Detect 1.7.0 was released on Mar 13, 2024

Prelude is excited to bring you the next version of Detect. This release includes the following improvements:

Threats and Tests

  • Prelude has migrated Advisories to a new type of test, Threats. In a Threat, tests are broken out by MITRE ATT&CK TCode, and each TCode has its own test. This allows Detect to test all TCodes associated with a Threat and to provide test results for each TCode in that Threat. Users can now schedule Threats to be evaluated against targeted endpoints. When a Threat runs on an endpoint, each Test in the Threat is run in order and the results are collected. Threats have a detail view in which users can see all the tests and results in a Threat. As part of this migration, all Advisory tests have been unscheduled. Users can now schedule Threats to run against their endpoints.
  • As part of the move to Threats, Prelude published a number of new TCode-specific tests.
  • Prelude has added Run Once as an option in the scheduler. Tests scheduled to Run Once will run one time per targeted host over the next 24 hours. After 24 hours, the test or threat will return to Unscheduled.
  • Detect now batches schedule requests, allowing us to support simultaneous schedule requests for many more tests and threats.
  • Detect now supports a soft delete of tests and threats. Soft deleted items are unscheduled and no longer available for scheduling. Users can view soft deleted items and their results. A new command, purge, has been added to the CLI. Purged items are fully deleted: they're no longer visible in the UI and their results are removed. After 90 days, soft deleted items are automatically purged.
  • Detect probes periodically check in to determine if there are any scheduled tests to run. To increase probe responsiveness, we've reduced the probe's check-in interval from 4 hours to 10 minutes.
  • Prelude fixed a bug in which Auto-Pilot would fail to schedule new advisories in some cases.
  • The following new security tests were added to Detect:
    • StopRansomware: Phobos Ransomware
    • Threat Actor Leverages Compromised Account of Former Employee to Access State Government Organization
    • PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
    • Known Indicators of Compromise Associated with Androxgh0st Malware
    • StopRansomware: ALPHV Blackcat
    • StopRansomware: Play Ransomware
    • Enhancing Cyber Resilience: Insights from the CISA Healthcare and Public Health Sector Risk and Vulnerability Assessment

Detect Management

  • Detect's SSO solution now supports multiple accounts using the same SSO authentication source account. For instance, if a customer has 2 Detect instances and uses Okta for authentication, both instances can be configured to use the same Okta authentication source. When configuring SSO, administrators are prompted to provide a Slug. This is a term that users provide to identify the Prelude instance that they wish to log in to. When logging in through SSO, users provide their instance's Slug and their user name.
  • Administrators can now view and update a user's name, permission, and expiration date from the Account Users view in Account settings.

Insights Dashboard

  • When searching for Tests or Threats, Detect will match on rows whose Unique ID matches the search term, even though Unique ID is not a column in our Threat and Test views. This allows users to search for tests and threats by their Unique ID.
  • Prelude has removed the unauthenticated demonstration experience from Detect. Unauthenticated users attempting to view pages in the Detect application will be redirected to the login page.
  • Detect now provides text search when viewing lists of Threats and Tests.
  • We resolved an issue in which the month slider in Detect's Dashboard could be slid to a future month.


  • In addition to Splunk and VECTR, Detect now supports sending data to S3 as a Data Integration.