How it works
As mentioned above, the ThreatLockDown agent uses the Syscollector module to gather relevant information from the monitored endpoint. Once the agent service starts on a monitored endpoint, the Syscollector module runs periodic scans and collects data on the system properties defined in your configuration. The data is first stored in a temporary local database on the endpoint.
The agent forwards the newly collected data from its local database to the ThreatLockDown server. Each agent uses a separate database on the ThreatLockDown server. The ThreatLockDown server updates the appropriate tables of the inventory database using the information the agent sends. For example, the ThreatLockDown server stores hardware-related information in a table called sys_hwinfo.
The ThreatLockDown dashboard automatically displays the data stored in the inventory database. You can also query the database using the ThreatLockDown API or the SQLite tool. In addition, the vulnerability detection module uses the package and Windows update information in the inventory to detect vulnerable and patched software on monitored endpoints.
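One way to inspect an inventory database with SQLite without risking changes to it, as an added example that is not part of the ThreatLockDown documentation. Only the table name sys_hwinfo comes from this page; the database file, its columns and its values are constructed for the demo, so the code discovers the schema rather than assuming it.

```python
import sqlite3
import tempfile
from pathlib import Path

def open_read_only(db_path):
    """Open a SQLite file with mode=ro so queries cannot modify inventory data."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    conn.row_factory = sqlite3.Row
    return conn

def list_tables(conn):
    """Discover the tables instead of assuming the schema."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    return [r["name"] for r in rows]

def dump_table(conn, table):
    """Return every row of `table` as a dict keyed by column name."""
    if table not in list_tables(conn):  # identifiers cannot be bound as parameters
        raise ValueError(f"no such table: {table}")
    return [dict(r) for r in conn.execute(f'SELECT * FROM "{table}"')]

def build_sample_db(path):
    """Constructed stand-in for an inventory database; columns are assumptions."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE sys_hwinfo (scan_time TEXT, cpu_name TEXT, cpu_cores INTEGER, ram_total INTEGER)")
    conn.execute("INSERT INTO sys_hwinfo VALUES ('2024-01-01T00:00:00Z', 'Example CPU', 4, 8388608)")
    conn.commit()
    conn.close()

def demo():
    """Build the sample file, read it back read-only, and confirm writes fail."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "sample_inventory.db"
        build_sample_db(path)
        conn = open_read_only(path)
        try:
            tables, rows = list_tables(conn), dump_table(conn, "sys_hwinfo")
            try:
                conn.execute("DELETE FROM sys_hwinfo")
                write_blocked = False
            except sqlite3.OperationalError:  # "attempt to write a readonly database"
                write_blocked = True
        finally:
            conn.close()
    return tables, rows, write_blocked

if __name__ == "__main__":
    print(demo())
```

Working on a copy of the database file, or opening it read-only as here, keeps an ad hoc query from altering the data the dashboard and the vulnerability detection module rely on.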