Goal
Simulate attacker behaviors and verify, end-to-end, that the expected detections fire and that the resulting alerts are routed to the right place.
When to use
- After deploying/tuning detection rules
- After telemetry changes (Sysmon, agent configs)
Prereqs
- Atomic Red Team available on a test endpoint
- Velociraptor artifacts to execute tests remotely
Procedure (high level)
- Pick a safe atomic test (review what it executes and confirm it has a cleanup step before running it)
- Execute it via CoPilot/Velociraptor
- Confirm the expected alert fires
- If it does not, determine first whether the telemetry (e.g. the Sysmon event) is missing or the rule simply did not match, then tune rules/telemetry accordingly
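The steps above as one script, as an added example that is not part of this runbook or of Atomic Red Team/Velociraptor themselves. It uses the Invoke-AtomicRedTeam module and Sysmon's process-creation events (Event ID 1) on the test endpoint; whether you run it locally or push it to the endpoint through Velociraptor, the sequence is the same. The technique (T1082), test number, and expected image name (systeminfo.exe) are assumptions; confirm them with -ShowDetails before relying on them.

```powershell
# Added example: local validation loop for one atomic test on a Windows test endpoint.
# Assumes: Invoke-AtomicRedTeam module and atomics folder installed, Sysmon logging
# process creation (Event ID 1), and an elevated PowerShell session.
# Technique/test number and expected image name are assumptions; verify with -ShowDetails.

Import-Module Invoke-AtomicRedTeam -ErrorAction Stop

$Technique   = 'T1082'          # System Information Discovery (assumed read-only, low-risk test)
$TestNumber  = 1                # assumed test number; check -ShowDetails
$ExpectedImg = 'systeminfo.exe' # assumed binary this atomic launches; check -ShowDetails
$SysmonLog   = 'Microsoft-Windows-Sysmon/Operational'

# 1. Show exactly what will run; do not execute anything you have not read.
Invoke-AtomicTest $Technique -TestNumbers $TestNumber -ShowDetails

# 2. Check dependencies, note the start time, then execute the test.
Invoke-AtomicTest $Technique -TestNumbers $TestNumber -CheckPrereqs
$Start = (Get-Date).AddSeconds(-5)   # small margin for clock skew between log and script
Invoke-AtomicTest $Technique -TestNumbers $TestNumber -ExecutionLogPath "$env:TEMP\atomic-exec.csv"

# 3. Telemetry check: did Sysmon record the process creation the test should produce?
Start-Sleep -Seconds 10   # give Sysmon and the forwarding agent time to write the event
$Events = Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = 1; StartTime = $Start } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($ExpectedImg) }

if ($Events) {
    Write-Host "Telemetry OK: $($Events.Count) Sysmon EID 1 event(s) for $ExpectedImg since $Start"
} else {
    # No local event means the gap is in telemetry, not in the detection rule: fix Sysmon first.
    Write-Warning "No Sysmon EID 1 event for $ExpectedImg since $Start. Check the Sysmon config before tuning the rule."
}

# 4. Always clean up, even if the telemetry check failed.
Invoke-AtomicTest $Technique -TestNumbers $TestNumber -Cleanup
```

The script only proves the endpoint produced the event; whether the rule matched and the alert reached the expected UI surface is still confirmed on the SIEM/CoPilot side, as in the Validation step. Splitting the check this way tells you which of the two layers to tune when the alert is missing.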
Validation
- Alert fires and is visible in the expected UI surface(s)
