ThreatLocker Health Center and Health Report

9 min. read. Last update: 04.23.2025

Health Center

Health Center is a dynamic dashboard containing all the information you need to keep your network and endpoints secure and operational.  

To access the Health Center, select ‘Health Center’ from the left-hand side of the page. 

 

The Health Center is where you can get an “at-a-glance” overview of your organization. The Health Center provides quick access to vulnerability information in your organization such as: 

  1. Permit All Policies - Policies that permit use of all applications. This would effectively bypass the default deny policy and is not recommended by ThreatLocker. 

 

Selecting the ‘Permit All Policies’ section will open a pop-up page with a list of all Policies that permit the use of all applications. 

From within this area, you can quickly delete the Policy by using the trash can icon to the right of the Policy. 

 

You can also switch the ‘Active’ switch off to easily turn off the policy. 

 

Lastly, you can select the policy name to be brought to the ‘Edit Application Policy’ side-panel, allowing you to make more granular changes to this policy. 

By deleting ‘Permit All’ policies, you are limiting the number of potentially harmful applications that can be run in your environment. 

  1. Network Default Deny Policy - This verifies that machines within your organization are secured by the ThreatLocker Network Control deny policy. This denies access to network connections that are not covered by a permit policy.

Selecting this section will open a popout window, which shows you all groups in the organization that are missing the Network Control deny all policy. 

From here, you can select the '+ New NC Policy’ button to create a new Network Control policy. 

You can also select the trashcan icon to the right of the policy to delete it. 

 

  1. Monitor Only Policies/Computers - This section shows you all policies within your organization that are set to ‘Monitor’: policies that should be denied but can be used for as long as they’re in monitor mode. This will also show you if there are devices in your organization that have not been in ‘Secured Mode’ for over 21 days.

Selecting this section will open a popout window with a list of applications that have been set to a Monitor status. Computers that have been in Application Control Monitor Only OR Application Control Learning Mode for more than 21 days will also appear here. 

This page provides you with the ‘Status’ column, which will allow you to quickly switch the policy out of ‘Monitor’ mode and into ‘Secured’ mode. 

 

You can also select each of the policies listed to quickly open the ‘Edit Application Policy’ side panel, allowing you to make more granular changes to your policy. This includes being able to switch it into ‘Secured Mode’ once more. 

  1. Allow File Access Policies - This shows policies that have Ringfencing enabled within your organization but still allow access to some of your files.

 

Selecting this option brings you to a page with a list of all policies that are Ringfenced but still permit file access. 

From this page, you can use the switches on the left side of the page to make a policy active or inactive, or you can delete the policy using the trashcan icons on the right-hand side of the page. The best way to remediate these findings, however, is to select an application and navigate to the 'Edit Application Policy’ page. 

Here, you can navigate to the ‘Actions’ section to view your Ringfencing parameters. 

  

Switching the ‘Restrict this application from accessing files?’ option ‘On’ will remove this application from the ‘Allow File Access Policies’ section of the ‘Health Center’. 

 

  1. Permitted Path Only Rules - This section will show you all applications within your organization that contain a path-only rule. This means that the application is permitted by the path name only, allowing for a broad number of applications to be permitted. 

Selecting this section will open a popout window with a list of all applications that have a path only rule within them. 

From here, you can switch the policy from being active to inactive. You can also select the trashcan icon to quickly delete the policy from the page. The best way to remediate rules that appear in this section is to select the ‘Rules’ bar from the top of the page. 

Once this is selected, you will be shown all rules in the organization that are path only. You can delete the rule if it is not necessary by using the trashcan icon. Otherwise, you can select the individual rules to open an ‘Edit Rule’ window, which gives you the ability to add to this path-only custom rule.

Select the ‘Update’ button at the bottom of the page once you have added more to this rule than just the path. Once done, the fixed rule will disappear from the list.

  1. Remote Management - This feature shows you instances of policies that permit applications created by your RMM in the last 7 days. ThreatLocker shows you this so you can be informed of what your RMM is permitting. 

 

Selecting this section opens a popout window that shows you all policies that are in this category. 

From here, you can select to keep the policy active using the switch on the left-hand side of the page. 

 

You can also change the Status of the policy using the ‘Status’ column. It is recommended that policies be kept in ‘Secured’ mode at all times. 

 

You can also delete the policy using the trashcan icon on the right-hand side of the page. 

 

Lastly, you can select the policy to open the ‘Edit Application Policy’ page to make more granular changes to the policy. All of these options combined allow you to quickly delete policies or rules related to RMMs in your organization to prevent unwanted or unnecessary files from remaining in the environment. 

  1. Unused Policies - This category shows you a list of policies that have not been matched in the last 6 weeks. This can aid in cleaning out your organization if you have several applications that have not been used in a long time. 

 

Selecting this section will open a popout window with a list of all policies that fit this criterion. 

This page allows you to switch the policy between active and inactive using the switch on the left-hand side of the page. It also allows users to change the status of the policy, and to delete it using the trashcan icon on the right side of the page. 

  1. Missing Updates - This feature shows you all built-ins that you have in your organization and whether any of them are missing updates. 

Selecting this section will open a popout window with a list of all applications that are missing updates. This information is only available if Patch Management is enabled in your organization. 

From here, you can also view how many computers are affected by these missing updates. In the ‘Action’ column, you will see three options: Patch All, Skip All, and Mark All Resolved. You can select one of these options at this time. If instead of ‘Actions’ you see ‘Not Managed’, this means that the application is not managed by the Patch Manager at this time. You can also select the application to open the Built-Ins page where the same actions will be available. Here, you will be able to toggle between the different tabs for this application. 

For further information regarding ‘Patch Management’, please consult the following article: 

  1. Unified Audit Summary - This area shows the activity based on the Unified Audit within your organization for the last hour. This will populate as a graph with different colors indicating the action taken: Green (Permitted), Red (Denied), Orange (Ringfenced), Pink (Denied (Option to Request)), Black (No Policy Action). 

You will also see a button titled ‘Unified Audit’ on the bottom right-hand corner of the graph. Selecting this will bring you to the Unified Audit page, populating results from 12AM – 11:59PM of the current date. 

 

  1. Login Attempts - The Login Attempts map shows you areas where users have attempted to log in to the ThreatLocker portal. Selecting ‘Denied’ or ‘Success’ on the map will show you areas in which users were able to or attempted to log in. You can toggle between having a map or a list view of all login attempts. 

You can also choose the number of days that the lookback period will cover. By default, the Login Attempts section will show you the last 30 days, but by selecting the dropdown, you can choose to see only 14 or 7 days as well. 

 

At the bottom right corner of the map, you will see a button labeled ‘Login Settings’. Selecting this will allow you to change login restrictions and ThreatLocker Access to your organization. For more information regarding the ‘Login Settings’ button, please refer to the following article: 
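
The policy and computer checks listed above can be expressed as a small audit routine, shown here as an added example that is not ThreatLocker code. Assumptions: the field names and the sample inventory are hypothetical and constructed, a path-only rule is modeled as a rule with a path but no hash or certificate condition, and the 21-day, 7-day and 6-week thresholds are the ones stated in the descriptions above.

```python
from datetime import date, timedelta

# Thresholds taken from the Health Center descriptions above.
MONITOR_LIMIT = timedelta(days=21)  # computers out of Secured mode
RMM_WINDOW = timedelta(days=7)      # recent policies created by the RMM
UNUSED_AFTER = timedelta(weeks=6)   # policies with no match

def path_only(rule):
    """True when a rule identifies files by path alone (assumed: no hash/cert)."""
    return bool(rule.get("path")) and not (rule.get("hash") or rule.get("cert"))

def policy_findings(p, today):
    """Return the Health Center categories that one policy falls under."""
    checks = [
        ("Permit All Policies", p["permit_all"]),
        ("Monitor Only Policies", p["status"] == "Monitor"),
        ("Allow File Access Policies", p["ringfenced"] and not p["restrict_files"]),
        ("Permitted Path Only Rules", any(path_only(r) for r in p["rules"])),
        ("Remote Management", p["by_rmm"] and today - p["created"] <= RMM_WINDOW),
        ("Unused Policies", today - p["last_matched"] > UNUSED_AFTER),
    ]
    return [name for name, hit in checks if hit]

def stale_computers(computers, today):
    """Computers in Monitor Only or Learning Mode for more than 21 days."""
    return [c["name"] for c in computers
            if c["mode"] in ("Monitor Only", "Learning")
            and today - c["since"] > MONITOR_LIMIT]

# Constructed inventory; field names are hypothetical, not a ThreatLocker export.
TODAY = date(2025, 4, 23)
POLICIES = [
    dict(name="Legacy permit-everything", permit_all=True, status="Secured",
         ringfenced=False, restrict_files=False, rules=[], by_rmm=False,
         created=date(2024, 1, 10), last_matched=date(2025, 4, 22)),
    dict(name="Backup agent", permit_all=False, status="Monitor", by_rmm=True,
         ringfenced=True, restrict_files=False, rules=[{"path": r"C:\Tools\Backup\*"}],
         created=date(2025, 4, 20), last_matched=date(2025, 4, 21)),
    dict(name="PDF viewer", permit_all=False, status="Secured", by_rmm=False,
         ringfenced=True, restrict_files=True, created=date(2024, 6, 1),
         rules=[{"path": r"C:\Apps\pdf.exe", "hash": "CONSTRUCTED-HASH"}],
         last_matched=date(2025, 3, 1)),
]
COMPUTERS = [dict(name="WS-01", mode="Learning", since=date(2025, 3, 1)),
             dict(name="WS-02", mode="Monitor Only", since=date(2025, 4, 10))]

for p in POLICIES:
    print(p["name"], policy_findings(p, TODAY))
print("stale computers:", stale_computers(COMPUTERS, TODAY))
```

A single policy can land in several categories at once, as the constructed "Backup agent" entry does, which is why remediation is best done from the policy's edit panel rather than one finding at a time.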

 

Software Health Report

The Software Health Report offers valuable insights into ongoing activities within an organization's environment, supplemented by actionable recommendations empowering users to bolster their organization's overall protection.  

To download your organization’s Software Health Report, navigate to the top right of the ‘Health Center’ page within your organization. Select the ‘Software Health Report’ button. This will download a PDF of your Health Report. 

 

Details Included in the Software Health Report 

  • Device Count:  

    • The percentage of devices with ThreatLocker deployed. 

    • Devices secured vs devices not secured in the organization. 

  • Applications: 

    • Permitted applications.  

    • Policies that permit applications with known vulnerable files, such as Log4j. 

    • Breakdown of applications and their countries of influence. 

    • Telemetry data: descriptions of the applications permitted in the organization. 

    • Software to prioritize and review, including applications that have previous vulnerabilities or might be susceptible to them, such as:  

      • Remote Tools and Software 

      • Password Managers 

      • Games and Entertainment 

      • VPN Tools  

  • Policies:    

    • Policies that permit applications. 

    • Policies that have not been used. 

    • Storage policies that are restricted. 

    • Elevation Policies 

    • Default Deny Network Policies 

    • Ringfenced Policies 
