Creating Monitoring Policies
By default, ThreatLocker does not monitor any activity on local drives unless explicit policies are in place. This makes the best use of system resources while leaving the flexibility to enable monitoring where it is needed. Such cases include the need to track certain shares or folders, or the need to protect local storage when ringfencing. The following steps demonstrate how to create an explicit monitoring policy.
From the ThreatLocker Portal:
- Navigate to Storage Control > Policies > New Storage Policy.
- Enter a name for the policy. For example: "Monitoring assets on the C Drive".
- Select 'Read & Write' under 'What should this policy do?'.
- Select whether to apply the policy to the entire organization or to a specific group.
- Under 'What paths should this apply to (e.g. "\\server1\share\", ".jpg" or "regex:[0-9]abc")?', select 'Let me select file paths'.
- Select the path you would like monitored > Add.
- Select Save.
- Select Click to Deploy Policies.
This adds the specified path(s)/location(s) as a protected asset, and monitoring will start within 60 seconds of deploying policies.