Tanium · Capability

Tanium Threat Response API — Connections

Tanium Threat Response API — Connections. 5 operations. Lead operation: List Endpoint Connections. Self-contained Naftiko capability covering one Tanium business surface.

Run with Naftiko TaniumConnections

What You Can Do

GET
Listconnections — List Endpoint Connections
/v1/plugin/products/threat-response/api/v1/conns
POST
Closeconnection — Close A Live Connection
/v1/plugin/products/threat-response/api/v1/conns/close/{connectionid}
POST
Createconnection — Create A Live Connection To An Endpoint
/v1/plugin/products/threat-response/api/v1/conns/connect
DELETE
Deleteconnection — Delete A Connection Record
/v1/plugin/products/threat-response/api/v1/conns/delete/{connectionid}
GET
Getconnection — Get A Connection By ID
/v1/plugin/products/threat-response/api/v1/conns/{connectionid}

MCP Tools

list-endpoint-connections

List Endpoint Connections

read-only idempotent
close-live-connection

Close A Live Connection

create-live-connection-endpoint

Create A Live Connection To An Endpoint

delete-connection-record

Delete A Connection Record

idempotent
get-connection-id

Get A Connection By ID

read-only idempotent

Capability Spec

threat-response-connections.yaml Raw ↑ 
naftiko: 1.0.0-alpha2
info:
  label: Tanium Threat Response API — Connections
  description: 'Tanium Threat Response API — Connections. 5 operations. Lead operation: List Endpoint Connections. Self-contained
    Naftiko capability covering one Tanium business surface.'
  tags:
  - Tanium
  - Connections
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
- namespace: env
  keys:
    TANIUM_API_KEY: TANIUM_API_KEY
capability:
  consumes:
  - type: http
    namespace: threat-response-connections
    baseUri: https://{tanium_server}
    description: Tanium Threat Response API — Connections business capability. Self-contained, no shared references.
    resources:
    - name: plugin-products-threat-response-api-v1-conns
      path: /plugin/products/threat-response/api/v1/conns
      operations:
      - name: listconnections
        method: GET
        description: List Endpoint Connections
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: limit
          in: query
          type: integer
          description: Maximum number of connections to return
        - name: offset
          in: query
          type: integer
          description: Number of connections to skip for pagination
        - name: status
          in: query
          type: string
          description: Filter by connection status
        - name: ip
          in: query
          type: string
          description: Filter by endpoint IP address
        - name: platform
          in: query
          type: string
          description: Filter by endpoint platform
        - name: hostname
          in: query
          type: string
          description: Filter by endpoint hostname
    - name: plugin-products-threat-response-api-v1-conns-close-connectionId
      path: /plugin/products/threat-response/api/v1/conns/close/{connectionId}
      operations:
      - name: closeconnection
        method: POST
        description: Close A Live Connection
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: connectionId
          in: path
          type: string
          description: Unique identifier of the connection to close
          required: true
    - name: plugin-products-threat-response-api-v1-conns-connect
      path: /plugin/products/threat-response/api/v1/conns/connect
      operations:
      - name: createconnection
        method: POST
        description: Create A Live Connection To An Endpoint
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: plugin-products-threat-response-api-v1-conns-delete-connectionId
      path: /plugin/products/threat-response/api/v1/conns/delete/{connectionId}
      operations:
      - name: deleteconnection
        method: DELETE
        description: Delete A Connection Record
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: connectionId
          in: path
          type: string
          description: Unique identifier of the connection to delete
          required: true
    - name: plugin-products-threat-response-api-v1-conns-connectionId
      path: /plugin/products/threat-response/api/v1/conns/{connectionId}
      operations:
      - name: getconnection
        method: GET
        description: Get A Connection By ID
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: connectionId
          in: path
          type: string
          description: Unique identifier of the connection
          required: true
    authentication:
      type: apikey
      key: session
      value: '{{env.TANIUM_API_KEY}}'
      placement: header
  exposes:
  - type: rest
    namespace: threat-response-connections-rest
    port: 8080
    description: REST adapter for Tanium Threat Response API — Connections. One Spectral-compliant resource per consumed operation,
      prefixed with /v1.
    resources:
    - path: /v1/plugin/products/threat-response/api/v1/conns
      name: plugin-products-threat-response-api-v1-conns
      description: REST surface for plugin-products-threat-response-api-v1-conns.
      operations:
      - method: GET
        name: listconnections
        description: List Endpoint Connections
        call: threat-response-connections.listconnections
        with:
          limit: rest.limit
          offset: rest.offset
          status: rest.status
          ip: rest.ip
          platform: rest.platform
          hostname: rest.hostname
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/plugin/products/threat-response/api/v1/conns/close/{connectionid}
      name: plugin-products-threat-response-api-v1-conns-close-connectionid
      description: REST surface for plugin-products-threat-response-api-v1-conns-close-connectionId.
      operations:
      - method: POST
        name: closeconnection
        description: Close A Live Connection
        call: threat-response-connections.closeconnection
        with:
          connectionId: rest.connectionId
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/plugin/products/threat-response/api/v1/conns/connect
      name: plugin-products-threat-response-api-v1-conns-connect
      description: REST surface for plugin-products-threat-response-api-v1-conns-connect.
      operations:
      - method: POST
        name: createconnection
        description: Create A Live Connection To An Endpoint
        call: threat-response-connections.createconnection
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/plugin/products/threat-response/api/v1/conns/delete/{connectionid}
      name: plugin-products-threat-response-api-v1-conns-delete-connectionid
      description: REST surface for plugin-products-threat-response-api-v1-conns-delete-connectionId.
      operations:
      - method: DELETE
        name: deleteconnection
        description: Delete A Connection Record
        call: threat-response-connections.deleteconnection
        with:
          connectionId: rest.connectionId
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/plugin/products/threat-response/api/v1/conns/{connectionid}
      name: plugin-products-threat-response-api-v1-conns-connectionid
      description: REST surface for plugin-products-threat-response-api-v1-conns-connectionId.
      operations:
      - method: GET
        name: getconnection
        description: Get A Connection By ID
        call: threat-response-connections.getconnection
        with:
          connectionId: rest.connectionId
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    namespace: threat-response-connections-mcp
    port: 9090
    transport: http
    description: MCP adapter for Tanium Threat Response API — Connections. One tool per consumed operation, routed inline
      through this capability's consumes block.
    tools:
    - name: list-endpoint-connections
      description: List Endpoint Connections
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: threat-response-connections.listconnections
      with:
        limit: tools.limit
        offset: tools.offset
        status: tools.status
        ip: tools.ip
        platform: tools.platform
        hostname: tools.hostname
      outputParameters:
      - type: object
        mapping: $.
    - name: close-live-connection
      description: Close A Live Connection
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: threat-response-connections.closeconnection
      with:
        connectionId: tools.connectionId
      outputParameters:
      - type: object
        mapping: $.
    - name: create-live-connection-endpoint
      description: Create A Live Connection To An Endpoint
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: threat-response-connections.createconnection
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: delete-connection-record
      description: Delete A Connection Record
      hints:
        readOnly: false
        destructive: true
        idempotent: true
      call: threat-response-connections.deleteconnection
      with:
        connectionId: tools.connectionId
      outputParameters:
      - type: object
        mapping: $.
    - name: get-connection-id
      description: Get A Connection By ID
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: threat-response-connections.getconnection
      with:
        connectionId: tools.connectionId
      outputParameters:
      - type: object
        mapping: $.