As of the 2.16.3 ThreatLocker Portal release, the Unified Audit allows you to select up to two Group By parameters when using the search features. To use this, first navigate to the Unified Audit from the left-hand side of the page.
The Group By dropdown is located at the top of the page.
Select it to view the list of all available Group By parameters. The list is as follows:
- Action Type
- Additional Policy
- Application Id
- Application Name
- Certificates
- Cmd Line Parameters
- Created By Process
- Current Threat Level
- Data
- Destination Domain
- Destination IP Address
- Destination Port
- Encryption Status
- Event Log Source Id
- File Size
- Full Path
- Hash
- Hostname
- Interface
- Monitor Only
- Network Direction
- Notes
- Parent Process Application Id
- Parent Process Certificate
- Parent Process File Size
- Parent Process SHA256
- Parent Process TLHash
- Policy Id
- Policy Name
- Process ID
- Process Path
- Remote Presence
- Serial Number
- SHA256
- Source IP Address
- Source Port
- Transport Layer
- Username
You can find a specific parameter using the search bar at the top of the dropdown list, or scroll through the list to see which ones are available.
The parameters you select determine how many results a search returns. When grouping by a single parameter, all logs that share the same value for that parameter are collapsed into one result (for example, grouping by Action Type yields one result for each distinct Action Type that appears in the Unified Audit during the selected time frame).
Adding a second Group By parameter surfaces more detail at once. Grouping by two different parameters displays one result for each combination of values that occurs within the selected time frame. In this example, the parameters are Action Type and Application Name. The resulting list contains at least one result per Action Type, plus an additional result each time a different Application Name appears under that Action Type.
Additionally, a new 'Count' column appears only when a Group By search has been run. It shows the number of logs that share the same values for the selected Group By parameters as the result in that row.
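To make the grouping and Count semantics concrete, here is an added example (not ThreatLocker's code) that reproduces the behaviour described above over a handful of constructed audit records. The field names are taken from the Group By list on this page; the sample records, the `group_by` function and the `totals_match` check are assumptions made for illustration. It also shows the check a practitioner would use to confirm the grouped view accounts for every log: the Count values of a Group By result always sum to the total number of logs in the time frame.

```python
from collections import Counter
from typing import Dict, List, Sequence

# Constructed sample Unified Audit records (not real ThreatLocker data).
# Only the fields needed for the example are included.
SAMPLE_LOGS: List[Dict[str, str]] = [
    {"Action Type": "Permit", "Application Name": "Microsoft Edge", "Hostname": "WS-01"},
    {"Action Type": "Permit", "Application Name": "Microsoft Edge", "Hostname": "WS-02"},
    {"Action Type": "Permit", "Application Name": "7-Zip", "Hostname": "WS-01"},
    {"Action Type": "Deny", "Application Name": "7-Zip", "Hostname": "WS-03"},
    {"Action Type": "Deny", "Application Name": "Unknown Installer", "Hostname": "WS-03"},
    {"Action Type": "Deny", "Application Name": "Unknown Installer", "Hostname": "WS-03"},
]


def group_by(logs: Sequence[Dict[str, str]], fields: Sequence[str]) -> List[Dict[str, object]]:
    """Collapse logs into one row per distinct combination of the chosen fields.

    Mirrors the portal's Group By: one or two parameters, and a 'Count' column
    holding the number of logs that share that row's values. Rows are ordered
    by descending Count, then by the grouped values, so the most frequent
    combination appears first.
    """
    if not 1 <= len(fields) <= 2:
        raise ValueError("the Unified Audit allows one or two Group By parameters")

    # The grouping key is the tuple of the selected field values; a missing
    # field is kept as None rather than dropped, so no log is silently lost.
    counts = Counter(tuple(log.get(f) for f in fields) for log in logs)

    rows: List[Dict[str, object]] = []
    for key, n in sorted(counts.items(), key=lambda kv: (-kv[1], tuple(str(v) for v in kv[0]))):
        row: Dict[str, object] = dict(zip(fields, key))
        row["Count"] = n
        rows.append(row)
    return rows


def totals_match(rows: Sequence[Dict[str, object]], logs: Sequence[Dict[str, str]]) -> bool:
    """Sanity check: the Count column must account for every log exactly once."""
    return sum(int(r["Count"]) for r in rows) == len(logs)


if __name__ == "__main__":
    # One parameter: one row per distinct Action Type.
    for row in group_by(SAMPLE_LOGS, ["Action Type"]):
        print(row)
    print("---")
    # Two parameters: one row per Action Type / Application Name combination.
    two = group_by(SAMPLE_LOGS, ["Action Type", "Application Name"])
    for row in two:
        print(row)
    print("all logs accounted for:", totals_match(two, SAMPLE_LOGS))
```

With the sample data, grouping by Action Type alone gives two rows (Deny and Permit, Count 3 each); adding Application Name splits those into four rows, and the Counts still add up to the six input logs.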