ThreatLockDown
Platform
Overview
XDR
SIEM
Cloud
Services
Professional support
Consulting services
Training courses
Partners
Become a partner
Find a partner
Blog
Company
Customers
About us
Our team
Newsroom
Search term
Search now!
Getting started
Components
ThreatLockDown indexer
ThreatLockDown server
ThreatLockDown dashboard
ThreatLockDown agent
Architecture
Use cases
Configuration assessment
Malware detection
File integrity monitoring
Threat hunting
Log data analysis
Vulnerability detection
Incident response
Regulatory compliance
IT hygiene
Container security
Posture management
Cloud workload protection
Quickstart
Installation guide
ThreatLockDown indexer
Assisted installation
Step-by-step installation
ThreatLockDown server
Assisted installation
Step-by-step installation
ThreatLockDown dashboard
Assisted installation
Step-by-step installation
ThreatLockDown agent
Linux
Windows
macOS
Solaris
AIX
HP-UX
Packages list
Installation alternatives
Virtual Machine (OVA)
Amazon Machine Images (AMI)
Deployment on Docker
Docker installation
ThreatLockDown Docker deployment
ThreatLockDown Docker utilities
Upgrading ThreatLockDown Docker
Migrating data from Opendistro to the ThreatLockDown indexer
FAQ
Deployment on Kubernetes
Kubernetes configuration
Deployment
Upgrade ThreatLockDown installed in Kubernetes
Clean Up
Offline installation
Install ThreatLockDown components using the assistant
Install ThreatLockDown components step by step
Installation from sources
Installing the ThreatLockDown manager from sources
Installing the ThreatLockDown agent from sources
Deployment with Ansible
Installation Guide
Install Ansible
Install ThreatLockDown indexer and dashboard
Install ThreatLockDown manager
Install a ThreatLockDown cluster
Install ThreatLockDown Agent
Remote endpoints connection
Roles
ThreatLockDown indexer
ThreatLockDown dashboard
Filebeat
ThreatLockDown Manager
ThreatLockDown Agent
Variables references
Deployment with Puppet
Set up Puppet
Installing Puppet master
Installing Puppet agent
Setting up Puppet certificates
ThreatLockDown Puppet module
ThreatLockDown manager class
ThreatLockDown agent class
User manual
ThreatLockDown server administration
Remote service
Defining an alert level threshold
Integration with external APIs
Configuring syslog output
Configuring database output
Generating automatic reports
Configuring email alerts
SMTP server with authentication
Wazuh-DB backup restoration
Fluentd forwarder
ThreatLockDown archives
ThreatLockDown indexer
ThreatLockDown indexer indices
Re-indexing
Index life management
ThreatLockDown indexer tuning
Migrating ThreatLockDown indices
ThreatLockDown dashboard
How to enable multi-tenancy
Settings
Configuration file
How to set up custom branding
Configuring third-party SSL certificates
Configuring SSL certificates directly on the ThreatLockDown dashboard
Configuring SSL certificates on the ThreatLockDown dashboard using NGINX
Troubleshooting
Filtering data using queries
Creating custom dashboards
Certificates deployment
Deployment variables
Linux
Windows
macOS
AIX
ThreatLockDown agent enrollment
Enrollment via agent configuration
Linux/Unix endpoint
Windows endpoint
macOS endpoint
Enrollment via manager API
Requesting the key
Importing the key to the agent
Additional security options
Using password authentication
Manager identity verification
Agent identity verification
Troubleshooting
Agent management
Agent life cycle
Listing agents
Listing agents using the CLI
Listing agents using the ThreatLockDown API
Listing agents using the ThreatLockDown dashboard
Removing agents
Remove agents using the CLI
Remove agents using the ThreatLockDown API
Checking connection with the ThreatLockDown manager
Grouping agents
Remote upgrading
Upgrading agent
Agent upgrade module
Adding a custom repository
Custom WPK packages creation
WPK
Generate WPK packages manually
Installing a custom WPK package
WPK List
