Each test is coded against a specific security policy unit.
Health tests monitor various configurations and settings on an endpoint to ensure they are in good standing.
A basic health check is scheduled by default for new Prelude accounts. This test ensures the "pipes are clean" for running future security tests. There are a variety of other health checks that can be enabled which focus on the health and safety of the endpoint.
If an endpoint is failing a health test, it should be investigated and resolved. Health tests are expected to report 100% protected and a failure means the host is not in good standing.
Response tests evoke feedback from each one of your endpoints: is it protected or unprotected from a known threat? Each test runs a series of behaviors associated to a real-world threat and records whether the endpoint prevented it or not. When a threat becomes high-impact enough to show up on a government advisory, the corresponding tests are promoted inside Detect.
Response tests exit with a granular code describing what happened during execution. This code determines at which point the test was stopped by a defensive control or configuration.
There are three primary control types that may block a test:
- Antivirus protection: static analysis identifies the test as malicious before execution.
- Next-Generation antivirus protection: the test is stopped during execution because of behaviors it displays.
- Network protection: an attempted download from the test is stopped by a firewall or IDS.
If a response test fails in your environment, ensure you have an EDR running with appropriate policies. If you have a partner EDR attached to your account all failed tests will be reported so it can self-resolve. Running Detect tests continuously (daily) will highlight when a fix is pushed to the EDR.
Update tests monitor the software and hardware in place on each endpoint to ensure it is of the latest version.
File tests monitor the hard drives to ensure nothing sensitive is written to disk.
Updated 6 months ago