ThreatLocker Ops

7 min. read | Last update: 04.10.2024

The ThreatLocker Ops module validates your zero trust policies by letting you create rules that notify on, or respond to, specified events. ThreatLocker Ops uses telemetry data, your threat levels, and your policies to determine and communicate the current level of attack on your system. 

Navigating to ThreatLocker Ops

To navigate to the ThreatLocker Ops module, expand the 'Modules' dropdown menu within the ThreatLocker Portal and select 'ThreatLocker Ops'. 


ThreatLocker Ops Terminology

Policy Conditions: Monitored parameters which may indicate potential compromise or weakness. 

  • Action Type 
  • Application 
  • Canary File Path - specify the full path of a file to be monitored for manipulation 
  • Category - select a software category to monitor for
  • Certificates
  • CMD Line Parameters - input a command-line parameter to monitor for. A Full Path condition must be set before a CMD Line Parameter condition can be specified.
  • Country - select a software country of origin to monitor for
  • Created By Process - input a process to monitor for files created by that process 
  • Current Threat Level - input a threat level threshold; the policy triggers once the current threat level passes that threshold
  • Destination Domain 
  • Destination IP Address 
  • Destination Port
  • Device Type 
  • Elevation Status
  • Encryption Status 
  • Windows Event Log Parameters - an Event Log ID condition must be set before any other Event Log parameter can be selected.
    • Event Log Description - input an Event Log Provider Name to monitor for
    • Event Log ID - input an Event Log ID to monitor for
    • Event Log Keywords - input a 64-bit keyword mask to monitor for
    • Event Log Level - select a severity or importance to monitor for
      • Critical: Events with critical level indicate severe problems that require immediate attention. These events often signify a critical failure or system crash.
      • Error: Error-level events represent significant issues but not as severe as critical events. These events indicate problems that need attention but might not necessarily lead to a system crash.
      • Warning: Warning-level events highlight situations that may lead to issues if not addressed but do not represent an immediate problem. It's a cautionary level indicating potential problems.
      • Information: Information-level events provide general information about the system's normal operation. These events are not warnings or errors but serve to document normal activities or system events.
      • Audit Success: Events with this level indicate a successful security audit event, such as a user logging in successfully.
      • Audit Failure: Events with this level indicate a failed security audit event, such as a failed login attempt.
    • Event Log Message - the value entered is checked against the rendered message text shown on the "General" tab in Windows Event Viewer.
    • Event Log Name - input a Channel name to monitor for
    • Event Log Opcode - input a numeric Event Log Opcode to monitor for  
      • 0: Undefined or General Operation
      • 1: Start
      • 2: Stop
      • 3: Info (Informational)
      • 4: Success
      • 5: Failure
    • Event Log Task Category - input a numeric task code to monitor for
  • File Size (Bytes) - input the byte size to monitor for
  • Full Path - input a full path to monitor for
  • Hostname - select a hostname to monitor
  • Monitor Only 
  • Network Direction
  • Occurrences
  • Parent Process: Application
  • Parent Process: Certificate
  • Parent Process: File Size (Bytes)
  • Parent Process: SHA256
  • Parent Process: ThreatLocker Hash
  • Policy
  • Policy Action
  • Process Path
  • Registry Key Change
  • Risk - select from risks identified by the ThreatLocker Ops team to monitor for
  • Serial Number
  • SHA256
  • Source IP Address
  • ThreatLocker Hash
  • Transport Layer
  • Username 
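
The values the Event Log conditions above expect are all fields of the raw Windows event record. The following Python example is added here and is not ThreatLocker code: it parses a hand-constructed Security 4624 logon event in the XML form that `wevtutil qe Security /f:xml` or `Get-WinEvent` (via `.ToXml()`) emits, and maps each field onto the condition it feeds. Two caveats a practitioner will hit: the "General" tab text that Event Log Message is matched against is the rendered message and is not present in the raw XML, and Audit Success / Audit Failure are keyword bits (0x8020000000000000 / 0x8010000000000000) on the Security channel, whose raw Level is 0. The bitwise-AND matching in `keywords_match` is an assumption about how the Ops keyword-mask operator behaves, not something the page states.

```python
"""Map a raw Windows event record onto the ThreatLocker Ops Event Log condition
names.  Added example, not ThreatLocker code; the XML below is constructed by
hand to look like a Security 4624 logon event."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample in the shape of `wevtutil qe Security /f:xml` output.
# The rendered "General" tab message is NOT in the raw record; only the
# System block and the raw EventData values are.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"/>
    <EventID>4624</EventID>
    <Version>2</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <Channel>Security</Channel>
    <Computer>WS01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="LogonType">10</Data>
  </EventData>
</Event>"""

# Level numbers as written in the XML.  Audit Success / Audit Failure are not
# levels but keyword bits used on the Security channel, where Level is 0.
LEVEL_NAMES = {1: "Critical", 2: "Error", 3: "Warning", 4: "Information", 5: "Verbose"}
AUDIT_SUCCESS = 0x8020000000000000
AUDIT_FAILURE = 0x8010000000000000
# Opcode numbers as listed for the Event Log Opcode condition.
OPCODE_NAMES = {0: "Undefined or General Operation", 1: "Start", 2: "Stop",
                3: "Info", 4: "Success", 5: "Failure"}


def event_to_ops_fields(xml_text: str) -> dict:
    """Return the value you would enter for each Event Log condition."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    keywords = int(system.findtext("e:Keywords", default="0x0", namespaces=NS), 16)
    level = int(system.findtext("e:Level", default="0", namespaces=NS))
    if (keywords & AUDIT_SUCCESS) == AUDIT_SUCCESS:
        level_name = "Audit Success"
    elif (keywords & AUDIT_FAILURE) == AUDIT_FAILURE:
        level_name = "Audit Failure"
    else:
        level_name = LEVEL_NAMES.get(level, f"Level {level}")
    opcode = int(system.findtext("e:Opcode", default="0", namespaces=NS))
    return {
        "Event Log Description": system.find("e:Provider", NS).get("Name"),   # Provider Name
        "Event Log ID": int(system.findtext("e:EventID", namespaces=NS)),
        "Event Log Keywords": f"0x{keywords:016X}",                           # 64-bit mask
        "Event Log Level": level_name,
        "Event Log Name": system.findtext("e:Channel", namespaces=NS),        # Channel
        "Event Log Opcode": opcode,                                           # see OPCODE_NAMES
        "Event Log Task Category": int(system.findtext("e:Task", default="0", namespaces=NS)),
    }


def keywords_match(event_keywords: str, condition_mask: str) -> bool:
    """Assumed mask semantics: every bit set in the condition mask must be set
    on the event.  Lets one rule cover both Audit Success and Audit Failure by
    masking on the shared 0x8000000000000000 bit, for instance."""
    mask = int(condition_mask, 16)
    return (int(event_keywords, 16) & mask) == mask


if __name__ == "__main__":
    for name, value in event_to_ops_fields(SAMPLE_EVENT_XML).items():
        print(f"{name:<25} {value}")
```

Running it against a live record is the quickest way to find the Provider Name, Channel and Task values a condition needs, since those are what Event Viewer shows under different labels ("Source", "Log Name", "Task Category").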

Policy Actions: Actions which are triggered based on meeting designated policy conditions. 

  • Call Rest API - send a JSON payload to the specified API URL 
  • Call Rest API (Client) - send a JSON payload to the specified API URL, with the request originating from the endpoint itself
  • Call Webhook - send a JSON payload to the specified URL
  • Call Webhook (Client) - send a JSON payload to the specified URL, with the request originating from the endpoint itself
  • Create Alert - send an alert to the Response Center and, optionally, raise the threat level. Alerts with a severity of 'Information' are not shown on the main grid, but do appear in the slideout.
  • Create Ticket (requires an active integration with a ticketing system) - when configured, sends a ticket directly to the integrated ticketing system
  • Disable Application Control Policy
  • Disable Network Control Policy
  • Disable Storage Control Policy
  • Enable Application Control Policy
  • Enable Network Control Policy
  • Enable Storage Control Policy
  • Isolate Machine - blocks new inbound and outbound network communication attempts on the target machine, except communication with ThreatLocker.
  • Lockdown Machine - blocks new inbound and outbound network communication attempts on the target machine, except communication with ThreatLocker, and additionally blocks all programs from running, including Windows
  • Send Email


Threat Levels: Custom numerical levels, each with a specific set of action policies that activate when that threat level is reached. More information about Threat Levels is found later in this course. 

Adding a New Policy

To add a new policy, navigate to the ThreatLocker Ops module and click the '+ New Policy' button. 

This will open the 'Create New Policy' side panel. 


Policy Level & Policy Info

Open the 'Policy Level' dropdown menu to select the desired policy level.

In the 'Policy Info' section, enter the policy name into the dedicated text field. Then select the desired policy icon from the dropdown menu. Finally, enter a description of the policy.


Policy Conditions

First, decide whether all conditions must be met before the policy action(s) take place, or whether the action(s) take place when any one of the conditions is met.

Then select the condition, operator, and value from the corresponding dropdown menus. Click the green '+' icon to add more conditions. If you do not require any additional conditions, move on to the next section of the panel. 

To remove a condition, click the red '-' icon.


Policy Actions

Expand the Action dropdown menu to select the desired response(s). 

Certain actions prompt for additional required fields. Once all fields are completed, click the green '+' icon to add another policy action. If you do not require any additional actions, move on to the next section of the panel. 


Policy Expiration & Order

Choose whether this policy will be active when created, using the provided toggle.

Choose an optional expiration date.

Choose where the policy appears in the overall order of ThreatLocker Ops policies. Policies are processed from top to bottom.


Create Policy & Deploy Policies

Once you have configured the policy as desired, select '+ Create Policy'. The new policy now appears in your policy list.

Select 'Deploy Policies' to apply your new policy to your environment. 
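
To make the all/any match mode, the active toggle, the expiration date and the top-to-bottom ordering concrete, here is an added Python model of an ordered Ops policy list evaluated against telemetry records. It is not ThreatLocker's engine and is not code from the page: the Condition and Policy structures, the operator names (equals, contains, greater_than, in_cidr, not_in_cidr), the telemetry field names, the "Write" action type and the sample events are all assumptions modelled on the fields shown in the Create New Policy panel.

```python
"""Model of an ordered ThreatLocker Ops policy list evaluated against telemetry.
Added example, not ThreatLocker code; structures, operators and sample data are
assumptions modelled on the Create New Policy panel."""
from dataclasses import dataclass
from datetime import date
from typing import Any, List, Optional, Tuple
import ipaddress


@dataclass
class Condition:
    name: str        # condition name as it appears in the panel, e.g. "Event Log ID"
    operator: str    # assumed operators: equals, contains, greater_than, in_cidr, not_in_cidr
    value: Any


@dataclass
class Policy:
    name: str
    conditions: List[Condition]
    actions: List[str]            # e.g. "Create Alert", "Isolate Machine"
    match_all: bool = True        # True: all conditions must match; False: any one condition
    active: bool = True           # the 'active when created' toggle
    expires: Optional[date] = None  # optional expiration date


def condition_matches(cond: Condition, event: dict) -> bool:
    actual = event.get(cond.name)
    if actual is None:            # field absent from this telemetry record: no match
        return False
    if cond.operator == "equals":
        return actual == cond.value
    if cond.operator == "contains":
        return str(cond.value).lower() in str(actual).lower()
    if cond.operator == "greater_than":
        return actual > cond.value
    if cond.operator in ("in_cidr", "not_in_cidr"):
        inside = ipaddress.ip_address(actual) in ipaddress.ip_network(cond.value, strict=False)
        return inside if cond.operator == "in_cidr" else not inside
    raise ValueError(f"unknown operator {cond.operator!r}")


def policy_matches(policy: Policy, event: dict, today: date) -> bool:
    """Inactive or expired policies never fire, whatever their conditions say."""
    if not policy.active or (policy.expires is not None and today > policy.expires):
        return False
    results = [condition_matches(c, event) for c in policy.conditions]
    return all(results) if policy.match_all else any(results)


def evaluate(policies: List[Policy], event: dict, today: date) -> List[Tuple[str, List[str]]]:
    """Walk the list top to bottom; matches come back in list order, which is
    the order in which their actions would be carried out."""
    return [(p.name, p.actions) for p in policies if policy_matches(p, event, today)]


# Constructed policy list, in the order it would sit in the Ops policy grid.
POLICIES = [
    Policy("Canary file written",
           [Condition("Canary File Path", "equals", r"C:\Finance\payroll_canary.xlsx"),
            Condition("Action Type", "equals", "Write")],
           ["Create Alert", "Isolate Machine"]),                    # all conditions
    Policy("RDP or VNC destination port",
           [Condition("Destination Port", "equals", 3389),
            Condition("Destination Port", "equals", 5900)],
           ["Create Alert"], match_all=False),                      # any one condition
    Policy("Public destination address",
           [Condition("Destination IP Address", "not_in_cidr", "10.0.0.0/8")],
           ["Send Email"]),
    Policy("Threat level critical",
           [Condition("Current Threat Level", "greater_than", 7)],
           ["Lockdown Machine"]),
    Policy("Old failed-logon rule",
           [Condition("Event Log ID", "equals", 4625)],
           ["Create Ticket"], expires=date(2024, 1, 31)),           # expired rule
]

# Constructed telemetry records (not real ThreatLocker output).
FILE_EVENT = {"Hostname": "WS01", "Action Type": "Write",
              "Canary File Path": r"C:\Finance\payroll_canary.xlsx", "Current Threat Level": 3}
NETWORK_EVENT = {"Hostname": "WS01", "Destination IP Address": "203.0.113.10",
                 "Destination Port": 3389, "Current Threat Level": 3}
LOGON_EVENT = {"Hostname": "WS01", "Event Log ID": 4625, "Current Threat Level": 3}

if __name__ == "__main__":
    today = date(2024, 4, 10)
    for label, event in (("file", FILE_EVENT), ("network", NETWORK_EVENT), ("logon", LOGON_EVENT)):
        print(label, evaluate(POLICIES, event, today))
```

The network record shows why order matters: both the port rule and the public-address rule fire, and the alert is raised before the email is sent because that is their order in the list. The logon record shows the expiration date doing its job: the 4625 rule matches on its conditions but is past its expiry, so nothing fires.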


Need Additional Assistance?

For more information about ThreatLocker Ops or Threat Levels, see the ThreatLocker Ops course in ThreatLocker University, or reach out to the Cyber Heroes, who are always available to help.