Microsoft has introduced device isolation support, now in public preview, for Linux machines onboarded to Microsoft Defender for Endpoint. The feature allows IT administrators to manually isolate Linux machines through the Microsoft 365 Defender portal or through API requests.
According to Microsoft, attackers will not be able to remotely connect to isolated Linux devices. This action helps block attackers from gaining unauthorized access to, or stealing sensitive data from, a compromised Linux system.
“In some attack scenarios, it may be necessary to isolate the device from the network. This action allows the attacker to take control of the compromised device and perform further activities such as data exfiltration or lateral movement. Similar to Windows devices, this device isolation feature disconnects compromised devices from the network while continuing to monitor the device and maintaining connectivity to the Defender for Endpoint service,” Microsoft explained.
Microsoft notes that admins can manually isolate Linux devices from the Microsoft 365 Defender portal: open the device page for the Linux device and select “Isolate device”. Alternatively, IT staff can use the API to isolate Linux devices from access to external networks.
Microsoft Defender for Endpoint provides device isolation for all supported Linux distributions.
Once the device is isolated, IT can mitigate the threat and then use the “Release from isolation” button to reconnect the device to the network. Microsoft also documents the steps to undo isolation of a Linux device via an “unisolate” HTTP API request.
Microsoft Defender for Endpoint currently offers device isolation support for all supported Linux distributions; the full list is available on Microsoft's support page.
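The portal route above and the isolate/unisolate API route are the same machine action underneath. The following Python script is an added example, not Microsoft's code: it builds the `isolate` and `unisolate` requests against the documented Defender for Endpoint machine-actions endpoints (`/api/machines/{id}/isolate` and `/api/machines/{id}/unisolate` under `api.securitycenter.microsoft.com`), sends them with a bearer token, and interprets the returned machine-action status so a responder can tell when the device is actually cut off. The token, the machine id and the ticket comment are placeholders the reader supplies; the `Full` isolation type is the one the article describes for Linux.

```python
"""Isolate or release a Linux device through the Microsoft Defender for
Endpoint machine-actions API.  Added example, not Microsoft's own code."""
import json
import urllib.request

API_BASE = "https://api.securitycenter.microsoft.com/api"
ISOLATION_TYPES = ("Full", "Selective")
# Statuses at which a MachineAction has stopped changing.
TERMINAL_STATUSES = {"Succeeded", "Failed", "TimeOut", "Cancelled"}


def build_isolation_request(machine_id, comment, isolation_type="Full", release=False):
    """Return (url, body) for an isolate or unisolate machine action.

    The API requires a Comment on every response action; it is kept in the
    action history, so it should say why the analyst isolated the device
    (ticket number, alert id).  release=True builds the unisolate request.
    """
    if not machine_id or not comment:
        raise ValueError("machine_id and comment are required")
    if release:
        return f"{API_BASE}/machines/{machine_id}/unisolate", {"Comment": comment}
    if isolation_type not in ISOLATION_TYPES:
        raise ValueError(f"isolation_type must be one of {ISOLATION_TYPES}")
    return (f"{API_BASE}/machines/{machine_id}/isolate",
            {"Comment": comment, "IsolationType": isolation_type})


def send_machine_action(url, body, token, opener=urllib.request.urlopen):
    """POST the action with a bearer token and return the MachineAction JSON.

    `opener` is injectable so the call can be exercised without network access.
    """
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with opener(req) as resp:
        return json.load(resp)


def action_state(action):
    """Summarise a MachineAction object as (action id, status, finished?).

    Isolation is asynchronous: the POST returns Pending/InProgress, and the
    caller polls GET /api/machineactions/{id} until a terminal status appears.
    """
    status = action.get("status", "Unknown")
    return action.get("id"), status, status in TERMINAL_STATUSES


if __name__ == "__main__":
    # Placeholders: supply a real OAuth bearer token and the machine id shown
    # on the device page in the Microsoft 365 Defender portal.
    TOKEN = "<bearer token>"
    MACHINE_ID = "<machine id>"
    url, body = build_isolation_request(MACHINE_ID, "IR-0000: suspected compromise", "Full")
    print("Would POST", url, json.dumps(body))
    # To send for real: print(action_state(send_machine_action(url, body, TOKEN)))
```

Because the response only acknowledges that the action was queued, treat `Succeeded` from the polled machine action, not the HTTP 201 from the POST, as confirmation that the device is isolated; the release path is identical except that it carries no `IsolationType`.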
In related news, in November 2022 Microsoft announced several updates to Microsoft Defender for Endpoint, including a new Zeek integration that reduces the time required to detect advanced network-based threats. The company also released a new update to protect removable storage devices on Windows devices.