Schedule scans with Microsoft Defender for Endpoint (Linux)
Applies to:
- Microsoft Defender for Endpoint Server
- Microsoft Defender for Servers
To run a scan for Linux, see Supported Commands.
For Linux (and Unix), you can use a tool called crontab (similar to Task Scheduler in Windows) to run scheduled tasks.
Prerequisite
Note
To get a list of all the time zones, run the following command:
timedatectl list-timezones
Examples for timezones:
America/Los_Angeles
America/New_York
America/Chicago
America/Denver
To set the Cron job
Use the following commands:
Backup crontab entries
sudo crontab -l > /var/tmp/cron_backup_200919.dat
Note
Where 200919 is the date in YYMMDD format.
Tip
Do this before you edit or remove.
To edit the crontab, and add a new job as a root user:
sudo crontab -e
Note
The default editor is VIM.
You might see:
0 * * * * /etc/opt/microsoft/mdatp/logrorate.sh
Press "Insert"
Add the following entries:
CRON_TZ=America/Los_Angeles
0 2 * * sat /bin/mdatp scan quick > ~/mdatp_cron_job.log
Note
In this example, the job is set to minute 00, hour 2 (2 a.m. in 24-hour format), any day of the month, any month, on Saturdays. It therefore runs on Saturdays at 2:00 a.m. Pacific (UTC -8).
Press "Esc"
Type ":wq" without the double quotes.
Note
w == write, q == quit
To view your cron jobs, type sudo crontab -l
To inspect cron job runs
sudo grep mdatp /var/log/cron
To inspect the mdatp_cron_job.log
sudo nano mdatp_cron_job.log
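The backup and edit steps above can also be done non-interactively. The following script is an added example, not part of the original article or of Microsoft's tooling: it backs up the current crontab and appends the two entries shown above only if the scan job is not already present. The function names are hypothetical, and it assumes a crontab implementation that accepts "crontab -" to read the new table from standard input.

```shell
#!/bin/sh
# Added example: scripted equivalent of the backup + "crontab -e" steps.
# The two entries are the ones from this article; function names are hypothetical.

MDATP_TZ_LINE='CRON_TZ=America/Los_Angeles'
MDATP_JOB_LINE='0 2 * * sat /bin/mdatp scan quick > ~/mdatp_cron_job.log'

# Read an existing crontab on stdin and write the merged crontab on stdout.
# Existing lines are passed through unchanged; the two entries are appended
# only when the exact job line is missing, so re-running changes nothing.
merge_mdatp_job() {
    awk -v tz="$MDATP_TZ_LINE" -v job="$MDATP_JOB_LINE" '
        { print }
        $0 == job { found = 1 }
        END { if (!found) { print tz; print job } }
    '
}

# Back up the invoking user's crontab (root when run with sudo), then install
# the merged table. An empty backup file means no crontab existed yet.
install_mdatp_job() {
    backup="/var/tmp/cron_backup_$(date +%y%m%d).dat"
    # umask 077 keeps the backup readable by its owner only.
    ( umask 077; crontab -l > "$backup" 2>/dev/null || true )
    merge_mdatp_job < "$backup" | crontab -
}

# Nothing is changed unless the script is called with --install.
if [ "${1:-}" = "--install" ]; then
    install_mdatp_job
fi
```

Run it as root with the --install argument, then confirm the result with sudo crontab -l.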
If you're using Ansible, Chef, Puppet, or SaltStack
Use the following commands:
To set cron jobs in Ansible
cron - Manage cron.d and crontab entries
For more information, see Ansible documentation.
To set crontabs in Chef
cron resource
For more information, see Chef documentation.
To set cron jobs in Puppet
Resource Type: cron
See https://puppet.com/docs/puppet/5.5/types/cron.html for more information.
Automating with Puppet: Cron jobs and scheduled tasks
For more information, see Puppet documentation about jobs and scheduled tasks.
To manage cron jobs in SaltStack
Resource Type: salt.states.cron
Example:
mdatp scan quick > /tmp/mdatp_scan_log.log:
  cron.present:
    - special: '@hourly'
For more information, see the Salt.States.Cron documentation.
Additional information
To get help with crontab
man crontab
To list the crontab file of the current user
crontab -l
To list the crontab file of another user
crontab -u username -l
To back up crontab entries
crontab -l > /var/tmp/cron_backup.dat
Tip
Do this before you edit or remove.
To restore crontab entries
crontab /var/tmp/cron_backup.dat
To edit the crontab and add a new job as a root user
sudo crontab -e
To edit the crontab and add a new job
crontab -e
To edit another user's crontab entries
crontab -u username -e
To remove all crontab entries
crontab -r
To remove another user's crontab entries
crontab -u username -r
Explanation
+---------------- minute (values: 0 - 59) (special characters: , - * /)
| +------------- hour (values: 0 - 23) (special characters: , - * /)
| | +---------- day of month (values: 1 - 31) (special characters: , - * / L W C)
| | | +------- month (values: 1 - 12) (special characters: , - * /)
| | | | +---- day of week (values: 0 - 6) (Sunday=0 or 7) (special characters: , - * / L W C)
| | | | |
* * * * * command to be executed