Unlock the Potential of ThreatLocker® Detect

A comprehensive Endpoint Detection and Response (EDR) system that enables proactive defense against cyber threats.


What is ThreatLocker® Detect?

ThreatLocker® Detect is a policy-based Endpoint Detection and Response (EDR) solution. It is part of the ThreatLocker Endpoint Protection platform and monitors for anomalous activity or indicators of compromise (IoCs). When a threat is detected, the system automatically sends alerts and takes appropriate actions.

ThreatLocker Detect leverages telemetry data from other ThreatLocker modules and Windows event logs. This provides deep security analytics within your organization, helping to detect and neutralize potential cyberattacks.


Why Choose ThreatLocker® Detect?

ThreatLocker Detect offers significant advantages over other EDR solutions in detecting and responding to potential threats. Its advanced algorithms identify known malicious activities and cover a broader range of events, including unknown attacks.
Automated actions in Detect allow you to enforce policies, disconnect devices from the network, provide administrators with critical information, or activate Lockdown mode. In Lockdown mode, process execution, network access, and storage access are blocked—providing the highest level of protection.
Detect can also identify remote access tools, suspicious PowerShell activity, unusual RDP traffic, or repeated failed login attempts. It also logs attempts to delete event logs or evade Windows Defender malware detection.
This proactive approach enables organizations to detect threats quickly and respond before significant damage occurs.


How Does ThreatLocker Detect Work?

ThreatLocker Detect continuously monitors the behavior of trusted and untrusted applications on all devices with the ThreatLocker agent installed.
IT professionals can create custom rules and decision policies without relying on AI or closed algorithms.

These policies can include a set of conditions or responses to specific behaviors that indicate a potential security breach.

When conditions are met, ThreatLocker Detect automatically responds according to the defined rules.
The agent continuously evaluates events in real time—even without an internet connection.
This ensures millisecond-level response times and allows full control over system priorities and actions.

This level of automation guarantees that all incident response actions align with your organization’s overall cybersecurity strategy.
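The condition-and-response policy model described above, applied to two of the behaviours this page names (repeated failed logins and deletion of event logs), as an added example that is not ThreatLocker code: the policy names, the response labels and the sample events are constructed assumptions; only the Windows Security event IDs 4625 and 1102 are real.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (not real telemetry).
# 4625 = failed logon, 1102 = audit log cleared (real Windows event IDs).
EVENTS = [
    {"time": "2024-05-01T10:00:00", "host": "WS01", "id": 4625, "user": "alice", "src": "10.0.0.5"},
    {"time": "2024-05-01T10:00:05", "host": "WS01", "id": 4625, "user": "alice", "src": "10.0.0.5"},
    {"time": "2024-05-01T10:00:09", "host": "WS01", "id": 4625, "user": "alice", "src": "10.0.0.5"},
    {"time": "2024-05-01T10:00:14", "host": "WS01", "id": 4625, "user": "alice", "src": "10.0.0.5"},
    {"time": "2024-05-01T10:00:20", "host": "WS01", "id": 4625, "user": "alice", "src": "10.0.0.5"},
    {"time": "2024-05-01T11:30:00", "host": "WS02", "id": 4625, "user": "bob", "src": "10.0.0.7"},
    {"time": "2024-05-01T12:00:00", "host": "WS02", "id": 1102, "user": "bob", "src": "-"},
]

def failed_logon_burst(events, threshold=5, window=timedelta(minutes=1)):
    """Condition: at least `threshold` 4625 events from one (host, source) inside `window`."""
    per_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            per_src[(e["host"], e["src"])].append(datetime.fromisoformat(e["time"]))
    hits = []
    for key, times in per_src.items():
        times.sort()
        # Sliding window: any run of `threshold` consecutive timestamps within `window`.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.append(key)
                break
    return hits

def audit_log_cleared(events):
    """Condition: event 1102 records that the Security log was cleared."""
    return [(e["host"], e["user"]) for e in events if e["id"] == 1102]

# Hypothetical policies: (name, condition, response). The response names are
# labels only; the isolation/lockdown actions themselves are not modelled here.
POLICIES = [
    ("repeated failed logons", failed_logon_burst, "alert+isolate"),
    ("security log cleared", audit_log_cleared, "alert+lockdown"),
]

def evaluate(events, policies=POLICIES):
    """Apply every policy; return one (policy, subject, response) record per hit."""
    findings = []
    for name, condition, response in policies:
        for subject in condition(events):
            findings.append((name, subject, response))
    return findings
```

Calling `evaluate(EVENTS)` yields one finding for the five-in-twenty-seconds logon burst on WS01 and one for the cleared log on WS02; the single failed logon for bob stays below the threshold.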


Anomaly Detection in Microsoft 365

ThreatLocker Detect identifies suspicious or unwanted activity in your Microsoft 365 cloud environment that may indicate a cyberattack.
Detect policies for the cloud analyze Microsoft 365 logs and Microsoft Graph API data, alerting administrators to potential signs of compromise.

Policies can be customized to your needs using any fields from Microsoft 365 logs or the Graph API.

In conjunction with Microsoft Entra P2, ThreatLocker Detect tracks:
● Users with compromised credentials
If credentials are leaked, an elevated risk level is triggered.
● Logins from anonymous IP addresses
Considered risky if a user logs in from an unidentified IP without proper identification.
● Logins from geographically impossible locations
For example, alerts are triggered if logins occur from different continents within a short timeframe.
● Logins from infected devices
If a user logs in from a device known to have malware, it is considered a high risk.
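An added example (not ThreatLocker code) of the impossible-travel check described above, run over constructed sign-in records shaped like the Microsoft Graph signIn resource; the records, the city coordinates and the 1000 km/h threshold are assumptions made here.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in records shaped like the Microsoft Graph signIn resource
# (userPrincipalName, createdDateTime, location.geoCoordinates); not real data.
SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T08:00:00Z",
     "location": {"city": "Kyiv", "geoCoordinates": {"latitude": 50.45, "longitude": 30.52}}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T09:30:00Z",
     "location": {"city": "New York", "geoCoordinates": {"latitude": 40.71, "longitude": -74.01}}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-05-01T08:00:00Z",
     "location": {"city": "Kyiv", "geoCoordinates": {"latitude": 50.45, "longitude": 30.52}}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-05-01T12:00:00Z",
     "location": {"city": "Lviv", "geoCoordinates": {"latitude": 49.84, "longitude": 24.03}}},
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points (mean Earth radius 6371 km)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def _parse(ts):
    # Graph timestamps end in "Z"; older fromisoformat versions need an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def impossible_travel(signins, max_kmh=1000.0):
    """Flag consecutive sign-ins of one user whose implied speed exceeds max_kmh.

    Returns (user, from_city, to_city, rounded km/h). 1000 km/h is roughly
    airliner speed, so anything faster cannot be the same person travelling."""
    by_user = {}
    for s in sorted(signins, key=lambda s: s["createdDateTime"]):
        by_user.setdefault(s["userPrincipalName"], []).append(s)
    alerts = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            g0, g1 = prev["location"]["geoCoordinates"], cur["location"]["geoCoordinates"]
            km = haversine_km(g0["latitude"], g0["longitude"], g1["latitude"], g1["longitude"])
            hours = (_parse(cur["createdDateTime"]) - _parse(prev["createdDateTime"])).total_seconds() / 3600
            if hours <= 0:  # simultaneous sign-ins: impossible only if the places differ
                kmh = float("inf") if km > 1.0 else 0.0
            else:
                kmh = km / hours
            if kmh > max_kmh:
                alerts.append((user, prev["location"]["city"], cur["location"]["city"], round(kmh)))
    return alerts
```

Alice's Kyiv-to-New York pair (about 7,500 km in 90 minutes) is flagged; Bob's Kyiv-to-Lviv pair over four hours is an ordinary journey and is not.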

Intuitive Analytics with ThreatLocker Detect Dashboard

The ThreatLocker Detect Dashboard transforms incident and alert data from your environment into easy-to-understand visuals — bar charts, line graphs, and pie charts.
With a thoughtfully designed interface, you instantly gain insights complete with prompts for deeper analysis and swift action.
All response actions are logged along with the reasons for their execution.

With the Detect Dashboard, you gain access to key information:
● The most critical alerts
● Impacted assets
● Incidents that have been resolved
● False positives
● Affected device or user groups
● Cyber Hero recommendations with options for automated remediation
The dashboard also serves as an audit tool:
You can review all past incidents, how responses were handled, and why — promoting knowledge continuity, improving future cybersecurity decisions, and ensuring strategic alignment in incident response.

THREATLOCKER DETECT CAPABILITIES


Threat Detection and Alerting

Using industry-standard indicators of compromise, ThreatLocker Detect identifies anomalies and alerts IT professionals about potential attacks on the organization. Notifications are sent according to configured triggers and alerting methods.


Targeted Response
You can assign policies to activate or deactivate modules such as Application Control, Storage Control, or Network Control in response to specific events or behavioral anomalies.


Flexible Trigger Thresholds

Policies can be tailored to risk levels—for example, to reduce false positives or ignore minor deviations without compromising security.


Leverages Community Knowledge

Administrators can share their own Detect policies or receive vetted security rules from other experts and the ThreatLocker team.

FAQ

  • No, a separate antivirus is not required. ThreatLocker Detect works seamlessly alongside Windows Defender.

  • ThreatLocker Detect is not a traditional antivirus but leverages a large database of Indicators of Compromise (IoCs) and a list of known malicious files that are detected during initial baseline analysis.
    This enables it to block threats already present on the device.

  • Not necessarily, but Detect becomes more powerful when combined with Zero Trust modules.
    It leverages telemetry from other modules to identify suspicious activity and enable rapid responses, such as policy blocking or allowing.

  • No. ThreatLocker Detect is fully functional without an MDR service.
    However, MDR provides 24/7 monitoring and threat response.

  • Yes. ThreatLocker Detect allows you to create detailed exceptions, even for individual devices, to reduce false positives.

  • ThreatLocker minimizes reliance on IoCs.
    Thanks to the Zero Trust model, threats are proactively blocked even before detection, providing higher effectiveness.

  • Yes, ThreatLocker Community allows you to create, save, and publish your own policies, as well as subscribe to libraries from other users.

  • Yes, via API.
