To run a scan for Linux, see Supported commands.
For Linux (and Unix), you can use a tool called crontab (similar to Task Scheduler in Windows) to run scheduled tasks.
Prerequisite
Note
To get a list of all the time zones, run the following command:
timedatectl list-timezones
Examples for time zones:
America/Los_Angeles
America/New_York
America/Chicago
America/Denver
Set the Cron job
To set the cron job, use the commands in this article.
Backup crontab entries
Tip
Do this step before you edit or remove entries.
sudo crontab -l > /var/tmp/cron_backup_200919.dat
Where 200919 = YYMMDD
To edit the crontab and add a new job as a root user:
sudo crontab -e
Note
The default editor is VIM.
You might see:
0 * * * * /etc/opt/microsoft/mdatp/logrorate.sh
Press Insert, and then add the following entries:
CRON_TZ=America/Los_Angeles
0 2 * * sat /usr/bin/mdatp scan quick > ~/mdatp_cron_job.log
Note
In this example, we have set it to 00 minutes, 2 a.m. (hour in 24-hour format), any day of the month, any month, on Saturdays. This setting means the job runs Saturdays at 2:00 a.m. Pacific (UTC -8).
Press Esc, and then type ":wq" without the double quotes.
Note
w == write, q == quit
To view your cron jobs, type sudo crontab -l
To inspect cron job runs
sudo grep mdatp /var/log/cron
To inspect the mdatp_cron_job.log
sudo nano mdatp_cron_job.log
Verify scan execution
Linux doesn't provide a direct way to confirm that a scheduled scan ran.
Scheduled scans configured through crontab don't surface a status field or dedicated confirmation in Microsoft Defender for Endpoint on Linux.
To verify that a scan ran, run the following command:
mdatp scan list
mdatp scan list returns a history of the last 7 scans performed on the device by Microsoft Defender for Endpoint. For each scan entry, you can see:
- Scan Type - Quick or Full
- Scan Start Time - For example, Jan 05 2023 at 03:18:39 PM
- Scan State - For example, Succeeded, Failed, or Cancelled
Use this command to verify that scheduled scans ran at the expected date, time, and frequency.
The output only covers the last seven scans. If you need to check whether both quick and full scans are running regularly, monitor it over time or script around it.
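One way to script around that seven-entry history, as an added example that is not part of the original article or of Microsoft's tooling. It assumes mdatp scan list prints each scan as "Label: value" lines using the field names listed above; the function names and the sample output are constructed for illustration.

```shell
# Constructed sample of `mdatp scan list` output. ASSUMPTION: one "Label: value"
# line per field, using the field names listed on this page.
sample_scan_list() {
cat <<'EOF'
Scan Type: Quick
Scan Start Time: Dec 29 2022 at 02:00:04 AM
Scan State: Succeeded
Scan Type: Full
Scan Start Time: Jan 01 2023 at 03:00:10 AM
Scan State: Failed
Scan Type: Quick
Scan Start Time: Jan 05 2023 at 03:18:39 PM
Scan State: Succeeded
EOF
}
# last_ok_age TYPE TODAY(YYYY-MM-DD): reads scan-list text on stdin, prints the
# age in days of the newest Succeeded scan of TYPE, exits 1 if there is none.
last_ok_age() {
  awk -v want="$1" -v today="$2" '
    function days(y, m, d) {             # Gregorian day number, used for differences
      if (m <= 2) { y--; m += 12 }
      return 365*y + int(y/4) - int(y/100) + int(y/400) + int((153*(m-3)+2)/5) + d
    }
    function rec_done(   p, i, n) {      # evaluate one complete scan record
      i = index("JanFebMarAprMayJunJulAugSepOctNovDec", substr(start, 1, 3))
      split(start, p, /[ ,]+/)
      if (i % 3 == 1 && tolower(type) == tolower(want) && tolower(state) == "succeeded") {
        n = days(p[3], (i + 2) / 3, p[2] + 0)
        if (n > best) best = n
      }
      type = start = state = ""
    }
    {
      c = index($0, ":"); if (!c) next   # split at the first colon only
      k = tolower(substr($0, 1, c - 1)); v = substr($0, c + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k ~ /type/) type = v
      else if (k ~ /start/) start = v
      else if (k ~ /state/) state = v
      if (type != "" && start != "" && state != "") rec_done()
    }
    END { if (!best) exit 1
          split(today, t, "-"); print days(t[1], t[2] + 0, t[3] + 0) - best }'
}
# scan_is_fresh TYPE MAX_DAYS TODAY: succeeds only if that scan is recent enough.
scan_is_fresh() {
  age=$(last_ok_age "$1" "$3") || return 1
  [ "$age" -le "$2" ]
}
```

On a real device, pipe mdatp scan list into scan_is_fresh with today's date (for example from date +%Y-%m-%d) and alert when it returns non-zero. A Failed or missing scan of the requested type counts as stale.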
You can also verify the scan ran by:
Running on-demand scans:
Quick scan
mdatp scan quick
Full scan
mdatp scan full
Scan a specific path
mdatp scan custom --path /home/user/downloads
Checking scan results
List all detected threats.
mdatp threat list
Get details on a specific threat.
mdatp threat get --id [threat-id]
If you're using Ansible, Chef, Puppet, or SaltStack
Use the following commands:
To set cron jobs in Ansible
cron - Manage cron.d and crontab entries
For more information, see Ansible documentation.
To set crontabs in Chef
cron resource
For more information, see Chef documentation.
To set cron jobs in Puppet
Resource Type: cron
For more information, see Puppet documentation: Resource Type: cron.
Automating with Puppet: Cron jobs and scheduled tasks
For more information, see Puppet documentation about jobs and scheduled tasks.
To manage cron jobs in SaltStack
Resource Type: salt.states.cron
Example:
mdatp scan quick > /tmp/mdatp_scan_log.log:
  cron.present:
    - special: '@hourly'
For more information, see the Salt.States.Cron documentation.
Additional information
To get help with crontab
man crontab
To get a list of crontab files for the current user
crontab -l
To get a list of crontab files for another user
crontab -u username -l
To back up crontab entries
Tip
Do this step before you edit or remove entries.
crontab -l > /var/tmp/cron_backup.dat
To restore crontab entries
crontab /var/tmp/cron_backup.dat
To edit the crontab and add a new job as a root user
sudo crontab -e
To edit the crontab and add a new job
crontab -e
To edit other user's crontab entries
crontab -u username -e
To remove all crontab entries
crontab -r
To remove other user's crontab entries
crontab -u username -r
Explanation
+---------------- minute (values: 0 - 59) (special characters: , - * /)
| +------------- hour (values: 0 - 23) (special characters: , - * /)
| | +---------- day of month (values: 1 - 31) (special characters: , - * / L W C)
| | | +------- month (values: 1 - 12) (special characters: , - * /)
| | | | +---- day of week (values: 0 - 6) (Sunday=0 or 7) (special characters: , - * / L W C)
| | | | |
* * * * * command to be executed