Tanium Threat Response API — Evidence

naftiko: 1.0.0-alpha2
info:
  label: Tanium Threat Response API — Evidence
  description: 'Tanium Threat Response API — Evidence. 5 operations. Lead operation: List Investigation Evidence. Self-contained
    Naftiko capability covering one Tanium business surface.'
  tags:
  - Tanium
  - Evidence
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
- namespace: env
  keys:
    TANIUM_API_KEY: TANIUM_API_KEY
capability:
  consumes:
  - type: http
    namespace: threat-response-evidence
    baseUri: https://{tanium_server}
    description: Tanium Threat Response API — Evidence business capability. Self-contained, no shared references.
    resources:
    - name: plugin-products-threat-response-api-v1-evidence
      path: /plugin/products/threat-response/api/v1/evidence
      operations:
      - name: listevidence
        method: GET
        description: List Investigation Evidence
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: limit
          in: query
          type: integer
          description: Maximum number of evidence items to return
        - name: offset
          in: query
          type: integer
          description: Number of evidence items to skip for pagination
        - name: sort
          in: query
          type: string
          description: Sort order for results
        - name: hostname
          in: query
          type: string
          description: Filter by endpoint hostname
        - name: type
          in: query
          type: string
          description: Filter by evidence type
      - name: createevidence
        method: POST
        description: Create Evidence From A Process
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: plugin-products-threat-response-api-v1-evidence-properties
      path: /plugin/products/threat-response/api/v1/evidence/properties
      operations:
      - name: getevidenceproperties
        method: GET
        description: Get Evidence Properties
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: plugin-products-threat-response-api-v1-evidence-evidenceId
      path: /plugin/products/threat-response/api/v1/evidence/{evidenceId}
      operations:
      - name: getevidence
        method: GET
        description: Get Evidence By ID
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: evidenceId
          in: path
          type: string
          description: Unique identifier of the evidence
          required: true
      - name: deleteevidence
        method: DELETE
        description: Delete Evidence
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: evidenceId
          in: path
          type: string
          description: Evidence ID or comma-separated list of evidence IDs
          required: true
    authentication:
      type: apikey
      key: session
      value: '{{env.TANIUM_API_KEY}}'
      placement: header
  exposes:
  - type: rest
    namespace: threat-response-evidence-rest
    port: 8080
    description: REST adapter for Tanium Threat Response API — Evidence. One Spectral-compliant resource per consumed operation,
      prefixed with /v1.
    resources:
    - path: /v1/plugin/products/threat-response/api/v1/evidence
      name: plugin-products-threat-response-api-v1-evidence
      description: REST surface for plugin-products-threat-response-api-v1-evidence.
      operations:
      - method: GET
        name: listevidence
        description: List Investigation Evidence
        call: threat-response-evidence.listevidence
        with:
          limit: rest.limit
          offset: rest.offset
          sort: rest.sort
          hostname: rest.hostname
          type: rest.type
        outputParameters:
        - type: object
          mapping: $.
      - method: POST
        name: createevidence
        description: Create Evidence From A Process
        call: threat-response-evidence.createevidence
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/plugin/products/threat-response/api/v1/evidence/properties
      name: plugin-products-threat-response-api-v1-evidence-properties
      description: REST surface for plugin-products-threat-response-api-v1-evidence-properties.
      operations:
      - method: GET
        name: getevidenceproperties
        description: Get Evidence Properties
        call: threat-response-evidence.getevidenceproperties
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/plugin/products/threat-response/api/v1/evidence/{evidenceid}
      name: plugin-products-threat-response-api-v1-evidence-evidenceid
      description: REST surface for plugin-products-threat-response-api-v1-evidence-evidenceId.
      operations:
      - method: GET
        name: getevidence
        description: Get Evidence By ID
        call: threat-response-evidence.getevidence
        with:
          evidenceId: rest.evidenceId
        outputParameters:
        - type: object
          mapping: $.
      - method: DELETE
        name: deleteevidence
        description: Delete Evidence
        call: threat-response-evidence.deleteevidence
        with:
          evidenceId: rest.evidenceId
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    namespace: threat-response-evidence-mcp
    port: 9090
    transport: http
    description: MCP adapter for Tanium Threat Response API — Evidence. One tool per consumed operation, routed inline through
      this capability's consumes block.
    tools:
    - name: list-investigation-evidence
      description: List Investigation Evidence
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: threat-response-evidence.listevidence
      with:
        limit: tools.limit
        offset: tools.offset
        sort: tools.sort
        hostname: tools.hostname
        type: tools.type
      outputParameters:
      - type: object
        mapping: $.
    - name: create-evidence-process
      description: Create Evidence From A Process
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: threat-response-evidence.createevidence
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: get-evidence-properties
      description: Get Evidence Properties
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: threat-response-evidence.getevidenceproperties
      outputParameters:
      - type: object
        mapping: $.
    - name: get-evidence-id
      description: Get Evidence By ID
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: threat-response-evidence.getevidence
      with:
        evidenceId: tools.evidenceId
      outputParameters:
      - type: object
        mapping: $.
    - name: delete-evidence
      description: Delete Evidence
      hints:
        readOnly: false
        destructive: true
        idempotent: true
      call: threat-response-evidence.deleteevidence
      with:
        evidenceId: tools.evidenceId
      outputParameters:
      - type: object
        mapping: $.