Units

Security tests are separated into units

Each test is coded against a specific security policy unit.

Response

About

Response tests elicit feedback from each of your endpoints: is it protected or unprotected against a known threat? Each test runs a series of behaviors associated with a real-world threat and records whether the endpoint prevented them. When a threat becomes high-impact enough to appear in a government advisory, the corresponding tests are promoted inside Detect.

Approach

Response tests exit with a granular code describing what happened during execution. This code determines at which point the test was stopped by a defensive control or configuration.

There are three primary control types that may block a test:

  1. Antivirus protection: static analysis identifies the test as malicious before it executes.
  2. Next-generation antivirus protection: the test is stopped during execution because of the behaviors it exhibits.
  3. Network protection: a download attempted by the test is blocked by a firewall or IDS.

Resolution

If a response test fails in your environment, ensure an EDR is running with appropriate policies. If a partner EDR is attached to your account, every failed test is reported to it so that it can self-resolve. Running Detect tests continuously (daily) will show when a fix is pushed to the EDR.
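The following is an added example, not Detect's own code, of the two ideas in the Approach and Resolution sections: a harness that runs a test, reads its exit code and reports which of the three control types stopped it, and a daily-history check that tells you on which day a previously failing test started passing (i.e. when the EDR fix reached the endpoint). The exit-code values (100 through 103) are placeholders chosen for illustration and are not Detect's real codes; the history is constructed sample data.

```python
"""Added example (not Prelude Detect's code): classify a response test's
exit code by the control that stopped it, and spot when a fix landed."""
import subprocess
import sys
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Sequence


class Outcome(Enum):
    # The three control types from the text, plus the two end states.
    BLOCKED_STATIC = "antivirus: flagged by static analysis before execution"
    BLOCKED_BEHAVIORAL = "next-gen antivirus: stopped during execution"
    BLOCKED_NETWORK = "network protection: download blocked by firewall/IDS"
    UNPROTECTED = "test ran to completion: endpoint is unprotected"
    ERROR = "test did not run cleanly"


# ASSUMPTION: placeholder exit codes for illustration only. A real harness
# would use the vendor's documented values.
EXIT_CODE_OUTCOME = {
    100: Outcome.UNPROTECTED,         # every behaviour succeeded
    101: Outcome.BLOCKED_STATIC,      # test reports it was denied before running
    102: Outcome.BLOCKED_BEHAVIORAL,  # test killed part-way through its behaviours
    103: Outcome.BLOCKED_NETWORK,     # test's download attempt was blocked
}


def classify(exit_code: int) -> Outcome:
    """Map a granular exit code to the control (if any) that stopped the test."""
    return EXIT_CODE_OUTCOME.get(exit_code, Outcome.ERROR)


def is_protected(outcome: Outcome) -> bool:
    """A test passes only if some defensive control stopped it."""
    return outcome in (Outcome.BLOCKED_STATIC,
                       Outcome.BLOCKED_BEHAVIORAL,
                       Outcome.BLOCKED_NETWORK)


def run_test(argv: Sequence[str], timeout: float = 60.0) -> Outcome:
    """Execute a test binary and classify its exit code.
    A PermissionError at launch is treated as a static block (the binary was
    denied execution); a missing file or a hang is an ERROR, never a pass,
    so a broken deployment cannot masquerade as a protected endpoint."""
    try:
        proc = subprocess.run(list(argv), timeout=timeout, capture_output=True)
    except PermissionError:
        return Outcome.BLOCKED_STATIC
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return Outcome.ERROR
    return classify(proc.returncode)


def run_fake_test(exit_code: int) -> Outcome:
    """Stand-in for a real test binary: a Python one-liner that simply exits
    with the given placeholder code. Lets the harness be exercised offline."""
    return run_test([sys.executable, "-c", f"raise SystemExit({exit_code})"])


@dataclass(frozen=True)
class DailyResult:
    day: str          # ISO date
    outcome: Outcome


def fix_landed_on(history: Sequence[DailyResult]) -> Optional[str]:
    """Return the first day a previously failing test started passing, i.e.
    when the EDR fix reached the endpoint. ERROR days are ignored; None if
    the test never flipped from failing to passing."""
    was_failing = False
    for result in history:
        if is_protected(result.outcome):
            if was_failing:
                return result.day
        elif result.outcome is Outcome.UNPROTECTED:
            was_failing = True
    return None


# Constructed sample history: two failing days, one broken run, then the
# EDR starts stopping the test mid-execution.
SAMPLE_HISTORY = [
    DailyResult("2024-03-01", Outcome.UNPROTECTED),
    DailyResult("2024-03-02", Outcome.UNPROTECTED),
    DailyResult("2024-03-03", Outcome.ERROR),
    DailyResult("2024-03-04", Outcome.BLOCKED_BEHAVIORAL),
    DailyResult("2024-03-05", Outcome.BLOCKED_BEHAVIORAL),
]


if __name__ == "__main__":
    outcome = run_fake_test(102)
    status = "PROTECTED" if is_protected(outcome) else "FAILED"
    print(f"{outcome.value} -> {status}")
    print("fix landed on:", fix_landed_on(SAMPLE_HISTORY))
```

The point of `fix_landed_on` is the Resolution section's advice to run tests daily: a single run only tells you the current state, whereas a history lets you confirm that a partner EDR's fix actually reached this endpoint and on which day.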