2.1

Prelude is excited to announce Detect 2.1. This update delivers a new offering, Control Monitor. It also revises the authentication model.

Control Monitor

Control Monitor is Prelude’s new security monitoring platform. It provides continuous visibility into the coverage and efficacy of an organization's security controls, so users can quickly see how effective those controls are and identify the configuration changes needed to get the most out of them.


Users provide Control Monitor with read-only credentials for their EDR, Asset Inventory, Identity, and Inbox Protection tools. Control Monitor ingests configuration information from these tools and reports on:

  • Coverage of Endpoint, User, and Inbox Protection
  • Protection Tools Health
  • Policy Correctness

Coverage of Endpoint, User, and Inbox Protection - Control Monitor identifies endpoints that are missing EDR protection or are not under endpoint management, and users that do not have inbox protection or MFA configured.


Protection Tools Health - Control Monitor finds devices whose protection tooling is not functioning properly, for example agents in Reduced Functionality Mode, in Passive Mode, or reporting an inoperative Operational State.


Policy Correctness - Control Monitor evaluates your policies against the guidelines published by the respective protection tool vendors and highlights discrepancies. It also surfaces a list of configuration recommendations that Prelude Security Researchers have identified as especially critical to keeping your users and infrastructure safe.


When a user configures a new integration, Control Monitor immediately collects and analyzes data from all integrations. Thereafter, data is collected nightly from all integrations. Users can trigger collection at any time by clicking Sync all integrations on the Integrations page.


Control Monitor supports integration with CrowdStrike, Microsoft Defender, and SentinelOne,


Control Monitor supports multiple instances of an integrated control. For instance, your EDR may have a production environment and a pre-production environment; you can connect both to Control Monitor and see a single view of all your policies, endpoints, users, and inboxes.


CISA advisories included in Detect are available for Threat Analysis in Control Monitor. Users can select a CISA advisory from the Threat dropdown to see the attack techniques in the advisory, the policy configurations that could be changed to strengthen defenses against those techniques, and the endpoints, users, and inboxes that would benefit.


Control Monitor can also analyze threat intelligence to identify attack techniques and then highlight the policy configurations that should be changed to optimize protection against those techniques.


Control Monitor provides email and Slack notifications and supports exceptions. An Executive Summary highlights the top areas of concern across endpoints, users, and inboxes, and users can explore their data with robust filtering.

Detect Updates

Authentication

Prelude has updated the authentication system for Detect and Control Monitor. Prelude now supports authentication via username and password, social login with Google, and custom OIDC providers configured in Okta, Microsoft, or Google. This aligns the Detect and Control Monitor logon experience with industry-standard security tools.


Detect and Control Monitor users can now reset their passwords by clicking Forgot your password? on the login page. The user provides an email address; if it matches a known account, a reset email containing a temporary password is sent, and the user is required to change that password on logging in.


When a user completes a password reset, all current tokens are expired, so every existing session must log in again with the new credentials.
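The reset flow described above, as an added illustration of the two behaviours it names: a temporary password that can only be exchanged for a new one, never for a session, and a completed reset that revokes every token issued before it. This is example code written for this page, not Prelude's implementation; the AuthService class, its token format (an HMAC-signed payload carrying a per-account credential version) and the sample account are assumptions. The real password stays valid until the reset completes, so an unauthenticated reset request alone cannot lock a user out or terminate their sessions.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass

# Hypothetical signing key; a real service would load it from a secret store.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 3600          # seconds a session token lives unless revoked earlier
TEMP_PASSWORD_TTL = 900   # seconds an emailed temporary password stays usable


def _kdf(password: str, salt: bytes) -> bytes:
    # PBKDF2 is in the standard library; prefer a memory-hard KDF in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _matches(password: str, salt: bytes, expected: bytes) -> bool:
    return hmac.compare_digest(_kdf(password, salt), expected)


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    cred_version: int = 1            # bumped on every password change; tokens carry it
    temp_salt: bytes | None = None   # set only while a reset is pending
    temp_hash: bytes | None = None
    temp_expires: float = 0.0


class AuthService:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.outbox: list[tuple[str, str]] = []   # (recipient, temp password): stands in for email

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email] = Account(email, salt, _kdf(password, salt))

    def _issue_token(self, acct: Account) -> str:
        payload = {"sub": acct.email, "ver": acct.cred_version, "exp": int(time.time()) + TOKEN_TTL}
        body = base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=")
        sig = base64.urlsafe_b64encode(hmac.new(SERVER_KEY, body, hashlib.sha256).digest()).rstrip(b"=")
        return (body + b"." + sig).decode()

    def login(self, email: str, password: str) -> tuple[str, str | None]:
        """Returns ("ok", token), ("change_required", None) or ("denied", None)."""
        acct = self.accounts.get(email)
        if acct is None:
            return ("denied", None)
        if (acct.temp_hash is not None and time.time() < acct.temp_expires
                and _matches(password, acct.temp_salt, acct.temp_hash)):
            return ("change_required", None)   # temporary password: no session until it is replaced
        if _matches(password, acct.salt, acct.pw_hash):
            return ("ok", self._issue_token(acct))
        return ("denied", None)

    def request_reset(self, email: str) -> None:
        # Silent for unknown addresses, so the endpoint cannot be used to enumerate accounts.
        acct = self.accounts.get(email)
        if acct is None:
            return
        temp = secrets.token_urlsafe(12)
        acct.temp_salt = secrets.token_bytes(16)
        acct.temp_hash = _kdf(temp, acct.temp_salt)
        acct.temp_expires = time.time() + TEMP_PASSWORD_TTL
        self.outbox.append((email, temp))

    def complete_reset(self, email: str, temp_password: str, new_password: str) -> bool:
        acct = self.accounts.get(email)
        if (acct is None or acct.temp_hash is None or time.time() >= acct.temp_expires
                or not _matches(temp_password, acct.temp_salt, acct.temp_hash)):
            return False
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = _kdf(new_password, acct.salt)
        acct.temp_salt = acct.temp_hash = None
        acct.cred_version += 1       # every token issued before this line is now rejected
        return True

    def verify(self, token: str) -> str | None:
        """Return the account email if the token is intact, unexpired and current, else None."""
        try:
            body, sig = token.encode().split(b".")
        except ValueError:
            return None
        expected = base64.urlsafe_b64encode(hmac.new(SERVER_KEY, body, hashlib.sha256).digest()).rstrip(b"=")
        if not hmac.compare_digest(expected, sig):
            return None
        payload = json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
        acct = self.accounts.get(payload.get("sub"))
        if acct is None or payload["exp"] < time.time() or payload["ver"] != acct.cred_version:
            return None
        return acct.email


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice@example.com", "old-password")   # constructed sample account
    _, tok = svc.login("alice@example.com", "old-password")
    svc.request_reset("alice@example.com")
    temp = svc.outbox[-1][1]                             # what the reset email would carry
    print(svc.login("alice@example.com", temp))          # ('change_required', None)
    svc.complete_reset("alice@example.com", temp, "new-password")
    print("old token after reset:", svc.verify(tok))     # None
```

Carrying the credential version inside the token means revocation needs no server-side session table: any token minted before the reset carries a stale version and fails verification on its next use.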


CLI users can now authenticate via OIDC. After a successful redirect to and authentication with their OIDC provider, an authentication token and a refresh token are created and used for subsequent CLI interactions. The refresh token is valid for 90 days.


Detect and Control Monitor continue to support authentication via custom OIDC providers such as Okta, Microsoft, or Google. In addition, administrators can now configure their environment to allow authentication via Google's public OIDC provider (also known as social login). After a user is invited to an org as a “Google” user, the user can click Authenticate with Google, avoiding the need to remember the organizational slug of a custom OIDC provider.


As part of this update, all users who authenticated with a token will have received an email prompting them to reset their password. Existing custom OIDC users will experience no change. Existing Microsoft Entra users are encouraged to update their custom OIDC application to send the UPN claim instead of the default “email” claim: in Entra the email claim is optional and may be unverified, whereas the UPN is unique within the tenant, so it is the more reliable identifier for matching a login to an account.

Bug Fixes and Improvements

  • Users who have enabled an integration with CrowdStrike and are entitled to CS Threat Intelligence will now see a list of CS Threat Intel available for AI analysis in Prelude's platform. Simply press Generate Tests and Detections to submit an intelligence report for analysis. As with all Threat Intel uploads, Prelude will identify attack techniques, craft tests to evaluate defenses against those threats, and create detections ready for use in identifying attacks in your environment.
  • Support uploading IOA detections and Threat Hunt Queries to Microsoft Defender
  • Collect Observed, Detected, and Prevented stats from Microsoft Defender
  • Users can see a history of data collection activity by going to the Integrations page in Account settings and clicking on Event log
  • Users can clone Prelude-authored tests and edit the resulting new VST
  • Allow users to flag tests currently in threats for deletion
  • Users can specify the expected outcome (observed, detected, or prevented) for Prelude-authored tests in their environment
  • In Test detail view for user-authored Tests, users can now edit the Test name, Technique ID, and Expected Outcome
  • In Threat detail view for user-authored Threats, users can now edit the Source ID, Threat Name, included Tests, and the order of execution for those tests
  • Resolved: issue in Detect that could prevent copied tests with attachments from compiling
  • Resolved: issue that prevented tests that use a file dropper from compiling