The ThreatLocker Unified Audit is a central location where all audited information is displayed.
When you use ThreatLocker Application Control, information about executables, scripts, and libraries is recorded in near real time. Information about these actions is searchable in the Unified Audit, including:
- All executables, libraries, and script files that were cataloged on your devices during the initial baseline, excluding Windows Core Files.
- All executables, libraries, and script files executed in your environment, and all files installed, since the ThreatLocker agent was installed.
ThreatLocker Storage Control and Ringfencing display information about files that have been accessed, changed, or deleted on external storage, including USB drives, file shares, local drives where an explicit policy was created to monitor or control a folder, and, with the addition of the SharePoint Connector, file activity for all mapped sites.
ThreatLocker Network Control and Ringfencing display information about network activity, such as inbound and outbound network traffic.
ThreatLocker Web Control shows information about the websites that users on ThreatLocker-protected devices access.
ThreatLocker Configuration Manager will show you information about changes made to your endpoints as a result of a Configuration Manager policy.
Elevation Control will show you information about when users use or attempt to use elevated permissions to access an application.
In this article, we will discuss all additional features of the Unified Audit.
Searching the ThreatLocker Unified Audit
The Unified Audit provides several filters for a more granular search. It can be accessed by selecting ‘Unified Audit’ from the left-hand menu in the ThreatLocker portal.
The Unified Audit offers several ways to search for logs. The page automatically populates the Start Date and End Date filters with the current date, starting at 12:00 AM and ending at 11:59 PM. The other filter fields are as follows:
Unified Audit Search Fields
- Action
  - Permit
  - Deny
  - Deny (Option to Request)
  - Ringfenced
  - Any Deny
- Action Type
  - Execute
  - Install
  - Network
  - Registry
  - Read
  - Write
  - Move
  - Delete
  - Baseline
  - PowerShell
  - Elevate
  - New Process
  - Configuration
  - DNS
- Group By
  - Action Type
  - Additional Policy
  - Application Id
  - Application Name
  - Asset Name
  - Certificates
  - Cmd Line Parameters
  - Computer Id
  - Created By Process
  - Current Threat Level
  - Data
  - Destination Domain
  - Destination IP Address
  - Destination Port
  - Encryption Status
  - Event Log Source Id
  - File Size
  - Full Path
  - Hash
  - Interface
  - Monitor Only
  - Network Direction
  - Notes
  - Parent Process Application Id
  - Parent Process Certificate
  - Parent Process File Size
  - Parent Process SHA256
  - Parent Process TLHash
  - Policy Id
  - Policy Name
  - Process ID
  - Process Path
  - Remote Presence
  - Serial Number
  - SHA256
  - Source IP Address
  - Source Port
  - ThreatLocker Version
  - Transport Layer
  - Username
- Asset Name
- Search
- Advanced Search
Combining these filters will allow you to complete a granular search for logs found within your Unified Audit.
You can also utilize the ‘Saved Searches’ button to save previous searches you have made for ease of access.
For more questions regarding how to use the Unified Audit’s search and filter features, please consult the following article:
The Unified Audit Side Panel
The Unified Audit allows users to select and review each generated log. Selecting a log opens a side panel that provides in-depth information about it. The contents and interactive elements of the side panel depend on the log's Action Type. As we discuss the various Action Types that can appear in the Unified Audit, we will cover their different features.
Copy Link Button
The Unified Audit includes a 'Copy Link' button at the top of every log's side panel. This lets you quickly generate a link that will bring you directly to the log you have selected.
Actionable Buttons
Most logs generated in the Unified Audit have actionable buttons at the top of the side panel. These buttons give you quick ways to act on the files you see while examining your Unified Audit. The following buttons might appear within a log:
- Permit Application: The ‘Permit Application’ button lets you open the Permit Application window from the Unified Audit. The window will populate all the information you would receive if this log entry appeared in the Response Center as an Approval Request. This allows you to create a permit or permit with Ringfence™ policy, with or without elevation, for this application. You cannot create deny policies using this button.
- Deny Application: The ‘Deny Application’ button works similarly to the ‘Permit Application’ button, except this time you are creating a deny policy for the file associated with the log you have selected. Selecting this button opens a window like the Permit Application window, but you cannot create a permit or permit with Ringfence™ policy, and you cannot set Elevation for this application. This window shows you information about the file you have chosen and allows you to create a permanent deny policy for the computer, group, or organization.
- Add to Application: The ‘Add to Application’ button allows you to search through your list of existing custom applications and select the application to which the selected file should be added. Once the custom application has been selected, you will be brought to the ‘Application Files’ tab of the custom application’s page. You must then use the ‘Condition’ dropdown to select the values you want to add to this application. This is particularly useful if you want to make a custom rule using the information provided by a log.
- Check Virus Total: The ‘Check Virus Total’ button opens the VirusTotal page for the selected file. This is done by searching VirusTotal for the file's SHA256 or the IP address. The results allow you to evaluate whether any security vendor has ever reported this hash as malicious.
- Create Network Policy: The ‘Create Network Policy’ button opens a page for you to create a new Network Policy based on your selected log. Depending on the log, the ‘Create Network Policy’ side panel is automatically populated with the IPv4 or IPv6 address and the port number. This page appears the same as when creating a new Network Control policy from the ‘Network Control’ module, including permitting, denying, and/or setting a policy expiration or policy schedule.
- Add Web Control Policy: If a user visits a website that does not match an existing Web Control Policy, the ‘Add Web Control Policy’ button will be available. Selecting this button opens the ‘Create Web Control Policy’ page, automatically populated with the domain name as the policy name and the domain in the conditions section, so you can create a Web Control policy using the information provided by the selected log. This page appears the same as when creating a new Web Control policy from the ‘Web Control’ module.
- Add Storage Device: The ‘Add Storage Device’ button allows you to create a new storage device based on your selected log. It automatically populates the device’s Serial Number within the provided field. This area provides all the same fields you would see when creating a Storage Device from the ‘Storage Control’ module. Note: Only external storage devices can be added.
- Permit Elevation: This button appears only for Elevate Action Types. It acts similarly to the 'Permit Application' button, allowing you to create a new policy for the log you choose. The only difference is that 'Elevate' will automatically be selected when the Permit Elevation window is opened.
Tabs
The Unified Audit also provides users with two tabs to switch between. The side panel opens to the ‘Audit Details’ tab by default.
Audit Details
This tab provides all the information the ThreatLocker agent receives about your chosen log. The ‘Audit Details’ tab can be divided into sections depending on the log's Action Type. These are the possible sections that can be shown in the 'Audit Details' tab:
- Computer & User: This provides information about the organization the machine is from, the asset name, and the username. The organization name can be selected to open the 'Edit Organization Settings' side panel, and the asset name can be selected to open the 'Computer Details' page.
- Action & Policy: This shows the log's Action Type, the date and time it was generated, the policy that was used to permit or deny it (if applicable), the policy action (permit or deny), and the effective action (permitted or denied, if applicable). The policy name can be selected if a policy is provided, bringing you to the 'Edit Application Policy' side panel. The button to the right of the 'Date/Time' section opens a new page in the Unified Audit showing all the logs within 20 minutes of this log being generated: the start date is set 10 minutes before the selected log was generated, and the end date is set 10 minutes after. The asset name associated with the log is also populated into the asset name field on the new page.
- Application & File: Shows all the information that can be gathered about the file, depending on what is provided. This can include:
  - Application Name
  - Full Path
  - Process Path
  - Hash
  - SHA256
  - Created By Process
  - Notes
  This section also allows you to upload a copy of the file for review if the computer or agent is online. To do so, select the 'Upload File' button.
  Note: This feature is only available if the log has an Execute or Install Action Type.
Lastly, the ‘More Details’ menu can be expanded to reveal additional information about your selected log. Select the dropdown arrow to view it. The following details can appear within the ‘More Details’ dropdown:
- Username
- Process Path
- Process ID
- Created By Process
- Policy Id
- Policy Name
- Application Id
- Application Name
- Action Type
- Full Path
- Hash
- SHA256
- File Size
- Interface
- Certificates
- Source IP Address
- Asset Name
- Source Port
- Destination Port
- Notes
- Data
- Remote Presence
- Network Direction
- Destination IP Address
- Cmd Line Parameters
- Encryption Status
- Monitor Only
- Serial Number
- Destination Domain
- Parent Process TLHash
- Parent Process SHA256
- Parent Process File Size
- Parent Process Certificate
- Transport Layer
- Parent Process Application Id
- Additional Policy
- ThreatLocker Version
- Computer Id
- Organization Id
- Additional Details: The 'Additional Details' section can provide more information about the machine and the file you have selected. The following information can be displayed in the 'Additional Details' section:
  - Device Type
  - Serial Number
  - Transport Layer
  - Encryption Status
  - File Size
  - Permitted Condition (if the machine was in a maintenance mode)
  - Option to Request (Denies Only)
  - Certificate (displayed in green if the certificate is verified and red if it is unverified)
  - Remote Presence
- Network: The Network section only appears for logs with the 'Network' Action Type. This section shows details of the network traffic, such as the destination or source IP address, the domain name, and whether the traffic is outbound or inbound. It also shows the process path of the process that generated the network activity. This section also contains a 'More Details' dropdown, similar to the one in the 'Application & File' section.
File History
The 'File History' tab is also available for some Action Types within the side panel. This tab shows the history of the file and how it has interacted with that machine. You can see whether the file has ever been permitted before in the environment, along with the application name that was used to permit it and other information such as hash, full path, process path, created by, and certificate. You can also see whether this file has been denied, along with additional information such as the Action Type and user.
The 'File History' tab is helpful if you are trying to view applications related to the log. It can also help you determine whether other files like it can be permitted within your environment.
Variations of Audit Logs
The Unified Audit and its side panels are here to help you view information relating to user interactions on machines in your organization. Depending on the Action Type, the appearance of the side panels and the information you can view will be different. This section will cover all Action Types and their potential appearance within the Unified Audit.
The Unified Audit During Baselining
When the ThreatLocker agent is first installed onto a user’s machine, it begins baselining. Baseline is an automatic learning period in which ThreatLocker searches for driver files that are unique to that machine. If a driver on the machine is not covered by the ThreatLocker Windows Core Files (Built-In), this driver will be learned into a $hostname/Drivers or $hostname/Windows application. This ensures that all applications the computer requires to operate will be learned and permitted for the machine.
Baseline and Application Control Learning Mode do not profile the Documents folder, Downloads folder, Desktop folder, Users folders, or files at the root of C:\ UNLESS ThreatLocker is able to match them to an existing application name.
When a computer is Baselining, logs with the Action Type of ‘Baseline’ will be generated.
You will notice that all the logs with a Baseline Action Type come from the username ‘THREATLOCKER’ as ThreatLocker learns and interacts with your machine.
Baseline times vary for each machine but can usually be completed in 1-2 hours. Once Baseline has finished, a log with the details “baseline complete” will appear.
Selecting one of the logs created by Baseline will open a side panel with information about that log.
The actionable buttons at the top of the side panel for Baseline Action Types are:
- Permit Application
- Deny Application
- Add To Application
You can also navigate between the ‘Audit Details’ and ‘File History’ tabs on this page.
Selecting the ‘File History’ tab will show you a list of cases in which the file you selected has been permitted or denied within your organization.
The Audit Details tab will provide you with the following sections for the Baseline Action Type:
- Computer & User
- Action & Policy
- Application & File
  - The Baseline Action Type does not permit uploading the file, so the 'Upload File' button will not be available here.
- Additional Details
The Baseline Action Type will appear if a Baseline is in progress, which is done once the ThreatLocker agent is installed, or if 'Rescan Baseline' is initiated on the 'Devices' page.
The Execute Action Type
The Execute Action Type is one of the most common Action Types in your Unified Audit. A log is generated with this Action Type every time a user executes or attempts to execute a file on the machine. This can be done by a user or the system.
Viewing this Action Type regularly will allow you to see what applications users in your organization use. This Action Type is also what triggers an application request, enabling the user to request access to an application if the 'Option to Request' is enabled.
Logs for the Execute Action Type can be from various users on the system, depending on who is logged in. When selecting a log with this Action Type, the side panel will provide you with the following actionable buttons:
- Permit Application
- Deny Application
- Add To Application
- Check Virus Total
The side panel will also give you both tab options of 'Audit Details' and 'File History'. The 'Audit Details' tab provides you with the following sections:
- Computer & User
- Action & Policy
- Application & File
  - The Execute Action Type includes the 'Upload File' button in this section.
- Additional Details
The Execute Action Type can be used to observe files that have been executed, or that users attempted to execute, within your organization.
The Install Action Type
The Install Action Type is another common Action Type found within the Unified Audit. Logs with this Action Type will be generated whenever a file is installed on the machine. This Action Type can appear for multiple usernames, depending on whether it was a user or the system installing the application. This Action Type appears very similar to Execute.
Opening a log with the Install Action Type shows you the following actionable buttons:
- Permit Application
- Deny Application
- Add To Application
- Check Virus Total
The side panel will provide the 'Audit Details' and 'File History' tabs. The 'Audit Details' tab shows you all of the following sections:
- Computer & User
- Action & Policy
- Application & File
  - The Install Action Type includes the 'Upload File' button in this section.
- Additional Details
Searching for logs with the Install Action Type can help you view what users are installing onto their machines. It is particularly useful in allowing you to see which applications might also require custom rules. For help with creating custom rules, please refer to the following article:
Creating Custom Rules | ThreatLocker Help Center
The Network Action Type
Logs with the Network Action Type appear when network traffic is generated. This Action Type monitors inbound and outbound traffic, whether it is the user browsing the web, remote access connections, etc. Network logs in the Unified Audit show which user created the log alongside the domain name (if applicable), IP address, and port number.
The side panel for a Network Action Type will have the following actionable buttons:
- Create Network Policy
- Add Web Control Policy
  - This button will only be available if:
    - The Web Control module is enabled for the organization
    - The log you have selected does not match an existing Web Control policy
- Check Virus Total
Only the 'Audit Details' tab is visible for network logs. 'File History' does not account for network traffic, so it is not necessary here. The 'Audit Details' tab provides you with the following sections:
- Computer & User
- Action & Policy
- Network
  - No 'Upload File' button is available here, as no file is provided.
- Additional Details
Logs of the Network Action Type are useful in viewing network activity from machines in your organization. You can see what sites your users are viewing or attempts at remote access connectivity, which is useful in creating a secure environment alongside the use of Network and Web Control policies.
The Registry Action Type
The Registry Action Type appears in your Unified Audit whenever changes to the Windows Registry are made or attempted. This can be used to view if applications are installed within your organization, if users are trying to make changes to your Registry, and what changes they are making. As this is largely used for viewing the logs, there are no actionable buttons in this side panel. There is no 'File History' tab either; only the 'Audit Details' tab will be visible. The sections provided for the 'Audit Details' tab are:
- Computer & User
- Action & Policy
- Application & File
  - No 'Upload File' button is available here, as no file is provided.
- Additional Details
This Action Type helps verify Registry activity that is happening on your machines.
The Read, Write, Move, and Delete Action Types
The Read, Write, Move, and Delete Action Types relate to Storage Control. These Action Types reflect when a user takes a specific action on a file. These Action Types mean the following if the action is permitted:
- Read: This Action Type will appear whenever a user or application views a file.
- Write: This Action Type will appear whenever a user or application writes or changes a file.
- Move: This Action Type will appear whenever a user or application moves a file to another location.
- Delete: This Action Type will appear whenever a user or application deletes a file.
These Action Types all appear the same in the portal because they are related to similar activities. The only actionable button at the top of the side panel is 'Add Storage Device'.
The 'Audit Details' tab is also the only tab that will appear. The 'Audit Details' tab will include the following sections:
- Computer & User
- Action & Policy
- Application & File
  - No 'Upload File' button is available here, as no file is provided.
- Additional Details
Searching for logs with these Action Types can help you see which files your users interact with. This can also inform you of what applications are interacting with files on your system.
The PowerShell Action Type
Generating logs for the PowerShell Action Type requires enabling the option 'MonitorPowerShell' within your organization. This option will allow logs to be created for any PowerShell actions taken on machines in your organization. These logs are purely informational, allowing you to see if any PowerShell processes should not be happening within your organization. No actionable buttons are available in the side panel, and the only tab shown is 'Audit Details'. The following sections appear in the 'Audit Details' tab:
- Computer & User
- Action & Policy
- Application & File
  - No 'Upload File' button is available here, as no file is provided.
- Additional Details
The Elevate Action Type
The Elevate Action Type occurs when users use elevated permissions to access an application. This can happen with the user being a local administrator, which will be displayed in the 'Notes' details, or if the user has an Elevate policy associated with the application. Logs for Elevation can also be displayed if the user attempts to access a file as an administrator but is unable to. Logs like this will appear with no 'Notes' or policy action. When a user has been granted elevation access and runs the application as an administrator, the 'Notes' section will say "elevated application". Elevated logs show information surrounding the application that was elevated. The following actionable buttons are available in the side panel:
- Permit Elevation
- Add to Application
The 'Audit Details' tab is the only tab available for this Action Type. The sections shown are:
- Computer & User
- Action & Policy
- Application & File
  - No 'Upload File' button is available here, as no file is provided.
- Additional Details
This Action Type can be used and reviewed in cases where you want to see what applications users are trying to get elevation for. To generate logs with this Action Type, you must have the 'Elevation' module enabled within your organization.
The Configuration Action Type
The Configuration Action Type is directly related to the ThreatLocker Configuration Manager. The Configuration Management module must be enabled for your organization in order for these logs to appear. Any time a change is made through Configuration Manager or an action related to a Configuration Manager Policy is taken, the log will appear with this Action Type. Logs like these are more informational, so no actionable buttons are available when opening the side panel. The only visible tab as well is 'Audit Details', as there is no file to provide 'File History'. The sections appearing in 'Audit Details' are:
- Computer & User
- Action & Policy
- Application & File
  - No 'Upload File' button is available here, as no file is provided.
- Additional Details
The DNS Action Type
The DNS Action Type shows you logs that are generated from the ThreatLocker DNS service via machines that are regulated by Web Control without a ThreatLocker agent installed. The DNS Action Type only has the 'Check Virus Total' button as an actionable button.
The 'Audit Details' tab is also the only tab, as no file is provided to include the 'File History' tab. The sections in the 'Audit Details' tab are:
- Computer & User
- Action & Policy
- Application & File
  - No 'Upload File' button is available here, as no file is provided.
- Additional Details
Policy Action
Policy actions appear on the main page and in the side panel of the Unified Audit. Policy actions show you what action was taken on a particular log. There are a few different types of policy actions that can be taken:
- Permit: This means that the log was allowed. This policy action will appear green, and the Effective Action will be 'Permitted'.
- Deny (Red): A policy action of 'Deny' that appears red means that this log was denied. The action could not be completed, and the user did not gain access. Deny policy actions that are red will have the Effective Action of 'Denied'.
- Deny (Green): Occasionally, you might see a 'Deny' policy action that is green. Also known as a Simulated Deny, a policy action of 'Deny' in green means that the machine or policy was not set to Secured. In these cases, ThreatLocker will permit the action by displaying the policy action as 'Deny' so the user knows that had their machine or policy been Secured, the log would have been effectively denied. The Effective Action for Deny policy actions that are green will be 'Permitted'.
- Ringfenced (Red): Ringfenced policy actions that are red mean that the log was Ringfenced and that the action could not be completed. Ringfenced policy actions that are red will have the Effective Action be 'Denied'.
- Ringfenced (Green): Green Ringfenced policy actions operate similarly to simulated denies. If the machine or policy is not Secured, the policy action will display as 'Ringfenced' so that the user knows that this log would have been Ringfenced had the machine or policy been Secured. The Effective Action for these green Ringfenced policy actions will be 'Permitted'.
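The green (simulated) Deny and Ringfenced policy actions described above tell you what would have been blocked had the machine or policy been Secured, which makes them the natural input for an impact review before switching to Secured mode. The following is an added example, not ThreatLocker code: it assumes audit records have been exported as dictionaries keyed by the Unified Audit field names shown on this page (Action Type, Policy Action, Effective Action, Application Name, Policy Name, Asset Name, Full Path), which is an assumed layout, and every record is constructed.

```python
"""Summarise simulated denies in ThreatLocker Unified Audit records.

Added example (not ThreatLocker's code). The record layout is an assumption:
one dict per log, keyed by the field names the Unified Audit displays.
"""
from collections import Counter

# Constructed sample records. The two WS-03 entries come from a Secured
# machine (real Denied); the rest are simulated denies / green Ringfenced.
SAMPLE_RECORDS = [
    {"Action Type": "Execute", "Policy Action": "Permit", "Effective Action": "Permitted",
     "Application Name": "Google Chrome", "Policy Name": "Allow Chrome", "Asset Name": "WS-01",
     "Full Path": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"Action Type": "Execute", "Policy Action": "Deny", "Effective Action": "Permitted",
     "Application Name": "7-Zip", "Policy Name": "Default - Deny", "Asset Name": "WS-01",
     "Full Path": r"C:\Program Files\7-Zip\7z.exe"},
    {"Action Type": "Execute", "Policy Action": "Deny", "Effective Action": "Permitted",
     "Application Name": "7-Zip", "Policy Name": "Default - Deny", "Asset Name": "WS-02",
     "Full Path": r"C:\Program Files\7-Zip\7zFM.exe"},
    {"Action Type": "Execute", "Policy Action": "Deny", "Effective Action": "Denied",
     "Application Name": "Unknown Installer", "Policy Name": "Default - Deny", "Asset Name": "WS-03",
     "Full Path": r"C:\Users\jdoe\Downloads\setup.exe"},
    {"Action Type": "Network", "Policy Action": "Ringfenced", "Effective Action": "Permitted",
     "Application Name": "Microsoft Word", "Policy Name": "Ringfence Office", "Asset Name": "WS-01",
     "Full Path": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Action Type": "Execute", "Policy Action": "Deny", "Effective Action": "Permitted",
     "Application Name": "Notepad++", "Policy Name": "Default - Deny", "Asset Name": "WS-02",
     "Full Path": r"C:\Program Files\Notepad++\notepad++.exe"},
]


def effective_action(policy_action: str, secured: bool) -> str:
    """Effective Action implied by a Policy Action, following the page's rules.

    Permit is always Permitted. Deny and Ringfenced only become Denied when the
    machine or policy is Secured; otherwise the action goes through (a green,
    simulated Deny / Ringfenced) and the Effective Action is Permitted.
    """
    if policy_action == "Permit":
        return "Permitted"
    if policy_action in ("Deny", "Ringfenced"):
        return "Denied" if secured else "Permitted"
    raise ValueError(f"unknown policy action: {policy_action!r}")


def is_simulated_block(record: dict) -> bool:
    """True for a green Deny/Ringfenced: blocked on paper, permitted in practice."""
    return (record["Policy Action"] in ("Deny", "Ringfenced")
            and record["Effective Action"] == "Permitted")


def secured_mode_impact(records) -> dict:
    """Group simulated blocks by (Policy Name, Policy Action).

    Each value holds the event count, a Counter of Application Names, and the
    set of Asset Names that would start seeing real denies once Secured.
    """
    impact = {}
    for rec in records:
        if not is_simulated_block(rec):
            continue
        key = (rec["Policy Name"], rec["Policy Action"])
        entry = impact.setdefault(key, {"count": 0, "apps": Counter(), "assets": set()})
        entry["count"] += 1
        entry["apps"][rec["Application Name"]] += 1
        entry["assets"].add(rec["Asset Name"])
    return impact


def report(records) -> str:
    """Human-readable summary of what switching to Secured would block."""
    lines = []
    for (policy, action), entry in sorted(secured_mode_impact(records).items()):
        lines.append(f"{action} policy '{policy}': {entry['count']} event(s) would become "
                     f"Denied on {len(entry['assets'])} asset(s)")
        for app, n in entry["apps"].most_common():
            lines.append(f"    {app}: {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_RECORDS))
```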