
How to review audit logs in ThreatLocker?
This document outlines the step-by-step process for reviewing audit logs in the ThreatLocker Dashboard.
This article is a part of our ThreatLocker How-to Guides series, Chapter 10 – Monitoring, Logs and Reports.
Introduction
The Unified Audit feature in ThreatLocker provides detailed visibility into all actions across your environment, including permitted and denied executions, network requests, and configuration changes. Using filters, you can quickly find specific events and investigate them.
Implementation
Step 1: Access the Unified Audit
- Log in to the ThreatLocker Portal.
- Navigate to Unified Audit from the left-hand menu.

Step 2: Review Logs Using Filters
- In the Unified Audit section, use the Filter options to narrow down results:
  - Start Date and End Date – Define the period to review.
  - Action – Choose one of the following:
    - Permit
    - Deny
    - Deny (Option to Request)
    - Ringfenced
    - Any Deny
  - Action Type – Choose one, such as:
    - Execute
    - Install
    - Network
    - Registry Read / Write / Modify / Delete
    - Baseline
    - PowerShell
    - Elevate
    - New Process
    - Configuration
    - DNS
  - Group By – Optionally group logs by:
    - Application ID
    - Computer ID
    - Data Destination
    - Domain
    - Etc.
  - Search – You can search by Asset Name or by Directory Path directly.
- After configuring all filter fields, click Search.
- The results will display with full event details, such as:
  - Date & Time
  - Asset Name
  - Username
  - Action & Action Type
  - Additional event details

Conclusion
The Unified Audit in ThreatLocker is a powerful tool for investigating security events and user activity. By applying filters effectively, you can quickly locate relevant logs and gain a detailed understanding of what happened, when, and by whom.