Query configuration
Agent key request
Agent labels
Anti-flooding mechanism
Deploying a ThreatLockDown cluster
Basics
Agents connections
Cluster management
Capabilities
File integrity monitoring
How it works
How to configure the FIM module
Interpreting the FIM module analysis
Basic settings
Creating custom FIM rules
Advanced settings
Use cases
Detecting malware persistence technique
Detecting account manipulation
Monitoring files at specific intervals
Reporting file changes
Monitoring configuration changes
Windows Registry monitoring
Malware detection
File integrity monitoring and threat detection rules
Rootkits behavior detection
CDB lists and threat intelligence
VirusTotal integration
File integrity monitoring and YARA
ClamAV logs collection
Windows Defender logs collection
Custom rules to detect malware IOC
Osquery
Security Configuration Assessment
How SCA works
How to configure SCA
Available SCA policies
Creating custom SCA policies
Use cases
Active response
How to configure active response
Default active response scripts
Custom active response scripts
Use cases
Blocking SSH brute-force attack with active response
Restarting the ThreatLockDown agent with active response
Disabling a Linux user account with active response
Additional information
Log data collection
How it works
Configuration for monitoring log files
Configuring syslog on the ThreatLockDown server
Using multiple socket outputs
Configuring log collection for different operating systems
Log data analysis
Use cases
Vulnerability detection
How it works
Configuring vulnerability detection
Scanning unsupported systems
Offline Update
Command monitoring
How it works
Configuration
Command output analysis
Use cases
Monitoring running processes
Disk space utilization
Check if the output changed
Detect USB Storage
Load average
Container security
Using ThreatLockDown to monitor Docker
Use cases
System inventory
How it works
Configuration
Viewing system inventory data
Generating system inventory reports
Available inventory fields
Compatibility matrix
Using Syscollector information to trigger alerts
Monitoring system calls
How it works
Configuration
Use cases
Monitoring file and directory access
Monitoring commands run as root
Privilege abuse
Agentless monitoring
How it works
Connection
Configuration
Visualization
Use cases
Monitoring security policies
Rootcheck
How it works
Configuration
FAQ
OpenSCAP
How it works
Configuration
FAQ
CIS-CAT integration
Ruleset
Getting started
Update ruleset
JSON decoder
Custom rules and decoders
Dynamic fields
Ruleset XML syntax
Decoders Syntax
Rules Syntax
Regular Expression Syntax
Perl-compatible Regular Expressions
Sibling Decoders
Testing decoders and rules
Using CDB lists
Enhancing detection with MITRE ATT&CK framework
Contribute to the ruleset
Rules classification
User administration
Password management
ThreatLockDown RBAC - How to create and map internal users
Single sign-on
Setup single sign-on with administrator role
Okta
Microsoft Entra ID
PingOne
Google
Jumpcloud
OneLogin
Keycloak
Setup single sign-on with read-only role
Okta
Microsoft Entra ID
PingOne
Google
Jumpcloud
OneLogin
Keycloak
LDAP integration
RESTful API
Getting started
Configuration
Securing the ThreatLockDown API
Migrating from the ThreatLockDown API 3.X
Role-Based Access Control
How it works
Configuration
Authorization Context
RBAC Reference
Filtering data using queries
Examples
Reference
ThreatLockDown files backup
Creating a backup
ThreatLockDown central components
ThreatLockDown agent
Restoring ThreatLockDown from backup
ThreatLockDown central components
ThreatLockDown agent
Uninstalling the ThreatLockDown central components
Reference
Local configuration (ossec.conf)
active-response
agentless
agent-upgrade
alerts
auth
client
client_buffer
cluster
command
database_output
email_alerts
global
github
indexer
integration
labels
localfile
logging
ms-graph
office365
