Prerequisites: Requires Active ThreatLocker Detect Purchase
ThreatLocker Query Language (TQL) allows you to search and filter ThreatLocker Unified Audit data using structured query statements. TQL is useful when you need to narrow results by policy, application, file path, hash, hostname, IP address, result status, event time, or other available event fields.
When to Use TQL
Use TQL when you want to:
- Combine multiple search conditions
- Use lists instead of repeating the same condition
- Use regular expressions for advanced matching
Accessing TQL Search
- Log in to the ThreatLocker Portal.
- Navigate to Unified Audit.
- Enable the toggle: Use Query Search (Beta).
- Enter your TQL query in the search field.
- Select Search to apply the query.
TQL Query Format
A basic TQL query uses the following structure:
Attribute Operator Value
Example:
PolicyName = "Chrome (Built-In)"
The above searches for records where the PolicyName equals Chrome (Built-In).
Combining Conditions
You can combine multiple conditions using AND and OR.
Example:
PolicyName = "Chrome (Built-In)" AND EffectiveAction = Deny
This searches for records where the policy name is Chrome (Built-In) and the effective action is Deny.
Example:
PolicyName = "Chrome (Built-In)" OR PolicyName = "Firefox (Built-In)"
This searches for records where the policy name is Chrome (Built-In) or Firefox (Built-In).
Use Parentheses for Complex Logic
TQL processes queries from left to right unless parentheses are used. Parentheses group specific conditions so they are evaluated together. For complex searches, use parentheses to make your logic clear.
Example:
(PolicyName = "Chrome (Built-In)" OR PolicyName = "Firefox (Built-In)") AND EffectiveAction = Deny
This searches for records where the policy name is Chrome (Built-In) or Firefox (Built-In) and the effective action is Deny.
Operators
Operators are not case-sensitive.
The following is a list of all supported operators:
| Operator | Description |
|---|---|
| = | Matches an exact value |
| != | Does not match a value |
| AND | Both statements must be true |
| OR | At least one statement must be true |
| CONTAINS | Searches for a substring within a value |
| IN | Matches any value in a list |
| LIKE | Matches a regular expression |
| NOT CONTAINS | Excludes values containing a substring |
| NOT IN | Excludes values in a list |
| NOT LIKE | Excludes values matching a regular expression |
| > | Greater than |
| >= | Greater than or equal to |
| < | Less than |
| <= | Less than or equal to |
Attributes
Attributes are not case-sensitive.
The following is a list of supported attributes:
| Attribute |
|---|
| username |
| ProcessPath |
| ProcessID |
| CreatedByProcess |
| policyID |
| policyName |
| ApplicationId |
| ApplicationName |
| actionType |
| FullPath |
| TLHash / hash |
| SHA256 |
| FileSize |
| DeviceType |
| Certificates |
| SourceIPAddress |
| Hostname |
| SourcePort |
| DestinationPort |
| Notes |
| Data |
| RemotePresence |
| EventLogSourceId |
| NetworkDirection |
| DestinationIPAddress |
| actionId |
| CmdLineParameters |
| ElevationStatus |
| EncryptionStatus |
| IsDotNetDLL |
| KillRunningProcess |
| MaintenanceModeId |
| MD5Hash |
| MonitorOnly |
| Ringfenced |
| RingfencePolicyId |
| HarddriveSerialNumber |
| VolumeSerialNumber |
| SHA1 |
| EventLogDescription |
| EventLogOccurrences |
| CurrentThreatLevel |
| ActionOccurrences |
| CanaryFilePath |
| DestinationDomain |
| ParentProcessTLHash |
| ParentProcessSHA256 |
| ParentProcessFileSize |
| ParentProcessCertificate |
| Message |
| LogName |
| Level |
| Opcode |
| TaskCategory |
| Keywords |
| RegistryKeyChange |
| TransportLayer |
| ParentProcessApplicationId |
| EffectiveAction |
| ActionLogId |
| OrganizationId |
| ActionId |
| AdditionalPolicy |
| ThreatLockerVersion |
| computerId |
| EventTime |
| ThreatType |
| ResultStatus |
| Location |
| RiskScore |
| RiskState |
| Source |
| Service |
| Priority |
| Facility |
| Severity |
| Activity |
| MacAddress |
| PacketSize |
| FullPathWithCmdLine |
| ProcessPathWithCmdLine |
| BatchId |
| IsProtectedProcess |
| MemoryBytes |
| ProcessName |
| ParentProcessName |
| ParentProcessId |
| FileIcon |
| DestinationPath |
| HexCode |
| TagId |
| DnsServerName |
| ApplicationMatchType |
| ParentProcessApplicationMatchType |
| UseMonitorModeUntil |
| PolicyIds |
| EventLogOpCode |
| EventLogLevel |
| EventLogTaskCategory |
| EventLogTaskName |
| EventLogTaskMessage |
| EventLogTaskKeywords |
| EventLogOpCodeDisplayName |
| SystemLogMessage |
| SystemLogProcess |
| SystemLogSender |
| SystemLogCategory |
| SystemLogSubsystem |
| SystemLogType |
| SystemLogFormat |
| DeviceManufacturer |
| DiskBusType |
| CreatorProcessId |
| ThreadId |
| ThreadStartAddress |
| ProcessFileSize |
| BrokerServer |
Formatting Rules
Spacing is Flexible
Spaces are recommended for readability, but they are not always required.
Both of the examples below are valid.
PolicyName = "Chrome (Built-In)"
PolicyName="Chrome (Built-In)"
Strings Require Quotes
Text values should be enclosed in quotation marks.
Example:
PolicyName = "Chrome (Built-In)"
If you need to include a quotation mark inside a string, escape it with a backslash:
Notes = "User said \"approved\""
Lists Use Parentheses
Use parentheses when checking for multiple values.
Example:
PolicyName IN ("Chrome (Built-In)", "Firefox (Built-In)", "Edge (Built-In)")
Backslashes Must Be Escaped
When using backslashes (\) inside a string, each backslash must be escaped with another backslash.
Example:
Path CONTAINS "documents\\file.txt"
In this example:
- The first \ is an escape character
- The second \ represents the actual backslash in the file path
This allows TQL to correctly interpret the path value.
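To make the rules above concrete (the Attribute Operator Value format, AND/OR folded left to right unless parenthesised, case-insensitive operators and attributes, parenthesised IN lists, and the quote and backslash escapes), here is a small evaluator for the documented syntax run against a handful of constructed audit-style records. This is an added example and not ThreatLocker's own parser or search code; the function names (tokenize, parse, matches, search), the sample records, the decision to treat LIKE as a Python regular expression, to compare values case-sensitively, and to treat a missing attribute as an empty string are all assumptions made for the example.

```python
"""Illustrative evaluator for the TQL syntax on this page (an added example, not
ThreatLocker's parser). It implements only what the page states; treating LIKE as a
Python regular expression and comparing values case-sensitively are assumptions."""
import re

# One token per match: quoted string (escapes still raw), punctuation, comparison symbol, bare word.
_TOKEN = re.compile(r'\s*(?:"((?:[^"\\]|\\.)*)"|([(),])|(!=|>=|<=|=|>|<)|([^\s(),"=!<>]+))')

def tokenize(query):
    """Return (kind, text) tuples; backslash escapes inside strings are resolved here."""
    tokens, pos = [], 0
    while pos < len(query):
        m = _TOKEN.match(query, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {query[pos:]!r}")
        pos = m.end()
        kind, text = next((k, t) for k, t in zip(("str", "punct", "cmp", "word"), m.groups()) if t is not None)
        if kind == "str":
            text = re.sub(r"\\(.)", r"\1", text)  # \" -> "  and  \\ -> \  (the page's two escape rules)
        tokens.append((kind, text))
    return tokens

class _Parser:
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def take(self, expect=None):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of query")
        tok, self.i = self.toks[self.i], self.i + 1
        if expect and tok != expect:
            raise ValueError(f"expected {expect[1]!r}, got {tok[1]!r}")
        return tok

    def expression(self):
        # condition ((AND|OR) condition)*, folded strictly left to right as the page states
        node = self.condition()
        while self.i < len(self.toks) and self.toks[self.i][0] == "word" \
                and self.toks[self.i][1].upper() in ("AND", "OR"):
            node = (self.take()[1].upper(), node, self.condition())
        return node

    def condition(self):
        kind, text = self.take()
        if (kind, text) == ("punct", "("):          # parentheses force grouping
            node = self.expression()
            self.take(("punct", ")"))
            return node
        if kind != "word":
            raise ValueError(f"expected an attribute name, got {text!r}")
        attr, op = text.lower(), self.take()[1].upper()  # attributes and operators are not case-sensitive
        if op == "NOT":                              # NOT IN / NOT CONTAINS / NOT LIKE
            op += " " + self.take()[1].upper()
        if op not in ("IN", "NOT IN"):
            return (op, attr, self.take()[1])
        self.take(("punct", "("))                    # lists use parentheses
        values = [self.take()[1]]
        while (sep := self.take()[1]) != ")":
            if sep != ",":
                raise ValueError(f"expected ',' or ')' in list, got {sep!r}")
            values.append(self.take()[1])
        return (op, attr, values)

def parse(query):
    """Parse a query into nested (op, left, right) tuples."""
    parser = _Parser(tokenize(query.strip()))
    node = parser.expression()
    if parser.i != len(parser.toks):
        raise ValueError("unparsed input after the query")
    return node

def matches(record, node):
    """Evaluate a parsed query against one record (a dict of attribute -> value)."""
    op, left, right = node
    if op == "AND":
        return matches(record, left) and matches(record, right)
    if op == "OR":
        return matches(record, left) or matches(record, right)
    # attribute lookup ignores case; a missing attribute behaves as "" (assumption)
    actual = str(next((v for k, v in record.items() if k.lower() == left), ""))
    if op in (">", ">=", "<", "<="):
        try:
            actual, right = float(actual), float(right)   # numeric when both sides are numbers
        except ValueError:
            pass
        return {">": actual > right, ">=": actual >= right, "<": actual < right, "<=": actual <= right}[op]
    tests = {"=": lambda: actual == right, "!=": lambda: actual != right,
             "CONTAINS": lambda: right in actual, "NOT CONTAINS": lambda: right not in actual,
             "IN": lambda: actual in right, "NOT IN": lambda: actual not in right,
             "LIKE": lambda: re.search(right, actual) is not None,  # LIKE treated as a regex
             "NOT LIKE": lambda: re.search(right, actual) is None}
    return tests[op]()

def search(records, query):
    """Return the Hostname of every record that satisfies the query."""
    node = parse(query)
    return [r["Hostname"] for r in records if matches(r, node)]

# Constructed sample records in the shape of Unified Audit events (not real ThreatLocker data).
SAMPLE_RECORDS = [
    {"Hostname": "ws-01", "PolicyName": "Chrome (Built-In)", "EffectiveAction": "Deny", "FileSize": 2048,
     "FullPath": r"c:\users\alice\documents\file.txt", "Notes": 'User said "approved"'},
    {"Hostname": "ws-02", "PolicyName": "Firefox (Built-In)", "EffectiveAction": "Permit",
     "FileSize": 700000, "FullPath": r"c:\program files\mozilla firefox\firefox.exe", "Notes": ""},
    {"Hostname": "ws-03", "PolicyName": "Edge (Built-In)", "EffectiveAction": "Deny",
     "FileSize": 150, "FullPath": r"c:\temp\unknown.exe", "Notes": ""},
]
```

Calling `search(SAMPLE_RECORDS, 'EffectiveAction = Deny OR PolicyName = "Firefox (Built-In)" AND Hostname = "ws-03"')` returns only ws-01's neighbour ws-03, because the left-to-right fold reads it as (Deny OR Firefox) AND ws-03; wrapping the AND part in parentheses returns both ws-01 and ws-03. That difference is the reason the page recommends parentheses whenever a query mixes AND and OR. Note too that a backslash in a path has to be written doubled inside the query text, as in the page's `Path CONTAINS "documents\\file.txt"` example, or the tokenizer consumes it as an escape.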
Summary
TQL helps you build precise searches in ThreatLocker by combining attributes, operators, values, lists, and regular expressions. For best results, use correct attribute capitalization, quote string values, and add parentheses when combining multiple conditions.