MicrosoftDocs
diff --git a/‎defender-endpoint/behavior-monitor-macos.md‎
Lines changed: 114 additions & 113 deletions b/‎defender-endpoint/behavior-monitor-macos.md‎
Lines changed: 114 additions & 113 deletions
diff --git a/‎defender-endpoint/demonstration-behavior-monitoring.md‎
Lines changed: 12 additions & 13 deletions b/‎defender-endpoint/demonstration-behavior-monitoring.md‎
Lines changed: 12 additions & 13 deletions
@@ -1,26 +1,26 @@
 ---
 title: Behavior Monitoring in Microsoft Defender Antivirus on macOS
 description: Behavior Monitoring in Microsoft Defender Antivirus on macOS
-author: YongRhee-MSFT # GitHub alias
-ms.author: yongrhee # Microsoft alias
+author: YongRhee-MSFT
+ms.author: yongrhee
 manager: deniseb
 ms.service: defender-endpoint
 ms.topic: overview
 ms.date: 05/29/2024
 ms.subservice: ngp
 audience: ITPro
-ms.collection: 
+ms.collection:
 - m365-security
 - tier2
 - mde-asr
-ms.custom: 
+ms.custom:
 - partner-contribution
 ms.reviewer: yongrhee
 search.appverid: MET150
-f1.keywords: NOCSH 
+f1.keywords: NOCSH
 ---
 
- # Behavior monitoring in Microsoft Defender Antivirus on macOS
+# Behavior monitoring in Microsoft Defender Antivirus on macOS
 
 **Applies to:**
 
@@ -39,19 +39,19 @@ f1.keywords: NOCSH
 
 - Device is onboarded to Microsoft Defender for Endpoint.
 - [Preview features](/defender-endpoint/preview) is enabled in the Microsoft XDR portal ([https://security.microsoft.com](https://security.microsoft.com)).
-- Device must be in the [Beta channel](/defender-endpoint/mac-updates) (formerly InsiderFast). 
-- Minimal Microsoft Defender for Endpoint version number must be Beta (Insiders-Fast): 101.24042.0002 or newer. Version number refers to the **app_version** (also known as **Platform update**).
+- Device must be in the [Beta channel](/defender-endpoint/mac-updates) (formerly InsiderFast).
+- Minimal Microsoft Defender for Endpoint version number must be Beta (Insiders-Fast): 101.24042.0002 or newer. Version number refers to the **app_version** (also known as **Platform update**).
 - Ensure that Real-Time Protection (RTP) is enabled.
 - Ensure [cloud-delivered protection](/defender-endpoint/mac-preferences) is enabled.
 - Device must be explicitly enrolled into the preview.
 
 ## Overview
 
-Behavior monitoring monitors process behavior to detect and analyze potential threats based on the behavior of the applications, daemons, and files within the system. As behavior monitoring observes how the software behaves in real-time, it can adapt quickly to new and evolving threats and block them. 
+Behavior monitoring monitors process behavior to detect and analyze potential threats based on the behavior of the applications, daemons, and files within the system. As behavior monitoring observes how the software behaves in real-time, it can adapt quickly to new and evolving threats and block them.
 
 ## Deployment instructions
 
-To deploy behavior monitoring in Microsoft Defender for Endpoint on macOS, you must change the behavior monitoring policy using one of the following methods: 
+To deploy behavior monitoring in Microsoft Defender for Endpoint on macOS, you must change the behavior monitoring policy using one of the following methods:
 
 - [Intune](#intune-deployment)
 - [JamF or other 3<sup>rd</sup> party MDM](#via-jamf-deployment)
@@ -63,78 +63,78 @@ The following sections describe each of these methods in detail.
 
