threatlocker-mcp

threatlocker-mcp

MCP server for ThreatLocker — zero-trust application allowlisting, approval requests, audit logs

Category
Visit Server

README

ThreatLocker MCP Server

A Model Context Protocol (MCP) server that provides AI assistants with access to the ThreatLocker Portal API. Manage computers, approval requests, audit logs, and organizations through natural language interactions.

Features

  • Stateless Architecture: No session state required, fresh connections per request
  • Decision-Tree Navigation: Navigate domains with threatlocker_navigate
  • Gateway Mode: Multi-tenant support via HTTP headers
  • Elicitation Support: Interactive prompts for missing parameters
  • Comprehensive Error Handling: Detailed error messages and logging
  • Docker Support: Production-ready containerization

Tools

Navigation

  • threatlocker_navigate - Navigate to a domain to see available tools
  • threatlocker_status - Check API connection status and available domains

Computers

  • threatlocker_computers_list - List computers with filters (search, group, pagination)
  • threatlocker_computers_get - Get detailed computer information
  • threatlocker_computers_get_checkins - Get computer checkin history

Computer Groups

  • threatlocker_computer_groups_list - List computer groups with filters
  • threatlocker_computer_groups_dropdown - Get computer groups for dropdown selection

Approval Requests

  • threatlocker_approvals_list - List approval requests with status filters
  • threatlocker_approvals_get - Get detailed approval request information
  • threatlocker_approvals_pending_count - Get count of pending approvals
  • threatlocker_approvals_get_permit_application - Get permit application details

Audit Log

  • threatlocker_audit_search - Search audit log entries with filters
  • threatlocker_audit_get - Get detailed audit log entry
  • threatlocker_audit_file_history - Get audit history for specific file

Organizations

  • threatlocker_organizations_list_children - List child organizations
  • threatlocker_organizations_get_auth_key - Get organization auth key
  • threatlocker_organizations_for_move_computers - Get organizations for computer moves

Configuration

Environment Variables

Stdio Mode (Direct API Access)

THREATLOCKER_API_KEY=your_api_key_here
THREATLOCKER_ORGANIZATION_ID=your_org_id_here
MCP_TRANSPORT=stdio

Gateway Mode (Multi-tenant)

AUTH_MODE=gateway
MCP_TRANSPORT=http
MCP_HTTP_PORT=8080
MCP_HTTP_HOST=0.0.0.0

Gateway Mode Headers

When running in gateway mode, include these headers with each request:

  • X-Threatlocker-Api-Key: Your ThreatLocker API key
  • X-Threatlocker-Organization-Id: Your organization ID

Logging

LOG_LEVEL=debug|info|warn|error  # Default: info

Local Development

  1. Clone the repository:
git clone https://github.com/wyre-technology/threatlocker-mcp.git
cd threatlocker-mcp
  1. Install dependencies:
npm install
  1. Set environment variables:
cp .env.example .env
# Edit .env with your ThreatLocker credentials
  1. Build and run:
npm run build
npm start

# Or for development with hot reload:
npm run dev
  1. Test the server:
# Stdio mode
echo '{"jsonrpc": "2.0", "id": 1, "method": "tools/list"}' | npm start

# HTTP mode
curl http://localhost:8080/health

Docker

Using Docker Compose

# Pull and run latest image
docker compose up -d

# Or build locally
docker compose -f docker-compose.dev.yml up --build

Using Docker directly

# Gateway mode (recommended)
docker run -d \
  --name threatlocker-mcp \
  -p 8080:8080 \
  -e AUTH_MODE=gateway \
  ghcr.io/wyre-technology/threatlocker-mcp:latest

# Stdio mode
docker run -d \
  --name threatlocker-mcp \
  -e THREATLOCKER_API_KEY=your_key \
  -e THREATLOCKER_ORGANIZATION_ID=your_org_id \
  -e MCP_TRANSPORT=stdio \
  ghcr.io/wyre-technology/threatlocker-mcp:latest

Architecture

Directory Structure

src/
├── domains/           # Domain-specific handlers
│   ├── computers.ts
│   ├── computer_groups.ts
│   ├── approval_requests.ts
│   ├── audit_log.ts
│   ├── organizations.ts
│   ├── navigation.ts
│   └── index.ts
├── utils/             # Utilities
│   ├── client.ts      # ThreatLocker API client
│   ├── logger.ts      # Structured logging
│   ├── types.ts       # TypeScript types
│   ├── server-ref.ts  # Server reference for elicitation
│   └── elicitation.ts # Interactive prompts
├── server.ts          # MCP server creation
├── index.ts           # Stdio transport entry
└── http.ts            # HTTP transport entry

Design Patterns

  • Domain Handlers: Each API area has its own handler with getTools() and handleCall()
  • Lazy Loading: Domain handlers are imported on-demand
  • Fresh Connections: New server instance per HTTP request for stateless operation
  • Credential Invalidation: Client is reset when credentials change
  • Elicitation Framework: Interactive prompts for missing parameters

License

Apache-2.0 - see LICENSE for details.

Recommended Servers

playwright-mcp

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official
Featured
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Official
Featured
Local
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

Official
Featured
Local
TypeScript
VeyraX MCP

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official
Featured
Local
graphlit-mcp-server

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official
Featured
TypeScript
Kagi MCP Server

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official
Featured
Python
E2B

E2B

Using MCP to run code via e2b.

Official
Featured
Neon Database

Neon Database

MCP server for interacting with Neon Management API and databases

Official
Featured
Qdrant Server

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official
Featured
Exa Search

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official
Featured