Processing Application Control Approval Requests through API

• Method: POST
• Description: This API, using one of the request bodies below, returns a list of all pending requests for your organization(s), including those from Application Control, Elevation Control, and Storage Control. When managing a parent organization, you have the option to view all pending requests for all your child organizations, including grandchild organizations. This is demonstrated below by setting the showChildOrganizations field to true in the second request body. To view just a child organization's Approval Requests, use the managedOrganizationId header as described below. Any valid integer can be entered for the pageNumber and pageSize fields, and it will be returned in the selected format. For instance, if “pageNumber”: 1 and “pageSize”: 2, 2 entries will be returned per page, and the first two requests will be returned.
• Permission Requirements
  • Assign any one of the following permissions:

  • • Approve for Entire Organization
    • Approve for Entire Organization (Hash Only)
    • Approve for Group
    • Approve for Group (Hash Only)
    • Approve for Single Computer
    • Approve for Single Computer (Application Only)
    • Approve for Single Computer (Hash Only)
    • Elevation Administrator
    • View Approvals

Checking for Matching Applications

Before approving a ThreatLocker Built-In application from an Approval Request, ensure that the file being permitted matches that of the application you believe the request originated from. There are cases where a requested file can be a common DLL or other configuration or system file that can be used by multiple applications. This causes the file to match into multiple applications which are potentially unrelated to the original Approval Request. When applying a ThreatLocker Built-In, the entire Built-In application is permitted.

ApplicationGetMatchingList

https://portalapi.INSTANCE.threatlocker.com/portalapi/Application/ApplicationGetMatchingList

• Method: POST
• Description: This API returns a list of matching applications when provided with fields that uniquely identify the requested file, such as its ThreatLocker hash value, SHA256 hash value, and/or certificate name. ThreatLocker recommends entering at least one identifying field per call. Entering multiple fields that do not all align to the same unique file/Approval Request may return inaccurate matching applications. Ensure that all fields used contain information that pertains only to the requested file. If the Approval Request you are evaluating is from a child organization, use the managedOrganizationId header and set it to the organization that contains the request, as described below. The request body below expects each field to match the fields returned by the requested file. The following options can be used for the OSType in the body below:
  • Windows = 1
  • MAC = 2
  • Linux = 3
  • Windows XP = 5
• Permission Requirements
  • Assign any one of the following permissions:

  • • Approve for Entire Organization
    • Approve for Entire Organization (Hash Only)
    • Approve for Group
    • Approve for Group (Hash Only)
    • Approve for Single Computer
    • Approve for Single Computer (Application Only)
    • Approve for Single Computer (Hash Only)
    • View Application Control Applications
    • View Approvals

Getting custom applications to add the requested file/file rules into

ApplicationGetListForAddToApplication

https://portalapi.INSTANCE.threatlocker.com/portalapi/Application/ ApplicationGetListForAddToApplication 

• Method: GET
• Description: This API returns all applications available for use with the Approval Request, including parent organization applications when viewing a request from a child organization. Parent applications use a different naming convention, shown in the name field as "parentOrganizationName\\parentOrganizationApplicationName". The applicationName field will return only the application name, without any parent nomenclature. If the Approval Request you are evaluating is from a child organization, use the managedOrganizationId header and set it to the organization that contains the request, as described below. To search for an available application by name, enter any text into the searchText field, as shown below. The osType parameter should match the osType of the computer that made the request when searching for available applications to use with the request. The following options can be used for the OSType below:
  • Windows = 1
  • MAC = 2
  • Linux = 3
  • Windows XP = 5
• Permission Requirements

  • Assign any one of the following permissions:

  • • Edit Application Control Applications
    • View Application Control Applications

Getting an Application to use when using a Maintenance Mode

ApplicationGetForMaintenanceMode

https://portalapi.INSTANCE.threatlocker.com/portalapi/Application/ApplicationGetForMaintenanceMode

