Learning Path 2 - Lab 1 - Exercise 2 - Mitigate Attacks with Microsoft Defender for Endpoint

Lab scenario

Lab overview

You are a Security Operations Analyst working at a company that is implementing Microsoft Defender for Endpoint. Your manager plans to onboard a few devices to provide insight into required changes to the Security Operations (SecOps) team response procedures.

To explore the Defender for Endpoint attack mitigation capabilities, you will run two simulated attacks.

Important: Please wait until WIN1 appears in the Devices page before you continue. Otherwise, you might need to repeat this task to see the alerts that will be generated later.

Task 1: Simulated Attacks

In this task, you will run two simulated attacks to explore the capabilities of Microsoft Defender for Endpoint.

  1. If you are not already at the Microsoft 365 Defender portal in your Microsoft Edge browser, go to (https://security.microsoft.com) and log in as Admin for your tenant.

  2. From the menu, under Endpoints, select Evaluation & tutorials and then select Tutorials & simulations from the left side.

  3. Select the Tutorials tab.

  4. Under Automated investigation (backdoor), you will see a message describing the scenario. Below this paragraph, click Read the walkthrough. A new browser tab opens with instructions for performing the simulation.

  5. In the new browser tab, locate the section named Run the simulation (page 5, starting at step 2) and follow the steps to run the attack. Hint: The simulation file RS4_WinATP-Intro-Invoice.docm can be found back in the portal, just below the Read the walkthrough link you selected in the previous step, by selecting the Get simulation file button.

  6. Repeat the last 3 steps to run another tutorial, Automated investigation (fileless attack).

Task 2: Investigate the Attacks

  1. In the Microsoft 365 Defender portal select Incidents & alerts from the left menu bar, then select Incidents.

  2. A new incident called “Multi-stage incident…” is in the right pane. Click the incident name to load its details.

  3. Select the Manage incident button; a new blade (side pane) appears.

  4. Under Incident tags type “Tutorial” and select Tutorial (Create new) to create a new tag.

  5. Select the toggle Assign to and add your user account (Me) as owner of the incident.

  6. Under Classification, expand the drop-down menu.

  7. Under Informational, expected activity, select Security testing.

  8. Add any comments if desired and click Save to finish.

  9. Review the contents of the Alerts, Devices, Users, Investigations, Evidence and Response, and Graph tabs. Hint: Some tabs might be hidden due to the size of your display. Select the ellipsis tab (…) to make them appear.
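The triage performed in steps 2 through 8 (tag, owner, classification and determination) can also be applied programmatically, which is useful when a SecOps team wants to document simulation runs consistently. The following PowerShell script is an added example, not part of the lab or of Microsoft's own material; it assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account has been granted the SecurityIncident.ReadWrite.All permission, and that the incident created by the simulation is still named with the "Multi-stage incident" prefix shown in step 2.

```powershell
# Added example: apply the same triage as the portal steps through Microsoft Graph.
# Assumptions: Microsoft.Graph SDK installed; SecurityIncident.ReadWrite.All consented.
Connect-MgGraph -Scopes "SecurityIncident.ReadWrite.All" -NoWelcome

# Find the incident generated by the tutorial (step 2 names it "Multi-stage incident...").
# Filtering is done client-side to avoid relying on server-side string filters.
$incidents = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/security/incidents?`$top=50"
$target = $incidents.value |
    Where-Object { $_.displayName -like "Multi-stage incident*" } |
    Sort-Object createdDateTime -Descending |
    Select-Object -First 1

if (-not $target) {
    throw "No incident starting with 'Multi-stage incident' was found; wait for the simulation alerts to arrive."
}

# Same values chosen in the portal:
#   Incident tag    -> Tutorial                       (step 4)
#   Assign to       -> the signed-in user             (step 5)
#   Classification  -> Informational, expected activity (steps 6-7)
#   Determination   -> Security testing               (step 7)
$me = (Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/me").userPrincipalName
$body = @{
    customTags     = @("Tutorial")
    assignedTo     = $me
    classification = "informationalExpectedActivity"
    determination  = "securityTesting"
    comments       = @(@{ comment = "Defender for Endpoint tutorial simulation run (Lab 1, Exercise 2)." })
}

Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/security/incidents/$($target.id)" `
    -Body ($body | ConvertTo-Json -Depth 4) `
    -ContentType "application/json"

# Read the incident back to confirm the classification was recorded.
$updated = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/security/incidents/$($target.id)"
"{0}: classification={1}, determination={2}, tags={3}" -f `
    $updated.displayName, $updated.classification, $updated.determination, ($updated.customTags -join ",")
```

Because the tutorial creates real alerts, classifying the incident as expected security testing keeps it from skewing mean-time-to-respond metrics while still preserving the investigation evidence for review.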

Warning: The simulations and tutorials here are an excellent source of learning through practice. Simulations and tutorials are added and edited regularly in the portal. However, some of these simulations and tutorials may interfere with the performance of the labs designed for this training course. Only perform the simulations and tutorials recommended in the instructions provided for this lab when using the course-provided Azure tenant. You may perform the other simulations and tutorials with this tenant after the training course is complete.

You have completed the lab.