Monitoring Endpoint Detect Policies

4 min. read. Last update: 04.17.2026
Note: To monitor Endpoint Detect policies, assets where the policy applies must have ThreatLocker Windows Agent Version 10.8.1 or higher. On assets that do not meet this requirement, policy actions are enforced immediately.
As of ThreatLocker Windows Agent Version 10.8.1, users can create ‘Monitor Only’ policies for ThreatLocker Detect. When an Endpoint Detect Policy is in Monitor Only, its Affirmative Actions are paused. When the policy is triggered, instead of performing the Affirmative Action, ThreatLocker generates an alert notifying users that the policy would have triggered normally had it not been set to Monitor Only.
 
Monitoring an Endpoint Detect Policy requires that the policy be created with an Affirmative Action as the ‘Policy Action’. An Affirmative Action is any of the following Policy Actions:
  • Disable Application Control Policy
  • Disable Network Control Policy
  • Disable Storage Control Policy
  • Enable Application Control Policy
  • Enable Network Control Policy
  • Enable Storage Control Policy
  • Initiate Windows Defender Full Scan
  • Initiate Windows Defender Quick Scan
  • Isolate Machine
  • Kill Matching Process
  • Lockdown Machine
An Endpoint Detect Policy will not permit ‘Monitor Only’ to be enabled unless at least one of its Policy Actions is set to an Affirmative Action.

Creating a Monitored Custom Endpoint Detect Policy

To create a Monitored Custom Endpoint Detect Policy, navigate to the ‘Detect Policies’ page by hovering over the ‘Detect’ option on the left side of the ThreatLocker Portal, then select ‘Detect Policies’.
On the ‘Detect Policies’ page, select the ‘Create New Endpoint Detect Policy’ button in the top left corner of the page.
Selecting this button will open the ‘Create Endpoint Detect Policy’ sidebar. From here, using the provided fields, create your Endpoint Detect Policy. Once you reach the ‘Policy Actions’ section of the sidebar, ensure that you choose at least one Affirmative Action. After selecting this, a new section of the sidebar titled ‘Monitor Policy’ will appear.
By default, the policy will be set to ‘Enforce’. Selecting ‘Monitor Only’ will populate a new field titled ‘Enforce Policy Beginning On’.
By default, ThreatLocker will set the policy to be enforced two weeks from the current date. This date can be changed by selecting the provided field.
The policy will switch to ‘Enforce’ at 12:00 AM on the date that you select. Once the policy switches to ‘Enforce’, Policy Actions will be enforced if the policy is triggered.

Monitoring a Community Endpoint Detect Policy

Note: Community policies can be placed in Monitor Only without requiring an Affirmative Action as one of the policy actions. If a community policy's only policy action is Create Alert, setting it to Monitor Only prevents the monitored alert from adding to the asset's threat score.

When downloading an Endpoint Detect Community Policy, users will also be given the opportunity to set this policy to ‘Monitor Only’. For Community Policies, this setting is enabled by default, with the policy being monitored for 3 days before enforcement.
These settings can be changed to enforce the policy immediately or to monitor it for a shorter or longer period. ThreatLocker recommends monitoring new policies in your environment in case they frequently trigger alerts. This allows you to adjust the policy for more granular alerting, or to decide whether it is right for your organization’s needs.
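The rules from the two sections above (the 10.8.1 agent requirement, the Affirmative Action requirement for custom policies, the 12:00 AM switch to Enforce, and the two-week / 3-day default monitoring windows) as a small Python model, added here for illustration. This is not ThreatLocker code or its API; the DetectPolicy class, the function names and the sample policies are invented for the example, and trigger times are treated as naive UTC datetimes.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import List, Optional

# Affirmative Actions as listed in the article; "Create Alert" is not one of them.
AFFIRMATIVE_ACTIONS = {
    "Disable Application Control Policy", "Enable Application Control Policy",
    "Disable Network Control Policy", "Enable Network Control Policy",
    "Disable Storage Control Policy", "Enable Storage Control Policy",
    "Initiate Windows Defender Full Scan", "Initiate Windows Defender Quick Scan",
    "Isolate Machine", "Kill Matching Process", "Lockdown Machine",
}
MIN_MONITOR_AGENT = (10, 8, 1)  # first Windows Agent version that honours Monitor Only


def parse_version(v: str) -> tuple:
    """'10.10.0' -> (10, 10, 0): compare numerically, not as strings ('10.10' < '10.8')."""
    return tuple(int(p) for p in v.split("."))


def default_enforce_date(created_on: date, community: bool) -> date:
    """Default 'Enforce Policy Beginning On': 3 days for community, two weeks for custom."""
    return created_on + (timedelta(days=3) if community else timedelta(weeks=2))


@dataclass
class DetectPolicy:  # hypothetical model for this example, not a ThreatLocker type
    name: str
    actions: List[str]
    community: bool = False
    monitor_only: bool = False
    enforce_beginning_on: Optional[date] = None

    def is_monitorable(self) -> bool:
        """Community policies may be monitored freely; custom ones need an Affirmative Action."""
        return self.community or bool(set(self.actions) & AFFIRMATIVE_ACTIONS)


def evaluate_trigger(policy: DetectPolicy, agent_version: str, at: datetime) -> dict:
    """Outcome when `policy` fires on an asset running `agent_version` at UTC time `at`."""
    if policy.monitor_only and not (policy.is_monitorable() and policy.enforce_beginning_on):
        raise ValueError(f"{policy.name}: cannot be set to Monitor Only")
    # Agents below 10.8.1 do not understand Monitor Only, so actions apply immediately.
    if not policy.monitor_only or parse_version(agent_version) < MIN_MONITOR_AGENT:
        return {"mode": "enforce", "actions": list(policy.actions)}
    # A monitored policy switches to Enforce at 12:00 AM on the selected date.
    switch = datetime.combine(policy.enforce_beginning_on, time.min)
    if at >= switch:
        return {"mode": "enforce", "actions": list(policy.actions)}
    return {"mode": "monitor", "alert": f"{policy.name} Monitor-Only Alert", "enforce_on": switch}
```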

The Monitor Only Alert

When a policy is being monitored and is triggered, instead of applying the Affirmative Action (e.g., enabling an Application Control Policy), it creates an informational alert. This alert appears differently from others, as it notifies the user that the policy is only being monitored. The same information shown for a non-monitored policy still appears in this area, and a monitored policy's alert contains the following elements:
  1. Banner indicating that the policy generating the alert is set to Monitor Only. The date to the right of the banner shows when the policy will be enforced again.
  2. Since the policy is set to Monitor Only, the generated alert is informational.
  3. The alert summary shows the policy name followed by ‘Monitor-Only Alert’.
  4. The alert details will provide users with information about the alert, such as the asset name, username, and the date and time in UTC when the policy will be enforced.
While a policy is being monitored, alerts that are generated allow users to view the full log, add exclusions, and add the alert to Case Evidence.