Command Palette

Search for a command to run...

UnylyUnyly
Весь каталог

Threatlocker Server

БесплатноНе проверен

MCP server for interacting with the ThreatLocker Portal API, enabling querying of computers, applications, policies, audit logs, and more through AI assistants.

GitHubEmbed

Описание

MCP server for interacting with the ThreatLocker Portal API, enabling querying of computers, applications, policies, audit logs, and more through AI assistants.

README

An MCP (Model Context Protocol) server for interacting with the ThreatLocker Portal API through Claude Desktop, Claude Code, or any MCP-compatible client.

About

This server exposes ThreatLocker Portal functionality as MCP tools, enabling AI assistants to query computers, applications, policies, audit logs, and more. It supports both local (stdio) and remote (HTTP/SSE) transports.

Current Status: Full read/write support for applications and policies. Set THREATLOCKER_READ_ONLY=true to enforce read-only mode.

Disclaimer

USE AT YOUR OWN RISK

This software is provided "as is" without warranty of any kind. This is an unofficial, community-developed integration and is not affiliated with, endorsed by, or supported by ThreatLocker.

  • API keys are currently stored in plain text (in environment variables, .env files, or MCP client config files). A more secure credential storage solution is planned for a future release.
  • Always test in a non-production environment first
  • Review the source code before deploying
  • Monitor API usage and audit logs
  • The authors are not responsible for any damages, security incidents, or unintended actions resulting from use of this software

By using this software, you accept full responsibility for its use in your environment.

Protecting API Keys with ThreatLocker Storage Control

Since API keys are stored in plain text, you can use ThreatLocker's own Storage Control to restrict which applications can read the config files. This ensures that even if an unauthorized process runs on your machine, it cannot access the keys.

Files to protect:

File Used By
.env MCP server (stdio mode)
claude_desktop_config.json Claude Desktop
.mcp.json / ~/.claude.json Claude Code

Recommended Storage Control policy:

  1. In ThreatLocker Portal, navigate to Application Control > Storage Control
  2. Create a Deny policy that blocks all applications from reading the config files listed above
  3. Create Permit policies that allow only the specific applications that need access. Example:
    • node.exe / node — for the MCP server process
    • Claude Desktop.exe / Claude Desktop — for Claude Desktop
    • claude — for Claude Code CLI
  4. Apply the policies to the relevant computer group

This way, ThreatLocker prevents any other process from reading your API keys, even though they are stored in plain text.

Installation

Prerequisites

Option 1: Docker (Recommended)

docker pull ghcr.io/bigfootbytes/threatlocker-mcp-server:latest

Option 2: From Source

git clone https://github.com/BigfootBytes/threatlocker-mcp-server.git
cd threatlocker-mcp-server
npm install
npm run build

Configuration

Claude Desktop / Claude Code

Add to your MCP config file:

Client OS Config Path
Claude Desktop macOS ~/Library/Application Support/Claude/claude_desktop_config.json
Claude Desktop Windows %APPDATA%\Claude\claude_desktop_config.json
Claude Desktop Linux ~/.config/Claude/claude_desktop_config.json
Claude Code All Project .mcp.json or ~/.claude.json

Docker configuration:

{
  "mcpServers": {
    "threatlocker": {
      "command": "docker",
      "args": ["run", "-i", "--rm", "ghcr.io/bigfootbytes/threatlocker-mcp-server:latest"],
      "env": {
        "THREATLOCKER_API_KEY": "your-api-key",
        "THREATLOCKER_BASE_URL": "https://portalapi.g.threatlocker.com/portalapi",
        "THREATLOCKER_ORG_ID": "optional-managed-org-id"
      }
    }
  }
}

Node.js configuration:

{
  "mcpServers": {
    "threatlocker": {
      "command": "node",
      "args": ["/path/to/threatlocker-mcp-server/dist/index.js"],
      "env": {
        "THREATLOCKER_API_KEY": "your-api-key",
        "THREATLOCKER_BASE_URL": "https://portalapi.g.threatlocker.com/portalapi"
      }
    }
  }
}

Environment Variables

Variable Required Default Description
THREATLOCKER_API_KEY Yes* - API key (stdio mode)
THREATLOCKER_BASE_URL Yes* - Portal API URL
THREATLOCKER_ORG_ID No - Managed organization ID
TRANSPORT No stdio Transport mode: stdio or http
PORT No 8080 HTTP server port
LOG_LEVEL No INFO Logging: ERROR, INFO, DEBUG
ALLOWED_ORIGINS No - CORS origins (comma-separated)
THREATLOCKER_READ_ONLY No - Set to true, 1, or yes to block all write operations server-wide

*Required for stdio mode. HTTP mode uses per-request headers.

