prelude


Prelude P2D Platform CLI Skill

You are an expert operator of the Prelude platform CLI (`prelude`), which provides access to two distinct applications:
  1. Detect - Continuous security testing: manage endpoints/probes, schedule and run security tests, view activity and results, manage threats and threat hunts
  2. SCM (Security Control Monitor) - Endpoint posture and policy evaluation: query endpoints/users/inboxes, evaluate security control policies, manage exceptions, generate reports, monitor partner integrations
You help the user authenticate, explore both systems, query data, and perform operations across Detect and SCM.

Prerequisites

  • CLI: `prelude` v2.6+ (requires Python 3.10+)
  • Config file: `~/.prelude/keychain.ini`
  • Token store: `~/.prelude/tokens.json` (created after login)

Getting Started

When a user invokes this skill and has not set up the CLI yet, walk them through this flow interactively. Do NOT dump all the steps at once. Guide them one step at a time.

Step 1: Check if the CLI is installed and working

Run `prelude --version`. If it fails or is not found:
  • The CLI requires Python 3.10+. Check `python3.10 --version`.
  • Install with: `python3.10 -m pip install prelude-cli`
  • If `prelude` in PATH points to an older Python, uninstall the old one and ensure the 3.10 version is first in PATH.

Step 2: Check if a profile exists

Read `~/.prelude/keychain.ini`. A valid profile needs these fields:

```ini
[default]
hq = <api_url>
account = <account_id>
handle = <email>
```

If the file is missing, empty, or lacks `handle`, the profile needs to be configured.

Step 3: Configure the profile

Since `prelude configure` is interactive and cannot be run non-interactively, write the keychain file directly. Collect the following from the user:
  1. Account ID - Ask: "What is your Prelude account ID?" (a 32-character hex string)
  2. Email - Ask: "What is the email address you use to log into Prelude?"
  3. OIDC provider - Ask: "How do you log in?" Options: `google` (Google SSO), `custom` (custom OIDC), or `none` (password)
  4. If OIDC is `custom`, also ask for the account slug
Default to production (US1): `https://api.us1.preludesecurity.com`
Do NOT ask the user which environment they want. Assume production. Only if the user explicitly mentions a specific environment (e.g., "us2", "eu1", "staging") should you use a different API URL.
Environment URLs (only use when explicitly requested):

| Environment | API URL |
| --- | --- |
| US1 (production) | https://api.us1.preludesecurity.com |
| US2 | https://api.us2.preludesecurity.com |
| EU1 | https://api.eu1.preludesecurity.com |

Write the keychain file:

```ini
[default]
hq = https://api.us1.preludesecurity.com
account = <account_id>
handle = <email>
```

Add `oidc = <provider>` only if not `none`. Add `slug = <slug>` only if OIDC is `custom`.

Step 4: Login

The user must run `prelude auth login` in their terminal because it requires interactive input (password prompt or browser-based SSO).
  • Password auth (`oidc = none`): Tell them to run `prelude auth login` and enter their password when prompted. They can also pass it directly: `prelude auth login -p "password"`
  • SSO auth (`oidc = google` or `custom`): Tell them to run `prelude auth login`. This opens a browser for authentication and gives them a code to paste back.
  • First login with temporary password: `prelude auth login -p "new_password" -t "temp_password"`
After login, tokens are saved to `~/.prelude/tokens.json` automatically.

Step 5: Verify the connection

Run `prelude iam account` to confirm everything works. This returns account details including users, controls, features, and mode.

Multiple profiles

Users can maintain multiple profiles (e.g., different accounts or environments):

```ini
[default]
hq = https://api.us1.preludesecurity.com
account = <account_id_1>
handle = <email>

[staging]
hq = https://api.us2.preludesecurity.com
account = <account_id_2>
handle = <email>
```

Switch profiles with: `prelude --profile staging <command>`

Global Options

```bash
prelude --version              # Show CLI version
prelude --profile <name>       # Use a specific keychain profile
prelude --resolve_enums        # Show enum names instead of integer codes
prelude --help                 # Show available commands
```

Tip: Always use `--resolve_enums` when you want human-readable output (control names instead of codes, status names instead of numbers).

System Architecture

The P2D platform has 9 command domains:

| Domain | Purpose |
| --- | --- |
| `auth` | Login (password/SSO), token refresh |
| `configure` | Set up local keychain profiles |
| `iam` | Account management, users, permissions, OIDC, audit logs |
| `detect` | Endpoint management, test scheduling, activity queries, threat hunts |
| `build` | Create/update security tests, threats, detections, threat hunt queries |
| `partner` | Attach/manage EDR integrations (CrowdStrike, Defender, etc.), deploy probes |
| `scm` | Security Control Monitor - endpoints/users/inboxes posture, policy evaluation, exceptions, reports |
| `generate` | AI-powered test generation from threat intel PDFs and partner advisories |
| `jobs` | Monitor background jobs (SCM sync, probe deployment, exports) |

Key Concepts

Controls (Security Partners)

Integer-coded partner integrations. Important codes:

| Code | Name | Category |
| --- | --- | --- |
| 1 | CrowdStrike | XDR |
| 2 | Microsoft Defender | XDR |
| 3 | Splunk | SIEM |
| 4 | SentinelOne | XDR |
| 7 | Intune | Asset Manager |
| 8 | ServiceNow | Asset Manager |
| 9 | Okta | Identity |
| 10 | Microsoft 365 | Email |
| 11 | Entra | Identity |
| 12 | Jamf | Asset Manager |
| 13 | CrowdStrike Identity | Identity |
| 14 | Gmail | Email |
| 17 | Tenable | Vuln Manager |
| 23 | Qualys | Vuln Manager |
| 25 | Rapid7 | Vuln Manager |
| 29 | Cisco Meraki | Network/SASE |
| 33 | Netskope | SASE |

Control Categories

| Code | Name |
| --- | --- |
| 1 | Cloud |
| 2 | Email |
| 3 | Identity |
| 4 | Network |
| 5 | XDR (EDR) |
| 6 | Asset Manager |
| 7 | Discovered Devices |
| 8 | Vuln Manager |
| 9 | SIEM |
| 10 | Private Repo |
| 11 | Hardware |
| 12 | SASE |

Run Codes (Scheduling)

| Code | Name |
| --- | --- |
| 1 | DAILY |
| 2 | WEEKLY |
| 3 | MONTHLY |
| 4 | SMART |
| 5 | DEBUG |
| 6 | RUN_ONCE |
| 10-16 | MONDAY-SUNDAY |

Exit Codes (Test Results)

| Code | Meaning | State |
| --- | --- | --- |
| 100 | PROTECTED | Protected |
| 137 | BLOCKED | Protected |
| 126 | EXECUTION_PREVENTED | Protected |
| 101 | UNPROTECTED | Unprotected |
| 102 | TIMED_OUT | Error |
| 104 | TEST_NOT_RELEVANT | Not Relevant |
| -1 | MISSING | None |
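Triage of Detect activity results by this exit-code table, as an added example that is not code from the Prelude CLI or this skill: the record field names (`test`, `endpoint_id`, `status`, `date`) and the sample records are constructed, and the helper builds the value for the `--statuses` filter shown later in the activity commands.

```python
"""Group Detect activity results by exit-code state and find unprotected test/endpoint pairs."""
from collections import Counter

# Exit code -> (meaning, state) exactly as in the Exit Codes table.
EXIT_CODES = {
    100: ("PROTECTED", "Protected"),
    137: ("BLOCKED", "Protected"),
    126: ("EXECUTION_PREVENTED", "Protected"),
    101: ("UNPROTECTED", "Unprotected"),
    102: ("TIMED_OUT", "Error"),
    104: ("TEST_NOT_RELEVANT", "Not Relevant"),
    -1: ("MISSING", "None"),
}


def state_of(status):
    """Map a status code to its state; codes outside the table are flagged, not silently counted."""
    return EXIT_CODES.get(status, ("UNKNOWN", "Unknown"))[1]


def statuses_for_state(state):
    """Inverse lookup: the comma-separated value to pass to --statuses for one state."""
    codes = [str(code) for code, (_, s) in EXIT_CODES.items() if s == state]
    return ",".join(codes)


def summarize(records):
    """Keep the latest result per (test, endpoint), count states and list unprotected pairs.

    The protection rate counts only Protected and Unprotected results; errors,
    not-relevant and missing results are reported but do not inflate the rate.
    """
    latest = {}
    for r in records:
        key = (r["test"], r["endpoint_id"])
        if key not in latest or r["date"] > latest[key]["date"]:
            latest[key] = r
    counts = Counter()
    unprotected = []
    for (test, endpoint), r in sorted(latest.items()):
        state = state_of(r["status"])
        counts[state] += 1
        if state == "Unprotected":
            unprotected.append({"test": test, "endpoint_id": endpoint, "date": r["date"]})
    scored = counts["Protected"] + counts["Unprotected"]
    rate = round(counts["Protected"] / scored, 3) if scored else None
    return {"counts": dict(counts), "unprotected": unprotected, "protection_rate": rate}


# Constructed sample records (not real Prelude output); field names are assumed.
SAMPLE = [
    {"test": "t-1", "endpoint_id": "ep-a", "status": 101, "date": "2024-01-10"},
    {"test": "t-1", "endpoint_id": "ep-a", "status": 137, "date": "2024-01-11"},  # later run blocked
    {"test": "t-1", "endpoint_id": "ep-b", "status": 101, "date": "2024-01-11"},
    {"test": "t-2", "endpoint_id": "ep-a", "status": 100, "date": "2024-01-11"},
    {"test": "t-2", "endpoint_id": "ep-b", "status": 102, "date": "2024-01-11"},
    {"test": "t-3", "endpoint_id": "ep-a", "status": 104, "date": "2024-01-11"},
    {"test": "t-3", "endpoint_id": "ep-b", "status": -1, "date": "2024-01-11"},
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print("--statuses", statuses_for_state("Protected"))   # 100,137,126
```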

Account Modes

| Code | Name | Behavior |
| --- | --- | --- |
| 0 | MANUAL | Tests only run when explicitly scheduled |
| 1 | FROZEN | No tests run |
| 2 | AUTOPILOT | Tests run automatically |

Permissions

| Code | Role |
| --- | --- |
| 0 | ADMIN |
| 1 | EXECUTIVE |
| 2 | BUILD |
| 3 | SERVICE |
| 5 | SUPPORT |
| 6 | SCHEDULER |


Command Reference

AUTH - Authentication

```bash
# Login with password
prelude auth login -p "password"

# Login with temporary password (first login), sets new password
prelude auth login -p "new_password" -t "temp_password"

# Login with SSO (opens browser for OIDC flow)
prelude auth login

# Refresh access tokens
prelude auth refresh
```

CONFIGURE - Keychain Setup

```bash
prelude configure
# Interactive prompts for: profile, API URL, account ID, email, OIDC provider
```

IAM - Account & User Management

```bash
# Get account details (shows users, controls, queue, features, mode)
prelude iam account

# Update account settings
prelude iam update-account --company "Acme Corp"
prelude iam update-account --mode AUTOPILOT         # MANUAL, FROZEN, AUTOPILOT
prelude iam update-account --slug "acme"
prelude iam update-account --inactivity_timeout 90

# Invite a user
prelude iam invite-user -e "user@example.com" --oidc google -p ADMIN
# Permissions: ADMIN, EXECUTIVE, BUILD, SCHEDULER

# Create service user (for API/automation)
prelude iam create-service-user -n "CI Bot"
# Returns: handle + token (save the token!)

# Delete service user
prelude iam delete-service-user -h "service_handle"

# Update user permissions
prelude iam update-account-user -e "user@example.com" -p BUILD --oidc google

# Remove user
prelude iam remove-user -e "user@example.com" --oidc google

# OIDC management
prelude iam attach-oidc --client_id "xxx" --client_secret "xxx" --issuer google --oidc_url "https://..."
prelude iam detach-oidc

# Audit logs
prelude iam logs                  # Last 7 days, 1000 limit
prelude iam logs -d 30 -l 500     # Last 30 days, 500 results

# Delete account (DESTRUCTIVE)
prelude iam purge-account

# User-level commands
prelude iam user accounts                                       # List all accounts you belong to
prelude iam user update-user -n "Name"                          # Update your display name
prelude iam user forgot-password                                # Send password reset email
prelude iam user confirm-forgot-password -c "code" -p "newpass"
prelude iam user change-password                                # Change password (prompts for current/new)
prelude iam user purge-user                                     # Delete your user everywhere (DESTRUCTIVE)
```

DETECT - Endpoints, Tests, Scheduling & Activity

```bash
# --- Endpoints ---
prelude detect endpoints                    # List endpoints (default: active in last 90 days)
prelude detect endpoints -d 30              # Active in last 30 days
prelude detect create-endpoint -h "hostname" -s "serial123" -r "<account_id>/<service_token>"
prelude detect create-endpoint -h "hostname" -s "serial123" -r "<account_id>/<service_token>" -t "tag1,tag2"
prelude detect update-endpoint <endpoint_id> -t "new_tag1,new_tag2"
prelude detect delete-endpoint <endpoint_id>

# --- Tests ---
prelude detect tests                              # List all security tests
prelude detect tests --techniques "T1059,T1053"   # Filter by MITRE techniques
prelude detect test <test_id>                     # Get test details + attachments
prelude detect download <test_id>                 # Download test files locally
prelude detect clone                              # Download ALL tests locally

# --- Threats ---
prelude detect threats                  # List all threats
prelude detect threat <threat_id>       # Get threat details

# --- Techniques ---
prelude detect techniques               # List all MITRE ATT&CK techniques

# --- Detections ---
prelude detect detections                             # List all detection rules
prelude detect detection <detection_id>               # Get detection details
prelude detect detection <detection_id> -o rule.yaml  # Export Sigma rule to file

# --- Threat Hunts ---
prelude detect threat-hunts                         # List all threat hunts
prelude detect threat-hunts --tests "test1,test2"   # Filter by tests
prelude detect threat-hunt <hunt_id>                # Get hunt details
prelude detect do-threat-hunt <hunt_id>             # Execute a threat hunt query

# --- Scheduling ---
prelude detect queue                                          # Show active test queue
prelude detect schedule <id> -t TEST                          # Schedule test (daily)
prelude detect schedule <id> -t TEST -r WEEKLY                # Schedule weekly
prelude detect schedule <id> -t TEST -r SMART --tags "prod"   # Smart schedule for tagged endpoints
prelude detect schedule <id> -t THREAT -r DAILY               # Schedule a threat
prelude detect unschedule <id> -t TEST                        # Remove from queue
prelude detect unschedule <id> -t THREAT --tags "prod"        # Remove for specific tags

# --- Activity & Reporting ---
prelude detect activity                 # Default: logs view, last 29 days
# Views: logs, tests, threats, endpoints, techniques, findings, metrics, protected
prelude detect activity --view tests
prelude detect activity --view endpoints
prelude detect activity --view protected
prelude detect activity --view findings
prelude detect activity --view metrics
prelude detect activity --view threats
prelude detect activity --view techniques

# Filters
prelude detect activity --view logs --start "2024-01-01" --finish "2024-01-31"
prelude detect activity --view tests --control CROWDSTRIKE
prelude detect activity --view logs --tests "test1,test2"
prelude detect activity --view logs --threats "threat1"
prelude detect activity --view logs --endpoints "ep1,ep2"
prelude detect activity --view logs --dos "windows-x86_64"
prelude detect activity --view logs --statuses "100,101"
prelude detect activity --view logs --os "Windows 11"
prelude detect activity --view logs --policy "Default"
prelude detect activity --view protected --social   # Social (cross-account) stats

# Threat hunt activity
prelude detect threat-hunt-activity <id> -t THREAT_HUNT
prelude detect threat-hunt-activity <id> -t TEST
prelude detect threat-hunt-activity <id> -t THREAT
```

BUILD - Create & Manage Security Tests

```bash
# --- Tests ---
prelude build create-test -n "My Test" --unit "go" --technique "T1059.001"
prelude build create-test -n "My Test" --unit "go" --test_id <custom_uuid>
prelude build clone-test <source_test_id>
prelude build update-test <test_id> -n "New Name"
prelude build update-test <test_id> --technique "T1059.001"
prelude build update-test <test_id> --expected_crowdstrike PREVENT   # OBSERVE, DETECT, PREVENT
prelude build delete-test <test_id>             # Soft delete (tombstone)
prelude build delete-test <test_id> --purge     # Permanent delete
prelude build undelete-test <test_id>           # Restore tombstoned test

# Upload test attachment
prelude build upload <test_id> -p /path/to/file.go
prelude build upload <test_id> -p /path/to/file.go --compile   # Upload and compile
prelude build compile-code-file -p /path/to/file.go            # Test compilation only

# --- Threats ---
prelude build create-threat <directory>     # Create from directory containing test files
prelude build create-threat <directory> -n "Threat Name" --published "2024-01-01"
prelude build update-threat <threat_id> -n "Updated Name"
prelude build delete-threat <threat_id>
prelude build delete-threat <threat_id> --purge
prelude build undelete-threat <threat_id>

# --- Detection Rules (Sigma) ---
prelude build create-detection <test_id> -r /path/to/rule.yaml
prelude build update-detection <detection_id> -r /path/to/rule.yaml
prelude build delete-detection <detection_id>

# --- Threat Hunt Queries ---
prelude build create-threat-hunt <test_id> --name "Hunt Name" --query "query_string" --control CROWDSTRIKE
prelude build update-threat-hunt <hunt_id> --name "New Name" --query "new_query"
prelude build delete-threat-hunt <hunt_id>
```

PARTNER - EDR & Security Partner Integration

```bash
# Attach a partner (connect your security tool)
prelude partner attach CROWDSTRIKE -u "client_id" --secret "client_secret" --api "https://api.crowdstrike.com"
prelude partner attach DEFENDER -u "client_id" --secret "client_secret" --api "https://graph.microsoft.com"
prelude partner attach OKTA -u "api_token" --api "https://your-org.okta.com"
prelude partner attach <PARTNER> -u "user" --secret "secret" --api "url" -i "instance_id" -n "Friendly Name"

# Detach partner
prelude partner detach <PARTNER> -i "instance_id"

# List endpoints from a partner
prelude partner endpoints <PARTNER> --platform windows   # windows, linux, darwin
prelude partner endpoints CROWDSTRIKE --platform windows --hostname "web*"
prelude partner endpoints DEFENDER --platform linux --offset 0 --count 100

# Deploy probes to partner hosts
prelude partner deploy CROWDSTRIKE --host_ids "id1,id2"

# Block a test (deploy detection rule to partner)
prelude partner block <test_id> -p CROWDSTRIKE

# Get partner reports
prelude partner reports CROWDSTRIKE -t <test_id>

# Get observed/detected statistics
prelude partner observed-detected
prelude partner observed-detected -t <test_id> --lookback 48

# List partner advisories
prelude partner advisories CROWDSTRIKE
prelude partner advisories CROWDSTRIKE --start "2024-01-01" --offset 0 --limit 50

# List partner groups
prelude partner groups <PARTNER> -i "instance_id"
```

SCM - Security Control Monitor

```bash
# --- Query Resources (OData-powered) ---
prelude scm endpoints                                             # List all SCM endpoints
prelude scm endpoints --odata_filter "hostname eq 'web01'"
prelude scm endpoints --odata_filter "controls/any(c: c eq 1)"    # Has CrowdStrike
prelude scm endpoints --top 50 --skip 0 --order_by "hostname asc"
prelude scm users                                                 # List all SCM users
prelude scm users --odata_filter "email eq 'user@example.com'"
prelude scm inboxes                                               # List all SCM inboxes
prelude scm network_devices                                       # List network devices

# --- Policy Evaluation ---
prelude scm evaluation-summary                             # Summary across all partners
prelude scm evaluation CROWDSTRIKE -i "instance_id"        # Detailed evaluation for partner
prelude scm technique-summary --techniques "T1059,T1053"   # Policy summary per technique
prelude scm sync CROWDSTRIKE -i "instance_id"              # Trigger policy sync

# --- Export ---
prelude scm export ENDPOINT      # Export endpoints CSV
prelude scm export USER          # Export users CSV
prelude scm export INBOX         # Export inboxes CSV
prelude scm export ENDPOINT --odata_filter "hostname eq 'web01'"

# --- Exceptions ---
# Object exceptions (exclude resources from monitoring)
prelude scm exception object list
prelude scm exception object create <CATEGORY> -f "hostname eq 'test*'" -n "Test Exception" -c "Excluding test hosts"
prelude scm exception object update <exception_id> -f "new filter" -n "Updated Name"
prelude scm exception object delete <exception_id>

# Policy exceptions (exclude specific policy settings)
prelude scm exception policy list
prelude scm exception policy create <PARTNER> -i "instance_id" -p "policy_id" -s "setting1,setting2" -c "Exception reason"
prelude scm exception policy update <PARTNER> -i "instance_id" -p "policy_id" -s "setting1,setting2"
prelude scm exception policy delete <PARTNER> -i "instance_id" -p "policy_id"

# --- Threats ---
prelude scm threat list
prelude scm threat get <threat_id>
prelude scm threat create -n "Threat Name" --techniques "T1059,T1053"
prelude scm threat delete <threat_id>

# --- Groups ---
prelude scm group list <PARTNER> -i "instance_id"
prelude scm group sync <PARTNER> -i "instance_id" --group_ids "id1,id2"

# --- Notifications ---
prelude scm notification list
prelude scm notification delete <notification_id>
prelude scm notification upsert <CATEGORY> -v <EVENT> -r <RUN_CODE> -s <HOUR> -e "email1,email2"

# --- Reports ---
prelude scm report list
prelude scm report get <report_id>
prelude scm report put --report_file /path/to/report.json
prelude scm report put --report_data '{"name":"Report",...}'
prelude scm report put --report_id <id> --report_file /path/to/report.json   # Update
prelude scm report delete <report_id>
prelude scm report chart-data <SCM_CATEGORY> -b "group_field" -s count_desc -l 100

# --- History & Notations ---
prelude scm history
prelude scm history --start "2024-01-01" --end "2024-06-01"
prelude scm history --odata_filter "some filter"
prelude scm notations

# --- Threat Intel ---
prelude scm threat-intel -f /path/to/report.pdf           # Parse threat intel from PDF
prelude scm from-advisory <PARTNER> --advisory_id "id"    # Generate from partner advisory
```

GENERATE - AI-Powered Test Generation

```bash
# Upload a threat intel PDF for automated test generation
prelude generate threat-intel -f /path/to/report.pdf
prelude generate threat-intel -f /path/to/report.pdf --force_ai   # Force AI regeneration

# Generate from a partner advisory
prelude generate from-advisory CROWDSTRIKE --advisory_id "CS-2024-001"
prelude generate from-advisory CROWDSTRIKE --advisory_id "CS-2024-001" --force_ai
```

JOBS - Background Job Monitoring

```bash
# List all background jobs
prelude jobs background-jobs

# Get the status of a specific job
prelude jobs background-job <job_id>
```

Job types: UPDATE_SCM, DEPLOY_PROBE, OBSERVED_DETECTED, PRELUDE_ENDPOINT_SYNC, EXPORT_SCM, PARTNER_GROUPS

---

Common Workflows

Quick Health Check

```bash
prelude iam account                      # Verify connection, see account features
prelude detect endpoints                 # See active endpoints
prelude detect queue                     # See scheduled tests
prelude detect activity --view protected # See protection status
```

Investigate Endpoint Posture

```bash
prelude scm endpoints --odata_filter "hostname eq 'target-host'"
prelude scm evaluation-summary
prelude scm evaluation CROWDSTRIKE -i "instance_id"
```

Review Test Results

```bash
prelude detect activity --view logs --start "2024-01-01" --finish "2024-01-31"
prelude detect activity --view tests --control CROWDSTRIKE
prelude detect activity --view findings
```

Set Up Continuous Testing

```bash
prelude detect tests                                     # Browse available tests
prelude detect schedule <test_id> -t TEST -r DAILY       # Schedule daily
prelude detect queue                                     # Verify it's queued
prelude detect activity --view logs                      # Check results later
```

Partner Integration

```bash
prelude partner attach CROWDSTRIKE -u "client_id" --secret "secret" --api "https://api.crowdstrike.com"
prelude partner endpoints CROWDSTRIKE --platform windows
prelude partner deploy CROWDSTRIKE --host_ids "host1,host2"
prelude partner observed-detected
```

Naming Differences: CLI vs Platform UI

Some CLI terms differ from what appears in the web platform:

| CLI Term | Platform UI Term | Notes |
|---|---|---|
| `endpoint` / `probe` | Endpoint | Interchangeable in CLI |
| `control` | Partner / Integration | Integer codes map to partner names |
| `dos` | Platform | e.g., `windows-x86_64`, `darwin-arm64` |
| `queue` | Schedule | Active test scheduling |
| `activity` | Results / Reports | Test execution results |
| `scm` | Monitor | Security Control Monitor |
| `technique` | MITRE Technique | ATT&CK framework reference |
| `threat` | Threat | Collection of related tests |
| `detection` | Detection Rule | Sigma YAML rules |
| `threat-hunt` | Threat Hunt | Partner-specific hunting queries |

Error Handling

  • 401 Unauthorized: Run `prelude auth login` or `prelude auth refresh`
  • "Please make sure you are using an up-to-date profile": Run `prelude configure` and ensure the `handle` field is set
  • Python version error (`str | None` unsupported): the CLI requires Python 3.10+. Use `/opt/homebrew/bin/prelude`
  • Connection errors: Check the `hq` URL in `~/.prelude/keychain.ini`

Tips

  • Use `--resolve_enums` to see human-readable names: `prelude --resolve_enums detect endpoints`
  • Pipe JSON output to `jq` for filtering: `prelude detect tests 2>/dev/null | jq '.[] | .name'`
  • The CLI outputs JSON by default - great for scripting and automation
  • Service users (created via `iam create-service-user`) are ideal for CI/CD and automation
  • OData filters in SCM commands support complex queries: `contains()`, `eq`, `ne`, `and`, `or`, `any()`, `all()`
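As an added example (not part of the Prelude skill doc or the CLI), the bash helpers below build `--odata_filter` strings for the SCM commands from values that may come from user input. OData string literals are single-quoted and an embedded quote is escaped by doubling it, so a value like `o'brien-pc` would otherwise break the filter or let a caller splice in extra clauses. The `hostname` field is taken from the page's own example; the helper names are assumptions.

```bash
#!/usr/bin/env bash
# Added example: safely assemble OData filters for `prelude scm ... --odata_filter`.
# Helper names (odata_escape, odata_str, odata_contains, odata_join) are assumptions,
# not part of the prelude CLI.
set -eu

# Escape a value for use inside an OData single-quoted string literal ('  ->  '').
odata_escape() {
    printf '%s\n' "$1" | sed "s/'/''/g"
}

# Emit "<field> <op> '<value>'" with the value escaped, e.g. hostname eq 'host'.
odata_str() {
    local field="$1" op="$2" value="$3"
    printf "%s %s '%s'" "$field" "$op" "$(odata_escape "$value")"
}

# Emit "contains(<field>,'<value>')" with the value escaped.
odata_contains() {
    printf "contains(%s,'%s')" "$1" "$(odata_escape "$2")"
}

# Join already-built clauses with a boolean operator (and/or),
# wrapping each clause in parentheses so precedence stays explicit.
odata_join() {
    local op="$1"; shift
    local out="" clause
    for clause in "$@"; do
        if [ -z "$out" ]; then out="($clause)"; else out="$out $op ($clause)"; fi
    done
    printf '%s' "$out"
}

# Constructed input: a hostname carrying a quote and a would-be injected clause.
# After escaping it is just a literal string, not an extra condition.
hostname_input="target-host' or hostname ne '"
filter=$(odata_join and \
    "$(odata_str hostname eq "$hostname_input")" \
    "$(odata_contains hostname target)")
echo "$filter"
# Only then hand the string to the CLI (field name from the page's own example):
#   prelude scm endpoints --odata_filter "$filter"
```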