Threatlocker
John Rogers
We use Threatlocker heavily and it would be great to integrate with our other tools by placing devices in monitor or learning mode automatically.
Alfredo Quiambao
It would be very beneficial for us where OpenAI can help with analyzing ThreatLocker logs to give us the common paths that are getting blocked so we can get ahead of the client.
Levi Anderson
Yes, the ability to put agents into learning or monitoring mode would be helpful, as it would automate some manual tasks in an existing workflow we use. During onboarding we typically send an email to the client describing TL and what to expect and then deploy in learning mode, then after the recommended set time of learning enable the monitoring. Our cyber tech had also previously requested automations to alert him when a TL agent has not checked into the console in x number of days, and to alert him if an agent is not up to date within x number of days.
Billy Fodor
The ability to put things into learning/monitoring mode, and get client info/device counts.
Danial Gagne
Can any voters help me with examples of automations they would build with a ThreatLocker integration? We'll bring these to ThreatLocker.
Mike Creed Jr
Danial Gagne I second Brent Kenreich's use case. I'd like to be able to place a TL agent into Learning/Installation mode in conjunction with a software deployment script.
I'd also like to monitor the status of TL endpoints to identify endpoints left/stuck in learning mode unexpectedly.
I'd like to be able to view/interact/close/respond to requests in the Response Center via API.
The ability to create/modify/edit application definitions and policies via API would be useful.
I'd also like to have access to the Unified Audit log via API to locate blocked items and run workflows to correct.
Rob Foit
Danial Gagne the way we use TL, we have an approved application list for each client. If we could have automation built that when a ticket comes in and the application is on the list, the ticket is updated with that info and can place the device in installation mode would be helpful.
Jamie Gondron
Danial Gagne New Client onboarding (create client, install computers via powershell), pull licensing numbers
Al Robison
Danial Gagne For me, one of the biggest uses would be device inventory. For example, get the devices for an organization in Threatlocker, and then I can compare that with the devices in our RMM so we can make sure everything is "trued-up."
John Rogers
Danial Gagne I second Al Robison's use case - API access to the Computer reporting functions per org and in the parent tenant would be extremely helpful. Being able to query the Unified Audit log would be great, as well. It would also be useful to have Rewst triggers for some events, like an agent signing in or a Deny for a specific path. If getting write access is an option, I definitely second the ability to put a computer into Installation or Monitor mode as part of a workflow.
Logan Cook
Danial Gagne I think a great idea would be to push approval requests over to a Teams card with press-able accept/deny buttons.
Another thing that would be nice is generally grab active policy information.
We have a bit of an issue with cleaning up learning mode policies that we do not want to persist, and I have a feeling Rewst could make gathering and aggregating this data a bit easier.
Ethan Oscini
Danial Gagne the ability to disable tamper protection (or even removing devices) would be really valuable to automated device offboarding. As the API is locked down, my workflow unfortunately requires manually disabling tamper protection in ThreatLocker before it uninstalls the agent.
Logan Cook
Threatlocker says if they get details around what the integration would entail they're on board; might be worth getting some power users in touch with TL's MSP advisory board.
Marco Alcala
That is a great idea!
Brent Kenreich
Putting a device in learning mode would be very helpful in conjunction with pushing out software in ImmyBot.