Merge pull request #2163 from MicrosoftDocs/main

denisebmsft · web-flow · commit 77a2f206f151 · 2024-12-11T18:15:12.000-08:00
Pushing doc updates live -- Mac
diff --git a/defender-endpoint/behavior-monitor-macos.md b/defender-endpoint/behavior-monitor-macos.md
@@ -1,12 +1,12 @@
 ---
 title: Behavior Monitoring in Microsoft Defender Antivirus on macOS
 description: Behavior Monitoring in Microsoft Defender Antivirus on macOS
-author: YongRhee-MSFT
-ms.author: yongrhee
+author: denisebmsft
+ms.author: deniseb
 manager: deniseb
 ms.service: defender-endpoint
 ms.topic: overview
-ms.date: 05/29/2024
+ms.date: 12/11/2024
 ms.subservice: ngp
 audience: ITPro
 ms.collection:
@@ -35,26 +35,26 @@ f1.keywords: NOCSH
 > [!IMPORTANT]
 > Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
-## Prerequisites
+## Overview of behavior monitoring
 
-- Device is onboarded to Microsoft Defender for Endpoint.
-- [Preview features](/defender-endpoint/preview) is enabled in the Microsoft XDR portal ([https://security.microsoft.com](https://security.microsoft.com)).
-- Device must be in the [Beta channel](/defender-endpoint/mac-updates) (formerly InsiderFast).
-- Minimal Microsoft Defender for Endpoint version number must be Beta (Insiders-Fast): 101.24042.0002 or newer. Version number refers to the **app_version** (also known as **Platform update**).
-- Ensure that Real-Time Protection (RTP) is enabled.
-- Ensure [cloud-delivered protection](/defender-endpoint/mac-preferences) is enabled.
-- Device must be explicitly enrolled into the preview.
+Behavior monitoring monitors process behavior to detect and analyze potential threats based on the behavior of the applications, daemons, and files within the system. As behavior monitoring observes how the software behaves in real-time, it can adapt quickly to new and evolving threats and block them.
 
-## Overview
+## Prerequisites
 
-Behavior monitoring monitors process behavior to detect and analyze potential threats based on the behavior of the applications, daemons, and files within the system. As behavior monitoring observes how the software behaves in real-time, it can adapt quickly to new and evolving threats and block them.
+- The device must be onboarded to Microsoft Defender for Endpoint.
+- [Preview features](/defender-endpoint/preview) must be enabled in the [Microsoft Defender portal](https://security.microsoft.com).
+- The device must be in the [Beta channel](/defender-endpoint/mac-updates) (formerly `InsiderFast`). 
+- The minimum Microsoft Defender for Endpoint version number must be Beta (Insiders-Fast): [101.24042.0002](/defender-endpoint/mac-whatsnew#may-2024-build-101240420008---release-version-2012404280) or newer. The version number refers to the `app_version` (also known as **Platform update**).
+- Real-time protection (RTP) must be enabled.
+- [Cloud-delivered protection](/defender-endpoint/mac-preferences) must be enabled.
+- The device must be explicitly enrolled in the preview program.
 
-## Deployment instructions
+## Deployment instructions for behavior monitoring
 
 To deploy behavior monitoring in Microsoft Defender for Endpoint on macOS, you must change the behavior monitoring policy using one of the following methods:
 
 - [Intune](#intune-deployment)
-- [JamF or other 3<sup>rd</sup> party MDM](#via-jamf-deployment)
+- [JamF or other non-Microsoft MDM](#jamf-deployment)
 - [Manually](#manual-deployment)
 
 The following sections describe each of these methods in detail.
@@ -148,7 +148,7 @@ The following sections describe each of these methods in detail.
 
 8. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices or to a Device Group or User Group.**
 
-#### Via JamF deployment
+#### JamF deployment
 
 1. Copy the following XML to create a _.plist_ file and save it as **Save as BehaviorMonitoring_for_MDE_on_macOS.plist**
 
@@ -209,19 +209,78 @@ For more information, see: [Resources for Microsoft Defender for Endpoint on mac
 
 See [Behavior Monitoring demonstration](demonstration-behavior-monitoring.md).
 
-### Verifying Behavior Monitoring detection
+### Verifying behavior monitoring detections
 
 The existing Microsoft Defender for Endpoint on macOS command line interface can be used to review behavior monitoring details and artifacts.
 
 ```bash
+
 sudo mdatp threat list
+
 ```
 
