Here’s a quick blog for onboarding CentOS to Microsoft Defender for Endpoint (MDE). I recently went through some of the steps listed on Microsoft’s documentation and decided to create some screenshots.
You can obtain a copy of CentOS from here. For testing purposes you can use the smaller ISO, which is approximately 723 MB.
In this Demo, I’ll be using Hyper-V to deploy CentOS.
In Hyper-V, select New > Virtual Machine.
Ensure the network adapter you select can access the internet, for both the OS install and Defender for Endpoint.
Power on the VM. Be aware that you may get this error when attempting to boot from the DVD; this is because Hyper-V does not trust the image.
Disable Secure Boot in Hyper-V for CentOS to allow the virtual machine to boot.
Power on the virtual machine; it will now boot from the ISO.
Address the configurations with the yellow warning triangles below and then click “Begin Installation”.
Accept the license agreement and finish the configuration.
For testing purposes you do not have to configure the following options:
- Location Services
- Connect your online accounts
Create an account to use.
Install Python on CentOS
You will need Python installed on your CentOS system as part of the tools required to deploy Defender for Endpoint. Either confirm it is already installed or install it before proceeding to deploy MDE.
- From the menu select “Activities > Terminal”
- From the menu select “Activities > Firefox”
- Navigate to the Python website
- Download Python 3.9.6 from the GZipped source tarball
Linux filenames and paths are case sensitive. When navigating to a file or folder, or running a script, remember to ensure you
The package will be located in the “Downloads” folder.
From the “Terminal” do the following:
tar -xf Python-3.9.6.tgz
Prepare and Install Defender for Endpoint
The relevant area of the document is here
1. Open the Terminal
sudo yum install yum-utils
sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/8/prod.repo
sudo rpm --import http://packages.microsoft.com/keys/microsoft.asc
sudo yum install mdatp
mdatp health --field org_id
The result returned should be blank, as the endpoint has not yet been enrolled in Defender for Endpoint.
2. Open Firefox and navigate to https://security.microsoft.com
Go to Settings > Onboarding
Choose “Linux Server”
“Download onboarding package”
3. Save the file; it will be saved to the “Downloads” folder
4. From the Terminal run
5. From the Terminal run
sudo python MicrosoftDefenderATPOnboardingLinuxServer.py
6. From the Terminal run
mdatp health --field org_id
7. From the Terminal run
mdatp health --field healthy
“True” means the client is functioning as expected
8. From the Terminal run
mdatp health --field definitions_status
This confirms the client has the latest definition updates.
9. From the Terminal run
mdatp health --field real_time_protection_enabled
This checks that Real Time Protection (RTP) is enabled.
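The health checks in steps 6 to 9, collected into one sourceable verification script. This is an added example, not part of the original post or of Microsoft's tooling; it assumes the value formats `mdatp health --field` prints (quoted strings, `true`/`false` booleans, and `up_to_date` when definitions are current), and the `MDATP` variable is only there so the command can be pointed at a stub when testing.

```shell
#!/bin/sh
# Post-onboarding verification for Microsoft Defender for Endpoint on Linux.
# Runs the same "mdatp health --field ..." checks as the steps above and
# returns non-zero if any field is not in its expected state.
# MDATP names the command to run; override it to point at a stub when testing.
MDATP="${MDATP:-mdatp}"

# Print one health field with surrounding quotes removed (mdatp quotes strings).
mdatp_field() {
    "$MDATP" health --field "$1" 2>/dev/null | tr -d '"'
}

# True when the value is a boolean true, accepting "true" or "True".
is_true() {
    [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "true" ]
}

# Check onboarding (org_id), overall health, definitions and real time protection.
# Returns 0 when every check passes, 1 otherwise; each failure is printed to stderr.
verify_mdatp() {
    rc=0
    if [ -z "$(mdatp_field org_id)" ]; then
        echo "FAIL: org_id is empty, the endpoint is not onboarded" >&2; rc=1
    fi
    if ! is_true "$(mdatp_field healthy)"; then
        echo "FAIL: healthy is not true" >&2; rc=1
    fi
    # Assumption: "up_to_date" is the value reported when definitions are current.
    if [ "$(mdatp_field definitions_status)" != "up_to_date" ]; then
        echo "FAIL: definitions_status is not up_to_date" >&2; rc=1
    fi
    if ! is_true "$(mdatp_field real_time_protection_enabled)"; then
        echo "FAIL: real_time_protection_enabled is not true" >&2; rc=1
    fi
    return $rc
}
```

Save it as verify_mdatp.sh, then run `. ./verify_mdatp.sh && verify_mdatp` in the Terminal after onboarding; a zero exit status means all four checks passed.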
Testing Threat Protection
We can now test the client and generate some alerts to test the functionality. We will generate alerts using the EICAR test file; more information here.
1. Open the Terminal and run
curl -o /tmp/eicar.com.txt https://www.eicar.org/download/eicar.com.txt
2. From the terminal run
mdatp threat list
This will confirm whether the file has been quarantined.
3. We can review https://security.microsoft.com to check the status of the endpoint and the alert.
I hope these steps help with testing any deployments.