This article provides several example schemas for the Call REST API policy action in ThreatLocker Detect when sending events to Microsoft Sentinel. For the complete list of available variables, see the following article:
Definitions of ThreatLocker Detect Variables | ThreatLocker Help Center
The following example is a basic schema that was used during testing:
[{"TimeGenerated":"2025-06-10T13:37:00Z","fullPath":"%FullPath%","policyId":"%PolicyId%","user":"%Username%","hash":"%TLHash%","processPath":"%ProcessPath%","applicationId":"%ApplicationId%","deviceSN":"%DeviceSerialNumber%","deviceType":"%DeviceType%","actionType":"%ActionType%","fileSize":"%FileSize%","processid":"%ProcessID%","ringfenced":"%Ringfenced%","policyName":"%PolicyName%","applicationName":"%ApplicationName%","encryptionStatus":"%EncryptionStatus%","hostname":"%Hostname%","monitorOnly":"%MonitorOnly%","notes":"%Notes%","sha256":"%SHA256%","createdByProcess":"%CreatedByProcess%","eventLogDescription":"%EventLogDescription%","effective_action":"%EffectiveAction%","policy_action":"%PolicyAction%","organization_id":"%Organization%","computer_id":"%ComputerId%"}]
The sample JSON used to create the custom table must use Microsoft's recommended datetime format, YYYY-MM-DDThh:mm:ssZ, for the TimeGenerated column, because Azure validates the sample when the table schema is created. In a ThreatLocker Detect policy, %DateTime% can be passed into the TimeGenerated variable, but within Microsoft Azure a template containing %DateTime% fails at table creation: the placeholder is not a parsable datetime. Use a literal value in that format (as in the example above) when uploading the template, and keep every other column as its %Variable% placeholder.
Within the ThreatLocker Detect policy creation page, using %DateTime% in TimeGenerated works without failing, because the variable is substituted with the event's timestamp when the request is sent.
The following KQL queries can be used to parse the Microsoft Sentinel data. Replace ThreatLocker_Detect_CL with the custom table name where logs are being ingested in the log analytics workspace.
- Filter out test results (rows written while testing the policy, where the placeholder was never substituted):
  ThreatLocker_Detect_CL | where fullPath != "%FullPath%"
- Show all denied actions:
  ThreatLocker_Detect_CL | where effective_action has_any ('Denied')
- Show all Ringfenced actions:
  ThreatLocker_Detect_CL | where policy_action has_any ('RingFenced')
Note that has_any matches case-insensitively, so 'RingFenced' also matches a value stored as 'Ringfenced'; == is case-sensitive.
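The following Python script is an added example, not ThreatLocker's or Microsoft's code, that checks a template before it is used in the two places discussed above: it rejects a table-creation sample whose TimeGenerated is a %DateTime% placeholder rather than a YYYY-MM-DDThh:mm:ssZ literal, derives the table-creation sample from the policy template, simulates the placeholder substitution Detect performs at send time, and flags rows that still carry raw placeholders, which is what the `fullPath != "%FullPath%"` query above filters out. The template, variable values and the way substitution is modelled are assumptions constructed for the example.

```python
"""Schema-template checks for the Detect -> Sentinel integration.

Added example, not ThreatLocker's or Microsoft's code. Assumptions: a template
is a JSON array holding one object whose values are string literals or
%Variable% placeholders; the table-creation sample needs a literal
TimeGenerated in YYYY-MM-DDThh:mm:ssZ form; at send time Detect replaces each
placeholder with the event's value. Templates and values are constructed.
"""
from __future__ import annotations

import json
import re
from datetime import datetime

PLACEHOLDER = re.compile(r"%[A-Za-z0-9_]+%")
TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # YYYY-MM-DDThh:mm:ssZ

# Constructed policy template: a subset of the article's basic schema, with
# %DateTime% in TimeGenerated as a Detect policy would use it.
POLICY_TEMPLATE = (
    '[{"TimeGenerated":"%DateTime%","fullPath":"%FullPath%",'
    '"user":"%Username%","effective_action":"%EffectiveAction%"}]'
)

# Constructed event values standing in for what Detect fills in at send time.
SAMPLE_VARS = {
    "DateTime": "2025-06-10T13:37:00Z",
    "FullPath": "C:\\Tools\\example.exe",
    "Username": "CORP\\alice",
    "EffectiveAction": "Denied",
}


def validate_table_sample(template: str) -> list[str]:
    """Problems that would stop this JSON being accepted as the sample when
    the custom table is created. An empty list means it is usable."""
    problems: list[str] = []
    try:
        data = json.loads(template)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not (isinstance(data, list) and len(data) == 1 and isinstance(data[0], dict)):
        return ["template must be a JSON array containing exactly one object"]
    tg = data[0].get("TimeGenerated")
    if tg is None:
        problems.append("TimeGenerated column is missing")
    elif isinstance(tg, str) and PLACEHOLDER.fullmatch(tg):
        # The failure the article describes: a placeholder is not a datetime.
        problems.append(f"TimeGenerated is a placeholder ({tg}), not a datetime literal")
    else:
        try:
            datetime.strptime(str(tg), TIME_FORMAT)
        except ValueError:
            problems.append(f"TimeGenerated {tg!r} is not in YYYY-MM-DDThh:mm:ssZ form")
    return problems


def table_sample_from_policy(policy_template: str, sample_time: str) -> str:
    """Derive the table-creation sample from the policy template by swapping
    the %DateTime% placeholder for a literal timestamp. All other columns keep
    their placeholders, which the sample presents as plain string values."""
    event = json.loads(policy_template)[0]
    if event.get("TimeGenerated") == "%DateTime%":
        event["TimeGenerated"] = sample_time
    return json.dumps([event], separators=(",", ":"))


def render_event(template: str, variables: dict[str, str]) -> dict[str, str]:
    """Simulate substitution at send time. Placeholders with no value are left
    untouched, which is what test-result rows in Sentinel look like."""
    event = json.loads(template)[0]
    return {
        key: (PLACEHOLDER.sub(lambda m: variables.get(m.group(0)[1:-1], m.group(0)), value)
              if isinstance(value, str) else value)
        for key, value in event.items()
    }


def unsubstituted(event: dict[str, str]) -> list[str]:
    """Columns still holding a raw placeholder; the KQL filter
    `where fullPath != "%FullPath%"` drops rows like this."""
    return [k for k, v in event.items() if isinstance(v, str) and PLACEHOLDER.fullmatch(v)]


if __name__ == "__main__":
    print(validate_table_sample(POLICY_TEMPLATE))
    sample = table_sample_from_policy(POLICY_TEMPLATE, "2025-06-10T13:37:00Z")
    print(validate_table_sample(sample))  # []
    print(unsubstituted(render_event(POLICY_TEMPLATE, SAMPLE_VARS)))  # []
    print(unsubstituted(render_event(POLICY_TEMPLATE, {"DateTime": "2025-06-10T13:37:00Z"})))
```

Keeping one policy template and deriving the table-creation sample from it, rather than maintaining two copies by hand, avoids the two drifting apart; the only difference between them should be the TimeGenerated literal.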
Not all fields are necessary for every event. The following examples provide a more tailored list of schemas catering to specific events.
- The schema for a network event:
  [{"TimeGenerated":"2025-04-10T13:37:00Z","ActionType":"%ActionType%","ComputerId":"%ComputerId%","DestinationIPAddress":"%DestinationIPAddress%","DestinationPort":"%DestinationPort%","DetectPolicyName":"%DetectPolicyName%","EffectiveAction":"%EffectiveAction%","Hostname":"%Hostname%","NetworkDirection":"%NetworkDirection%","PolicyAction":"%PolicyAction%","PolicyId":"%PolicyId%","PolicyName":"%PolicyName%","ProcessID":"%ProcessID%","ProcessPath":"%ProcessPath%","Ringfenced":"%Ringfenced%","SourceIPAddress":"%SourceIPAddress%","TransportLayer":"%TransportLayer%","Username":"%Username%"}]
- Show network activity on a specific port with a KQL query (assuming the network schema is ingested into a table named TL_Network_CL). The template declares DestinationPort as a string, so the port is compared as a quoted string rather than a number:
  TL_Network_CL | where DestinationPort == "88"
- The schema for a storage event:
  [{"TimeGenerated":"2025-06-10T18:14:24Z","user":"%Username%","policyId":"%PolicyId%","policyName":"%PolicyName%","actionType":"%ActionType%","fullPath":"%FullPath%","fileSize":"%FileSize%","processPath":"%ProcessPath%","deviceSN":"%DeviceSerialNumber%","deviceType":"%DeviceType%","processid":"%ProcessID%","ringfenced":"%Ringfenced%","effective_action":"%EffectiveAction%","ParentProcessFileSize":"%ParentProcessFileSize%","ParentProcessSHA256":"%ParentProcessSHA256%","ParentProcessTLHash":"%ParentProcessTLHash%","ParentProcessCertificate":"%ParentProcessCertificate%"}]
- Show storage events involving a USB device with a KQL query (assuming the storage schema is ingested into a table named TL_Storage_CL). == is case-sensitive; use =~ if the stored value's casing is uncertain:
  TL_Storage_CL | where deviceType == "USB"