Microsoft Defender ATP Gets macOS Investigation Support

The endpoint detection and response (EDR) feature in Microsoft Defender Advanced Threat Protection (ATP) has reached the "general availability" stage for macOS devices, Microsoft announced on Wednesday.

General availability signifies that this EDR feature is deemed ready for use in production environments. The feature underwent a quick turnaround as it was at the preview stage last month. Microsoft had announced back in March that it was changing the name of "Windows Defender ATP" to "Microsoft Defender ATP" largely because macOS client support was added.

The EDR feature of Microsoft Defender ATP, per Microsoft's description, collects and stores "telemetry" data from devices for six months, which can be used by investigators to detect security incidents in post-breach analyses. The data collected may include things like "process information, network activities, deep optics into the kernel and memory manager, user login activities, registry and file system changes, and others," according to Microsoft.

The use of the EDR feature with macOS devices brings the "same familiar investigation experience" that Windows devices already have, the announcement promised. Microsoft supplies a machine timeline capability with the EDR feature that shows security events in chronological order and lets investigators drill down into the information.

There's also an advanced hunting tool for investigators that lets them launch queries using the Kusto query language, which offers access to "30 days of raw data." It's possible to actively monitor events and system states, as well, using the advanced hunting tool's custom detection rules.
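As an added illustration of the advanced hunting tool mentioned above (not a query from the announcement), the following Kusto query reviews macOS process telemetry for shells or script interpreters spawned by document and browser applications; the table and column names are assumptions about the advanced hunting schema and are not quoted on the page.

```kql
// Added example, not from the announcement. Assumes the DeviceInfo and
// DeviceProcessEvents tables with the columns used below.
let lookback = 30d;   // matches the "30 days of raw data" the tool exposes
// Restrict the search to macOS devices reported in the lookback window.
let macDevices = DeviceInfo
    | where Timestamp > ago(lookback) and OSPlatform == "macOS"
    | summarize by DeviceId;
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where DeviceId in (macDevices)
// Shells and interpreters launched directly by document or browser apps
// are unusual on an end-user Mac and are worth an analyst's review.
| where FileName in~ ("bash", "sh", "zsh", "osascript", "python", "python3")
| where InitiatingProcessFileName has_any ("Microsoft Word", "Microsoft Excel",
                                           "Microsoft PowerPoint", "Preview", "Safari")
// Timestamp, DeviceId and ReportId are kept so the same query can be saved
// as a custom detection rule, which needs those columns in its output.
| project Timestamp, DeviceId, DeviceName, ReportId,
          InitiatingProcessFileName, FileName, ProcessCommandLine
| order by Timestamp desc
```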

New capabilities get added over time to the Microsoft Defender ATP solution, which requires Microsoft 365 E5 or Microsoft 365 E5 Security subscriptions to use. This current release has been "optimized for code compilation (to support developers) and for large software deployments and updates (to support the majority of macOS customers)," the announcement explained.

The new EDR feature for macOS devices will just show up for Microsoft Defender ATP users. It's available via "the onboarding section in Microsoft Defender Security Center," according to the announcement. There's also a free trial available.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
