
threatlocker-mcp

by Space-C0wboy

Server Configuration

Describes the environment variables required to run the server.

Name                   Required  Default     Description
LOG_LEVEL              No        INFO        Logging verbosity: DEBUG / INFO / WARNING / ERROR
MCP_HTTP_HOST          No        127.0.0.1   Bind host for the HTTP transport
MCP_HTTP_PORT          No        8765        Bind port for the HTTP transport
THREATLOCKER_ORG_ID    Yes       -           Default organization GUID. Find it in the portal URL after switching into the target org.
THREATLOCKER_API_KEY   Yes       -           API key from ThreatLocker Portal → Modules → API
THREATLOCKER_TIMEOUT   No        30          Per-request timeout in seconds
THREATLOCKER_BASE_URL  Yes       -           Portal API base URL. Use the same subdomain letter shown in your portal (e.g., https://portalapi.h.threatlocker.com)

Capabilities

Features and capabilities supported by this server

Capability / Details
tasks
{
  "list": {},
  "cancel": {},
  "requests": {
    "tools": {
      "call": {}
    },
    "prompts": {
      "get": {}
    },
    "resources": {
      "read": {}
    }
  }
}
tools
{
  "listChanged": true
}
prompts
{
  "listChanged": false
}
resources
{
  "subscribe": false,
  "listChanged": false
}
experimental
{}

Tools

Functions exposed to the LLM to take actions

Name / Description
action_log_get_by_parameters_v2

Get Action Logs By Parameters. NOTE: this endpoint runs in two modes depending on the usenewsearch header. The MCP defaults to usenewsearch=true (the new search path the portal SPA uses), which is the only mode that returns data. Required: sourceTableId (1=ActionLog, 2=DenyActionLog, 3=BaselineActionLog, 4=EventLogActionLog), startDate, endDate, and paramsFieldsDto (the MCP defaults this to []; the server returns HTTP 500 when the field is absent under the new search path). Omitting sourceTableId returns HTTP 500; omitting both date forms returns 417 'Invalid Date Range'. Pass usenewsearch=null to opt out to the legacy path -- but note the legacy path returns an empty body even when data exists, so this is only useful for back-compat probing.

action_log_get_by_id_v2

Action Log: Get By Id V2

action_log_get_all_for_file_history_v2

Get All File History by hostname and fullpath. NOTE: the spec marks every parameter optional, but the API returns 417 'Missing Parameters. Unable to load details.' unless fullPath plus one of (hostname, computerId) is supplied.

action_log_get_file_download_details_by_id

Action Log: Get File Download Details By Id

application_get_by_id

Get Application by Id.

application_get_matching_list

Get Matching Applications

application_get_for_application_options

Load Application List: custom + built-in applications available to permit a file into. Use this when the permit_application flow needs useExistingApplication: true -- i.e., adding the requested file to an app discovered through means other than application_get_matching_list. Filter by osType (1=Windows, 2=MAC, 3=Linux, 5=Windows XP), optional searchText to narrow by name, and includeBuiltIn to include master-org BUILT-IN apps. (Renamed from the KB's ApplicationGetListForAddToApplication.)

application_get_for_maintenance_mode

Get Application Options for Maintenance Scheduling. Lists applications eligible for use with a Maintenance Mode when processing an approval request. Filter by osType (1=Windows, 2=MAC, 3=Linux, 5=Windows XP). Maintenance Modes (Installation/Learning/Monitor) are selected on the permit_application body via policyConditions.ruleId (1/2/3 respectively).

application_get_research_details_by_id

Get Application Research Details by Id. Optional. Get ThreatLocker's research data (description, risks, mitigations) for an application before permitting it. Useful for decision support when the chosen matchingApplication or existingApplication is a sensitive built-in or unknown app.

approval_request_get_by_parameters

Approval Request: Get By Parameters. NOTE: statusId is required (e.g. 1 for Pending). Calls without it return HTTP 500. Each result's requestorReason is base64-encoded -- decode before display. For the decoded reason plus richer file/policy context, follow up with approval_request_get_permit_application_by_id.

approval_request_get_by_id

Get Approval Request By ID. NOTE: requestorReason is base64-encoded -- decode before display. approval_request_get_permit_application_by_id returns the same request with the reason already decoded under fileDetails.requestorReason, plus file/policy/ringfencing context.

approval_request_get_count

Get Approval Request Pending Count

approval_request_get_permit_application_by_id

Get Permit Application Details By Approval Request Id

approval_request_permit_application

Approve Permit Application Request.

WORKFLOW: take_ownership -> get_permit_application_by_id -> application_get_matching_list -> permit_application. Start from the DTO returned by get_permit_application_by_id and modify the choices below.

REQUIRED FIELDS (KB-documented, all must be present): approvalRequest.approvalRequestId; approvalRequest.json -- copy verbatim from get_permit_application_by_id (the server uses it to reconstruct file/action context; omitting it causes silent failures); userinstance -- the portal shard ('h', 'g', etc.), parsed from the request's portalApiUrl subdomain; isFromApproval: true; hasOriginApprovalCenter: true; actionType (copy from request: 'elevate'/'execute'/'install'); osType (1=Windows, 2=Mac, 3=Linux, 5=WinXP); organizationId, computerId (copy from request); organizationIds -- list of parent org IDs above the request's org ([] for top-level); fileDetails.fullPath.

APP SELECTION (set exactly ONE mode on matchingApplications):
(a) PREFERRED -- use the application_get_matching_list result. Prefer a tenant-owned match (its organizationId equals the call's organizationId) over a master-org/BUILT-IN one (organizationName: "master"). Set useMatchingApplication: true and populate matchingApplication with the chosen result; set the other mode flags false and their objects to null. The DTO's hasMatchingApplication flag is UNRELIABLE -- trust application_get_matching_list.hasMatching instead. *** CRITICAL -- a BUILT-IN match REQUIRES entire-org scope. When the chosen match has organizationName: "master", you MUST set policyLevel.toEntireOrganization: true. Pairing a BUILT-IN with computer scope returns HTTP 401 "Missing the '' permission" (misleading -- it is actually a body-shape error). Verified 2026-05-21. Tenant-owned matches and new apps use the default all-flags-false scope.
(b) FALLBACK -- add to an existing custom app (discover via application_get_for_application_options). Set useExistingApplication: true and populate existingApplication; set the others to null.
(c) LAST RESORT -- create a new app. Set useNewApplication: true and newApplicationName to a non-null derived name (e.g. the file stem title-cased: vlc.exe -> "VLC"). Null returns HTTP 417 'Must enter a name for a new application'.

POLICY (policyConditions.ruleId): 0=manual rules, 1=Install Mode 1hr, 2=Learning Mode 1hr, 3=Monitor Mode 1hr. Set useExistingPolicy: true to reuse an existing policy (manualOptions then carries the rule criteria).

SCOPE (policyLevel): the default 'this computer' = ALL THREE flags false (toEntireOrganization/toComputerGroup/toComputer); scope is inferred from the top-level computerId. Setting toComputer: true returns HTTP 417 'Provided applies to ID does not associate with a known OS type'. For a computer group, set toComputerGroup: true and populate selectedComputerGroup (discover via computer_group_get_dropdown_by_organization_id). For the entire org, set toEntireOrganization: true.

ACTION TYPE: for elevate set isElevationRequest: true and isExecutionRequest: false; for execute, the reverse. Both are spec-readOnly but MUST be sent matching the action.

SHAPE: send null (not omit) for unused sub-objects -- matchingApplication, existingApplication, selectedComputerGroup, policyExpirationDate, elevationExpirationDate. Wrong shape = opaque HTTP 500.

PERMISSIONS: the API key user needs one of 'Approve for Entire Organization', 'Approve for Group', 'Approve for Single Computer', or 'Approve for Single Computer Application Only' in Administrators.
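As an added illustration (not code from the threatlocker-mcp project) of the permit_application body rules above: match preference, the BUILT-IN entire-org rule, the null-not-omit shape, the elevate/execute flag pairing and the userinstance derivation. The request DTO and match results are constructed samples, and the DTO field names used here (parentOrganizationIds, fullPath, portalApiUrl as a plain string) are assumptions.

```python
from urllib.parse import urlparse

SAMPLE_REQ = {"approvalRequestId": "req-0001", "json": "{\"opaque\": true}",  # constructed sample
              "portalApiUrl": "https://portalapi.h.threatlocker.com", "actionType": "elevate",
              "osType": 1, "organizationId": "org-A", "computerId": "pc-1", "fullPath": "C:\\Tools\\vlc.exe"}
SAMPLE_MATCHES = [{"applicationName": "VLC", "organizationName": "master", "organizationId": "m"},
                  {"applicationName": "VLC (custom)", "organizationId": "org-A"}]  # constructed sample

def pick_match(results, org_id):
    """Prefer a tenant-owned match (same organizationId) over a master-org BUILT-IN one."""
    return next((r for r in results if r.get("organizationId") == org_id), results[0] if results else None)

def build_permit_body(req, matching=None, existing=None, new_app_name=None):
    """Assemble a permit_application body; exactly one app-selection mode is set."""
    elevate = req["actionType"] == "elevate"  # 'install' treated like 'execute' here (assumption)
    body = {
        "approvalRequest": {"approvalRequestId": req["approvalRequestId"], "json": req["json"]},  # verbatim
        "userinstance": urlparse(req["portalApiUrl"]).hostname.split(".")[1],  # portalapi.h.… -> "h"
        "isFromApproval": True, "hasOriginApprovalCenter": True,
        "actionType": req["actionType"], "osType": req["osType"],
        "organizationId": req["organizationId"], "computerId": req["computerId"],
        "organizationIds": req.get("parentOrganizationIds", []),  # [] for a top-level org
        "fileDetails": {"fullPath": req["fullPath"]},
        "isElevationRequest": elevate, "isExecutionRequest": not elevate,
        # unused sub-objects are sent as null, never omitted (omission -> opaque HTTP 500)
        "useMatchingApplication": False, "matchingApplication": None,
        "useExistingApplication": False, "existingApplication": None,
        "useNewApplication": False, "newApplicationName": None,
        "policyConditions": {"ruleId": 0},  # 0=manual, 1/2/3=Install/Learning/Monitor 1hr
        "policyLevel": {"toEntireOrganization": False, "toComputerGroup": False, "toComputer": False},  # 'this computer'
        "selectedComputerGroup": None, "policyExpirationDate": None, "elevationExpirationDate": None,
    }
    if matching is not None:
        body["useMatchingApplication"], body["matchingApplication"] = True, matching
        if matching.get("organizationName") == "master":  # BUILT-IN needs entire-org scope
            body["policyLevel"]["toEntireOrganization"] = True  # else HTTP 401 "Missing the '' permission"
    elif existing is not None:
        body["useExistingApplication"], body["existingApplication"] = True, existing
    elif new_app_name:
        body["useNewApplication"], body["newApplicationName"] = True, new_app_name
    else:
        raise ValueError("a new application needs a non-null name (server returns HTTP 417)")
    return body

def sample_body():
    return build_permit_body(SAMPLE_REQ, pick_match(SAMPLE_MATCHES, SAMPLE_REQ["organizationId"]))
```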

approval_request_update_for_reject

Reject Approval Request

approval_request_update_for_ignore

Ignore Approval Request

approval_request_update_for_take_ownership

Take Ownership of Approval Request

approval_request_get_storage_approval_by_id

Get Storage Approval Request By Id

approval_request_permit_storage_approval

Approve Storage Request. NOT YET LIVE-TESTED -- expect shape sensitivity similar to approval_request_permit_application.

WORKFLOW: take_ownership -> get_storage_approval_by_id -> permit_storage_approval. Start from the DTO returned by approval_request_get_storage_approval_by_id and modify the choices below.

LIKELY REQUIRED (by analogy with the application-permit flow): approvalRequest -- copy verbatim from get_storage_approval_by_id; json -- verbatim copy from the same response, used by the server to reconstruct the storage-request context.

DEVICE / SCOPE FLAGS (set exactly one mode): addDeviceToExisting -- add the storage device to an existing storage policy (populate existingStoragePolicy); deviceExists -- the device is already known to ThreatLocker; allStorageDevices -- apply to all storage devices in scope; allFilePaths -- apply to all paths rather than just selectedPath; allUserGroups -- apply to all users/groups rather than the populated usersList/userGroups. Set unused companion objects (existingStoragePolicy, newStorageDevice) to null, not omitted.

EXPIRATION: expirationDate is ISO 8601 UTC; null = permanent.

RESPONSE: responseSubject and responseReason are shown to the requester; notifyOnResponse controls whether they are emailed. If the server returns HTTP 401 "Missing the '' permission" (empty interpolation), suspect body shape rather than permissions -- the same root cause as in the application-permit flow.

approval_request_get_file_download_details_by_id

Get File Download Details By Approval Request Id

computer_get_by_all_parameters

Load Computers By All Parameters

computer_get_for_edit_by_id

Get Computer Information By Id.

computer_update_for_edit

Update Computer

computer_enable_protection

Computer Enable Protection

computer_disable_protection

Disable Computer Protection

computer_update_maintenance_mode

Updates a device's maintenance mode settings.

computer_move_to_other_organization

Move Computer

computer_update_baseline_rescan

Update Baseline Rescan Computer

computer_update_to_finish_maintenance_mode

End Maintenance Mode. Ends ACTIVE maintenance mode on a specific computer immediately. Distinct from maintenance_mode_end_by_id, which ends a SCHEDULED maintenance window (in progress or not) identified by maintenanceModeId. Use this when you have a computerId and want enforcement re-enabled now. WARNING: may break in-progress installs.

computer_group_get_group_and_computer

Get Groups and Computer. NOTE: this endpoint can return very large payloads (>100KB for a single populated group) when called without scoping. Pass a specific computerGroupId and set only the include_* flags you actually need; unscoped calls may exceed downstream output limits.

computer_group_get_dropdown_by_organization_id

Get Computer Groups by OrganizationId

maintenance_mode_get_by_computer_id

Get Maintenance Schedule By Computer Id

maintenance_mode_insert

Add to Maintenance Schedule

maintenance_mode_end_by_id

End Maintenance Schedule

maintenance_mode_update_end_date_time_for_specific_date

Update Maintenance Mode End Date Time. Reschedules the end time of an existing maintenance window for a specific computer without terminating it. Pass the new maintenanceEndDate (ISO 8601 UTC). To END maintenance immediately use computer_update_to_finish_maintenance_mode (by computer) or maintenance_mode_end_by_id (by maintenance schedule).

online_devices_get_by_parameters

View Online Devices

list_organizations

Get Organizations For Move Computers. Returns the organizations the current API key can target. Use this FIRST to discover org GUIDs to pass as organization_id to other tools. Despite the path name (the endpoint also feeds the portal's 'move computers' org picker), the result is the canonical list of accessible orgs for this key. searchText filters by display name; pass an empty string for the full list.

policy_get_by_id

Get Policy by Id.

report_get_by_organization_id

Get report(s) by organization id.

system_audit_get_by_parameters

Retrieves System Audit records based on specified parameters.

system_audit_get_for_health_center

Retrieves System Audit data for the Health Center, specifically focused on login attempts.

tag_get_by_id

Get Tag by Id.

tag_get_dropdown_options_by_organization_id

Get Tag Dropdown Options.

tag_update

Update Tag. Updates an existing tag. tagId (spec-nullable) must be a valid existing tag GUID; passing an empty or omitted tagId may cause the server to interpret the request as a new-tag creation. Use tag_get_dropdown_options_by_organization_id to discover existing tag GUIDs first. tagType enum (verify against tenant): 1=Computer tag, 2=Application tag, 3=Network tag. Sending one of tagItemsText / tagItemsIPv4 / tagItemsIPv6 replaces (not merges) that list for the tag. NOT YET LIVE-TESTED -- verify behaviour against the dev tenant before relying on it.

Prompts

Interactive templates invoked by user choice

Name / Description

No prompts

Resources

Contextual data attached and managed by the client

Name / Description

No resources

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Space-C0wboy/ThreatLocker-MCP'