Learning to manage Microsoft Defender Advanced Threat Protection takes time, but the built-in evaluation lab can help expedite the process.
In a previous article, we discussed onboarding machines into Microsoft Defender ATP, but how do you proceed beyond that?
It is easy to become overwhelmed by the Security Operations dashboard or the Threat Analytics page. However, not fully understanding what managing a service like MDATP involves could leave you just as vulnerable, however much data it collects.
To build skills in threat detection and system management in MDATP, I found that the evaluation lab is a built-in and effective way to see the details and kill chain of a simulated attack, allowing you to focus on the important information without any risk to your production environment.
A Look at MDATP’s Evaluation Lab
The evaluation lab in MDATP allows the creation of three Windows 10 test devices, each of which is available for 72 hours.
Since only three test machines are available for the lifetime of the subscription, it is important to start by planning test scenarios using varied inputs such as different times of day, specific computers, their locations, user access levels and so on.
Choose from the following threat simulations:
- Automated Investigations
- Persistence methods
- Defense evasion techniques
- APT29 (Cozy Bear)
- Credential Theft
- OS Configuration changes
- Code Execution
- Known Ransomware Infection
Results are available to view by “Devices” and “Simulations” (bottom of the screenshot above). Selecting the machine – in this case, testmachine1 – provides details of that device, including the following:
- Tags
- Security Info – open incidents, active alerts, exposure, risk, etc.
- Device Details – Domain, OS, IP Address, etc.
- Network Activity – first seen and last seen dates and times
Along with the information about the evaluation device, a wealth of incident information is also available, as you can see below.
- Overview – including active alerts, security assessments and logged-on users
- Alerts – including threat name, status, category, investigation state, etc.
- Timeline – including list of threat events by date and time
- Security Recommendations
- Software Inventory
- Discovered Vulnerabilities
- Missing KBs
Looking specifically at the Alerts tab, you will find a list of all alerts for the machine.
Selecting an alert provides the kill chain, or “Alert Story”, including specifics such as processes, file names, registry keys and users. This is the information you are really after when hunting down threats in your environment.
You can also take action and “Manage” the alert by assigning it to an information security team member, or “Link” the alert to other alerts. You’ll also find full details of the threat itself, which systems have been impacted, and the recommended remediation steps.
Final Thoughts
Learning to manage MDATP takes time, but you can expedite the process using sample exploits in the evaluation lab before introducing the service to your environment.
The lab gives you a look at all levels of information in MDATP – from general details about threats and machines all the way down to a single process on a single machine – without needing to involve any users or computers in your organization.