Microsoft Defender ATP Adds Live Response for Linux and macOS
Microsoft has announced the addition of new live response capabilities for macOS and Linux to Defender for Endpoint, the enterprise version of its Windows 10 Defender antivirus.
The new features are now available in public preview on the enterprise endpoint security platform (formerly known as Microsoft Defender Advanced Threat Protection) and come with new commands unique to those platforms.
They are designed to help Security Operations Teams (SecOps) trigger response actions directly from the live response interface during incident investigations.
SecOps experts can use them to contain identified threats by enforcing network isolation, blocking attempts by attackers to exfiltrate data or move laterally across the network.
Other response actions added today for macOS and Linux clients also allow them to collect information about attackers’ tools and techniques, and to remotely initiate antivirus scans to detect and remediate malware infections on compromised devices.
With Live Response for macOS and Linux, analysts can perform the following tasks:
- Run basic and advanced commands to investigate suspicious entities.
- Collect files (such as malware samples, script output) for offline analysis.
- Trigger response actions on the device.
- Download any Bash script to their live response library, then run it on the device to collect forensic evidence and fix malicious entities.
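As an added illustration (not Microsoft's code, and not part of the original article), the script below is the kind of forensic collection script an analyst could place in the live response library and run on a Linux device. It gathers volatile state and common persistence locations into an output directory and writes a SHA-256 manifest so the bundle can be integrity-checked after it is pulled back for offline analysis. The output paths, file names and the set of collectors are this example's own assumptions; collectors missing on the host are recorded as gaps rather than silently skipped.

```shell
#!/usr/bin/env bash
# Added example of a Linux triage script for a live response library.
# Not Microsoft's code; output layout and collector choices are assumptions.
set -u

# Run a collector if the command exists; otherwise record that it was missing,
# so the evidence bundle documents gaps instead of silently omitting them.
collect() {
    local out="$1"; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$out" 2>&1 || echo "[collector exited $?]" >> "$out"
    else
        echo "[collector '$1' not available on this host]" > "$out"
    fi
}

# Hash every collected file so tampering in transit can be detected later.
write_manifest() {
    local outdir="$1"
    ( cd "$outdir" && find . -type f ! -name MANIFEST.sha256 -print0 \
        | sort -z | xargs -0 -r sha256sum ) > "$outdir/MANIFEST.sha256"
}

# Verify a bundle against its manifest; exit status 0 means it is intact.
verify_manifest() {
    local outdir="$1"
    ( cd "$outdir" && sha256sum --quiet -c MANIFEST.sha256 )
}

# Gather volatile and persistence-related state into OUTDIR.
collect_triage() {
    local outdir="$1"
    mkdir -p "$outdir"
    collect "$outdir/system.txt"    uname -a
    collect "$outdir/identity.txt"  id
    collect "$outdir/processes.txt" ps -eo pid,ppid,user,lstart,cmd
    collect "$outdir/sockets.txt"   ss -tulpn
    collect "$outdir/mounts.txt"    mount
    collect "$outdir/logins.txt"    last -n 50
    # Persistence points: cron entries and systemd units changed in the last 7 days.
    collect "$outdir/recent_persistence.txt" \
        find /etc/cron.d /etc/crontab /etc/systemd/system /var/spool/cron \
             -type f -mtime -7 -ls
    # Executables in world-writable temp directories are a common staging spot.
    collect "$outdir/tmp_executables.txt" \
        find /tmp /var/tmp /dev/shm -type f -perm /111 -ls
    # Snapshot the account database (no secrets: /etc/shadow is deliberately skipped).
    cp /etc/passwd "$outdir/passwd.txt" 2>/dev/null || true
    write_manifest "$outdir"
}

# Entry point when run from the live response console:
#   bash triage.sh --run /tmp/triage-<case-id>   (path is an assumption)
if [ "${1:-}" = "--run" ]; then
    collect_triage "${2:-/tmp/triage-$$}"
fi
```

After collecting the directory with the live response file-collection command, `verify_manifest` run against the downloaded copy confirms that nothing changed between collection on the device and analysis on the workstation.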
“With Live Response, you have the power to perform in-depth investigative work and take immediate response actions to contain identified threats quickly – in real time,” Microsoft said.
“Live Response is designed to improve investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats and proactively search for emerging threats.”
This update showcases Microsoft’s ongoing efforts to extend the capabilities of Defender for Endpoint across all popular platforms, to help security teams defend all endpoints using one unified security platform.
Microsoft Defender for Endpoint was made available for macOS devices in May 2019 and extended to Linux and Android devices in June 2020.
Earlier this year, in April 2021, Microsoft also announced that Microsoft Defender for Endpoint supports Windows 10 on Arm devices.