The ThreatLocker Detect module validates your zero-trust policies by allowing you to create rules that notify or respond to specified events. ThreatLocker Detect uses telemetry data, threat levels, and policies to define and communicate the current level of attack on your system.
Navigating to ThreatLocker Detect
To navigate to the ThreatLocker Detect module, expand the 'Modules' dropdown menu within the ThreatLocker Portal and select 'ThreatLocker Detect'.
ThreatLocker Detect Terminology
Policy Conditions: Monitored parameters that may indicate potential compromise or weakness.
- Action Type
- Application
- Canary File Path - specify the full path of a file to be monitored for manipulation
- Category - select a software category to monitor for
- Certificates
- CMD Line Parameters - insert a CMD Line parameter to monitor. A Full Path condition must be specified before a CMD Line Parameter condition can be added.
- Country - select a software country of origin to monitor for
- Created By Process - input a process to monitor if/when that process creates another file
- Current Threat Level - input a threat level threshold to trigger the policy once that threshold has been passed
- Destination Domain
- Destination IP Address
- Destination Port
- Device Type
- Elevation Status
- Encryption Status
- Windows Event Log Parameters - an Event Log ID condition must be set before any other Event Log parameter can be selected.
  - Event Log Description - input an Event Log Provider Name to monitor for
  - Event Log ID - input an Event Log ID to monitor for
  - Event Log Keywords - input a 64-bit mask to monitor for
  - Event Log Level - select a severity or importance to monitor for
    - Critical: Events with a critical level indicate severe problems that require immediate attention. These events often signify a critical failure or system crash.
    - Error: Error-level events represent significant issues but are not as severe as critical events. They indicate problems that need attention but might not necessarily lead to a system crash.
    - Warning: Warning-level events highlight situations that may lead to issues if not addressed but do not represent an immediate problem. It is a cautionary level indicating potential problems.
    - Information: Information-level events provide general information about the system's normal operation. These events are not warnings or errors but serve to document normal activities or system events.
    - Audit Success: Events with this level indicate a successful security audit event, such as a user logging in successfully.
    - Audit Failure: Events with this level indicate a failed security audit event, such as a failed login attempt.
  - Event Log Message - input here will be checked against the "General" tab in Windows Event Log.
  - Event Log Name - input a Channel name to monitor for
  - Event Log Opcode - input a numeric Event Log Opcode to monitor for
    - 0: Undefined or General Operation
    - 1: Start
    - 2: Stop
    - 3: Info (Informational)
    - 4: Success
    - 5: Failure
  - Event Log Task Category - input a numeric task code to monitor for
- File Size (Bytes) - input the byte size to monitor for
- Full Path - input a full path to monitor for
- Hostname - select a hostname to monitor
- Monitor Only
- Network Direction
- Occurrences
- Parent Process: Application
- Parent Process: Certificate
- Parent Process: File Size (Bytes)
- Parent Process: SHA256
- Parent Process: ThreatLocker Hash
- Policy
- Policy Action
- Process Path
- Registry Key Change
- Risk - select from risks identified by the ThreatLocker MDR team to monitor for.
- Serial Number
- SHA256
- Source IP Address
- ThreatLocker Hash
- Transport Layer
- Username
Policy Actions: Actions that are triggered based on meeting designated policy conditions.
- Call Rest API - send a JSON payload to the API URL specified
- Call Rest API (Client) - send a JSON payload to the API URL specified directly from the endpoint
- Call Webhook - send a JSON payload to the specified URL
- Call Webhook (Client) - send a JSON payload to the specified URL directly from the endpoint
- Create Alert - send an alert to the Response Center and allow the threat level to increase. Alerts set with a severity of 'Information' will not be visible on the main grid, but will be shown in the slideout.
- Create Ticket (Requires an active integration with a ticketing system) - when configured, this will send a ticket directly to the integrated ticketing system
- Disable Application Control Policy
- Disable Network Control Policy
- Disable Storage Control Policy
- Enable Application Control Policy
- Enable Network Control Policy
- Enable Storage Control Policy
- Isolate Machine - blocks new inbound and outbound network communication attempts on the target machine except for communication with ThreatLocker.
- Lockdown Machine - blocks new inbound and outbound network communication attempts on the target machine except for communication with ThreatLocker, and blocks all programs from running, including Windows
- Send Email
Threat Levels: Custom numerical levels that contain a specific set of action policies that activate when a specified threat level is reached.
For a general guideline on determining which Threat Level to assign on a policy, we recommend keeping these values in mind:
- 1 to 50 - Low Threat
- 100 - Medium Threat
- 200 or more - High Threat
Please note: Once a policy has created an alert, the Threat Level will not increase, even if the same policy condition continues to occur, until the active alert has been cleared.
Adding a New Policy
To add a new policy, navigate to the ThreatLocker Detect module and click the '+ New Policy' button.
This will open the 'Create New Policy' side panel.
Policy Info
In the 'Policy Info' section, enter the policy name into the dedicated text field. Then, select your desired policy icon from the dropdown menu. Finally, type out a description of your policy.
Policy Conditions
Caution: Starting with the 1.7.5 Portal release, which added grouped All/Any conditions, all endpoints need ThreatLocker Version 8.7 for the grouped conditions to function as intended.
On endpoints running ThreatLocker versions earlier than 8.7, Any and All conditions that are combined in one policy are evaluated as a single Any, which can lead to false positives and the actions they trigger.
First, decide if all conditions must be met before the policy action(s) will occur or if the policy action(s) will occur when any of the conditions are met.
Then, select the condition from the corresponding dropdown menus. Click the green '+' icon to add more conditions. If you do not require any additional conditions, move on to the next section of the panel.
To remove a condition, click the red '-' icon.
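As an added example (not ThreatLocker's code; the event field names, the exact-match comparison, the sample events and the policies are assumptions), this Python model walks through the semantics described above: All/Any condition grouping, including the pre-8.7 collapse to Any, the Full Path prerequisite for a CMD Line Parameters condition, and Threat Level accumulation with the rule that an active alert blocks further increases from that policy until it is cleared.

```python
from dataclasses import dataclass, field

# Constructed sample events; field names are assumptions, not ThreatLocker's real schema.
EVENTS = [
    {"full_path": "C:\\Tools\\psexec.exe", "cmd_line": "-s", "event_log_id": 0},
    {"full_path": "C:\\Windows\\System32\\svchost.exe", "cmd_line": "-s", "event_log_id": 0},
    {"full_path": "C:\\Windows\\System32\\lsass.exe", "cmd_line": "", "event_log_id": 4625},
]

def validate(conditions):
    # Page rule: a CMD Line Parameters condition requires a Full Path condition.
    keys = [k for k, _ in conditions]
    if "cmd_line" in keys and "full_path" not in keys:
        raise ValueError("CMD Line Parameters requires a Full Path condition first")
    return conditions

@dataclass
class Policy:
    name: str
    threat_level: int
    all_of: list = field(default_factory=list)  # every condition must match
    any_of: list = field(default_factory=list)  # at least one condition must match
    def matches(self, event, agent_version=(8, 7)):
        hit = lambda k, v: event.get(k) == v  # simplified exact-match comparison (assumption)
        if agent_version < (8, 7) and self.all_of and self.any_of:
            # pre-8.7 agents evaluate combined All/Any groups as a single Any
            return any(hit(k, v) for k, v in self.all_of + self.any_of)
        return (all(hit(k, v) for k, v in self.all_of)
                and (not self.any_of or any(hit(k, v) for k, v in self.any_of)))

POLICIES = [  # processed top to bottom, as in the Detect policy list
    Policy("psexec with -s", 100, all_of=validate([("full_path", "C:\\Tools\\psexec.exe"), ("cmd_line", "-s")])),
    Policy("svchost oddity", 50, all_of=[("full_path", "C:\\Windows\\System32\\svchost.exe")],
           any_of=[("cmd_line", "-s"), ("event_log_id", 4625)]),
]

class ThreatState:
    def __init__(self):
        self.level, self.active_alerts = 0, set()
    def evaluate(self, event, agent_version=(8, 7)):
        for p in POLICIES:
            if p.matches(event, agent_version) and p.name not in self.active_alerts:
                self.level += p.threat_level
                self.active_alerts.add(p.name)  # no further increase from this policy until cleared
    def clear_alert(self, name):
        self.active_alerts.discard(name)
    def band(self):  # guideline bands from above; values between bands fall to the lower band (assumption)
        if self.level >= 200: return "High"
        if self.level >= 100: return "Medium"
        return "Low" if self.level >= 1 else "None"
```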
Policy Actions
Expand the Action dropdown menu to select the desired response(s).
Certain actions will prompt additional required fields. Once all fields are completed, click the green '+' icon to add an additional policy action. If you do not require any additional actions, move on to the next section of the panel.
Policy Expiration & Order
Choose if this policy will be active when created by using the provided toggle.
Choose an optional expiration date.
Choose where the policy will show up in the overall order of ThreatLocker Detect policies. Policies process from top to bottom.
Create Policy & Deploy Policies
Once you have configured the policy as desired, select '+ Create Policy'. The new policy will now appear on your policy list.
Select 'Deploy Policies' to apply your new policy to your environment.
Need Additional Assistance?
For more information about ThreatLocker Detect or Threat Levels, please see our ThreatLocker Detect course in ThreatLocker University or reach out to the Cyber Heroes, who are always available to help.