) {
    $context = Set-AzContext -Subscription $subscription.id
    Write-host -nonewline "Testing subscription "
    Write-host -nonewline $context.subscription.Name -ForegroundColor Green
    Write-host -nonewline " with subscription ID "
    Write-host -nonewline $context.subscription.Id -ForegroundColor Green
    Write-host "."

    # WDATP controls MDE integration for the subscription as a whole.
    $test0 = Get-AzSecuritySetting -SettingName WDATP
    If ($test0.enabled) {
        # WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW enabled means Linux machines are opted out;
        # disabling it turns Linux integration on.
        $test1 = Get-AzSecuritySetting -SettingName WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW
        If ($test1.enabled) {
            Set-AzSecuritySetting -SettingName WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW `
                -SettingKind DataExportSettings `
                -Enabled $false > $null
            Write-Host "Enabled MDE integration for Linux machines on subscription" $context.subscription.id
        }
    }
    elseif ($enableMDE -eq "y") {
        # Integration is off entirely; enabling WDATP covers both Windows and Linux machines.
        Set-AzSecuritySetting -SettingName WDATP `
            -SettingKind DataExportSettings `
            -Enabled $true > $null
        Write-Host "Enabled MDE integration for all machines on subscription" $context.subscription.id
    }
    else {
        continue
    }
}

We have also published the PowerShell script in the Defender for Cloud GitHub repository.

Enable integration via REST API

Enabling Defender for Endpoint integration for Linux machines through the Defender for Cloud UI, whether by clicking the button or by using the Insights campaign, issues a REST API call against your subscription(s). You can also use this API call in your own automation, ARM templates, or Azure Policy definitions.

To enable Defender for Endpoint integration for Linux machines on a subscription, use the following API call against the microsoft.security/settings REST API provider:

Parameter     Value
REST Method   PUT
API URI       https://management.azure.com/subscriptions//providers/Microsoft.Security/settings/WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW?api-version=2022-05-01
API Version   2022-05-01
JSON Body     {
                "name": "WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW",
                "type": "Microsoft.Security/settings",
                "kind": "DataExportSettings",
                "properties": {
                  "enabled": false
                }
              }

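As an added example (not code from the blog or from the Defender for Cloud repository), the following Python dry run applies the same decision the PowerShell script above makes, but over the REST resources: for each subscription it reads the WDATP and WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW settings and builds the exact PUT from the table above. The subscription IDs and settings responses are constructed sample data, and nothing is sent over the network.

```python
API_VERSION = "2022-05-01"
MGMT = "https://management.azure.com"
LINUX_EXCLUDE = "WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW"

def _setting(enabled):
    """Shape of a Microsoft.Security/settings GET response, trimmed to what we need."""
    return {"kind": "DataExportSettings", "properties": {"enabled": enabled}}

# Constructed sample data (fake subscription IDs), one entry per subscription.
SAMPLE_SETTINGS = {
    "11111111-1111-1111-1111-111111111111":  # MDE on, Linux still excluded
        {"WDATP": _setting(True), LINUX_EXCLUDE: _setting(True)},
    "22222222-2222-2222-2222-222222222222":  # MDE on, Linux already included
        {"WDATP": _setting(True), LINUX_EXCLUDE: _setting(False)},
    "33333333-3333-3333-3333-333333333333":  # MDE integration off entirely
        {"WDATP": _setting(False), LINUX_EXCLUDE: _setting(False)},
}

def setting_enabled(settings, name):
    """Read properties.enabled; a missing setting counts as not enabled."""
    return bool(settings.get(name, {}).get("properties", {}).get("enabled", False))

def plan_action(settings, enable_all):
    """Same decision as the PowerShell script: (setting, value) to PUT, or None.
    WDATP on but Linux excluded -> clear the exclusion (Linux gets onboarded).
    WDATP off                   -> enable it only if the operator opted in."""
    if setting_enabled(settings, "WDATP"):
        return (LINUX_EXCLUDE, False) if setting_enabled(settings, LINUX_EXCLUDE) else None
    return ("WDATP", True) if enable_all else None

def build_put(subscription_id, setting_name, enabled):
    """URI and JSON body of the settings PUT from the REST API section (body as a dict)."""
    uri = (f"{MGMT}/subscriptions/{subscription_id}/providers/Microsoft.Security"
           f"/settings/{setting_name}?api-version={API_VERSION}")
    body = {"name": setting_name, "type": "Microsoft.Security/settings",
            "kind": "DataExportSettings", "properties": {"enabled": enabled}}
    return uri, body

def plan_tenant(all_settings, enable_all):
    """Dry run over every subscription: [(subscription_id, uri, body), ...].
    Nothing is sent; hand the list to an authenticated HTTP client to apply it."""
    plan = []
    for sub_id, settings in all_settings.items():
        action = plan_action(settings, enable_all)
        if action:
            plan.append((sub_id, *build_put(sub_id, *action)))
    return plan
```

Calling plan_tenant(SAMPLE_SETTINGS, enable_all=False) yields only the first subscription, whose Linux exclusion must be cleared; with enable_all=True the third subscription is also switched on via WDATP.
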
Conclusion

While Defender for Endpoint integration is automatically enabled on new subscriptions, or when Defender for Servers is enabled for the first time, you might have subscriptions in your environment that still don’t have the latest integration features enabled. For these subscriptions, you now get visibility in Defender for Cloud’s Overview dashboard and can use a variety of automation capabilities to enable Defender for Endpoint integration for Linux machines at scale.

Acknowledgements

Special thanks to Gal Fenigshtein for the strong collaboration on this topic and for reviewing this blog.