After Atomic Red Team has been enabled for your organization, a Run Atomic Tests button will appear inside the Overview of any Windows sensor.

Before running, you can select a set of tests from the full suite. The list of available tests is updated every time the window is opened so you can be sure you are getting all available options.

Once tests are selected and run, the output can be viewed inside a job on the Dashboard of your organization. Depending on the number of tests selected, it may take a few minutes for the job to finish.

Once complete, you can check the results of the test by opening the job details view.

If any detections have been generated, they will appear as regular detections on the Detections dashboard.

Additionally, if you want to run the Atomic Red Team tests on multiple endpoints, you can do so from the Services tab.

To do so:

  • Select an action (required) - list (to list available tests) or run (to run Atomic Red Team tests on the endpoint)

  • Select a sensor (required if you want to run tests; not needed for list). The sensor must be online to run tests.

  • List comma-separated test IDs (test IDs are required if you want to run tests but are optional for listing)

  • Choose whether to clean up after running a test. "Clean" will clean up after the test has run (i.e., if settings were changed, it will revert the system to its original state)

  • Choose whether the service should impersonate the current user. Impersonate is a general parameter that makes the service use your own permissions (and not the permissions the service was set to have)

  • Choose whether the service should run as a background job. The Atomic Red Team run action will always run as a background job.

Once complete, you can check the results of the test by opening the job details view on the Dashboard. If any detections have been generated, they will appear as regular detections on the Detections dashboard.
