docs: add ThreatLocker adapter and extension pages#244
Merged
Conversation
Documents both halves of the LimaCharlie + ThreatLocker integration: - The threatlocker USP adapter (Sensors → Adapters → Security Tools): delivers Application Control approval-request events plus the unified and system audit streams. Covers the instance-letter quirk, the three default feeds, the generic *GetByParameters feed schema, polling semantics, and a custom-feed example. - The ext-threatlocker extension (Integrations → Extensions → Third-Party): thin proxy to the ThreatLocker Portal API. Covers per-org config, all thirteen actions (approval-request reads, application/computer/group/policy enrichment, and the three permit / reject / ignore decisions), and the MSP parent-token scoping via managed_organization_id. Cross-links the two pages so the "adapter delivers events, extension enriches and writes back the decision" workflow is discoverable from either side. Adds the ext-threatlocker readme.io redirect for the legacy slug. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
markdownlint-cli2's MD038 flagged the four `Bearer ` code spans on both the adapter and the extension page (trailing space inside backticks). Drop the trailing space; the surrounding prose still reads "no Bearer prefix". Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
maximelb
added
the
to-code-review
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Documents both halves of the LimaCharlie + ThreatLocker integration:
threatlockerUSP adapter (Sensors → Adapters → Security Tools): delivers Application Control approval-request events plus the unified and system audit streams. Covers the instance-letter quirk, the three default feeds, the generic*GetByParametersfeed schema, polling semantics, and a custom-feed example.ext-threatlockerextension (Integrations → Extensions → Third-Party): thin proxy to the ThreatLocker Portal API. Covers per-org config, all thirteen actions (approval-request reads, application / computer / group / policy enrichment, and the three permit / reject / ignore decisions), and MSP parent-token scoping viamanaged_organization_id.The two pages cross-link so the "adapter delivers events, extension enriches and writes back the decision" workflow is discoverable from either side. Adds the
ext-threatlockerreadme.io redirect for the legacy slug, and lists ThreatLocker under Security Tools on the adapters index.Test plan
mkdocs build --strictis clean — no new pages-not-in-nav warnings and no broken cross-references.instance_letter/instancewording — both pages call out that a wrong instance letter masquerades asTOKEN_REVOKED, which is the single most common config mistake.🤖 Generated with Claude Code