Using the ThreatLocker Unified Audit
The ThreatLocker Unified Audit is a central location where all audited information is displayed.
When using ThreatLocker Application Control, information about executables, scripts, and libraries is recorded in near real-time. Information about these actions is searchable in the Unified Audit, including:
- All executables, libraries, and script files that were cataloged on your devices during the initial baseline, excluding Windows Core Files
- All executables, libraries, and script files executed in your environment, and files installed since installing the ThreatLocker agent.
ThreatLocker Storage Control displays information about files that have been accessed, changed, or deleted on external storage, including USB drives, file shares, and the local drives where an explicit policy was created to monitor or control that folder.
Searching the ThreatLocker Unified Audit
You can use '*' as a wildcard in the textboxes when you are inputting your text search parameters. You can also use '!' to mean "show all except" in the text search boxes. For example, if you want to see all file paths except for Windows files, you could put !*windows* in the Path box and search all results except anything with Windows in the path.
Search by Date: Select a start and end date for your search in the audit. How far back you can search depends on your organization's policies; by default, data is kept for about a month. The search date defaults to today's date, from midnight to midnight. If you are researching an incident and you have a timeframe, you can narrow your search down by date and time to help filter out unneeded information.
Search by Policy Name: To see instances of a specific policy being matched, search by Policy Name. You have the ability to use '*' for a wildcard when inputting the name of the policy. For example, you could search for all items that hit the Deny USB Policy.
Search by Path: Search by path to find a specific file. You can use wildcards if you don't know the exact path, if the file you are looking for exists in multiple paths, or if you want to view all files of a specific type (e.g. *.txt or *.msi).
Search by Process: If you wanted to see everything that has been called by a specific process, you can place all or part of the name in this search box and use wildcards. For example, using *quick* showed us all files that had been called by QuickBooks.
Search by Hostname: If you want to see activity on a specific hostname, type the hostname, or part of it with wildcards, into this search box to filter your results to activity that occurred on that computer.
Search by Username: If you need to see the activities of a certain user, you can search by Username. Users need to be searched by domain/username. This can be found by dropping down a Unified Audit entry. If the domain isn't known or the user may log in on multiple domains, use a wildcard in front of the username.
Search by Certificate: To see all activity that occurred from a single vendor, enter all or part of the name of the company that would sign the file and use wildcards in the 'Certificate' field to search for only items signed by that vendor.
Search by Hash: By searching by hash, all instances of that particular hash that were audited during your selected timeframe will be listed. For files less than 1MB, this is the MD5 hash of the file. For files over 1MB, this is a hash based on a unique ThreatLocker algorithm.
Search by Serial Number: Place the serial number in the 'Serial Number' field and click search to see all activity involving that specific device.
Search by Action:
- Permit - This will show you items that were permitted.
- Any deny - This will show you all items that were effectively denied.
- Deny - This will show you items that were effectively denied, as well as items that were effectively permitted only because the endpoint was in learning mode. This covers only items for which the end user does not have the option to request access.
- Deny (Option to Request) - This will show items that were denied but the policy that denies them allows the user the option to request, meaning that this will only show denies that the end user was notified of.
- Ringfenced - This will show you items that were Ringfenced, whether they were permitted or denied.
Search by Action Type:
- Execute - files that are executing
- Install - files that are installing
- Network - network activity
- Registry - registry changes
- Read - files that are being accessed in areas monitored by storage
- Write - files that are being saved in areas monitored by storage
- Move - files that are being moved in areas monitored by storage
- Delete - files that are being deleted in areas monitored by storage
- Baseline - files that are profiled during the initial baselining of a machine
- PowerShell - PowerShell activity
- Elevation - files that a user attempted to run with elevated permissions, whether or not the policy successfully elevated them.
- New Process - New processes. By expanding an entry, you can see what called this new process.
Search by Interface:
- Computers installed over 4 days ago
- Computers installed over 7 days ago
- Remove White Noise, which filters out denies that are well-known white noise, to help streamline the audit results into more useful information.
- Computers in Monitor Only
Once you have completed your search fields, select the Search button to display results.
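The following is an added example, not ThreatLocker code, that models the text-search semantics described on this page ('*' as a wildcard, a leading '!' for "show all except", and fields combined with AND) over a handful of constructed audit rows. It assumes case-insensitive matching and that a term without '*' must match the whole field; the field names and sample rows are made up for illustration.

```python
import re

# Constructed sample audit rows (made up for this example, not real audit data).
SAMPLE_AUDIT = [
    {"path": r"C:\Windows\System32\svchost.exe", "hostname": "WS-01",
     "username": r"CORP\alice", "process": "services.exe", "action": "Permit"},
    {"path": r"C:\Users\alice\Downloads\setup.msi", "hostname": "WS-01",
     "username": r"CORP\alice", "process": "explorer.exe", "action": "Deny"},
    {"path": r"C:\Program Files\Intuit\QuickBooks\QBW32.exe", "hostname": "FIN-02",
     "username": r"CORP\bob", "process": "explorer.exe", "action": "Permit"},
    {"path": r"C:\Users\bob\Documents\notes.txt", "hostname": "FIN-02",
     "username": r"LOCAL\bob", "process": "QuickBooks.exe", "action": "Permit"},
    {"path": r"E:\tools\unsigned.exe", "hostname": "LAB-09",
     "username": r"CORP\carol", "process": "explorer.exe", "action": "Deny"},
]


def compile_term(term):
    """Turn one textbox value into a predicate over a field value.

    '*' matches any run of characters and a leading '!' means "show all
    except". Matching is case-insensitive (Windows paths and hostnames are),
    and a term without '*' must match the whole field (an assumption here).
    An empty textbox applies no filter on that field.
    """
    if not term:
        return lambda value: True
    negate = term.startswith("!")
    pattern = term[1:] if negate else term
    # Escape everything except '*', which becomes '.*'; anchor to the whole field.
    regex = re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$",
                       re.IGNORECASE)
    return lambda value: bool(regex.match(value)) != negate


def search_audit(entries, **filters):
    """Return the rows matching every filled-in field (fields are ANDed)."""
    predicates = {field: compile_term(term) for field, term in filters.items()}
    return [row for row in entries
            if all(pred(row.get(field, "")) for field, pred in predicates.items())]


if __name__ == "__main__":
    # Everything except Windows files, as in the '!*windows*' example above.
    for row in search_audit(SAMPLE_AUDIT, path="!*windows*"):
        print(row["path"])
    # Files called by QuickBooks, for any 'bob' regardless of domain.
    for row in search_audit(SAMPLE_AUDIT, process="*quick*", username="*\\bob"):
        print(row["hostname"], row["username"], row["path"])
```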