The ThreatLocker Detect Alert Center

12 min. read. Last update: 10.28.2024

The ThreatLocker Detect Alert Center is divided into two areas: Threats and Remediation. 

ThreatLocker Detect Alert Center: Threats

The main grid in the Threats tab contains the most recent active alerts received from both Cloud and Endpoint Detect, along with summary Threat Level information and quick action buttons. By default, only the logged-in Organization's alerts will be displayed. Select the checkbox next to 'Include Child Organizations' to view alerts from all child organizations as well.

The Threats page contains filtering and searching abilities as follows:

  1. Module - Select to show alerts from all modules, Endpoint Detect, or Cloud Detect.
  2. Filter By - Select to view all alerts or choose between:
    1. Active - Alerts that have not been cleared or resolved.
    2. Cleared - Alerts that have been cleared by Clear All Alerts.
    3. Resolved - Alerts that resulted in a Remediation action that was later Resolved. (i.e., a computer was Locked Down, and then the Lockdown was removed)
    4. Snoozed - Alerts that are currently Snoozed.
  3. Search - Input text in the search bar to find alerts that contain matching text in the Object Name or alert description.
  4. Severity - Select to view alerts with all severities (Severe and Warning), or choose to view only Severe or only Warning level alerts.

The Threats grid is comprised of the following columns:

  1. Date Created - This is the date that the most recent Alert was received on the specified "Object". 
  2. Object Name - This is the name of the ThreatLocker Object. For Endpoint Detect, this will be the hostname, and for Cloud Detect this will be the user account.  The blue icon located beside the Object Name will link directly to the Unified Audit. The Unified Audit will be filtered to show that specific object for a time period from one minute before the alert was created to one minute after the alert was created.
  3. Most Recent Alert - This column will show the description of the most recent alert received for the specific object. 
  4. Severity - This column will display the Severity of the most recent alert. The main grid will only show Warning and Severe alerts. Information alerts are only visible in the sidebar to reduce the amount of noise on this main grid.
  5. Active Alerts - This column will display a count of the number of active alerts on the specific object.
  6. Threat Level - This column will display the total current Threat Level on the specific object.
  7. Actions - This column contains quick action icons.

Endpoint

      1. Lockdown - Locks down the endpoint, blocking all network traffic except for communication with ThreatLocker,  and all application executions except for vital Windows functions.
      2. Isolate - Blocks all network traffic, isolating the computer from the rest of the network. Only communication with ThreatLocker is permitted.
      3. Clear All Alerts - Clear all active alerts on the endpoint.

Cloud

      1. Lock Account - Locks the account to prevent further access to 365 resources by this account name.

The main grid also contains multi-select options to quickly address multiple objects at the same time.
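To make the grid's aggregation concrete, here is an added Python model (not ThreatLocker's code) that builds Threats rows from a constructed list of alerts and applies the Module, Filter By, Severity and Search controls. How Threat Level is totalled and how Information alerts are kept off the grid are assumptions marked in the docstring; the 10-minute Snooze default and the one-minute Unified Audit window are taken from this article.

```python
from datetime import datetime, timedelta

# Constructed sample alerts (not real ThreatLocker data). "object" is the Object
# Name the grid shows: a hostname for Endpoint Detect, an account for Cloud Detect.
NOW = datetime(2024, 10, 28, 10, 0)
ALERTS = [
    {"object": "WS-FIN-01", "module": "Endpoint", "severity": "Severe", "impact": 50,
     "desc": "Known threat executed", "created": NOW - timedelta(minutes=5), "state": "Active"},
    {"object": "WS-FIN-01", "module": "Endpoint", "severity": "Information", "impact": 5,
     "desc": "New USB storage device", "created": NOW - timedelta(minutes=30), "state": "Active"},
    {"object": "WS-FIN-01", "module": "Endpoint", "severity": "Warning", "impact": 20,
     "desc": "Elevation of unapproved app", "created": NOW - timedelta(hours=2), "state": "Cleared"},
    {"object": "jdoe@example.com", "module": "Cloud", "severity": "Warning", "impact": 25,
     "desc": "Sign-in from unusual location", "created": NOW - timedelta(minutes=20),
     "state": "Active", "snoozed_until": NOW + timedelta(minutes=10)},  # default 10 min snooze
]

def effective_state(alert, now):
    """An active alert counts as Snoozed only until its snooze length elapses."""
    if alert["state"] == "Active" and alert.get("snoozed_until", now) > now:
        return "Snoozed"
    return alert["state"]

def audit_window(alert):
    """Unified Audit link window: one minute either side of the alert's creation."""
    return alert["created"] - timedelta(minutes=1), alert["created"] + timedelta(minutes=1)

def threats_grid(alerts, now, module="All", filter_by="Active", severity="All", search=""):
    """One row per object with the Threats grid columns. Assumed (not stated by the
    article): Threat Level sums Threat Level Impact over the object's active alerts,
    Information included; Information alerts never become the Most Recent Alert."""
    rows = {}
    for a in alerts:
        st = effective_state(a, now)
        if module != "All" and a["module"] != module:
            continue
        if filter_by != "All" and st != filter_by:
            continue
        if severity != "All" and a["severity"] != severity:
            continue
        if search and search.lower() not in (a["object"] + " " + a["desc"]).lower():
            continue
        row = rows.setdefault(a["object"], {"Active Alerts": 0, "Threat Level": 0})
        if a["state"] == "Active":  # snoozing hides an alert but does not clear it
            row["Active Alerts"] += 1
            row["Threat Level"] += a["impact"]
        if a["severity"] != "Information" and a["created"] >= row.get("Date Created", a["created"]):
            row.update({"Date Created": a["created"], "Severity": a["severity"],
                        "Most Recent Alert": a["desc"]})
    return [{"Object Name": o, **r} for o, r in rows.items() if "Most Recent Alert" in r]
```

Objects whose only matching alerts are Information level produce no row, matching the article's note that such alerts appear only in the sidebar.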

ThreatLocker Detect Sidebar

The ThreatLocker Detect sidebar displays data collected on a specific object relevant to investigating cyber incidents. It can be accessed by selecting an alert from the Response Center or by selecting an endpoint and pressing the 'ThreatLocker Detect' tab on the left edge of the computer sidebar.

The top of the sidebar contains quick action buttons.

Endpoint

  1. Deploy Policies - Deploy pending policies to this specific endpoint. If Exclusions are made for this endpoint, press Deploy Policies to apply the Exclusions to the endpoint.
  2. Lockdown - Locks down the endpoint blocking all network traffic except for communication with ThreatLocker, all application executions except for vital Windows functions, and all read/write storage activity on monitored folders.
  3. Isolate - Isolates the endpoint, blocking all network traffic except for communication with ThreatLocker.

Cloud

Lock Account - Locks the account to prevent further access to O365 resources by this account name.

Below the quick action buttons, there are up to 10 tabs for Endpoint Detect and 3 tabs for Cloud Detect.

  1. Alert Details (Cloud and Endpoint) - This tab displays the details of all active alerts on the specific object, including Information level alerts.
    1. Anatomy of an Alert

      1. Policy Name - This is the name of the policy from which this alert was created. When selected, it will open the policy's Edit sidebar.
      2. Description - When expanded, this will display the Alert Details, Policy Notes, and Policy Details.
      3. View Action Log - When selected, this will display the full Action Log received from the ThreatLocker Agent.
      4. Date/Time - This is the date and time the alert was created.
      5. Actions - This will display all policy actions specified in the policy, such as Create Ticket or Send Email.
      6. Threat Level Impact - This is the amount that is specified in this policy to increase the Threat Level.
      7. Number of Occurrences - This is the number of times this alert has been triggered since the last time alerts were cleared.
      8. Exclusion Count - This is the number of exclusions that have been created for this endpoint on this policy.
        1. Anatomy of an Exclusion

          1. In the first dropdown, select an Applies To level for the exclusions. By default, this will be set to the object impacted by the alert, but it can be changed to include a Computer Group or the Entire Organization.
          2. The Exclusion Expiration is an optional field in which you can set a time to expire this exclusion.
          3. The Choose an Exclusion dropdown will contain all areas from which this specific alert can be excluded. Once an item is selected here, this object will be excluded from the policy whenever that exact condition is matched.
  2. Executes (Endpoint) - This tab displays Execute logs from the endpoint in the last 24 hours. The timeframe can be adjusted to show logs from the past month. 
    1. By default, it will show 'Known Threats Only', which will display execute actions that are flagged by at least 1 antivirus vendor as possibly malicious. You can also select to view All.
    2. By default, all Policy Actions will be displayed, but you can select to show Permit, Deny, Deny (Option to Request), or Any Deny.
    3. On any Known Threat entry, you will have the option to Upload and Delete. This red button will remove the file from the endpoint and upload it to ThreatLocker's file repository.
  3. Installs (Endpoint) - This section displays all Install actions on the endpoint in the last 24 hours. The timeframe can be adjusted to show logs from the past month.
    1. By default, it will show 'Known Threats Only', which will display install actions that are flagged by at least 1 antivirus vendor as possibly malicious. You can also select to view All.
    2. On any Known Threat entry, you will have the option to Upload and Delete. This red button will remove the file from the endpoint and upload it to ThreatLocker's file repository.
  4. Baseline (Endpoint) - This section displays all Baseline actions on the endpoint in the last 24 hours. The timeframe can be adjusted to show logs from anytime.
    1. By default, it will show 'Known Threats Only', which will display baseline actions that are flagged by at least 1 antivirus vendor as possibly malicious. You can also select to view All.
    2. On any Known Threat entry, you will have the option to Upload and Delete. This red button will remove the file from the endpoint and upload it to ThreatLocker's file repository.
  5. Network (Endpoint) - This section displays all Network activity on the endpoint in the last 24 hours. The timeframe can be adjusted to show logs from the past month.
    1. By default, it will show 'Known Threats Only', which will display network activity that is flagged by at least 1 antivirus vendor as possibly malicious. You can also select to view All.
    2. By default, it will show Policy Action Permit. This can be changed to display Permit, Deny, Ringfenced, or All.
  6. Elevation (Endpoint) - This tab will display Elevation actions in the last 24 hours. The timeframe can be adjusted to show logs from the past month.
    1. By default, it will show all Elevation actions, but it can be changed to show 'Known Threats Only'.
  7. Storage (Endpoint) - This tab displays Storage logs from the endpoint in the last 24 hours. The timeframe can be adjusted to show logs from the past month. 
    1. By default, it will display all Action Types, but you can select between Read, Write, Move, or Delete.
    2. By default, all Policy Actions will be displayed, but you can select to show Permit, Deny, or Ringfenced.
  8. Exclusions (Cloud and Endpoint) - This tab displays all Exclusions made for the specific object.
  9. Snooze History (Cloud and Endpoint) - This tab will display a history of when the Snooze button was used, who used it, what time length was selected, and when it was started.
  10. Remediator (Endpoint) - The Remediator tab provides an interface for gaining shell access to the endpoint. For more information on how to use the Remediator, please see the associated article: The Remediator | ThreatLocker Help Center (kb.help).

The bottom of the sidebar contains buttons to Clear All Alerts, Snooze Alerts, or Cancel. 

  1. Clear All Alerts - This button clears all active alerts for this object. The alerts will be removed from the main grid, but can be viewed again at any time by filtering the main grid to show cleared alerts.
  2. Snooze Alerts - This button temporarily removes the alerts from the main grid. The time length of the Snooze is customizable, but will default to 10 minutes.
  3. Cancel - This closes the sidebar without making any changes to the alerts.

ThreatLocker Detect Alert Center: Remediation

The Remediation tab contains all objects that have been placed into a Remediation state from both Cloud and Endpoint Detect, along with the most recent alert and summary Threat Level information. Quick action buttons are included to remove the Remediation state or switch between Remediation states. By default, only the logged-in Organization's objects will be displayed. Select the checkbox next to 'Include Child Organizations' to view objects from all child organizations as well.

The main Remediation page contains the ability to filter and search as follows:

  1. Module - Select to view objects in Remediation from all modules, or select between Endpoint or Cloud Detect.
  2. Filter By - Filter by the specific status of Lockdown, Isolate, or Account Lockout, or select all to view them all.
  3. Search - Input text in the search bar to find alerts that contain matching text in the Object Name or alert description.

The main grid has the following columns:

  1. Date Modified - This is the date/time that the object was placed into a remediation state.
  2. Object Name - In Endpoint Detect, this is the hostname, and in Cloud Detect, it is the account name that is in a Remediation state.
  3. Most Recent Alert - This column will show the description of the most recent alert received for the specific object. 
  4. Threat Level - This column displays the total Threat Level of the impacted object at the time the Remediation state was started.
  5. Notes - This column displays the notes that were inserted when the object was placed into a Remediation state.
  6. Actions - This column contains quick actions to Remediate the object, or change it to a different Remediation state as follows: 
      1. Cloud - Unlock Account
      2. Endpoint - Remove Lockdown, Remove Isolate, or switch from one to the other.

Selecting an object from the main grid will open the same Detect sidebar as outlined above.

If you need assistance with the Alert Center or any other area of the ThreatLocker portal, please contact a Cyber Hero.
