MacOS Investigation Support Added to Microsoft Defender ATP
Microsoft on Wednesday announced the "general availability" of the endpoint and detection response (EDR) feature in its Microsoft Defender Advanced Threat Protection (ATP) product for macOS.
The EDR feature underwent a quick turnaround as it was at the preview stage last month. Microsoft had announced back in March that it was changing the name of "Windows Defender ATP" to "Microsoft Defender ATP" largely because macOS client support was added.
The EDR feature of Microsoft Defender ATP, per Microsoft's description, collects and stores "telemetry" data from devices for six months, which can be used by investigators to detect security incidents in post-breach analyses. The data collected may include things like "process information, network activities, deep optics into the kernel and memory manager, user login activities, registry and file system changes, and others," according to Microsoft.
The use of the EDR feature with macOS devices brings the "same familiar investigation experience" that's had with Windows devices, the announcement promised. Microsoft supplies a machine timeline capability with the EDR feature that shows security events in chronological order and lets investigators drill down into the information.
There's also an advanced hunting tool for investigators that lets them launch queries using the Kusto query language, which offers access to "30 days of raw data." It's possible to actively monitor events and system states, as well, using the advanced hunting tool's custom detection rules.
New capabilities get added over time to the Microsoft Defender ATP solution, which requires Microsoft 365 E5 or Microsoft 365 E5 Security subscriptions to use. This current release has been "optimized for code compilation (to support developers) and for large software deployments and updates (to support the majority of macOS customers)," the announcement explained.
The new EDR feature for macOS devices will just show up for Microsoft Defender ATP users. It's available via the "the onboarding section in Microsoft Defender Security Center," according to the announcement. There's also a free trial available.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.