Note: This article contains directions for both the ThreatLocker Portal and the ThreatLocker Legacy Portal. If you are using the Legacy Portal, scroll down in the article for directions on using multiple parameters in a single search field in the Unified Audit.
Ways to Search the Unified Audit within the ThreatLocker Portal
There are many ways to search the Unified Audit. Combining two or more fields in a search request narrows the results, because every field you fill in must match. Each of the search fields is outlined below.
Note: The default rule for search parameters is Contains. Wildcards are no longer required when searching.
Search Bar Filters:
- Search by Date: You can select a start and end date for your search in the audit. How far back you can search depends on your organization's Policies; by default, data is kept for about a month. The search date is automatically set to today's date, from midnight at the start of the day to midnight at the end of it. If you are researching an incident and have a timeframe, narrowing your search by date and time helps filter out unneeded information.
- Search by Policy Action: You can further filter your Unified Audit results by choosing a specific policy action. Using the dropdown menu you can search by:
  - Permit - This will show you items that were permitted.
  - Deny - This will show you all items that were effectively denied.
  - Deny (Option to Request) - This will show items that were denied by a policy that gives the user the option to request access, meaning it only shows denies that the end user was notified of.
  - Ringfenced - This will show you items that were Ringfenced, whether they were permitted or denied.
  - Any Deny - This will show you items that were effectively denied, and items that were effectively permitted only because the endpoints were in learning mode.
- Search by Action Type: You can search for a specific action type.
  - Execute - files that are executing
  - Install - files that are installing
  - Network - network activity
  - Registry - registry changes
  - Read - files that are being accessed in areas monitored by storage
  - Write - files that are being saved in areas monitored by storage
  - Move - files that are being moved in areas monitored by storage
  - Delete - files that are being deleted in areas monitored by storage
  - Baseline - files that are profiled during the initial baselining of a machine
  - PowerShell - PowerShell activity
  - Elevation - files that a user attempted to run with elevated permissions, whether or not the policy successfully elevated them
  - New Process - new processes. By expanding an entry, you can see what called the new process.
  - Configuration
  - OS Event Log
- Group By: You can choose to group your audit results to condense your search results. The options are:
  - Path
  - Hash
  - Cert
  - Hostname
  - Username
  - Process
  - Source IP
- Search by Hostname: If you want to see activity on a specific Hostname, type all or part of the Hostname into the search box to filter your results to activity that occurred on that computer.
Advanced Search Filters:
- Search by Details/Path: If you are looking for a certain file, you can search by path.
- Search by Username: If you need to see the activities of a certain user, you can search by Username. Input all or part of the Username into the (Advanced) search box.
- Search by Process: You can also search by process. If you want to see everything that has been called by a specific process, you can place all or part of the name in the (Advanced) search box.
- Search by Certificate: Perhaps you need to see all activity from a single vendor. You can enter all or part of the name of the company that would sign the file in the 'Certificate' field to search for only items signed by that vendor.
- Search by Policy Name: If you want to see instances of a specific policy being matched, you can search by Policy Name.
- Search by Hash/Source: An easy way to search for a specific file is to use its hash. Copy the hash from an entry in the Unified Audit, paste it into the 'Hash' field, and click search. All instances of that hash that were audited during your selected timeframe will be listed. For files smaller than 1MB, this is the MD5 hash of the file. For files over 1MB, the hash is based on a unique ThreatLocker algorithm.
- Search by Serial Number: You can also search for the activity of a specific device by searching by serial number. Place the serial number in the 'Serial Number' field and click search to see all activity involving that specific device.
- Search by Interface: You can search for activity on a specific interface by selecting your choice from the dropdown menu. The options are:
  - USB
  - UNC
  - SATA
  - SAS
  - DVD
  - SCSI
- Filter By: You can also choose to filter your audit results. You can filter by:
  - Computers installed over 4 days ago
  - Computers installed over 7 days ago
  - Remove White Noise, which filters out denies that are well-known white noise, to help streamline the audit results into more useful information.
  - Computers in Monitor Only
  - Computers in Secured Mode
Explanation of the 'Rule' Dropdown Menu
Depending on the search field parameters, the rule dropdown menu options will change. Selections can include:
- Equals
- Not Equals
- Starts With
- Ends With
- Contains
- Not Contains
Save Search Parameters
Once you have completed your search fields and advanced search fields, you can click the 'Search' button to display results. You also have the option of saving your selected search parameters for future use.
To save your search parameters, once your search is complete, click on the 'Saved Search' icon and you will see a small popup window.
Click on the plus icon and enter the name of your search parameters. Click on 'Save Current Search'.
For future searches, you will only have to click on the 'Saved Searches' button and you will find your saved search parameters listed in the 'Saved Searches' popup window.
Ways to Search the Unified Audit within the ThreatLocker Legacy Portal
To assist you in creating the most concise search results possible, ThreatLocker has added the ability to specify multiple parameters within a single search field in the Unified Audit. Using the pipe symbol "|", you can combine the exact parameters you wish to include, exclude, or a combination of both. All textboxes on the Unified Audit page support the "|" symbol.
The Policy Name, Path, Process, Hostname, Username, Certificate, Hash, and Serial Number textboxes all accept the "|" symbol to input multiple parameters. You can combine "|" with the "*" wildcard and/or the "!" exclusion prefix.
For example, if you wanted to see only items that matched your policy for Quickbooks and your policy for Turbotax, in the Policy Name text box you could input all or part of the policy names separated by a | (e.g. quick*|turbo*).
If you wanted to see everything but items that match Tamper Protection and Defender, you could insert !*tamper*|!*defender* in the Policy Name box.
You can input !*tamper*|*defender* to see items that do not match tamper but do match defender. Combine the exact specifics you need to home in on the results you need to review.
To review the activity of just a few users, input the usernames into the Username box, separated by a |.
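The three Policy Name examples above define a small query syntax. The following added example (my own code, not the Legacy Portal's) implements that syntax so you can check what a combined expression will and will not return before typing it into the box. It assumes what the examples show: terms are split on "|", "*" matches any run of characters, a term prefixed with "!" excludes, matching is case-insensitive, included terms are OR'd together, and an exclusion always wins over an inclusion. A term without any "*" is treated as an exact match, which is an assumption, since the article's examples always use wildcards. The policy names are constructed for illustration.

```python
# Added example: a matcher for the Legacy Portal's "|", "*" and "!" field syntax.
# Assumptions: case-insensitive; includes are OR'd; any matching "!" term excludes;
# a term with no "*" must match the whole value.
import re


def _wildcard_to_regex(pattern):
    """Turn a "*"-wildcard term into an anchored, case-insensitive regex."""
    parts = pattern.split("*")
    return re.compile("^" + ".*".join(re.escape(p) for p in parts) + "$", re.IGNORECASE)


def parse_legacy_field(text):
    """Split a textbox value on "|" into include and exclude patterns."""
    includes, excludes = [], []
    for raw in text.split("|"):
        term = raw.strip()
        if not term:
            continue  # ignore empty segments such as a trailing "|"
        if term.startswith("!"):
            excludes.append(_wildcard_to_regex(term[1:]))
        else:
            includes.append(_wildcard_to_regex(term))
    return includes, excludes


def legacy_match(text, value):
    """True if 'value' would be returned for the field expression 'text'."""
    includes, excludes = parse_legacy_field(text)
    if any(rx.match(value) for rx in excludes):
        return False           # an exclusion always wins
    if not includes:
        return True            # only exclusions given: everything else passes
    return any(rx.match(value) for rx in includes)


def legacy_filter(text, values):
    """Return the subset of 'values' the expression 'text' keeps, in order."""
    return [v for v in values if legacy_match(text, v)]


# Constructed policy names used to try the article's three examples.
SAMPLE_POLICY_NAMES = [
    "QuickBooks Desktop",
    "TurboTax 2023",
    "Tamper Protection",
    "Microsoft Defender",
    "Default - Deny",
]

if __name__ == "__main__":
    for expression in ("quick*|turbo*", "!*tamper*|!*defender*", "!*tamper*|*defender*"):
        print(expression, "->", legacy_filter(expression, SAMPLE_POLICY_NAMES))
```

Running the block prints the Quickbooks and Turbotax policies for the first expression, everything except the Tamper Protection and Defender policies for the second, and only the Defender policy for the third, matching the three descriptions in the text.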