Using the ThreatLocker Audit
Every time an application or library is opened on a computer that is running ThreatLocker, an entry is logged into the ThreatLocker audit. The audit is an essential tool for identifying potential security threats, and identifying what applications are being blocked in the event on an issue.
Opening and Searching the ThreatLocker Audit
- To access the ThreatLocker Audit select Application Control > Audit from the navigation menu.
- To search for a file in the ThreatLocker Application Audit, you can enter a file name in the search box on the top right, and select the Search button. This will search for all matching files executed that day.
- A list of files will be returned in the results grid. The grid will display the following information:-
- Date/Time - The date and the time the file was executed.
- Hostname/Username - The computer name, and the username that opened the file. Files that are opened under a system account, will show SYSTEM as the username.
- Application - The full path of the file that was executed, along with the process name that opened the path.
- Action - The action that was taken:- Possible values are:
- Permit - execution was permitted.
- Deny - execution was blocked.
- Request - execution was blocked, but the user was given the option to request permission.
- Install Mode - The application would have been denied, but because the ThreatLocker was in installation was in installation mode it was permitted.
- Policy - Displayed the policy that was matched.
Locating Blocked Files in the Audit
You can search the ThreatLocker audit for items that match a certain policy. To locate items that triggered a certain policy you can use the advanced search filter.
To search for the Default policy, which is normally a deny policy:-
- Select the Advanced Search Options button;
- Enter Default in the Policy name;
- Select Search;
A list of all entries that match that policy will be displayed. If you want to de-duplicate the search results, you can select Group By to see a specific item.
Adding Files into an Application Directory from the Audit.
When an application is blocked, or hits a certain policy, you may decide you want to add that file to an existing application or a new application so you can stop it from being blocked. To add a file to a specific application:-
- Right-click on the file in the audit;
- Select Add to Application;
- The New Application page will be displayed. If you wish to add a file to an existing application, you can select the Application from the Application Name drop down list. You can also enter a new application name.
- You can add files using hashes, certificates, paths or process or a combination of any of them. For more information about adding files to applications, please see (Applications);
- Select the Save button.
The changes will not take affect until you select Deploy Policies.