Units
Security tests are separated into units. Each test is coded against a specific security policy unit.
Response
About
Response tests elicit feedback from each of your endpoints: is it protected or unprotected against a known threat? Each test runs a series of behaviors associated with a real-world threat and records whether the endpoint prevented them. When a threat becomes high-impact enough to appear in a government advisory, the corresponding tests are promoted inside Detect.
Approach
Response tests exit with a granular code describing what happened during execution. That code identifies the point at which a defensive control or configuration stopped the test, or records that nothing did.
There are three primary control types that may block a test:
- Antivirus protection: static analysis identifies the test as malicious before it executes.
- Next-generation antivirus protection: the test is stopped during execution because of the behaviors it displays.
- Network protection: a download attempted by the test is stopped by a firewall or IDS.
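The following is an added example, not Detect's own test or probe code, showing one way to structure a response test so that its exit code pins down where it was stopped. The exit-code values, the `Outcome` names and the stage functions are assumptions for illustration only; Detect's real codes are not documented on this page. The test body runs its stages in order and reports a network block itself; the harness side classifies what the test could not report, namely a binary that never launched (static block) or a process killed mid-run (behavioral block).

```python
"""Added example: a stage-structured response test plus harness-side
classification of how the test process ended.  All exit-code values and
names below are hypothetical, chosen for this example, not Detect's own."""
from __future__ import annotations

import enum
import socket
import subprocess
import sys
import urllib.request
from typing import Callable, Optional


class Outcome(enum.IntEnum):
    """Hypothetical granular exit codes; each names the control that stopped the test."""
    UNPROTECTED = 101        # every stage ran to completion, nothing intervened
    BLOCKED_STATIC = 102     # binary quarantined or denied before it ever started
    BLOCKED_BEHAVIOR = 103   # process killed mid-run (NGAV/EDR behavioral block)
    BLOCKED_NETWORK = 104    # download attempt refused by firewall/IDS
    TEST_ERROR = 1           # the test itself broke; not a protection verdict


class NetworkBlocked(Exception):
    """Raised by a stage when its download attempt was refused or timed out."""


def fetch_stage(url: str, timeout: float = 3.0) -> None:
    """Stage that tries to pull a payload; any network failure becomes
    NetworkBlocked so the runner attributes the stop to network controls."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            resp.read(64)
    except (OSError, socket.timeout) as exc:   # URLError is an OSError subclass
        raise NetworkBlocked(str(exc)) from exc


def run_stages(stages: list[Callable[[], None]]) -> Outcome:
    """Test side: run stages in order and return the outcome code.

    A behavioral block normally arrives as an external kill, which this
    function never sees; the harness classifies that from the process signal.
    """
    for stage in stages:
        try:
            stage()
        except NetworkBlocked:
            return Outcome.BLOCKED_NETWORK
        except Exception:
            return Outcome.TEST_ERROR
    return Outcome.UNPROTECTED


def classify_process(returncode: Optional[int],
                     launch_error: Optional[BaseException]) -> Outcome:
    """Harness side: map how the test process ended to an outcome.

    - could not be launched (missing or denied): static AV removed or blocked it
    - ended by a signal (negative returncode on POSIX): killed mid-execution
    - otherwise: trust the test's own granular exit code
    """
    if launch_error is not None:
        if isinstance(launch_error, (FileNotFoundError, PermissionError)):
            return Outcome.BLOCKED_STATIC
        return Outcome.TEST_ERROR
    if returncode is None:
        return Outcome.TEST_ERROR
    if returncode < 0:
        return Outcome.BLOCKED_BEHAVIOR
    try:
        return Outcome(returncode)
    except ValueError:
        return Outcome.TEST_ERROR


def launch(argv: list[str], timeout: float = 30.0) -> Outcome:
    """Run a test binary and classify its fate."""
    try:
        proc = subprocess.run(argv, timeout=timeout, capture_output=True)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return classify_process(None, exc)
    return classify_process(proc.returncode, None)


if __name__ == "__main__":
    # Demo test body: a harmless placeholder "behavior" stage, then a download
    # stage.  The URL is a constructed placeholder (port 9, nothing listening),
    # so on any host this exits with the hypothetical network-block code.
    stages = [lambda: None, lambda: fetch_stage("http://127.0.0.1:9/payload")]
    sys.exit(run_stages(stages))
```

The split matters: a static block and a behavioral kill cannot be reported by the test itself, because in the first case it never ran and in the second it was terminated before it could exit, so those two verdicts have to come from whatever launched the test. Only the network case is visible from inside, which is why the stage raises a dedicated exception rather than letting a generic error collapse into `TEST_ERROR`.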
Resolution
If a response test fails in your environment, make sure an EDR is running with appropriate policies. If a partner EDR is attached to your account, all failed tests are reported to that partner so the failure can self-resolve. Running Detect tests continuously (daily) will show when a fix has been pushed to the EDR.