cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Microsoft Defender ATP evaluation lab breach & attack simulators are now available in public preview
By
Hadar Feldman
Published May 20 2020 08:58 AM 25.9K Views
Hadar Feldman
Microsoft
‎May 20 2020 08:58 AM

Microsoft Defender ATP evaluation lab breach & attack simulators are now available in public preview

‎May 20 2020 08:58 AM

Update: this integration is now generally available as of June 2020. 

 

Microsoft Defender ATP has partnered with breach and attack simulation solutions, AttackIQ and SafeBreach, to give you convenient access to attack simulators right from the within the portal! These capabilities, now in public preview, are built into our evaluation lab, have no prerequisites, and we encourage you to check them out. 

 

Running threat simulations using third-party platforms is a good way to evaluate and experience Microsoft Defender ATP capabilities within the confines of a lab environment. It’s also a great way to verify that your environment is well configured and protected against advanced threats.  

When you enable the integration, every lab machine you create will have the chosen agent(s) installed, allowing you to run a wide variety of cool simulations. 

 

Running a simulation on a lab device just takes a couple of clicks – and you’ll be able to see results right away – all presented to you in the evaluation lab console as you can see in the image below. 

machinestab2.JPG

 

simulation2.JPG

 

AttackIQ and SafeBreach simulations are easily accessible from within the simulations catalog in the simulations & tutorials section of evaluation lab. Each simulation comes with an in-depth description of the attack scenario, references to MITRE ATT&CK techniques and attack groups part of the simulation, as well as sample advanced hunting queries you can run. 

 

gallery2.JPG

 

gallery3.JPG

 

If you have preview features turned on in Microsoft Defender ATP, you can try out the new attack simulators in the evaluation lab today 

 

Already have a lab? Make sure to enable the new breach and attack simulators and have active machines. 

 

Need more machines in your lab? Submit a support ticket to have your request reviewed by the Microsoft Defender ATP team. 

 

For more information, see the Microsoft Defender ATP evaluation lab documentation. 

 

 

 

9 Comments
Alex Verboon
MVP
‎May 21 2020 01:21 AM
‎May 21 2020 01:21 AM

Great work, I really like this enhancement of the MDATP Evaluation lab. 

AlonsoTI
Copper Contributor
‎May 21 2020 01:38 PM
‎May 21 2020 01:38 PM

Great work, of great value to evaluate the service in more detail :D 

Jason Hartman
Brass Contributor
‎May 22 2020 08:43 AM
‎May 22 2020 08:43 AM

This looks really interesting.  We are just starting to evaluate Defender ATP and other endpoint protection products. I just setup a trial so I could test this out.   However as I'm getting ready to create some of the test machine as described above, it sounds like you only get one opportunity to do this.  Like once the 48/72 hours expires, those machines will go away and you can never create another batch of test machines.  Am I reading that correctly?

 

I was initially hoping this would be a lab environment for evaluating different products.  Install one with Defender ATP, one with ESET, one with Sophos and run the same attack simulation against all machines and compare how they respond.  Is that possible?   Can I install other software in the VMs?

 

But I guess that leads back to my initial question - do I only have one opportunity to setup these test machine and evaluate them in the span of a couple days and then never again?

 

Thanks!

Jason

Hadar Feldman
Microsoft
‎May 22 2020 10:22 AM
‎May 22 2020 10:22 AM

Hi @Jason Hartman!

 

To your first question - at the moment, lab devices are only available for the limited time you chose. (you can create one machine today, and one machine in a month from now, but each one of them will be limited by time)

That said, if you need more machines, please submit a support ticket and we will review the request.

I see your point on the need of having more lab devices available. We are considering such scenarios, we will share with lab users when possible.

 

Last but not least - other than the fact you can easily run simulations provided by MDATP partners, you have full RDP access to each lab machine (password shown in the device creation process) so yes - you may install anything you'd like :)

 

It'll be great to hear from you about your experience with the new lab capabilities, and with MDATP in general!

0 Likes
Like
Jason Hartman
Brass Contributor
‎May 22 2020 01:05 PM
‎May 22 2020 01:05 PM

Hi @Hadar Feldman Thanks so much for the additional info.

 

You said "you can create one machine today, and one machine in a month from now....".  How would I do that?  I only see 3 options when go to setup a new lab.  3, 4 or 8 devices.

 

Thanks!

Jason

0 Likes
Like
Hadar Feldman
Microsoft
‎May 23 2020 06:47 AM
‎May 23 2020 06:47 AM

@Jason Hartman  for example, the default option (3 machines for 72 hours), means 3 machines 72 hours each. From the moment you'll create a machine in your lab, it'll be available for the next 72 hours.

If you'll create another machine a month from now, it'll be available for 72 hours from creation.

We hope to add more granularity for these options soon.

 

0 Likes
Like
AartecWave
Copper Contributor
‎Jun 02 2020 12:21 PM
‎Jun 02 2020 12:21 PM

Hi @Hadar Feldman, it is a great a very needed integration with BAS products! Are all capabilities and features offered by AttackIQ  and SafeBreach available from ATP Security Center portal with our already purchased E5 license or would buying the BAS product license provide access to all of them?

0 Likes
Like
Johnnyb_infosec
Copper Contributor
‎Jul 21 2021 08:21 PM
‎Jul 21 2021 08:21 PM

Are there license requirements to test this lab environment? 

 

Or this feature only for E5 customers? 

0 Likes
Like
DKMDE
Copper Contributor
‎Feb 07 2024 10:38 PM
‎Feb 07 2024 10:38 PM

MS has deprecated this feature since 18th Jan 2024.

Is there a way to access simulation files and documents.

Eagerly waiting for your reply.

0 Likes
Like
Version history
Last update:
‎Jun 25 2020 08:58 AM
Updated by: