
Task 05: Generate safe alerts

  1. Go back to your Azure portal tab.

  2. In Azure’s search box, enter and select your rg-xdr-lab resource group.


  3. Select the winvm-mde VM.

  4. On the top bar, select Connect > Connect via Bastion.


  5. On the Bastion page, enter the following credentials:

    | Item     | Value        |
    |----------|--------------|
    | Username | azureadmin   |
    | Password | P@ssword123! |

  6. Select Connect.

    This opens the winvm-mde VM in a new browser tab.

  7. In the See text and images copied… dialog, select Allow.


  8. In the Networks flyout pane, select No.


  9. Close all other windows that load in the VM.

  10. In winvm-mde's taskbar search box, enter Windows PowerShell, then right-click Windows PowerShell > Run as administrator.

    Use the taskbar inside the Bastion browser tab for winvm-mde, not the Skillable VM's own taskbar.

  11. Enter the following:

     # Standard EICAR test string; single quotes keep the '$' characters literal
     $eicar='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

  12. Run the following five times:

     Set-Content -Path C:\eicar.com -Value $eicar -Encoding ASCII


    Press the Up arrow key to recall the previous line, then press Enter to rerun it.

    Windows Defender AV should quarantine it and MDE should raise an alert/incident.

    Wait 5-10 minutes after running.
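    The following script is an added example and is not part of the lab guide. It performs steps 11 and 12 in one run and then checks Microsoft Defender Antivirus's local detection history, so you can confirm the EICAR writes were caught on the VM before waiting for the alert to surface in MDE. It assumes an elevated Windows PowerShell session on winvm-mde and that the built-in Defender cmdlets (Get-MpThreatDetection) are available, which they are on any Windows build with Defender installed.

```powershell
# Added example (not the lab's own code): seed five EICAR detections and verify locally.
# Assumes: elevated Windows PowerShell on winvm-mde with the Defender module present.

# Standard EICAR test string. Single quotes keep the '$' characters literal.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$path  = 'C:\eicar.com'

for ($i = 1; $i -le 5; $i++) {
    try {
        Set-Content -Path $path -Value $eicar -Encoding ASCII -ErrorAction Stop
        Write-Host "Write $i succeeded (real-time protection should remove the file shortly)."
    } catch {
        # Real-time protection can reject the write itself; that still counts as a detection.
        Write-Host "Write $i blocked: $($_.Exception.Message)"
    }
    Start-Sleep -Seconds 3   # give real-time protection time to act between writes
}

# Local check 1: the test file should no longer exist on disk.
if (Test-Path $path) {
    Write-Warning "$path is still present; check that real-time protection is enabled."
} else {
    Write-Host "$path was removed by Defender."
}

# Local check 2: Defender's detection history should show hits from the last few minutes.
# ThreatID 2147519003 is Defender's ID for the EICAR test file; the filter below does not
# rely on it and simply lists everything recent so the output is easy to read.
Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -gt (Get-Date).AddMinutes(-10) } |
    Select-Object InitialDetectionTime, ThreatID, ProcessName,
                  @{ Name = 'Resources'; Expression = { $_.Resources -join '; ' } } |
    Format-Table -AutoSize
```

    Seeing five recent entries here confirms the VM side of the lab worked; the MDE portal alert and incident follow on their own schedule, which is why the guide asks you to wait 5-10 minutes.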

  13. Still in the winvm-mde VM, open Microsoft Edge and close any dialogs without signing in.

  14. Open a few well-known SaaS sites like the following to seed Cloud Discovery via MDE integration. You do not need to sign in.

    • outlook.com
    • onedrive.com
    • salesforce.com
    • monday.com
    • docusign.com
  15. Close the winvm-mde Bastion browser tab.