EDR capabilities for macOS have now arrived

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

Banner.png

 

We are excited to announce that Microsoft Defender Advanced Threat Protection (ATP) endpoint and detection response (EDR) capabilities for macOS devices are now generally available. We are extending Microsoft Defender ATP capabilities into non-Windows platforms in line with our commitment to build security solutions not just for Microsoft, but also from Microsoft. Customers can expect the same familiar investigation experience, the same solid backend, and the same consistent progression of features coupled with excellent performance that have historically been Microsoft Defender ATP’s signature.

 

Microsoft Defender ATP for Mac was designed and is continuously enhanced in collaboration with our customers. Getting customer feedback in our development process is critical to ensuring we create products our customers love. Our design partners, who influence our priorities, asked for competitive detection coverage with a unified investigation experience under strict performance requirements. With that in mind, the Microsoft Defender ATP team is now delivering core EDR functionality for macOS.

 

Detections with context

 

Earlier this year, we announced the availability of Microsoft Defender ATP for Mac with preventive antivirus capabilities. With Microsoft Defender ATP for Mac, customers can better protect macOS endpoints, get these machines onboarded in the same portal as their Windows devices, and expand the single pane of glass experience to include macOS-related alerts. With the newly enabled EDR support, customers can get detections with even richer context. The machine timeline below demonstrates this capability.

 

timeline.png

 

 

The machine timeline includes information about process creation, network connections, and file creations. In future incremental releases we will expose more and more monitoring capabilities.

 

In the Microsoft Defender ATP for Mac EDR public preview announcement, we also discussed the post-breach detection capability with an example scenario that customers can use to experience the feature. This detection dictionary is growing with more monitoring capabilities and ongoing excellent research by our security teams.

 

Unified investigation experience

 

The machine timeline is just one piece of the investigation story. Our popular advanced hunting tool allows customers to perform free-form investigations using a powerful query engine and an ever-growing set of useful shared queries. Now, customers can use this capability to search for threats across macOS devices, exploring up to 30 days of raw data.

 

AH.png

 

The solid architecture also seamlessly enables custom detections on top of the advanced hunting capabilities.

 

The rest of the investigation experience, such as the hyperlinked exploration between the different monitored entities, is the same as with Windows devices. The monitored entities (e.g. files, processes, network connections, alerts) are available for exploration on macOS devices. Here are a few examples:

 

File page

File.png

 

IP Address Page

IP.png

 

Excellent performance control

 

The performance of security agents is influenced by a variety of factors: the operating system, different endpoint use cases, multiple installed security agents, and the specifications of the device itself. These factors present challenges to all security solutions. The Microsoft Defender ATP team is continuously investing in performance improvements. The current release is optimized for code compilation (to support developers) and for large software deployments and updates (to support the majority of macOS customers). In some cases, customers will need to use exclusion capabilities to optimize even more. In rare cases when a customer has to run another security agent, side-by-side with Microsoft Defender ATP, configuration allows passive mode to mitigate performance issues if observed.

 

What’s next

 

Microsoft Defender ATP for Mac is a journey and it’s just the beginning! We’re excited to continue expanding our capabilities into other non-Windows platforms and are fortunate to have the best design partners among our customers. We are not stopping here. If you are looking to influence the future, fill out our survey. We want to hear what features are the most important to you and how we should prioritize our development investments. The survey also provides an opportunity to apply for a Microsoft Defender ATP design partner role.  Additional details will be shared directly with prospective design partners.

 

How to get started

 

Microsoft 365 E5 Security and Microsoft 365 E5 customers can start using Microsoft Defender ATP for Mac on machines running macOS right away. To get started, navigate to the onboarding section in Microsoft Defender Security Center. Make sure you update the agent to version 100.79.42 or higher.

 

If you’re not yet taking advantage of Microsoft’s industry leading security optics and detection capabilities, sign up for free trial of Microsoft Defender ATP today.

 

Please share your feedback and join the discussion below.

 

Microsoft Defender ATP team

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.