 1. Copy the following XML to create a _.plist_ file and save it as **BehaviorMonitoring_for_MDE_on_macOS.mobileconfig**
 
-```xml
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-    <dict>
-        <key>PayloadUUID</key>
-        <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
-        <key>PayloadType</key>
-        <string>Configuration</string>
-        <key>PayloadOrganization</key>
-        <string>Microsoft</string>
-        <key>PayloadIdentifier</key>
-        <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
-        <key>PayloadDisplayName</key>
-        <string>Microsoft Defender for Endpoint settings</string>
-        <key>PayloadDescription</key>
-        <string>Microsoft Defender for Endpoint configuration settings</string>
-        <key>PayloadVersion</key>
-        <integer>1</integer>
-        <key>PayloadEnabled</key>
-        <true/>
-        <key>PayloadRemovalDisallowed</key>
-        <true/>
-        <key>PayloadScope</key>
-        <string>System</string>
-        <key>PayloadContent</key>
-        <array>
-            <dict>
-                <key>PayloadUUID</key>
-                <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
-                <key>PayloadType</key>
-                <string>com.microsoft.wdav</string>
-                <key>PayloadOrganization</key>
-                <string>Microsoft</string>
-                <key>PayloadIdentifier</key>
-                <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
-                <key>PayloadDisplayName</key>
-                <string>Microsoft Defender for Endpoint configuration settings</string>
-                <key>PayloadDescription</key>
-                <string/>
-                <key>PayloadVersion</key>
-                <integer>1</integer>
-                <key>PayloadEnabled</key>
-                <true/>
-                <key>antivirusEngine</key>
-                <dict>
-                <key>behaviorMonitoring</key>
-                <string>enabled</string>
-                </dict>
-                <key>features</key>
-                <dict>
-                <key>behaviorMonitoring</key>
-                <string>enabled</string>
-                <key>behaviorMonitoringConfigurations</key>
-                <dict>
-                <key>blockExecution</key>
-                <string>enabled</string>
-                <key>notifyForks</key>
-                <string>enabled</string>
-                <key>forwardRtpToBm</key>
-                <string>enabled</string>
-                <key>avoidOpenCache</key>
-                <string>enabled</string>
-                                 </dict>
-                    </dict>
-            </dict>
-        </array>
-    </dict>
-</plist>
-```
-
-2. Open **Devices** > **Configuration profiles**. 
+   ```xml
+   <?xml version="1.0" encoding="UTF-8"?>
+   <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+   <plist version="1.0">
+       <dict>
+           <key>PayloadUUID</key>
+           <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
+           <key>PayloadType</key>
+           <string>Configuration</string>
+           <key>PayloadOrganization</key>
+           <string>Microsoft</string>
+           <key>PayloadIdentifier</key>
+           <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
+           <key>PayloadDisplayName</key>
+           <string>Microsoft Defender for Endpoint settings</string>
+           <key>PayloadDescription</key>
+           <string>Microsoft Defender for Endpoint configuration settings</string>
+           <key>PayloadVersion</key>
+           <integer>1</integer>
+           <key>PayloadEnabled</key>
+           <true/>
+           <key>PayloadRemovalDisallowed</key>
+           <true/>
+           <key>PayloadScope</key>
+           <string>System</string>
+           <key>PayloadContent</key>
+           <array>
+               <dict>
+                   <key>PayloadUUID</key>
+                   <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
+                   <key>PayloadType</key>
+                   <string>com.microsoft.wdav</string>
+                   <key>PayloadOrganization</key>
+                   <string>Microsoft</string>
+                   <key>PayloadIdentifier</key>
+                   <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
+                   <key>PayloadDisplayName</key>
+                   <string>Microsoft Defender for Endpoint configuration settings</string>
+                   <key>PayloadDescription</key>
+                   <string/>
+                   <key>PayloadVersion</key>
+                   <integer>1</integer>
+                   <key>PayloadEnabled</key>
+                   <true/>
+                   <key>antivirusEngine</key>
+                   <dict>
+                   <key>behaviorMonitoring</key>
+                   <string>enabled</string>
+                   </dict>
+                   <key>features</key>
+                   <dict>
+                   <key>behaviorMonitoring</key>
+                   <string>enabled</string>
+                   <key>behaviorMonitoringConfigurations</key>
+                   <dict>
+                   <key>blockExecution</key>
+                   <string>enabled</string>
+                   <key>notifyForks</key>
+                   <string>enabled</string>
+                   <key>forwardRtpToBm</key>
+                   <string>enabled</string>
+                   <key>avoidOpenCache</key>
+                   <string>enabled</string>
+                                    </dict>
+                       </dict>
+               </dict>
+           </array>
+       </dict>
+   </plist>
+   ```
+
+2. Open **Devices** > **Configuration profiles**.
 
 3. Select **Create profile** and select **New Policy**.
 
@@ -152,35 +152,35 @@ The following sections describe each of these methods in detail.
 
