Announcing device isolation support for Linux [Public Preview]

News Informatique

Announcing device isolation support for Linux [Public Preview]

Overview 

Some attack scenarios may require you to isolate a device from the network. This action can help prevent the attacker from controlling the compromised device and performing further activities such as data exfiltration and lateral movement. Just like in Windows devices, this device isolation feature disconnects the compromised device from the network while retaining connectivity to the Defender for Endpoint service, while continuing to monitor the device.

Important to note:

  • When isolating a device, only certain processes and web destinations are allowed. Therefore, devices that are behind a full VPN tunnel won’t be able to reach the Microsoft Defender for Endpoint cloud service after the device is isolated. We recommend using a split-tunneling VPN for Microsoft Defender for Endpoint and Microsoft Defender Antivirus cloud-based protection-related traffic. 
  • Exclusion is not supported for Linux isolation

This capability is part of the set of response actions that can be taken on a device. Further information on the response actions can be found in Take response actions on a device in Microsoft Defender for Endpoint | Microsoft Learn

Note: The capability applies to all Microsoft Defender for Endpoint Linux supported distros documented in the System requirements page. 

Walkthrough 

Linux Manual Isolation

In the Microsoft 365 Defender portal, navigate to the device page of the Linux device. You’ll see the “Isolate Device” action among other response actions on the device page 

thumbnail image 1 of blog post titled Announcing device isolation support for Linux Figure 1: ‘Isolate Device’ on the Device page

Once the action is completed on the device, you can track progress in the Action Center. 

You’ll be able to reconnect the device back to the network at any time. The button on the device page will change to say Release from isolation, by following the same steps as isolating the device. 

API 

Linux isolation is available using APIs. For more details, please refer to the resources below: 

Isolate machine API | Microsoft Learn 

Release device from isolation API | Microsoft Learn 

Source

Device isolation support for Linux on Microsoft Defender for Endpoint

0 28 February 2023
MDE

No Comments

Add your comment

Thibault CHÂTIRON

Expert Sécurité

À propos de moi

Follow Blog via Email

Enter your email address to follow this blog and receive notifications of new posts

Categories
AADConnect AIP Application Guard Azure Azure ATP Blockchain Conditional Access Copilot Delve DLP eDiscovery ethereum Exchange Online Graph API Guest Hello For Business Information barriers Insider Risk Management Intune MCAS MDE MDI MDO MFA Microsoft 365 Microsoft Threat Protection OneDrive Passwordless Prim'X Purview Sentinel SharePoint Online Solidity SSPR Windows Zed
Recent Posts
February 2023
M T W T F S S
 12345
6789101112
13141516171819
20212223242526
2728  
Categories
Archives

©  2024 Thibault Chatiron