Comprehensive Endpoint Detection and Response so you can be proactive in the fight against cyber threats.
ThreatLocker® Detect is a policy-based Endpoint Detection and Response (EDR) solution. This EDR addition to the ThreatLocker Endpoint Protection Platform watches for unusual events or Indicators of Compromise (IoCs). ThreatLocker Detect can send alerts and take automated actions if an anomaly is detected.
ThreatLocker Detect leverages the vast telemetry data collected from other ThreatLocker modules and Windows Event logs. This info gives essential insights into an organization's security, enabling them to identify and remediate possible cyber threats.
ThreatLocker Detect has an edge over other EDR tools in detecting and responding to potential threats. Its advanced technology identifies and addresses known malicious activities while providing extensive coverage of events beyond just known ones.
ThreatLocker Detect automated responses can give information, enforce rules, disconnect machines from the network, or quickly activate Lockdown mode. When Lockdown mode starts, it blocks all activities, including task execution, network access, and storage access, ensuring maximum security.
With the capability of detecting remote access tools or PowerShell elevation, ThreatLocker Detect also identifies events such as abnormal RDP traffic or multiple failed login attempts. Furthermore, the platform can determine if an event log is erased or if Windows Defender finds malware on a device. This proactive approach enables organizations to swiftly identify and respond to potential threats before they can cause significant damage.
ThreatLocker Detect continuously monitors the behavior of trusted and untrusted applications across all devices where the ThreatLocker Agent is installed. IT experts can make custom rules and policies for decision-making instead of relying on AI or undisclosed criteria. These policies can have a set of conditions and responses that look for behaviors crossing a threshold indicating a compromise may have occurred.
When conditions are met, ThreatLocker Detect will automatically respond based on the rules created. These policies are constantly evaluated in real-time by the ThreatLocker agent on your endpoint, which means your policies are enforced in milliseconds whether or not your endpoint is connected to the internet. IT experts can have complete control over their priorities and event responses. This level of automation and control ensures that incident response actions align with the organization's overall security strategy.
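To make the threshold-based policy model described above concrete, here is a small added example (illustrative only, not ThreatLocker code) that evaluates constructed Windows Security events against two policies: a burst of failed logons and a cleared security log. The event format, policy fields and response names are assumptions; the event IDs 4625 (failed logon) and 1102 (audit log cleared) are the standard Windows Security log IDs.

```python
"""Toy threshold-based detection policy engine (added example, not ThreatLocker code).
Event layout, Policy fields and response names are assumptions for illustration."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Event:
    ts: int        # seconds since epoch (constructed sample data)
    host: str
    event_id: int  # Windows Security log event ID


@dataclass
class Policy:
    name: str
    event_id: int
    threshold: int   # fire after this many matching events ...
    window: int      # ... observed within this many seconds, per host
    response: str    # assumed response names: "alert", "isolate", "lockdown"
    _seen: dict = field(default_factory=dict)

    def evaluate(self, ev: Event):
        """Return the response if this event pushes its host over the threshold."""
        if ev.event_id != self.event_id:
            return None
        q = self._seen.setdefault(ev.host, deque())
        q.append(ev.ts)
        while q and ev.ts - q[0] > self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()                              # one burst fires exactly once
            return self.response
        return None


def run_policies(policies, events):
    """Evaluate each event against every policy; return (host, policy, response) hits."""
    hits = []
    for ev in events:
        for p in policies:
            r = p.evaluate(ev)
            if r:
                hits.append((ev.host, p.name, r))
    return hits


# Constructed telemetry: six failed logons on ws01 within a few seconds, a security
# log clear on ws02, and one isolated failed logon on ws01 much later.
SAMPLE_EVENTS = [Event(100 + i, "ws01", 4625) for i in range(6)] + [
    Event(200, "ws02", 1102), Event(900, "ws01", 4625)]
POLICIES = [
    Policy("Multiple failed logons", 4625, threshold=5, window=60, response="alert"),
    Policy("Security log cleared", 1102, threshold=1, window=1, response="isolate"),
]

if __name__ == "__main__":
    for hit in run_policies(POLICIES, SAMPLE_EVENTS):
        print(hit)
```

The lone failed logon at t=900 falls outside the 60-second window and so does not fire, which is the behaviour a threshold policy needs to avoid alert fatigue.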
Additionally, ThreatLocker offers recommended policies based on frameworks such as MITRE and CISA Indicators of Compromise. ThreatLocker has introduced a platform known as "ThreatLocker Community". IT experts can share policies they created with other members of the ThreatLocker Community on the platform.
ThreatLocker Detect will identify unexpected and unwanted behavior in your Microsoft 365 cloud environment, which could indicate a cyberattack. ThreatLocker Detect cloud policies use Microsoft 365 logs to notify ThreatLocker administrators of any potential indications of compromise discovered.
Policies can be customized to meet your specific requirements using any fields from the Microsoft 365 or Microsoft Graph API logs.
ThreatLocker Detect can work with Microsoft Entra P2 to alert on:
No, you don't need a separate antivirus - but ThreatLocker Detect plays very nicely with Windows Defender!
While we do not have a separate antivirus, we do manage a large list of Indicators of Compromise (IoCs) as well as a list of known bad files we can discover during the baseline. The detections in this baseline can be used to deny any known bad files that already existed on the machine at the time of deployment.
While not all modules are technically required, ThreatLocker Detect uses telemetry from our existing Zero Trust controls to identify indicators of compromise and other suspicious activity. It also enables swift responses to detections by allowing you to enable or disable any control policies.
When used in conjunction with the other modules, it delivers a more comprehensive solution and enhanced protection.
Yes, ThreatLocker detection exceptions can be configured with granularity, even on a per-machine basis. This allows you to filter out false positives by tailoring exceptions to specific details included in any alert.
Our approach minimizes reliance on IoCs, so their role in the security protocols differs greatly between the two companies. With Zero Trust controls in place, malicious activities are typically blocked proactively, long before detection would even be necessary.
No. ThreatLocker Detect is fully functional without the MDR service. The MDR service provides 24/7 monitoring and response to Detect alerts.
No. ThreatLocker Community provides a repository of policies created by ThreatLocker but also gives you the ability to subscribe to customer libraries and access their policies if desired. To that point, you can also create and publish your own policies to your own library.
Yes, this is possible via our API. See our knowledge base article for more information: https://threatlocker.kb.help/api-users/
Using industry-known indicators of compromise, ThreatLocker Detect can identify and alert IT professionals that their organization may be under an attempted attack based on customizable thresholds and notification methods.
Set policies to enable, disable, or create Application Control, Storage Control, or Network Control policies in response to specified observations.
Policies can be tailored to alert and respond differently based on the threat level to reduce alert fatigue.
IT admins can easily share their own ThreatLocker Detect policies or “shop” for vetted policies shared by their industry peers and the ThreatLocker team.