This article covers all portalAPI calls related to the /portalAPI/ApplicationFile/* endpoints.
Be sure to input the instance your organization exists on for each call. This is indicated with the "INSTANCE" text in each endpoint. Linked here is a KB to find your instance:
Locating Your Organization's Instance | ThreatLocker Help Center
ApplicationFileDeleteById
https://portalapi.INSTANCE.threatlocker.com/portalapi/ApplicationFile/ApplicationFileDeleteById
- Method: POST
- Description: This API is used when navigating to the Application Control page of the ThreatLocker Portal, locating and selecting the application you would like to remove an application file entry from, navigating to the "Application Files" tab, selecting the trash can icon, and selecting "Yes" to confirm the deletion of the application rule. This API is responsible for deleting the application file rule from your custom application in your organization. Multiple file rules cannot be deleted in one call to this API; one file rule is deleted for each call to this API. To delete a file rule from an application in a different organization than the currently logged in/managed organization, use the managedOrganizationId header as described below.
For accurate System Audit logging of the removal of the application file rule, please review the Optional Body/Parameters section below.
- Required Body/Parameters
- Valid APIKey/Authorization Token in header
- Fields
- applicationFileId: This field determines which file rule will be removed from the selected application.
- Expects: An Integer value
- applicationId: This field determines which application will have the file rule removed.
- Expects: <GUID> in format "00000000-0000-0000-0000-000000000000"
Required body
- Optional Body/Parameters
- In header: "managedOrganizationId": <GUID> in format "00000000-0000-0000-0000-000000000000"
- Fields
- applicationName: This field determines the name that will be logged in the System Audit. This field should match the name of the application from which the file rule is being removed.
- Expects: Text of the application's name
- For the application rule itself, the rule's conditions should also be entered. For instance, when deleting a file path, certificate, and created by process path rule, the full text of each condition (file path, certificate, and created by process path) should be entered with their respective fields. Only the file rule fields directly related to the rule being deleted need to be included. The following application file rule fields can be used and are all shown in the Optional body section below:
- fullPath
- processPath
- installedBy (Created By Process)
- cert
- hash (TL and SHA256)
Optional body
- Permissions Needed for User
- Edit Application Control Applications
ApplicationFileInsert
https://portalapi.INSTANCE.threatlocker.com/portalapi/ApplicationFile/ApplicationFileInsert
- Method: POST
- Description: This API is used when navigating to the Application Control page of the ThreatLocker Portal, locating and selecting the application you would like to add an application file entry to, navigating to the "Application Files" tab, entering your file rule conditions, and selecting "Add Rule". This API is responsible for inserting the new application file rule into a custom application in your organization. Multiple file rules cannot be created in one call to this API; one file rule is created for each call to this API based on what is entered into the body. Listed below in the Required body section are all the fields (file rule options) available for use with this API; however, they are limited per the terms listed below.
- Required Body/Parameters
- Valid APIKey/Authorization Token in header
Note: The hash field below is used when creating a ThreatLocker hash-only rule or a SHA256 hash-only rule and should not be used in combination with any other file rule fields. When creating a file rule that specifies a type of file path (fullPath, processPath, installedBy), use \\ for each existing backslash (\) in the path you enter. Wildcards can be used in the fullPath, processPath, and installedBy fields. When using the cert field, use \" for any existing quotation marks (") in the certificate path you enter. The processPath or installedBy fields cannot be used alone without specifying at least one additional application file rule field. For more information on creating custom rules, see the KB article below:
Creating Custom Rules | ThreatLocker Help Center
- All available application file rule fields are listed below, but only the file rule fields directly related to the rule being added need to be included. The following application file rule fields can be used:
- cert
- fullPath
- hash (TL and SHA256)
- installedBy (Created By Process)
- processPath
- Fields
- applicationId: This field determines which application will have the new file rule added.
- Expects: <GUID> in format "00000000-0000-0000-0000-000000000000"
- isHashOnly: This field is used when creating a hash only rule. When creating a hash only rule, this field must be set to true. Otherwise, this field can be set to false or omitted completely.
- Expects: true or false
- notes: This field is designed to provide information on when the definition was added, what rule was added, who added/edited it, and any further information. Although the field can be left empty by entering a pair of quotation marks (""), it is recommended to include the above information to assist you and your users in identifying the context of why the application file rule may have been added.
- Expects: Any text input
- osType: The same OS Type as the application that will have the file rule added is expected. This field expects the Integer associated with the OSType:
- Windows = 1
- MAC = 2
- Linux = 3
- Windows XP = 5
Required body
- Optional Body/Parameters
- N/A
- Permissions Needed for User
- Edit Application Control Applications
ApplicationFileUpdate
https://portalapi.INSTANCE.threatlocker.com/portalapi/ApplicationFile/ApplicationFileUpdate
- Method: POST
- Description: This API is used when navigating to the Application Control page of the ThreatLocker Portal, selecting an application to edit, navigating to the "Application Files" tab, selecting the file rule you want to edit, making the desired changes, and then selecting the "Save" button, where this API is called. This API is responsible for updating an application file rule in a custom application in your organization. Multiple file rules cannot be modified in one call to this API; one file rule is modified for each call based on what is entered into the body. Listed below in the Required body section are all the fields (file rule options) available for use with this API; however, they are limited per the terms listed below.
- Required Body/Parameters
- Valid APIKey/Authorization Token in header
Note: The hash field below is used when editing a ThreatLocker hash-only rule or a SHA256 hash-only rule and should not be used in combination with any other file rule fields. When editing a file rule that specifies a type of file path (fullPath, processPath, installedBy), use \\ for each existing backslash (\) in the path you enter. Wildcards can be used in the fullPath, processPath, and installedBy fields. When using the cert field, use \" for any existing quotation marks (") in the certificate path you enter. The processPath or installedBy fields cannot be used alone without specifying at least one additional application file rule field. For more information on creating custom rules, see the KB article below:
Creating Custom Rules | ThreatLocker Help Center
- All available application file rule fields are listed below, but only the file rule fields directly related to the rule being modified need to be included. The following application file rule fields can be used:
- cert
- fullPath
- hash (TL and SHA256)
- installedBy (Created By Process)
- processPath
- Fields
- applicationFileId: This field determines which file rule will be edited from the selected application. When a file rule is modified, a new applicationFileId is assigned with each saved modification.
- Expects: An Integer value
- applicationId: This field determines which application will have the file rule edited.
- Expects: <GUID> in format "00000000-0000-0000-0000-000000000000"
- isHashOnly: This field is used when editing a hash only rule. When editing a hash only rule, this field must be set to true. Otherwise, this field can be set to false or omitted completely.
- Expects: true or false
- notes: This field is designed to provide information on when the definition was added, what rule was added, who added/edited it, and any further information. Although the field can be left empty by entering a pair of quotation marks (""), it is recommended to include the above information to assist you and your users in identifying the context of why the application file rule may have been added/modified. If notes are already attached and "" is entered when calling this API, the notes will be removed. Also, when notes are already attached, any text entered into this field will overwrite the existing notes.
- Expects: Any text input
- osType: The same OS Type as the application that will have the file rule edited is expected. This field expects the Integer associated with the OSType:
- Windows = 1
- MAC = 2
- Linux = 3
- Windows XP = 5
Required body
- Optional Body/Parameters
- N/A
- Permissions Needed for User
- Edit Application Control Applications
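The constraints in the Notes for ApplicationFileInsert and ApplicationFileUpdate, checked before a body is serialized; this is an added example, not ThreatLocker code. The flat JSON layout of the body and the helper names (build_file_rule, endpoint, to_json) are assumptions; the field names, osType values and URL pattern come from this article, and the sample values are constructed.

```python
import json
import re

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
OS_TYPES = {"Windows": 1, "MAC": 2, "Linux": 3, "Windows XP": 5}  # osType list above
RULE_FIELDS = {"cert", "fullPath", "hash", "installedBy", "processPath"}


def endpoint(instance, call):
    """URL of an ApplicationFile call on the organization's instance."""
    return f"https://portalapi.{instance}.threatlocker.com/portalapi/ApplicationFile/{call}"


def build_file_rule(application_id, os_name, notes="", application_file_id=None, **rule):
    """Check the rule fields against the Note and return the request body as a dict.

    Give application_file_id for ApplicationFileUpdate, omit it for ApplicationFileInsert.
    The flat layout of the body is an assumption of this example.
    """
    if not GUID_RE.match(application_id):
        raise ValueError("applicationId must be a GUID")
    unknown = set(rule) - RULE_FIELDS
    if unknown:
        raise ValueError(f"not a file rule field: {sorted(unknown)}")
    used = {name: value for name, value in rule.items() if value}
    if not used:  # this example's own sanity check, not a rule stated in the article
        raise ValueError("no file rule field given")
    if "hash" in used and len(used) > 1:
        raise ValueError("hash cannot be combined with other file rule fields")
    if len(used) == 1 and set(used) & {"processPath", "installedBy"}:
        raise ValueError("processPath/installedBy need at least one additional field")
    body = {"applicationId": application_id, "osType": OS_TYPES[os_name],
            "isHashOnly": "hash" in used, "notes": notes, **used}
    if application_file_id is not None:
        body["applicationFileId"] = int(application_file_id)
    return body


def to_json(body):
    # json.dumps does the escaping the Note asks for: each backslash is written
    # as two, and each quotation mark gets a backslash in front of it.
    return json.dumps(body)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real organization.
    rule = build_file_rule("00000000-0000-0000-0000-000000000000", "Windows",
                           notes="Added 2024-01-01 by jdoe: ExampleApp updater",
                           fullPath=r"C:\Program Files\ExampleApp\*.exe",
                           cert='CN="Example Corp"')
    print("POST", endpoint("INSTANCE", "ApplicationFileInsert"))
    print(to_json(rule))
```

Building the body as a dictionary and serializing it once avoids hand-escaping paths and certificate strings, which is where malformed rules usually come from.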