 ### Frequently Asked Questions (FAQ)
 
 #### What if I see an increase in cpu utilization or memory utilization?
 
-Disable Behavior Monitoring and see if the issue goes away.
+Disable behavior monitoring and see if the issue goes away.
+
+- If the issue doesn't go away, it isn't related to behavior monitoring.
+- If the issue goes away, download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer), and then contact Microsoft support.
+
+## Network real-time inspection for macOS
+
+> [!IMPORTANT]
+> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The network real-time inspection (NRI) for macOS feature enhances real-time protection (RTP) by using [behavior monitoring](behavior-monitor-macos.md) in concert with file, process, and other events to detect suspicious activity. Behavior monitoring triggers both telemetry and sample submissions on suspicious files for Microsoft to analyze from the cloud protection backend, and is delivered to the client device, resulting in a removal of the threat.
+
+### Is there an impact on performance?
+
+NRI should have a low impact on network performance. Instead of holding the connection and blocking, NRI makes a copy of the packet as it crosses the network, and NRI performs an asynchronous inspection.
+
+> [!NOTE]
+> When network real-time inspection (NRI) for macOS is enabled, you might see a slight increase in memory utilization. 
+
+### Requirements for NRI for macOS
+
+- The device must be onboarded to Microsoft Defender for Endpoint.
+- Preview features must be turned on in the [Microsoft Defender portal](https://security.microsoft.com).
+- The device must be in the Beta channel (formerly `InsiderFast`).
+- The minimum version number for Defender for Endpoint version number must be Beta (Insiders-Fast): [101.24092.0004](/defender-endpoint/mac-whatsnew#oct-2024-build-101240920004---release-version-2012409240) or newer. The version number refers to the `app version` (also known as Platform update).
+- Real-time protection must be enabled.
+- Behavior monitoring must be enabled.
+- Cloud-delivered protection must be enabled.
+- The device must be explicitly enrolled into the preview.
+
+### Deployment instructions for NRI for macOS
+
+1. E-mail us at `NRIonMacOS@microsoft.com` with information about your Microsoft Defender for Endpoint OrgID where you would like to have network real-time inspection (NRI) for macOS enabled. 
+
+   > [!IMPORTANT]
+   > In order to evaluate NRI for macOS, send email to `NRIonMacOS@microsoft.com`. Include your Defender for Endpoint Org ID. We're enabling this feature on a per-request basis for each tenant.
+ 
+2. Enable behavior monitoring if it's not already enabled:
+
+   ```Bash
+
+   sudo mdatp config behavior-monitoring --value enabled
+   
+   ```
+ 
+3. Enable network protection in block mode:
+
+   ```Bash
+
+   sudo mdatp config network-protection enforcement-level --value block
+   
+   ```
+
+4. Enable network real-time inspection (NRI):
+
+   ```Bash
+
+   sudo mdatp network-protection remote-settings-override set --value "{\"enableNriMpengineMetadata\" : true}"
+   
+   ```
 
-- If the issue doesn't go away, it is not related to Behavior Monitoring.
-- If the issue goes away, take an aka.ms/xMDEClientAnalyzer and contact Microsoft support.
diff --git a/defender-endpoint/demonstration-behavior-monitoring.md b/defender-endpoint/demonstration-behavior-monitoring.md
@@ -98,7 +98,7 @@ Details: This program is dangerous and executes command from an attacker.
 Affected items:
 behavior: process: C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe, pid:6132:118419370780344
 process: pid:6132,ProcessStart:133621698624737241
-Learn more	Actions
+Learn more    Actions
 ```
 
 In the [Microsoft Defender portal](https://security.microsoft.com), you should see information like this: 
@@ -123,7 +123,7 @@ When RTP is enabled, the result shows a value of 1.
 
 ### Enable Behavior Monitoring for Microsoft Defender for Endpoint
 
-For more information on how to enable behavior monitoring for Defender for Endpoint, see [Deployment instructions](behavior-monitor-macos.md#deployment-instructions).
+For more information on how to enable behavior monitoring for Defender for Endpoint, see [Deployment instructions for behavior monitoring](behavior-monitor-macos.md#deployment-instructions-for-behavior-monitoring).
 
 ### Demonstration of how Behavior Monitoring works
 
@@ -156,7 +156,7 @@ To demonstrate how Behavior Monitoring blocks a payload:
 
    `zsh: killed      sudo bash BM_test.sh`
 
-   The file was quarantined by Defender for Endpoint on macOS. Use the following command to list all the detected threats:
+   The file is quarantined by Defender for Endpoint on macOS. Use the following command to list all the detected threats:
 
    ```bash
    mdatp threat list
diff --git a/defender-endpoint/mac-whatsnew.md b/defender-endpoint/mac-whatsnew.md
@@ -6,7 +6,7 @@ author: deniseb
 ms.author: deniseb
 manager: deniseb
 ms.localizationpriority: medium
-ms.date: 11/18/2024
+ms.date: 12/11/2024
 audience: ITPro
 ms.collection:
 - m365-security
@@ -43,6 +43,12 @@ For more information on Microsoft Defender for Endpoint on other operating syste
 
 - In macOS Sequoia (version 15.0), if you have Network Protection enabled, you might see crashes of the network extension (NetExt). This issue results in intermittent network connectivity issues for end users. Please upgrade to macOS Sequoia version 15.1 or newer.
 
+- On macOS Sequoia (Version 15.0 - 15.1.1), users may encounter prompts about incoming network connections from applications when the native firewall is active.  
+
+   ![Screenshot showing prompts about incoming network connections](media/mac-whatsnew/image.png)
+
+If an end user encounters a prompt for Defender for Endpoint on macOS processes such as `wdavdaemon_enterprise` or `Microsoft Defender Helper`, the end user can safely choose the **Deny** option. This selection doesn't impact Defender for Endpoint's functionality.  Enterprises can also add *Microsoft Defender* to allow [incoming connections](https://support.apple.com/en-ca/guide/deployment/dep8d306275f/web).  This issue is fixed in macOS Sequoia 15.2.
+
 ## Sequoia support
 
 - Microsoft Defender for Endpoint supports version 15.0.1 or newer.
diff --git a/defender-endpoint/media/mac-whatsnew/image.png b/defender-endpoint/media/mac-whatsnew/image.png
