Using the ThreatLocker Unified Audit

6 min. read | Last update: 09.18.2023

The ThreatLocker Unified Audit is a central location where all audited information is displayed. 

When using ThreatLocker Application Control, information about executables, scripts, and libraries is recorded in near real-time. Information about these actions is searchable in the Unified Audit, including:

  1. All executables, libraries, and script files that were cataloged on your devices during the initial baseline, excluding Windows Core Files
  2. All executables, libraries, and script files executed in your environment, and files installed since installing the ThreatLocker agent. 

ThreatLocker Storage Control displays information about files that have been accessed, changed, or deleted on external storage, including USB drives, file shares, and the local drives where an explicit policy was created to monitor or control that folder.

Searching the ThreatLocker Unified Audit


You can use '*' as a wildcard in the text boxes when entering your search parameters. You can also prefix a term with '!' to mean "show all except". For example, to see all file paths except Windows files, put !*windows* in the Path box; the search then returns every result except those with "windows" in the path.

Filtering using search bar Parameters:

Search by Date: Select a start and end date for your search in the audit. The length of time you can search back is dependent on your organization's policies. By default, it is set to keep data for about a month. The search date will automatically be set for today's date, starting at midnight and ending at midnight. If you are researching an incident and you have a timeframe, you can narrow your search down by date and time to help filter out unneeded information. 

Search by Policy Action: 

  • Permit - This will show you items that were permitted.
  • Deny - This will show you items that were effectively denied, plus items that were effectively permitted only because the endpoint was in Learning Mode. In both cases it includes only items for which the end user does not have the option to request access.
  • Deny (Option to Request) - This will show items that were denied but the policy that denies them allows the user the option to request, meaning that this will only show denies that the end user was notified of.
  • Ringfenced - This will show you items that were Ringfenced, whether they were permitted or denied.  
  • Any deny - This will show you all items that were effectively denied. 

Search by Action Type:  

  • Execute - files that are executing
  • Install - files that are installing
  • Network - network activity
  • Registry - registry changes
  • Read - files that are being accessed in areas monitored by storage
  • Write - files that are being saved in areas monitored by storage
  • Move - files that are being moved in areas monitored by storage
  • Delete - files that are being deleted in areas monitored by storage
  • Baseline - files that are profiled during the initial baselining of a machine
  • PowerShell - PowerShell activity
  • Elevation - files that a user attempted to run with elevated permissions, whether or not the policy actually elevated them.
  • New Process - New processes. By expanding an entry, you can see what called this new process.  
  • Configuration - When filtering by Configuration, you'll see configuration manager actions. This includes a policy that has been turned on or off, and configurations that have been modified or fixed.  
  • OS Event Log 

Group By:

  • Path
  • Hash
  • Cert
  • Hostname
  • Username
  • Process  
  • Source IP 

Search by Hostname: To see activity on a specific computer, type the hostname, or part of it with wildcards, into this search box to filter your results to activity that occurred on that computer.

Filtering using Advanced Search Parameters:

Search by Details/Path: Search by path to find a specific file. Use wildcards if you don't know the exact path, if the file you are looking for exists in multiple paths, or if you want to view all files of a specific type (e.g. *.txt or *.msi).

Search by Username: To see the activities of a particular user, search by Username. Users must be searched in the form domain/username; the exact value can be found by expanding a Unified Audit entry. If the domain isn't known, or the user may log in on multiple domains, put a wildcard in front of the username.

Search by Process: To see everything that has been called by a specific process, enter all or part of the process name in this search box, using wildcards as needed. For example, *quick* returns all files that were called by QuickBooks.

Search by Certificate: To see all activity from a single vendor, enter all or part of the name of the company that signed the file, using wildcards, in the 'Certificate' field. Only items signed by that vendor are returned.

Search by Policy Name: To see instances of a specific policy being matched, search by Policy Name. You can use '*' as a wildcard when entering the policy name. For example, you could search for all items that hit the Deny USB Policy.

Search by Hash/Source: By searching by hash, all instances of that particular hash that were audited during your selected timeframe will be listed. For files less than 1MB, this is the MD5 hash of the file. For files over 1MB, this is a hash based on a unique ThreatLocker algorithm. 

Search by Serial Number: Place the serial number in the 'Serial Number' field and click search to see all activity involving that specific device.

Search by Interface:

  • USB
  • UNC
  • SATA
  • SAS
  • DVD
  • SCSI

Filter By:

  • Computers installed over 4 days ago
  • Computers installed over 7 days ago
  • Remove White Noise, which filters out denies that are well-known white noise, to help streamline the audit results into more useful information.
  • Computers in Monitor Only 
  • Computers in Secured Mode 

Explanation of the 'Rule' Dropdown Menu 

Depending on the search field parameters, the rule dropdown menu options will change. Selections can include: 

  • Equals
  • Not Equals
  • Starts With
  • Ends With
  • Contains
  • Not Contains  
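To make the text-box syntax described above ('*' as a wildcard, a leading '!' for "show all except") and the 'Rule' dropdown options concrete, here is a small filter evaluator run over constructed audit rows. This is an added example written for this article, not ThreatLocker code, and it does not reproduce the product's actual query engine: the field names, the case-insensitive matching, and the assumption that separate search boxes are combined with AND are all assumptions of the example.

```python
import re

# Constructed sample audit rows, not real ThreatLocker data. The field names
# ("path", "hostname", "process", "action") are assumptions for this example.
SAMPLE_ROWS = [
    {"path": r"C:\Windows\System32\svchost.exe", "hostname": "WS-01",
     "process": "services.exe", "action": "Execute"},
    {"path": r"C:\Users\jdoe\Downloads\setup.msi", "hostname": "WS-01",
     "process": "explorer.exe", "action": "Install"},
    {"path": r"C:\Program Files\Intuit\QuickBooks\QBW.EXE", "hostname": "WS-02",
     "process": "explorer.exe", "action": "Execute"},
    {"path": r"E:\invoices\report.txt", "hostname": "WS-02",
     "process": "QBW.EXE", "action": "Write"},
]


def glob_match(pattern, value):
    """Match 'value' against a text-box pattern in which only '*' is a wildcard.

    Everything other than '*' is literal, so '.' and '\\' in paths need no escaping.
    Matching is case-insensitive (an assumption; Windows paths are case-insensitive).
    A pattern without '*' must match the whole value exactly.
    """
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def text_match(pattern, value):
    """Text-box semantics from the article: '*' wildcards, and a leading '!' means
    "show all except". '!*windows*' therefore keeps every row whose path does not
    contain 'windows'."""
    if pattern.startswith("!"):
        return not glob_match(pattern[1:], value)
    return glob_match(pattern, value)


# The 'Rule' dropdown options, applied case-insensitively (assumption).
RULES = {
    "Equals": lambda v, t: v == t,
    "Not Equals": lambda v, t: v != t,
    "Starts With": lambda v, t: v.startswith(t),
    "Ends With": lambda v, t: v.endswith(t),
    "Contains": lambda v, t: t in v,
    "Not Contains": lambda v, t: t not in v,
}


def rule_match(rule, value, term):
    """Apply one 'Rule' dropdown option to a field value."""
    return RULES[rule](value.lower(), term.lower())


def filter_rows(rows, text_filters=(), rule_filters=()):
    """Keep rows satisfying every filter (boxes are ANDed together; an assumption).

    text_filters: (field, pattern) pairs using the '*' / '!' text-box syntax.
    rule_filters: (field, rule, term) triples using the 'Rule' dropdown options.
    """
    kept = []
    for row in rows:
        text_ok = all(text_match(p, row[f]) for f, p in text_filters)
        rule_ok = all(rule_match(r, row[f], t) for f, r, t in rule_filters)
        if text_ok and rule_ok:
            kept.append(row)
    return kept


if __name__ == "__main__":
    # Everything except Windows files, as in the article's '!*windows*' example.
    for row in filter_rows(SAMPLE_ROWS, text_filters=[("path", "!*windows*")]):
        print(row["hostname"], row["path"])
    # All .txt files touched on WS-02, combining a wildcard box with a rule.
    for row in filter_rows(SAMPLE_ROWS,
                           text_filters=[("path", "*.txt")],
                           rule_filters=[("hostname", "Equals", "WS-02")]):
        print(row["hostname"], row["path"])
```

Because only '*' is treated as a wildcard, a search term such as setup.msi with no wildcard matches nothing unless the whole path is exactly that string, which is why the article recommends wildcards whenever the full path is not known.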

Save Search Parameters

Once you have completed your search fields and advanced search fields, you can click the 'Search' button to display results. You also have the option of saving your selected search parameters for future use.


To save your search parameters once your search is complete, click the 'Saved Search' icon and a small popup window appears. Click the plus icon, enter a name for your search parameters, and click 'Save Current Search'.

For future searches, you will only have to click on the 'Saved Searches' button and you will find your saved search parameters listed in the 'Saved Searches' popup window.
