
Threatlocker - Set Learning Mode Implement and Audit

Purpose

This solution sets ThreatLocker to learning mode through the ThreatLocker API. It also records an audit trail for each change: the learning mode start and end times, the duration, the status, the script log, the LT user who set learning mode, and the reason they recorded for doing so.

Associated Content

Content: Script - ThreatLocker - Set Learning Mode
Type: Script
Function: Gathers the API keys from the client's EDF and uses them to set the machine to learning mode in ThreatLocker. User parameters: LearningDuration (numeric; the number of hours the computer stays in learning mode) and Reason (required; the justification recorded for setting learning mode).

Content: Dataview - ThreatLocker LearningMode Set Audit
Type: Dataview
Function: Displays the results of the learning mode changes made by "Script - ThreatLocker - Set Learning Mode."

Content: Table - pvl_threatlocker-disable_audit
Type: Custom Table
Function: Stores the data written by "Script - ThreatLocker - Set Learning Mode": the computer ID, learning mode duration, start and end times, reason, the LT user who set the mode, the status, and the complete log.

Implementation

  1. Import the following content using the ProSync Plugin:

    • Script - ThreatLocker - Set Learning Mode
    • Dataview - ThreatLocker LearningMode Set Audit
  2. Reload the system cache.

  3. The script can be run on demand or called from another script to put the machine into ThreatLocker learning mode first, so that LT users can suspend blocking from within Automate.

The client must obtain a report key and a maintenance auth key from ThreatLocker support for each organization in which learning mode is to be set via the script. Note: the user requesting the keys needs the phone associated with their ThreatLocker profile on hand, because support validates the request by SMS.

Image

Image

Support will send an SMS to validate the user, after which they will provide the auth keys.

Image

Once the keys are received, enter them in the client's password tab with the title shown below; the script reads them from there at run time:

Image

After setting the keys, the file hash 9FA61A436668967C26CB76858275EC17 must be allowed in ThreatLocker so that the script can execute the PowerShell script (.ps1) it generates and set learning mode for the specified duration. Because the allow rule is keyed to the file's hash, any change to the contents of the generated .ps1 (for example, an updated version of the script) produces a new hash that must be allowed again before the script will run.
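The following PowerShell is an added example, not part of the ProSync content or ThreatLocker's own code. It shows the three checks an operator would want before relying on the procedure above: validating the LearningDuration and Reason parameters as the script defines them, confirming that the generated .ps1 on disk still matches the hash that was allowed in ThreatLocker, and assembling the fields the pvl_threatlocker-disable_audit table stores (with the end time derived from the start time and duration). The file path, the computer ID, the LT user name and the function names are assumptions for illustration; the only value taken from the page is the allowed hash.

```powershell
# Added example: pre-flight checks for the ThreatLocker learning mode script.
# Not the ProSync script itself. Paths, IDs, user names and function names are assumed.

# Hash from the page. It is 32 hex characters, so MD5 is assumed for Get-FileHash.
$AllowedPs1Hash = '9FA61A436668967C26CB76858275EC17'

function Test-LearningModeParameters {
    # Mirrors the script's two user parameters: a numeric hour count and a required reason.
    param(
        [Parameter(Mandatory)] [string] $LearningDuration,
        [Parameter(Mandatory)] [AllowEmptyString()] [string] $Reason
    )
    $hours = 0
    if (-not [int]::TryParse($LearningDuration, [ref]$hours) -or $hours -le 0) {
        throw "LearningDuration must be a positive whole number of hours, got '$LearningDuration'."
    }
    if ([string]::IsNullOrWhiteSpace($Reason)) {
        throw "Reason is required; refusing to set learning mode without one."
    }
    return $hours
}

function Test-AllowedPs1Hash {
    # Confirms the generated .ps1 still matches the hash allowed in ThreatLocker.
    # A mismatch means the file changed and the new hash must be allowed first.
    param([Parameter(Mandatory)] [string] $Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Generated script not found: $Path"
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToUpperInvariant()
    if ($actual -ne $AllowedPs1Hash) {
        throw "Hash mismatch: $Path is $actual but ThreatLocker only allows $AllowedPs1Hash."
    }
    return $true
}

function New-LearningModeAuditRecord {
    # Builds the row the audit table stores; EndTime is StartTime plus the duration in hours.
    param(
        [int]    $ComputerId,
        [int]    $Hours,
        [string] $Reason,
        [string] $LtUser,
        [string] $Status,
        [string] $Log
    )
    $start = Get-Date
    [pscustomobject]@{
        ComputerId    = $ComputerId
        DurationHours = $Hours
        StartTime     = $start
        EndTime       = $start.AddHours($Hours)
        Reason        = $Reason
        SetBy         = $LtUser
        Status        = $Status
        Log           = $Log
    }
}

# Example run with constructed inputs (hypothetical path, computer ID and LT user).
$reason = 'Installing vendor update'
$hours  = Test-LearningModeParameters -LearningDuration '4' -Reason $reason
Test-AllowedPs1Hash -Path 'C:\Windows\LTSvc\packages\ThreatLocker-SetLearningMode.ps1' | Out-Null
New-LearningModeAuditRecord -ComputerId 1234 -Hours $hours -Reason $reason `
    -LtUser 'jdoe' -Status 'Success' -Log 'Learning mode requested via API' | Format-List
```

Run the hash check against the .ps1 the Automate script drops on the endpoint after any content update from ProSync: if it throws, the allowed hash in the ThreatLocker policy no longer matches and learning mode will not be set until the new hash is allowed and the policy deployed.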

FAQ

Does ThreatLocker block this script from setting it to learning mode?

Answer: Yes. ThreatLocker blocks the .ps1 file that this script generates until it is allowed. For the script to work, the partner must allow the file hash 9FA61A436668967C26CB76858275EC17 in a ThreatLocker policy and deploy that policy to the affected machines.

What kind of error messages can the script return?

Answer: Possible error messages include the following:

Image