Microsoft Defender for Endpoint Blog
Evaluation Lab: Expanded OS support & Atomic Red Team simulations

Yaniv_Carmel (Microsoft)
Nov 22, 2021

Microsoft Defender for Endpoint’s Evaluation Lab is an environment that allows security teams to seamlessly test their defense against threats. We are excited to share that the Evaluation Lab now supports adding Windows 11, Windows Server 2016, and Linux devices. In addition, we’d also like to announce a new partnership with Red Canary’s open-source simulation library, Atomic Red Team! 

NOTE: Both updates are only available in the Microsoft 365 Defender portal at security.microsoft.com.

Expanded OS support

The Evaluation Lab now supports the following operating systems: Windows 10, Windows 11, Windows Server 2019, Windows Server 2016, and Linux (Ubuntu). To create a new device, simply select it within the “Add device” wizard. The new device is onboarded automatically, with no additional steps required.

Once created, you can connect to the device via RDP (Windows) or SSH (Linux). You can connect to a Linux device using any SSH client.

Atomic Red Team simulations

Powered by Red Canary, Atomic Red Team is an open-source library of tests that security teams can use to simulate adversarial activity in their environments. Atomic tests are simple – each test is mapped to a single MITRE ATT&CK® technique or sub-technique, most of them have no prerequisites, and many come with easy-to-use configuration and cleanup commands.

Evaluation Lab users can now use Atomic Red Team simulations to evaluate Microsoft Defender for Endpoint’s detection capabilities against both Windows and Linux threats. The simulations are provided as script files, so security teams can choose to run them in the Evaluation Lab or in any other testing environment of their choice.

The first simulation, 2021 Threat Detection Report, executes tests according to Red Canary’s latest report of top Windows techniques associated with confirmed threats, as compiled from roughly 20,000 confirmed threats detected across customer environments.

The second simulation, Linux techniques, is a collection of simple tests compiled to allow security teams to evaluate Microsoft Defender for Endpoint’s detection capabilities against common Linux persistence, discovery, and defense evasion techniques.

We’re looking forward to you trying out the Evaluation Lab updates. Let us know your thoughts and feedback in the comments below or through the feedback tool in the portal!

Comments

sbairu_25 (Copper Contributor)

    Dear Microsoft Defender for Endpoint Support Team,

    I hope this message finds you well. I am reaching out to seek clarification and guidance following a recent update concerning the Microsoft Defender for Endpoint’s Evaluation Lab. As per the latest communication and updates on the portal, it was indicated that the Evaluation Lab would be deprecated on January 18, 2024. Unfortunately, I have noticed that the Evaluation Lab feature is already unavailable in my portal, which has led to some confusion and hindered my testing plans.

    Given the critical role that the Evaluation Lab has played in allowing users to test and evaluate features within a safe and controlled environment, its unavailability poses a significant challenge to my current workflow and evaluation processes. I was relying on this functionality for upcoming assessments and to familiarize myself with the latest security capabilities of Microsoft Defender for Endpoint.

    Could you please provide me with the following information:

    1. Confirmation of the Evaluation Lab’s deprecation date and the reason for its current unavailability in my portal.
    2. Detailed information on the next available options or alternatives that Microsoft is offering to replace the Evaluation Lab functionality. It would be particularly helpful to understand any new tools or platforms that enable similar testing capabilities.
    3. Guidance on how to access and utilize these alternatives, including any necessary steps to enable them on my portal.
    4. Any additional resources, documentation, or support channels that you recommend to facilitate a smooth transition to these new testing environments.

    Understanding the importance of continuous testing and evaluation in maintaining a robust security posture, I am keen to explore the alternatives provided by Microsoft to ensure seamless security assessments and feature evaluations moving forward.

    I appreciate your prompt attention to this matter and look forward to your detailed response. Please let me know if you require any further information from my side to assist with this inquiry.

    Thank you for your support and cooperation.