Table of Contents
Locating the ThreatLocker Incident Center | ThreatLocker Detect Alert Center | The Incident Center | Case | Alerts | Exclusions | Banners | Unified Audit | Runbook | Incident History | Asset Notes
ThreatLocker has now updated the ThreatLocker Detect Alert Center, making it the Incident Center. This is an upgraded version of the previous Alert Center, making it easier to investigate alerts as they arrive. With the development of the new Incident Center, users will be able to create their own cases, assigning Analysts to each case, and even including active alerts from other machines in the organization to a case.
Locating the ThreatLocker Incident Center
The ThreatLocker Incident Center is located in two areas of the portal. The first place it can be found is by navigating to the 'Response Center'.

From the 'Response Center' switch to the 'Threats' tab.

Now, in the 'Threats' tab, select any active alert in either your organization or a child organization. Doing so will automatically open the Incident Center and display the case associated with the selected ticket.

Alternatively, select the 'Modules' dropdown, then choose 'ThreatLocker Detect' from the list.

Ensure that you are in the 'Threats' tab. From here, you can select an active alert and have the Incident Center appear.
ThreatLocker Detect Alert Center
The ThreatLocker Detect Alert Center can be accessed via the 'Threats' tab. This section allows users to view all active alerts in their parent or child organizations and take action on them.
At the top of the page is a filter area where users can adjust the search parameters to find relevant alerts.

- Module Dropdown - This dropdown allows you to choose which module's alerts you are interacting with. By default, all alerts will be selected, but you can also filter between Endpoint Detect and Cloud Detect.
- Filter By - By default, alerts are filtered by active alerts. You can also choose to filter by the following:
  - All - Includes alerts from any category.
  - Cleared - Includes alerts that are no longer active and have since been cleared by another user.
  - Resolved - Includes alerts from a machine that was put into remediation and has since been taken out of remediation because its alerts were cleared.
  - Escalated - The alerts have been marked as 'Escalated' for the customer's further review.
  - Remediated - The machine has been put in lockdown or isolation during the investigation of the alerts.
- Search - Allows you to search for keywords that are associated with alerts. You can search by Object Name, Organization, and Alert Name.
- Severity - Allows you to search for alerts based on the severity level. By default, 'All' is selected, but you can also choose between 'Severe' or 'Warning'.
- Include Child Organizations - A checkbox that lets you select between including child organizations in the list or remaining solely at the parent organization. This checkbox is not selected by default.
Beneath the filters area are all of the available columns of the ThreatLocker Detect Alert Center. The following are displayed:

- Date Created - The date and time that the alert was generated.
- Object Name / Organization - The names of both the object (machine) and the organization that it is associated with. Selecting the Object Name will open the Computer Details Sidebar. A button linking to the Unified Audit can also be viewed here.
- Most Recent Alert - The name of the most recent alert that was detected.
- Severity - The Severity of the alert, whether it is 'Severe' or 'Warning'.
- Active Alerts - The number of active alerts that are on the machine at this time. This area will also display a yellow exclamation mark if the alert has been escalated to the customer.
- Threat Level - The combined threat level of all active alerts on the associated machine.
- Case - The name of the case that is associated with the alert.
- Assigned Analyst - A list of analysts who are assigned to this particular case. Multiple analysts can appear here.
- Actions - Buttons to select remediation for an alert. If the alert is for 'Endpoint Detect', your button options will be to 'Lockdown' or 'Isolate' the machine. If the alert is for 'Cloud Detect', the option will be to 'Lock Account'.
The Incident Center
The ThreatLocker Incident Center comprises several fields that allow you to customize active cases within your organization. In contrast to the original ThreatLocker Detect Alert Center style, which only allowed users to view alerts on one machine at a time, users can now combine alerts into a Case. You can also add or remove analysts from a case, as well as view the Unified Audit in the designated area. This section of the article will inform you of all the new ways to interact with the ThreatLocker Incident Center.
Case
In the top left corner of the Incident Center is a section for changing the properties of the Case you are viewing. The following actions can be performed in this section:

- Case Name - This section allows you to change the name of the Case you are in. Select the 'Pencil Icon' to the right of the 'Case Name' field to edit the Case name. Once you have changed the Case name, select either the green checkmark to confirm your changes or the red 'x' to cancel.

- The 'Assets' section shows you the name of the organization associated with this case. You can select the organization's name to pull up the 'Edit Organization Settings' sidebar. To the right of this is a 'link' icon that, when selected, will copy the link to your current case. Underneath this is a list of all asset names that have active alerts within the case. Depending on the case, the names displayed might be either asset names or names of Microsoft 365 accounts associated with Cloud Detect. If an asset needs to be removed from a case, and there is more than one asset, an 'x' button will appear next to each one. This can be selected to remove the asset and all associated alerts from the case.

- Analysts - This section shows you a list of analysts who are associated with a case. If a user performs an action on a case and has not already been added, ThreatLocker will add them immediately. Users who have performed actions on a case cannot be removed from it. Selecting the 'Add User' button shows a list of all available analysts in your organization. Checking the checkbox to the left of a user's name adds them to the case, whereas deselecting the checkbox removes them. Circles to the left of the 'Add User' button display each associated analyst's initials and, if there are more than three associated analysts, a complete list of all analysts when hovered over.

Alerts
The 'Alerts' section is found underneath the 'Case' section. It comprises all the alerts associated with a particular case and provides valuable information, such as the categories into which the alerts fall.
Categories
The top section of the 'Alerts' portion of the Incident Center is a list of buttons labeled as different MITRE Framework categories. In each ThreatLocker-created alert, ThreatLocker has provided the alert with a label corresponding to a MITRE Framework category. If one of these categories is detected within alerts on the assets in the case, the category's button will turn red.

If a category does not have detected alerts within the assets, it will remain white.
ThreatLocker has buttons for the following MITRE categories:
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Evasion
- Discovery
- Exfiltration
- Impact
Underneath the name of the MITRE category are numbers. These numbers appear if alerts belonging to that category are detected in the organization. The number on the left indicates the number of alerts detected on that machine or user that fit into that category. In contrast, the number on the right indicates the total number of alerts detected in the organization that fit into that category.

When you select any of these buttons, ThreatLocker will automatically apply the associated label to the search bar, displaying all relevant alerts per category.

All Alerts
Located under the list of categories to the right is a button that, when selected, displays a pop-up window showing every active alert on all machines in the organization.


First, this section provides a selection of filters that allow users to search for specific active alerts:

- Start Date - The earliest point in time from which ThreatLocker searches for active alerts in the case. By default, this filter is set to 12:00 AM of the current day.
- End Date - The latest point in time up to which ThreatLocker searches for active alerts in the case. By default, this filter is set to 11:59 PM of the current day.
- Severity - What severity level the alerts you are searching for will be at. By default, 'All' will be selected, but users can also choose to view only 'Information', 'Warning', or 'Severe' alerts.
- Search - A search bar that lets users enter keywords that are relevant to alerts.
- Search Button - Searches for alerts based on the filters a user has entered.
- Clear - Clears all current filters.
- CSV Button - A button that allows users to export all alerts that match the current filters to a .csv file for easy viewing.
Underneath the 'All Alerts' filters are columns that display information about the alerts you are viewing.

- Date Created - The date and time that the alert was generated. This matches the time zone that the organization is set to.
- System Time - The system time on an asset when the alert was generated.
- Occurrences - The number of occurrences for that particular alert.
- Threat Level - The total threat level of the chosen alert.
- User - The name of the user associated with this alert.
- Policy Name - The policy matching the alert that was triggered.
- Policy Description - A brief message regarding what the alert is for, or even a link to a resource about the alert if one is provided.
- Severity - The severity level of the alert, which can be 'Information', 'Warning', or 'Severe'.
- Policy Labels - Labels that are associated with an alert to help identify what kind of alert it is.
- Action Type - The action type that matches the corresponding alert. The action type provides users with valuable information, such as whether a file was executed, moved, etc.
- Action - The official way that this particular alert/log was handled. Users will be able to determine in this area whether the log was permitted or denied. Users can also view whether the log would have been denied, but was permitted because the machine was not secured.
- Summary - A summary of the alert that was triggered.
- Details - Details that are related to the alert.
- Full Path - The full path associated with an alert, if one is available.
- ExclusionCount - The number of exclusions that are associated with that particular alert. There is a plus button to the right of this field that allows users to create a new exclusion using the information garnered from the alert.

- Configure Columns - A wrench button that, when selected, provides a list of all columns for alerts. By default, all columns are selected; however, you can use this button to add or remove columns as needed to cater to your specific requirements.

Below this section is the list of alerts that match the filter criteria you have entered. To view each alert, select one of the alerts on the list. This will drop down and show all relevant information about the alert.

Searching and Viewing Alerts
The alerts tied to a case will all appear beneath the categories. Users can search through alerts using the provided search bar.

To the right of the search bar is the 'Group By Policy' checkbox, which groups all alerts that have the same policies together.

The section below your search bar displays all active alerts associated with the machines or accounts in the case.

From this section, you will be able to view alert information, such as the name of the machine or account the alert was generated from, the alert policy, the Full Log containing all provided alert information, and more. Selecting the name of the alert policy will open the 'Edit Endpoint Detect Policy' sidebar if you have permissions. This section also allows you to create new exclusions for the selected alert by choosing the '+' button to the right of the exclusion count.


If the 'Group By Policy' checkbox is selected, the alerts will be grouped. If an alert is selected, a dropdown list of all alerts that match the chosen policy will appear.

This section will provide you with the same alert information.
At the top of this section, you will see two icons labeled 'View Alerts in Case' and 'View Alerts in Organization'.

By default, 'View Alerts in Case' will be selected when you open a case. This page displays all alerts currently tied to a case, including all machines or accounts associated with it. By selecting the 'View Alerts in Organization' button, you will be able to see other alerts that are active in the same organization.

By selecting one of the listed Active Threats, you will be brought to the case for that threat. After reviewing the case, if you feel that it is related to the one you are currently reviewing, you can select the 'Add to Case' button. This will add the active alerts and machines from that case to the current one.
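As an added illustration (not ThreatLocker's code; the alert model, asset names and policy names are constructed here), the following Python mirrors the two-number category counters described under 'Categories' (alerts on case assets versus alerts across the organization), the 'Group By Policy' view, and the effect of 'Add to Case' on those counters:

```python
from collections import Counter
from dataclasses import dataclass

# MITRE category buttons as the article lists them.
CATEGORIES = ["Initial Access", "Execution", "Persistence", "Privilege Escalation",
              "Evasion", "Discovery", "Exfiltration", "Impact"]


@dataclass(frozen=True)
class Alert:
    asset: str       # machine name or Microsoft 365 account the alert was raised on
    policy: str      # name of the Detect policy that fired
    category: str    # MITRE category label attached to that policy
    active: bool = True


def category_counts(alerts, case_assets):
    """Return {category: (left, right)} as the buttons show them.

    left  = active alerts in this category on assets that are in the case
    right = active alerts in this category anywhere in the organization
    """
    in_case, in_org = Counter(), Counter()
    for a in alerts:
        if not a.active:
            continue                      # cleared/resolved alerts are not counted
        in_org[a.category] += 1
        if a.asset in case_assets:
            in_case[a.category] += 1
    return {c: (in_case[c], in_org[c]) for c in CATEGORIES}


def button_colour(counts, category):
    """A button turns red only when a case asset has an alert in that category."""
    return "red" if counts[category][0] > 0 else "white"


def group_by_policy(alerts, case_assets):
    """'Group By Policy' view: active case alerts keyed by the policy that fired."""
    groups = {}
    for a in alerts:
        if a.active and a.asset in case_assets:
            groups.setdefault(a.policy, []).append(a)
    return groups


def add_to_case(case_assets, other_case_assets):
    """'Add to Case': pull another case's assets (and so their alerts) into this one."""
    return frozenset(case_assets) | frozenset(other_case_assets)


# Constructed sample data: two workstations in the case, one server elsewhere in the org.
CASE_ASSETS = frozenset({"WS-01", "WS-02"})
SAMPLE_ALERTS = [
    Alert("WS-01", "Encoded PowerShell command", "Execution"),
    Alert("WS-01", "Encoded PowerShell command", "Execution"),
    Alert("WS-02", "New scheduled task created", "Persistence"),
    Alert("SRV-09", "Encoded PowerShell command", "Execution"),
    Alert("SRV-09", "Large outbound transfer", "Exfiltration"),
    Alert("WS-02", "Network share enumeration", "Discovery", active=False),
]

if __name__ == "__main__":
    counts = category_counts(SAMPLE_ALERTS, CASE_ASSETS)
    for c in CATEGORIES:
        print(f"{c:<20} {counts[c][0]} / {counts[c][1]}  {button_colour(counts, c)}")
```

Note that 'Exfiltration' shows 0 / 1 and stays white until SRV-09 is added to the case, at which point both numbers agree.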

Exclusions
The 'Exclusions' section is found beneath the 'Alerts' section. This is a list containing all exclusions related to the case.

- Exclusion information, which includes the policy name, the level the exclusion applies to, what is being excluded, and the expiration of the exclusion, if applicable.
- This button can be used to expand or close the 'Exclusions' panel. By default, this panel is closed.
- A button that allows you to delete exclusions.
Banners
Banners appear above the Unified Audit within the Incident Center.

These banners only appear if any of the following is detected within the organization:
- There are Known Threats detected in the case:
  - Known Threats are hashes or IP addresses that have been classified as a Threat by VirusTotal. When the 'View Threats' button is selected, the Unified Audit panel filters to the logs classified as threats for easy viewing.
- Computers in Monitor Mode in the Organization:
  - ThreatLocker will check if there are assets in the associated organization in Application Control Monitor Only Mode. If one of these assets is a computer that is generating alerts, selecting the 'View Assets' button will bring you to the 'Devices' page, where you can change it back to 'Secured' mode.
- High/Critical Failed DAC Checks within the Organization:
  - If an organization has any high/critical failed DAC checks, this banner will appear. Selecting the 'View DAC' button will bring you to the DAC Dashboard, where you can view your list of DAC checks.
If any of these issues are resolved, such as a computer being removed from Application Control Monitor Only Mode and placed into Secured Mode, the banner will disappear.
Unified Audit
The ThreatLocker Incident Center now has a section for the Unified Audit. This panel can be found in the middle of the page and automatically applies the following filters:
- Start and End Date set to the current date from 12:00 AM to 11:59 PM.
- Remove White Noise Filter
- Asset Names of all assets associated with the Case.

To the right of the filter button is a button that, when selected, will open the full Unified Audit page, including the search parameters you indicated on this page.
This Unified Audit panel features the same Advanced Search function as the full 'Unified Audit' page. For questions regarding 'Advanced Search', please navigate to the following article:
When the Unified Audit logs populate, you will be shown a list of information, including the asset name, user name, process path, date and time, and the Action Type. Selecting any of these logs will open a sidebar supplying the full information of that Unified Audit log.


Runbook
The Runbook is an area where Instructions from the Endpoint or Cloud Response Settings pages will populate.


Customers fill out the Instructions section to give analysts directions on how to process alerts. This field can be used to insert directions, such as clearing alerts automatically if specific parameters are met or emphasizing the need to Lockdown a machine in a particular situation.
The runbook categorizes the instructions by the areas to which they apply. This means that if instructions apply to the entire organization, they will appear for all assets. If there are individual instructions for a machine, they will appear for only that machine.
Incident History
The 'Incident History' section is a comprehensive list of all actions taken on a case. At the top of the 'Incident History' section is a list of buttons. The following are available actions that can be taken to remediate an alert:
- Clear - This button will populate a field below where users can select the names of assets or users in the case. When an asset or cloud account has been provided and a response is entered, the user can choose 'Save Response', which will clear all active alerts on the selected assets.
- Escalate - This button will populate a field below where users can select the names of assets or users in the case. When an asset or cloud account has been provided and a response is entered, the user can choose 'Save Response', which will escalate active alerts in the organization. When an alert is escalated, it will display a yellow '!' in the 'Active Alerts' column on the ThreatLocker Detect Alert Center page.

- Recommendation - This button will populate a field where users can select the name of an asset or cloud account, as well as a response field. Once these have been entered, the user can choose from a list of recommendations. The dropdown includes the following:
  - Enable Application Policy
  - Disable Application Policy
  - Enable Storage Policy
  - Disable Storage Policy
  - Enable Network Policy
  - Disable Network Policy
  - Enable Detect Policy
  - Disable Detect Policy
  - Enable Cloud Detect Policy
  - Disable Cloud Detect Policy
  - Enable Web Control Policy
  - Disable Web Control Policy
  A details section will populate after you have selected the recommendation. The details provided depend on the chosen recommendation, but may include a list of application names, policies, and additional information. Once this is filled out and 'Save Response' is selected, the recommendation can be viewed in the organization's Detect Dashboard.
- Call - Selecting this button will display a dropdown menu with the assets associated with this case. Additionally, a field will be provided underneath that lists user names and phone numbers to contact in the event of an alert. This is separated based on Cyber Hero Endpoint Response Settings and will display corresponding asset names if there are different ones to call, depending on the asset. Once a user has made a call, they can enter the response within this field, indicating what took place. Saving the response will make it viewable later on.

- Email - Selecting this button will provide a dropdown with assets related to the case. From here, you are given a list of user emails to choose from. Emails are separated based on the Cyber Hero Response Settings, so only emails for users who are listed are given. You must select the email before entering a subject line, then you can insert your email body before selecting 'Save Response'.

- Run Script - Selecting this button will provide a dropdown with assets related to the case. Below this section is a dropdown labeled 'Choose remediation script', which includes a list of remediation scripts available in your organization. If you have no saved remediation scripts in your organization, you can enter a script in the command-line field to be deployed to the selected machines. Once 'Save Response' is selected, the script should run immediately after the agent receives the action, provided the chosen assets are online.
  - Note: To enable this in your organization, you must have the 'Advanced Settings' 'Allow Run Script Action' applied in the organization. This setting has to have been applied for 3 days before you can use the 'Run Script' action. Additionally, these scripts run as System, so users are not able to start processes that will display on the recipient's screen. This action can only send a script; it cannot receive a response.
- Lockdown - Selecting this button will provide a dropdown with assets related to the case. Below this will be a response field where users can input reasons as to why the asset(s) will be placed in lockdown. Upon saving the response, the chosen assets will be put into lockdown.
  - Note: This field will not be present if the only assets in the case are from Cloud Detect.
- Isolate - Selecting this button will provide a dropdown with assets related to the case. Below this will be a response field where users can input reasons as to why the asset(s) will be placed in isolation. Upon saving the response, the selected assets will be isolated.
  - Note: This field will not be present if the only assets in the case are from Cloud Detect.
- Lockout - Selecting this button will provide a dropdown with assets related to the case. Below this will be a response field where users can enter a reason why the accounts will be locked out. Upon saving the response, the selected accounts will be locked out.
  - Note: This field will not be present if the only assets in the case are from Endpoint Detect.
Beneath these buttons is a list of all Incident Histories occurring within the case. You will be able to view any action taken by a user. This provides a detailed log of actions to track how users handle a case, which can be reviewed at a later point.

Select the log to expand it and view the actions analysts took on that machine during that time.

Asset Notes
Below the 'Incident History' is the 'Asset Notes' section. This area is where users can input notes related to the investigation of alerts and serves as a comprehensive reference point.
By default, the 'Asset Notes' section will be hidden, but you can use the expand button to display it.

To create a note, enter a note in the field, then use the 'Select Assets' dropdown to choose an asset or assets to apply the note to. Once you select the 'Save' button, the note will appear listing the associated asset, the note, the date and time the note was added, and the name of the analyst who added it.

