Prerequisites
- Windows client devices must be running Windows 11, Windows 10 version 1709 build 16273 or newer, Windows 8.1, or Windows 7 SP1.
- Windows server devices must be running Windows Server 2008 R2 SP1, Windows Server 2012 R2 and later, or Azure Stack HCI OS, version 23H2 and later.
- Linux servers must be running a supported version (see Prerequisites for Microsoft Defender for Endpoint on Linux).
- Devices must be onboarded to Defender for Endpoint.
Endpoint detection and response (EDR) in Microsoft Defender for Endpoint provides advanced, near real-time, actionable detections. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. You can run an EDR detection test to verify that the device is properly onboarded and reporting to the service. This article describes how to run an EDR detection test on a newly onboarded device.
Run an EDR detection test
Run the EDR detection test on Windows
Tip
The Windows device must be listening for requests on TCP port 80 for the following commands to work. You can verify by running the following PowerShell command: Test-NetConnection 127.0.0.1 -Port 80.
In a Command Prompt window, run the following commands:
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference='silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-WDATP-test\\invoice.exe');Start-Process 'C:\\test-WDATP-test\\invoice.exe'
If the command runs successfully and the test file executes, the detection test is marked as completed and a new alert appears within a few minutes.
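Beyond confirming the alert in the portal, a practitioner often wants to confirm that their own forwarded process-creation telemetry (SIEM, Sysmon, audit logs) also captured the DIY test. The following Python is an added example, not part of this page or of Defender for Endpoint: it runs over constructed, simplified event lines (a hypothetical "timestamp|device|parent|image|command_line" format) and flags both the explicit markers of the test command above and the generic download-and-execute traits it imitates.

```python
"""Flag the Windows EDR DIY test pattern in constructed process-creation telemetry."""
import re
from dataclasses import dataclass, field

# Constructed sample events; the format is hypothetical and not real Defender output.
SAMPLE_EVENTS = r"""
2024-05-01T10:00:01Z|ws01|cmd.exe|powershell.exe|powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference='silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-WDATP-test\\invoice.exe');Start-Process 'C:\\test-WDATP-test\\invoice.exe'
2024-05-01T10:00:02Z|ws01|powershell.exe|invoice.exe|C:\\test-WDATP-test\\invoice.exe
2024-05-01T10:05:00Z|ws02|explorer.exe|powershell.exe|powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1
"""

@dataclass
class Finding:
    timestamp: str
    device: str
    image: str
    reasons: list = field(default_factory=list)

# Markers taken from the DIY test command shown on this page.
TEST_MARKERS = {
    "download from loopback test URL": re.compile(r"http://127\.0\.0\.1/1\.exe", re.I),
    "path under test-WDATP-test": re.compile(r"test-WDATP-test\\+invoice\.exe", re.I),
}
# Generic download-and-execute traits the test imitates; any three together is enough to flag.
GENERIC_TRAITS = {
    "execution policy bypass": re.compile(r"-ExecutionPolicy\s+Bypass", re.I),
    "hidden window": re.compile(r"-WindowStyle\s+Hidden", re.I),
    "WebClient download": re.compile(r"\.DownloadFile\(", re.I),
    "launches downloaded file": re.compile(r"Start-Process", re.I),
}

def parse_events(text):
    """Split the pipe-delimited sample lines into event dictionaries."""
    events = []
    for line in text.strip().splitlines():
        ts, device, parent, image, cmd = line.split("|", 4)
        events.append({"timestamp": ts, "device": device, "parent": parent,
                       "image": image, "command_line": cmd})
    return events

def analyze(events):
    """Return one Finding per event that matches a test marker or enough generic traits."""
    findings = []
    for ev in events:
        cmd = ev["command_line"]
        markers = [name for name, rx in TEST_MARKERS.items() if rx.search(cmd)]
        generic = [name for name, rx in GENERIC_TRAITS.items() if rx.search(cmd)]
        if markers or len(generic) >= 3:
            findings.append(Finding(ev["timestamp"], ev["device"], ev["image"], markers + generic))
    return findings

if __name__ == "__main__":
    for f in analyze(parse_events(SAMPLE_EVENTS)):
        print(f.timestamp, f.device, f.image, "->", ", ".join(f.reasons))
```

If the test fired in the portal but this kind of check finds nothing in your forwarded logs, the gap is in the telemetry pipeline rather than in the sensor.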
Run the EDR detection test on Linux
Perform the following steps to run the EDR detection test on Linux.
Download the MDE Linux EDR DIY package to an onboarded Linux server so you can extract and run the test script locally. For more information, see the script file.
curl -o ~/Downloads/MDE-Linux-EDR-DIY.zip -L https://aka.ms/MDE-Linux-EDR-DIY
Extract the downloaded archive to access the DIY test script and supporting files.
unzip ~/Downloads/MDE-Linux-EDR-DIY.zip
Make the script executable so it can be launched from the terminal:
chmod +x ./mde_linux_edr_diy.sh
Run the DIY script to start the EDR test scenario and verify endpoint detection behavior:
./mde_linux_edr_diy.sh
After a few minutes, a detection should be raised in the Microsoft Defender portal. Look at the alert details and the machine timeline, and perform your typical investigation steps.
Run the EDR detection test on macOS
Perform the following steps to run the EDR detection test on macOS.
In your browser, Microsoft Edge for Mac or Safari, download MDATP macOS DIY.zip from the macOS EDR DIY test file download page and extract the zipped folder.
The following prompt appears:
Do you want to allow downloads on "mdatpclientanalyzer.blob.core.windows.net"?
You can change which websites can download files in Websites Preferences.
Select Allow to permit downloads from "mdatpclientanalyzer.blob.core.windows.net".
Open Downloads.
You should see MDATP MacOS DIY.
Tip
If you double-click MDATP MacOS DIY, you'll get the following message:
"MDATP MacOS DIY" cannot be opened because the developer cannot be verified.
macOS cannot verify that this app is free from malware.
[Move to Trash] [Done]
In the developer-verification warning dialog, click Done.
Right-click MDATP MacOS DIY, and then click Open.
The system displays the following message:
macOS cannot verify the developer of MDATP MacOS DIY. Are you sure you want to open it?
By opening this app, you will be overriding system security which can expose your computer and personal information to malware that may harm your Mac or compromise your privacy.
In the macOS security confirmation dialog, click Open.
The system displays the following message:
Microsoft Defender for Endpoint - macOS EDR DIY test file
Corresponding alert will be available in the MDATP portal.
In the EDR DIY test file dialog, click Open.
In a few minutes, an alert named macOS EDR Test Alert is raised.
Go to Microsoft Defender portal (https://security.microsoft.com/).
Go to the Alert Queue.
The macOS EDR test alert shows severity, category, detection source, and a collapsed menu of actions. Look at the alert details and the device timeline, and perform the regular investigation steps.
Next steps
If you're experiencing issues with application compatibility or performance, you might consider adding exclusions. See the following articles for more information:
- Configure and validate exclusions for Microsoft Defender for Endpoint on macOS
- Address false positives/negatives in Microsoft Defender for Endpoint
- Manage suppression rules
- Create indicators of compromise (IoC)
- Create and manage custom detections rules
Also, see the Microsoft Defender for Endpoint Security Operations Guide.