2.0
4 months ago by James Evans
Detect 2.0 was released on Aug 20, 2024
Prelude is excited to announce Detect 2.0. This major update delivers Observed, Detected, and Prevented outcomes and AI-powered Automated Threat Intelligence Analysis, along with many other enhancements and bug fixes:
Observed, Detected, and Prevented
Detect has always reported Prevention information for tests. In addition to Prevention stats, Detect now collects Observed and Detection information from EDRs, initially CrowdStrike.
- Prevented - A test is Prevented when the test's execution was stopped on the endpoint.
- Detected - A test is Detected when your EDR generates a detection due to the test's activity. To determine Detection we check EDR alerts on the target endpoint; if we find a matching alert, the test was Detected.
- Observed - A test is Observed when your EDR has telemetry that captures information about the test running. To determine Observed we query the EDR's log events on the target endpoint; if we find events matching the test, the test was Observed.
Tests in Detect now come with an expected outcome: Observed, Detected, or Prevented. For customers who enable EDR integration we track and report all three stats for all tests.
Detect's dashboards and detail view tables now provide Observed, Detected, Prevented, and Expected Outcome columns for all tests.
A few things to note:
- Endpoints without EDR protection will not be evaluated for Observed or Detected outcomes.
- When calculating overall Protection percentages for environments, hosts, and Threats, Detect only considers tests whose expected outcome is Prevented.
- Contact your TAM about enabling this functionality in your account.
- When this feature is enabled, Detect attempts to fetch Observed and Detected results from your integrated EDR for the last 30 days, subject to EDR data retention.
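The outcome rules and the protection-percentage rule described in this section, modelled as a small Python example. This is added illustration, not Prelude's code or API; the record fields, the sample results and the `relevant` flag (standing in for the Not relevant results that Detect leaves out of protection percentages) are constructed assumptions.

```python
from dataclasses import dataclass, field

PREVENTED, DETECTED, OBSERVED = "Prevented", "Detected", "Observed"

@dataclass
class TestResult:
    test_id: str
    host: str
    expected: str                 # expected outcome that ships with the test
    execution_stopped: bool       # the endpoint stopped the test's execution
    edr_protected: bool = True    # host is covered by the integrated EDR
    edr_alerts: list = field(default_factory=list)  # EDR alerts matching the test
    edr_events: list = field(default_factory=list)  # EDR log events matching the test
    relevant: bool = True         # False stands in for a "Not relevant" result

def outcomes(r: TestResult) -> set:
    """Every outcome the test reached; the three stats are tracked independently."""
    reached = set()
    if r.execution_stopped:                  # Prevented: execution was stopped
        reached.add(PREVENTED)
    if r.edr_protected:                      # without EDR, Observed/Detected are not evaluated
        if r.edr_alerts:                     # Detected: a matching EDR alert exists
            reached.add(DETECTED)
        if r.edr_events:                     # Observed: matching EDR telemetry exists
            reached.add(OBSERVED)
    return reached

def met_expectation(r: TestResult) -> bool:
    return r.expected in outcomes(r)

def protection_pct(results) -> float:
    """Protection %: only tests expected to be Prevented count, and
    Not relevant results are left out of the calculation entirely."""
    scored = [r for r in results if r.relevant and r.expected == PREVENTED]
    if not scored:
        return 0.0
    hits = sum(1 for r in scored if PREVENTED in outcomes(r))
    return round(100.0 * hits / len(scored), 1)

# Constructed sample results (not real Detect data) for two hosts.
SAMPLE = [
    TestResult("t1", "host-a", PREVENTED, True, edr_alerts=["alert-1"]),
    TestResult("t2", "host-a", DETECTED, False, edr_alerts=["alert-2"], edr_events=["ev-1"]),
    TestResult("t3", "host-b", PREVENTED, False, edr_protected=False),
    TestResult("t4", "host-b", PREVENTED, False, relevant=False),
    TestResult("t5", "host-b", OBSERVED, False, edr_events=["ev-2"]),
]
```

With the sample above, `protection_pct(SAMPLE)` is 50.0: t4 is excluded as Not relevant, t2 and t5 are not expected to be Prevented, and of the two remaining tests only t1 was stopped.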
Automated Threat Intelligence Analysis
- Detect now generates Threats, Tests, Custom Detections, and Threat Hunt Queries from Threat Intelligence. Customers can upload Threat Intelligence to Detect's Automated Threat Intelligence Analysis tool. Detect will analyze the threat intelligence, identifying the attack techniques it references, and will then generate context-specific tests complete with custom detections and threat hunt queries. These tests, detections, and queries can be reviewed, edited, or regenerated with user-modified context. Once satisfied with the content, a user can import it into Detect, schedule tests, import detections into their EDR, and hunt for threats.
- When generating Threats and Tests from user-provided Threat Intelligence, users can opt to use Prelude-authored tests where applicable rather than AI-generated bespoke tests. Prelude-authored tests are rigorously tested by Prelude to ensure test accuracy and safety, but they are less specific to your threat intelligence. Users should always review generated Threats and Tests to ensure that the content will produce the desired results.
- When generating tests for user-provided threat intelligence, Detect may opt to exclude attack techniques from the generated tests. Users are provided with a list of the T-codes that were excluded.
- Generated Tests come with an AI generated readme that describes the test's objective and technique.
- AI generated tests include explanatory comments that describe the objectives of the test. The code is also organized so that users can easily identify the main test function.
- Automated Threat Intelligence Analysis will produce up to 100 attack technique tests from a single threat intelligence document. Attack techniques beyond 100 will be listed as excluded in the generation results page.
- Users can regenerate AI Generated tests from the test detail view. Context used in the previous generation is preserved and presented to the user when regenerating tests. Users can modify the context prior to submitting for regeneration. Regenerated source code for Tests, Custom Detections, and Threat Hunt Queries can be reviewed and edited before being saved or discarded.
Detect Management
- Detect's CLI now supports undeleting tests that have not been purged.
- Rescheduling a test for Run-Once will prompt the test to be run again immediately. Users no longer need to wait 24 hours for run-once to run tests again.
- The Probe now logs its version when it starts.
- Company Name is now a required field when editing account settings.
- We've improved our user expiration behavior:
  - Expiration is optional for native and SSO accounts
  - The default is no expiration
  - Users get an email warning them of pending expiration 30 days before expiration
  - User accounts that expire can be restored
- Detect now supports deleting customer authored and AI generated Threats from the UI. Deleted Threats are unscheduled and removed from the threats list. Results for the Threat are retained for 30 days, then purged.
- Prelude has increased the number of Tests and Threats that can be scheduled from 250 to 500.
- Prelude's Probe on Windows used to write log entries as individual events, making tracing a test's full log time consuming and painful. The Probe now provides a single log entry per test run. Hurray!
- We resolved an issue in which some tests scheduled to Run Once would run a second time after 24 hours.
- We resolved an issue that would prevent users from adding Tags to hosts with Inactive Probes.
Insights Dashboard
- Tables in Detect have been significantly expanded and improved. Additional columns have been added and users can now select the columns that they want to see in each table. Dashboard tables for Threats, Tests, and Endpoints have been updated, as have tables in their respective detail views.
- Users can now view and edit the source code for custom and AI Generated Tests, Detections, and Threat Hunt Queries directly in the Test Detail view. The test editor provides compilation result messages and allows the user to save an updated Test, Detection, or Threat Hunt Query.
- The Events list for endpoints and tests has been replaced with a new Results table. The Results table is customizable, adds additional fields, and supports export to .csv. Users can search through results to quickly find a particular test's results on an endpoint. The limit of results shown in this table has been increased from 100 events to 500 results.
- Detect now excludes Not relevant test results when calculating protection percentages.
- Detect now shows supported platforms for Tests in the Test Detail view and in all Test Tables.
- Detect now includes the author in Test and Threat detail views and tables.
- Test, Threat, and Endpoint detail views are now resizable.
- Prelude now supports both dark and light modes for our UI.
- Prelude now supports deleting tests from the test detail view.
- We've resolved an issue in which long host tag names could be improperly displayed.
Integrations
- Prelude now provides custom detections for some tests. Detections are published as Sigma rules and can be imported into CrowdStrike as a Custom IOA through the Detect UI. IOAs can be sent to CrowdStrike directly from the Test Detail view, All Tests Dashboard, and Threat Detail table.
- Detect now provides Threat Hunt Queries for some tests. Threat Hunt Queries deep link to the EDR's SIEM query interface, allowing users to hunt across their infrastructure for malicious activity identified in Threat Intelligence.
- Detect's API now supports uploading JSON when uploading detections.