  • FPCH Admin
Posted

Overview

We are excited to announce public preview of device isolation for Microsoft Defender for Endpoint on Linux devices both manually through the Microsoft 365 Defender portal and using APIs.

Some attack scenarios may require you to isolate a device from the network. This action can help prevent the attacker from controlling the compromised device and performing further activities such as data exfiltration and lateral movement. Just like in Windows devices, this device isolation feature disconnects the compromised device from the network while retaining connectivity to the Defender for Endpoint service, while continuing to monitor the device.

Important to note:

  • When isolating a device, only certain processes and web destinations are allowed. Therefore, devices that are behind a full VPN tunnel won't be able to reach the Microsoft Defender for Endpoint cloud service after the device is isolated. We recommend using a split-tunneling VPN for Microsoft Defender for Endpoint and Microsoft Defender Antivirus cloud-based protection-related traffic.
  • Exclusion is not supported for Linux isolation.

This capability is part of the set of response actions that can be taken on a device. Further information on the response actions can be found in Take response actions on a device in Microsoft Defender for Endpoint | Microsoft Learn.

Note: The capability applies to all Microsoft Defender for Endpoint Linux supported distros documented in the System requirements page.

Walkthrough

Linux Manual Isolation

In the Microsoft 365 Defender portal, navigate to the device page of the Linux device. You’ll see the “Isolate Device” action among the other response actions on the device page.

Figure 1: ‘Isolate Device’ on the Device page

Once the action has been taken on the device, you can track its progress in the Action Center.

You can reconnect the device to the network at any time by following the same steps you used to isolate it: the button on the device page changes to “Release from isolation”.

API

Linux isolation is available using APIs. For more details, please refer to the resources below:

Isolate machine API | Microsoft Learn

Release device from isolation API | Microsoft Learn
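As an added example (not Microsoft's code and not part of the original post), the following Python helper builds the isolate and release requests for the machine-action API named above and interprets the returned machine action so a script can track it the way the Action Center does. The endpoint paths, body fields and status values are assumptions to be checked against the linked Microsoft Learn pages; the machine ID and bearer token are placeholders.

```python
"""Isolate or release a Linux device through the Defender for Endpoint API."""
import json
import urllib.request

API_BASE = "https://api.securitycenter.microsoft.com"  # assumed service base URL
# Assumed terminal MachineAction statuses; anything else means "still running".
TERMINAL_STATUSES = {"Succeeded", "Failed", "TimeOut", "Cancelled"}


def build_isolation_request(machine_id: str, comment: str, release: bool = False):
    """Return (url, json_body) for an isolate or release-from-isolation call.

    A justification comment is mandatory on every response action; it is what
    other analysts see in the Action Center. Linux isolation does not support
    exclusions (see the note above), so only a Full isolation type is sent.
    """
    if not comment.strip():
        raise ValueError("a justification comment is required for response actions")
    action = "unisolate" if release else "isolate"  # assumed endpoint names
    url = f"{API_BASE}/api/machines/{machine_id}/{action}"
    body = {"Comment": comment}
    if not release:
        body["IsolationType"] = "Full"
    return url, body


def submit_action(url: str, body: dict, bearer_token: str) -> dict:
    """POST the action and return the MachineAction record (network call)."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def action_state(machine_action: dict):
    """Map a MachineAction record to (is_finished, summary) for a polling loop."""
    status = machine_action.get("status", "Unknown")
    summary = f"{machine_action.get('type')} on {machine_action.get('machineId')}: {status}"
    return status in TERMINAL_STATUSES, summary


# Constructed sample response shaped like a MachineAction record (not real data).
SAMPLE_ACTION = {"id": "00000000-0000-0000-0000-000000000001", "type": "Isolate",
                 "status": "Pending", "machineId": "MACHINE_ID_PLACEHOLDER"}
```

Poll the machine action with `action_state` until it reports finished, then confirm on the device page that the device still reports to the Defender for Endpoint service.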

Let us know what you think

We are excited to bring this feature to you and your security teams. Try it out today and let us know what you think in the comments below! We take all feedback into account as we work to continue to improve your security experience in Microsoft Defender for Endpoint.

If you have questions or comments, reply to this post or reach out to linuxisolation@microsoft.com.

For more information:

Take response actions on a device in Microsoft Defender for Endpoint | Microsoft Learn
