Tanium · Capability

Tanium Endpoint Management

Workflow capability for unified endpoint management and security operations using Tanium. Combines the Platform REST API, Threat Response API, and Connect API to enable endpoint visibility, action deployment, threat investigation, and data delivery automation. Designed for security operations teams, IT administrators, and incident responders who need real-time control across all managed endpoints.

Tags: Compliance, Endpoint Management, Incident Response, Patch Management, Security, Threat Detection, Unified Endpoint Management

What You Can Do

POST /v1/questions: Ask question — Ask a question to all managed endpoints
GET /v1/questions/{id}/results: Get question results — Get results collected from endpoints for a question
GET /v1/saved-questions: List saved questions — List all saved questions
GET /v1/saved-questions/{id}/results: Get saved question results — Get latest results for a saved question
POST /v1/actions: Deploy action — Deploy a package action to targeted endpoints
GET /v1/packages: List packages — List all available deployment packages
GET /v1/sensors: List sensors — List all endpoint sensors
GET /v1/computer-groups: List computer groups — List all computer groups for endpoint targeting
GET /v1/alerts: List alerts — List threat alerts from Threat Response
GET /v1/investigations: List investigations — List active endpoint investigation connections
POST /v1/investigations: Start investigation — Start a live endpoint investigation connection
GET /v1/data-connections: List data connections — List data delivery connections
POST /v1/data-connections: Create data connection — Create a data delivery connection

MCP Tools

ask-endpoint-question
Ask a natural language question to all Tanium-managed endpoints (e.g., 'Get Running Processes from all machines')
read-only

get-question-results
Get endpoint data results for a question by ID
read-only idempotent

list-saved-questions
List all saved questions configured for recurring endpoint data collection
read-only idempotent

get-saved-question-results
Get the latest collected results from a saved recurring question
read-only idempotent

deploy-package-to-endpoints
Deploy a package action to a targeted group of endpoints

list-packages
List all available deployment packages on the Tanium server
read-only idempotent

list-sensors
List all endpoint sensors available for data collection in questions
read-only idempotent

list-computer-groups
List all computer groups for endpoint targeting in actions and questions
read-only idempotent

list-threat-alerts
List threat alerts detected by Tanium Threat Response
read-only idempotent

start-endpoint-investigation
Start a live investigation connection to an endpoint for incident response

get-endpoint-events
Get Recorder events from an endpoint connection (process, network, file events)
read-only idempotent

get-process-tree
Get the full process ancestry tree for a suspicious process on an endpoint
read-only idempotent

list-data-connections
List all data delivery connections for exporting endpoint data to SIEM and other systems
read-only idempotent

create-data-connection
Create a data delivery connection to export Tanium endpoint data to a downstream system

