Tanium · Capability
Tanium Threat Response API — Alerts
Tanium Threat Response API — Alerts. 3 operations. Lead operation: List Threat Alerts. Self-contained Naftiko capability covering one Tanium business surface.
What You Can Do
GET
Listalerts
— List Threat Alerts
/v1/plugin/products/threat-response/api/v1/alerts
GET
Getalert
— Get An Alert By ID
/v1/plugin/products/threat-response/api/v1/alerts/{alertid}
PUT
Updatealertstate
— Update Alert State
/v1/plugin/products/threat-response/api/v1/alerts/{alertid}
MCP Tools
list-threat-alerts
List Threat Alerts
read-only
idempotent
get-alert-id
Get An Alert By ID
read-only
idempotent
update-alert-state
Update Alert State
idempotent
Capability Spec
# Naftiko capability spec: format version plus descriptive metadata.
# Nothing in this stanza affects routing or authentication.
naftiko: '1.0.0-alpha2'
info:
  label: Tanium Threat Response API — Alerts
  description: >-
    Tanium Threat Response API — Alerts. 3 operations. Lead operation: List
    Threat Alerts. Self-contained Naftiko capability covering one Tanium
    business surface.
  tags:
    - Tanium
    - Alerts
  # Dates are quoted so they stay strings rather than being parsed as dates.
  created: '2026-05-19'
  modified: '2026-05-19'
# Secret binding: the Tanium credential is taken from the process
# environment (namespace `env`) instead of being written into this file.
# The spec refers to it as {{env.TANIUM_API_KEY}} in the consumes
# authentication stanza.
# NOTE(review): keep the token out of version control and scope it to the
# alert operations this capability needs; every request made through the
# capability is sent with this one credential.
binds:
  - namespace: env
    keys:
      TANIUM_API_KEY: TANIUM_API_KEY
# Capability body: one consumed Tanium HTTP API (three operations) and two
# adapters that re-expose those operations, a REST listener and an MCP
# tool server.
capability:
  consumes:
    - type: http
      namespace: threat-response-alerts
      # NOTE(review): {tanium_server} is not bound anywhere in this file
      # (binds only declares TANIUM_API_KEY). Confirm how it is resolved
      # and that it can only resolve to the intended Tanium server, since
      # the API token below is sent to whatever host this becomes.
      baseUri: 'https://{tanium_server}'
      description: >-
        Tanium Threat Response API — Alerts business capability.
        Self-contained, no shared references.
      resources:
        - name: plugin-products-threat-response-api-v1-alerts
          path: /plugin/products/threat-response/api/v1/alerts
          operations:
            # Read-only listing; every filter is passed as a query parameter.
            - name: listalerts
              method: GET
              description: List Threat Alerts
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: '$.'
              inputParameters:
                - name: limit
                  in: query
                  type: integer
                  description: Maximum number of alerts to return
                - name: offset
                  in: query
                  type: integer
                  description: Number of alerts to skip for pagination
                - name: computer_ip_address
                  in: query
                  type: string
                  description: Filter by computer IP address
                - name: computer_name
                  in: query
                  type: string
                  description: Filter by computer hostname
                - name: scan_config_id
                  in: query
                  type: integer
                  description: Filter by scan configuration identifier
                - name: intel_doc_id
                  in: query
                  type: integer
                  description: Filter by intel document identifier
                - name: severity
                  in: query
                  type: string
                  description: Filter by alert severity
                - name: priority
                  in: query
                  type: string
                  description: Filter by alert priority
                - name: type
                  in: query
                  type: string
                  description: Filter by alert type
                - name: state
                  in: query
                  type: string
                  description: Filter by alert state
        - name: plugin-products-threat-response-api-v1-alerts-alertId
          path: '/plugin/products/threat-response/api/v1/alerts/{alertId}'
          operations:
            - name: getalert
              method: GET
              description: Get An Alert By ID
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: '$.'
              inputParameters:
                - name: alertId
                  in: path
                  type: integer
                  description: Unique identifier of the alert
                  required: true
            # The only state-changing operation in this capability.
            - name: updatealertstate
              method: PUT
              description: Update Alert State
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: '$.'
