Microsoft Defender ATP Gets macOS Investigation Support

The endpoint detection and response (EDR) feature in Microsoft Defender Advanced Threat Protection (ATP) has reached the "general availability" stage for macOS devices, Microsoft announced on Wednesday.

General availability signifies that this EDR feature is deemed ready for use in production environments. The feature underwent a quick turnaround as it was at the preview stage last month. Microsoft had announced back in March that it was changing the name of "Windows Defender ATP" to "Microsoft Defender ATP" largely because macOS client support was added.

The EDR feature of Microsoft Defender ATP, per Microsoft's description, collects and stores "telemetry" data from devices for six months, which can be used by investigators to detect security incidents in post-breach analyses. The data collected may include things like "process information, network activities, deep optics into the kernel and memory manager, user login activities, registry and file system changes, and others," according to Microsoft.

Using the EDR feature with macOS devices brings the "same familiar investigation experience" that Windows devices already have, the announcement promised. Microsoft supplies a machine timeline capability with the EDR feature that shows security events in chronological order and lets investigators drill down into the information.

There's also an advanced hunting tool for investigators that lets them launch queries using the Kusto query language, which offers access to "30 days of raw data." It's possible to actively monitor events and system states, as well, using the advanced hunting tool's custom detection rules.
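To make the advanced hunting description concrete, here is an added example of a Kusto query of the kind an investigator would run against the 30 days of raw data, written from a detection standpoint: it looks for shell or scripting interpreters launched by document-handling applications on macOS devices. This is not code from the article or from Microsoft; the table and column names (DeviceInfo, OSPlatform, DeviceProcessEvents, InitiatingProcessFileName, ProcessCommandLine, ReportId) are assumed from the Defender ATP advanced hunting schema and the application names in the filter are illustrative, so adjust them to your tenant before use.

```kql
// Added example, not from the article or from Microsoft's documentation.
// Assumes the Defender ATP advanced hunting schema: DeviceInfo exposes
// OSPlatform, and DeviceProcessEvents records process creation events.
// Step 1: collect the device IDs of macOS endpoints seen in the last 30 days.
let macDevices =
    DeviceInfo
    | where Timestamp > ago(30d)
    | where OSPlatform == "macOS"
    | distinct DeviceId;
// Step 2: find interpreters started by document-handling apps on those devices.
DeviceProcessEvents
| where Timestamp > ago(30d)
| where DeviceId in (macDevices)
| where FileName in~ ("sh", "bash", "zsh", "osascript", "python", "curl")
| where InitiatingProcessFileName has_any ("Microsoft Word", "Microsoft Excel",
                                           "Microsoft PowerPoint", "Preview")
// Timestamp, DeviceId and ReportId are kept so the result can be saved as a
// custom detection rule that links each alert back to the originating event
// (assumed requirement of the custom detection feature, not stated on the page).
| project Timestamp, DeviceId, ReportId, DeviceName, AccountName,
          InitiatingProcessFileName, FileName, ProcessCommandLine
| order by Timestamp desc
```

Run the query once in the advanced hunting console to check the hit rate in your environment, tune the interpreter and parent-application lists until benign developer activity stops matching, and only then save it as a custom detection rule so that it fires alerts on future events rather than just returning historical rows.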

New capabilities get added over time to the Microsoft Defender ATP solution, which requires Microsoft 365 E5 or Microsoft 365 E5 Security subscriptions to use. This current release has been "optimized for code compilation (to support developers) and for large software deployments and updates (to support the majority of macOS customers)," the announcement explained.

The new EDR feature for macOS devices will just show up for Microsoft Defender ATP users. It's available via "the onboarding section in Microsoft Defender Security Center," according to the announcement. There's also a free trial available.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.