Capability Spec

endpoint-management.yaml
naftiko: 1.0.0-alpha2
info:
  label: Tanium Endpoint Management
  description: Workflow capability for unified endpoint management and security operations using Tanium. Combines the Platform
    REST API, Threat Response API, and Connect API to enable endpoint visibility, action deployment, threat investigation,
    and data delivery automation. Designed for security operations teams, IT administrators, and incident responders who need
    real-time control across all managed endpoints.
  tags:
  - Compliance
  - Endpoint Management
  - Incident Response
  - Patch Management
  - Security
  - Threat Detection
  - Unified Endpoint Management
  created: '2026-05-03'
  modified: '2026-05-06'
binds:
- namespace: env
  keys:
    TANIUM_API_TOKEN: TANIUM_API_TOKEN
    TANIUM_SERVER: TANIUM_SERVER
capability:
  consumes:
  - type: http
    namespace: tanium-platform
    baseUri: https://{{TANIUM_SERVER}}
    description: Tanium Platform REST API for endpoint visibility and control
    authentication:
      type: apikey
      key: session
      value: '{{TANIUM_API_TOKEN}}'
      placement: header
    resources:
    - name: questions
      path: /api/v2/questions
      description: Create and manage endpoint questions
      operations:
      - name: create-question
        method: POST
        description: Create and ask a question across managed endpoints
        body:
          type: json
          data:
            query_text: '{{tools.query_text}}'
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: question-by-id
      path: /api/v2/questions/{id}
      description: Get a specific question
      operations:
      - name: get-question
        method: GET
        description: Get a question by ID
        inputParameters:
        - name: id
          in: path
          type: integer
          required: true
          description: Question ID
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: question-results
      path: /api/v2/result_data/question/{id}
      description: Get question results from endpoints
      operations:
      - name: get-question-results
        method: GET
        description: Get question results from endpoints
        inputParameters:
        - name: id
          in: path
          type: integer
          required: true
          description: Question ID
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: saved-questions
      path: /api/v2/saved_questions
      description: List saved questions
      operations:
      - name: list-saved-questions
        method: GET
        description: List all saved questions
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: saved-question-results
      path: /api/v2/result_data/saved_question/{id}
      description: Get results for a saved question
      operations:
      - name: get-saved-question-results
        method: GET
        description: Get latest results for a saved question
        inputParameters:
        - name: id
          in: path
          type: integer
          required: true
          description: Saved question ID
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: actions
      path: /api/v2/saved_actions
      description: Deploy actions to endpoints
      operations:
      - name: create-action
        method: POST
        description: Create and deploy an action to targeted endpoints
        body:
          type: json
          data:
            name: '{{tools.name}}'
            package_spec: '{{tools.package_spec}}'
            action_group: '{{tools.action_group}}'
            target_group: '{{tools.target_group}}'
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: packages
      path: /api/v2/packages
      description: Manage deployment packages
      operations:
      - name: list-packages
        method: GET
        description: List all deployment packages
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: sensors
      path: /api/v2/sensors
      description: Manage endpoint sensors
      operations:
      - name: list-sensors
        method: GET
        description: List all sensors
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: groups
      path: /api/v2/groups
      description: List computer groups
      operations:
      - name: list-groups
        method: GET
        description: List all computer groups
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
  - type: http
    namespace: tanium-threat-response
    baseUri: https://{{TANIUM_SERVER}}
    description: Tanium Threat Response API for incident investigations
    authentication:
      type: apikey
      key: session
      value: '{{TANIUM_API_TOKEN}}'
      placement: header
    resources:
    - name: alerts
      path: /plugin/products/threat-response/api/v1/alerts
      description: Manage threat alerts
      operations:
      - name: list-alerts
        method: GET
        description: List threat alerts
        inputParameters:
        - name: limit
          in: query
          type: integer
          required: false
          description: Maximum alerts to return
        - name: offset
          in: query
          type: integer
          required: false
          description: Pagination offset
        - name: state
          in: query
          type: string
          required: false
          description: Filter by alert state
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: connections
      path: /plugin/products/threat-response/api/v1/conns
      description: Live endpoint connections for investigations
      operations:
      - name: list-connections
        method: GET
        description: List endpoint investigation connections
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: create-connection
        method: POST
        description: Create a live connection to an endpoint
        body:
          type: json
          data:
            target: '{{tools.target}}'
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: events
      path: /plugin/products/threat-response/api/v1/conns/{cid}/events/{type}
      description: View Recorder events from endpoints