              inputParameters:
                # Typed string here (integer for getalert) because the value
                # may be a comma-separated list: one call can change the
                # state of many alerts.
                - name: alertId
                  in: path
                  type: string
                  description: Alert ID or comma-separated list of alert IDs
                  required: true
                # NOTE(review): the body is an untyped object forwarded
                # as-is; no schema restricts which fields or state values a
                # caller may send. Consider declaring the allowed fields.
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: true
      # The value of env TANIUM_API_KEY is sent in a request header named
      # `session`. It is the only credential declared in this spec, so
      # calls arriving through either adapter below go upstream with it.
      authentication:
        type: apikey
        key: session
        value: '{{env.TANIUM_API_KEY}}'
        placement: header
  exposes:
    # REST adapter on port 8080.
    # NOTE(review): no authentication is declared on this adapter in this
    # spec. Unless the runtime or the network enforces it, anyone who can
    # reach the port can read alerts and change alert state with the
    # Tanium token's permissions. Confirm the listener's exposure.
    - type: rest
      namespace: threat-response-alerts-rest
      port: 8080
      description: >-
        REST adapter for Tanium Threat Response API — Alerts. One
        Spectral-compliant resource per consumed operation, prefixed with
        /v1.
      resources:
        - path: /v1/plugin/products/threat-response/api/v1/alerts
          name: plugin-products-threat-response-api-v1-alerts
          description: REST surface for plugin-products-threat-response-api-v1-alerts.
          operations:
            - method: GET
              name: listalerts
              description: List Threat Alerts
              call: threat-response-alerts.listalerts
              with:
                limit: rest.limit
                offset: rest.offset
                computer_ip_address: rest.computer_ip_address
                computer_name: rest.computer_name
                scan_config_id: rest.scan_config_id
                intel_doc_id: rest.intel_doc_id
                severity: rest.severity
                priority: rest.priority
                type: rest.type
                state: rest.state
              outputParameters:
                - type: object
                  mapping: '$.'
        # NOTE(review): the path template names the parameter `alertid`
        # while both mappings below read `rest.alertId`. Confirm the
        # runtime binds these case-insensitively; otherwise alertId is
        # never populated.
        - path: '/v1/plugin/products/threat-response/api/v1/alerts/{alertid}'
          name: plugin-products-threat-response-api-v1-alerts-alertid
          description: REST surface for plugin-products-threat-response-api-v1-alerts-alertId.
          operations:
            - method: GET
              name: getalert
              description: Get An Alert By ID
              call: threat-response-alerts.getalert
              with:
                alertId: rest.alertId
              outputParameters:
                - type: object
                  mapping: '$.'
            # State-changing route: forwards the caller's alertId (possibly
            # a list) and raw body to the upstream PUT.
            - method: PUT
              name: updatealertstate
              description: Update Alert State
              call: threat-response-alerts.updatealertstate
              with:
                alertId: rest.alertId
                body: rest.body
              outputParameters:
                - type: object
                  mapping: '$.'
    # MCP adapter on port 9090 over HTTP transport.
    # NOTE(review): as with the REST adapter, no authentication is declared
    # here. An MCP client that can reach this port gets all three tools.
    - type: mcp
      namespace: threat-response-alerts-mcp
      port: 9090
      transport: http
      description: >-
        MCP adapter for Tanium Threat Response API — Alerts. One tool per
        consumed operation, routed inline through this capability's
        consumes block.
      tools:
        - name: list-threat-alerts
          description: List Threat Alerts
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: threat-response-alerts.listalerts
          with:
            limit: tools.limit
            offset: tools.offset
            computer_ip_address: tools.computer_ip_address
            computer_name: tools.computer_name
            scan_config_id: tools.scan_config_id
            intel_doc_id: tools.intel_doc_id
            severity: tools.severity
            priority: tools.priority
            type: tools.type
            state: tools.state
          outputParameters:
            - type: object
              mapping: '$.'
        - name: get-alert-id
          description: Get An Alert By ID
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: threat-response-alerts.getalert
          with:
            alertId: tools.alertId
          outputParameters:
            - type: object
              mapping: '$.'
        # The one tool that writes. It overwrites alert state, accepts a
        # comma-separated list of IDs, and takes a free-form body.
        # NOTE(review): `destructive: false` is a hint clients may use to
        # decide whether to ask for confirmation. Changing triage state
        # replaces the previous value rather than adding to it, so confirm
        # this hint matches how the tool should be gated, and consider
        # requiring approval and logging for calls to it.
        - name: update-alert-state
          description: Update Alert State
          hints:
            readOnly: false
            destructive: false
            idempotent: true
          call: threat-response-alerts.updatealertstate
          with:
            alertId: tools.alertId
            body: tools.body
          outputParameters:
            - type: object
              mapping: '$.'