From 469a0c8f8723a6bec42bcd5c2b618e083bc9d7b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Sun, 20 Dec 2020 22:26:58 +0100 Subject: [PATCH 1/9] add info about the allowedThreats option MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- .../linux-install-manually.md | 12 ++++--- .../linux-install-with-ansible.md | 30 ++++++++++++++-- .../linux-install-with-puppet.md | 34 ++++++++++++++++--- 3 files changed, 63 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md index cb813cf147..3df93c4de6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md @@ -14,9 +14,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- @@ -144,10 +144,10 @@ In order to preview new features and provide early feedback, it is recommended t sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-[channel].list ``` For example, if you chose *insiders-fast* channel: - + ```bash sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-insiders-fast.list - ``` + ``` - Install the `gpg` package if not already installed: @@ -328,6 +328,8 @@ Download the onboarding package from Microsoft Defender Security Center: mdatp threat list ``` + If the the test file isn't detected and quarantined it might be labeled as a allowed threat. See the [allowedThreats](linux-preferences.md#allowed-threats) option and the structure of the configuration profile at [Set preferences for Microsoft Defender for Endpoint for Linux](linux-preferences.md). + ## Log installation issues See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md index 35fe0795ab..6643175264 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md @@ -14,9 +14,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- @@ -248,6 +248,30 @@ Now run the tasks files under `/etc/ansible/playbooks/` or relevant directory. ansible-playbook /etc/ansible/playbooks/uninstall_mdatp.yml -i /etc/ansible/hosts ``` +## Testing + +Run a detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on a newly onboarded device: + +- Ensure that real-time protection is enabled (denoted by a result of `1` from running the following command): + + ```bash + mdatp health --field real_time_protection_enabled + ``` + +- Open a Terminal window. Copy and execute the following command: + + ``` bash + curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt + ``` + +- The file should have been quarantined by Defender for Endpoint for Linux. Use the following command to list all the detected threats: + + ```bash + mdatp threat list + ``` + +If the the test file isn't detected and quarantined it might be labeled as a allowed threat. See the [allowedThreats](linux-preferences.md#allowed-threats) option and the structure of the configuration profile at [Set preferences for Microsoft Defender for Endpoint for Linux](linux-preferences.md). + ## Log installation issues See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md index 46100ac983..b2358ccaea 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md @@ -14,9 +14,9 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- @@ -52,7 +52,7 @@ Download the onboarding package from Microsoft Defender Security Center: ![Microsoft Defender Security Center screenshot](images/atp-portal-onboarding-linux-2.png) -4. From a command prompt, verify that you have the file. +4. From a command prompt, verify that you have the file. ```bash ls -l @@ -225,9 +225,33 @@ If the product is not healthy, the exit code (which can be checked through `echo - 1 if the device isn't onboarded yet. - 3 if the connection to the daemon cannot be established. +## Testing + +Run a detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on a newly onboarded device: + +- Ensure that real-time protection is enabled (denoted by a result of `1` from running the following command): + + ```bash + mdatp health --field real_time_protection_enabled + ``` + +- Open a Terminal window. Copy and execute the following command: + + ``` bash + curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt + ``` + +- The file should have been quarantined by Defender for Endpoint for Linux. Use the following command to list all the detected threats: + + ```bash + mdatp threat list + ``` + +If the the test file isn't detected and quarantined it might be labeled as a allowed threat. See the [allowedThreats](linux-preferences.md#allowed-threats) option and the structure of the configuration profile at [Set preferences for Microsoft Defender for Endpoint for Linux](linux-preferences.md). + ## Log installation issues - For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Log installation issues](linux-resources.md#log-installation-issues). +For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Log installation issues](linux-resources.md#log-installation-issues). ## Operating system upgrades From fdb7bddab305812754fbe4f1c0ae407d07b70967 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Mon, 28 Dec 2020 22:46:32 +0000 Subject: [PATCH 2/9] Update windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/linux-install-with-puppet.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md index b2358ccaea..2be925e7de 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md @@ -247,7 +247,7 @@ Run a detection test to verify that the device is properly onboarded and reporti mdatp threat list ``` -If the the test file isn't detected and quarantined it might be labeled as a allowed threat. See the [allowedThreats](linux-preferences.md#allowed-threats) option and the structure of the configuration profile at [Set preferences for Microsoft Defender for Endpoint for Linux](linux-preferences.md). +If the the test file isn't detected and quarantined, it might be labeled as an allowed threat. See the [allowedThreats](linux-preferences.md#allowed-threats) option and the structure of the configuration profile at [Set preferences for Microsoft Defender for Endpoint for Linux](linux-preferences.md). ## Log installation issues From 808515fa6efecd072fe8c331e804fce10d5b8e95 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Mon, 28 Dec 2020 22:46:43 +0000 Subject: [PATCH 3/9] Update windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/linux-install-with-ansible.