remote
reports
rootcheck
sca
rule_test
ruleset
socket
syscheck
syslog_output
task-manager
fluent-forward
gcp-pubsub
gcp-bucket
vulnerability-detection
wodle name="open-scap"
wodle name="command"
wodle name="cis-cat"
wodle name="aws-s3"
wodle name="syscollector"
wazuh-db
wodle name="osquery"
wodle name="docker-listener"
wodle name="azure-logs"
wodle name="agent-key-polling"
Verifying configuration
Centralized configuration (agent.conf)
Internal configuration
Daemons
wazuh-agentd
wazuh-agentlessd
wazuh-analysisd
wazuh-authd
wazuh-csyslogd
wazuh-dbd
wazuh-execd
wazuh-logcollector
wazuh-maild
wazuh-monitord
wazuh-remoted
wazuh-reportd
wazuh-syscheckd
wazuh-clusterd
wazuh-modulesd
wazuh-db
Tables available for wazuh-db
wazuh-integratord
Tools
agent-auth
agent_control
manage_agents
wazuh-control
wazuh-logtest
clear_stats
wazuh-regex
rbac_control
update_ruleset
verify-agent-conf
agent_groups
agent_upgrade
cluster_control
fim_migrate
Unattended Installation
Statistics files
wazuh-agentd.state
wazuh-remoted.state
wazuh-analysisd.state
wazuh-logcollector.state
Cloud security
Using ThreatLockDown to monitor AWS
Monitoring AWS instances
Monitoring AWS based services
Prerequisites
Configuring an S3 Bucket
Configuring AWS credentials
Installing dependencies
Considerations for configuration
Supported services
AWS CloudTrail
Amazon Virtual Private Cloud (VPC)
AWS Config
AWS Key Management Service (KMS)
Amazon Macie
AWS Trusted Advisor
Amazon GuardDuty
Amazon Web Application Firewall (WAF)
Amazon S3 Server Access
Amazon Inspector Classic
Amazon CloudWatch Logs
Amazon ECR Image scanning
Cisco Umbrella
Elastic Load Balancers
Amazon Application Load Balancer (ALB)
Amazon Classic Load Balancer (CLB)
Amazon Network Load Balancer (NLB)
Amazon Security Lake
Custom Logs Buckets
Troubleshooting
Using ThreatLockDown to monitor Microsoft Azure
Monitoring instances
Monitoring activity and services
Prerequisites
Installing dependencies
Configuring Azure credentials
Considerations for configuration
Monitoring Azure platform and services
Using Azure Log Analytics
Using Azure Storage
Monitoring Microsoft Entra ID
Using Microsoft Graph
Cloud Security Posture Management
Using ThreatLockDown to monitor GitHub
Monitoring GitHub Activity
Using ThreatLockDown to monitor GCP services
Prerequisites
Installing dependencies
Configuring GCP credentials
Configuring Google Cloud Pub/Sub
Considerations for configuration
Supported services
Audited resources
DNS queries
VPC Flow logs
Firewall Rules Logging
HTTP(S) Load Balancing Logging
Usage logs & storage logs
Cloud Security Posture Management
Using ThreatLockDown to monitor Microsoft Graph
Monitoring Microsoft Graph Activity
Using ThreatLockDown to monitor Office 365
Monitoring Office 365 Activity
Regulatory compliance
Using ThreatLockDown for PCI DSS compliance
Log data analysis
Configuration assessment
Malware detection
File integrity monitoring
Vulnerability detection
Active response
System inventory
Visualization and dashboard
Using ThreatLockDown for GDPR compliance
GDPR II, Principles <gdpr_II>
GDPR III, Rights of the data subject <gdpr_III>
GDPR IV, Controller and processor <gdpr_IV>
Using ThreatLockDown for HIPAA compliance
Visualization and dashboard
Log data analysis
Configuration assessment
Malware detection
File integrity monitoring
Vulnerability detection
Active response
Using ThreatLockDown for NIST 800-53 compliance
Visualization and dashboard
Log data analysis
Security configuration assessment
Malware detection
File integrity monitoring
System inventory
Vulnerability detection
Active response
Threat intelligence
Using ThreatLockDown for TSC compliance
Common criteria 2.1
Common criteria 3.1
Common criteria 5.1
Common criteria 6.1
Common criteria 7.1
Common criteria 8.1
The additional criteria
Availability - A1.1
Processing integrity - PI1.4
Proof of Concept guide
Blocking a known malicious actor