ThreatLocker API URLs

Environment Base URL
Production https://portalapi.g.threatlocker.com/portalapi
Beta https://betaportalapi.g.threatlocker.com/portalapi

Available Tools

CRUD Capabilities

Tool Create Read Update Delete Description
computers - :white_check_mark: - - Query computers, check-ins, install info
computer_groups - :white_check_mark: - - List groups, dropdowns
applications - :white_check_mark: - - Search apps, research details, files
policies - :white_check_mark: - - View policies by ID or application
action_log - :white_check_mark: - - Unified audit logs, file history
approval_requests - :white_check_mark: - - Pending approvals, permit details
organizations - :white_check_mark: - - Child orgs, auth keys
reports - :white_check_mark: - - List and run reports
maintenance_mode - :white_check_mark: - - Computer maintenance history
scheduled_actions - :white_check_mark: - - Scheduled agent updates
system_audit - :white_check_mark: - - Portal audit logs, health center
tags - :white_check_mark: - - Network and policy tags
storage_policies - :white_check_mark: - - Storage control policies
network_access_policies - :white_check_mark: - - Network access control policies
versions - :white_check_mark: - - Available ThreatLocker agent versions
online_devices - :white_check_mark: - - Currently online/connected devices

Tool Details

Tool Actions
computers list, get, checkins, get_install_info
computer_groups list, dropdown, dropdown_with_org, get_for_permit, get_by_install_key
applications search, get, research, files, match, get_for_maintenance, get_for_network_policy
policies get, list_by_application
action_log search, get, file_history, get_file_download, get_policy_conditions, get_testing_details
approval_requests list, get, count, get_file_download_details, get_permit_application, get_storage_approval
organizations list_children, get_auth_key, get_for_move_computers
reports list, get_data
maintenance_mode get_history
scheduled_actions list, search, get, get_applies_to
system_audit search, health_center
tags get, dropdown
storage_policies get, list
network_access_policies get, list
versions list
online_devices list

HTTP Mode (Remote Server)

For remote deployments, run in HTTP mode:

docker run -d -p 8080:8080 -e TRANSPORT=http ghcr.io/bigfootbytes/threatlocker-mcp-server:latest

Endpoints

Method Endpoint Auth Description
GET /health No Health check
GET /tools No List available tools
GET /sse Yes SSE stream (Claude Desktop)
POST /messages Session SSE client messages
POST /mcp Yes Streamable HTTP MCP
POST /tools/:name Yes Direct REST API

Authentication Headers

Header Required Description
Authorization Yes ThreatLocker API key
X-ThreatLocker-Base-URL Yes Portal API base URL
X-ThreatLocker-Org-ID No Managed organization ID

Claude Remote Configuration

Streamable HTTP via mcp-remote (Claude Desktop):

Claude Desktop does not yet support Streamable HTTP natively. Use mcp-remote as a proxy:

{
  "mcpServers": {
    "threatlocker": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://your-server.example.com/mcp",
        "--header",
        "Authorization:${THREATLOCKER_API_KEY}",
        "--header",
        "X-ThreatLocker-Base-URL:${THREATLOCKER_BASE_URL}"
      ],
      "env": {
        "THREATLOCKER_API_KEY": "your-api-key",
        "THREATLOCKER_BASE_URL": "https://portalapi.g.threatlocker.com/portalapi"
      }
    }
  }
}

SSE (legacy):

{
  "mcpServers": {
    "threatlocker": {
      "url": "https://your-server.example.com/sse",
      "headers": {
        "Authorization": "your-api-key",
        "X-ThreatLocker-Base-URL": "https://portalapi.g.threatlocker.com/portalapi"
      }
    }
  }
}

Development

npm install       # Install dependencies
npm run build     # Compile TypeScript
npm test          # Run tests
npm run dev       # Watch mode

License

GPL-3.0 - see LICENSE for details.

from github.com/BigfootBytes/threatlocker-mcp-server

Установка Threatlocker Server

У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.

▸ github.com/BigfootBytes/threatlocker-mcp-server

FAQ

Threatlocker Server MCP бесплатный?

Да, Threatlocker Server MCP бесплатный — установка в пару кликов через Unyly без оплаты.

Нужен ли API-ключ для Threatlocker Server?

Нет, Threatlocker Server работает без API-ключей и переменных окружения.

Threatlocker Server — hosted или self-hosted?

Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.

Как установить Threatlocker Server в Claude Desktop, Claude Code или Cursor?

Открой Threatlocker Server на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.

Похожие MCP

Compare Threatlocker Server with

Не уверен что выбрать?

Найди свой стек за 60 секунд

Автор?

Embed-бейдж для README

Похожее

Все в категории ai