Quick start

Managing your endpoints and tests

The Prelude CLI is the primary driver for managing Detect. Commands shown in this guide use the CLI.

A typical workflow for Detect administrators is to:

  • Register endpoints
  • Enable security tests to run against the endpoints
  • Monitor activity

Register endpoints

Endpoints are simply hosts running a Prelude probe. A Prelude account is required to create endpoints. Visit the CLI documentation to learn how to create an account if you don't already have one.

To register a new endpoint, start by generating a token via the CLI. Endpoint identifiers should be unique within your organization and using an IP, hostname, mac address, or other host identifier is recommended. Tags are optional (comma-separated) groups you can assign per endpoint. The following command registers a new endpoint:

Hostname and serial number are required to ensure your probe is unique to you environment

prelude detect create-endpoint -h <HOSTNAME> -s <SERIAL_NUM>

A token will print to console, which you can use to deploy a probe anywhere in your environment.

Enable tests

Once you have a few probes deployed, you can send security tests their way by enabling them. Start by reviewing the available tests for your account:

prelude detect tests

Select a test by identifier and enable it through this command:

prelude detect enable-test <ID> --run_code DAILY --tags server,laptop

The arguments are optional.

The default run_code is DAILY. Run codes represent the interval you want to run the test at, with options of:


Additionally, you can enable a test to only run against a set of endpoint tags. By default, all tags are enabled.

Verify your test is enabled by checking your queue:

prelude detect queue

At any point, you can disable tests from your queue by running prelude detect disable-test <ID>.

Monitor activity

As endpoints check in to the Prelude Service, they will receive instructions to run the tests you've enabled. You can keep track of this through this command:

prelude detect activity --days 30

Days is an optional argument that will display activity for n-number of days.

The activity command support multiple "views" to analyze your results, which you can engage through the -v parameter:

  • logs (default): show a time-based log stream
  • insights: interesting findings from your results, ordered by most impactful
  • days: aggregate statistics per day
  • probes: a list of your active endpoint probes
  • rules: aggregate statistics per Verified Security Rule

You can additionally pass filters into your command to cut your data by:

  • tests
  • endpoints
  • tags
  • dos

Each accepts a comma-separated list of values.

To view my per day activity for endpoints with a "server" or "laptop" tag, I would enter:

prelude detect activity -v days --tags server,laptop

Executive dashboard

At this time, you can head to the executive dashboard to view results in a more visual manner. Import your ~/.prelude/keychain.ini file to authenticate as the same user.