• Method: GET
• Description: This API returns all applications available for use with a Maintenance Mode, including parent-organization applications when viewing a request from a child organization. When processing Approval Requests, you can select an existing application and use a Maintenance Mode. With the selected application, the Maintenance Mode will temporarily capture or monitor files that are installed and/or executed in association with the initially requested file. Parent applications use a different naming convention, shown in the label field as "parentOrganizationName\\parentOrganizationApplicationName". If the Approval Request you are evaluating is from a child organization, use the managedOrganizationId header and set it to the organization that contains the request, as described below. The osType parameter should match the osType of the computer that made the request when searching for available applications to use. The following options can be used for the OSType below:
  • Windows = 1
  • MAC = 2
  • Linux = 3
  • Windows XP = 5
• Permission Requirements

  • Assign this permission:

  • • Edit Application Control Applications

  • AND Assign any one of the following permissions:

  • • Edit Computers
    • View Computers

  • AND Assign any one of the following permissions:

  • • Manage All Maintenance Modes
    • Manage Application Control Installation Mode
    • Manage Application Control Installation Mode (Time Restricted)
    • Manage Application Control Learning Mode
    • Manage Application Control Learning Mode (Time Restricted)
    • Manage Application Control Legacy Installation Mode
    • Manage Application Control Legacy Installation Mode (Time Restricted)

Gathering Additional Information (Optional)

ApplicationGetResearchDetailsById

https://portalapi.INSTANCE.threatlocker.com/portalapi/Application/ApplicationGetResearchDetailsById

• Method: GET
• Description: This API returns all research data made available by the ThreatLocker Research Team based on the applicationId provided. This research data includes a product description, potential risks associated with the application, and a mitigation strategy to limit those risks in your organization(s). The applicationId parameter determines which application's research information will be returned, as shown below. Only one applicationId can be entered at a time.
• Permission Requirements

  • Assign any one of the following permissions:

  • • Approve for Entire Organization
    • Approve for Entire Organization (Hash Only)
    • Approve for Group
    • Approve for Group (Hash Only)
    • Approve for Single Computer
    • Approve for Single Computer (Application Only)
    • Approve for Single Computer (Hash Only)
    • Edit Application Control Applications
    • View Application Control Applications
    • View Approvals

Approving the Request

ApprovalRequestGetPermitApplicationById

https://portalapi.INSTANCE.threatlocker.com/portalapi/ApprovalRequest/ApprovalRequestGetPermitApplicationById

• Method: GET
• Description: This API returns all the details/Ids of an Approval Request, including the formatted JSON field that is needed to use the ApprovalRequestPermitApplication endpoint below. If the Approval Request you are evaluating is from a child organization, use the managedOrganizationId header and set it to the organization that contains the request, as described below.
• Permission Requirements

  • Assign any one of the following permissions:

  • • Approve for Entire Organization
    • Approve for Entire Organization (Hash Only)
    • Approve for Group
    • Approve for Group (Hash Only)
    • Approve for Single Computer
    • Approve for Single Computer (Application Only)
    • Approve for Single Computer (Hash Only)
    • View Approvals

ApprovalRequestPermitApplication

https://portalapi.INSTANCE.threatlocker.com/portalapi/ApprovalRequest/ApprovalRequestPermitApplication

• Method: POST
• Description: This API processes pending Application Control Approval Requests. The organizationIds list expects the organizationId of any parent organizations that are effectively "above" where the Approval Request originated from. The JSON value can be imported or copied from the endpoint listed above (ApprovalRequestGetPermitApplicationById) for processing. If the Approval Request you are processing is from a child organization, use the managedOrganizationId header and set it to the organization that contains the request, as described below.
• Permission Requirements
  • Assign this permission:

    • Approve Escalation
  • OR If the Approval Request has a status of "Rejected, Approved, Self-Approved, or Added to Application", assign this permission:

    • Edit Actioned Requests
  • AND When using an existing custom application, assign this permission:

    • Approve for Update Existing
  • OR When using a new application, assign this permission:

    • Approve for New Install
  • AND Assign any one of the following permissions:

    • Approve for Entire Organization
    • Approve for Entire Organization (Hash Only)
    • Approve for Group
    • Approve for Group (Hash Only)
    • Approve for Single Computer
    • Approve for Single Computer (Application Only)
    • Approve for Single Computer (Hash Only)

     

Note: The examples below cover some common scenarios for permitting applications from a child organization, but are not all inclusive. For more detailed documentation, review the KB below:

ApprovalRequestPermitApplication