ThreatLocker Device Configuration

Modified on Wed, 1 Oct at 9:48 AM


Overview

This document provides step-by-step instructions to integrate ThreatLocker with ARIA SIEM (aiSIEM/aiXDR) using API credentials. Once configured, ThreatLocker logs and telemetry will be forwarded from the CCE (Collection and Control Engine) to the APE (Analytics and Policy Engine), enabling centralized visibility, policy enforcement monitoring, and proactive threat detection.


Prerequisites

Before beginning the integration, ensure the following are in place:

  • Access to the ThreatLocker Console with permission to create API users.

  • Administrative access to the ARIA SIEM UI and CCE server.

  • Firewall rules allowing outbound HTTPS (443) from the CCE to the ThreatLocker API.


Generate ThreatLocker API Credentials

  1. Log in to the ThreatLocker Console.

  2. Navigate to: Administrators → API Users.

  3. Click Create New User.

  4. Name the token appropriately (e.g., aria-siem).

  5. Click Generate API Token → copy the token immediately.

    • Note: The token will only be shown once. Store it securely.

  6. Set token expiry (recommended: 365 days).

  7. Assign a role to the API user. If needed, create a new role with at least the following permissions:

    • View Organization

    • View Computers

    • View Reports

    • View System Audit

    • View ThreatLocker Threats

    • View ThreatLocker Policies

    • View ThreatLocker Remediations

    • View Unified Audit

  8. Select the Organizations the API user should have access to.

  9. Click Create.


Configure ThreatLocker in ARIA SIEM

  1. Log in to the ARIA SIEM UI with admin rights.

  2. Navigate to: Administration → Add-on Store → ThreatLocker → Add.

  3. Fill in details: 

    Field                    Value
    Device Name              ThreatLocker
    CCE Host (IP)            Enter the CCE IP
    Password / Secret Key    Enter the ThreatLocker API Key
    Config (JSON)            Keep JSON empty {}


Verification

Contact ARIA Technical Support for integration verification.