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md index 6643175264..daadffbab5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md @@ -270,7 +270,7 @@ Run a detection test to verify that the device is properly onboarded and reporti mdatp threat list ``` -If the the test file isn't detected and quarantined it might be labeled as a allowed threat. See the [allowedThreats](linux-preferences.md#allowed-threats) option and the structure of the configuration profile at [Set preferences for Microsoft Defender for Endpoint for Linux](linux-preferences.md). +If the the test file isn't detected and quarantined, it might be labeled as an allowed threat. See the [allowedThreats](linux-preferences.md#allowed-threats) option and the structure of the configuration profile at [Set preferences for Microsoft Defender for Endpoint for Linux](linux-preferences.md). ## Log installation issues From 2de18161ad371f989e2450f398c79b1b6051a69a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Mon, 28 Dec 2020 22:46:49 +0000 Subject: [PATCH 4/9] Update windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/linux-install-manually.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md index 3df93c4de6..c8f20a2db8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md @@ -328,7 +328,7 @@ Download the onboarding package from Microsoft Defender Security Center: mdatp threat list ``` - If the the test file isn't detected and quarantined it might be labeled as a allowed threat. See the [allowedThreats](linux-preferences.md#allowed-threats) option and the structure of the configuration profile at [Set preferences for Microsoft Defender for Endpoint for Linux](linux-preferences.md). + If the the test file isn't detected and quarantined, it might be labeled as an allowed threat. See the [allowedThreats](linux-preferences.md#allowed-threats) option and the structure of the configuration profile at [Set preferences for Microsoft Defender for Endpoint for Linux](linux-preferences.md). ## Log installation issues From 4410925f661d97fa1c6ea0936de0fdd56d1518c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Tue, 29 Dec 2020 20:04:40 +0000 Subject: [PATCH 5/9] Update windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/linux-install-manually.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md index c8f20a2db8..8e6178d0be 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md @@ -328,7 +328,7 @@ Download the onboarding package from Microsoft Defender Security Center: mdatp threat list ``` - If the the test file isn't detected and quarantined, it might be labeled as an allowed threat. See the [allowedThreats](linux-preferences.md#allowed-threats) option and the structure of the configuration profile at [Set preferences for Microsoft Defender for Endpoint for Linux](linux-preferences.md). + If the test file isn't detected and quarantined, it might be labeled as an allowed threat. See the [allowedThreats](linux-preferences.md#allowed-threats) option and the structure of the configuration profile at [Set preferences for Microsoft Defender for Endpoint for Linux](linux-preferences.md). ## Log installation issues From 9bff7e4ad7836f2cda2508de084437fa4e3e2df2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Tue, 29 Dec 2020 20:04:50 +0000 Subject: [PATCH 6/9] Update windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/linux-install-with-ansible.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md index daadffbab5..ea03743538 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md @@ -270,7 +270,7 @@ Run a detection test to verify that the device is properly onboarded and reporti mdatp threat list ``` -If the the test file isn't detected and quarantined, it might be labeled as an allowed threat. See the [allowedThreats](linux-preferences.md#allowed-threats) option and the structure of the configuration profile at [Set preferences for Microsoft Defender for Endpoint for Linux](linux-preferences.md). +If the test file isn't detected and quarantined, it might be labeled as an allowed threat. See the [allowedThreats](linux-preferences.md#allowed-threats) option and the structure of the configuration profile at [Set preferences for Microsoft Defender for Endpoint for Linux](linux-preferences.md). ## Log installation issues From 198032fd9f6c339e7ae4d6963dca655db6c033f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Fri, 5 Feb 2021 15:19:08 +0000 Subject: [PATCH 7/9] Update windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/linux-install-with-ansible.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md index 4bb6d76a83..8b2e7da1ca 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md @@ -261,7 +261,7 @@ Run a detection test to verify that the device is properly onboarded and reporti - Open a Terminal window. Copy and execute the following command: - ``` bash + ```bash curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt ``` From 95888c61c75699a5290a6193f406f9a2311e4e6f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Fri, 5 Feb 2021 15:19:14 +0000 Subject: [PATCH 8/9] Update windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/linux-install-with-puppet.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md index a80cb41d24..292caa4194 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md @@ -238,7 +238,7 @@ Run a detection test to verify that the device is properly onboarded and reporti - Open a Terminal window. Copy and execute the following command: - ``` bash + ```bash curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt ``` From 1490d9ba4e735783ebc225a74a9fcc2f98a5762b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Fri, 5 Feb 2021 20:23:14 +0000 Subject: [PATCH 9/9] Update windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/linux-install-with-puppet.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md index 292caa4194..260bdb6f66 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md @@ -248,7 +248,7 @@ Run a detection test to verify that the device is properly onboarded and reporti mdatp threat list ``` -If the the test file isn't detected and quarantined, it might be labeled as an allowed threat. See the [allowedThreats](linux-preferences.md#allowed-threats) option and the structure of the configuration profile at [Set preferences for Microsoft Defender for Endpoint for Linux](linux-preferences.md). +If the test file isn't detected and quarantined, it might be labeled as an allowed threat. See the [allowedThreats](linux-preferences.md#allowed-threats) option and the structure of the configuration profile at [Set preferences for Microsoft Defender for Endpoint for Linux](linux-preferences.md). ## Log installation issues