      operations:
      - name: list-events
        method: GET
        description: List events by type from an endpoint connection
        inputParameters:
        - name: cid
          in: path
          type: string
          required: true
          description: Connection ID
        - name: type
          in: path
          type: string
          required: true
          description: Event type (e.g., process, network, file)
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: process-tree
      path: /plugin/products/threat-response/api/v1/conns/{cid}/processtrees/{pid}
      description: Get process tree for a specific process
      operations:
      - name: get-process-tree
        method: GET
        description: Get the process tree for a specific process
        inputParameters:
        - name: cid
          in: path
          type: string
          required: true
          description: Connection ID
        - name: pid
          in: path
          type: integer
          required: true
          description: Process ID
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
  - type: http
    namespace: tanium-connect
    baseUri: https://{{TANIUM_SERVER}}
    description: Tanium Connect API for data pipeline management
    authentication:
      type: apikey
      key: session
      value: '{{TANIUM_API_TOKEN}}'
      placement: header
    resources:
    - name: connections
      path: /plugin/products/connect/v1/connections
      description: Manage data delivery connections
      operations:
      - name: list-connections
        method: GET
        description: List all data delivery connections
        inputParameters:
        - name: limit
          in: query
          type: integer
          required: false
          description: Maximum connections to return
        - name: offset
          in: query
          type: integer
          required: false
          description: Pagination offset
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: create-connection
        method: POST
        description: Create a new data delivery connection
        body:
          type: json
          data:
            name: '{{tools.name}}'
            source: '{{tools.source}}'
            destination: '{{tools.destination}}'
            schedule: '{{tools.schedule}}'
            enabled: '{{tools.enabled}}'
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: destinations
      path: /plugin/products/connect/v1/destinations
      description: Manage connection destinations
      operations:
      - name: list-destinations
        method: GET
        description: List all configured destinations
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
  exposes:
  - type: rest
    port: 8080
    namespace: tanium-endpoint-management-api
    description: Unified REST API for Tanium endpoint management, threat response, and data integration.
    resources:
    - path: /v1/questions
      name: questions
      description: Query endpoint state using natural language questions
      operations:
      - method: POST
        name: ask-question
        description: Ask a question to all managed endpoints
        call: tanium-platform.create-question
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/questions/{id}/results
      name: question-results
      description: Retrieve endpoint question results
      operations:
      - method: GET
        name: get-question-results
        description: Get results collected from endpoints for a question
        call: tanium-platform.get-question-results
        with:
          id: rest.id
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/saved-questions
      name: saved-questions
      description: Saved endpoint questions for recurring data collection
      operations:
      - method: GET
        name: list-saved-questions
        description: List all saved questions
        call: tanium-platform.list-saved-questions
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/saved-questions/{id}/results
      name: saved-question-results
      description: Results from saved questions
      operations:
      - method: GET
        name: get-saved-question-results
        description: Get latest results for a saved question
        call: tanium-platform.get-saved-question-results
        with:
          id: rest.id
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/actions
      name: actions
      description: Deploy actions and packages to endpoints
      operations:
      - method: POST
        name: deploy-action
        description: Deploy a package action to targeted endpoints
        call: tanium-platform.create-action
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/packages
      name: packages
      description: Endpoint deployment packages
      operations:
      - method: GET
        name: list-packages
        description: List all available deployment packages
        call: tanium-platform.list-packages
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/sensors
      name: sensors
      description: Endpoint data collection sensors
      operations:
      - method: GET
        name: list-sensors
        description: List all endpoint sensors
        call: tanium-platform.list-sensors
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/computer-groups
      name: computer-groups
      description: Endpoint targeting groups
      operations:
      - method: GET
        name: list-computer-groups
        description: List all computer groups for endpoint targeting
        call: tanium-platform.list-groups
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/alerts
      name: alerts
      description: Threat Response security alerts
      operations:
      - method: GET
        name: list-alerts
        description: List threat alerts from Threat Response
        call: tanium-threat-response.list-alerts
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/investigations
      name: investigations
      description: Live endpoint investigation connections
      operations:
      - method: GET
        name: list-investigations
