Prelude Detect verified security tests (VSTs) are designed to trigger a response from installed detection and response tools. Alert Suppression allows administrators to automatically comment on and close any Prelude-related detections. There are a number of ways to accomplish this depending on the tools in use; below is a generic list of file paths, command-line patterns and usernames that identify a Prelude VST so it can be excluded.
Windows

- File Path: \*Program Files\Prelude Security\Prelude Probe\*
- CommandLine: \*Program Files\Prelude Security\Prelude Probe\*
- Grandparent Process CommandLine: \*Program Files\Prelude Security\Prelude Probe\*
- CommandLine: *PRELUDE_CA*
- Parent Process CommandLine: *PRELUDE_CA*
- Grandparent Process CommandLine: *PRELUDE_CA*

Linux

- Parent Process username: preludesecurity
- Grandparent Process username: preludesecurity
- Grandparent Process file path: */preludesecurity/*
- Parent Process file path: */preludesecurity/*

Mac

- Username: _preludesecurity
- Grandparent Process File Path: */preludesecurity/*
- Parent Process File Path: */preludesecurity/*
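The following is an added example, not Prelude's code or any EDR vendor's API, of how a suppression hook can apply the patterns above to a process event. It encodes each line of the lists as one rule (the field it inspects, whether it applies to the process, its parent or its grandparent, and whether the comparison is a glob or an exact username), matches Windows paths and command lines case-insensitively, records which rule fired so the auto-close comment tells the analyst why, and escalates anything that matches none of the rules. The event layout (platform plus process/parent/grandparent dictionaries with path, cmdline and username keys) and the sample events are constructed assumptions for illustration.

```python
"""Auto-close Prelude VST detections using the page's path/cmdline/username rules.

Added example; the event schema and sample events are constructed, not a real
EDR or Prelude API. Patterns are taken verbatim from the suppression list.
"""
from fnmatch import fnmatchcase

PRELUDE_PROBE_WIN = "*Program Files\\Prelude Security\\Prelude Probe\\*"
PRELUDE_CA = "*PRELUDE_CA*"
PRELUDE_DIR_UNIX = "*/preludesecurity/*"

# Lineage level 0 = the process itself, 1 = its parent, 2 = its grandparent.
LINEAGE = ("process", "parent", "grandparent")

# One tuple per line of the page: (platform, level, field, pattern, exact).
# exact=True compares the whole username; exact=False is a glob match.
RULES = [
    ("windows", 0, "path", PRELUDE_PROBE_WIN, False),
    ("windows", 0, "cmdline", PRELUDE_PROBE_WIN, False),
    ("windows", 2, "cmdline", PRELUDE_PROBE_WIN, False),
    ("windows", 0, "cmdline", PRELUDE_CA, False),
    ("windows", 1, "cmdline", PRELUDE_CA, False),
    ("windows", 2, "cmdline", PRELUDE_CA, False),
    ("linux", 1, "username", "preludesecurity", True),
    ("linux", 2, "username", "preludesecurity", True),
    ("linux", 2, "path", PRELUDE_DIR_UNIX, False),
    ("linux", 1, "path", PRELUDE_DIR_UNIX, False),
    ("mac", 0, "username", "_preludesecurity", True),
    ("mac", 2, "path", PRELUDE_DIR_UNIX, False),
    ("mac", 1, "path", PRELUDE_DIR_UNIX, False),
]


def _matches(value, pattern, exact, ignore_case):
    """Compare one event field against one rule; missing fields never match."""
    if value is None:
        return False
    if ignore_case:
        value, pattern = value.lower(), pattern.lower()
    return value == pattern if exact else fnmatchcase(value, pattern)


def suppression_reason(event):
    """Return which rule identifies the event as a Prelude VST, or None."""
    platform = event.get("platform", "").lower()
    # NTFS paths and Windows command lines are case-insensitive; Unix ones are not.
    ignore_case = platform == "windows"
    for rule_platform, level, field, pattern, exact in RULES:
        if rule_platform != platform:
            continue
        node = event.get(LINEAGE[level]) or {}   # absent lineage is tolerated
        if _matches(node.get(field), pattern, exact, ignore_case):
            return f"{LINEAGE[level]} {field} matches {pattern!r}"
    return None


def is_prelude_vst(event):
    return suppression_reason(event) is not None


def decide(event):
    """Action a suppression hook would take; the reason becomes the close comment."""
    reason = suppression_reason(event)
    return "auto-close: " + reason if reason else "escalate"


def triage(events):
    return {e["id"]: decide(e) for e in events}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "evt-1", "platform": "windows",   # VST child; marker in parent cmdline
     "process": {"path": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"},
     "parent": {"path": "C:\\Temp\\vst.exe", "cmdline": "vst.exe prelude_ca"},
     "grandparent": {"path": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"}},
    {"id": "evt-2", "platform": "windows",   # lookalike name outside Program Files
     "process": {"path": "C:\\Users\\alice\\Downloads\\Prelude Probe Setup.exe",
                 "cmdline": "\"Prelude Probe Setup.exe\""},
     "parent": {"path": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"}},
    {"id": "evt-3", "platform": "linux",     # spawned by the preludesecurity user
     "process": {"path": "/usr/bin/bash", "username": "preludesecurity"},
     "parent": {"path": "/opt/preludesecurity/vst", "username": "preludesecurity"},
     "grandparent": {"path": "/usr/lib/systemd/systemd", "username": "root"}},
    {"id": "evt-4", "platform": "linux",     # only the process's own path mentions it
     "process": {"path": "/home/dev/preludesecurity/build.sh", "username": "dev"},
     "parent": {"path": "/usr/bin/bash", "username": "dev"},
     "grandparent": {"path": "/usr/sbin/sshd", "username": "root"}},
    {"id": "evt-5", "platform": "mac",       # macOS service account
     "process": {"path": "/bin/zsh", "username": "_preludesecurity"},
     "parent": {"path": "/usr/libexec/xpcproxy", "username": "_preludesecurity"}},
]

if __name__ == "__main__":
    for event_id, action in triage(SAMPLE_EVENTS).items():
        print(event_id, action)
```

The rules are applied exactly as listed, so evt-4 is escalated: the Linux and Mac entries name the parent and grandparent path, not the process's own path, and widening the match to the process itself would be a deliberate decision, not something the list implies. Keeping the matched rule in the close comment is what lets a reviewer audit the suppression later.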