How to Use Multiple Parameters in a Single Search Field in the Unified Audit

Search by Date: You can select a start and end date for your search in the audit. The length of time you can search back depends on your organization's Policies. By default, it is set to keep data for about a month. The search date will automatically be set for today's date, starting at midnight and ending at 11:59 PM. If you are researching an incident and you have a timeframe, you can narrow your search down by date and time to help filter out unneeded information. Selecting the date will open a calendar where you can change the date and time to fit your needs. 

Search by Policy Action: You can further filter your Unified Audit results by choosing a specific policy action to filter by.  Using the dropdown menu, you can search by:

• Permit: This will show you items that were permitted.  

Search by Action Type: You can search for a specific action type.   

Group By: As of the 2.16.3 ThreatLocker Portal release, the Unified Audit now allows you to select up to 2 Group By functions when using search features. If you have questions regarding the use of the improved Group By function, please refer to the following article: 

Search by Asset Name: If you want to see activity on a specific asset, you can enter the asset's name into the search box and filter your results to activity that occurred on a particular computer. Beginning to type the name of the machine you are searching for will show results of machines that match what you’ve entered. 

By using the search bar, you can search for details that are relevant to what you are wanting to find within the unified audit. This search will encompass anything that matches your input, including certificate, username, or even the application name with which the log was permitted. To make a more granular search, insert wildcards (expressed as the * symbol) along with your term. 

Search by Action: Searching by the Action will allow you to search for specific actions that have happened in the Unified Audit. The actions provided are: Permit, Deny, Deny (Option to Request), Ringfenced, and Any Deny. With Advanced Search, you are also given a 'Rule' filter, which allows you to select from the following options: 

Search by Action Type: Searching by the Action Type will allow you to search for different Action Types that have occurred in the Unified Audit. The Action Types provided are: Execute, Install, Network, Registry, Read, Write, Move, Delete, Baseline, PowerShell, Elevate, New Process, Configuration, and DNS. With Advanced Search, you are also given a 'Rule' filter, which allows you to select from the following options:

Search by Additional Policy: Coming soon!

Search by Application Id: Each application has a unique ID that is associated with it. This search allows you to input the Application ID and find logs that match. This search allows you to select from the following options within the ‘Rule’ field: 

Search by Application Name: Searching by the Application Name allows you to input keywords associated with the application name with which a file was permitted. This search field requires a keyword to be entered with information on the name of the application you are looking for, or to exclude from your search. Within the ‘Rule’ field, it has the following options: 

Search by Asset Name: The Asset Name is the name of the device. Searching by the asset name will allow you to view logs related to the asset that you have entered, making it device-specific. The ‘Rule’ field allows you to select from the following: 

Search by Certificates: If you need to see all activity from a certain vendor, you can enter all or part of the company's name that would sign the file in the 'Certificate' field to search for only items signed by that vendor. Within the ‘Rule’ field, it has the following options: 

Search by Cmd Line Parameters: Command Line Parameters are additional commands that can be inserted alongside an application to change the program's functionality. These parameters might be the same for multiple applications. This search allows you to view other applications that used the same command line parameters as another application or exclude those parameters from your search. The ‘Rule’ column allows you to choose from the following: 

Search by Computer Group: Searching by the computer group will search for all computers within the specified computer group. The ‘Rule’ field options are: 

Search by Created By Process: Searching by the Created By Process allows you to search for keywords that are associated with the process that created the application log. This search requires a keyword input and provides you with the following ‘Rule’ options: 

Search by Current Threat Level: Allows you to search by the threat level, which will be generated through alerts. The ‘Rule’ field provides you with the following options: 

Search by Data: The data field contains the maintenance mode ID that has been applied to the machine during that maintenance mode period. The ‘Rule’ field will have the following options: 

Search by Destination Domain: Searching by the Destination Domain will show you results containing a domain name that pertains to the keyword search parameters you enter. This search requires a keyword input and provides you with the following ‘Rule’ options: 

Search by Destination IP Address: Searching by the Destination IP will show you results containing the qualities of the IP address that was entered into the keyword section. This search requires a keyword input and provides you with the following ‘Rule’ options: 

Search by Destination Port: Searching by the Destination Port will show you all results related to the port number inserted into the keyword section. This search requires a keyword input and provides you with the following ‘Rule’ options: 

Search by Encryption Status: This can be used to verify whether the device is encrypted. The ‘Rule’ options are as follows: 

Search by Event Log Source Id: This allows you to search by the Event Log Source ID, which is generated by the Windows Event Viewer and used by ThreatLocker Detect to generate alerts. The 'Rule' field gives you the following options:

• Equals

• Not Equals

Search by File Size: Allows you to search by the file size of the file. File size is logged in ThreatLocker in bytes and can be viewed within the individual logs. The ‘Rule’ field for this search can be set to: 

