This article covers all portalAPI calls related to the /portalAPI/ApplicationFile/* endpoints.
Be sure to input the instance your organization exists on for each call. This is indicated with the "INSTANCE" text in each endpoint. Linked here is a KB to find your instance:
Locating Your Organization's Instance | ThreatLocker Help Center
ApplicationFileDeleteById
https://portalapi.INSTANCE.threatlocker.com/portalapi/ApplicationFile/ApplicationFileDeleteById
- Method: POST
- Description: This API is used when navigating to the Application Control page of the ThreatLocker Portal, locating and selecting the application you would like to remove an application file entry from, navigating to the "Application Files" tab, selecting the trash can icon, and selecting "Yes" to confirm the deletion of the application rule. This API is responsible for deleting the application file rule from your custom application in your organization. Multiple file rules cannot be deleted in one call to this API; one file rule is deleted for each call to this API. To delete a file rule from an application in a different organization than the currently logged-in/managed organization, use the managedOrganizationId header as described below.
For accurate System Audit logging of the removal of the application file rule, please review the Optional Body/Parameters section below.
- Required Body/Parameters
- Valid APIKey/Authorization Token in header
- Fields
- applicationFileId: This field determines which file rule will be removed from the selected application.
- Expects: An Integer value
- applicationId: This field determines which application will have the file rule removed.
- Expects: <GUID> in format "00000000-0000-0000-0000-000000000000"
Required body
- Optional Body/Parameters
- In header: "managedOrganizationId": <GUID> in format "00000000-0000-0000-0000-000000000000"
- Fields
- applicationName: This field determines the name that will be logged in the System Audit. This field should match the name of the application from which the file rule is being removed.
- Expects: Text of the application's name
- For the application rule itself, the rule's conditions should also be entered. For instance, when deleting a file path, certificate, and created by process path rule, the full text of each condition (file path, certificate, and created by process path) should be entered with their respective fields. Only the file rule fields directly related to the rule being deleted need to be included. The following application file rule fields can be used and are all shown in the Optional body section below:
- fullPath
- processPath
- installedBy (Created By Process)
- cert
- hash (TL and SHA256)
Optional body
- Permissions Needed for User
- Edit Application Control Applications
ApplicationFileGetByApplicationId
https://portalapi.INSTANCE.threatlocker.com/portalapi/ApplicationFile/ApplicationFileGetByApplicationId
- Method: GET
- Description: This API is used when navigating to the Apps icon and selecting the Applications page from the popout menu in the ThreatLocker Portal, locating and selecting the application you would like to view application files for, and navigating to the "Application Files" tab. This API returns the application file rules for the selected custom application in your organization. For security purposes, you will not be able to access any ThreatLocker Built-In application's application file rules.
- Required Body/Parameters
- Valid APIKey/Authorization Token in header
- Parameters
- applicationId: This field determines which application's file rules will be returned. To get a list of applicationIds available, use the ApplicationGetByParameters endpoint and select any of your custom applications.
- Expects: <GUID> in format "00000000-0000-0000-0000-000000000000"
- pageNumber and pageSize: These fields determine how many application file rules will be returned as if the response were on the Applications page. However, these fields do not follow the same conventions for pageNumber and pageSize as the Portal does (the Portal uses 25, 50, or 250 for pageSize). Any valid integer can be entered, and it will return in the selected formatting. For instance, if there are 5 application file rules to be returned but “pageNumber”: 1 and “pageSize”: 2, 2 entries will be returned per page, and the first two application file rules will be shown.
- Expects: An Integer value
- Optional Body/Parameters
- Parameters
- hashOnly: This field determines whether only the application file rules that are hash-only rules will be returned. When this field is omitted or set to false, all application file rules will be displayed, depending on the other fields used. When this field is set to true, only application file rules that consist of a hash-only rule (ThreatLocker or SHA256) will be returned. This field should not be set to true when the isCustomRule field is set to true, as the results returned may not be accurate.
- Expects: true or false
- isCustomRule: This field determines whether only the application file rules that are NOT hash-only rules (only custom rules) will be displayed. When this field is omitted or set to false, all application file rules will be displayed, depending on the other fields used. When this field is set to true, only application file rules that consist of a custom rule (NOT a hash-only rule) will be returned. This field should not be set to true when the hashOnly field is set to true, as the results returned may not be accurate.
- Expects: true or false
- searchText: This field allows you to search through the application file rules by inputting any text/details you want to search for. When this field is omitted, all application file rules will be shown based on the other fields used. This field searches the file rules AND notes attached to each file rule, with wildcards on either end of the text you enter, and returns only those that match. For example, when entering "proc" into this field, any file rule/note that contains the text "proc" anywhere will be returned.
- Expects: Any text input
- Permissions Needed for User
- Edit Application Control Applications
- View Application Control Applications
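The paging and filter rules described above, as an added example that is not ThreatLocker's own code. It assumes the response decodes to a list of rule objects and that `fetch_page` is a caller-supplied function performing the authenticated GET; `fake_fetch_page` and its five rules are constructed stand-ins.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

ENDPOINT = ("https://portalapi.{instance}.threatlocker.com/portalapi/"
            "ApplicationFile/ApplicationFileGetByApplicationId")


def build_url(instance, application_id, page_number, page_size,
              hash_only=False, is_custom_rule=False, search_text=None):
    """Build the GET URL, refusing the filter combination the page warns about."""
    if hash_only and is_custom_rule:
        raise ValueError("hashOnly and isCustomRule must not both be true")
    params = {"applicationId": application_id,
              "pageNumber": page_number, "pageSize": page_size}
    if hash_only:
        params["hashOnly"] = "true"
    if is_custom_rule:
        params["isCustomRule"] = "true"
    if search_text:
        params["searchText"] = search_text
    return ENDPOINT.format(instance=instance) + "?" + urlencode(params)


def fetch_all(fetch_page, instance, application_id, page_size, **filters):
    """Request pages 1, 2, ... until a page comes back short, then stop."""
    rules, page = [], 1
    while True:
        url = build_url(instance, application_id, page, page_size, **filters)
        batch = fetch_page(url)
        rules.extend(batch)
        if len(batch) < page_size:
            return rules
        page += 1


# Constructed stand-in for the authenticated GET: serves 5 made-up rules.
FAKE_RULES = [{"applicationFileId": n} for n in range(101, 106)]


def fake_fetch_page(url):
    query = parse_qs(urlsplit(url).query)
    number, size = int(query["pageNumber"][0]), int(query["pageSize"][0])
    return FAKE_RULES[(number - 1) * size:number * size]
```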
ApplicationFileInsert
https://portalapi.INSTANCE.threatlocker.com/portalapi/ApplicationFile/ApplicationFileInsert
- Method: POST
- Description: This API is used when navigating to the Apps icon and selecting the Applications page from the popout menu in the ThreatLocker Portal, locating and selecting the application you wish to add an application file rule to, navigating to the "Application Files" tab, entering your file rule conditions, and selecting "Add Rule". This API adds a new application file rule to your selected custom application in your organization. Multiple file rules cannot be added in a single call to this API; one file rule is added per call, based on the request body. Listed below in the Required body section are all the fields (file rule options) available for use with this API; however, they are limited per the terms listed below. To create a file rule in an application in a different organization than the currently logged-in/managed organization, use the managedOrganizationId header as described below.
- Required Body/Parameters
- Valid APIKey/Authorization Token in header
- Fields
Note: The hash field below is used when adding a ThreatLocker hash-only rule or a SHA256 hash-only rule and should not be used in combination with any other file rule fields. When adding a file rule that specifies a type of file path (fullPath, processPath, installedBy), use \\ for the existing slashes (\) in the path you enter. Wildcards can be used when using the fullPath, processPath, and installedBy fields. When using the cert field, use \" for any existing quotation marks (") in the certificate path you enter and do not use any wildcards. The processPath and installedBy fields cannot be used alone without specifying at least one additional application file rule field. For more information on creating and adding custom rules, see the KB article below:
Creating Custom Rules | ThreatLocker Help Center
- All available application file rule fields are listed below. Only the fields directly related to the rule being added need to be included. The following application file rule fields can be used:
- cert
- fullPath
- hash (TL and SHA256)
- installedBy (Created By Process)
- processPath
- applicationId: This field determines which application will have the new file rule added.
- applicationName: This field determines the name that will be logged in the System Audit. This field should match the name of the application to which the file rule is being added.
- isHashOnly: This field is used when adding a hash-only rule. When adding a hash-only rule, this field must be set to true. Otherwise, this field can be omitted or set to false.
- notes: This field is used to provide information on when the definition was added, what rule was added, who added/modified it, and any further information. Although this field can be left empty by entering a pair of quotation marks (""), it is recommended to include the above information to assist you and your users in identifying the context of why the application file rule may have been added.
- osType: The same OS Type as the application that will have the file rule added is expected. This field expects the Integer associated with the OSType:
Required body
- Optional Body/Parameters
- In header: "managedOrganizationId": <GUID> in format "00000000-0000-0000-0000-000000000000"
- Permissions Needed for User
- Edit Application Control Applications
ApplicationFileUpdate
https://portalapi.INSTANCE.threatlocker.com/portalapi/ApplicationFile/ApplicationFileUpdate
- Method: POST
- Description: This API is used when navigating to the Apps icon and selecting the Applications page from the popout menu in the ThreatLocker Portal, locating and selecting the application you wish to modify a file rule in, navigating to the "Application Files" tab, selecting the file rule you want to modify, making the desired changes, and then selecting the "Save" button. This API modifies an application file rule in your selected custom application in your organization. Multiple file rules cannot be modified in a single call to this API; one file rule is modified per call, based on the request body. Listed below in the Required body section are all the fields (file rule options) available for use with this API; however, they are limited per the terms listed below. To modify a file rule in an application in a different organization than the currently logged-in/managed organization, use the managedOrganizationId header as described below.
- Required Body/Parameters
- Valid APIKey/Authorization Token in header
- Fields
Note: The hash field below is used when modifying a ThreatLocker hash-only rule or a SHA256 hash-only rule and should not be used in combination with any other file rule fields. When modifying a file rule that specifies a type of file path (fullPath, processPath, installedBy), use \\ for the existing slashes (\) in the path you enter. Wildcards can be used when using the fullPath, processPath, and installedBy fields. When using the cert field, use \" for any existing quotation marks (") in the certificate path you enter and do not use any wildcards. The processPath or installedBy fields cannot be used alone without specifying at least one additional application file rule field. For more information on creating custom rules, see the KB article below:
Creating Custom Rules | ThreatLocker Help Center
Required body
- Optional Body/Parameters
- N/A
- Permissions Needed for User
- Edit Application Control Applications
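The field restrictions in the Notes for ApplicationFileInsert and ApplicationFileUpdate can be checked before a request is sent. The following is an added example, not ThreatLocker's own code: it assumes the file rule fields sit in one flat JSON object alongside the common fields, that "*" is the wildcard character, and it uses constructed sample values (including the osType placeholder).

```python
import json

PATH_FIELDS = ("fullPath", "processPath", "installedBy")
RULE_FIELDS = PATH_FIELDS + ("cert", "hash")


def validate_file_rule(rule):
    """Return the violations of the Note's field rules found in `rule`."""
    used = [f for f in RULE_FIELDS if rule.get(f)]
    problems = []
    if not used:
        problems.append("no file rule field supplied")
    if "hash" in used and len(used) > 1:
        problems.append("hash cannot be combined with other file rule fields")
    if "hash" in used and rule.get("isHashOnly") is not True:
        problems.append("isHashOnly must be true for a hash-only rule")
    if "hash" not in used and rule.get("isHashOnly"):
        problems.append("isHashOnly is true but no hash is supplied")
    # Literal reading of the Note: either field on its own is rejected.
    if len(used) == 1 and used[0] in ("processPath", "installedBy"):
        problems.append(used[0] + " cannot be used alone")
    # Assumption: "*" is the wildcard character; the page does not name it.
    if "*" in (rule.get("cert") or ""):
        problems.append("cert must not contain wildcards")
    return problems


def to_request_json(common, rule):
    """Merge the common fields with a validated rule and serialise it."""
    problems = validate_file_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    # json.dumps writes each \ as \\ and each " as \", as the Note requires.
    return json.dumps({**common, **rule})


# Constructed sample values, not taken from a real organization.
COMMON = {
    "applicationId": "00000000-0000-0000-0000-000000000000",
    "applicationName": "Example App",
    "notes": "Added by jdoe for the Example App updater",
    "osType": 1,  # placeholder; use the integer for your application's OS type
}
RULE = {"fullPath": "C:\\Program Files\\Example\\*.exe",
        "cert": 'CN="Example Corp", O=Example Corp'}

if __name__ == "__main__":
    print(to_request_json(COMMON, RULE))
```

Building the body from native strings and letting the JSON serializer escape them avoids double-escaping paths by hand.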