ThreatLocker Insights

2 min. readlast update: 02.24.2025

ThreatLocker Insights displays anonymized information about files. File data is gathered across the ThreatLocker customer base, and Insights displays the data based on how that file behaves in 90% of environments. 

Insights will show:

  • The common name of the file
  • The hash of the file
  • Permit History - show how often this file is permitted and denied across 90% of ThreatLocker environments
  • Connections 
    • Parent processes seen in 90% of occurrences
    • Network connections seen in 90% of occurrences
    • Child processes/dependencies seen in 90% of occurrences 
    • File extensions seen used by the file in 90% of occurrences
  • The date the file was first seen in the world
  • The popularity of the file - how commonly it is observed
  • The risk score of the file - based on behavior and potential for abuse, how much risk does permitting this file introduce

Insights data can be retrieved from an Approval Request and an expanded Unified Audit Entry.

Approval Request Insights

Navigate to Response Center > Approvals.

Select an Approval Request to open the sidebar.

Located below the File Details section, select the Insights button to open Insights.

To view known dependencies, select 'Do not use known application' and provide a name for the application. The 'Add Dependencies' button will populate, and by selecting it, the known dependencies will be added below the hash-only rule with a label showing the dependency came from  ThreatLocker Insights.

Using this option can eliminate the need to put a machine in installation or learning mode.

Unified Audit Insights

Navigate to the Unified Audit. Press the 'Search' button to populate entries.

Select an entry for an executable file to open the sidebar. The Insights button will be located at the top of the sidebar.

Select the Insights button to open the Insights window.

Was this article helpful?