The idea of this blog is to have a collection of links to playbooks that provide detailed guidance on how you can simulate security product features and generate security alerts in your own cloud environment.
Azure ATP (AATP)
The Azure ATP lab simulates different scenarios to identify and detect suspicious activity and potential attacks from the network. It has four (4) different labs and detailed instructions on how to configure the lab, virtual machines, necessary accounts, and permissions. Highly recommended if you have Azure ATP in use.
The downside is that some scenarios might require changes to domain controllers to be able to simulate the attack and the alert.
Example alerts from the lab in Sentinel
Microsoft Defender ATP (MDATP)
The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of the machine and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
There are two labs available which I’m aware of. The first one is included in the MDATP product itself and the second one is a bit older but should work fine with MDATP (except with the newest features).
Example Alerts in Sentinel
Azure Identity Protection (IPC)
Azure AD Identity Protection risk detection simulation is available in the product documentation. Simulation guidance is available for the following scenarios: Anonymous IP address (easy), Unfamiliar sign-in properties (moderate), and Atypical travel (difficult).
Example Alert in Sentinel
Generated from the Tor browser, which fulfills the “Anonymous IP address” or “Unfamiliar sign-in properties” scenario.

Azure Security Center (ASC)
With Azure Security Center you can verify that an alert is properly being sent to the underlying Log Analytics workspace by the Log Analytics agent.
Example alert in Security Center and from Sentinel
Cloud App Security (MCAS)
I haven’t found Microsoft guidance about simulating alerts in MCAS, but I have written multiple blogs about this topic. I hope these will be helpful for this purpose, simulating the alerts.
- Detect suspicious OAuth apps with MCAS
- MCAS monitoring capabilities for detecting risky apps and suspicious activity
Example Alerts in Sentinel
I spent some time trying to find simulations for different Microsoft security products. I hope this helps you evaluate security solution capabilities and saves you a bit of time!