Filter By: Selecting the Filter option will show you only results based on the option you select in the ‘Filter By’ dropdown. The ‘Rule’ section is permanently set to ‘Equals’ here, and the ‘Filter By’ options are:  

Search By Full Path: Searching by the Full Path will show you Full Paths that are related to the keyword you’ve inserted in this section. This search requires a keyword input and provides you with the following ‘Rule’ options: 

Search by Hash: An easy way to search for a specific file is to use the hash. You can copy the hash from an entry in the Unified Audit and paste it into the 'Hash'. All instances of that particular hash that were audited during your selected timeframe will be listed. For files less than 1MB, this is the MD5 hash of the file. For files over 1MB, the hash is based on a unique ThreatLocker algorithm. The ‘Rule’ field provides the following options: 

Search by Interface: You can search for activity on a specific interface by selecting your choice from the dropdown menu. The only ‘Rule’ options are 'Equals' and 'Not Equals'. The options for ‘Interface’ are:  

Search by Monitor Only: Used to determine if Application Control Monitor Only mode was enabled when the log was generated. If Monitor Only is ‘true’, this means it was enabled. The ‘Rule’ field allows for: 

Search by Network Direction: You can search for activity based on the network direction. The ‘Rule’ field is set to only 'Equals'. This also provides a dropdown with two options in the ‘Direction’ field: Outbound and Inbound. 

Search by Notes: Notes are generated automatically for some logs by ThreatLocker, indicating if the log was generated while the machine was in a maintenance mode. Some of the notes that might be generated are “learning mode” or “monitoring computer”. The ‘Rules’ field has the options of: 

Search by Parent Process Application Id: Allows you to search by the parent process’s application ID. The ‘Rules’ field has the options of: 

Search by Parent Process Certificate: You can search by the parent process’s certificate. The ‘Rules’ field has the options of: 

Search by Parent Process File Size: Allows you to search by the parent process’s file size. The ‘Rules’ field has the options of: 

Search by Parent Process SHA256: Allows you to search by the SHA256 of the parent process. The ‘Rules’ field has the options of: 

Search by Parent ProcessTLHash: Allows you to search by the ThreatLocker generated hash of the parent process. The ‘Rules’ field has the options of: 

Search by Policy Id: Each policy has a unique ID generated along with it. This allows you to search for the policy ID and find results of every time that policy was hit. The ‘Rules’ field has the options of: 

Search by Policy Name: If you want to see instances of a specific policy being matched, you can search by Policy Name. The following options are available within the ‘Rule’ field: 

Search by Process ID: The Process ID is a unique identifier assigned to each process running on an Operating System. As these numbers are unique to the process, they can be used to identify when the process was used to call an application. This requires a keyword entry, which will be the Process ID number. The ‘Rule’ options are Equals and Not Equals. 

Search by Process Path: You can also search by process. If you want to see everything that has been called by a specific process, you can place all or part of the name in the Advanced search field. The following options are available within the ‘Rule’ field: 

Search by Remote Presence: Searching by Remote Presence lets you see if the machine has ThreatLocker installed. If ThreatLocker is not detected, the Remote Presence will be 'false'. The following options are available for the 'Rule' category:

Search by Serial Number: You can also search for the activity of a specific device by searching by serial number. Place the serial number in the 'Serial Number' field and select search to see all activity involving that specific device. The following options are available for the ‘Rule’ category: 

Search by SHA256: SHA256 is another type of hashing algorithm that can be included with files alongside their unique ThreatLocker hash. The Sha256 can be located within individual logs of the Unified Audit and can be used to search for uses of that application. The following options are given for the ‘Rule’: 

Search by Source IP Address: The Source IP address is the IP address of where the initial request was made. This can be used to identify network activity related to IP addresses associated with specific hostnames. This requires a keyword, and the following options for ‘Rule’ are: 

Search by Source Port: This allows you to see what port was used at the source location of a log. The ‘Rule’ field contains the following options: 

Search by Transport Layer: This allows you to search by the Transport Layer Protocol that was used for this log. The ‘Rules’ field includes the following options: 

Search by Username: If you need to see the activities of a certain user, you can search by Username. Input all or part of the Username into the Advanced search box. The following options for ‘Rule’ are: 

Equals: Search results will equal exactly what you enter within the ‘Keyword’ field. 

Not Equals: Search results will omit results that include the keyword you entered. 

Starts With: Search results will populate based on the keyword appearing at the beginning of a result (i.e., entering ‘Notepad’ as a keyword would yield results permitted by the ‘Notepad++ (Built-In)’, as the keyword appears at the beginning of the Application Name). 

Ends With: Search results will populate based on the keyword appearing at the end of a result (i.e., entering ‘++ (Built-In)’ as a keyword would yield results permitted by the ‘Notepad++ (Built-In)’, as the keyword appears at the end of the Application Name) 

Contains: Search results will include the entire keyword entered. 

Not Contains: Search results will be for everything except for logs that contain the keyword entered.