Tanium Threat Response API
The Tanium Threat Response REST API enables starting investigations, viewing Recorder events, gathering evidence, and performing file and directory operations on endpoints for threat detection and incident response.
openapi: 3.1.0
info:
title: Tanium Threat Response API
description: >-
The Tanium Threat Response REST API enables starting investigations, viewing
Recorder events, gathering evidence, and performing file and directory
operations on endpoints for threat detection and incident response. All
endpoints are under the /plugin/products/threat-response/api/v1/ base path.
version: 1.0.0
contact:
name: Tanium Support
url: https://community.tanium.com/s/
license:
name: Proprietary
url: https://www.tanium.com/terms-of-use/
x-date: '2026-03-04'
servers:
- url: https://{tanium_server}
description: Tanium Server
variables:
tanium_server:
default: tanium.example.com
description: Hostname or IP address of the Tanium server
security:
- apiToken: []
tags:
- name: Alerts
description: Manage threat alerts
- name: Connections
description: Manage live endpoint connections for investigations
- name: Events
description: Retrieve Recorder events from endpoints
- name: Evidence
description: Collect and manage investigation evidence
- name: File Downloads
description: Download and manage files from endpoints
- name: File Operations
description: Browse and manage files on connected endpoints
- name: Intel Documents
description: Manage threat intelligence documents
- name: Labels
description: Manage classification labels for intel documents
- name: Processes
description: Inspect endpoint processes and process trees
- name: Snapshots
description: Capture and manage endpoint memory snapshots
- name: Status
description: Threat Response service status
paths:
/plugin/products/threat-response/api/v1/status:
get:
operationId: getThreatResponseStatus
summary: Get Threat Response Service Status
description: >-
Returns the current status of the Tanium Threat Response service
including version information and operational state.
tags:
- Status
responses:
'200':
description: Status retrieved successfully
content:
application/json:
schema:
type: object
properties:
data:
type: object
properties:
version:
type: string
description: Threat Response version
status:
type: string
description: Service operational status
'401':
description: Authentication required
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
/plugin/products/threat-response/api/v1/alerts:
get:
operationId: listAlerts
summary: List Threat Alerts
description: >-
Retrieves a paginated list of threat alerts. Alerts can be filtered by
computer name, IP address, severity, priority, type, state, and
associated intel document or scan configuration.
tags:
- Alerts
parameters:
- name: limit
in: query
description: Maximum number of alerts to return
schema:
type: integer
- name: offset
in: query
description: Number of alerts to skip for pagination
schema:
type: integer
- name: computer_ip_address
in: query
description: Filter by computer IP address
schema:
type: string
- name: computer_name
in: query
description: Filter by computer hostname
schema:
type: string
- name: scan_config_id
in: query
description: Filter by scan configuration identifier
schema:
type: integer
- name: intel_doc_id
in: query
description: Filter by intel document identifier
schema:
type: integer
- name: severity
in: query
description: Filter by alert severity
schema:
type: string
- name: priority
in: query
description: Filter by alert priority
schema:
type: string
- name: type
in: query
description: Filter by alert type
schema:
type: string
- name: state
in: query
description: Filter by alert state
schema:
type: string
enum:
- unresolved
- inprogress
- resolved
- dismissed
- ignored
responses:
'200':
description: Alerts retrieved successfully
content:
application/json:
schema:
type: object
properties:
data:
type: array
items:
$ref: '#/components/schemas/Alert'
'401':
description: Authentication required
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
/plugin/products/threat-response/api/v1/alerts/{alertId}:
get:
operationId: getAlert
summary: Get An Alert By ID
description: >-
Retrieves the full details of a specific alert including associated
computer information, intel document references, and current state.
tags:
- Alerts
parameters:
- name: alertId
in: path
required: true
description: Unique identifier of the alert
schema:
type: integer
responses:
'200':
description: Alert retrieved successfully
content:
application/json:
schema:
type: object
properties:
data:
$ref: '#/components/schemas/Alert'
'404':
description: Alert not found
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
put:
operationId: updateAlertState
summary: Update Alert State
description: >-
Updates the state of one or more alerts. Multiple alert IDs can be
provided as a comma-separated list in the path. Valid states are
unresolved, inprogress, resolved, dismissed, and ignored.
tags:
- Alerts
parameters:
- name: alertId
in: path
required: true
description: Alert ID or comma-separated list of alert IDs
schema:
type: string
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- state
properties:
state:
type: string
enum:
- unresolved
- inprogress
- resolved
- dismissed
- ignored
description: New state for the alert(s)
responses:
'200':
description: Alert state updated successfully
'400':
description: Invalid state value
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
'404':
description: Alert not found
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
/plugin/products/threat-response/api/v1/conns:
get:
operationId: listConnections
summary: List Endpoint Connections
description: >-
Retrieves a paginated list of live connections to endpoints. Connections
can be filtered by status, IP address, platform, and hostname.
