ThreatLocker

About
ThreatLocker is a Zero Trust cybersecurity solution that implements deny-by-default, allow-by-exception endpoint protection, safeguarding businesses from malware and unauthorized access.
Product Details
Vendor URL: ThreatLocker
Product Type: Endpoint Detection and Response (EDR)
Product Tier: Tier III
Integration Method: N/A
Parser Details
Log Format: JSON
Expected Normalization Rate: 90%
Data Label: THREATLOCKER
UDM Fields (all UDM fields populated by the parser):
| Log File Field | UDM Field |
|---|---|
| eActionLogId | metadata.product_log_id |
| username | principal.user.userid |
| organizationId | principal.resource.id |
| serialNumber | principal.asset.hardware.serial_number |
| processId | principal.process.id |
| computerId | principal.asset.asset_id |
| observer_hostname | observer.hostname |
| size | target.file.size |
| processPath | target.process.file.full_path |
| sha256Hash | target.file.sha256 |
| sha256Hash | target.process.file.sha256 |
| hash | target.file.md5 |
| applicationName | target.application |
| path | observer.file.full_path |
| policyName | security_result.rule_name |
| encryptionStatus | additional.fields |
| osType | additional.fields |
| deviceType | additional.fields |
| applicationId | additional.fields |
| actionId | security_result.action |
| actionType | security_result.action_details |
| policyId | security_result.rule_id |
Product Event Types
| Event | UDM Event Classification |
|---|---|
| General | GENERIC_EVENT |
Log Sample
<13>1 2025-09-03T14:05:01.000+00:00 dr1siem34pv threatlocker - - - {"sha256Hash":"1234455677abcdefg4b2556c658ce7f8154123456788cf4b7b3efb86","actionTypeId":5,"applicationOrganizationId":null,"networkDirection":0,"encryption":0,"chromeStoreUrl":null,"applicationIsBuiltIn":null,"certText":null,"username":"ABC123","edgeStoreUrl":null,"actionType":"execute","reportMissing":false,"organizationParents":[],"firefoxStoreUrl":null,"threatLockerItem":{"aid":0,"d":"2025-09-03T14:20:03Z","pid":null,"u":null,"pn":null,"at":0,"a":[]},"hostname":"abc12345","data":null,"actionLogId":0,"learningModeEndDate":null,"lastSortValue":0,"fullPath":"c:\\program files\\abcdefg\\currentversion\\abcdefglogging.dll","certificates":null,"processId":18084,"webControlPolicyExists":false,"isCloudActionType":false,"remotePresenceText":null,"policyName":"abcxxxx (built-in)","serialNumber":":1234567879078454564546.","host":"host1234pv","isExtension":false,"osType":0,"organizationName":null,"virusTotalCheckArgument":null,"sourceIPAddress":"","actionId":1,"isMonitorMode":false,"allowPermitVendorButton":false,"policyEnabled":false,"certExists":false,"certs":["{ \"sha\": \"1234455677abcdefg4b2556c658ce7f8154123456788cf4b7b3efb86\", \"subject\": \"cn=\\\"abcdefg, inc.\\\", o=\\\"abcdefg, inc.\\\", l=palo alto, s=california, c=us, serialnumber=5462396, oid.2.5.4.15=private organization, oid.1.3.6.1.4.1.311.60.2.1.2=delaware, oid.1.3.6.1.4.1.311.60.2.1.3=us\", \"validcert\": true, \"digestmismatch\": 0}"],"twPolicyExists":false,"remotePresence":true,"groupByCount":0,"policyId":"123bn12423mn4b2jk3h4kj2h34kj2hk32","action":"Permit","hasPolicyData":true,"hash":"ahjnsbdjh2j34j23jh4g2b34jhg2j34hk2","destinationIPAddress":null,"createdByProcess":null,"integrationTypeId":null,"policyExists":false,"applicationName":"abcdefg (built-in)","cert":"[{ \"sha\": \"1234455677abcdefg4b2556c658ce7f8154123456788cf4b7b3efb86\", \"subject\": \"cn=\\\"abcdefg, inc.\\\", o=\\\"abcdefg, inc.\\\", l=palo alto, s=california, c=us, 
serialnumber=5462396, oid.2.5.4.15=private organization, oid.1.3.6.1.4.1.311.60.2.1.2=delaware, oid.1.3.6.1.4.1.311.60.2.1.3=us\", \"validcert\": true, \"digestmismatch\": 0}]","computerId":"asvdsed345566-1ab2-abcd123-bdc7-12345","applicationId":"faasda6fd2-991234cszsd-1234-85f7-asdasre6","eActionLogId":"asvdsed345566-1ab2-abcd123-bdc7-12345","dateTime":"2025-09-03T14:05:01Z","remotePresenceThreatLockerDetected":false,"actionLogCreatedByProcesses":null,"optionToRequest":false,"policyOrganizationId":null,"@version":"1","logType":"threatlocker","storagePolicyExists":false,"monitorMode":null,"dateTimeImported":"2025-09-03T14:05:24Z","virusTotalCheckName":null,"totalCount":0,"organizationId":"asvdsed345566-1ab2-abcd123-bdc7-12345","size":40968,"effectiveAction":null,"notes":"","encryptionStatus":"Not Encrypted","policyLocation":null,"processPath":"c:\\program files\\file.exe","path":"/home/logstash/threatlocker/12334.278668.json","deviceType":"ABCD","nacPolicyExists":false,"isCloudLog":false,"@timestamp":"2025-09-03T14:05:01.000Z"}
Sample Parsing (illustrative output; these values were not all produced from the Log Sample above — for example, the username, policyName and serialNumber values differ)
additional.fields["Application Id"] = "faasda6fd2-991234cszsd-1234-85f7-asdasre"
additional.fields["Device Type"] = "NVME"
additional.fields["Encryption Status"] = "Not Encrypted"
additional.fields["OS Type"] = "0"
metadata.product_log_id = "nbmn32m3n4-32340-sds-a976-123456"
metadata.product_name = "THREATLOCKER"
metadata.vendor_name = "THREATLOCKER"
observer.file.full_path = "/home/logstash/threatlocker/123456.58393.json"
observer.hostname = "abc12345"
principal.asset_id = "ComputerId: asvdsed345566-1ab2-abcd123-bdc7-12345"
principal.asset.asset_id = "ComputerId: asvdsed345566-1ab2-abcd123-bdc7-12345"
principal.asset.hardware.serial_number = "1234456:01235_89E3_172637_9ABC."
principal.resource.id = "asvdsed345566-1ab2-abcd123-bdc7-12345"
principal.user.userid = "ABCD123"
security_result.action_details = "execute"
security_result.action = "ALLOW"
security_result.rule_id = "asvdsed345566-1ab2-abcd123-bdc7-12345"
security_result.rule_name = "rule1234"
target.application = "app_abc"
target.file.md5 = "1238abcdefg49cb5c12345656a5b5c"
target.file.sha256 = "1234455677abcdefg4b2556c658ce7f8154123456788cf4b7b3efb86"
target.file.size = 40968
target.process.file.full_path = "c:\\program files\\file.exe"
target.process.file.sha256 = "1234455677abcdefg4b2556c658ce7f8154123456788cf4b7b3efb86"