ThreatLocker (Beta)
Quick DetailsRecommended Agent: On-Demand
Supported Agents: On-Demand and Self-Managed
Is Auto-Discovered By: N/A
Can Auto-Discover: ThreatLocker Child Inspectors (one per Organization)
Parent/Child Type Inspector: Yes
Inspected via: API
Default Frequency: Daily. (max every 8 hours)
Data Summary: Here
Overview
ThreatLocker Inspector (Beta)
You can now use the ThreatLocker Inspector (Beta) to gain centralized visibility into your managed organizations' endpoint security posture directly from ThreatLocker. The inspector automatically discovers each organization in your ThreatLocker portal and creates a dedicated child inspection, giving you organization-specific insights without additional configuration.
What you can monitor
The ThreatLocker Inspector collects key security and configuration data for each organization, including:
- Endpoint inventory (computers and mobile devices)
- Application Control policies
- Network Control policies
- Storage Control policies
- Detect policies
- Configuration Manager settings
- Local administrator assignments
- Portal users
How it works
A parent launchpoint authenticates to your ThreatLocker MSP portal and automatically discovers each managed organization. Liongard then creates a child launchpoint for every organization, allowing each environment to independently collect and report its own device inventory, policies, and security posture.
Benefits
- Monitor endpoint security across all managed organizations from a single integration.
- Automatically discover and inventory ThreatLocker organizations.
- View organization-specific security policies and device posture in separate Liongard Environments.
- Simplify security reviews, compliance reporting, and operational visibility with continuously collected ThreatLocker data.
Inspector Setup Preparation
Prerequisites & Access RequirementsTo configure the ThreatLocker Inspector, ensure you have the following:
- A ThreatLocker Portal account with MSP/admin-level access
- An API token created in the ThreatLocker portal (Manage → Users → API Users), scoped to the topmost org it should read — scope is anchored at token creation and cannot be changed later
- The token's role must be Read Only
- The Organization's Instance ID (MSP org GUID) and region segment (Instance)
Inspector Setup:
Step 1: Creating the API Token in the ThreatLocker Portal
-
Log in to the ThreatLocker portal and navigate to API Users.
-
Manage -> Users -> API Users.

-
-
Select New API User.

-
API Token Name — enter a descriptive name (e.g., liongardAPI).
-
Click Generate API Token, copy the value, and securely document it. This is what gets pasted into the Liongard launchpoint's API Token field.

-
Role: Select Read Only from the dropdown and click the "+" to add the role.
-
Organization: Recommended to keep the default setting (All Organizations).
NOTE!! Role scoping is restrictive, not additive:- An unscoped Read Only role reads the parent/MSP and all children automatically.
- A role scoped to specific organizations is restricted to only those organizations—you must explicitly include the parent and every child you want inspected.
- A role scoped to the parent only silently returns just the MSP org with no children discovered — this comes back as an HTTP 200, not an error, so the only symptom is zero Discovered child launchpoints.
For full data coverage, the target Organization needs these ThreatLocker modules enabled:
- Allowlisting
- Elevation
- Storage Control
- Network Control
- Web Control
- Configuration Manager
- Endpoint/Cloud Detect
- Ringfencing
- Patch Management
A disabled module doesn't fail the inspector run, that section(s) just comes back empty.
-
Check Accept EULA, then select Create.

Once created, the token appears in the API Users list named [token name@GUID]. The GUID is the Managed Organization ID referenced throughout this guide, and it also appears as [?mo=GUID] in the portal's URL when that organization is selected.

Step 2: Configure the ThreatLocker Inspector in Liongard
- Log in to the Liongard platform.
- In Liongard, navigate to Admin > Inspectors > Inspector Types > Navigate to the ThreatLocker Inspector > Select Add System.
Since the ThreatLocker Inspectors are multi-tenant systems where a single portal can be used to manage many Environments, you will set up a single "Parent" Inspector that will then auto-discover "Child" Inspectors for each Environment.
Fill in the following information:
- Type of Inspector: Parent
- Environment: Select your MSP's Environment
- Friendly Name: Suggested Naming: [Customer Name] ThreatLocker Parent
- Agent: Select On-Demand Agent
- Inspector Version: Latest
- Region: Instance: Regional segment of the ThreatLocker API host (portalapi.{region}.threatlocker.com). To find it, click the Help button (top right of the ThreatLocker portal) and read the value in parentheses next to "ThreatLocker Access" (e.g. (g)).
- Managed Organization ID: The MSP (parent) organization's Managed Organization ID (GUID). Shown after the @ in the API token name on the Manage -> Users -> API Users page (e.g. sandbox@
- API Token: Generated under Manage -> Users -> API Users in the ThreatLocker portal.
- Scheduling: The Inspector will default to run once a day at the time the Inspector is set up. Here you can adjust the schedule
- Select Save. The Inspector will now be triggered to run within the minute.
Step 3: Child Inspector Setup
After the first run of the Parent Inspector, your client ThreatLocker organizations will be auto-discovered in the Discovered Systems tab on the Inspectors > Appropriate ThreatLocker Inspector page.
- Activate or Archive your Discovered Systems by ensuring that they're mapped to the correct Environment > Check the checkbox to the left of Inspector(s) > Select the Actions drop-down menu > Activate Launchpoints
- Click Save.
Updated about 2 hours ago

