Microsoft today announced that it has added device isolation support to Microsoft Defender for Endpoint (MDE) on onboarded Linux devices.
Enterprise administrators can manually isolate Linux machines enrolled in a public preview using the Microsoft 365 Defender Portal or through API requests.
Once isolated, threat actors will no longer have a connection to the hacked system, cutting off their control and blocking malicious activity like data theft.
“Some attack scenarios may require you to isolate a device from the network. This action can help prevent the attacker from controlling the compromised device and performing other activities such as data exfiltration and lateral movement,” explained Microsoft.
“Just like in Windows devices, this device isolation feature disconnects the compromised device from the network while maintaining connectivity to the Defender for Endpoint service, while continuing to monitor the device.”
Isolated devices can be reconnected to the network as soon as the threat has been mitigated using the “Release from isolation” button on the device page or an HTTP “deisolate” API request.
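For administrators who script this workflow rather than clicking through the portal, the following is an added example (not code from Microsoft or from the article) of how an isolate request and the matching release request are assembled and checked before they are sent. It assumes the request shape of the public MDE machine-actions REST API as I recall it from the API reference: a `POST` to `/api/machines/{id}/isolate` with a mandatory `Comment` and an `IsolationType` of `Full` or `Selective`, and a `POST` to `/api/machines/{id}/unisolate` to release (the article calls the release request "deisolate"); the base URL, action names, status values and the bearer token are assumptions that should be confirmed against the current API documentation and your tenant.

```python
"""Build and optionally send MDE machine-action requests that isolate a
Linux device and later release it.  Constructed example: endpoint names,
base URL and status values are assumptions based on the public MDE API
reference, not taken from the article."""
import json
import urllib.request

API_BASE = "https://api.securitycenter.microsoft.com/api"   # assumed base URL

# Action names under /api/machines/{id}/ (assumption): "isolate" takes the
# device off the network, "unisolate" releases it (the article says "deisolate").
ISOLATE = "isolate"
RELEASE = "unisolate"
ISOLATION_TYPES = ("Full", "Selective")

# Machine actions run asynchronously; these are the assumed terminal states.
TERMINAL_STATUSES = {"Succeeded", "Failed", "TimeOut", "Cancelled"}


def build_isolation_request(machine_id, action, comment, isolation_type="Full",
                            token="ACCESS_TOKEN_PLACEHOLDER"):
    """Return the method, URL, headers and JSON body for an isolate or release
    call, refusing to build anything that the API would reject or that would
    leave no audit trail (every action carries a mandatory Comment)."""
    if action not in (ISOLATE, RELEASE):
        raise ValueError(f"unknown action {action!r}")
    if not machine_id or "/" in machine_id or "?" in machine_id:
        raise ValueError("machine_id must be a single MDE device id")
    if not comment or not comment.strip():
        raise ValueError("a comment explaining the action is required")
    body = {"Comment": comment}
    if action == ISOLATE:
        # Full isolation cuts all traffic except the Defender channel;
        # Selective keeps e.g. Outlook/Teams reachable (assumed semantics).
        if isolation_type not in ISOLATION_TYPES:
            raise ValueError(f"isolation_type must be one of {ISOLATION_TYPES}")
        body["IsolationType"] = isolation_type
    return {
        "method": "POST",
        "url": f"{API_BASE}/machines/{machine_id}/{action}",
        "headers": {"Authorization": f"Bearer {token}",
                    "Content-Type": "application/json"},
        "body": body,
    }


def send_machine_action(prepared):
    """Send a prepared request and return the machine-action object the API
    answers with (status is usually 'Pending' at this point).  Network call;
    not exercised offline."""
    req = urllib.request.Request(
        prepared["url"],
        data=json.dumps(prepared["body"]).encode("utf-8"),
        headers=prepared["headers"],
        method=prepared["method"],
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def action_settled(machine_action):
    """True once a polled machine-action object has reached a terminal
    status, i.e. the isolation (or release) either took effect or failed."""
    return machine_action.get("status") in TERMINAL_STATUSES


if __name__ == "__main__":
    # Dry run with a constructed device id: show both requests without sending.
    iso = build_isolation_request("0123456789abcdef", ISOLATE,
                                  "Suspected C2 beacon from web tier host",
                                  isolation_type="Full")
    rel = build_isolation_request("0123456789abcdef", RELEASE,
                                  "Host rebuilt from known-good image")
    print(json.dumps(iso, indent=2))
    print(json.dumps(rel, indent=2))
```

Keeping request construction separate from sending lets the same code run in a change-review step (print the request, have a second analyst approve it) before the action is actually fired, and `action_settled` is what a polling loop against the returned machine action would call before declaring the device isolated.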
This new feature is supported on all Linux distributions supported by MDE, as listed on the Required configuration page.
On Linux endpoints, Microsoft Defender for Endpoint is a command-line product with anti-malware and EDR (endpoint detection and response) features, designed to send all threat information it detects to the Microsoft 365 Defender portal.
Administrators with MDE subscriptions can deploy and configure it on Linux devices manually or with the help of Puppet, Ansible, and Chef configuration management tools.
The enterprise endpoint security solution was made generally available for Linux and Android in June 2020, after entering public preview in February 2020, with support for multiple Linux server distributions.
Two years ago, Microsoft also announced the addition of live response capabilities for Linux devices in Microsoft Defender for Endpoint, along with support for identifying and assessing the security configurations of Linux devices on corporate networks.
In the same year, MDE's endpoint detection and response (EDR) capabilities were also made generally available on Linux servers, after a public preview stage that started in November 2020.