Threatlocker
ThreatLocker - zero-trust application allowlisting, approval triage, audit log investigation, computer inventory
Installation
Install this plugin individually:
/plugin marketplace add wyre-technology/msp-claude-plugins --plugin threatlocker
Or install all MSP plugins at once:
/plugin marketplace add wyre-technology/msp-claude-plugins
Features
- Approval Requests
- Audit Log
- Computer Groups
- Computer Management
- Organization Management
Skills
This plugin provides 6 skills that teach Claude about Threatlocker:
| Skill | Description |
|---|---|
| approval-requests | Use this skill when triaging ThreatLocker application approval requests - the heart of day-to-day ThreatLocker operations. |
| audit-log | Use this skill when investigating events in the ThreatLocker Action Log (the API name is "audit") - building incident timelines, tracing a file's history across endpoints, identifying repeated denials, and correlating policy bypasses or audit-only matches with user/computer context. |
| computer-groups | Use this skill when working with ThreatLocker computer groups - the policy-scoping boundary that determines which allow/deny rules apply to which endpoints. |
| computers | Use this skill when working with ThreatLocker-protected endpoints - fleet inventory, identifying offline agents, drilling into a single computer's check-in history, and correlating computers across organizations and groups. |
| organizations | Use this skill when working with the ThreatLocker MSP multi-tenant model - enumerating child organizations, retrieving per-org auth keys, and identifying valid move targets when relocating computers between tenants. |
| api-patterns | Use this skill when working with the ThreatLocker MCP tools - raw-key authentication (NO Bearer prefix), multi-tenant routing via organizationId header, POST-heavy "GetByParameters" endpoints, pagination shape, and child-organization fan-out patterns. |
Agents
This plugin provides 3 agents for autonomous task execution:
| Agent | Description |
|---|---|
| approval-triage-analyst | Use this agent when reviewing the ThreatLocker pending approval queue, classifying application requests as high-confidence vs needs-review, recommending approve/deny decisions with documented reasoning, and escalating suspicious patterns. |
| fleet-health-auditor | Use this agent when producing ThreatLocker fleet inventory and hygiene reports - computer inventory by OS or group, offline-agent identification with check-in age tiering, computer-group hygiene analysis (orphans, oversized groups, OS-mismatched assignments), and multi-tenant pivots across child organizations. |
| threat-investigator | Use this agent when investigating a ThreatLocker security event - reconstructing a timeline around a host/user/file, tracing a file's history across the fleet, identifying repeated denials, and surfacing policy bypasses or audit-only matches that warrant new policy rules. |
Commands
Available slash commands:
| Command | Description |
|---|---|
| /approval-triage | Triage pending ThreatLocker approval requests with approve/deny recommendations |
| /audit-investigation | Build a timeline of ThreatLocker audit events around a security incident |
| /computer-inventory | Generate a ThreatLocker computer inventory report |
| /offline-agents | Find ThreatLocker agents that have not checked in recently |
| /tenant-overview | Multi-tenant ThreatLocker overview across child organizations |
API Reference
| Base URL | |
| Authentication | |
| Rate Limit | |
| Documentation |
Example Usage
Triage pending ThreatLocker approval requests with approve/deny recommendations
/approval-triage
Build a timeline of ThreatLocker audit events around a security incident
/audit-investigation
Generate a ThreatLocker computer inventory report
/computer-inventory
Find ThreatLocker agents that have not checked in recently
/offline-agents
Multi-tenant ThreatLocker overview across child organizations
/tenant-overview
Using Skills
/skill threatlocker:approval-requests
Use this skill when triaging ThreatLocker application approval requests - the heart of day-to-day ThreatLocker operations.