
ThreatLocker® Cloud Detect

ThreatLocker® Detect cloud policies use Microsoft 365 logs and Detect policies to alert ThreatLocker administrators to any potential indications of compromise.

Detect anomalies in Microsoft 365

ThreatLocker® Detect will identify unexpected and unwanted behavior in your Microsoft 365 cloud environment, which could indicate a cyberattack.

Access policies in Community

Clients will have access to Cloud Detect policies in Community, including all master policies developed by ThreatLocker. Active policies include:

  • Detects when a TAP (Temporary Access Pass) is added to an account.
  • Detects users consenting to applications.
  • Detects logins in a time period shorter than the time it takes to travel from the first location to the second.
  • Detects use of legacy authentication protocols: alerts if legacy authentication has been used on an account.
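
The last two policies above, expressed as detection logic over constructed sign-in records. This is an added example, not ThreatLocker's policy code; the record fields, the legacy client labels, the 900 km/h speed ceiling and the 100 km minimum distance are assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumptions for this example: legacy client labels and the speed ceiling.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync"}
MAX_KMH = 900.0  # roughly airliner cruise speed
MIN_KM = 100.0   # ignore small hops caused by imprecise IP geolocation

# Constructed sample sign-in records (not real log data).
SIGNINS = [
    {"user": "alice@example.com", "time": "2025-03-01T08:00:00+00:00", "lat": 51.5074, "lon": -0.1278, "client": "Browser"},
    {"user": "alice@example.com", "time": "2025-03-01T09:30:00+00:00", "lat": 40.7128, "lon": -74.0060, "client": "Browser"},
    {"user": "bob@example.com", "time": "2025-03-01T08:00:00+00:00", "lat": 48.8566, "lon": 2.3522, "client": "IMAP4"},
    {"user": "bob@example.com", "time": "2025-03-01T20:00:00+00:00", "lat": 52.5200, "lon": 13.4050, "client": "Mobile Apps and Desktop clients"},
    {"user": "carol@example.com", "time": "2025-03-01T10:00:00+00:00", "lat": 35.6762, "lon": 139.6503, "client": "Browser"},
    {"user": "carol@example.com", "time": "2025-03-01T10:00:00+00:00", "lat": -33.8688, "lon": 151.2093, "client": "Browser"},
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def detect(signins):
    """Return (user, rule, detail) alerts for legacy auth and impossible travel."""
    alerts, last = [], {}
    for ev in sorted(signins, key=lambda e: (e["user"], datetime.fromisoformat(e["time"]))):
        if ev["client"] in LEGACY_CLIENTS:
            alerts.append((ev["user"], "legacy_auth", ev["client"]))
        prev = last.get(ev["user"])
        last[ev["user"]] = ev
        if prev is None:
            continue
        km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
        hours = (datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
        # Zero elapsed time over a real distance is the edge case: treat as impossible.
        if km >= MIN_KM and (hours <= 0 or km / hours > MAX_KMH):
            alerts.append((ev["user"], "impossible_travel", f"{km:.0f} km in {hours:.2f} h"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SIGNINS):
        print(alert)
```

The minimum-distance floor keeps two sign-ins from the same metro area, geolocated a few kilometres apart seconds from each other, from being flagged as impossible travel.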

How does ThreatLocker Cloud Detect work?

Policies can be customized to meet your specific requirements using any fields from the Microsoft 365 or Microsoft Graph API logs. ThreatLocker® Detect can work with Microsoft Entra P2 to alert on:

  • Users with leaked credentials: If a user’s credentials have been compromised (e.g., due to a data breach), it raises a risk flag.
  • Sign-ins from anonymous IP addresses: It’s considered risky when a user signs in from an IP address without proper identification.
  • Impossible travel to atypical locations: If a user’s sign-in location is geographically implausible (e.g., sudden travel across continents), it’s flagged.
  • Sign-ins from infected devices: If a user signs in from a device known to be infected with malware, it’s considered risky.