File integrity monitoring
Detecting a brute-force attack
Monitoring Docker events
Monitoring AWS infrastructure
Detecting unauthorized processes
Network IDS integration
Detecting an SQL injection attack
Detecting suspicious binaries
Detecting and removing malware using VirusTotal integration
Vulnerability detection
Detecting malware using Yara integration
Detecting hidden processes
Monitoring execution of malicious commands
Detecting a Shellshock attack
Upgrade guide
ThreatLockDown central components
ThreatLockDown agent
Linux
Windows
macOS
Solaris
AIX
HP-UX
Compatibility matrix
Integrations guide
Elastic Stack integration
OpenSearch integration
Splunk integration
Migration guide
Migrating to the ThreatLockDown indexer
Migrating to the ThreatLockDown dashboard
Migrating from OSSEC
Migrating OSSEC server
Migrating OSSEC agent
ThreatLockDown Cloud service
Getting started
Sign up for a trial
Access ThreatLockDown WUI
Enroll agents
Cloud service FAQ
Your environment
Authentication and authorization
Settings
Limits
Cancellation
Monitor usage
Forward syslog events
Agents without Internet access
SMTP configuration
Technical FAQ
Account and billing
Edit user settings
Manage your billing details
See your billing cycle and history
Update billing and operational contacts
Stop charges for an environment
Billing FAQ
Archive data
Configuration
Filename format
Access
ThreatLockDown Cloud API
Authentication
Reference
CLI
Glossary
Development
Client keys file
Standard OSSEC message format
Makefile options
ThreatLockDown cluster
ThreatLockDown packages generation guide
AIX
Debian
HPUX
macOS
RPM
Solaris
Virtual machine
Windows
WPK
Wazuh-Logtest
SELinux ThreatLockDown context
RBAC database integrity
Release notes
4.x
4.9.0 Release notes
4.8.2 Release notes
4.8.1 Release notes
4.8.0 Release notes
4.7.2 Release notes
4.7.1 Release notes
4.7.0 Release notes
4.6.0 Release notes
4.5.4 Release notes
4.5.3 Release notes
4.5.2 Release notes
4.5.1 Release notes
4.5.0 Release notes
4.4.5 Release notes
4.4.4 Release notes
4.4.3 Release notes
4.4.2 Release notes
4.4.1 Release notes
4.4.0 Release notes
4.3.11 Release notes
4.3.10 Release notes
4.3.9 Release notes
4.3.8 Release notes
4.3.7 Release notes
4.3.6 Release notes
4.3.5 Release notes
4.3.4 Release notes
4.3.3 Release notes
4.3.2 Release notes
4.3.1 Release notes
4.3.0 Release notes
4.2.7 Release notes
4.2.6 Release notes
4.2.5 Release notes
4.2.4 Release notes
4.2.3 Release notes
4.2.2 Release notes
4.2.1 Release notes
4.2.0 Release notes
4.1.5 Release notes
4.1.4 Release notes
4.1.3 Release notes
4.1.2 Release notes
4.1.1 Release notes
4.1.0 Release notes
4.0.4 Release notes
4.0.3 Release notes
4.0.2 Release notes
4.0.1 Release notes
4.0.0 Release notes
3.x
3.13.6 Release notes
3.13.5 Release notes
3.13.4 Release notes
3.13.3 Release notes
3.13.2 Release notes
3.13.1 Release notes
3.13.0 Release notes
3.12.3 Release notes
3.12.2 Release notes
3.12.1 Release notes
3.12.0 Release notes
3.11.4 Release notes
3.11.3 Release notes
3.11.2 Release notes
3.11.1 Release notes
3.11.0 Release notes
3.10.2 Release notes
3.10.1 Release notes
3.10.0 Release notes
3.9.5 Release notes
3.9.4 Release notes
3.9.3 Release notes
3.9.2 Release notes
3.9.1 Release notes
3.9.0 Release notes
3.8.2 Release notes
3.8.1 Release notes
3.8.0 Release notes
3.7.2 Release notes
3.7.1 Release notes
3.7.0 Release notes
3.6.1 Release notes
3.6.0 Release notes
3.5.0 Release notes
3.4.0 Release notes
3.3.1 Release notes
3.3.0 Release notes
3.2.4 Release notes
3.2.3 Release notes
3.2.2 Release notes
3.2.1 Release notes
3.2.0 Release notes
3.1.0 Release notes
3.0.0 Release notes
2.x
2.1.0 Release notes
Development
ThreatLockDown packages generation guide
ThreatLockDown packages generation guide
This section will show you how to generate your own ThreatLockDown packages for different platforms:
ThreatLockDown cluster
AIX
Edit on GitHub
Close