The Linux Agent Age Report detects potential use of outdated or unsupported agent versions that may lack critical security patches. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify systems potentially vulnerable to known exploits due to outdated software.
KQL Query
let LinuxAgentVersions =
externaldata (data:string)["https://packages.microsoft.com/rhel/8/prod/"]
| parse kind=regex data with @'.*">' Filename:string '</a>' Timestamp:datetime " " Size:int
| where Filename startswith "mdatp_"
| parse Filename with "mdatp_" Version:string ".x86_64.rpm"
| extend SoftwareVersion = strcat(Version, ".0")
// The below line should NOT be considered a statement of support, but rather a rough estimate. Uncomment to use.
//| extend IsSupported = Timestamp > ago(270d), RemainingSupportInDays = 270 - datetime_diff('day', now(), Timestamp)
| project-away data;
DeviceTvmSoftwareInventory
| where SoftwareName == "defender_for_linux"
| project DeviceId, DeviceName, SoftwareVersion
| lookup kind=leftouter (LinuxAgentVersions) on $left.SoftwareVersion == $right.SoftwareVersion
id: 392533b7-a31a-488e-a553-5223811092de
name: Linux Agent Age Report
description: |
  This query uses the public MDE GitHub repo as a source to estimate the time that an agent build remains supported
  based on the time it was uploaded. Please note that the timestamps used in this query are meant to estimate the
  support period and will likely not represent the actual expiration of the package, which will be based on the build.
  If you would like an estimate of support, uncomment the extend statement to get an idea of what is / is not
  supported and an idea of how long support will remain for current agents.
  This query currently only supports GA builds, not preview builds.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceTvmSoftwareInventory
query: |
  let LinuxAgentVersions =
  externaldata (data:string)["https://packages.microsoft.com/rhel/8/prod/"]
  | parse kind=regex data with @'.*">' Filename:string '</a>' Timestamp:datetime " " Size:int
  | where Filename startswith "mdatp_"
  | parse Filename with "mdatp_" Version:string ".x86_64.rpm"
  | extend SoftwareVersion = strcat(Version, ".0")
  // The below line should NOT be considered a statement of support, but rather a rough estimate. Uncomment to use.
  //| extend IsSupported = Timestamp > ago(270d), RemainingSupportInDays = 270 - datetime_diff('day', now(), Timestamp)
  | project-away data;
  DeviceTvmSoftwareInventory
  | where SoftwareName == "defender_for_linux"
  | project DeviceId, DeviceName, SoftwareVersion
  | lookup kind=leftouter (LinuxAgentVersions) on $left.SoftwareVersion == $right.SoftwareVersion
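To make the query's logic testable offline, the following Python reproduces what the KQL does: the regex parse of the package directory listing, the "mdatp_" filename split with ".0" appended, the optional 270-day support estimate, and the left-outer lookup against the software inventory. This is an added example, not part of the original hunting query; the directory listing, the inventory rows and the reference date are constructed sample data, and the 270-day window is the same rough estimate the query's comment describes.

```python
import re
from datetime import datetime, timezone

# Constructed sample of an Apache-style index like the one externaldata reads:
# <a href="file">file</a> date time size
SAMPLE_LISTING = """
<a href="mdatp_101.23052.0009.x86_64.rpm">mdatp_101.23052.0009.x86_64.rpm</a> 2023-06-01 10:00 120000000
<a href="mdatp_101.24012.0001.x86_64.rpm">mdatp_101.24012.0001.x86_64.rpm</a> 2024-02-15 09:30 125000000
<a href="other-package-1.0.x86_64.rpm">other-package-1.0.x86_64.rpm</a> 2024-01-01 00:00 500
"""
# Constructed DeviceTvmSoftwareInventory rows: (DeviceId, DeviceName, SoftwareVersion)
SAMPLE_INVENTORY = [
    ("dev-001", "web01", "101.23052.0009.0"),
    ("dev-002", "db01", "101.24012.0001.0"),
    ("dev-003", "build01", "101.24999.0000.0"),  # not in the listing (e.g. a preview build)
]
# Same shape as the KQL regex parse: anything up to '">', Filename, '</a>', Timestamp, Size
ROW_RE = re.compile(r'.*">(?P<Filename>[^<]+)</a>\s+(?P<Timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<Size>\d+)')
SUPPORT_WINDOW_DAYS = 270  # rough estimate only, as the query comment states; not a support statement


def parse_listing(listing):
    """Return {SoftwareVersion: upload timestamp} for mdatp_* rows, mirroring the LinuxAgentVersions let-block."""
    versions = {}
    for line in listing.splitlines():
        m = ROW_RE.match(line)
        if not m or not m.group("Filename").startswith("mdatp_"):
            continue
        # parse Filename with "mdatp_" Version:string ".x86_64.rpm", then strcat(Version, ".0")
        version = m.group("Filename")[len("mdatp_"):-len(".x86_64.rpm")]
        ts = datetime.strptime(m.group("Timestamp"), "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
        versions[version + ".0"] = ts
    return versions


def agent_age_report(inventory, versions, now):
    """Left-outer lookup of inventory rows against the listing; unmatched versions keep null fields."""
    rows = []
    for device_id, device_name, sw_version in inventory:
        ts = versions.get(sw_version)
        # 270 - datetime_diff('day', now(), Timestamp); whole days, so it approximates KQL's day boundaries
        remaining = None if ts is None else SUPPORT_WINDOW_DAYS - (now - ts).days
        rows.append({"DeviceId": device_id, "DeviceName": device_name, "SoftwareVersion": sw_version,
                     "Timestamp": ts, "IsSupported": None if ts is None else remaining > 0,
                     "RemainingSupportInDays": remaining})
    return rows


def run_report(now=datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)):
    """Run the whole pipeline on the constructed sample with a fixed reference date."""
    return agent_age_report(SAMPLE_INVENTORY, parse_listing(SAMPLE_LISTING), now)
```

Rows whose Timestamp is None are the ones the KQL leftouter lookup leaves unmatched; they deserve a closer look rather than being dropped, since an unknown build can be either a preview build or something that is not a genuine package.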
Scenario: System update or patching using yum or apt
Filter/Exclusion: Exclude events where the agent update is part of a known system maintenance window or scheduled update task (e.g., yum update or apt upgrade executed via a cron job or Ansible playbook).
Scenario: Regular agent configuration refresh via a centralized management tool (e.g., Puppet, Chef, or Ansible)
Filter/Exclusion: Exclude events where the agent update is initiated by a configuration management tool (e.g., ansible-playbook or puppet agent --test).
Scenario: Agent version check or health check performed by a monitoring tool (e.g., Nagios, Zabbix, or Datadog)
Filter/Exclusion: Exclude events where the agent is being queried for its version or health status (e.g., zabbix_agentd or datadog-agent check commands).
Scenario: Scheduled backup or log rotation task (e.g., logrotate or rsync)
Filter/Exclusion: Exclude events where the agent is being interacted with as part of a backup or log rotation process (e.g., logrotate or rsync commands executed by a cron job).
Scenario: Agent reinstallation or migration during a system reconfiguration
Filter/Exclusion: Exclude events where the agent is being reinstalled or moved as part of a system reconfiguration (e.g., rpm -e or dpkg --remove followed by a new installation).