How to Set Up Cyber Hero Managed Detection and Response

4 min. read | Last update: 03.28.2024

For the best experience, the playbook should be discussed during onboarding with Cyber Hero Managed Detection and Response.

Cyber Hero Managed Detection and Response (MDR) allows the ThreatLocker Cyber Heroes to triage Detect alerts and make decisions on your behalf following your playbook. This helps reduce alert fatigue, as you will only be contacted when alerts indicate a high probability of an incident.

By default, ThreatLocker has policies for known IoCs that will be applied to all organizations using Cyber Hero MDR, and alerts for those policies will automatically be monitored by the Cyber Heroes. Custom policies can also be eligible for monitoring, but they must first go through an approval process.

Configuring the Response Playbook

Once Cyber Hero MDR has been enabled on an organization, the playbook needs to be configured.

Navigate to Modules > ThreatLocker Detect.

At the top left-hand side of the screen, select the 'Response Settings' button.

The Cyber Hero Response Settings sidebar will slide out from the right.

From this sidebar, playbooks can be configured for the entire organization, for specific computer groups, and for individual computers, based on an organization's specific needs. 

*At a minimum, organizations will need to have playbook instructions specified at the 'Entire Organization' level. 

1.  Select the level for the playbook you wish to configure from the 'Applies To' dropdown.

2.  Select 'Enabled' to make the playbook active once the settings are saved.

3.  Add the name of a contact that will be contacted if the Cyber Heroes observe suspicious behavior.

4.  Add the phone number of the listed contact.

5.  Select the 'Add' button to commit the contact to the list of contacts.

Multiple contacts can be entered by repeating steps 3-5.

6.  In the text box, insert the instructions the Cyber Heroes need to follow in the event there is a suspected cyber incident.

Key Information to include in the text of the playbook:

What should the Cyber Heroes do in the event no one answers the phone?

How many times should the Cyber Heroes attempt to call before defaulting to the fallback response?

Should the Cyber Heroes Isolate or Lockdown machines if certain alerts trigger?

 

Press 'Save' to save the playbook.

If needed, change the 'Applies To' dropdown selection and create a new set of playbook instructions for all areas that require different instructions from the 'Entire Organization' level, being sure to press 'Save' when finished to commit the changes.

When an alert is received by the Cyber Heroes, the instructions outlined in the playbook level closest to the computer experiencing the alert will be followed. For example, if there is a computer-level playbook for that computer, those instructions will be followed. If there are no computer-level instructions, group-level instructions will be followed. If there are no group-level instructions, the organization-level instructions will be followed.

It is very important that the playbook includes accurate contact information and instructions so the Cyber Hero team can act appropriately in the event IoCs are observed. 
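The precedence rule above (computer, then group, then organization) and the minimum requirements for a usable playbook can be checked before saving. The following is an added illustration, not ThreatLocker code and not its API: the `Playbook`, `Contact` and `ResponseSettings` structures, the assumption that a playbook marked not enabled is skipped in favour of the next level, and the sample contacts and phone numbers are all constructed for this example.

```python
"""Model of Cyber Hero MDR playbook resolution (added example, not ThreatLocker code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Contact:
    name: str
    phone: str


@dataclass
class Playbook:
    scope: str                 # label: 'Entire Organization', a group name, or a hostname
    enabled: bool              # the 'Enabled' toggle in Response Settings
    contacts: List[Contact]    # contacts added with the 'Add' button
    instructions: str          # free-text instructions for the Cyber Heroes


@dataclass
class ResponseSettings:
    """Hypothetical container for the three 'Applies To' levels."""
    organization: Optional[Playbook] = None
    groups: Dict[str, Playbook] = field(default_factory=dict)     # group name -> playbook
    computers: Dict[str, Playbook] = field(default_factory=dict)  # hostname -> playbook


def effective_playbook(settings: ResponseSettings, hostname: str,
                       group: Optional[str]) -> Optional[Playbook]:
    """Return the playbook at the level closest to the computer.

    Assumption (not stated in the article): a level whose playbook is not
    enabled is skipped and the next level up is used instead.
    """
    candidates = [
        settings.computers.get(hostname),
        settings.groups.get(group) if group else None,
        settings.organization,
    ]
    for pb in candidates:
        if pb is not None and pb.enabled:
            return pb
    return None


def validate(settings: ResponseSettings) -> List[str]:
    """List configuration problems that would leave the Cyber Heroes without
    a usable playbook: no enabled organization-level playbook (the required
    minimum), enabled playbooks with no contact, contacts without a phone
    number, or empty instructions."""
    issues: List[str] = []
    org = settings.organization
    if org is None or not org.enabled:
        issues.append("no enabled 'Entire Organization' playbook (required minimum)")
    for pb in [org, *settings.groups.values(), *settings.computers.values()]:
        if pb is None or not pb.enabled:
            continue
        if not pb.contacts:
            issues.append(f"{pb.scope}: no contact listed")
        for c in pb.contacts:
            if not c.phone.strip():
                issues.append(f"{pb.scope}: contact {c.name!r} has no phone number")
        if not pb.instructions.strip():
            issues.append(f"{pb.scope}: instructions are empty")
    return issues


# Constructed sample settings: an organization default, one group override
# and one computer override. Names and numbers are made up.
SAMPLE = ResponseSettings(
    organization=Playbook("Entire Organization", True,
                          [Contact("SOC on-call", "+1 555 0100")],
                          "Call up to 3 times. If no answer, isolate the machine "
                          "and note the action in the ticket."),
    groups={"Finance": Playbook("Finance", True,
                                [Contact("Finance IT", "+1 555 0101")],
                                "Call twice, then lock down the machine.")},
    computers={"FIN-CFO-01": Playbook("FIN-CFO-01", True,
                                      [Contact("Executive assistant", "+1 555 0102")],
                                      "Do not isolate; keep calling until reached.")},
)

if __name__ == "__main__":
    for host, grp in [("FIN-CFO-01", "Finance"), ("FIN-WS-07", "Finance"), ("HR-WS-01", "HR")]:
        pb = effective_playbook(SAMPLE, host, grp)
        print(f"{host}: uses '{pb.scope}' playbook -> {pb.instructions}")
    print("issues:", validate(SAMPLE) or "none")
```

Running the block prints which playbook each sample host resolves to; `validate` returns an empty list for the sample because every enabled level has a contact with a phone number and non-empty instructions.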


Submitting Custom Policies for Cyber Hero MDR

To submit custom ThreatLocker Detect policies for Cyber Hero MDR, policies will need to have an action to 'Create Alert'.

In the Policy Action section, select 'Create Alert'. Set the Severity, Threat Level, Summary, and Details as desired.

Press the 'Request Monitoring' button.

Press the 'Create' button at the bottom of the policy to save and submit the policy for approval. Once a policy has been submitted for approval, it will no longer be editable. Until you receive notification that a policy has been approved, it will be your responsibility to triage any alerts received from that policy.

Press 'Yes' to acknowledge the information and proceed with submitting the policy for Cyber Hero MDR review.

You will receive a link to the Help Desk ticket associated with this request, where you can follow the progress of the request.

The Cyber Hero team will continually evaluate policies and can decline or remove a policy from management if it is causing too many false alerts. 
