From 5336b80da809f5eb75acd5fc0c8352cd3fb99d8e Mon Sep 17 00:00:00 2001 From: Mati Goldberg Date: Mon, 16 Nov 2020 21:37:39 +0200 Subject: [PATCH] auditd notice --- .../microsoft-defender-atp/microsoft-defender-atp-linux.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md index 873df4353b..87dd24a90d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md @@ -92,6 +92,10 @@ If you experience any installation failures, refer to [Troubleshooting installat After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints. +- Audit framework (`auditd`) must be enabled. + >[!NOTE] + > System events captured by rules added to `audit.logs` will add to audit logs and might affect host auditing and upstream collection. Events added by Microsoft Defender for Endopoint for Linux will be tagged with `mdatp` key. + ### Network connections The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there are, you may need to create an *allow* rule specifically for them.
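Review bot: The new note in the hunk has two problems in the lines being added. First, "Microsoft Defender for Endopoint for Linux" misspells the product name ("Endpoint"). Second, "System events captured by rules added to `audit.logs` will add to audit logs" is confusing: `auditd` rules are loaded from a rules file (`audit.rules`), while the captured events are written to the audit log (`audit.log`), so `audit.logs` names neither, and "captured by rules ... will add to audit logs" repeats itself. Suggest rewording to something like "Audit rules added by Microsoft Defender for Endpoint for Linux generate additional events in the audit log, which might affect host auditing and upstream collection. Events generated by these rules are tagged with the `mdatp` key." Two smaller points: `>[!NOTE]` should be `> [!NOTE]` to match the alert syntax used elsewhere in this docs set, and the new "- Audit framework (`auditd`) must be enabled." bullet is appended after a paragraph about network and firewall configuration rather than alongside the other prerequisite bullets above it, so it should move up to the prerequisites list so readers see it with the other requirements.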