Microsoft Defender ATP on Linux (in pictures)

Quite flexible data retention periods
Very noisy warnings
UX is a disaster. To see the full process tree, an investigator needs to scroll a lot and correlate the events in their head.
AWS SSM agent is a threat.
No triggered Anti-Virus scan, no Incident Response data collection, no Remote Shell, no ability to run a Live Response script. Defender here is taken from the insider-fast repo. It looks like all these features are still in early beta.
Code completion is not perfect. FileName had to be written by hand.
With default UI layout it’s really hard to view and analyze telemetry.
It’s cool that 3 different hashes are computed for every file, but this is a huge performance overhead.
Not all fields are promoted to the top level formatted attributes. Some are parsed as JSON.
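The two complaints above (correlating the process tree by hand, and fields that arrive as JSON rather than promoted attributes) can be worked around offline on an exported query result. The script below is an added example, not code from the post or from Microsoft: it takes rows in the shape of the Advanced Hunting DeviceProcessEvents table (ProcessId, InitiatingProcessId, FileName and the AdditionalFields JSON column are real column names; the row values and the JSON keys inside AdditionalFields are constructed for the example) and renders an indented process tree with the JSON fields flattened next to each node.

```python
import json
from collections import defaultdict

# Constructed sample rows shaped like exported DeviceProcessEvents results.
# Column names are real; pids, names and the AdditionalFields keys are made up.
SAMPLE_EVENTS = [
    {"ProcessId": 1200, "InitiatingProcessId": 1, "FileName": "sshd",
     "AdditionalFields": None},
    {"ProcessId": 1310, "InitiatingProcessId": 1200, "FileName": "bash",
     "AdditionalFields": ""},
    {"ProcessId": 1322, "InitiatingProcessId": 1310, "FileName": "curl",
     "AdditionalFields": '{"PosixEffectiveUser": "app"}'},
    {"ProcessId": 1323, "InitiatingProcessId": 1310, "FileName": "python3",
     "AdditionalFields": "{}"},
    {"ProcessId": 2000, "InitiatingProcessId": 1, "FileName": "amazon-ssm-agent",
     "AdditionalFields": None},
    {"ProcessId": 2010, "InitiatingProcessId": 2000, "FileName": "sh",
     "AdditionalFields": None},
]


def build_process_tree(events):
    """Index flat process-creation rows by pid and group children by parent pid.

    AdditionalFields is parsed from its JSON string; an empty or missing value
    is treated as no extra attributes rather than as an error.
    """
    nodes, children = {}, defaultdict(list)
    for ev in events:
        extra = json.loads(ev.get("AdditionalFields") or "{}")
        nodes[ev["ProcessId"]] = {"name": ev["FileName"],
                                  "parent": ev["InitiatingProcessId"],
                                  "extra": extra}
    for pid, node in nodes.items():
        children[node["parent"]].append(pid)
    return nodes, children


def render_tree(events):
    """Return the tree as indented text lines, one process per line.

    A process whose parent pid never appears in the export is shown as a root,
    so a partial export (the usual case with a retention window) still renders.
    """
    nodes, children = build_process_tree(events)
    lines = []

    def walk(pid, depth):
        node = nodes[pid]
        extra = ", ".join(f"{k}={v}" for k, v in sorted(node["extra"].items()))
        lines.append(f"{'  ' * depth}{node['name']} (pid {pid})"
                     + (f" [{extra}]" if extra else ""))
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(pid for pid, n in nodes.items() if n["parent"] not in nodes):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_EVENTS)))
```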

Conclusion: Microsoft's cloud EDR is not yet ready on Linux. The competition has more mature products.

Jakub Jóźwicki