The ThreatLocker Ops module validates your zero trust policies by allowing you to create rules that notify or respond to specified events. ThreatLocker Ops uses telemetry data, your threat levels, and your policies to define and communicate the current level of attack on your system.
Navigating to ThreatLocker Ops
To navigate to the ThreatLocker Ops module, expand the 'Modules' dropdown menu within the ThreatLocker Portal and select 'ThreatLocker Ops'.
ThreatLocker Ops Terminology
Policy Conditions: Monitored parameters which may indicate potential compromise or weakness. Example policy conditions include, but are not limited to:
- Policy Name
- Cmd Line Parameters
- Remote Presence
- Event Log Source ID
- Encryption Status
Policy Actions: Actions which are triggered based on meeting designated policy conditions. Example policy actions include, but are not limited to:
- Health Center Alert
- Send Email
- Enable Application Policy
- Increase Threat Level
- Isolate Machine
Threat Levels: Custom numerical levels which contain a specific set of action policies that activate when a specified threat level is reached. More information about Threat Levels will be found later in this course.
Adding a New Policy
To add a new policy, navigate to the ThreatLocker Ops module and click the '+ New Policy' button.
This will open the 'Create New Policy' side panel.
Policy Level & Policy Info
Open the 'Policy Level' dropdown menu to select the desired policy level.
In the 'Policy Info' section, enter the policy name into the dedicated text field. Then, select your desired policy icon from the dropdown menu. Finally, type out a description of your policy.
First, decide whether all conditions must be met before the policy action(s) take place, or whether the policy action(s) take place when any one of the conditions is met.
Then, select the condition, operator, and value from the corresponding dropdown menus. Click the green '+' icon to add more conditions. If you do not require any additional conditions, move on to the next section of the panel.
To remove a condition, click the red '-' icon.
Expand the Action dropdown menu to select the desired response(s).
Certain actions will prompt additional required fields. Once all fields are completed, click the green '+' icon to add an additional policy action. If you do not require any additional actions, move on to the next section of the panel.
Policy Expiration & Order
Choose if this policy will be active when created by using the provided toggle.
Choose an optional expiration date.
Choose where the policy will show up in the overall order of ThreatLocker Ops policies. Policies process from top to bottom.
Create Policy & Deploy Policies
Once you have configured the policy as desired, select '+ Create Policy'. The new policy will now appear on your policy list.
Select 'Deploy Policies' to apply your new policy to your environment.
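The 'all' versus 'any' choice, the active toggle, the expiration date and the top-to-bottom order all affect which actions fire, so it helps to reason through a rule set before deploying it. The Python model below is an added example, not ThreatLocker code or a description of its engine: the operator names, dictionary layout, sample policies and events are constructed, and it assumes every matching policy fires, since the page does not say whether processing stops at the first match.

```python
from datetime import date

# Assumed operators: the page only says an operator is chosen from a dropdown.
OPERATORS = {
    "equals": lambda actual, want: actual == want,
    "contains": lambda actual, want: str(want).lower() in str(actual).lower(),
}

def condition_met(cond, event):
    field, op, want = cond
    # Telemetry that lacks the field never satisfies the condition.
    return field in event and OPERATORS[op](event[field], want)

def policy_matches(policy, event):
    results = [condition_met(c, event) for c in policy["conditions"]]
    if not results:
        return False  # a policy without conditions never fires in this model
    return all(results) if policy["match"] == "all" else any(results)

def evaluate(policies, event, today):
    """Return (name, actions) for each live, matching policy, top to bottom."""
    fired = []
    for p in policies:
        expired = p["expires"] is not None and p["expires"] < today
        if p["active"] and not expired and policy_matches(p, event):
            fired.append((p["name"], p["actions"]))
    return fired

def make_policy(name, match, actions, expires=None, active=True):
    # Constructed conditions using two condition types named on the page.
    conditions = [("Cmd Line Parameters", "contains", "-EncodedCommand"),
                  ("Remote Presence", "equals", True)]
    return {"name": name, "match": match, "conditions": conditions,
            "actions": actions, "expires": expires, "active": active}

# Constructed rule set (in processing order) and constructed telemetry events.
POLICIES = [
    make_policy("strict", "all", ["Isolate Machine"]),
    make_policy("broad", "any", ["Health Center Alert"]),
    make_policy("lapsed", "any", ["Send Email"], expires=date(2024, 1, 1)),
]
TODAY = date(2025, 1, 1)
EVENTS = {
    "remote": {"Cmd Line Parameters": "powershell.exe -EncodedCommand AAAA", "Remote Presence": True},
    "local": {"Cmd Line Parameters": "powershell.exe -EncodedCommand AAAA", "Remote Presence": False},
    "benign": {"Cmd Line Parameters": "notepad.exe report.txt", "Remote Presence": False},
}
print({label: evaluate(POLICIES, ev, TODAY) for label, ev in EVENTS.items()})
```

In this model the 'any' policy alerts on the local event that the 'all' policy ignores, which is the trade-off to weigh before attaching a disruptive action such as 'Isolate Machine' to a broad rule.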
Need Additional Assistance?
For more information about ThreatLocker Ops or Threat Levels, please see our ThreatLocker Ops course in ThreatLocker University or reach out to the Cyber Heroes who are always available to help.