Here’s a quick blog for onboarding CentOS to Microsoft Defender for Endpoint (MDE). I recently went through some of the steps listed on Microsoft’s documentation and decided to create some screenshots.

Deploy CentOS

You can obtain a copy of CentOS from here. For testing purposes you can use the smaller ISO, which is approximately 723 MB.

In this Demo, I’ll be using Hyper-V to deploy CentOS.

In Hyper-V select New > Virtual Machine

Ensure the Network Adapter you choose has internet access; it is needed both for the OS install and for Defender for Endpoint to reach Microsoft's package repository and cloud service.

Power on the VM. Be aware you may get this error when attempting to boot from the DVD. This is because a Generation 2 VM has Secure Boot enabled with the default "Microsoft Windows" template, which only trusts Windows boot loaders, not the CentOS shim.

Either switch the Secure Boot template to "Microsoft UEFI Certificate Authority" in the VM's Security settings (the better option, since it keeps Secure Boot on and the CentOS boot loader is signed under that CA) or disable Secure Boot entirely.

Power on the virtual machine again; it will now boot to the ISO.

Address the configurations with the yellow warning triangles below and then click "Begin Installation"

Accept the license agreement and finish the configuration

For testing purposes you do not have to configure the following options:

  1. Location Services
  2. Connect your online accounts

Create an account to use

Install Python on CentOS

The onboarding script Microsoft provides is written in Python, so Python must be present before you deploy Defender for Endpoint. On CentOS 8 the quickest route is the distribution package (sudo yum install python3); the steps below instead build a current release from source, which is useful if you need a specific version.

  1. From the menu select "Activities > Terminal"
  2. From the menu select "Activities > Firefox"
  3. Navigate to the Python website
  4. Download the Python 3.9.6 "Gzipped source tarball" (and verify the download against the signature or checksum published on python.org before you build it)

Important:
Linux filenames and paths are case sensitive. When navigating to a file or folder or running a script, remember to ensure you
The tarball will be located in the "Downloads" folder.
From the "Terminal" do the following (the build needs a compiler and the development headers, so install those first; "make altinstall" installs python3.9 alongside the system python3 rather than replacing it, which yum and other system tools depend on):

cd ~/Downloads
tar -xf Python-3.9.6.tgz
cd Python-3.9.6
sudo yum install gcc make openssl-devel bzip2-devel libffi-devel zlib-devel
./configure
make -j "$(nproc)"
sudo make altinstall

python3.9 --version

Prepare and Install Defender for Endpoint

The relevant area of the document is here

  1. Open the Terminal, add Microsoft's package repository and signing key, then install the agent:

sudo yum install yum-utils
sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/8/prod.repo
sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
sudo yum makecache
sudo yum install mdatp

Fetch the signing key over HTTPS, not plain http as some copies of the documentation show; a key retrieved over an unauthenticated channel can be swapped for an attacker's key, after which every package from that repository would verify cleanly. Compare the imported key's fingerprint with the one Microsoft publishes before installing anything from the repository.

mdatp health --field org_id

Note:
The result should be blank at this point because the endpoint has not yet been onboarded to Defender for Endpoint.


2. Open Firefox and navigate to https://security.microsoft.com
Go to Settings > Endpoints > Onboarding
Choose "Linux Server" as the operating system and "Local Script" as the deployment method
Click "Download onboarding package"

3. Save the file; it will be saved to the "Downloads" folder

4. From the Terminal run
cd ~/Downloads
unzip WindowsDefenderATPOnboardingPackage.zip

5. From the Terminal run
sudo python3 MicrosoftDefenderATPOnboardingLinuxServer.py

CentOS 8 does not provide a plain "python" command by default, only "python3" (or "python3.9" if you built it as above). The script has to run as root because it writes the onboarding information into the agent's configuration under /etc/opt/microsoft/mdatp/.

6. From the Terminal run
mdatp health --field org_id

This should now return your tenant's organisation ID instead of a blank value.

7. From the Terminal run
mdatp health --field healthy

"true" means the client is functioning as expected

8. From the Terminal run
mdatp health --field definitions_status

"up_to_date" confirms the client has the latest definitions

9. From the Terminal run
mdatp health --field real_time_protection_enabled

"true" confirms that Real Time Protection (RTP) is enabled.
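Steps 6 to 9 are the checks you will want to repeat after every deployment, so it is worth wrapping them in one script that fails loudly on a bad field. The following is an added example, not code from the original post or from Microsoft; MDATP_BIN and EXPECTED_ORG_ID are variables introduced here (the first so the checks can be pointed at a stub, the second so a host onboarded to the wrong tenant is caught), and the expected values are the ones the steps above describe.

```shell
#!/usr/bin/env bash
# Post-onboarding health check for Microsoft Defender for Endpoint on Linux.
# Added example; not from the original post or from Microsoft.
# MDATP_BIN and EXPECTED_ORG_ID are assumed variables introduced here.
MDATP_BIN="${MDATP_BIN:-mdatp}"

# Read one field from `mdatp health --field <name>`, stripping quotes and whitespace.
mdatp_field() {
    "$MDATP_BIN" health --field "$1" 2>/dev/null | tr -d '"[:space:]'
}

# Compare one health field with its expected value. Returns 0 on match, 1 otherwise.
expect_field() {
    local field="$1" want="$2" got
    got="$(mdatp_field "$field")"
    if [ "$got" = "$want" ]; then
        printf 'PASS %-30s %s\n' "$field" "$got"
        return 0
    fi
    printf 'FAIL %-30s got "%s", want "%s"\n' "$field" "$got" "$want" >&2
    return 1
}

# Run every check from the onboarding steps. Returns the number of failed checks,
# so 0 means onboarded, healthy, definitions current, and real-time protection on.
verify_mdatp() {
    local failures=0 org
    org="$(mdatp_field org_id)"
    if [ -z "$org" ]; then
        echo 'FAIL org_id is empty: the endpoint is not onboarded' >&2
        failures=$((failures + 1))
    elif [ -n "${EXPECTED_ORG_ID:-}" ] && [ "$org" != "$EXPECTED_ORG_ID" ]; then
        echo "FAIL org_id $org does not match expected tenant $EXPECTED_ORG_ID" >&2
        failures=$((failures + 1))
    else
        printf 'PASS %-30s %s\n' org_id "$org"
    fi
    expect_field healthy true || failures=$((failures + 1))
    expect_field definitions_status up_to_date || failures=$((failures + 1))
    expect_field real_time_protection_enabled true || failures=$((failures + 1))
    return "$failures"
}

# Run the checks when the agent is installed; the exit status is the failure count.
if command -v "$MDATP_BIN" >/dev/null 2>&1; then
    verify_mdatp
else
    echo "$MDATP_BIN not found; install the mdatp package first" >&2
fi
```

Run it as a script on the onboarded host, or source it and call verify_mdatp from a larger deployment check. Setting EXPECTED_ORG_ID to your tenant's organisation ID turns the org_id check from "is it non-empty" into "is it ours", which matters when the same image is used across tenants.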

Testing Threat Protection

We can now test the client and generate an alert to exercise the detection pipeline end to end. We will use the EICAR anti-malware test file, a harmless, industry-standard string that every AV engine detects; more information here

  1. Open the Terminal and run
    curl -o /tmp/eicar.com.txt https://www.eicar.org/download/eicar.com.txt

2. From the terminal run
mdatp threat list

If real-time protection is working, the listing shows the EICAR detection with a quarantined status and the file is no longer present in /tmp. Detection is not always instantaneous, so re-run the command after a few seconds if the list is empty at first.

3. We can review https://security.microsoft.com to check the status of the endpoint and the alert.
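Because the quarantine can lag the download by a few seconds, a one-shot "curl then list" check can report a false negative. The script below polls the threat list with a timeout instead. It is an added example, not code from the original post or from Microsoft; MDATP_BIN and CURL_BIN are variables introduced here so the logic can be exercised against stubs, and the threat list is matched only on the file path, which is all the page relies on.

```shell
#!/usr/bin/env bash
# Detection smoke test: fetch the EICAR test file and wait for Defender to quarantine it.
# Added example; not from the original post or from Microsoft.
# MDATP_BIN and CURL_BIN are assumed variables introduced here so the logic can be stubbed.
MDATP_BIN="${MDATP_BIN:-mdatp}"
CURL_BIN="${CURL_BIN:-curl}"
EICAR_URL="https://www.eicar.org/download/eicar.com.txt"

# Poll `mdatp threat list` until an entry mentioning the file appears, or give up.
# Arguments: path, timeout in seconds (default 60), poll interval in seconds (default 2).
# Returns 0 when the detection shows up, 1 on timeout.
wait_for_detection() {
    local file="$1" timeout="${2:-60}" interval="${3:-2}" waited=0
    [ "$interval" -ge 1 ] || interval=1   # never spin without advancing the clock
    while [ "$waited" -lt "$timeout" ]; do
        if "$MDATP_BIN" threat list 2>/dev/null | grep -qF -- "$file"; then
            echo "detected after ${waited}s: $file"
            return 0
        fi
        sleep "$interval"
        waited=$((waited + interval))
    done
    echo "no detection for $file within ${timeout}s; check RTP and the threat list" >&2
    return 1
}

# Download EICAR to the target path, then wait for the detection.
# A download error is reported but not fatal: real-time protection may already have
# acted on the file, and the threat list, not curl's exit status, is what is under test.
eicar_test() {
    local target="${1:-/tmp/eicar.com.txt}"
    "$CURL_BIN" -fsS -o "$target" "$EICAR_URL" \
        || echo "warning: download of $EICAR_URL returned an error" >&2
    wait_for_detection "$target" "${2:-60}"
}

# Run the test when the agent is installed; exit non-zero if nothing was detected.
if command -v "$MDATP_BIN" >/dev/null 2>&1; then
    eicar_test "$@"
else
    echo "$MDATP_BIN not found; onboard the endpoint first" >&2
fi
```

A timeout here with the health checks all passing usually points at the download rather than the engine (a proxy or web filter that already blocks eicar.org, for example), which is why the warning from curl is kept visible instead of swallowed.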

I hope these steps help with testing any deployments.