Microsoft Defender for Endpoint Adds New Investigation and Response Capabilities

Published: Mar 05, 2024

Cloud Computing

SHARE ARTICLE

Key Takeaways:

  • Microsoft Defender for Endpoint has added new advanced investigation and response capabilities.
  • The file collection feature enables security analysts to gather malicious files to speedup the investigation and response process.
  • The troubleshooting mode allows IT administrators to investigate issues (such as application compatibility and resource consumption) on macOS.

Microsoft has introduced advanced investigation and response capabilities within its Defender for Endpoint service. The latest release brings support for file collection and investigation package collection response actions in public preview for macOS and Linux devices.

According to Microsoft, security professionals should have a clear view of compromised devices to identify the malicious activities that lead to cyberattacks. They need to gather device telemetry data and malicious files to determine the cause of an attack in enterprise environments. The new security features are designed to streamline the process for security teams to enhance protection against security breaches.

“Analysts with the relevant permissions will be able to download files identified on the device and .zip packages that provide additional context about the device’s current state for further analysis of the affected device and a better understanding of the tools and techniques employed by the attacker,” Microsoft explained.

The file collection feature enables security analysts to quickly gather any malicious files for investigation and response purposes. Additionally, the investigation package serves as a collection of forensic data, providing in-depth insights into security incidents. It includes important information such as network activity data, process histories, and system logs.

Microsoft Defender for Endpoint Adds New Investigation and Response Capabilities

Microsoft Defender for Endpoint adds troubleshooting mode for macOS

Lastly, Microsoft Defender for Endpoint now provides support for troubleshooting mode on macOS devices. This feature allows IT administrators to investigate issues such as application compatibility, high CPU usage, and high memory consumption.

To enable troubleshooting mode, admins will need to go to the device page, and it can be activated for up to 4 hours. Once the mode expires, security settings that were previously configured will be restored automatically on the device. Security admins will be able to use the xMDEClientAnalyzer feature to access diagnostic files.

SHARE ARTICLE