Configure the necessary network connectivity
Prior to deploying the sensor, please ensure you have accounted for the following:
Microsoft Defender for Endpoint communicates with the Microsoft Azure cloud using bidirectionally authenticated Transport Layer Security (TLS) via port 443. All communications are outbound, sensor-to-server.
Microsoft 365 Defender is built on Azure cloud, deployed in the following regions:
- uswestcentral
- useast2
- useast
- europenorth
- europewest
- uksouth
- ukwest
You can find more information in Microsoft Azure Datacenter IP Ranges, published by Microsoft.
Be sure that these address ranges are authorized at network egress points and that traffic is not subject to manipulation or TLS interception.
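One way to check the TLS interception requirement from a host before onboarding it, as an added example that is not part of the original article or of any Microsoft or Red Canary tooling. It connects outbound on port 443 and reports who issued the server certificate. The function names and the expected issuer list are assumptions, and the hostnames to probe must be supplied by you because this page does not list them.

```python
import socket
import ssl
import sys

# Assumption: issuer organizations seen on an unintercepted path. Confirm them
# from a known-clean network before relying on this list.
EXPECTED_ISSUER_ORGS = {"Microsoft Corporation", "DigiCert Inc"}


def issuer_org(cert):
    """Return the issuer organizationName from a getpeercert() dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def assess(cert, expected=EXPECTED_ISSUER_ORGS):
    """Classify a validated server certificate by who issued it."""
    org = issuer_org(cert)
    if org is None:
        return "unknown"
    # An inspecting proxy re-signs the server certificate with its own CA,
    # so the issuer organization changes even though validation succeeds.
    return "direct" if org in expected else "intercepted"


def probe(host, port=443, timeout=5.0):
    """Connect outbound like the sensor would and return (verdict, detail)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return assess(cert), issuer_org(cert)
    except ssl.SSLCertVerificationError as exc:
        return "untrusted-chain", exc.verify_message
    except ssl.SSLError as exc:  # e.g. server insists on a client certificate
        return "handshake-failed", str(exc)
    except OSError as exc:  # DNS failure, refused, filtered, timed out
        return "blocked", str(exc)


if __name__ == "__main__":
    # Pass the service hostnames for your region; none are listed on this page.
    for name in sys.argv[1:]:
        print(name, *probe(name))
```

A verdict of "intercepted" or "untrusted-chain" points at an inspecting proxy on the egress path, and "blocked" points at a firewall or DNS rule.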
Install Microsoft Defender for Endpoint
To install the Microsoft Defender for Endpoint sensor you will need access to the Defender portal to onboard any of the supported devices.
- In Red Canary, click Defender to navigate to the Microsoft Defender Security Center.
- Click Settings, Device Management, and then Onboarding.
- Click Select operating system to start onboarding process, and then select Linux.
- Select a deployment method, and then click Download Package.
- Onboard your devices by running the package you downloaded.
- Follow the "Run a detection test" instructions to verify that the device is properly onboarded. If successful, a new alert will appear in a few minutes.
Uninstall Microsoft Defender for Endpoint
- In Red Canary, click Defender to navigate to the Microsoft Defender Security Center.
- Click Settings, Device Management, and then Offboarding.
- Select Linux Server, and then Local Script.
- Open a shell and navigate to the folder where the offboarding package was downloaded.
- Execute the following commands (replacing the x’s with the proper values for the downloaded package):
    unzip WindowsDefenderATPOffboardingPackage_valid_until_xxxxxx-xx.zip
    python MicrosoftDefenderATPOffboardingMacOs_valid_until_xxxx-xx-xx.py
- Enter su password.
The script will uninstall the Defender ATP agent from the Linux server.