Labsco
Space-C0wboy logo

ThreatLocker MCP

โ˜… 1

from Space-C0wboy

Threatlocker-mcp is a Model Context Protocol server that connects AI assistants such as Claude Desktop and Claude Code with the ThreatLocker Portal API.

๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅโœ“ VerifiedAccount requiredNeeds API keys

ThreatLocker MCP

threatlocker-mcp is a Model Context Protocol server that connects AI assistants such as Claude Desktop and Claude Code with the ThreatLocker Portal API. 44 tools โ€” generated directly from the official OpenAPI 3.0 spec โ€” give your AI assistant programmatic access to computers, approvals, action logs, tags, maintenance mode, reports, and more, across single-org and parent/child tenant setups.

[!IMPORTANT] Unofficial project. This is an independent, community-built MCP server developed against ThreatLocker's published API documentation. It is not an official ThreatLocker product and is not affiliated with, endorsed by, or supported by ThreatLocker, Inc. "ThreatLocker" is a trademark of ThreatLocker, Inc. For official support of the ThreatLocker platform itself, contact ThreatLocker directly.

[!WARNING] Beta software โ€” not yet recommended for production environments. This project is under active development. The tool surface and individual tool body shapes may still change between minor versions, and not every endpoint has been exhaustively exercised against every tenant configuration. Use against a lab or non-production tenant until you're confident in the behavior for your use case.

This server can also perform destructive actions against your ThreatLocker environment. Tools can enable/disable endpoint protection, approve security requests, modify tag membership, end active maintenance windows, approve storage devices, and move computers between organizations. A hallucinated tool argument from your AI assistant could alter your ThreatLocker configuration in ways that affect endpoint security.

Recommended posture:

  • Try the server against a non-production or lab tenant first.
  • Use a ThreatLocker API key scoped to the minimum permissions your use case requires.
  • Review every destructive tool call before allowing execution. Claude Desktop requires tool-call approval by default โ€” keep that enabled.
  • Treat the API key with the same care as portal admin credentials, because functionally it is one.
  • The HTTP transport binds to 127.0.0.1 by default. Do not expose it to the public internet without adding authentication.

Tools

AreaCountCapabilities
Computers9Search, get/edit details, enable/disable protection, update maintenance mode, baseline rescan, move between orgs, finish active maintenance
Approval Requests11Search, get by ID, count pending, get permit details, approve, reject, ignore, take ownership, storage approval read/permit, file download details
Application5Get by ID, get matching list, list available apps for permit-into, list apps for maintenance mode, research details
Action Log4Search by parameters, get by ID, file history, file download details
Maintenance Mode4Get schedule by computer, insert, end by ID, reschedule end time
Tag3Get by ID, dropdown options by org, update
System Audit2Search by parameters, health center
Computer Groups2Get groups with computers, dropdown by org
Policy1Get by ID
Online Devices1Get by parameters
Reports1Get by organization
Organization1list_organizations โ€” discover org GUIDs this API key can target

All request bodies are typed Pydantic models (63 generated from the spec), so the AI assistant receives full schema validation and autocomplete. The wire format preserves the original camelCase field names expected by the API.

Editor Integration

Add the following block to your Claude Desktop configuration file:

  • Windows: %APPDATA%\Claude\claude_desktop_config.json
  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
{
  "mcpServers": {
    "threatlocker": {
      "command": "uvx",
      "args": [
        "threatlocker-mcp"
      ],
      "env": {
        "THREATLOCKER_API_KEY": "your-api-key",
        "THREATLOCKER_ORG_ID": "your-default-org-guid",
        "THREATLOCKER_BASE_URL": "https://portalapi.h.threatlocker.com"
      }
    }
  }
}

Fully quit Claude Desktop (tray icon โ†’ Quit on Windows; โŒ˜Q on macOS), then reopen it. uvx resolves and caches the package on first launch; subsequent launches are nearly instant.

Pinning to a specific version

"args": ["threatlocker-mcp@0.2.1"]

Forcing a refresh

"args": ["--refresh", "threatlocker-mcp"]

Example Prompts

Investigate denied activity:

"Search the action log for any denied executions on hostname SRV-DB-01 in the last 24 hours."

โ†’ Calls action_log_get_by_parameters_v2 with an ActionLogParamsDto.

Review pending approvals:

"Show me all pending approval requests for the Cloud Services org."

โ†’ Calls approval_request_get_by_parameters with organization_id=<cloud-svc-guid>.

Approve a request:

"Approve request abc-123 at computer scope with the note 'verified vendor'."

โ†’ Calls approval_request_permit_application with a PermitApplicationDto.

Schedule maintenance:

"Put workstation WS-FINANCE-04 into maintenance mode for the next two hours."

โ†’ Calls maintenance_mode_insert with a MaintenanceModeInsertDto.

Manage tags:

"Add corporate-vpn.example.com to the existing 'Corporate VPN' network tag."

โ†’ Calls tag_get_dropdown_options_by_organization_id and tag_update.