(Unified Audit) - /portalAPI/ActionLog/*

Last update: 09.12.2025

This article covers all portalAPI calls related to the /portalAPI/ActionLog/* endpoints.


Be sure to input the instance your organization exists on for each call. This is indicated with the "INSTANCE" text in each endpoint. Linked here is a KB to find your instance:

Locating Your Organization's Instance | ThreatLocker Help Center


ActionLogGetByParametersV2

https://portalapi.INSTANCE.threatlocker.com/portalapi/ActionLog/ActionLogGetByParametersV2

  • Method: POST
  • Description: This API is used on the Unified Audit page when loading Unified Audit logs with the selected filtering. A separate article on using the Advanced Search options/filters will be released at a later date; this section will not cover these. To view Unified Audit logs from a different organization than the currently logged in/managed organization, utilize the managedOrganizationId header as described below. If you want more information on using the Unified Audit, please review the following article:

Using the ThreatLocker Unified Audit | ThreatLocker Help Center

  • Required Body/Parameters
    • Valid APIKey/Authorization Token in header
    • In header: "usenewsearch": set to true
    • Fields
      • endDate: This field specifies the date and time the Unified Audit search will end. This expects a time entered in UTC in the format "YYYY-MM-DDTHH:MM:SSZ", where YYYY is the year, the first MM is the month, DD is the day, HH are the hours, the second MM are the minutes, and SS are the seconds. The T must be included to designate the time and should not be changed or removed.
        • Expects end date and time in format: "YYYY-MM-DDTHH:MM:SSZ"
      • pageNumber and pageSize: These values determine how many Unified Audit logs are returned, and which page of them, as if the response were being shown on the Unified Audit page. However, they do not follow the same conventions as the pageNumber and pageSize values in the Portal (pageSize in the Portal is 100, 250, or 500). Any valid integer up to 10000 can be entered for pageSize, and results are returned in pages of that size. For instance, if there are 5 logs to be returned but "pageNumber": 1 and "pageSize": 2, 2 entries will be returned per page, and the first two logs will be shown.
        • Expects: An Integer value
      • paramsFieldsDto: This field is where all the Advanced Search options are utilized. The "Remove White Noise" filter, included by default when searching the Unified Audit in the ThreatLocker Portal, is listed below. This field is required to use this API. However, it can be empty/contain no filters, as shown in the required body below. All Advanced Search options will be listed in a separate KB article that will be created at a later date.
        • Expects: Any combination of filter objects, separated by a comma after each closing }
         
        {
          "name": "filter",
          "filterType": 1,
          "fieldType": 1,
          "value": "Remove White Noise",
          "label": "Filter",
          "dropdownLabel": "Remove White Noise",
          "isDropDown": true
        }
         
      • startDate: This field specifies the date and time the Unified Audit search will start. This expects a time entered in UTC in the format "YYYY-MM-DDTHH:MM:SSZ", where YYYY is the year, the first MM is the month, DD is the day, HH are the hours, the second MM are the minutes, and SS are the seconds. The T must be included to designate the time and should not be changed or removed.
        • Expects start date and time in format: "YYYY-MM-DDTHH:MM:SSZ"
    • Required body:
{
  "endDate": "YYYY-MM-DDTHH:MM:SSZ",
  "pageNumber": <Integer>,
  "pageSize": <Integer>,
  "paramsFieldsDto": [
  ],
  "startDate": "YYYY-MM-DDTHH:MM:SSZ"
}
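The required request above, as an added example that is not ThreatLocker's own code: it formats the search window as the UTC "YYYY-MM-DDTHH:MM:SSZ" strings the endpoint expects, validates pageNumber and pageSize against the stated limit, sets the usenewsearch header, and optionally the managedOrganizationId header. Two things are assumptions, not from the article: that the API key travels in an "Authorization" header, and the TL_API_KEY / TL_INSTANCE environment variable names used in the demo at the bottom.

```python
"""Added example (not ThreatLocker's code): build and send the minimal
ActionLogGetByParametersV2 request.

Assumptions not stated on the page: the API key is sent in an
"Authorization" header, and the response body is JSON.
"""
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone

# The "Remove White Noise" filter object exactly as the article lists it.
REMOVE_WHITE_NOISE = {
    "name": "filter",
    "filterType": 1,
    "fieldType": 1,
    "value": "Remove White Noise",
    "label": "Filter",
    "dropdownLabel": "Remove White Noise",
    "isDropDown": True,
}

MAX_PAGE_SIZE = 10000  # largest pageSize the endpoint accepts


def utc_stamp(moment):
    """Render an aware datetime as YYYY-MM-DDTHH:MM:SSZ in UTC.

    Naive datetimes are rejected: sending local time as UTC would silently
    shift the audit window by the host's offset.
    """
    if moment.tzinfo is None:
        raise ValueError("use a timezone-aware datetime")
    return moment.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def endpoint_url(instance):
    """Endpoint URL with the INSTANCE placeholder filled in."""
    return (f"https://portalapi.{instance}.threatlocker.com"
            "/portalapi/ActionLog/ActionLogGetByParametersV2")


def build_headers(api_key, managed_org_id=None):
    """Required headers, plus managedOrganizationId when querying another org."""
    headers = {
        "Authorization": api_key,  # header name is an assumption (see docstring)
        "usenewsearch": "true",
        "Content-Type": "application/json",
    }
    if managed_org_id is not None:
        headers["managedOrganizationId"] = managed_org_id
    return headers


def build_required_body(start, end, page_number=1, page_size=100, filters=None):
    """The required body: UTC window, paging values and paramsFieldsDto."""
    if end <= start:
        raise ValueError("endDate must be after startDate")
    if page_number < 1 or not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError("pageNumber must be >= 1 and pageSize in 1..10000")
    return {
        "endDate": utc_stamp(end),
        "pageNumber": page_number,
        "pageSize": page_size,
        "paramsFieldsDto": list(filters or []),  # [] is valid: no filters
        "startDate": utc_stamp(start),
    }


def fetch_audit_page(instance, api_key, body, managed_org_id=None,
                     opener=urllib.request.urlopen):
    """POST the body and decode the JSON reply; `opener` is injectable for tests."""
    request = urllib.request.Request(
        endpoint_url(instance),
        data=json.dumps(body).encode("utf-8"),
        headers=build_headers(api_key, managed_org_id),
        method="POST",
    )
    with opener(request) as response:
        return json.loads(response.read().decode("utf-8"))


if __name__ == "__main__":
    # Last 24 hours, first page of 100, white noise removed as the Portal does.
    now = datetime.now(timezone.utc)
    body = build_required_body(now - timedelta(hours=24), now,
                               filters=[REMOVE_WHITE_NOISE])
    print(json.dumps(body, indent=2))
    # Environment variable names are this example's own convention.
    if os.environ.get("TL_API_KEY") and os.environ.get("TL_INSTANCE"):
        logs = fetch_audit_page(os.environ["TL_INSTANCE"], os.environ["TL_API_KEY"], body)
        print(f"received {len(logs)} entries")
```

Passing aware datetimes and converting to UTC at the last moment is the point of utc_stamp: an audit query built from a local-time clock on a host in a non-UTC zone would otherwise search the wrong window, and the endpoint has no way to report that.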
  • Optional Body/Parameters
    • In header: "managedOrganizationId": <GUID> in format "00000000-0000-0000-0000-000000000000"
    • Fields
      • actionId: This field narrows the logs returned to a specific policy action. If nothing is entered (null) or this field is omitted entirely, all policy actions will be returned. This field expects the Integer associated with the policy action you want to narrow your search by to be entered:
        • Permit = 1
        • Deny = 2
        • Deny (Option to Request) = 3
        • Ringfenced = 6
        • Any Deny = 99
      • actionType: This field narrows the logs returned to a specific action type. If nothing is entered (null) or this field is omitted entirely, all action types will be returned. This field expects the exact text, matching case and spelling, of one of the following options to be entered: 
        Action Type Options
        • execute
        • install
        • network
        • registry
        • read
        • write
        • move
        • delete
        • baseline
        • powershell
        • elevate
        • configuration
        • dns
      • exportMode: In the ThreatLocker Portal, this field is used when clicking the "Export Results" button in the top right corner of the Unified Audit page, which exports all the Unified Audit logs to a CSV file. Through the API, this field prepares the Unified Audit logs for export to a CSV file. If nothing is entered (null), or this field is set to false or omitted entirely, the Unified Audit logs are returned as normal. When this field is set to true, all matching logs are returned at once instead of in pages controlled by the pageSize and pageNumber fields. When using this field, the API may respond more slowly than usual since it may be returning many logs.
        • Expects: true or false
      • fullPath: This field narrows the logs returned to an individual path or a range of paths. Any log whose file path, process path, or created by process path matches the entered value is returned. For example, if "*dropbox*" is entered, every log containing the text "dropbox" in one of those paths is returned. If nothing is entered (null) or this field is omitted entirely, all logs are returned. This field expects either a full or partial file path, a full or partial process path, or a full or partial created by process path.
        • Expects: Any text input with or without wildcards (*)
      • groupBys: This field allows grouping of the returned Unified Audit logs based on the options listed below. One or two options can be selected/entered. When using any group by option(s) in the ThreatLocker Portal, a new column called "Count" appears. This indicates the number of occurrences of a Unified Audit log that matches the current group by option(s) and is returned in the "groupByCount" field in the response. This field expects the Integer associated with the group by option(s) you want to use to be entered: 
        Group By Options
        • Action Type = 9
        • Activity = 77
        • Additional Policy = 63
        • Application Id = 7
        • Application Name = 8
        • Asset Name = 17
        • Certificates = 15
        • Cmd Line Parameters = 27
        • Computer Id = 65
        • Created By Process = 4
        • Current Threat Level = 42
        • Data = 21
        • Destination Domain = 45
        • Destination IP Address = 25
        • Destination Port = 19
        • Encryption Status = 29
        • Event Log Source Id = 23
        • Event Time = 66
        • Facility = 75
        • File Size = 13
        • Full Path = 10
        • Full Path With CmdLine = 80
        • Hash = 11
        • Interface = 14
        • Location = 69
        • Mac Address = 78
        • Monitor Only = 34
        • Network Direction = 24
        • Notes = 20
        • Packet Size = 79
        • Parent Process Application Id = 58
        • Parent Process Certificate = 49
        • Parent Process File Size = 48
        • Parent Process SHA256 = 47
        • Parent ProcessTLHash = 46
        • Policy Id = 5
        • Policy Name = 6
        • Priority = 74
        • Process ID = 3
        • Process Path = 2
        • Process Path With CmdLine = 81
        • Protocol = 57
        • Remote Presence = 22
        • Result Status = 68
        • Risk Score = 70
        • Risk State = 71
        • Serial Number = 37
        • Service = 73
        • Severity = 76
        • SHA256 = 12
        • Source = 72
        • Source IP Address = 16
        • Source Port = 18
        • Threat Type = 67
        • ThreatLocker Version = 64
        • Username = 1
      • hostname: This field narrows the logs returned to either an individual or a range of hostnames/computers. This field expects either a full or partial hostname with wildcards to be entered. Example: If "W-*" is entered into this field, any hostname that begins with "W-" will have its Unified Audit logs returned. If nothing is entered or this field is omitted entirely, the Unified Audit logs from all hostnames will be returned.
        • Expects: Any text input with or without wildcards (*)
      • onlyTrueDenies: This field narrows the logs returned to only those with a Deny or Ringfenced Policy Action that ThreatLocker deems a "true" (red) deny, meaning the action attempted on the computer was effectively denied. "Simulated" (green) denies will not be shown when setting this field to true, only "true" (red) denies. If this field is set to false or is omitted entirely, all logs will be returned. When using this field, the field actionId must be set to 99 to search for "Any Deny," and the body below must be inserted into the paramsFieldsDto field.
        • Expects: true or false
        {
          "fieldAttributeId": 34,
          "fieldType": 1,
          "filterType": 1,
          "name": "MonitorOnly",
          "value": "false"
        }
      • showTotalCount: This field displays the total number of Unified Audit logs and the total number of pages returned in the response headers when set to true. All fields discussed below are contained in the response headers, except for pageNumber and pageSize. If this field is set to false or is omitted entirely, neither total will be displayed. When this field is set to false or omitted and not all Unified Audit logs can be returned on the current pageNumber with the selected pageSize, the totalItems field will show the last log number + 1, and the totalPages field will show the current page number + 1. Example: There are 510 logs that are returned from the Unified Audit search. The pageNumber is 2 and the pageSize is 100. Unified Audit log number 101 (firstItem) through 200 (lastItem) will be shown, totalItems is 201, and totalPages is 3.
        • Expects: true or false
      • showChildOrganizations: This field determines whether the Unified Audit logs from direct child organizations will be returned. When set to true, Unified Audit logs from Devices in direct child organizations will be returned. When set to false, or if this field is omitted completely, just the Unified Audit logs from the currently managed organization will be returned. Typically, this will be the parent organization.
        • Expects: true or false
      • simulateDeny: This field narrows the logs returned based on only logs with a Deny or Ringfenced Policy Action and to what ThreatLocker deems a "simulated" (green) deny, meaning the action attempted on the computer was effectively permitted, but would have been denied if the computer was in a secured state. "True" (red) denies will not be shown when setting this field to true, only "simulated" (green) denies. When using this field, the field actionId must be set to 99 to search for "Any Deny," and the body below must be inserted into the paramsFieldsDto field. If this field is set to false or is omitted entirely, all logs will be returned.
        • Expects: true or false
        {
          "filterType": 1,
          "name": "filter",
          "value": "monitoronly"
        }
    • Optional body:
{
  "actionId": <Integer>,
  "actionType": "<String>",
  "endDate": "YYYY-MM-DDTHH:MM:SSZ",
  "exportMode": <Boolean>,
  "fullPath": "<String>",
  "groupBys": [<Integer>, <Integer>],
  "hostname": "<String>",
  "onlyTrueDenies": <Boolean>,
  "pageNumber": <Integer>,
  "pageSize": <Integer>,
  "paramsFieldsDto": [
  ],
  "showTotalCount": <Boolean>,
  "showChildOrganizations": <Boolean>,
  "simulateDeny": <Boolean>,
  "startDate": "YYYY-MM-DDTHH:MM:SSZ"
}
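The two deny-only searches (onlyTrueDenies and simulateDeny) and the showTotalCount paging described above, as an added example that is not ThreatLocker's own code. It builds the body each mode requires (actionId 99 plus the matching paramsFieldsDto entry), forces showTotalCount to true so the totalPages response header is the real page count rather than the "current page + 1" value returned when the flag is off, and walks every page through an injectable post function so the paging logic runs offline. Assumptions not stated in the article: the API key goes in an "Authorization" header, and the response body is a JSON array of log objects.

```python
"""Added example (not ThreatLocker's code): true-deny / simulated-deny
search bodies and a pager driven by the totalPages response header.

Assumptions not stated on the page: the response body is a JSON array of
log objects, and the API key is sent in an "Authorization" header.
"""
import json
import urllib.request

ANY_DENY = 99  # actionId both deny-only modes require

# paramsFieldsDto entries the article pairs with each mode.
TRUE_DENY_FILTER = {
    "fieldAttributeId": 34, "fieldType": 1, "filterType": 1,
    "name": "MonitorOnly", "value": "false",
}
SIMULATED_DENY_FILTER = {"filterType": 1, "name": "filter", "value": "monitoronly"}


def deny_search_body(start, end, mode, page_size=500, hostname=None):
    """Body for a true-deny or simulated-deny search; start/end are UTC strings."""
    body = {
        "actionId": ANY_DENY,
        "startDate": start,
        "endDate": end,
        "pageNumber": 1,
        "pageSize": page_size,
        "showTotalCount": True,  # accurate totalItems/totalPages headers
        "paramsFieldsDto": [],
    }
    if mode == "true":
        body["onlyTrueDenies"] = True
        body["paramsFieldsDto"].append(dict(TRUE_DENY_FILTER))
    elif mode == "simulated":
        body["simulateDeny"] = True
        body["paramsFieldsDto"].append(dict(SIMULATED_DENY_FILTER))
    else:
        raise ValueError("mode must be 'true' or 'simulated'")
    if hostname:
        body["hostname"] = hostname  # e.g. "W-*" for hostnames starting with W-
    return body


def header_int(headers, name, default):
    """Case-insensitive integer lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return int(value)
    return default


def iter_all_pages(post, body):
    """Yield every log for `body`, advancing pageNumber until totalPages.

    `post(body)` must return (response_headers, list_of_logs); it is injected
    so the paging logic can be exercised without network access. showTotalCount
    is forced on: with it off, totalPages is only "current page + 1".
    """
    body = dict(body, showTotalCount=True, pageNumber=1)
    while True:
        headers, items = post(body)
        yield from items
        if body["pageNumber"] >= header_int(headers, "totalPages", 1):
            return
        body = dict(body, pageNumber=body["pageNumber"] + 1)


def collect(post, body):
    """All logs for `body` as a list (convenience wrapper around iter_all_pages)."""
    return list(iter_all_pages(post, body))


def urllib_post(instance, api_key, managed_org_id=None):
    """Build a real `post` callable for iter_all_pages using urllib."""
    url = (f"https://portalapi.{instance}.threatlocker.com"
           "/portalapi/ActionLog/ActionLogGetByParametersV2")
    headers = {"Authorization": api_key,  # header name is an assumption
               "usenewsearch": "true",
               "Content-Type": "application/json"}
    if managed_org_id:
        headers["managedOrganizationId"] = managed_org_id

    def post(body):
        req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req) as resp:
            return dict(resp.headers.items()), json.loads(resp.read().decode("utf-8"))
    return post


if __name__ == "__main__":
    # Constructed window; swap in urllib_post(...) for a live run.
    body = deny_search_body("2025-12-08T00:00:00Z", "2025-12-09T00:00:00Z", "true",
                            page_size=500, hostname="W-*")
    print(json.dumps(body, indent=2))
```

Keeping the transport behind a `post(body)` callable is what makes the paging loop testable and also what makes it safe to put a rate limiter or retry around a single function later; the loop itself only ever reads pageNumber and the totalPages header.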
  • Permissions Needed for User
    • View Unified Audit