Microsoft Defender ATP Gets macOS Investigation Support

The endpoint detection and response (EDR) feature in Microsoft Defender Advanced Threat Protection (ATP) has reached the "general availability" stage for macOS devices, Microsoft announced on Wednesday.

General availability signifies that this EDR feature is deemed ready for use in production environments. The turnaround was quick, as the feature was still at the preview stage last month. Microsoft had announced back in March that it was changing the name of "Windows Defender ATP" to "Microsoft Defender ATP," largely because macOS client support was added.

The EDR feature of Microsoft Defender ATP, per Microsoft's description, collects and stores "telemetry" data from devices for six months, which can be used by investigators to detect security incidents in post-breach analyses. The data collected may include things like "process information, network activities, deep optics into the kernel and memory manager, user login activities, registry and file system changes, and others," according to Microsoft.

Using the EDR feature with macOS devices brings the "same familiar investigation experience" that investigators already have with Windows devices, the announcement promised. Microsoft supplies a machine timeline capability with the EDR feature that shows security events in chronological order and lets investigators drill down into the information.

There's also an advanced hunting tool that lets investigators run queries written in the Kusto Query Language (KQL), which offers access to "30 days of raw data." The advanced hunting tool's custom detection rules can also be used to actively monitor events and system states.

New capabilities get added over time to the Microsoft Defender ATP solution, which requires Microsoft 365 E5 or Microsoft 365 E5 Security subscriptions to use. This current release has been "optimized for code compilation (to support developers) and for large software deployments and updates (to support the majority of macOS customers)," the announcement explained.

The new EDR feature for macOS devices will simply show up for existing Microsoft Defender ATP users. It's available via "the onboarding section in Microsoft Defender Security Center," according to the announcement. There's also a free trial available.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

