Definitions of ThreatLocker Detect Variables

13 min. read | last update: 06.30.2025

When creating Detect Policies, the 'Policy Actions' section lets you customize how alerts that meet your conditions appear within the Response Center. These customizations are called 'Variables' and take their information directly from the Unified Audit to display in each individual alert. This article reviews all of the variables and how each one appears differently depending on the Action Type of the alert. The Action Type determines what information is provided to users, because the information logged in the Unified Audit changes with the Action Type.

ThreatLocker Detect Variables

  • Action Type - The log type generated based on an action on the machine. These action types are primarily used in the Unified Audit to indicate the action that happens on a machine or file. The following action types can appear:
    • Execute
    • Install
    • Network
    • Registry
    • Read
    • Write
    • Move
    • Delete
    • Baseline
    • PowerShell
    • Elevate
    • NewProcess
    • Configuration
    • DNS
  • Application ID - The Application ID is a unique identification number applied to custom applications within your organization or Built-In applications regulated by ThreatLocker. If the alert generated is related to an application, the ID matching the application will appear here. If not, the ID will appear as a string of zeroes.
  • Application Name - The Application Name is the name of the application that matches the ApplicationId generated along with the alert. If the alert generated is unrelated to an application in particular, this field will be left blank.
  • Canary File Path - The Canary File Path is the path you have selected to be monitored for file manipulation, or is the full path of the file that triggered the alert.
  • Certificates - The certificate is a part of a file that confirms a file was generated by a specific vendor. If the log does not have a certificate, this section is left blank.
  • CmdLine Parameters - Command Line Parameters are additional commands that can be inserted alongside an application to change the program's functionality. If a log contained Command Line Parameters, it would appear here. If not, this is left blank.
  • Computer ID - The Computer ID is a series of characters unique to each computer, providing information on which machine this alert is associated with.
  • Created By Process - The created by process is the process that created a file being executed. If there is no created by process associated with this log, this field will be left blank.
  • Current Threat Level - The Current Threat Level is the combined Threat Level of the active alerts on the machine. The Threat Level will be calculated by combining all of the active alerts and their Threat Levels.
  • Date Time - This displays the date and time an alert was generated. The date will be viewable in the MM/DD/YYYY format, whereas the time will be shown in a 24-hour format, which matches the time associated with the machine from which it was generated.
  • Destination Domain - The Destination Domain is the domain a user is trying to reach, and it will appear here. If there is no destination domain, it will appear blank.
  • Destination IP Address - The Destination IP address is the address a user is trying to reach. If it exists, it will appear here; otherwise, this area will appear blank.
  • Destination Port - The Destination Port is the port number used to reach the user's destination. If this number exists, it will appear here; if the Action Type does not involve network activity, this area will appear as zero.
  • Detect Policy Name - The Detect Policy name is the ThreatLocker Detect policy within your organization that generated this alert. This field will always hold a policy name, as an alert cannot be generated without matching a ThreatLocker Detect policy.
  • Device Serial Number - The device serial number is the unique identifier of the device that generated the log. This number will appear primarily for logs related to Storage Request, such as read, write, move, and delete. It will also display on Execute action types. If the alert generated does not hold this information, it will appear blank.
  • Device Type - Displays the type of device that generated the alert. This section will remain blank if the type of alert does not contain this information.
  • Disk Serial Number - This section shows the serial number associated with the storage device that generated the log. This will generally hold a response if it is related to Storage Control action types such as read, write, move, and delete. This will also display on logs with the execute action type. If this is not available, it will appear blank.
  • Effective Action - The Effective Action is the action that was actually taken on the log. Effective actions are different from the action, specifically when considering a machine in a maintenance mode. If the machine is in a maintenance mode, such as Application Control Learning Mode, the action can display as deny while the effective action is 'Permitted'. This means that had the machine not been in a maintenance mode at the time the log was generated, it would have been denied. If no 'Effective Action' is detected, it will display as 'None'.
  • Elevation Status - The Elevation Status is related to users gaining administrator access to specific applications. If this log is not associated with elevation, such as not having the 'Elevation' action type, it will appear blank.
  • Encryption Status - The Encryption Status indicates whether the drive associated with this log has BitLocker enabled. The status appearing here can have three possible values:
    • Encrypted - The drive has BitLocker enabled
    • Not Encrypted - The drive does not have BitLocker enabled
    • Unknown - It cannot be determined, or this action type is unrelated
  • Event Log Source - The Event Log Source displays the Event Log Source Name, which is associated with the software that generated the Event Log.
  • Event Log Keywords - The Event Log Keywords are specific keywords that might appear based on the generated event. Seven different types of keywords can appear in this field; however, there are times when a log does not contain a keyword:
    • Audit Failure
    • Audit Success
    • Classic
    • Correlation Hint
    • Response Time
    • SQM
    • WDI Diag
  • Event Log Level - The Event Log Level is a series of keywords that can be used to denote the severity of specific event logs. Windows event logs can contain a few different types of event levels:
    • Critical
    • Warning
    • Verbose
    • Error
    • Information
  • Event Log Message - The Event Log Message describes what caused the event log to be generated. If a Windows event was generated, it will appear here.
  • Event Log Name - The Event Log Name denotes the location where the Event ID is saved. Four different types of Event Log Names are created by default; however, custom locations can also be created. The four default Event Log Names are:
    • Application - Logs events that are related to applications and software that are installed on the machine.
    • Security - Logs events related to system security, such as event deletion or entering an invalid password during login.
    • Setup - Logs events that occur during Windows Installation and machine configuration. This portion of the Windows Event Viewer will also display new logs relating to Windows updates.
    • System - Logs events generated by the Windows Operating System. Alerts related to hardware or software issues can also be generated here.
  • Event Log OpCode - An OpCode, also known as 'Operation Code', is a code usually with a numerical value that translates to an event being performed on the system. The numerical value will then be translated into a value readable by humans. The possible values are as follows:
    • Info - Indicates that it was an informational event.
    • Start - Indicates that an application has started a new transaction or activity.
    • Stop - Indicates that an application's transaction or activity has ended.
    • Data Collection Start - Indicates a trace collection start event.
    • Data Collection Stop - Indicates a trace collection stop event.
    • Extension - Indicates an extension event.
    • Reply - Indicates when an application's activity replies to an event.
    • Resume - Indicates that an activity was resumed after being suspended.
    • Suspend - Indicates that an activity was suspended.
    • Send - Indicates when an activity transfers data or system resources to another activity.
    • Receive - Indicates when an activity in an application receives data.

Note: Please consult the following article from Microsoft for more information regarding Event Log OpCode:

StandardEventOpcode Enum (System.Diagnostics.Eventing.Reader) | Microsoft Learn

  • Event Log Source ID - The Event Log Source ID is a number associated with the event log. These numbers relate to specific events on the machine and can be tied to similar actions. ThreatLocker uses these numbers to generate specific alerts.
  • Event Log Task Category - The Event Log Task Category further defines the Event Source and provides additional information about where the Event originated.
  • File Size - The File Size shows how big a certain file is. This information is displayed in Bytes.
  • Hostname - This displays the hostname associated with the machine that generated the alert.
  • Maintenance Mode ID - This populates with the ID generated for the maintenance mode session that the machine generating the alert is in. If the machine is not in maintenance mode at the time of the alert, the Maintenance Mode ID will appear as 00000000-0000-0000-0000-000000000000. Otherwise, the ID of the specific maintenance mode session will appear.
  • Monitor Only - Monitor Only helps users identify if an alert was generated while the machine was in a maintenance mode. Monitor Only will be marked as 'True' if the log generated for the alert was denied with the 'Effective Action' being 'Permitted'. These are categorized as simulated denies and show that this would have been denied had the machine been in Secured Mode.
  • Network Direction - This provides you with information on whether the connection was inbound or outbound. If it is not related to network connectivity, it will display as 'UnKnown'.
  • Notes - Notes are generated based on the maintenance mode a machine is in when the alert is generated. Notes can contain different text based on the maintenance mode (e.g., "learning mode" or "monitoring computer").
  • Occurrences - The number of occurrences correlates with the number of times a specific action is detected on a user's machine.
  • Organization - Displays the Organization ID that the machine generating the alert belongs to. This Organization ID can be found within the 'Edit Organization Settings' page or as part of the link to that organization.
  • Organization Name - Displays the organization's name associated with the machine on which the alert was generated.
  • Parent Process: Application - Provides the application ID associated with the application's parent process. The parent process is the process that called the application or action that triggered the alert.
  • Parent Process: Certificate - Provides the certificate associated with the application's parent process.
  • Parent Process: File Size - Provides the file size in bytes associated with the parent process. This will display as zero if the file size is unavailable.
  • Parent Process: SHA256 - Displays the SHA256 associated with the alert's parent process. If nothing is available to display in this area, the section will remain blank.
  • Parent Process: TL Hash - Displays the unique ThreatLocker hash associated with the alert's parent process. If nothing is available to be displayed, the section will remain blank.
  • Policy Action - The Policy Action section contains information about the action taken on the file that triggered the alert. If there is no policy action, this will display as 'None'.
  • Policy ID - The Policy ID is a string of characters unique to the application. It can help you identify which policy was related to the alert that was triggered. If no policy is detected, it will show as a string of zeroes instead.
  • Policy Name - This will display as the name of the policy associated with the alert being triggered. If no policy is detected, this will be blank.
  • Process ID - The Process ID is a unique identifier assigned by the operating system to each process on the system. This will display here and can be located within the machine's Task Manager. If a Process ID is not found, it will display as '0'.
  • Process Path - The Process Path is the path of the file that calls the application. This is useful in determining if specific applications interact with others and allows you to determine whether the application behaves normally.
  • Registry Key Change - Identifies and displays if a change was made to the Windows Registry in accordance with this log. If a change is made, the path to the Registry change will appear here.
  • Ringfenced - This will identify if the log was Ringfenced. If so, 'Yes' will be displayed. If not, 'No' will be shown instead.
  • SHA256 - A hashing algorithm that produces a unique identifier for every application. This will display a string of 64 hexadecimal characters that can be used to identify what an application is.
  • Source IP Address - The Source IP Address is the IP address of the device initiating the communication. It will likely be the IP address of the device that triggered the alert.
  • TL Hash - The ThreatLocker Hash is ThreatLocker's unique hashing algorithm used to identify applications within the organization. Each application will have a ThreatLocker Hash made up of 32 alphanumeric characters that can be used to identify what an application is.
  • Transport Layer - The Transport Layer identifies the protocol type used during end-to-end communication. It can display the protocol used, the most common being TCP and UDP, or it can also display 'none' if no end-to-end communication was generated.
  • Username - This displays the hostname and username of the user that generated the alert in a Hostname\Username format.
  • Volume Serial Number - The Volume Serial Number is a unique number assigned to the volume of the hard drive on the user's machine.
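The relationships between these variables (a deny whose Effective Action is 'Permitted' is a Monitor Only simulated deny, an all-zero Maintenance Mode ID or Application ID means "not applicable", Destination Port is only meaningful for network Action Types, and SHA256 / TL Hash have fixed lengths) are easiest to see applied to real records. The following is an added example, not ThreatLocker's code or output: a small triage helper that applies those rules to constructed sample alerts keyed by the variable names above. The 'Deny'/'Permit' Policy Action values and the flat dictionary shape of an alert are assumptions.

```python
import re

NULL_GUID = "00000000-0000-0000-0000-000000000000"  # 'not in maintenance mode' per the article
NETWORK_ACTIONS = {"Network", "DNS"}                 # Action Types that carry real port/IP data
SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")           # SHA256 renders as 64 hex characters
TL_HASH_RE = re.compile(r"[0-9A-Za-z]{32}")          # TL Hash renders as 32 alphanumerics

# Constructed sample alerts keyed by this article's variable names (not real ThreatLocker output).
SAMPLE_ALERTS = [
    {"Action Type": "Execute", "Policy Action": "Deny", "Effective Action": "Permitted",
     "Maintenance Mode ID": "11111111-2222-3333-4444-555555555555",  # constructed session id
     "Application ID": "0" * 32, "Destination Port": 0, "SHA256": "a" * 64, "TL Hash": "b" * 32},
    {"Action Type": "Network", "Policy Action": "Deny", "Effective Action": "Deny",
     "Maintenance Mode ID": NULL_GUID, "Application ID": "c" * 32, "Destination Port": 443,
     "SHA256": "not-a-hash", "TL Hash": "b" * 32},
    {"Action Type": "Read", "Policy Action": "Permit", "Effective Action": "Permitted",
     "Maintenance Mode ID": NULL_GUID, "Application ID": "d" * 32, "Destination Port": 0,
     "SHA256": "a" * 64, "TL Hash": ""},
]


def triage(alert):
    """Derive triage facts for one alert from the rules this article gives for its variables."""
    action = alert.get("Policy Action", "None")
    effective = alert.get("Effective Action", "None")
    # A deny whose Effective Action is 'Permitted' is a simulated deny from a maintenance mode
    # (e.g. Learning Mode); the article says Monitor Only is 'True' for exactly these logs.
    simulated = action == "Deny" and effective == "Permitted"
    app_id = alert.get("Application ID", "")
    network = alert.get("Action Type") in NETWORK_ACTIONS
    return {
        "monitor_only": simulated,
        "real_deny": action == "Deny" and not simulated,
        "in_maintenance_mode": alert.get("Maintenance Mode ID", NULL_GUID) != NULL_GUID,
        # an all-zero Application ID means the alert is not tied to an application
        "application_related": bool(set(app_id) - {"0", "-"}),
        # Destination Port only carries meaning for network Action Types; otherwise it is zero
        "destination_port": alert.get("Destination Port", 0) if network else 0,
        "sha256_valid": SHA256_RE.fullmatch(alert.get("SHA256", "")) is not None,
        "tl_hash_valid": TL_HASH_RE.fullmatch(alert.get("TL Hash", "")) is not None,
    }


def summarize(alerts):
    """Count real denies versus simulated (Monitor Only) denies across a batch of alerts."""
    results = [triage(a) for a in alerts]
    return {
        "real_denies": sum(r["real_deny"] for r in results),
        "simulated_denies": sum(r["monitor_only"] for r in results),
        "maintenance_mode_alerts": sum(r["in_maintenance_mode"] for r in results),
    }
```

Separating real denies from simulated ones this way keeps Learning Mode noise out of the queue while still surfacing what would have been blocked in Secured Mode.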