Remediating Your Organization

4 min. read. Last update: 03.05.2026

ThreatLocker provides several ways to remediate machines or cloud accounts in your organization. This article explains what each remediation button does for assets in your environment, covering both the Endpoint Detect and Cloud Detect versions of remediation.

Endpoint Detect

ThreatLocker Endpoint Detect provides two types of remediation for machines in your environment. Remediation can be applied to a machine at any point while you are investigating it, and the controls are located in the following areas:

  • ThreatLocker Detect Alert Center - The 'Actions' column in the ThreatLocker Detect Alert Center will allow you to Lockdown or Isolate the object that the alert was triggered on.

Additionally, selecting the checkbox to the left of an Endpoint Detect alert will populate buttons to Lockdown or Isolate a machine. This will allow you to apply remediation to all selected machines at once.

  • Asset Actions - The 'Asset Actions' section of the Incident Center will provide a list of all assets tied to the case. To the right of the 'Asset Actions' section, you will be able to Lockdown or Isolate the desired machine.

Lockdown and Isolate are remediation options that are essential for your environment during a potential breach, but these options serve different purposes:

  • Lockdown - When a machine is placed into Lockdown mode, ThreatLocker ensures that the machine remains entirely unresponsive until Lockdown is removed. The following will be applied to the machine once it is placed into Lockdown mode.
    • Inbound and outbound network traffic will be blocked.
      • ThreatLocker will be able to communicate with this machine during Lockdown.
    • Reads and writes on protected storage will be prevented.
    • Programs, INCLUDING some Windows applications, cannot run.
  • Isolate - When a machine is placed into Isolate mode, ThreatLocker will restrict all inbound and outbound network traffic on the machine until the Isolate mode is removed.
    • ThreatLocker will be able to communicate with this machine during Isolate mode.

Isolate mode is the right tool when you only need to block network traffic. If a more significant threat is present on the machine, Lockdown mode provides a more robust response, since it also stops program execution and access to protected storage, preventing attackers from engaging with your environment.

Cloud Detect

ThreatLocker Cloud Detect provides three remediation methods for your Office 365 accounts. Remediation can be applied to an Office 365 account while an active alert is present on the account, and the controls are located in the following areas:

  • ThreatLocker Detect Alert Center - The 'Actions' column in the ThreatLocker Detect Alert Center will allow you to lock the account that the alert was triggered on.

  • Asset Actions - The 'Asset Actions' section of the Incident Center will provide a list of all assets tied to the case. To the right of the 'Asset Actions' section, you will be able to Lockout or Revoke Session Tokens for Office 365 accounts in the case.

By selecting the 'ellipsis' button, an additional remediation option, Revoke & Lockout, is also available.

Lockout and Revoke Session Token serve different purposes in your environment during a potential breach:

  • Lockout - Locks the selected user's account. Locking the account prevents the user from logging in to the associated account until the Lockout is removed. Applying this to an account does not log out any active sessions.
  • Revoke Session Token - Revokes all current session tokens, logging the user's account out of all devices. This will require the user to re-enter credentials to regain access, but the account will not be locked.
  • Revoke & Lockout - A combination of Lockout and Revoke Session Token. This option revokes all current session tokens AND locks the user out of their account, preventing them from gaining or retaining access: the account is logged out of all devices and, at the same time, cannot log back in until the Lockout is removed.
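The three options above differ only in which of two states they change: whether existing session tokens remain valid, and whether new logins succeed. The following model is an added illustration written for this article, not ThreatLocker's or Microsoft's code; the in-memory Account store, the token format and the function names are assumptions. Each function follows the descriptions above: Lockout leaves active sessions alive, Revoke Session Token leaves the account able to log back in, and Revoke & Lockout closes both paths.

```python
"""Model of account remediation semantics (added example, not vendor code).

The Account store, token format and function names below are assumptions
made for illustration; the behaviour mirrors the article's descriptions.
"""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


@dataclass
class Account:
    name: str
    password: str
    locked: bool = False
    # Session tokens currently valid for this account (constructed in-memory store).
    sessions: Set[str] = field(default_factory=set)


def login(account: Account, password: str) -> Optional[str]:
    """Issue a new session token, or None if the password is wrong or the account is locked."""
    if account.locked or password != account.password:
        return None
    token = secrets.token_hex(8)
    account.sessions.add(token)
    return token


def access(account: Account, token: str) -> bool:
    """Accept an existing session as long as its token has not been revoked.

    The lock flag is deliberately NOT consulted here: as the article notes,
    locking an account does not log out sessions that are already active.
    """
    return token in account.sessions


def lockout(account: Account) -> None:
    """Lockout: block new logins, leave existing sessions untouched."""
    account.locked = True


def revoke_session_tokens(account: Account) -> None:
    """Revoke Session Token: invalidate every active session, leave the account unlocked."""
    account.sessions.clear()


def revoke_and_lockout(account: Account) -> None:
    """Revoke & Lockout: revoke all sessions AND block new logins."""
    revoke_session_tokens(account)
    lockout(account)


def remediation_outcome(remediation: Callable[[Account], None]) -> Dict[str, bool]:
    """Apply one remediation to a fresh account that already has an active session.

    Returns whether the pre-existing session still works afterwards and whether
    the user can start a new session with valid credentials.
    """
    acct = Account("alice@example.invalid", "correct horse")  # constructed sample account
    existing = login(acct, "correct horse")
    assert existing is not None  # baseline: an unlocked account issues a session
    remediation(acct)
    return {
        "existing_session_still_works": access(acct, existing),
        "new_login_possible": login(acct, "correct horse") is not None,
    }


if __name__ == "__main__":
    for label, fn in [
        ("Lockout", lockout),
        ("Revoke Session Token", revoke_session_tokens),
        ("Revoke & Lockout", revoke_and_lockout),
    ]:
        print(f"{label:22s} {remediation_outcome(fn)}")
```

Running the block prints one line per option; only Revoke & Lockout reports both `existing_session_still_works` and `new_login_possible` as `False`, which is why an attacker who already holds a session is not removed by Lockout alone, and one who still holds valid credentials is not kept out by Revoke Session Token alone.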