ThreatLocker now offers users the ability to schedule and build custom reports directly from the 'Custom Reports' page. This provides you with a method for custom-generating reports based on information provided by ThreatLocker and within your Unified Audit. With this new feature, you will be able to create custom reports that contain the important information you would like to view within your organization.
Please Note: It could take up to 24 hours for a newly created Scheduled Report to run in your organization.
Changes outlined below coming in Portal 4.6!
Location of the Schedule Reports Feature
Navigate to 'Analytics' > 'Reports'. 
There will be two options:
- Saved Reports: A page that will contain all of the Organization's saved reports
- Predefined Reports: A page where all ThreatLocker created reports can be generated and expirted.
Select 'Saved Reports'.

The list of saved reports can be sorted by type of report and/or by the scope of the report (the 'Applies to' of the report).
The last run report can be viewed by selecting the blue eye icon in the Actions column. Most reports can also be deleted by selecting the red garbage can icon in the Actions column.
Note: The default DAC report cannot be deleted, and will not have a delete icon next to it.

Select the blue 'New Report' button to open the New Report wizard.

First, you can select between DAC Report, Detect Report, Software Health Report, and Custom Report.
DAC Report
Selecting DAC Report will provide access to create a custom DAC report.


- Report Name - Prefilled with the type of report, Organization Name, and the date, but can be changed to whatever is desired
- Scope - Select the organization, group, or computer this report will be compiled for
- Timeframe - Select the timeframe that will be queried for this report
- Report Recipients - Enter the email address(es) of the admins that will receive this report
- Pre-Auth Link - Select Pre-Auth Link to allow the recipient to view the report without the need to log into the ThreatLocker portal. Without a pre-auth link, recipients will be required to log into the ThreatLocker portal before they can access the report

- Schedule - Toggle on Schedule to schedule the report be sent on a selected frequency.

Click 'Save' to save this report.
Detect Report
Selecting Detect Report provides access to create an MDR Report or an Executive Summary.

MDR Report
The MDR report is a report that details Cyber Hero MDR statistics for alert responses in the environment during the reporting period.

- Report Name - Prefilled with the type of report, Organization Name, and the date, but can be changed to whatever is desired
- Report Logo - This option allows users to insert a link to an image to include branding in the report once it is generated
- Scope - Select the organization, group, or computer this report will be compiled for
- Module - Select between All, Endpoint Detect, or Cloud Detect

- Timeframe - Select the timeframe that will be queried for this report
- Include child organizations - This checkbox is not selected by default. Selecting this checkbox will include the child organizations of the parent organization picked in the 'Scope' section within the generated report.
- Report Recipients - Enter the email address(es) of the admins that will receive this report
- Pre-Auth Link - Select Pre-Auth Link to allow the recipient to view the report without the need to log into the ThreatLocker portal. Without a pre-auth link, recipients will be required to log into the ThreatLocker portal before they can access the report
- Schedule - Toggle on Schedule to schedule the report be sent on a selected frequency
Click 'Save' to save this report.
New Executive Summary Report
The Executive Summary report provides an overview of events, alerts, incidents and recommendations within the selected reporting period.

- Report Name - Prefilled with the type of report, Organization Name, and the date, but can be changed to whatever is desired
- Report Logo - This option allows users to insert a link to an image to include branding in the report once it is generated
- Scope - Select the organization, group, or computer this report will be compiled for
- Module - Select between All, Endpoint Detect, or Cloud Detect

- Timeframe - Select the timeframe that will be queried for this report
- Include child organizations - This checkbox is not selected by default. Selecting this checkbox will include the child organizations of the parent organization picked in the 'Scope' section within the generated report
- Report Recipients - Enter the email address(es) of the admins that will receive this report
- Pre-Auth Link - Select Pre-Auth Link to allow the recipient to view the report without the need to log into the ThreatLocker portal. Without a pre-auth link, recipients will be required to log into the ThreatLocker portal before they can access the report
- Schedule - Toggle on Schedule to schedule the report be sent on a selected frequency
Click 'Save' to save this report.
Software Health Report
The Software Health Report provides visiblity of all the permitted software in the environment, including security ratings, countries of origin, and potential risks associated with using the software.

- Report Name - Prefilled with the type of report, Organization Name, and the date, but can be changed to whatever is desired
- Report Recipients - Enter the email address(es) of the admins that will receive this report
- Pre-Auth Link - Select Pre-Auth Link to allow the recipient to view the report without the need to log into the ThreatLocker portal. Without a pre-auth link, recipients will be required to log into the ThreatLocker portal before they can access the report
- Schedule - Toggle on Schedule to schedule the report be sent on a selected frequency.
Click 'Save' to save this report.
Custom Report
Select Custom Report to build your own report based on System Audit or Unified Audit data.

