Behavior Monitoring in Defender for Endpoint for macOS - Let's see what it's all about.
Microsoft recently released a capability within Microsoft Defender for Endpoint which improves the early detection and prevention of suspicious and malicious activities targeting macOS users. I participated in early private previews and I was really impressed by its level of real-time monitoring and detection capabilities.
According to Microsoft -
"Behavior monitoring observes how software behaves in real-time to detect and analyze potential threats based on the behavior of the applications, daemons, and files within your system. Behavior monitoring is a cornerstone of Microsoft Defender’s cloud-based protection strategy."
Behavior monitoring (BM) is being rolled out gradually, but once fully deployed, customers will benefit from this cloud-based protection within Microsoft Defender for Endpoint.
As of writing this blog, there are of course some prerequisites that organizations will need to consider -
1. The device must be onboarded to Microsoft Defender for Endpoint.
2. Preview features must be enabled in the Microsoft Defender portal.
3. The device must be in the Beta channel (formerly InsiderFast).
4. The minimum Microsoft Defender for Endpoint version number must be Beta (Insiders-Fast): 101.24042.0002 or newer. The version number refers to the app_version (also known as Platform update).
5. Real-time protection (RTP) must be enabled.
6. Cloud-delivered protection must be enabled.
7. The device must be explicitly enrolled in the preview program.
Currently, BM is being rolled out automatically to the External channel for app versions above 101.25042.0002 and to the Production channel for app versions above 101.25032.0006. If you are not on one of these channels or app versions, you can enable the BM feature separately, just like I did. Here is how to go about enabling it -
Creating the Behavior Monitoring xml
If you are on a Windows device, copy the following content into a new .xml file.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender for Endpoint settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender for Endpoint configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender for Endpoint configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>antivirusEngine</key>
<dict>
<key>behaviorMonitoring</key>
<string>enabled</string>
</dict>
<key>features</key>
<dict>
<key>behaviorMonitoring</key>
<string>enabled</string>
</dict>
</dict>
</array>
</dict>
</plist>
Save it as com.microsoft.wdav.xml. Then follow the steps below to import it into Intune.
Importing in Intune
1. Sign in to the Microsoft Intune admin center.
2. Browse to Devices -> Configuration profiles.
3. Select Create profile, then New Policy.
4. Give the profile a name and select macOS as the platform.
5. Select Templates as the profile type, then Custom.
6. Enter com.microsoft.wdav as the custom configuration profile name.
7. Select Device channel as the deployment channel.
8. Select the .xml file created earlier. Your settings should look something like below -
9. Assign it to a device- or user-based group as needed.
Creating custom attribute for tracking (Optional)
If you would like to capture the compliance state of the BM feature, you can do so through custom attributes. Compliance for the feature can be checked through the Defender portal, but I wanted something to report within the Intune admin console as well.
Here is the script that I put together -
#!/bin/bash
#set -x
# Ask the local Defender agent for the behavior_monitoring feature state and keep
# only the first word of the answer (the enabled/disabled value).
var=$(sudo /usr/local/bin/mdatp health --details features --field behavior_monitoring | awk '{print $1}')
# Whatever the script writes to stdout becomes the custom attribute value in Intune.
echo "MDATP Behavior Monitoring Status: $var"
Save it as CustomAttribute_MDE_BM_Threat_Status_v1.0.sh
Importing the .sh in Intune
1. Navigate to the Microsoft Intune admin center.
2. Go to Devices -> macOS -> Custom attributes for macOS -> Add.
3. Give it a name and, if needed, a description.
4. Configure the following settings:
5. Assign it to a device- or user-based group as needed.
End Result
Before the policy is applied, the feature will show as disabled.
After the policy is applied, the feature should show as enabled, as shown below.
You can also verify that the policy is enforced by navigating to Settings -> General -> Device Management.
Testing for BM feature
After the feature is enabled, you can test it by running the following as a .sh file for demonstration purposes.
#!/bin/bash
# Append to two files under /tmp; behavior monitoring flags this activity and raises
# the Behavior:MacOS/MacOSChangeFileTest detection shown further below.
echo " " >> /tmp/9a74c69a-acdc-4c6d-84a2-0410df8ee480.txt
echo " " >> /tmp/f918b422-751c-423e-bfe1-dbbb2ab4385a.txt
# Wait a few seconds before the script exits.
sleep 5
You can import it as a standard script in Intune and run it that way. Note: This might throw an error, but during my testing, it did execute.
Once the script has executed, it will produce a specific result, similar to the one below -
MDATP Threat List: Id: "7faa0f82-8e31-4a2f-bad9-56f093b4f81b"
Name: Behavior:MacOS/MacOSChangeFileTest
Type: "behavior" Detection time: Thu Jun 19 13:08:32 2025
Status: "quarantined"
Process ID: 4052 Path: /bin/bash Sha256 hash: 706a6b99ab27a29b5fe323d3fcf08934407ab82470f82e76588146e1e5705014 Sha1 hash: fa3b768829d02e71f3299ded43f527a9d20c711e
If you want, you can capture this using a custom attribute in Intune as well. Just put the following lines of code in a .sh file and import it into Intune using the steps provided under "Creating custom attribute for tracking (Optional)" above.
#!/bin/bash
#set -x
# awk passes every line of the threat list through unchanged; because $var is
# expanded unquoted below, the lines are collapsed onto a single line of output.
var=$(sudo /usr/local/bin/mdatp threat list | awk '{print $0}')
echo "MDATP Threat List:" $var
It should look something like below.
If the demonstration script from earlier ran successfully, then the output should be displayed in Intune as well.
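Added example (not from the original post, and not Microsoft's code): a custom attribute script that condenses the threat list into one line, counting behavior-monitoring detections and naming the most recent one, so the attribute stays readable when several threats are listed. It assumes `mdatp threat list` prints one `Key: value` per line with records separated by a blank line (based on the output shown above); the sample threat list is constructed, and its second record uses placeholder values.

```shell
#!/bin/bash
# Added example (not from the original post): condense `mdatp threat list` into one
# line for an Intune custom attribute. Assumed layout, based on the post's output:
# one "Key: value" per line, records separated by a blank line.

# Constructed sample: record 1 mirrors the post's test detection, record 2 is a
# non-behavior placeholder to show the filter at work.
SAMPLE_THREAT_LIST='Id: "7faa0f82-8e31-4a2f-bad9-56f093b4f81b"
Name: Behavior:MacOS/MacOSChangeFileTest
Type: "behavior"
Detection time: Thu Jun 19 13:08:32 2025
Status: "quarantined"
Process ID: 4052
Path: /bin/bash

Id: "00000000-0000-0000-0000-000000000000"
Name: Placeholder:MacOS/NotABehaviorDetection
Type: "file"
Detection time: Thu Jun 19 13:10:00 2025
Status: "quarantined"
Path: /tmp/placeholder.txt'

# summarize_threats: read threat-list text on stdin, print one summary line.
summarize_threats() {
    awk '
        BEGIN { RS = ""; FS = "\n" }   # paragraph mode: one record per block
        {
            type = ""; name = ""; status = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, ": ")
                key = kv[1]; val = substr($i, length(key) + 3)
                gsub(/"/, "", val)     # values may be quoted
                if (key == "Type")   type = val
                if (key == "Name")   name = val
                if (key == "Status") status = val
            }
            total++
            if (type == "behavior") { behavior++; last = name " (" status ")" }
        }
        END {
            if (total == 0) { print "MDATP Threat List: none"; exit }
            printf "MDATP Threat List: total=%d behavior=%d last_behavior=%s\n",
                   total, behavior, (behavior ? last : "none")
        }'
}

# Use the real agent when present; otherwise exercise the constructed sample.
if [ -x /usr/local/bin/mdatp ]; then /usr/local/bin/mdatp threat list | summarize_threats
else printf '%s\n' "$SAMPLE_THREAT_LIST" | summarize_threats; fi
```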
Behavior monitoring alerts are displayed in the Microsoft Defender XDR portal alongside all other alerts, enabling effective investigation.
That's it for now. I hope the information in this blog post helped in getting a glimpse of the BM feature and how it can be administered using tools like Intune and Defender XDR. Until next time.