Company logoHelp Center
Visit www.threatlocker.com

/portalAPI/Report/*

4 min. readlast update: 06.05.2026

This article will encompass all portalAPI calls that are related to /portalAPI/Report/* endpoints

 

Be sure to input the instance your organization exists on for each call. This is indicated with the "INSTANCE" text in each endpoint. Linked here is a KB to find your instance:

Locating Your Organization's Instance | ThreatLocker Help Center

 

Table of Contents

ReportGetByOrganizationId

ReportGetDynamicData

 

ReportGetByOrganizationId

https://portalapi.INSTANCE.threatlocker.com/portalapi/Report/ReportGetByOrganizationId

  • Method: GET
  • Description: This API is used when navigating to the Reporting icon and selecting the Custom Reports page from the popout menu in the ThreatLocker Portal. This API returns a list of all the reports available for you to run in your organization. To get a list of reports available to run in a different organization than the currently logged-in/managed organization, use the managedOrganizationId header as described below.

 

Note: The list of fields below are important when calling the ReportGetDynamicData API to run a report as reports have different fields expected.

  • dateOption: When this field returns true, the associated report expects the endDate and startDate fields to be used.
  • dataOption: When this field returns true, the associated report expects the data field to be used. The dataOptionName field indicates what is expected in the data field.
  • guidOption: When this field returns true, the associated report expects the id field to be used. The guidOptionName field indicates what is expected in the id field.

 

  • Required Body/Parameters
    • Valid APIKey/Authorization Token in header
  • Optional Body/Parameters
    • In header: "managedOrganizationId": <GUID> in format "00000000-0000-0000-0000-000000000000"
  • Permissions Needed for User
    • View Reports
    • Create Custom Schedule Reports
    • Schedule DAC Report
    • View DAC Results

 

ReportGetDynamicData

https://portalapi.INSTANCE.threatlocker.com/portalapi/Report/ReportGetDynamicData

  • Method: POST
  • Description: This API is used when navigating to the Reporting icon and selecting the Custom Reports page from the popout menu in the ThreatLocker Portal, selecting a report to run, entering any fields/parameters to run the report, and clicking "Generate Report." This API is used to generate reports in your organization. To run a report in a different organization than the currently logged-in/managed organization, use the managedOrganizationId header as described below.
  • Required Body/Parameters
    • Valid APIKey/Authorization Token in header
    • Fields
      • reportId: This field determines which report will be run in the organization. To get a list of available reports and the required fields for each, use the ReportGetByOrganizationId endpoint.
        • Expects: <GUID> in format "00000000-0000-0000-0000-000000000000"
Required body
{
    "reportId": "00000000-0000-0000-0000-000000000000"
}
  • Optional Body/Parameters
    • In header: "managedOrganizationId": <GUID> in format "00000000-0000-0000-0000-000000000000"
    • Fields

 

Note: When running any report relating to Override Codes, the user must also have the "View Override Codes" permission.

 

      • data: This field specifies specific text for a report. For instance, the "Files Learned in Applications" report expects a full hostname to be entered into this field.
        • Expects: Valid text for the report
      • endDate: This field specifies the date and time the report ends its search. This expects a time entered in UTC in format "YYYY-MM-DDTHH:MM:SSZ", where YYYY is the year, the first MM is the month, DD is the day, HH are the hours, the second MM are the minutes, and SS are the seconds. The T must be included to designate the time and should not be changed or removed.
        • Expects end date and time in format: "YYYY-MM-DDTHH:MM:SSZ"
      • id: This field specifies a specific ID for a report. For instance, the "Override Code History by ComputerId (Agent 7.6 or above)" report requires a computerId to be entered into this field.
        • <GUID> in format "00000000-0000-0000-0000-000000000000"
      • startDate: This field specifies the date and time the report starts its search. This expects a time entered in UTC in format "YYYY-MM-DDTHH:MM:SSZ", where YYYY is the year, the first MM is the month, DD is the day, HH are the hours, the second MM are the minutes, and SS are the seconds. The T must be included to designate the time and should not be changed or removed.
        • Expects start date and time in format: "YYYY-MM-DDTHH:MM:SSZ"
Optional body

{
    "data": "<String>",
    "endDate": "YYYY-MM-DDTHH:MM:SSZ",
    "id": "00000000-0000-0000-0000-000000000000",
    "reportId": "00000000-0000-0000-0000-000000000000",
    "startDate": "YYYY-MM-DDTHH:MM:SSZ"
}

  • Permissions Needed for User
    • View Reports
    • Create Custom Schedule Reports
    • Schedule DAC Report
    • View DAC Results
Was this article helpful?