Loss of CWPP protection with AMA Usage

용현 정 65 Reputation points
2024-09-04T12:10:40.6666667+00:00

**Please understand that the context may be awkward as I used a translator.

Hello, We are an Azure MSP provider. Our customer is currently using Microsoft Defender for Cloud (MDC) with Server Plan 1 activated. Previously, the Log Analytics Agent (MMA) was used to detect OS-level threats and generate security alerts for CWPP.

However, since MDC has been updated to an agentless approach, MMA is no longer supported, and now OS-level security alerts are detected by Microsoft Defender for Endpoint (MDE) and integrated into MDC.

We are facing an issue.

The customer uses two types of virtual machines: Windows and Linux, and they are utilizing a third-party antivirus (CrowdStrike). For Windows, MDE operates in passive mode, allowing MDE installation. However, for Linux, the third-party antivirus prevents MDE installation. The customer insists on using CrowdStrike antivirus. Is it possible to detect OS-level security alerts and view them in MDC if we migrate from Log Analytics Agent (MMA) to Azure Monitor Agent (AMA)?

If detecting OS-level security alerts with AMA is not feasible, are there any alternative solutions available? (Note: The use of CrowdStrike antivirus is mandatory.)

Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,403 questions
Microsoft Defender for Endpoint Training
Microsoft Defender for Endpoint Training
Microsoft Defender for Endpoint: A Microsoft unified security platform for preventative protection, postbreach detection, and automated investigation and response. Previously known as Microsoft Defender Advanced Threat Protection.Training: Instruction to develop new skills.
44 questions
0 comments No comments
{count} votes

Accepted answer
  1. Givary-MSFT 33,001 Reputation points Microsoft Employee
    2024-09-09T07:10:41.12+00:00

    @용현 정 Thank you for reaching out to us, As I understand your ask is related to MDE installation on Linux devices which has CrowdStrike installed.

    Have you tried installing MDE on Linux device manually - https://learn.microsoft.com/en-us/defender-endpoint/linux-install-manually ?

    Also, as per this doc - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint-linux does the below mentioned approach can be tried?

    User's image

    Just check if agentless scanning - https://learn.microsoft.com/en-us/azure/defender-for-cloud/concept-agentless-data-collection helps to achieve your requirement, if not we need to have MDE installed on Linux in passive mode.

    Reference: https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent

    1 person found this answer helpful.
    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Andrew Blumhardt 9,861 Reputation points Microsoft Employee
    2024-09-09T12:41:48.0366667+00:00

    As you mentioned, Microsoft Defender for Cloud (MDC) – specifically Defender for Servers Plan 1 (D4S P1) – does not rely on an agent. D4S P1 primarily provides cloud-based licensing for Microsoft Defender for Endpoint (MDE) on servers. If you are unable to install MDE on Linux, Defender for Servers P1 will offer limited value.

    MDE can operate in passive mode on Linux. If a third-party antivirus (AV) is preventing the installation of MDE, this is likely an issue with the third-party AV provider. You should address this with the AV's customer support or the administrator responsible.

    In my opinion, MDC’s OS-level alerts do not add significant value over a robust AV-EDR solution. However, the security posture assessments and inventory data from MDE can be beneficial. Unfortunately, there’s no workaround for MDE or MDC in this scenario, but it might be possible to collect Syslog data from Linux into Sentinel, if necessary. That said, I’m not sure if this approach would yield the desired results.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.