Table of Contents
Ways to Search the Unified Audit within the ThreatLocker Portal | Search Bar Filters | Advanced Search Filters | Explanation of the 'Rule' Dropdown Menu | Save Search Parameters
Ways to Search the Unified Audit within the ThreatLocker Portal
There are many ways to search the Unified Audit. Combining two or more fields in the search request will reduce the number of query returns. Each of the search fields is outlined below.
Search Bar Filters
- Search by Date: You can select a start and end date for your search in the audit. The length of time you can search back depends on your organization's Policies. By default, it is set to keep data for about a month. The search date will automatically be set for today's date, starting at midnight and ending at 11:59 PM. If you are researching an incident and you have a timeframe, you can narrow your search down by date and time to help filter out unneeded information. Selecting the date will open a calendar where you can change the date and time to fit your needs.
- Search by Policy Action: You can further filter your Unified Audit results by choosing a specific policy action to filter by. Using the dropdown menu, you can search by:
  - Permit: This will show you items that were permitted.
  - Deny: This will show you all items that were effectively denied.
  - Deny (Option to Request): This will show items that were denied, but the policy that denies them gives the user the option to request, meaning that this will only show denies that the end user was notified of.
  - Ringfenced: This will show you items that were Ringfenced, whether they were permitted or denied.
  - Any Deny: This will show you items that were effectively denied and items that were effectively permitted because the endpoints were in learning mode.
- Search by Action Type: You can search for a specific action type.
  - Execute: Files that are executing.
  - Install: Files that are installing.
  - Network: Network activity.
  - Registry: Registry changes.
  - Read: Files that are being accessed in areas monitored by storage.
  - Write: Files that are being saved in areas monitored by storage.
  - Move: Files that are being moved in areas monitored by storage.
  - Delete: Files that are being deleted in areas monitored by storage.
  - Baseline: Files that are profiled during the initial baselining of a machine.
  - PowerShell: PowerShell activity.
  - Elevate: Files that were attempted to be run with elevated permissions, whether or not the policy successfully elevated them.
  - New Process: New processes. By expanding an entry, you can see what called this new process.
  - Configuration: Information relating to Configuration Manager policies.
  - DNS: Shows logs that are generated from the ThreatLocker DNS service via machines regulated by Web Control without a ThreatLocker agent installed.
- Group By: As of the 2.16.3 ThreatLocker Portal release, the Unified Audit now allows you to select up to 2 Group By functions when using search features. If you have questions regarding the use of the improved Group By function, please refer to the following article:
- Search by Asset Name: If you want to see activity on a specific asset, you can enter the asset's name into the search box and filter your results to activity that occurred on a particular computer. Beginning to type the name of the machine you are searching for will show results of machines that match what you’ve entered.

By using the search bar, you can search for details that are relevant to what you want to find within the Unified Audit. This search will match anything that contains your input, including the certificate, the username, or the application name with which the log was permitted. To make a more granular search, insert wildcards (expressed as the * symbol) along with your term.
Advanced Search Filters
The Advanced Search Filters can be located to the right of the ‘Search’ button.
The ‘Advanced Search’ allows you to make a more precise search. With this feature, you can combine multiple rules to create a search that fits your parameters. You are also provided with two check boxes: ‘Include Child Organizations’, which allows you to include Unified Audit results from Child Organizations, and ‘Simulate Denies’, which shows you files that would have been denied had the machine not been in Application Control Learning Mode.
- Change these parameters to make your search precise.
- Choose the ‘+’ button to add a new search parameter or the ‘X’ button to delete one.
- Select the check boxes to ‘Include Child Organizations’ or ‘Simulate Denies’.
Once you have added all your search parameters, you can select the ‘Search’ button to show your results.
The following are all the search parameters that can be combined using the ‘Advanced Search’ feature:
- Search by Action: Searching by the Action will allow you to search for specific actions that have happened in the Unified Audit. The actions provided are: Permit, Deny, Deny (Option to Request), Ringfenced, and Any Deny. With Advanced Search, you are also given a 'Rule' filter, which allows you to select from the following options:
  - Equals
  - Not Equals
- Search by Action Type: Searching by the Action Type will allow you to search for different Action Types that have occurred in the Unified Audit. The Action Types provided are: Execute, Install, Network, Registry, Read, Write, Move, Delete, Baseline, PowerShell, Elevate, New Process, Configuration, and DNS. With Advanced Search, you are also given a 'Rule' filter, which allows you to select from the following options:
  - Equals
  - Not Equals
- Search by Additional Policy: Coming soon!
- Search by Application Id: Each application has a unique ID that is associated with it. This search allows you to input the Application ID and find logs that match. This search allows you to select from the following options within the ‘Rule’ field:
  - Equals
  - Not Equals
- Search by Application Name: Searching by the Application Name allows you to input keywords associated with the application name with which a file was permitted. This search field requires a keyword to be entered with information on the name of the application you are looking for, or to exclude from your search. Within the ‘Rule’ field, it has the following options:
  - Equals
  - Not Equals
  - Starts With
  - Ends With
  - Contains
  - Not Contains
- Search by Asset Name: The Asset Name is the name of the device. Searching by the asset name will allow you to view logs related to the asset that you have entered, making it device-specific. The ‘Rule’ field allows you to select from the following:
  - Equals
  - Not Equals
  - Starts With
  - Ends With
  - Contains
  - Not Contains
- Search by Certificates: If you need to see all activity from a certain vendor, you can enter all or part of the company's name that would sign the file in the 'Certificate' field to search for only items signed by that vendor. Within the ‘Rule’ field, it has the following options:
  - Contains
  - Not Contains
- Search by Cmd Line Parameters: Command Line Parameters are additional commands that can be inserted alongside an application to change the program's functionality. These parameters might be the same for multiple applications. This search allows you to view other applications that used the same command line parameters as another application or exclude those parameters from your search. The ‘Rule’ column allows you to choose from the following:
  - Equals
  - Not Equals
- Search by Computer Group: Searching by the computer group will search for all computers within the specified computer group. The ‘Rule’ field options are:
  - Equals
  - Not Equals
  - Starts With
  - Ends With
  - Contains
  - Not Contains
- Search by Created By Process: Searching by the Created By Process allows you to search for keywords that are associated with the process that created the application log. This search requires a keyword input and provides you with the following ‘Rule’ options:
  - Equals
  - Not Equals
  - Starts With
  - Ends With
  - Contains
  - Not Contains
- Search by Current Threat Level: Allows you to search by the threat level, which will be generated through alerts. The ‘Rule’ field provides you with the following options:
  - Equals
  - Not Equals
- Search by Data: The data field contains the maintenance mode ID that has been applied to the machine during that maintenance mode period. The ‘Rule’ field will have the following options:
  - Equals
  - Not Equals
- Search by Destination Domain: Searching by the Destination Domain will show you results containing a domain name that pertains to the keyword search parameters you enter. This search requires a keyword input and provides you with the following ‘Rule’ options:
  - Equals
  - Not Equals
  - Starts With
  - Ends With
  - Contains
  - Not Contains
- Search by Destination IP Address: Searching by the Destination IP will show you results containing the qualities of the IP address that was entered into the keyword section. This search requires a keyword input and provides you with the following ‘Rule’ options:
  - Equals
  - Not Equals
  - Starts With
  - Ends With
  - Contains
  - Not Contains
- Search by Destination Port: Searching by the Destination Port will show you all results related to the port number inserted into the keyword section. This search requires a keyword input and provides you with the following ‘Rule’ options:
  - Equals
  - Not Equals
  - Starts With
  - Ends With
  - Contains
  - Not Contains
- Search by Encryption Status: This can be used to verify whether the device is encrypted. The ‘Rule’ options are as follows:
  - Equals
  - Not Equals
- Search by Event Log Source Id: This allows you to search by the Event Log Source ID, which is generated by the Windows Event Viewer and used by ThreatLocker Detect to generate alerts. The 'Rule' field gives you the following options:
  - Equals
  - Not Equals
- Search by File Size: Allows you to search by the file size of the file. File size is logged in ThreatLocker in bytes and can be viewed within the individual logs. The ‘Rule’ field for this search can be set to:
  - Equals
  - Not Equals
- Filter By: Selecting the Filter option will show you only results based on the option you select in the ‘Filter By’ dropdown. The ‘Rule’ section is permanently set to ‘Equals’ here, and the ‘Filter By’ options are:
  - Computers installed over 4 days ago
  - Computers installed over 7 days ago
  - Remove White Noise: This filters out well-known white noise denies, helping to streamline the audit results into more useful information.
  - Unsecured: Shows results from machines that are not in Secured Mode.
  - Secured: Shows results from machines in Secured Mode.
- Search by Full Path: Searching by the Full Path will show you Full Paths that are related to the keyword you’ve inserted in this section. This search requires a keyword input and provides you with the following ‘Rule’ options:
  - Equals
  - Not Equals
  - Starts With
  - Ends With
  - Contains
  - Not Contains
- Search by Hash: An easy way to search for a specific file is to use the hash. You can copy the hash from an entry in the Unified Audit and paste it into the 'Hash' field. All instances of that particular hash that were audited during your selected timeframe will be listed. For files less than 1MB, this is the MD5 hash of the file. For files over 1MB, the hash is based on a unique ThreatLocker algorithm. The ‘Rule’ field provides the following options:
  - Equals
  - Not Equals
  - Starts With
- Search by Interface: You can search for activity on a specific interface by selecting your choice from the dropdown menu. The only ‘Rule’ options are 'Equals' and 'Not Equals'. The options for ‘Interface’ are:
  - USB
  - UNC
  - SATA
  - SAS
  - DVD
  - SCSI
- Search by Monitor Only: Used to determine if Application Control Monitor Only mode was enabled when the log was generated. If Monitor Only is ‘true’, this means it was enabled. The ‘Rule’ field allows for:
  - Equals
  - Not Equals
- Search by Network Direction: You can search for activity based on the network direction. The ‘Rule’ field is set to only 'Equals'. This also provides a dropdown with two options in the ‘Direction’ field: Outbound and Inbound.
- Search by Notes: Notes are generated automatically for some logs by ThreatLocker, indicating if the log was generated while the machine was in a maintenance mode. Some of the notes that might be generated are “learning mode” or “monitoring computer”. The ‘Rule’ field has the options of:
  - Equals
  - Not Equals
- Search by Parent Process Application Id: Allows you to search by the parent process’s application ID. The ‘Rule’ field has the options of:
  - Equals
  - Not Equals
- Search by Parent Process Certificate: You can search by the parent process’s certificate. The ‘Rule’ field has the options of:
  - Equals
  - Not Equals
- Search by Parent Process File Size: Allows you to search by the parent process’s file size. The ‘Rule’ field has the options of:
  - Equals
  - Not Equals
- Search by Parent Process SHA256: Allows you to search by the SHA256 of the parent process. The ‘Rule’ field has the options of:
  - Equals
  - Not Equals
- Search by Parent Process TLHash: Allows you to search by the ThreatLocker-generated hash of the parent process. The ‘Rule’ field has the options of:
  - Equals
  - Not Equals
- Search by Policy Id: Each policy has a unique ID generated along with it. This allows you to search for the policy ID and find results of every time that policy was hit. The ‘Rule’ field has the options of:
  - Equals
  - Not Equals
- Search by Policy Name: If you want to see instances of a specific policy being matched, you can search by Policy Name. The following options are available within the ‘Rule’ field:
  - Equals
  - Not Equals
  - Starts With
  - Ends With
  - Contains
  - Not Contains
- Search by Process ID: The Process ID is a unique identifier assigned to each process running on an Operating System. As these numbers are unique to the process, they can be used to identify when the process was used to call an application. This requires a keyword entry, which will be the Process ID number. The ‘Rule’ options are Equals and Not Equals.
- Search by Process Path: You can also search by process. If you want to see everything that has been called by a specific process, you can place all or part of the name in the Advanced search field. The following options are available within the ‘Rule’ field:
  - Equals
  - Not Equals
  - Starts With
  - Ends With
  - Contains
  - Not Contains
- Search by Remote Presence: Searching by Remote Presence lets you see if the machine has ThreatLocker installed. If ThreatLocker is not detected, the Remote Presence will be 'false'. The following options are available for the 'Rule' category:
  - Equals
  - Not Equals
  - Starts With
  - Ends With
- Search by Serial Number: You can also search for the activity of a specific device by searching by serial number. Place the serial number in the 'Serial Number' field and select search to see all activity involving that specific device. The following options are available for the ‘Rule’ category:
  - Equals
  - Not Equals
  - Starts With
  - Ends With
  - Contains
  - Not Contains
- Search by SHA256: SHA256 is another type of hashing algorithm that can be included with files alongside their unique ThreatLocker hash. The SHA256 can be located within individual logs of the Unified Audit and can be used to search for uses of that application. The following options are given for the ‘Rule’:
  - Equals
  - Not Equals
  - Starts With
- Search by Source IP Address: The Source IP address is the IP address of where the initial request was made. This can be used to identify network activity related to IP addresses associated with specific hostnames. This requires a keyword, and the following options for ‘Rule’ are:
  - Equals
  - Not Equals
  - Starts With
  - Ends With
  - Contains
  - Not Contains
- Search by Source Port: This allows you to see what port was used at the source location of a log. The ‘Rule’ field contains the following options:
  - Equals
  - Not Equals
- Search by Transport Layer: This allows you to search by the Transport Layer Protocol that was used for this log. The ‘Rule’ field includes the following options:
  - Equals
  - Not Equals
- Search by Username: If you need to see the activities of a certain user, you can search by Username. Input all or part of the Username into the Advanced search box. The following options for ‘Rule’ are:
  - Equals
  - Not Equals
  - Starts With
  - Ends With
  - Contains
  - Not Contains
Explanation of the 'Rule' Dropdown Menu
Depending on the search field parameters, the rule dropdown menu options will change. Selections can include:
- Equals: Search results will equal exactly what you enter within the ‘Keyword’ field.
- Not Equals: Search results will omit results that include the keyword you entered.
- Starts With: Search results will populate based on the keyword appearing at the beginning of a result (e.g., entering ‘Notepad’ as a keyword would yield results permitted by ‘Notepad++ (Built-In)’, as the keyword appears at the beginning of the Application Name).
- Ends With: Search results will populate based on the keyword appearing at the end of a result (e.g., entering ‘++ (Built-In)’ as a keyword would yield results permitted by ‘Notepad++ (Built-In)’, as the keyword appears at the end of the Application Name).
- Contains: Search results will include the entire keyword entered.
- Not Contains: Search results will be for everything except for logs that contain the keyword entered.
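To make the ‘Rule’ operators above and the wildcard search-bar behaviour from the Search Bar Filters section concrete, here is an added example in Python. It is not ThreatLocker code and does not talk to the portal: the audit entries are constructed sample records, case-insensitive matching and the AND combination of several advanced-search rules are assumptions of this example, and the treatment of a `*` term as a glob over a whole field value is likewise an assumption. The ‘Notepad’ / ‘++ (Built-In)’ cases mirror the Starts With and Ends With examples given above.

```python
from fnmatch import fnmatchcase

# Constructed sample Unified Audit entries (hypothetical values, not real logs).
AUDIT = [
    {"id": 1, "action": "Permit", "action_type": "Execute", "asset": "WS-FIN-01",
     "application": "Notepad++ (Built-In)", "certificate": "Notepad++",
     "full_path": r"C:\Program Files\Notepad++\notepad++.exe", "username": r"CORP\alice"},
    {"id": 2, "action": "Deny", "action_type": "Execute", "asset": "WS-FIN-01",
     "application": "", "certificate": "",
     "full_path": r"C:\Users\alice\Downloads\invoice.exe", "username": r"CORP\alice"},
    {"id": 3, "action": "Permit", "action_type": "Execute", "asset": "WS-HR-02",
     "application": "Microsoft Windows (Built-In)", "certificate": "Microsoft Windows",
     "full_path": r"C:\Windows\System32\cmd.exe", "username": r"CORP\bob"},
    {"id": 4, "action": "Permit", "action_type": "Network", "asset": "WS-HR-02",
     "application": "Google Chrome (Built-In)", "certificate": "Google LLC",
     "full_path": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "username": r"CORP\bob"},
]

# The six 'Rule' operators described in the article. Values and keywords are
# lower-cased before comparison; case-insensitivity is an assumption here.
RULES = {
    "Equals":       lambda value, kw: value == kw,
    "Not Equals":   lambda value, kw: value != kw,
    "Starts With":  lambda value, kw: value.startswith(kw),
    "Ends With":    lambda value, kw: value.endswith(kw),
    "Contains":     lambda value, kw: kw in value,
    "Not Contains": lambda value, kw: kw not in value,
}


def rule_matches(rule, value, keyword):
    """Apply one 'Rule' operator to a field value; unknown rule names are rejected."""
    try:
        op = RULES[rule]
    except KeyError:
        raise ValueError(f"unknown rule: {rule!r}") from None
    return op(value.lower(), keyword.lower())


def advanced_search(entries, criteria):
    """Advanced Search: criteria is a list of (field, rule, keyword) tuples.
    Every criterion must hold for an entry to be returned (AND; an assumption)."""
    return [
        entry for entry in entries
        if all(rule_matches(rule, str(entry.get(field, "")), keyword)
               for field, rule, keyword in criteria)
    ]


def search_bar(entries, term):
    """Search bar: a plain term matches any field that contains it; a term with
    '*' wildcards is treated as a glob over the whole field value (assumption)."""
    pattern = term.lower()

    def hit(value):
        value = value.lower()
        return fnmatchcase(value, pattern) if "*" in pattern else pattern in value

    return [
        entry for entry in entries
        if any(hit(str(value)) for field, value in entry.items() if field != "id")
    ]


def ids(results):
    """Reduce a result list to the constructed entry ids, for compact inspection."""
    return [entry["id"] for entry in results]


if __name__ == "__main__":
    # Starts With 'Notepad' and Ends With '++ (Built-In)' both pick out entry 1.
    print(ids(advanced_search(AUDIT, [("application", "Starts With", "Notepad")])))
    print(ids(advanced_search(AUDIT, [("application", "Ends With", "++ (Built-In)")])))
    # Two rules combined: everything on WS-HR-02 that is not network activity.
    print(ids(advanced_search(AUDIT, [("asset", "Equals", "WS-HR-02"),
                                      ("action_type", "Not Equals", "Network")])))
    # Search bar: plain term, then a wildcard term narrowed to a Downloads path.
    print(ids(search_bar(AUDIT, "alice")))
    print(ids(search_bar(AUDIT, r"*\Downloads\*.exe")))
```

The Not Contains rule treats an empty field (entry 2 has no certificate) as a match, which is what you want when hunting for unsigned binaries but worth remembering when you read a Not Contains result set: absence of the keyword, not presence of some other value, is what it selects.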
Save Search Parameters
Once you have entered your search fields and advanced search fields, you can select the 'Search' button to display results. You also have the option of saving your selected search parameters for future use.
To save your search parameters, select the ‘Saved Searches’ icon once your search is complete, which is shown to the right of the ‘Advanced Search’ button.
Selecting this icon will show you a list of your 3 most recent searches and any of your saved search parameters.
To create a new saved search, select the floppy disk icon to the right of the recent search you have completed.
Once selected, a field will open allowing you to rename your saved search to make it easier to locate. This is not required but is recommended for ease of use. Once the name has been entered, select the save button.
For future searches, you will only have to select the 'Saved Searches' button and you will find your saved search parameters listed in the 'Saved Searches' popup window.