Configure MDE with JSON Configuration Profile.
1. Configuration Profile
1.1 User Activity
Sample Configuration Profile
We can use the mdatp_managed.json file to configure our Linux MDE deployments at scale rather than setting up each Linux server individually.
1.1 Background Activity
{
  "antivirusEngine": {
    "enforcementLevel": "real_time",
    "scanAfterDefinitionUpdate": true,
    "scanArchives": true,
    "maximumOnDemandScanThreads": 2,
    "exclusionsMergePolicy": "merge",
    "exclusions": [],
    "allowedThreats": [],
    "disallowedThreatActions": ["allow", "restore"],
    "nonExecMountPolicy": "unmute",
    "unmonitoredFilesystems": ["nfs,fuse"],
    "threatTypeSettingsMergePolicy": "merge",
    "threatTypeSettings": [
      {
        "key": "potentially_unwanted_application",
        "value": "audit"
      },
      {
        "key": "archive_bomb",
        "value": "audit"
      }
    ]
  },
  "cloudService": {
    "enabled": true,
    "diagnosticLevel": "required",
    "automaticSampleSubmissionConsent": "safe",
    "automaticDefinitionUpdateEnabled": true
  }
}
1.2 User Activity
mdatp_managed.json lives in
/etc/opt/microsoft/mdatp/managed
1.3 User Activity
Core Components
This is a nonexhaustive list of the core components of the MDE agent. Refer to https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-preferences?view=o365-worldwide#enforcement-level-for-antivirus-engine for a more up-to-date list.
enforcementLevel
behaviorMonitoring
maximumOnDemandScanThreads
exclusionsMergePolicy
exclusions
nonExecMountPolicy
unmonitoredFilesystems
threatTypeSettings
cloudService
diagnosticLevel
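An added example (not from the original page or from Microsoft): a Python lint that checks a profile before it is copied to the managed folder, so a typo or a weakened setting is caught before it reaches every server. The allowed values are the ones Microsoft documents for these keys; the name lint_profile, the warning rules and the trimmed SAMPLE are assumptions made for illustration.

```python
import json
# Values Microsoft documents for keys used in the page's sample profile.
ALLOWED = {
    ("antivirusEngine", "enforcementLevel"): {"real_time", "on_demand", "passive"},
    ("antivirusEngine", "exclusionsMergePolicy"): {"merge", "admin_only"},
    ("antivirusEngine", "threatTypeSettingsMergePolicy"): {"merge", "admin_only"},
    ("antivirusEngine", "nonExecMountPolicy"): {"unmute", "mute"},
    ("cloudService", "diagnosticLevel"): {"optional", "required"},
    ("cloudService", "automaticSampleSubmissionConsent"): {"none", "safe", "all"},
}
THREAT_ACTIONS = {"audit", "block", "off"}

# Constructed sample: a trimmed copy of the profile shown on this page.
SAMPLE = """{"antivirusEngine": {"enforcementLevel": "real_time",
  "exclusionsMergePolicy": "merge", "threatTypeSettings": [
    {"key": "potentially_unwanted_application", "value": "audit"},
    {"key": "archive_bomb", "value": "audit"}]},
 "cloudService": {"enabled": true, "diagnosticLevel": "required"}}"""

def lint_profile(text):
    """Return (errors, warnings) for the text of an mdatp_managed.json file."""
    try:
        profile = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"], []
    if not isinstance(profile, dict):
        return ["top level must be a JSON object"], []
    errors, warnings = [], []
    for (section, key), allowed in ALLOWED.items():
        value = profile.get(section, {}).get(key)
        if value is not None and value not in allowed:
            errors.append(f"{section}.{key}: unknown value {value!r}")
    av = profile.get("antivirusEngine", {})
    if av.get("enforcementLevel") in ("on_demand", "passive"):
        warnings.append("enforcementLevel: real-time protection is off")
    if av.get("exclusionsMergePolicy") == "merge":
        warnings.append("exclusionsMergePolicy: locally defined exclusions still apply")
    for item in av.get("threatTypeSettings", []):
        if item.get("value") not in THREAT_ACTIONS:
            errors.append(f"threatTypeSettings.{item.get('key')}: unknown value")
        elif item["value"] != "block":
            warnings.append(f"threatTypeSettings.{item['key']}: {item['value']}, not block")
    if profile.get("cloudService", {}).get("enabled") is False:
        warnings.append("cloudService.enabled: cloud-delivered protection is off")
    return errors, warnings

if __name__ == "__main__":
    print(lint_profile(SAMPLE))
```

Errors mean the profile should not be deployed; warnings are settings to confirm as intentional, such as the audit-only threat types in the sample above.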
End Section 1 - Configuration Profile
2. Applying the Configuration Profile
2.1 User Activity
Configuration: Before
View your current configuration before applying the configuration profile
mdatp health
2.1 Background Activity
Sample Output
2.2 User Activity
Configuration: Apply
Copy the configuration profile to the Linux server's managed folder.
Change directory to /etc/opt/microsoft/mdatp/managed
cd /etc/opt/microsoft/mdatp/managed
Use the `cat` command to view the contents of the mdatp_managed.json file
cat mdatp_managed.json
2.2 Background Activity
Sample Output
Sample mdatp_managed.json configuration profile saved in /etc/opt/microsoft/mdatp/managed
Sample output from the mdatp_managed.json configuration file.
2.3 User Activity
Configuration: After
View your new configurations after applying the configuration profile
mdatp health
2.3 Background Activity
Sample Output
Immediately after applying the configuration profile, the MDE agent will begin to apply the new settings. This may take a few minutes to complete.
Settings that have been configured using the mdatp_managed.json file will be marked with [managed].
End Section 2 - Applying the Configuration Profile