        description: List active endpoint investigation connections
        call: tanium-threat-response.list-connections
        outputParameters:
        - type: object
          mapping: $.
      - method: POST
        name: start-investigation
        description: Start a live endpoint investigation connection
        call: tanium-threat-response.create-connection
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/data-connections
      name: data-connections
      description: Data export connections to downstream systems
      operations:
      - method: GET
        name: list-data-connections
        description: List data delivery connections
        call: tanium-connect.list-connections
        outputParameters:
        - type: object
          mapping: $.
      - method: POST
        name: create-data-connection
        description: Create a data delivery connection
        call: tanium-connect.create-connection
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    port: 9090
    namespace: tanium-endpoint-management-mcp
    transport: http
    description: MCP server for AI-assisted endpoint management, threat investigation, and security operations.
    tools:
    - name: ask-endpoint-question
      description: Ask a natural language question to all Tanium-managed endpoints (e.g., 'Get Running Processes from all
        machines')
      hints:
        readOnly: true
        idempotent: false
        openWorld: true
      call: tanium-platform.create-question
      with:
        query_text: tools.query_text
      outputParameters:
      - type: object
        mapping: $.
    - name: get-question-results
      description: Get endpoint data results for a question by ID
      hints:
        readOnly: true
        idempotent: true
        openWorld: true
      call: tanium-platform.get-question-results
      with:
        id: tools.id
      outputParameters:
      - type: object
        mapping: $.
    - name: list-saved-questions
      description: List all saved questions configured for recurring endpoint data collection
      hints:
        readOnly: true
        idempotent: true
        openWorld: true
      call: tanium-platform.list-saved-questions
      outputParameters:
      - type: object
        mapping: $.
    - name: get-saved-question-results
      description: Get the latest collected results from a saved recurring question
      hints:
        readOnly: true
        idempotent: true
        openWorld: true
      call: tanium-platform.get-saved-question-results
      with:
        id: tools.id
      outputParameters:
      - type: object
        mapping: $.
    - name: deploy-package-to-endpoints
      description: Deploy a package action to a targeted group of endpoints
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: tanium-platform.create-action
      with:
        name: tools.name
        package_spec: tools.package_spec
        action_group: tools.action_group
        target_group: tools.target_group
      outputParameters:
      - type: object
        mapping: $.
    - name: list-packages
      description: List all available deployment packages on the Tanium server
      hints:
        readOnly: true
        idempotent: true
        openWorld: true
      call: tanium-platform.list-packages
      outputParameters:
      - type: object
        mapping: $.
    - name: list-sensors
      description: List all endpoint sensors available for data collection in questions
      hints:
        readOnly: true
        idempotent: true
        openWorld: true
      call: tanium-platform.list-sensors
      outputParameters:
      - type: object
        mapping: $.
    - name: list-computer-groups
      description: List all computer groups for endpoint targeting in actions and questions
      hints:
        readOnly: true
        idempotent: true
        openWorld: true
      call: tanium-platform.list-groups
      outputParameters:
      - type: object
        mapping: $.
    - name: list-threat-alerts
      description: List threat alerts detected by Tanium Threat Response
      hints:
        readOnly: true
        idempotent: true
        openWorld: true
      call: tanium-threat-response.list-alerts
      outputParameters:
      - type: object
        mapping: $.
    - name: start-endpoint-investigation
      description: Start a live investigation connection to an endpoint for incident response
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: tanium-threat-response.create-connection
      with:
        target: tools.target
      outputParameters:
      - type: object
        mapping: $.
    - name: get-endpoint-events
      description: Get Recorder events from an endpoint connection (process, network, file events)
      hints:
        readOnly: true
        idempotent: true
        openWorld: true
      call: tanium-threat-response.list-events
      with:
        cid: tools.cid
        type: tools.type
      outputParameters:
      - type: object
        mapping: $.
    - name: get-process-tree
      description: Get the full process ancestry tree for a suspicious process on an endpoint
      hints:
        readOnly: true
        idempotent: true
        openWorld: true
      call: tanium-threat-response.get-process-tree
      with:
        cid: tools.cid
        pid: tools.pid
      outputParameters:
      - type: object
        mapping: $.
    - name: list-data-connections
      description: List all data delivery connections for exporting endpoint data to SIEM and other systems
      hints:
        readOnly: true
        idempotent: true
        openWorld: true
      call: tanium-connect.list-connections
      outputParameters:
      - type: object
        mapping: $.
    - name: create-data-connection
      description: Create a data delivery connection to export Tanium endpoint data to a downstream system
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: tanium-connect.create-connection
      with:
        name: tools.name
        source: tools.source
        destination: tools.destination
        schedule: tools.schedule
      outputParameters:
      - type: object
        mapping: $.