
Email on Policy Match

Note: This article contains directions for both the ThreatLocker Portal and the ThreatLocker Legacy Portal. If you are using the Legacy Portal, you can find the appropriate directions by scrolling down in the article.
Be aware of the scope of the policies you apply this to. Setting this up on a Workstations Default Deny policy or a directory-wide storage policy may lead to a large number of unwanted emails.

Storage and Application Control policies can be configured to notify administrators via email whenever a policy is matched. This can be useful for alerting administrators when files are blocked on servers (by configuring notification on a Servers group Default Deny policy) or when a prohibited action is attempted.

Configuring Match Notification on Application Control Policies 

To configure emails on an Application Control policy, navigate to the Application Control Policies page and select the policy that will notify on match. The configuration process will be identical for Application Control and Storage Control policies. 


This will open an 'Update Application Policy' or 'Update Storage Policy' side panel. The policy shown below, for example, is configured to prevent users from starting popular game launchers and notify administrators when they try, without giving the user an opportunity to request access. 


The last section, Policy Match Events, determines how logging and notifications are handled for the selected policy. Enable the option labeled 'Send email' and list every inbox that should receive a notification when this policy is matched. Recipients are not required to be administrators within the ThreatLocker portal; any email address can be specified. Click 'Update Policy'. Remember to deploy policies to commit the change.


Configuring Match Notification on Storage Control Policies

Notification on Storage Control policy matches can be configured in the same way as Application Control policies. Be aware that configuring this notification on a permitted file read/write will alert the administrator every time a specified file is read or written, or every time any file is read or written if the policy specifies a directory. 

Open the Storage Control module in the ThreatLocker portal, then identify the policy which should notify on match. In the example policy, Workstations are permitted to read but not write to USB drives, and any attempt to write to a USB drive notifies the administrator. 


Clicking the policy name will open the 'Update Storage Policy' side panel. In the Storage Policy Details tab, the last option allows you to specify recipients for these policy match emails. Recipients are not required to be administrators within the ThreatLocker portal; any email address can be specified.


Enable the option 'Do you want to send an email when this policy is matched?', enter the recipient, click the + button to the right of the text field, click 'Update Policy', and deploy policies to save this change.

Legacy Portal

We do not suggest doing this to a default policy. Setting this up on a default policy may lead to a large number of unwanted emails.

If you would like to set up ThreatLocker to email you when a particular policy is matched, first navigate to the Organizations page and manage the organization you want to enable this on.  

Navigate to Application Control > Policies.

Change the dropdown in the Applies To menu to reflect your desired policy location.

Select the policy, and click the pencil icon to edit it. 

Enter the email address you want the matched policy alerts to go to, and be sure to click 'Add' directly to the right of it. This will populate the email address in the lower box.

Save the policy.

Deploy the policy.
