Merge pull request #2812 from MicrosoftDocs/mde-linux-exclusions

Mde linux exclusions

Author: Ruchika-mittal01

defender-endpoint/linux-exclusions.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 01/31/2025
+ms.date: 02/18/2025
 ---
 
 # Configure and validate exclusions for Microsoft Defender for Endpoint on Linux
@@ -52,7 +52,7 @@ Antivirus exclusions can be used to exclude trusted files and processes from rea
 
 | Exclusion Category | Exclusion Scope | Description |
 | --- | --- | --- |
-| Antivirus Exclusion  | Antivirus engine <br/>*(scope: epp)*  | Excludes content from antivirus (AV) scans and on-demand scans.| 
+| Antivirus Exclusion  | Antivirus engine <br/>*(scope: epp)*  | Excludes content from antivirus scans and on-demand scans.| 
 | Global Exclusion  | Antivirus and endpoint detections and response engine <br/>*(scope: global)*  | Excludes events from real time protection and EDR visibility. Doesn't apply to on-demand scans by default. |
 
 > [!IMPORTANT]
@@ -63,12 +63,12 @@ Antivirus exclusions can be used to exclude trusted files and processes from rea
 
 The following table shows the exclusion types supported by Defender for Endpoint on Linux.
 
-Exclusion|Definition|Examples
----|---|---
-File extension|All files with the extension, anywhere on the device (not available for global exclusions) |`.test`
-File|A specific file identified by the full path|`/var/log/test.log`<br/>`/var/log/*.log`<br/>`/var/log/install.?.log`
-Folder|All files under the specified folder (recursively)|`/var/log/`<br/>`/var/*/`
-Process|A specific process (specified either by the full path or file name) and all files opened by it|`/bin/cat`<br/>`cat`<br/>`c?t`
+|Exclusion|Definition|Examples|
+|---|---|---|
+|File extension|All files with the extension, anywhere on the device (not available for global exclusions) |`.test` |
+|File|A specific file identified by the full path|`/var/log/test.log`<br/>`/var/log/*.log`<br/>`/var/log/install.?.log` |
+| Folder|All files under the specified folder (recursively)|`/var/log/`<br/>`/var/*/` |
+| Process|A specific process (specified either by the full path or file name) and all files opened by it|`/bin/cat`<br/>`cat`<br/>`c?t` |
 
 > [!IMPORTANT]
 > The paths used must be hard links, not symbolic links, in order to be successfully excluded. You can check if a path is a symbolic link by running `file <path-name>`.
@@ -89,6 +89,8 @@ Wildcard|Description|Examples|
 
 ## How to configure the list of exclusions
 
+You can configure exclusions using a management console, Defender for Endpoint security settings management, or the command line.
+
 ### Using the management console
 
 To configure exclusions from Puppet, Ansible, or another management console, please refer to the following sample `mdatp_managed.json`.
@@ -140,6 +142,43 @@ To configure exclusions from Puppet, Ansible, or another management console, ple
 
 For more information, see [Set preferences for Defender for Endpoint on Linux](linux-preferences.md).
 
+### Using Defender for Endpoint security settings management
+
+As a security administrator, you can configure Defender for Endpoint exclusions using the Microsoft Defender portal. This method is referred to as Defender for Endpoint security settings management. If you're using this method for the first time, make sure to complete the following procedures:
+
+#### 1. Configure your tenant to support security settings management
+
+1. In the [Microsoft Defender portal](https://security.microsoft.com), navigate to **Settings** > **Endpoints** > **Configuration Management** > **Enforcement Scope**, and then select the Linux platform. 
+
+2. Tag devices with the `MDE-Management` tag. Most devices enroll and receive the policy within minutes, although some might take up to 24 hours. For more information, see [Learn how to use Intune endpoint security policies to manage Microsoft Defender for Endpoint on devices that are not enrolled with Intune](/mem/intune/protect/mde-security-integration).
+
+#### 2. Create a Microsoft Entra group
+
+Create a dynamic Microsoft Entra group that uses the operating system type to ensure that all devices onboarded to Defender for Endpoint receive policies. Using a dynamic group allows devices managed by Defender for Endpoint to be automatically added to the group, eliminating the need for admins to create new policies manually. For more information, see the following articles:
+
+- [Create Microsoft Entra Groups](/mem/intune/protect/mde-security-integration#create-microsoft-entra-groups) 
+- [Microsoft Entra groups overview](/entra/fundamentals/concept-learn-about-groups)
+
+#### 3. Create an endpoint security policy 
+
+1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Endpoints** > **Configuration management** > **Endpoint security policies**, and then select **Create new Policy**. 
+
+2. For Platform, select **Linux**.
+
+3. Select the required exclusion template (**Microsoft defender global exclusion (AV+EDR) for global exclusions and Microsoft defender antivirus exclusions for antivirus exclusions**), and then select **Create policy**.
+
+4. On the **Basics** page, enter a name and description for the profile, then choose **Next**.
+
+5. On the **Settings** page, expand each group of settings, and configure the settings you want to manage with this profile.
+
+6. When you're done configuring settings, select **Next**.
+
+7. On the **Assignments** page, select the groups that will receive this profile. Then select **Next**.
+
+8. On the **Review + create** page, when you're done, select **Save**. The new profile is displayed in the list when you select the policy type for the profile you created.
+
+For more information refer: [Manage endpoint security policies in Microsoft Defender for Endpoint](/defender-endpoint/manage-security-policies#create-an-endpoint-security-policy).
+
 ### Using the command line
 
 Run the following command to see the available switches for managing exclusions:
@@ -157,7 +196,7 @@ mdatp exclusion
 
 Examples:
 
-- Add an exclusion for a file extension *(Extension exclusion isn't supported for global exclusion scope)* :
+- Add an exclusion for a file extension *(Extension exclusion isn't supported for global exclusion scope)*:
 
     ```bash
     mdatp exclusion extension add --name .txt