Microsoft Windows Defender Advanced Threat Protection (ATP)

Solution Overview
Windows Defender is an anti-malware product focused on providing investigation tools in the event of a breach or suspected breach. ATP analyzes endpoint behavior related to applications or code execution that may look suspicious or actually be malicious. Because no security product is perfect or 100 percent effective, a tool like ATP is needed to hunt for, identify and respond to those things that get past the protection deployed.

Microsoft Defender ATP provides the information you need to discover:

  • How the threat got in?
  • What the threat is, based on behavioral analysis and other signals?
  • Where the threat is going — on the machine or further into your network?

Goals & Objectives

The purpose of the sandbox lab is to help you develop proficiency in managing and monitoring the Microsoft Defender ATP solution. The lab provides a flexible framework for evaluating the solution, its installation and behavior in a sample customer environment.  The lab will introduce you to the concepts and steps involved in detecting and responding to security incidents that are not caught by traditional defense measures.

The lab environment will allow you to:

  • Access the ESA Baseline Sandbox environment.
  • Log in to the cloud-based portal.
  • Navigate the portal's interface and workflow.
  • Introduce a "benign" malicious file.
  • Trace the effects of the file on the endpoint and the overall environment.

Hardware & Software

This lab consists of the following hardware and software:
  • Microsoft Defender Advanced Threat Protection (Current version) 
Server Devices 
  • 1x Windows Jumphost (Windows Server 2016) 
  • 1x Generic Server (Windows Server 2012) 
  • 1x Generic Server (Windows Server 2016) 
  • 1x Generic Server (Red Hat Enterprise Linux 7) 
  • 1x Generic Server (CentOS 7) 
  • 1x Generic Server (Solaris 11) 
Client Devices 
  • 1x Attack Client (Windows 10 Enterprise) 
  • 1x Generic Client (Windows 7 Enterprise) 
  • 1x Attack Host (Kali Linux 2018)