The ThreatLocker Detect Alert Center has undergone significant changes to improve the quality of investigating alerts within your organization. While there have been only minor changes to the ThreatLocker Detect Alert Center page, ThreatLocker has now implemented a new way to evaluate alerts, the Incident Center, within the ThreatLocker Portal. This article covers changes to the Alert Center and Incident Center, and explains how to navigate them effectively.
Navigating to the ThreatLocker Detect Alert Center
To locate the ThreatLocker Detect Alert Center, select the ‘Detect’ button from the left-hand side of the page. This will open the ‘ThreatLocker Detect Alert Center’ by default.
OR
Hover over the ‘Detect’ button on the left-hand side of the page. A hover-over menu will appear, and from here, you can select the ‘Threats’ option from the menu. Selecting this option will bring you to the ‘ThreatLocker Detect Alert Center’.
Changes to Detect With New Menu
You will notice how the ‘Detect’ button in the new sidebar appears red and includes a notification with a number in it. The block of red will appear on the button when at least one alert is active within the ‘ThreatLocker Detect Alert Center’. Additionally, depending on the total number of active alerts in the organization, a notification showing that total will be visible.
Note: This number will change based on whether the ‘Include Child Organizations’ checkbox is checked or not. If the ‘Include Child Organizations’ checkbox is checked, and there are child organizations that have active alerts, the total number of active alerts will display. If the number of active alerts exceeds 99, the notifications will display ‘99+’.
This notification will also appear in the ‘Threats’ portion of the hover-over menu, as well as over the ‘Threats’ tab found in the top-right corner of any page within the ‘Detect’ section.
If there are no active alerts in your organization, the ‘Detect’ button will appear as follows:
These changes were implemented in the ThreatLocker Portal to make it easily visible that an alert is active in your organization.
The ThreatLocker Detect Alert Center
The ‘ThreatLocker Detect Alert Center’ is optimized to provide the most efficient way to evaluate your alerts. The Alert Center page offers users several options for viewing and sorting alerts.
Filters
At the top of the ‘ThreatLocker Detect Alert Center’ is a section with filters to search for alerts in your organization.
- Module – Set to ‘All’ by default, this filter lets you choose whether to display only Endpoint or Cloud Detect alerts. You can also display both alert types at once. The following options are available within this dropdown:
  - All – Displays both Endpoint and Cloud Detect alerts
  - Endpoint Detect – Displays only Endpoint Detect alerts
  - Cloud Detect – Displays only Cloud Detect alerts
- Filter By – Set to ‘Active’ by default, this filter lets you filter alerts by their current status. The following options are available within this dropdown:
  - All – Displays all alerts that have occurred within the organization.
  - Active – Provides all alerts that have not yet been cleared or resolved and still require investigation.
  - Cleared – A list of all alerts that have been investigated and cleared by an admin or Cyber Hero.
  - Resolved – A list of alerts where the object was taken out of Lockdown or Isolation mode, OR for Cloud Detect alerts, the user was taken out of Lockout or Revoke Access mode.
  - Remediated – Alerts where the object is currently placed into Lockdown or Isolation mode, OR for Cloud Detect alerts, the user’s account was placed into Lockout or Revoke Access mode.
- Search – A field to search for terms associated with alerts. You can use this field to search for object names (names of assets or Microsoft 365 accounts) that have previously had alerts triggered on them. Additionally, you can search for terms that are found in the ‘Most Recent Alert’ category, which provides a small snippet of details outlining the most recent alert that has been triggered on the object.
- Severity – Set to ‘All’ by default, this filter lets you choose which severity of alerts to show in your search. The following options are available within this dropdown:
  - All – Shows both alert severities, which are ‘Warning’ and ‘Severe’, within the provided list.
  - Severe – Shows alerts that have been designated as ‘Severe’ by either pre-existing ThreatLocker policies or a Detect Policy created by users in your organization.
  - Warning – Shows alerts that have been designated as ‘Warning’ by either pre-existing ThreatLocker policies or a Detect Policy created by users in your organization.

  Note: Informational alerts will not appear as the most recent alert in the Alert Center, as they require an active Warning or Severe alert to become visible. Informational alerts will only be visible in the Incident Center.
- Include Child Organizations – This checkbox is not selected by default. When selected, any alerts from Child Organizations that match the filters you have applied will also populate in the list below.
These filters can be combined, allowing you to narrow down search results for various alerts in your organization.
Alerts Table
Under the ‘Filters’ section is the ‘Alerts Table’. Here, you can see all alerts, categorized by various columns.
- Date Created – The date and time that the most recent alert was triggered on the object. By default, this section will populate the most recent alerts at the top of the page. Active alerts on objects already on the page will move to the top when a new alert is generated. By selecting the ‘Date Created’ field, you can reverse the order of alert appearances by making the oldest alerts appear at the top.
- Object Name / Organization – The name of the asset or Microsoft 365 account that is associated with the alert. By selecting the ‘Object Name / Organization’ field, you can group alerts from the same organization together in either alphabetical or reverse alphabetical order. Objects will either be from Endpoint Detect alerts or Cloud Detect alerts:
  - Endpoint Detect – If an alert was generated from Endpoint Detect, a computer icon will be displayed to the left of the asset name. The asset name provides the user with a link to open the ‘Computer Details’ sidebar for the selected asset. If the ‘Include Child Organizations’ checkbox is selected, and an alert is from a child organization, the name of the child organization will be visible beneath the asset name. Finally, to the right of the asset name is a button labeled ‘View Unified Audit’. When selected, this button will take you to the Unified Audit with the following filters applied:
    - Start Date – Set to two minutes before the Date Created on the alert.
    - End Date – Set to match the time in the Date Created field, but will round up if necessary.
    - Asset Name – The name of the machine that generated the alert.
    - Include Child Organizations – Included by default, will show Unified Audit logs from child organizations if the selected alert is from one.
    - Remove White Noise – Included by default.
  - Cloud Detect – If an alert was generated from Cloud Detect, a cloud icon will be displayed to the left of the object name. To the right of the cloud icon is the name of the user associated with the Microsoft 365 account, marked as bold. Underneath is the Microsoft 365 account address. Lastly, if the ‘Include Child Organizations’ checkbox is selected, and an alert was generated from a child organization, the name of the Child Organization will display underneath the Microsoft 365 account address.
- Most Recent Alert – This column displays what is put into the ‘Summary’ field in the ‘Policy Actions’ section when creating or editing a Detect Policy. This summary can be created by users in your organization if the alert is from a custom policy, or by a Cyber Hero if it is from a policy created by ThreatLocker. These summaries aim to give a brief description of what the most recent alert is flagging.
- Severity – This column shows the alert's severity. This severity can be designated by a user in your organization when creating a ThreatLocker Detect policy, or by a Cyber Hero if it is from a ThreatLocker-created policy. There are only two types of severities that will display on this page:

  Note: Informational alerts will not appear as the most recent alert in the Alert Center, as they require an active Warning or Severe alert to become visible. Informational alerts will only be visible in the Incident Center.
  - Warning – Warning alerts can indicate malicious behaviors or activities, such as lateral movement within an organization or persistence. An alert categorized as ‘Warning’ might help build context for a more intense situation in your organization if it is triggered alongside other Informational, Warning, or Severe alerts.
  - Severe – Severe alerts can indicate a more serious problem than a Warning alert. Severe alerts are typically categorized by ThreatLocker as symptoms of an active compromise, direct impact, or policies that chain multiple Informational or Warning alerts in order to generate. This allows for very high fidelity. A Severe alert appearing alongside other Warning or Informational alerts can also indicate a compromised environment.
- Active Alerts – This column shows the total number of alerts on an object. This number counts only the total number of Severe and Warning alerts and does not include Informational alerts.
- Threat Level – The combined total of the Threat Level Impact on each active alert on the object. Threat levels can be designated by the user who created the Detect policy, or if it is a ThreatLocker Policy, by a Cyber Hero. The Threat Level will not be changed based on the ‘Number of Occurrences’ that an alert has undergone.
- Case – The name of the case that this triggered alert is associated with.
- Assigned Analyst – A list of analysts who have been assigned to a case in the Incident Center. Analyst initials will be displayed here, and hovering over each set of initials will show you the full name of the assigned analyst.

  Note: If a Cyber Hero has been assigned as an analyst to this case, this will show with the initials 'TL' and display as 'Cyber Hero MDR' when hovered over.
- Actions – Buttons that provide users with the ability to Lockdown or Isolate machines associated with Endpoint Detect, or Lock Account for Cloud Detect users. Once one of these buttons is selected, the user will be prompted to provide a reason for why the action is being taken on the machine. After confirming the action, the alert will be moved to the ‘Remediations’ section of the ‘Filter By’ tab. You will then be able to remove whatever action you have placed on the object from this area or from within the case that the object is associated with. This section will also provide a ‘Clear All Alerts’ action, which allows you to clear all alerts on the object you’ve chosen.
Incident Center
The Incident Center is the streamlined way to investigate alerts in your organization. With the addition of the Incident Center, you can combine related alerts from across your organization into a single case, keeping all information in one place for you to review. To navigate to the Incident Center, simply select any available alert on your ThreatLocker Detect Alert Center.
The Incident Center can also be accessed from the ‘Computer Details’ page. To access this, hover over the ‘Assets’ tab on the left-hand side of the ThreatLocker Portal. Then, select the ‘Devices’ button from the pop-out menu.
Now on the ‘Devices’ page, select the name of the device you are investigating to open the ‘Computer Details’ sidebar. Once here, select the ‘ThreatLocker Detect’ tab on the left side of the ‘Computer Details’ sidebar.
Selecting this button will automatically open the Incident Center with the case that the device is attached to.
Case Name
In the top left corner of your case is the ‘Case Name’ section. Here, you can view the name of your case, view assets associated with the case, and assign analysts to it.
- Case Name – This field contains the name of your case. ThreatLocker will automatically assign a name to your case when an alert is generated, and the object is not currently in a case.
- Edit Case Name – Selecting this button lets you change the case name. Once this button is selected, the field becomes accessible, allowing a new name to be entered. Once you have entered the desired case name, you can select the ‘check’ button or select the ‘X’ button if you would like to cancel editing your case name.
- This field provides users with the name of the organization that devices in the case belong to. Selecting the organization name will open the ‘Edit Organization Settings’ sidebar. To the left of the organization name is a button labeled ‘Copy Case Link’ that lets you easily add the case link to your clipboard.
- Objects – This section lists all objects associated with the case. Multiple objects can appear here, and both Endpoint and Cloud Detect objects can be added to the same case. An object that has had an action taken on it in the case cannot be removed from it, but if the object has an ‘X’ to the right of the object name, it can be.

  Additionally, if there are multiple objects in a case, you can select the object name to filter out all case activity EXCEPT for activity pertaining to the selected object. By selecting the object name again, the page will revert to providing information for all objects in the case.
- Assigned Analysts – This section lists the analysts assigned to the case. Analysts can be assigned by selecting the ‘+’ button. Upon selection of this button, a pop-up menu will appear with a list of all admins in your organization. From here, you can search for specific users and select the checkbox next to their name to add them to a case.

  Analysts can also be added to a case when a user performs an action on it. Adding an exclusion, clearing an alert, putting a machine into isolation mode, and more will all count as actions being taken on a case.
Alerts
The Alerts section of the Incident Center is the main area where you can view alerts generated for objects in your current case.
MITRE Framework Filters
At the top of the Alerts section is a list of different MITRE categories. Here, you can see immediately whether there are any active alerts in the organization that match one of the frameworks. If there is at least one active alert that matches the categories listed in the current case or that has been discovered in the entire organization, the category will turn red. Additionally, a number will appear under the category name, showing the number of alerts categorized as this.

The number to the left shows the total number of alerts in this category in the case, whereas the number to the right shows the total number of alerts in this category across the entire organization.
By selecting one of the MITRE Framework filters, the Alerts tab will ONLY display alerts flagged as relevant to this category. Selecting the filter again will remove the filter and display all alerts for the case.
All Alerts Popout Window
Located under the list of categories to the right is a button that, when selected, displays a pop-up window showing all active alerts across all machines in the organization.


First, this section provides a selection of filters that allow users to search for specific active alerts:

- Start Date - The earliest point in time at which ThreatLocker is indicated to search for active alerts in the case. By default, this filter will be set to 12:00 AM of the current day.
- End Date - The latest point in time at which ThreatLocker is indicated to search for active alerts in the case. By default, this filter will be set to 11:59 PM of the current day.
- Severity - What severity level the alerts you are searching for have. By default, 'All' will be selected, but users can also choose to view only 'Information', 'Warning', or 'Severe' alerts.
- Search - A search bar that lets users enter keywords that are relevant to alerts.
- Search Button - Searches for alerts based on the filters a user has entered.
- Clear - Clears all current filters.
- CSV Button - A button that allows users to export all alerts that apply to the current filters to a .csv file for easy viewing capability.
Under the 'All Alerts' filters, columns display information about the alerts you are viewing.

- Date Created - The date and time that the alert was generated on. This matches the organization's time zone.
- System Time - The system time on an asset when the alert was generated.
- Occurrences - The number of occurrences for that particular alert.
- Threat Level - The total threat level of the chosen alert.
- User - The name of the user associated with this alert.
- Policy Name - The policy matching the alert that was triggered.
- Policy Description - A brief message regarding what the alert is for, or even a link to a resource about the alert if one is provided.
- Severity - The severity level of the alert, which can be 'Information', 'Warning', or 'Severe'.
- Policy Labels - Labels that are associated with an alert to help identify what kind of alert it is.
- Action Type - The action type that matches the corresponding alert. The action type provides users with valuable information, such as whether a file was executed, moved, etc.
- Action - The official way that this particular alert/log was handled. Users will be able to determine in this area whether the log was permitted or denied. Users can also view whether the log would have been denied, but was permitted because the machine was not secured.
- Summary - A summary of the alert that was triggered.
- Details - Details that are related to the alert.
- Full Path - The full path associated with an alert, if one is available.
- ExclusionCount - The number of exclusions that are associated with that particular alert. There is a plus button to the right of this field that lets users create a new exclusion using information from the alert.

- Configure Columns - A wrench button that, when selected, provides a list of most columns for alerts. By default, all columns are selected; however, you can use this button to add or remove columns as needed to cater to your specific requirements.

Below this section is the list of alerts that match the filter criteria you have entered. To view each alert, select one of the alerts on the list. This will drop down and show all relevant information about the alert. This dropdown provides the same information as the ‘View Full Log’ button on the alerts page. Multiple dropdowns can be viewed at the same time, and selecting the alert again will close the dropdown.

Alerts Advanced Filter
The alerts section provides users with an advanced filter, allowing you to create a more granular search through alerts in your case.
The search bar allows you to search for keywords from the policy name or alert summary. Additionally, each MITRE Framework filter is associated with a label. The search bar lets you find labels related to the MITRE Framework filters.
To the right of the search bar is the ‘Advanced Filter’ button. When this button is selected, a pop-up window appears with additional filters you can apply to your list of alerts.
- Show Cleared Alerts – This checkbox adds a filter that shows only cleared alerts.
- Only Show Evidence – This checkbox adds a filter that displays only alerts added to case evidence.
- Filter by Severity Dropdown – Allows you to filter by alert severity, with four options. You can select only one option at a time, and selecting a severity will only show alerts that match that severity.
  - All
  - Severe
  - Warning
  - Information
Lastly, ThreatLocker provides users with a ‘Group By Policy’ checkbox, which is selected by default. When checked, instead of showing each instance of a policy alerting individually, the policies will be grouped. This view will show you each type of alert that appears in the selected case.
This view will also show you how many times the alert type occurred, along with a timeframe indicating the first and most recent instances of the alert appearing within the organization.

Selecting one of the grouped policies will display a list of all alerts that have matched the selected policy.

If the number of triggered alerts exceeds the provided field, a button at the bottom of the list titled ‘View More Alerts’ is displayed. This button opens the ‘Alerts Popout Window’, which can be configured to display all information related to the policy you selected.
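As an added illustration (this is example code, not ThreatLocker's own), the Python below models the roll-up rules documented for the Alerts Table earlier in this article and for the ‘Group By Policy’ view: identical alerts collapse into a ‘Number of Occurrences’, only Warning and Severe alerts count as active and make an object visible, ‘Threat Level’ adds each alert's impact once regardless of occurrences, and policies are grouped with their first and most recent instance. The alert fields, policy names and sample alerts are constructed, and excluding Informational impact from the Threat Level sum is an assumption the page does not state.

```python
from collections import defaultdict
from dataclasses import dataclass, replace
from datetime import datetime

# Only Warning and Severe alerts count toward 'Active Alerts' and make an
# object visible in the Alert Center; Informational alerts are Incident Center only.
COUNTED_SEVERITIES = {"Warning", "Severe"}


@dataclass(frozen=True)
class Alert:
    """One raw Detect alert. Field names are this example's own, not ThreatLocker's."""
    object_name: str          # asset name or Microsoft 365 account
    policy_name: str
    summary: str              # the policy's 'Summary' text shown as 'Most Recent Alert'
    severity: str             # "Information", "Warning" or "Severe"
    threat_level_impact: int
    created: datetime
    log_fingerprint: str      # constructed stand-in for "log information matched identically"
    cleared: bool = False
    occurrences: int = 1


def collapse_occurrences(alerts):
    """Fold alerts whose object, policy and log details are identical into one
    alert carrying a 'Number of Occurrences', keeping the most recent timestamp."""
    merged = {}
    for a in sorted(alerts, key=lambda x: x.created):
        key = (a.object_name, a.policy_name, a.log_fingerprint)
        if key in merged:
            prev = merged[key]
            merged[key] = replace(prev, created=a.created, cleared=a.cleared,
                                  occurrences=prev.occurrences + a.occurrences)
        else:
            merged[key] = a
    return list(merged.values())


def alert_center_rows(alerts):
    """Derive the per-object rows of the Alert Center's Alerts Table.

    Rules from the article: cleared alerts are not active; the row shows the most
    recent Warning/Severe alert; 'Active Alerts' counts Warning and Severe only;
    'Threat Level' adds each active alert's impact once, whatever its occurrence
    count; objects with only Informational alerts get no row; newest rows first.
    Assumption (not stated on the page): Informational impact is not summed either.
    """
    by_object = defaultdict(list)
    for a in collapse_occurrences(alerts):
        if not a.cleared:
            by_object[a.object_name].append(a)

    rows = []
    for obj, items in by_object.items():
        counted = [a for a in items if a.severity in COUNTED_SEVERITIES]
        if not counted:
            continue
        latest = max(counted, key=lambda a: a.created)
        rows.append({
            "object_name": obj,
            "date_created": latest.created,
            "most_recent_alert": latest.summary,
            "severity": latest.severity,
            "active_alerts": len(counted),
            "threat_level": sum(a.threat_level_impact for a in counted),
        })
    rows.sort(key=lambda r: r["date_created"], reverse=True)
    return rows


def group_by_policy(alerts, show_cleared=False):
    """The Incident Center's 'Group By Policy' view: per policy, how many times it
    fired and the first and most recent instance (counted over raw alerts)."""
    groups = {}
    for a in alerts:
        if a.cleared and not show_cleared:
            continue
        g = groups.setdefault(a.policy_name,
                              {"severity": a.severity, "count": 0,
                               "first": a.created, "last": a.created})
        g["count"] += 1
        g["first"] = min(g["first"], a.created)
        g["last"] = max(g["last"], a.created)
    return groups


# Constructed sample alerts (not real ThreatLocker data or policy names).
T0 = datetime(2024, 5, 6, 9, 0)
SAMPLE_ALERTS = [
    Alert("WS-01", "Scheduled task created", "New scheduled task registered",
          "Warning", 10, T0, "task-A"),
    Alert("WS-01", "Unsigned binary accessed protected process", "Protected process memory read",
          "Severe", 50, T0.replace(minute=30), "mem-B"),
    # Same object, policy and log details as above: becomes a second occurrence.
    Alert("WS-01", "Unsigned binary accessed protected process", "Protected process memory read",
          "Severe", 50, T0.replace(minute=31), "mem-B"),
    Alert("WS-01", "Executable run from temp folder", "Process launched from a temp folder",
          "Information", 5, T0.replace(minute=40), "temp-C"),
    # Cleared by an admin: no longer active, so it drops out of the Alerts Table.
    Alert("WS-02", "Scheduled task created", "New scheduled task registered",
          "Warning", 10, T0.replace(hour=11), "task-D", cleared=True),
    # Only an Informational alert: visible in the Incident Center, not the Alert Center.
    Alert("alice@example.com", "Sign-in from a new location", "Sign-in from an unusual location",
          "Information", 5, T0.replace(hour=10), "signin-E"),
]

if __name__ == "__main__":
    for row in alert_center_rows(SAMPLE_ALERTS):
        print(row)
    for policy, g in group_by_policy(SAMPLE_ALERTS).items():
        print(policy, g["count"], g["first"], g["last"])
```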
View Alerts in Case/Organization
To the right of the filters, you will see two icons labeled 'View Alerts in Case' and 'View Alerts in Organization'.

By default, 'View Alerts in Case' will be selected when you open a case. This page displays all alerts currently tied to a case, including all machines or accounts associated with it. By selecting the 'View Alerts in Organization' button, you will be able to see other active threats in the organization. These active threats will be presented in a list view with the object name, policy, summary, full log, and date/time the alert was received. If you see another alert in your organization that is related to the case you are in, you can use this area to add the object to the case.

- Active Threat - Information about the alert, allowing you to determine if this alert is related to your current case.
- Go to Case - This button links to the full case associated with this alert.
- Add to Case - This button adds the selected machine and its active alerts to the current case.
Anatomy of an Alert
Alerts present on this page will look similar to our old version of the ThreatLocker Detect page. The following section will outline what information is provided within an alert, and what actions can be taken on an alert from the Incident Center:
- Object Name – Provides the object name associated with the alert. If the name is too long for the field, you can hover over this area to reveal the full name. A computer or cloud icon will be visible to the right of the object, depending on the type of object that generated the alert. Selecting the object name of an Endpoint Detect alert will open the ‘Computer Details’ sidebar.
- Policy Name – This section shows the name of the policy that generated the alert. If the policy was created by a user in your organization, you can select it to open the Edit Endpoint/Cloud Detect Policy sidebar. This allows users to apply policy changes or view the policy's conditions directly from the Incident Center. If the policy is created by ThreatLocker, it will be grayed out and cannot be selected.
- Alert Summary – The summary created for the alert. This will typically be a brief explanation of what the alert is for.
- View Full Log – A button that, when selected, provides a dropdown with a list of all relevant information from your alert. Information will vary depending on the generated alert, but it provides a quick summary of the logs important for investigating the selected alert.
- Received On – Provides the date and time at which the alert was generated on the machine.
- Threat Level Impact – The Threat Level that was assigned to the selected alert.
- Number of Occurrences – The total number of times that an identical alert would have generated on the machine. This means that the alert generated would have created a separate alert in your organization, but the information in its logs matched identically to the other existing alert. ThreatLocker provides this information visually to show how many times this alert occurred without overloading your Alerts Center.
- Exclusion Count / Add Exclusion – If the policy does not have an exclusion applied to it, this section will show ‘Add Exclusion’ with a ‘+’ button to the right of it. If an exclusion does exist for this policy, this section will show ‘Exclusion Count’, followed by the number of exclusions for this policy in your organization and a ‘+’ button to the right of it.
- Alert Severity – The severity level of the alert. This section can display Information, Warning, or Severe depending on the severity that was designated to the policy.
- Add to/Remove From Evidence – When a case is closed, a record of the closed case will exist in the ‘Case History’ tab. The Case History window combines information about alerts generated on the objects during the case's active period, Incident History, and Asset Notes. The ‘Alerts’ section here will display all alerts that had ‘Add to Evidence’ selected at the time that the case was closed. By default, ALL alerts with a Warning or Severe severity level will automatically have this button activated, which will include them in the closed case’s history. Information alerts can be added to evidence as well, but must be added manually by selecting this button. This feature allows you to curate your alerts in the event that there are alerts you deem not relevant to the final closed case.
Exclusions
The 'Exclusions' section is found beneath the 'Alerts' section. This is a list containing all exclusions related to the case.

- Exclusion information, which includes the policy name, the level the exclusion applies to, what is being excluded, and the expiration of the exclusion, if applicable.
- This button can be used to expand or close the 'Exclusions' panel. By default, this panel is closed.
- A button that allows you to delete exclusions.
Incident Center Banner
On the Incident Center page, an optional banner might appear in the middle.
There are three scenarios in which this banner will appear, and all three banners can appear simultaneously:
- Known Threats Within a Case – This banner appears when an alert in the case contains a known hash or IP address that VirusTotal has classified as a threat. This banner will include a ‘View Threats’ button that filters the Unified Audit in the Incident Center to show results related to the known threat.
- Computers in Monitor Mode in the Organization – This banner appears if one or more machines in the organization are in Monitor Mode. This banner will provide a button titled ‘View Asset’, which will take you to the ‘Devices’ page to view the asset that has had Monitor Mode applied to it.
- High/Critical Failed DAC Checks in Organization – This banner appears when at least one High Risk or Critical DAC check is failed in your organization. This banner will provide a button titled ‘View DAC’, which will redirect you to the DAC Dashboard to view all failed DAC checks within your organization.
If none of the above situations apply in your environment, this banner will disappear and shift the ‘Task Manager’ and ‘Unified Audit’ sections to the top of the page.
Task Manager
The ‘Task Manager’ section of the Incident Center is located above the ‘Unified Audit’ portion of the page. This section allows you to select between assets in the case to view the current process list on the device. It is required that the device agent is checking in. This feature is ONLY available for Windows machines. This section is collapsed by default, but selecting the ‘arrows’ to the right of the section will expand it.
Once expanded, a dropdown menu listing all assets in the case will appear. Select this dropdown, then choose an asset to begin loading your process list details.
Note: Please allow some time for the process list to populate, as process list details will load when the machine checks in next.
When the process list is populated, you will see a list of all processes running on the selected machine.
A search bar is available to search for keywords relevant to the processes you are looking for. Additionally, you can refresh the process list for an updated view. The total number of processes that were running on the machine at the time that the list was generated will also be available in the ‘Process Count’ section.
In the process list, you are shown each process run, including the user who ran it, the parent process, and the PID. To the left of each process, you can also see the process size.

If the process is not run by Windows, it can be selected, and a pop-up window will appear. This window lets you kill the selected process by PID or process name. After selecting how you want to kill the process, selecting the ‘Kill Process’ button will kill it on the selected machine.
Selecting the ‘Cancel’ button will close the window.
Unified Audit
The Unified Audit section is a compact version of the Unified Audit page. The Unified Audit section will be expanded by default, but can be collapsed by using the arrow button to the right of the section title.
This section provides the same Advanced Search filters as in the full version of the Unified Audit. For questions regarding 'Advanced Search', please navigate to the following article:
By default, the following filters will be applied to the Unified Audit whenever the Incident Center is opened:
- Start Date – 12:00 AM on the current date
- End Date – 11:59 PM on the current date
- Filter to remove white noise
- Individual entries for each Asset Name in the case
A search bar is provided for users to search for keywords associated with Unified Audit logs they are investigating.
To the right of the filter button is a button that, when selected, opens the full Unified Audit page, including the search parameters you specified on this page.

When the Unified Audit logs populate, you will see a list of information, including the asset name, user name, process path, date and time, and Action Type. Selecting any of these logs will open a sidebar that displays the full information for that Unified Audit log.


Asset Actions
The 'Asset Actions' section provides information on the state of all assets in a case during evaluation. Based on the provided information, this can help you further determine if a machine should be remediated or if alerts can be cleared. The 'Asset Actions' section can be found in the top right corner of the Incident Center. The following is provided in this section:

- Asset Name - The name of the machine or cloud account. Selecting this button will open the 'Computer Details' sidebar associated with the selected asset.
- Asset State - A text field that displays the current state the asset is in. The following messages may appear here based on the asset's current status:
  - “This asset is currently Locked Down” - Will appear if the asset is in a Locked Down state.
  - “This asset is currently Isolated” - Will appear if the asset is in an Isolated state.
  - “This asset is currently Locked Out” - Will appear if the asset is a cloud account that has been Locked Out.
  - “This asset is currently Available” - Will appear if the asset is not a Locked Out cloud account, OR the machine is not in a remediated state.
  - “This asset has policy actions taken” - Will appear when a policy action is enabled on the asset.

  If there is a policy action enabled on the asset, you can hover over this field to reveal a tooltip with information regarding the policies that have been applied to an asset while the case is active.
- Action Buttons - The 'Asset Actions' section also includes actionable buttons to remediate or clear alerts on an asset.
  - Endpoint Detect - Assets belonging to Endpoint Detect will display the following buttons in this area:
    - Lockdown - Makes the asset inaccessible. The asset can still communicate with ThreatLocker.
    - Isolate - Revokes all network activity except for communication with ThreatLocker.
    - Clear System - Clears all alerts associated with the asset and removes remediation.
    - More Actions - An ellipsis button that, when selected, opens a dropdown with additional actions.
    - Call - If you made a call while investigating an asset, this button provides a field to add notes from that call. Selecting the 'Save Response' button will add a log to the 'Incident History' section with the notes you added.
  - Cloud Detect - Assets belonging to Cloud Detect will display the following buttons in this area:
    - Lockout - Locks the account, preventing users from logging in.
    - Revoke Session Token - Logs the user's account out of all devices.
    - Clear System - Clears all alerts associated with the asset and removes remediation.
    - More Actions - An ellipsis button that, when selected, opens a dropdown with additional actions.
    - Call - If you made a call while investigating an asset, this button provides a field to add notes from that call. Selecting the 'Save Response' button will add a log to the 'Incident History' section with the notes you added.
    - Revoke & Lockout - Applies both the Lockout and Revoke Session Token remediation methods simultaneously, making it so that the associated user is logged out of their account on all devices, and that their account can't be logged into.

Incident History
The 'Incident History' section is a comprehensive list of all actions taken on a case. The Incident History updates for every action that is taken on the case. This can include actions such as assigning an analyst to the case, adding an exclusion, clearing the system, remediating machines, and more.
Actions that are exclusive to the Cyber Hero MDR team will also appear in this section. This includes actions such as escalating an alert, sending an email, sending notifications to machines, and more.

Any messages sent by users will be included in this log list as well. This includes emails sent by the Cyber Hero MDR team, as well as the reasons provided for why an asset was remediated.

Once the case is closed, the Incident History will be visible in the Case History page.
Asset Notes
Below the 'Incident History' is the 'Asset Notes' section. This area allows users to enter notes related to alert investigations and serves as a comprehensive reference.
By default, the 'Asset Notes' section will be hidden, but you can use the expand button to display it.

To create a note, enter a note in the field, then use the 'Select Assets' dropdown to choose an asset or assets to apply the note to. Once you select the 'Save' button, the note will appear listing the associated asset, the note, the date and time the note was added, and the analyst who inserted it.


Incident Center Case Tabs
If you have multiple active cases in your organization, ThreatLocker has configured the new ThreatLocker Detect Alert Center to create a separate tab for each case as you open them. Upon selecting a case, a tab will open at the top of the page, visible on the ThreatLocker Detect Alert Center and Incident Center case pages.

These tabs will let you quickly switch between the cases you are reviewing during your investigation. If you no longer need a tab open, you can select the 'X' button to remove it from the list of open tabs.
