🔥Microsoft Defender for Endpoint Device isolation support for Linux🔥
Many of my partners frequently ask about device isolation on Linux devices using MDE. Here is my response:
The public preview of device isolation for Microsoft Defender for Endpoint on Linux devices is available both manually through the Microsoft 365 Defender portal and using APIs.
📝In this post, I'll outline the benefits of this feature, important considerations, and provide a walkthrough of the process.
📌Device Isolation for Enhanced Security
In certain attack scenarios, isolating a device from the network is crucial to prevent attackers from controlling the compromised device and carrying out further activities such as data exfiltration and lateral movement. Like Windows devices, the device isolation feature for Linux devices disconnects the compromised device from the network while retaining connectivity to the Defender for Endpoint service, enabling continuous monitoring.
📌Important Considerations
🔸During device isolation, only specific processes and web destinations are allowed. Therefore, devices behind a full VPN tunnel might not be able to reach the Microsoft Defender for Endpoint cloud service after isolation. It is recommended to use a split-tunneling VPN for Microsoft Defender for Endpoint and Microsoft Defender Antivirus cloud-based protection-related traffic.
🔸Exclusion is not supported for Linux isolation.
📌Device Isolation is part of the set of response actions that can be taken on a device. For more information on response actions, refer to Take response actions on a device in Microsoft Defender for Endpoint | Microsoft Learn - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide#isolate-devices-from-the-network
📌Walkthrough: Linux Manual Isolation
🔸In the Microsoft 365 Defender portal, navigate to the device page of the Linux device. You'll see the "Isolate Device" action among other response actions on the device page.
🔸After you submit the action, you can track its progress in the Action Center.
🔸You can reconnect the device to the network at any time by clicking "Release from isolation" on the device page, following the same steps as isolating the device.
📌API Support
🔸Linux device isolation is also available using APIs. For more details, please refer to the following resources:
🔹Isolate machine API | Microsoft Learn - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/isolate-machine?view=o365-worldwide
🔹Release device from isolation API | Microsoft Learn - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/unisolate-machine?view=o365-worldwide
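As an added example (not code from the original post or from Microsoft), here is how the two API calls above look from an automation script, together with polling of the resulting machine action until it finishes. The URL and body shapes follow the linked Isolate/Unisolate machine API docs; the token, machine ID, action ID and the JSON responses are constructed placeholders.

```python
"""Build the MDE isolate/release calls for a Linux device and poll the
resulting machine action. Endpoint paths and body fields follow the public
Isolate/Unisolate machine API docs; all IDs, tokens and responses here are
constructed placeholders for offline use."""
import json
from typing import Callable

API_BASE = "https://api.securitycenter.microsoft.com/api"
# MachineAction statuses after which polling can stop.
TERMINAL_STATES = {"Succeeded", "Failed", "Cancelled", "TimeOut"}


def _post(path: str, token: str, body: dict) -> dict:
    """Describe an authenticated JSON POST without sending it."""
    return {"method": "POST", "url": f"{API_BASE}{path}",
            "headers": {"Authorization": f"Bearer {token}",
                        "Content-Type": "application/json"},
            "body": json.dumps(body)}


def isolate_request(machine_id: str, token: str, comment: str) -> dict:
    """POST /machines/{id}/isolate. IsolationType is 'Full' because, as the
    post notes, exclusions are not supported for Linux isolation."""
    return _post(f"/machines/{machine_id}/isolate", token,
                 {"Comment": comment, "IsolationType": "Full"})


def release_request(machine_id: str, token: str, comment: str) -> dict:
    """POST /machines/{id}/unisolate releases the device from isolation."""
    return _post(f"/machines/{machine_id}/unisolate", token, {"Comment": comment})


def wait_for_action(action_id: str, fetch: Callable[[str], str],
                    max_polls: int = 10) -> str:
    """Poll GET /machineactions/{id} through the injected fetch(url) -> JSON
    text until a terminal status appears; return the last status seen."""
    status = "Pending"
    for _ in range(max_polls):
        status = json.loads(fetch(f"{API_BASE}/machineactions/{action_id}"))["status"]
        if status in TERMINAL_STATES:
            break
    return status


# Constructed MachineAction responses, as a poller would see them over time.
SAMPLE_RESPONSES = [json.dumps({"id": "ACTION_ID_PLACEHOLDER", "type": "Isolate",
                                "status": s}) for s in ("Pending", "InProgress", "Succeeded")]

if __name__ == "__main__":
    print(isolate_request("MACHINE_ID_PLACEHOLDER", "TOKEN_PLACEHOLDER",
                          "Isolating Linux host after alert")["url"])
    print(wait_for_action("ACTION_ID_PLACEHOLDER",
                          lambda _url, it=iter(SAMPLE_RESPONSES): next(it)))
```

Swap the `fetch` callable for a real HTTP GET with the same bearer token to poll a live tenant.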