Endpoint Detection and Response
      Back to home
      1. Knowledge Base
      2. Integrations
      3. Endpoint Detection and Response

      ThreatLocker

      How to connect ThreatLocker to Cork

      1. Locate your ThreatLocker instance:
        1. In your ThreatLocker portal under the “Help” button on the top right written next to the “ThreatLocker Access” text in parentheses.
        2. This may be a single letter like B, C, G, etc
      2. Create an API User
        1. Navigate to the Administrators page and select "API Users"
        2. Create a new user and name the token something like "Cork Integration"
        3. Press "Generate API Token", copy this first
        4. Keep it set to expire for 365 days
        5. Select a Role
          1. You may need a new API User Role, if so, please ensure it has the following permissions:
            • View organization
            • View computers
            • View reports
            • View system audit
            • View ThreatLocker threats
            • View ThreatLocker policies
            • View ThreatLocker remediations
            • View unified audit
        6. Select All Organizations
        7. Press "Create"
      3. Enter the credentials in Cork
        1. Use just the single letter for the instance (c, d, e, etc)
        2. Paste the API token from Step 2C
        3. Press "Connect & Continue"
          1. If this fails, and you regenerated the token in step 2C, make sure you click "Save" on ThreatLocker