While I was doing a PoC of Defender for Identity at one of my customers, I decided to take it one step further and try working with all the Defender capabilities enabled on the VM.
In this case I was setting up Defender for Identity, but Defender for Endpoint was also enabled on the VM, so… I started playing:
The first thing happened when I tried to run mimikatz on the VM:
I intentionally left Windows Defender on, and not only did it block the program, the binary was also deleted from the VM. First thing: cool.
This execution also fired several alerts in the Defender for Endpoint portal:
Wow, a lot of information to start with… So in order to carry on with my tests, it was necessary to deactivate Windows Defender protection:
But once I had everything in place and had executed my test, what I could see from the different security products was the following:
Azure Defender has been talking a lot with all the products, firing many alerts in my environment. I have to say that I have not only Defender for Identity but also Defender for Endpoint and Sentinel, so all my alerts are being correlated in my workspace.
So I can dig into the alerts to find out what is really happening in my environment:
For me, all the variants of Defender & Sentinel are great tools to protect our environments from external threats 🙂