Defender for Endpoint – Viewing Alerts and Recommended Config Profile for Linux
Hi
We have a fleet of around 1000 RHEL 7.2 systems that we wish to onboard to Microsoft Defender. They are a mix of DEV, Pre-Prod and PROD and run Web, DB and enterprise apps for the business. We want to ensure that we can simply onboard them with the least business disruption, so we are thinking of starting with Anti-virus in "Passive" mode as described here –> https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences#enforcement-level-for-antivirus-engine
We want to clarify the following:
1. If we onboard these devices with AV set to "Passive", the AV will catch the threats / malicious actions, but will not take any action – is that correct?
2. When we publish a Linux configuration profile to Linux systems, as detailed here –> https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences, and they have the AV set to "passive" mode, will they start reporting the alerts raised by the AV component to the Defender portal? Is this handled by EDR?
3. What is the significance of this particular setting, "Report AV Suspicious Events to EDR"? Does this setting enable/disable the raised alerts for Linux endpoints being reported to the Defender portal? If yes, is there a way to filter this telemetry just for Linux systems?
4. Is it fair to say that reviewing this telemetry provides enough (or all) of the information needed to plan the configuration profile for Linux (for example, what files/paths/actions are currently raising alerts, so we can review them and create appropriate exceptions)?
5. Is there any recommendation from Microsoft around a safe / good start when planning the configuration profile for Linux systems to ensure minimum business disruption?
Thanks
Taranjeet Singh
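A starter managed profile for the passive-mode rollout the post describes, as an added example (not code from the post, and not Microsoft's own tooling). The managed-file path and the key names and values used here (antivirusEngine.enforcementLevel, exclusions with a $type, cloudService, edr.tags with the GROUP key) follow the linux-preferences document linked above; the environment names, exclusion paths and tag values are constructed assumptions for illustration. The validator exists because enforcementLevel is case sensitive and a profile that says "Passive" instead of "passive" is the kind of mistake that is easy to push to a thousand hosts.

```python
"""Starter mdatp_managed.json generator/validator for Defender for Endpoint on Linux.

Added example. Key names and allowed values follow the linux-preferences doc;
environment names, exclusion paths and tag values are constructed assumptions.
"""
import json
import os
from typing import Any, Dict, List

# Documented location of the Microsoft-managed configuration file
MANAGED_PROFILE_PATH = "/etc/opt/microsoft/mdatp/managed/mdatp_managed.json"

# Documented values for antivirusEngine.enforcementLevel (case sensitive)
ENFORCEMENT_LEVELS = {"real_time", "on_demand", "passive"}

# Documented exclusion types and the field each one requires
EXCLUSION_REQUIRED_FIELD = {
    "excludedPath": "path",
    "excludedFileExtension": "extension",
    "excludedFileName": "name",
}

# Constructed per-environment exclusions (assumption, not Microsoft guidance);
# in practice these come from reviewing the telemetry the post asks about.
ENV_EXCLUSIONS: Dict[str, List[Dict[str, Any]]] = {
    "dev": [
        {"$type": "excludedPath", "isDirectory": True, "path": "/opt/app/dev/cache"},
    ],
    "prod": [
        {"$type": "excludedPath", "isDirectory": True, "path": "/var/lib/pgsql/data"},
        {"$type": "excludedFileExtension", "extension": "wal"},
    ],
}


def build_profile(environment: str, enforcement_level: str = "passive") -> Dict[str, Any]:
    """Build the managed profile for one environment, passive mode by default.

    The edr.tags entry uses the documented GROUP key so devices can be
    filtered by environment in the portal (tag values are assumptions).
    """
    if enforcement_level not in ENFORCEMENT_LEVELS:
        raise ValueError(f"enforcementLevel must be one of {sorted(ENFORCEMENT_LEVELS)}")
    if environment not in ENV_EXCLUSIONS:
        raise ValueError(f"unknown environment {environment!r}")
    return {
        "antivirusEngine": {
            "enforcementLevel": enforcement_level,
            "exclusions": ENV_EXCLUSIONS[environment],
        },
        "cloudService": {"enabled": True, "automaticDefinitionUpdateEnabled": True},
        "edr": {"tags": [{"key": "GROUP", "value": f"linux-{environment}"}]},
    }


def validate_profile(profile: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the profile passes.

    Flags a mis-cased enforcement level ("Passive"), an exclusion with an
    unknown $type or a missing required field, and a tag key other than GROUP.
    """
    problems: List[str] = []
    av = profile.get("antivirusEngine", {})
    level = av.get("enforcementLevel")
    if level not in ENFORCEMENT_LEVELS:
        problems.append(f"antivirusEngine.enforcementLevel invalid: {level!r}")
    for i, exc in enumerate(av.get("exclusions", [])):
        kind = exc.get("$type")
        field = EXCLUSION_REQUIRED_FIELD.get(kind)
        if field is None:
            problems.append(f"exclusions[{i}]: unknown $type {kind!r}")
        elif not exc.get(field):
            problems.append(f"exclusions[{i}]: missing {field!r} for {kind}")
    for tag in profile.get("edr", {}).get("tags", []):
        if tag.get("key") != "GROUP":
            problems.append(f"edr.tags: unsupported key {tag.get('key')!r}")
    return problems


def write_profile(profile: Dict[str, Any], path: str = MANAGED_PROFILE_PATH) -> str:
    """Validate, then write the profile as JSON; returns the path written."""
    problems = validate_profile(profile)
    if problems:
        raise ValueError("; ".join(problems))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        json.dump(profile, fh, indent=2)
    return path


if __name__ == "__main__":
    # Write a passive-mode PROD profile to a scratch path for review;
    # a real deployment drops it at MANAGED_PROFILE_PATH as root.
    print(write_profile(build_profile("prod"), "/tmp/mdatp_managed.json"))
```

Run it once per environment and diff the output against what the hosts currently report before pushing it fleet-wide; moving from "passive" to "real_time" later is a one-key change in the same file.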