How to Use Multiple Parameters in a Single Search Field in the Unified Audit
Currently available on the Beta portal
To assist you in creating the most concise search results possible, ThreatLocker has added the ability to specify multiple parameters within a single search field in the Unified Audit. Utilizing the pipe symbol "|", you can combine the exact parameters you wish to include, exclude, or use a combination of both. All textboxes in the Unified Audit page will support the use of the "|" symbol.
The Policy Name, Path, Process, Hostname, Username, Certificate, Hash, and Serial Number textboxes all accept the | to input multiple parameters. You can combine | with wildcards "*" and/or "!".
For example, if you wanted to see only items that matched your policy for Quickbooks and your policy for Turbotax, in the Policy Name text box you could input all or part of the policy names separated by a | (e.g. quick*|turbo*).
If you wanted to see everything but items that match Tamper Protection and Defender, you could insert !*tamper*|!*defender* in the Policy Name box.
You can input !*tamper*|*defender* to see items that do not match tamper but do match defender. Combine the exact specifics you need to hone in on the exact results you need to review.
To review the activity of just a few users, input the usernames into the Username box, separated by a |.