How does Defender protect Azure Linux VMs

Katarkandi, Sandeep 67231 0 Reputation points
2021-05-28T20:41:29.08+00:00

Azure Defender does not integrate with Azure services to monitor and protect your Linux-based machines. Then how does Security Center present the alerts and remediation suggestions from Linux services? Say, for instance, that it uses auditd, but how are we protecting Linux through ASC?


2 answers

  1. VipulSparsh-MSFT 16,271 Reputation points Microsoft Employee
    2021-06-01T12:28:25.79+00:00

    anonymous user, thanks for reaching out.

    Azure Security Center depends on the Log Analytics agent to collect logs from the supported servers. Once the logs are flowing in from the agent, after onboarding the servers from the Azure Security Center portal, we start getting the information.

    Azure Defender collects audit records from Linux machines by using auditd, one of the most common Linux auditing frameworks. auditd lives in the mainline kernel.

    auditd records are collected, enriched, and aggregated into events by using the Log Analytics agent for Linux. Security Center continuously adds new analytics that use Linux signals to detect malicious behaviors on cloud and on-premises Linux machines. Similar to the Windows capabilities, these analytics span suspicious processes, dubious sign-in attempts, kernel module loading, and other activities.

    You can see the alerts that can be generated and tracked by ASC for Linux here: https://learn.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux
    Once generated, you will find them here under your ASC section:

    [Screenshot: 101391-image.png]

    For more information about processes and alerts on Linux, check our GitHub simulation for Linux detection: https://github.com/Azure/Azure-Security-Center/blob/main/Simulations/Azure%20Security%20Center%20Linux%20Detections_v2.pdf
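The pipeline the answer describes, auditd records aggregated into events and then analytics run over them for kernel module loads and dubious sign-in attempts, as an added illustration in Python. This is example code written for this page, not the Log Analytics agent or Security Center's own analytics: the audit lines are constructed, and the rule thresholds, the login window and the x86_64 syscall numbers (175 = init_module, 313 = finit_module) are the example's own choices.

```python
import re
from collections import defaultdict

# Constructed raw auditd records (not captured from a real host). Records that
# share the same msg=audit(TIMESTAMP:SERIAL) header belong to one audit event.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1622235600.101:2001): arch=c000003e syscall=313 success=yes exit=0 a0=3 a1=7ffd a2=0 a3=0 items=0 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 comm="insmod" exe="/usr/bin/kmod" key="modules"
type=PROCTITLE msg=audit(1622235600.101:2001): proctitle=696E736D6F64
type=USER_LOGIN msg=audit(1622235605.250:2002): pid=2100 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1622235606.300:2003): pid=2101 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1622235607.400:2004): pid=2102 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=SYSCALL msg=audit(1622235610.500:2005): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2200 pid=2201 auid=1000 uid=1000 gid=1000 euid=1000 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1622235610.500:2005): argc=2 a0="ls" a1="-la"
"""

HEADER_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# key=value pairs: double-quoted, single-quoted (nested msg='...' block) or bare.
FIELD_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")

# x86_64 syscall numbers (arch=c000003e): 175 = init_module, 313 = finit_module.
MODULE_LOAD_SYSCALLS = {"175", "313"}
FAILED_LOGIN_THRESHOLD = 3       # example's own choice of threshold
FAILED_LOGIN_WINDOW_SECS = 60.0  # example's own choice of window


def parse_fields(text):
    """Turn an auditd key=value body into a dict, flattening nested msg='...' blocks."""
    fields = {}
    for match in FIELD_RE.finditer(text):
        key, raw = match.group(1), match.group(2)
        if raw.startswith("'") and raw.endswith("'"):
            fields.update(parse_fields(raw[1:-1]))
        else:
            fields[key] = raw.strip('"')
    return fields


def parse_audit_log(text):
    """Aggregate raw records into events keyed by serial, preserving first-seen order."""
    events, order = {}, []
    for line in text.splitlines():
        match = HEADER_RE.match(line)
        if not match:
            continue  # not an audit record (e.g. a blank line); skip it
        serial = int(match.group("serial"))
        if serial not in events:
            events[serial] = {"serial": serial, "timestamp": float(match.group("ts")), "records": {}}
            order.append(serial)
        # One record per type is enough here; a full parser would keep a list (PATH repeats).
        events[serial]["records"][match.group("type")] = parse_fields(match.group("body"))
    return [events[s] for s in order]


def detect(events):
    """Two of the signal classes the answer names: kernel module loading and failed sign-ins."""
    alerts = []
    failures = defaultdict(list)  # (source address, account) -> timestamps of failed logins
    for event in events:
        syscall = event["records"].get("SYSCALL")
        if syscall and syscall.get("arch") == "c000003e" and syscall.get("syscall") in MODULE_LOAD_SYSCALLS:
            alerts.append({"rule": "kernel_module_load", "serial": event["serial"],
                           "exe": syscall.get("exe"), "auid": syscall.get("auid")})
        login = event["records"].get("USER_LOGIN")
        if login and login.get("res") == "failed":
            key = (login.get("addr"), login.get("acct"))
            recent = [t for t in failures[key] if event["timestamp"] - t <= FAILED_LOGIN_WINDOW_SECS]
            recent.append(event["timestamp"])
            failures[key] = recent
            if len(recent) == FAILED_LOGIN_THRESHOLD:  # fire once when the threshold is reached
                alerts.append({"rule": "failed_login_burst", "serial": event["serial"],
                               "source": key[0], "account": key[1], "count": len(recent)})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(alert)
```

On the constructed input this yields one `kernel_module_load` alert for the `insmod` event and one `failed_login_burst` alert on the third failed root login from the same address; the `execve` of `ls` matches neither rule. The enrichment the agent adds (hostname, resource id, process tree) and the much larger rule set are what the real pipeline layers on top of this same parse-then-aggregate step.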


  2. Sandeep Katarkandi 1 Reputation point
    2021-06-24T00:01:15.937+00:00

    Hi Vipul, I can see that Defender is enabled on all the VMs, including Linux, through Security Center, but it doesn't show any extension for ATP or Defender on the Linux VMs. The next option is to verify through a command or query whether the ATP or Qualys extension is present on the Linux servers. Defender is integrated through Security Center, but what are the possible ways to find out if Defender is present on the Linux servers? Thanks.