Administrator Activity Report
The Administrator Activity Report provides access to create a report pulling System Audit data to analyze administator activity and ThreatLocker configuration changes.

- Report Name - Prefilled with the type of report, Organization Name, and the date, but can be changed to whatever is desired
- Report Logo - This option allows users to insert a link to an image to include branding in the report once it is generated
- Report Conditions > Field - Select what data field to build a report condition around

- Rule - Select the rule that will be use for evaluating the condition (such a matches, does not match, contains, etc)
- Select the Keyword that is being evaluated. For example, a condition could be Username matches admin@mycompany.com. Press the green + button to add this condition to the report. Build as many conditions as desired.
- Include Child Organizations - This checkbox is not selected by default. Selecting this checkbox will include the child organizations of the parent organization picked in the 'Scope' section within the generated report
- Timeframe - Select the timeframe that will be queried for this report
- Display Columns - Add or remove the columns that will be displayed in the report
- Report Recipients - Enter the email address(es) of the admins that will receive this report
- Pre-Auth Link - Select Pre-Auth Link to allow the recipient to view the report without the need to log into the ThreatLocker portal. Without a pre-auth link, recipients will be required to log into the ThreatLocker portal before they can access the report
- Schedule - Toggle on Schedule to schedule the report be sent on a selected frequency
- Save - Press the Save button to save the report without previewing it.
- Generate - Press the Generate button to run the report instantly and view it before saving
Endpoint Activity Report
Select Endpoint Activity Report to either create an Advanced Report based on Unified Audit data or to access Predefined Reports (reports created for your organization by ThreatLocker).
Advanced Report
Select Advanced Report to create a report using Unified Audit data.

- Report Name - Prefilled with the type of report, Organization Name, and the date, but can be changed to whatever is desired
- Report Logo—This option allows users to insert a link to an image to include branding in the report once it is generated
- Report Conditions > Field - Select what data field to build a report condition around
- Rule - Select the rule that will be use for evaluating the condition (such a matches, does not match, contains, etc)
- Select the Keyword that is being evaluated. For example, a condition could be Username matches admin@mycompany.com. Press the green + button to add this condition to the report. Build as many conditions as desired. How to Use Multiple Parameters in a Single Search Field in the Unified Audit | ThreatLocker Help Center
- Include Child Organizations - This checkbox is not selected by default. Selecting this checkbox will include the child organizations of the parent organization picked in the 'Scope' section within the generated report
- Simulate Deny - Will display green denies, items that would have been denied but were permitted because the endpoint was in a mode other than secure
- Group By - Up to 2 conditions can be selected to group results by. When group by is selected, 'Count' is automatically added as one of the Display Columns
- Timeframe - Select the timeframe that will be queried for this report
- Display Columns - Add or remove the columns that will be displayed in the report
- Report Recipients - Enter the email address(es) of the admins that will receive this report
- Pre-Auth Link - Select Pre-Auth Link to allow the recipient to view the report without the need to log into the ThreatLocker portal. Without a pre-auth link, recipients will be required to log into the ThreatLocker portal before they can access the report
- Schedule - Toggle on Schedule to schedule the report be sent on a selected frequency
- Save - Press the Save button to save the report without previewing it.
- Generate - Press the Generate button to run the report instantly and view it before saving
Predefined Report
Select Predefined Report to create and schedule a report using ThreatLocker created reports.

- Report Name - Prefilled with the type of report, Organization Name, and the date, but can be changed to whatever is desired
- Report Logo—This option allows users to insert a link to an image to include branding in the report once it is generated
- Category - Select the category of report desired
- Report - Select the name of the report
- Report Recipients - Enter the email address(es) of the admins that will receive this report
- Pre-Auth Link - Select Pre-Auth Link to allow the recipient to view the report without the need to log into the ThreatLocker portal. Without a pre-auth link, recipients will be required to log into the ThreatLocker portal before they can access the report
- Schedule - Toggle on Schedule to schedule the report be sent on a selected frequency
- Save - Press Save to save the report
Creating Scheduled Reports From the Unified Audit
You can also create scheduled reports using the 'Saved Searches' feature in the Unified Audit. The 'Saved Searches' button is located in the Unified Audit to the right of the 'Advanced Search' button.

Select this button to see a list of recent searches alongside your saved searches. Select the 'Calendar' icon as shown below to open the Custom Report window with the saved parameters and add it as a new report.

Selecting the 'Calendar' icon will open the 'Custom Report' page, which will now be auto-populated with parameters that match those of the saved search you chose from the Unified Audit.
You can create the rest of your 'Custom Report' from here.
Help Center