Tanium · Capability

Tanium Threat Response API — Intel Documents

Tanium Threat Response API — Intel Documents. 3 operations. Lead operation: Upload An Intel Document. Self-contained Naftiko capability covering one Tanium business surface.

Run with Naftiko TaniumIntel Documents

What You Can Do

POST
Uploadinteldocument — Upload An Intel Document
/v1/plugin/products/threat-response/api/v1/intels
GET
Listinteldocuments — List Intel Documents
/v1/plugin/products/threat-response/api/v1/intels
GET
Getinteldocument — Get An Intel Document By ID
/v1/plugin/products/threat-response/api/v1/intels/{inteldocid}

MCP Tools

upload-intel-document

Upload An Intel Document

list-intel-documents

List Intel Documents

read-only idempotent
get-intel-document-id

Get An Intel Document By ID

read-only idempotent

Capability Spec

threat-response-intel-documents.yaml Raw ↑ 
naftiko: 1.0.0-alpha2
info:
  label: Tanium Threat Response API — Intel Documents
  description: 'Tanium Threat Response API — Intel Documents. 3 operations. Lead operation: Upload An Intel Document. Self-contained
    Naftiko capability covering one Tanium business surface.'
  tags:
  - Tanium
  - Intel Documents
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
- namespace: env
  keys:
    TANIUM_API_KEY: TANIUM_API_KEY
capability:
  consumes:
  - type: http
    namespace: threat-response-intel-documents
    baseUri: https://{tanium_server}
    description: Tanium Threat Response API — Intel Documents business capability. Self-contained, no shared references.
    resources:
    - name: plugin-products-threat-response-api-v1-intels
      path: /plugin/products/threat-response/api/v1/intels
      operations:
      - name: uploadinteldocument
        method: POST
        description: Upload An Intel Document
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
      - name: listinteldocuments
        method: GET
        description: List Intel Documents
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: limit
          in: query
          type: integer
          description: Maximum number of intel documents to return
        - name: offset
          in: query
          type: integer
          description: Number of intel documents to skip for pagination
        - name: name
          in: query
          type: string
          description: Filter by intel document name
        - name: description
          in: query
          type: string
          description: Filter by description text
        - name: type
          in: query
          type: string
          description: Filter by intel document type
        - name: label_id
          in: query
          type: integer
          description: Filter by associated label identifier
        - name: mitre_technique_id
          in: query
          type: string
          description: Filter by MITRE ATT&CK technique ID
    - name: plugin-products-threat-response-api-v1-intels-intelDocId
      path: /plugin/products/threat-response/api/v1/intels/{intelDocId}
      operations:
      - name: getinteldocument
        method: GET
        description: Get An Intel Document By ID
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: intelDocId
          in: path
          type: integer
          description: Unique identifier of the intel document
          required: true
    authentication:
      type: apikey
      key: session
      value: '{{env.TANIUM_API_KEY}}'
      placement: header
  exposes:
  - type: rest
    namespace: threat-response-intel-documents-rest
    port: 8080
    description: REST adapter for Tanium Threat Response API — Intel Documents. One Spectral-compliant resource per consumed
      operation, prefixed with /v1.
    resources:
    - path: /v1/plugin/products/threat-response/api/v1/intels
      name: plugin-products-threat-response-api-v1-intels
      description: REST surface for plugin-products-threat-response-api-v1-intels.
      operations:
      - method: POST
        name: uploadinteldocument
        description: Upload An Intel Document
        call: threat-response-intel-documents.uploadinteldocument
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
      - method: GET
        name: listinteldocuments
        description: List Intel Documents
        call: threat-response-intel-documents.listinteldocuments
        with:
          limit: rest.limit
          offset: rest.offset
          name: rest.name
          description: rest.description
          type: rest.type
          label_id: rest.label_id
          mitre_technique_id: rest.mitre_technique_id
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/plugin/products/threat-response/api/v1/intels/{inteldocid}
      name: plugin-products-threat-response-api-v1-intels-inteldocid
      description: REST surface for plugin-products-threat-response-api-v1-intels-intelDocId.
      operations:
      - method: GET
        name: getinteldocument
        description: Get An Intel Document By ID
        call: threat-response-intel-documents.getinteldocument
        with:
          intelDocId: rest.intelDocId
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    namespace: threat-response-intel-documents-mcp
    port: 9090
    transport: http
    description: MCP adapter for Tanium Threat Response API — Intel Documents. One tool per consumed operation, routed inline
      through this capability's consumes block.
    tools:
    - name: upload-intel-document
      description: Upload An Intel Document
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: threat-response-intel-documents.uploadinteldocument
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: list-intel-documents
      description: List Intel Documents
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: threat-response-intel-documents.listinteldocuments
      with:
        limit: tools.limit
        offset: tools.offset
        name: tools.name
        description: tools.description
        type: tools.type
        label_id: tools.label_id
        mitre_technique_id: tools.mitre_technique_id
      outputParameters:
      - type: object
        mapping: $.
    - name: get-intel-document-id
      description: Get An Intel Document By ID
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: threat-response-intel-documents.getinteldocument
      with:
        intelDocId: tools.intelDocId
      outputParameters:
      - type: object
        mapping: $.