 1. Copy the following XML to create a _.plist_ file and save it as **Save as BehaviorMonitoring_for_MDE_on_macOS.plist**
 
-```xml
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> 
-<plist version="1.0">
-    <dict>
-        <key>antivirusEngine</key>
-            <dict>
-                <key>behaviorMonitoring</key>  
-                <string>enabled</string> 
-            </dict>
-                <key>features</key>
-                     <dict>
-                         <key>behaviorMonitoring</key>
-                         <string>enabled</string>
-                         <key>behaviorMonitoringConfigurations</key>
-                             <dict>
-                                 <key>blockExecution</key>
-                                 <string>enabled</string>
-                                 <key>notifyForks</key>
-                                 <string>enabled</string>
-                                 <key>forwardRtpToBm</key>
-                                 <string>enabled</string>
-                                 <key>avoidOpenCache</key>
-                                 <string>enabled</string>
-                             </dict>
-                     </dict>
-    </dict>
-</plist>
-```
+   ```xml
+   <?xml version="1.0" encoding="UTF-8"?>
+   <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+   <plist version="1.0">
+       <dict>
+           <key>antivirusEngine</key>
+               <dict>
+                   <key>behaviorMonitoring</key>
+                   <string>enabled</string>
+               </dict>
+                   <key>features</key>
+                        <dict>
+                            <key>behaviorMonitoring</key>
+                            <string>enabled</string>
+                            <key>behaviorMonitoringConfigurations</key>
+                                <dict>
+                                    <key>blockExecution</key>
+                                    <string>enabled</string>
+                                    <key>notifyForks</key>
+                                    <string>enabled</string>
+                                    <key>forwardRtpToBm</key>
+                                    <string>enabled</string>
+                                    <key>avoidOpenCache</key>
+                                    <string>enabled</string>
+                                </dict>
+                        </dict>
+       </dict>
+   </plist>
+   ```
 
 2. In **Computers** > **Configuration Profiles**, select **Options** > **Applications & Custom Settings**,
 3. Select **Upload File** (_.plist_ file).
@@ -191,7 +191,7 @@ For more information, see: [Set preferences for Microsoft Defender for Endpoint
 
 #### Manual deployment
 
-You can enable Behavior Monitoring on Microsoft Defender for Endpoint on macOS by running the following command from the Terminal: 
+You can enable Behavior Monitoring on Microsoft Defender for Endpoint on macOS by running the following command from the Terminal:
 
 ```bash
 sudo mdatp config behavior-monitoring --value enabled
@@ -216,7 +216,8 @@ The existing Microsoft Defender for Endpoint on macOS command line interface can
 ```bash
 sudo mdatp threat list
 ```
-### Frequently Asked Questions (FAQ):
+
+### Frequently Asked Questions (FAQ)
 
 #### What if I see an increase in cpu utilization or memory utilization?
 
 
@@ -28,7 +28,6 @@ ms.date: 05/15/2024
 - [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md)
 - [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals)
 
-
 Behavior Monitoring in Microsoft Defender Antivirus monitors process behavior to detect and analyze potential threats based on the behavior of applications, services, and files. Rather than relying solely on content matching, which identifies known malware patterns, behavior monitoring focuses on observing how software behaves in real-time.
 
 ## Scenario requirements and setup
@@ -57,20 +56,21 @@ To demonstrate how Behavior Monitoring blocks a payload:
 
 1. Create a bash script using a script/text editor such as nano or Visual Studio Code (VS Code):
 
-  ```bash
-  #! /usr/bin/bash
-  echo " " >> /tmp/9a74c69a-acdc-4c6d-84a2-0410df8ee480.txt 
-  echo " " >>  /tmp/f918b422-751c-423e-bfe1-dbbb2ab4385a.txt 
-  sleep 5
-  ```
+   ```bash
+   #! /usr/bin/bash
+   echo " " >> /tmp/9a74c69a-acdc-4c6d-84a2-0410df8ee480.txt
+   echo " " >> /tmp/f918b422-751c-423e-bfe1-dbbb2ab4385a.txt
+   sleep 5
+   ```
 
 2. Save as BM_test.sh
-3. Run the following command to make the bash script executable.
+3. Run the following command to make the bash script executable:
 
-  ```bash
-  sudo chmod u+x BM_test.sh
-  ```
-4. . Run the bash script 
+   ```bash
+   sudo chmod u+x BM_test.sh
+   ```
+
+4. Run the bash script:
 
   ```bash
   sudo bash BM_test.sh
@@ -99,4 +99,3 @@ Detection time: Tue May 7 20:23:41 2024
 Status: "quarantined"
 
 If you have Microsoft Defender for Endpoint P2/P1 or Microsoft Defender for Business, go to the [Microsoft Defender XDR portal](https://security.microsoft.com), and you'll see an alert named: "Suspicious 'MacOSChangeFileTest' behavior was blocked."
-