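---
# Naftiko capability: consumes three Tanium HTTP APIs (Platform, Threat
# Response, Connect) and re-exposes them as a REST listener and an MCP server.
naftiko: 1.0.0-alpha2
info:
  label: Tanium Endpoint Management
  description: >-
    Workflow capability for unified endpoint management and security
    operations using Tanium. Combines the Platform REST API, Threat Response
    API, and Connect API to enable endpoint visibility, action deployment,
    threat investigation, and data delivery automation. Designed for security
    operations teams, IT administrators, and incident responders who need
    real-time control across all managed endpoints.
  tags:
    - Compliance
    - Endpoint Management
    - Incident Response
    - Patch Management
    - Security
    - Threat Detection
    - Unified Endpoint Management
  created: '2026-05-03'
  modified: '2026-05-06'

# Secrets and host name come from the environment, never from this file.
# TANIUM_API_TOKEN is attached to every upstream call below, including action
# deployment, so scope the token to the minimum role these operations need.
binds:
  - namespace: env
    keys:
      TANIUM_API_TOKEN: TANIUM_API_TOKEN
      TANIUM_SERVER: TANIUM_SERVER

capability:
  consumes:
    # --- Tanium Platform: questions, results, actions, packages, sensors ---
    - type: http
      namespace: tanium-platform
      baseUri: https://{{TANIUM_SERVER}}
      description: Tanium Platform REST API for endpoint visibility and control
      # API token is sent in the `session` request header.
      authentication:
        type: apikey
        key: session
        value: '{{TANIUM_API_TOKEN}}'
        placement: header
      resources:
        - name: questions
          path: /api/v2/questions
          description: Create and manage endpoint questions
          operations:
            - name: create-question
              method: POST
              description: Create and ask a question across managed endpoints
              body:
                type: json
                data:
                  # Caller-supplied text is forwarded as the question body.
                  query_text: '{{tools.query_text}}'
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: question-by-id
          path: /api/v2/questions/{id}
          description: Get a specific question
          operations:
            - name: get-question
              method: GET
              description: Get a question by ID
              inputParameters:
                - name: id
                  in: path
                  type: integer
                  required: true
                  description: Question ID
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: question-results
          path: /api/v2/result_data/question/{id}
          description: Get question results from endpoints
          operations:
            - name: get-question-results
              method: GET
              description: Get question results from endpoints
              inputParameters:
                - name: id
                  in: path
                  type: integer
                  required: true
                  description: Question ID
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: saved-questions
          path: /api/v2/saved_questions
          description: List saved questions
          operations:
            - name: list-saved-questions
              method: GET
              description: List all saved questions
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: saved-question-results
          path: /api/v2/result_data/saved_question/{id}
          description: Get results for a saved question
          operations:
            - name: get-saved-question-results
              method: GET
              description: Get latest results for a saved question
              inputParameters:
                - name: id
                  in: path
                  type: integer
                  required: true
                  description: Saved question ID
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: actions
          path: /api/v2/saved_actions
          description: Deploy actions to endpoints
          operations:
            # Highest-impact operation in this file: package, action group and
            # target group are all taken from the caller.
            - name: create-action
              method: POST
              description: Create and deploy an action to targeted endpoints
              body:
                type: json
                data:
                  name: '{{tools.name}}'
                  package_spec: '{{tools.package_spec}}'
                  action_group: '{{tools.action_group}}'
                  target_group: '{{tools.target_group}}'
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: packages
          path: /api/v2/packages
          description: Manage deployment packages
          operations:
            - name: list-packages
              method: GET
              description: List all deployment packages
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: sensors
          path: /api/v2/sensors
          description: Manage endpoint sensors
          operations:
            - name: list-sensors
              method: GET
              description: List all sensors
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: groups
          path: /api/v2/groups
          description: List computer groups
          operations:
            - name: list-groups
              method: GET
              description: List all computer groups
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.

    # --- Tanium Threat Response: alerts and live endpoint connections ---
    - type: http
      namespace: tanium-threat-response
      baseUri: https://{{TANIUM_SERVER}}
      description: Tanium Threat Response API for incident investigations
      authentication:
        type: apikey
        key: session
        value: '{{TANIUM_API_TOKEN}}'
        placement: header
      resources:
        - name: alerts
          path: /plugin/products/threat-response/api/v1/alerts
          description: Manage threat alerts
          operations:
            - name: list-alerts
              method: GET
              description: List threat alerts
              inputParameters:
                - name: limit
                  in: query
                  type: integer
                  required: false
                  description: Maximum alerts to return
                - name: offset
                  in: query
                  type: integer
                  required: false
                  description: Pagination offset
                - name: state
                  in: query
                  type: string
                  required: false
                  description: Filter by alert state
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: connections
          path: /plugin/products/threat-response/api/v1/conns
          description: Live endpoint connections for investigations
          operations:
            - name: list-connections
              method: GET
              description: List endpoint investigation connections
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: create-connection
              method: POST
              description: Create a live connection to an endpoint
              body:
                type: json
                data:
                  target: '{{tools.target}}'
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: events
          path: /plugin/products/threat-response/api/v1/conns/{cid}/events/{type}
          description: View Recorder events from endpoints
          operations:
            - name: list-events
              method: GET
              description: List events by type from an endpoint connection
              inputParameters:
                - name: cid
                  in: path
                  type: string
                  required: true
                  description: Connection ID
                - name: type
                  in: path
                  type: string
                  required: true
                  description: Event type (e.g., process, network, file)
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: process-tree
          path: /plugin/products/threat-response/api/v1/conns/{cid}/processtrees/{pid}
          description: Get process tree for a specific process
          operations:
            - name: get-process-tree
              method: GET
              description: Get the process tree for a specific process
              inputParameters:
                - name: cid
                  in: path
                  type: string
                  required: true
                  description: Connection ID
                - name: pid
                  in: path
                  type: integer
                  required: true
                  description: Process ID
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.

    # --- Tanium Connect: data delivery connections and destinations ---
    - type: http
      namespace: tanium-connect
      baseUri: https://{{TANIUM_SERVER}}
      description: Tanium Connect API for data pipeline management
      authentication:
        type: apikey
        key: session
        value: '{{TANIUM_API_TOKEN}}'
        placement: header
      resources:
        - name: connections
          path: /plugin/products/connect/v1/connections
          description: Manage data delivery connections
          operations:
            - name: list-connections
              method: GET
              description: List all data delivery connections
              inputParameters:
                - name: limit
                  in: query
                  type: integer
                  required: false
                  description: Maximum connections to return
                - name: offset
                  in: query
                  type: integer
                  required: false
                  description: Pagination offset
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            # `destination` decides where endpoint data is exported; it is
            # taken from the caller, so review who may invoke this operation.
            - name: create-connection
              method: POST
              description: Create a new data delivery connection
              body:
                type: json
                data:
                  name: '{{tools.name}}'
                  source: '{{tools.source}}'
                  destination: '{{tools.destination}}'
                  schedule: '{{tools.schedule}}'
                  enabled: '{{tools.enabled}}'
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: destinations
          path: /plugin/products/connect/v1/destinations
          description: Manage connection destinations
          operations:
            - name: list-destinations
              method: GET
              description: List all configured destinations
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.

  # No authentication is declared for either listener in this file, so any
  # client that can reach port 8080 or 9090 acts with the privileges of
  # TANIUM_API_TOKEN (questions, action deployment, data export).
  # NOTE(review): restrict listener reachability or front them with an
  # authenticating gateway; confirm what the runtime enforces by default.
  exposes:
    - type: rest
      port: 8080
      namespace: tanium-endpoint-management-api
      description: >-
        Unified REST API for Tanium endpoint management, threat response, and
        data integration.
      # NOTE(review): the POST operations below declare no `with` mapping,
      # while the consumed request bodies read `tools.*` values; confirm how
      # REST request bodies reach the upstream call.
      resources:
        - path: /v1/questions
          name: questions
          description: Query endpoint state using natural language questions
          operations:
            - method: POST
              name: ask-question
              description: Ask a question to all managed endpoints
              call: tanium-platform.create-question
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/questions/{id}/results
          name: question-results
          description: Retrieve endpoint question results
          operations:
            - method: GET
              name: get-question-results
              description: Get results collected from endpoints for a question
              call: tanium-platform.get-question-results
              with:
                id: rest.id
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/saved-questions
          name: saved-questions
          description: Saved endpoint questions for recurring data collection
          operations:
            - method: GET
              name: list-saved-questions
              description: List all saved questions
              call: tanium-platform.list-saved-questions
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/saved-questions/{id}/results
          name: saved-question-results
          description: Results from saved questions
          operations:
            - method: GET
              name: get-saved-question-results
              description: Get latest results for a saved question
              call: tanium-platform.get-saved-question-results
              with:
                id: rest.id
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/actions
          name: actions
          description: Deploy actions and packages to endpoints
          operations:
            - method: POST
              name: deploy-action
              description: Deploy a package action to targeted endpoints
              call: tanium-platform.create-action
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/packages
          name: packages
          description: Endpoint deployment packages
          operations:
            - method: GET
              name: list-packages
              description: List all available deployment packages
              call: tanium-platform.list-packages
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/sensors
          name: sensors
          description: Endpoint data collection sensors
          operations:
            - method: GET
              name: list-sensors
              description: List all endpoint sensors
              call: tanium-platform.list-sensors
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/computer-groups
          name: computer-groups
          description: Endpoint targeting groups
          operations:
            - method: GET
              name: list-computer-groups
              description: List all computer groups for endpoint targeting
              call: tanium-platform.list-groups
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/alerts
          name: alerts
          description: Threat Response security alerts
          operations:
            - method: GET
              name: list-alerts
              description: List threat alerts from Threat Response
              call: tanium-threat-response.list-alerts
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/investigations
          name: investigations
          description: Live endpoint investigation connections
          operations:
            - method: GET
              name: list-investigations
              description: List active endpoint investigation connections
              call: tanium-threat-response.list-connections
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: start-investigation
              description: Start a live endpoint investigation connection
              call: tanium-threat-response.create-connection
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/data-connections
          name: data-connections
          description: Data export connections to downstream systems
          operations:
            - method: GET
              name: list-data-connections
              description: List data delivery connections
              call: tanium-connect.list-connections
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: create-data-connection
              description: Create a data delivery connection
              call: tanium-connect.create-connection
              outputParameters:
                - type: object
                  mapping: $.

    - type: mcp
      port: 9090
      namespace: tanium-endpoint-management-mcp
      transport: http
      description: >-
        MCP server for AI-assisted endpoint management, threat investigation,
        and security operations.
      # Tool hints are what an MCP client sees when deciding whether to ask
      # for confirmation, so they should describe the upstream call's effect.
      tools:
        - name: ask-endpoint-question
          description: >-
            Ask a natural language question to all Tanium-managed endpoints
            (e.g., 'Get Running Processes from all machines')
          # Calls create-question, a POST that creates a question and asks it
          # across managed endpoints, so this tool is not declared read-only.
          hints:
            readOnly: false
            destructive: false
            idempotent: false
            openWorld: true
          call: tanium-platform.create-question
          with:
            query_text: tools.query_text
          outputParameters:
            - type: object
              mapping: $.
        - name: get-question-results
          description: Get endpoint data results for a question by ID
          hints:
            readOnly: true
            idempotent: true
            openWorld: true
          call: tanium-platform.get-question-results
          with:
            id: tools.id
          outputParameters:
            - type: object
              mapping: $.
        - name: list-saved-questions
          description: >-
            List all saved questions configured for recurring endpoint data
            collection
          hints:
            readOnly: true
            idempotent: true
            openWorld: true
          call: tanium-platform.list-saved-questions
          outputParameters:
            - type: object
              mapping: $.
        - name: get-saved-question-results
          description: >-
            Get the latest collected results from a saved recurring question
          hints:
            readOnly: true
            idempotent: true
            openWorld: true
          call: tanium-platform.get-saved-question-results
          with:
            id: tools.id
          outputParameters:
            - type: object
              mapping: $.
        - name: deploy-package-to-endpoints
          description: Deploy a package action to a targeted group of endpoints
          # Deploys a caller-chosen package to a caller-chosen target group;
          # a package action can change endpoint state, so the tool is
          # declared destructive to let clients gate it behind confirmation.
          hints:
            readOnly: false
            destructive: true
            idempotent: false
          call: tanium-platform.create-action
          with:
            name: tools.name
            package_spec: tools.package_spec
            action_group: tools.action_group
            target_group: tools.target_group
          outputParameters:
            - type: object
              mapping: $.
        - name: list-packages
          description: >-
            List all available deployment packages on the Tanium server
          hints:
            readOnly: true
            idempotent: true
            openWorld: true
          call: tanium-platform.list-packages
          outputParameters:
            - type: object
              mapping: $.
        - name: list-sensors
          description: >-
            List all endpoint sensors available for data collection in
            questions
          hints:
            readOnly: true
            idempotent: true
            openWorld: true
          call: tanium-platform.list-sensors
          outputParameters:
            - type: object
              mapping: $.
        - name: list-computer-groups
          description: >-
            List all computer groups for endpoint targeting in actions and
            questions
          hints:
            readOnly: true
            idempotent: true
            openWorld: true
          call: tanium-platform.list-groups
          outputParameters:
            - type: object
              mapping: $.
        - name: list-threat-alerts
          description: List threat alerts detected by Tanium Threat Response
          hints:
            readOnly: true
            idempotent: true
            openWorld: true
          call: tanium-threat-response.list-alerts
          outputParameters:
            - type: object
              mapping: $.
        - name: start-endpoint-investigation
          description: >-
            Start a live investigation connection to an endpoint for incident
            response
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: tanium-threat-response.create-connection
          with:
            target: tools.target
          outputParameters:
            - type: object
              mapping: $.
        - name: get-endpoint-events
          description: >-
            Get Recorder events from an endpoint connection (process, network,
            file events)
          hints:
            readOnly: true
            idempotent: true
            openWorld: true
          call: tanium-threat-response.list-events
          with:
            cid: tools.cid
            type: tools.type
          outputParameters:
            - type: object
              mapping: $.
        - name: get-process-tree
          description: >-
            Get the full process ancestry tree for a suspicious process on an
            endpoint
          hints:
            readOnly: true
            idempotent: true
            openWorld: true
          call: tanium-threat-response.get-process-tree
          with:
            cid: tools.cid
            pid: tools.pid
          outputParameters:
            - type: object
              mapping: $.
        - name: list-data-connections
          description: >-
            List all data delivery connections for exporting endpoint data to
            SIEM and other systems
          hints:
            readOnly: true
            idempotent: true
            openWorld: true
          call: tanium-connect.list-connections
          outputParameters:
            - type: object
              mapping: $.
        - name: create-data-connection
          description: >-
            Create a data delivery connection to export Tanium endpoint data
            to a downstream system
          # Sets up an export of endpoint data to a caller-supplied
          # destination; pair with review of configured destinations.
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: tanium-connect.create-connection
          with:
            name: tools.name
            source: tools.source
            destination: tools.destination
            schedule: tools.schedule
            # The consumed request body also reads tools.enabled, so it is
            # mapped here alongside the other fields.
            enabled: tools.enabled
          outputParameters:
            - type: object
              mapping: $.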