tags:
- Connections
parameters:
- name: limit
in: query
description: Maximum number of connections to return
schema:
type: integer
- name: offset
in: query
description: Number of connections to skip for pagination
schema:
type: integer
- name: status
in: query
description: Filter by connection status
schema:
type: string
- name: ip
in: query
description: Filter by endpoint IP address
schema:
type: string
- name: platform
in: query
description: Filter by endpoint platform
schema:
type: string
- name: hostname
in: query
description: Filter by endpoint hostname
schema:
type: string
responses:
'200':
description: Connections retrieved successfully
content:
application/json:
schema:
type: object
properties:
data:
type: array
items:
$ref: '#/components/schemas/Connection'
'401':
description: Authentication required
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
/plugin/products/threat-response/api/v1/conns/connect:
post:
operationId: createConnection
summary: Create A Live Connection To An Endpoint
description: >-
Initiates a live connection to a specified endpoint for investigation
purposes. Requires the client ID, IP, platform, and hostname of the
target endpoint.
tags:
- Connections
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- client_id
- ip
- platform
- hostname
properties:
client_id:
type: string
description: Tanium client identifier of the endpoint
ip:
type: string
description: IP address of the endpoint
platform:
type: string
description: Operating system platform
hostname:
type: string
description: Hostname of the endpoint
responses:
'200':
description: Connection initiated successfully
content:
application/json:
schema:
type: object
properties:
data:
$ref: '#/components/schemas/Connection'
'400':
description: Invalid connection parameters
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
/plugin/products/threat-response/api/v1/conns/{connectionId}:
get:
operationId: getConnection
summary: Get A Connection By ID
description: >-
Retrieves the details and current status of a specific endpoint
connection.
tags:
- Connections
parameters:
- name: connectionId
in: path
required: true
description: Unique identifier of the connection
schema:
type: string
responses:
'200':
description: Connection retrieved successfully
content:
application/json:
schema:
type: object
properties:
data:
$ref: '#/components/schemas/Connection'
'404':
description: Connection not found
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
/plugin/products/threat-response/api/v1/conns/close/{connectionId}:
post:
operationId: closeConnection
summary: Close A Live Connection
description: >-
Closes an active live connection to an endpoint, ending the
investigation session.
tags:
- Connections
parameters:
- name: connectionId
in: path
required: true
description: Unique identifier of the connection to close
schema:
type: string
responses:
'200':
description: Connection closed successfully
'404':
description: Connection not found
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
/plugin/products/threat-response/api/v1/conns/delete/{connectionId}:
delete:
operationId: deleteConnection
summary: Delete A Connection Record
description: >-
Permanently deletes a connection record from the Threat Response
database.
tags:
- Connections
parameters:
- name: connectionId
in: path
required: true
description: Unique identifier of the connection to delete
schema:
type: string
responses:
'200':
description: Connection deleted successfully
'404':
description: Connection not found
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
/plugin/products/threat-response/api/v1/conns/{connectionId}/snapshot:
post:
operationId: createSnapshot
summary: Create An Endpoint Snapshot
description: >-
Initiates a snapshot capture from a connected endpoint. The snapshot
captures a point-in-time image of endpoint Recorder data for offline
analysis.
tags:
- Snapshots
parameters:
- name: connectionId
in: path
required: true
description: Unique identifier of the connection
schema:
type: string
responses:
'200':
description: Snapshot creation initiated
content:
application/json:
schema:
type: object
properties:
data:
$ref: '#/components/schemas/SnapshotTask'
'404':
description: Connection not found
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
/plugin/products/threat-response/api/v1/snapshot:
get:
operationId: listSnapshots
summary: List All Snapshots
description: >-
Retrieves a paginated list of all endpoint snapshots captured for
investigations.
tags:
- Snapshots
parameters:
- name: limit
in: query
description: Maximum number of snapshots to return
schema:
type: integer
- name: offset
in: query
description: Number of snapshots to skip for pagination
schema:
type: integer
responses:
'200':
description: Snapshots retrieved successfully
content:
application/json:
schema:
type: object
properties:
data:
type: array
items:
$ref: '#/components/schemas/Snapshot'
'401':
description: Authentication required
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
delete:
operationId: deleteSnapshots
summary: Delete Snapshots
description: >-
Deletes one or more snapshots by their identifiers. Provide snapshot
IDs in the request body.
tags:
- Snapshots
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- ids
properties:
ids:
type: array
items:
type: string
description: List of snapshot IDs to delete
responses:
'200':
description: Snapshots deleted successfully
'404':
description: One or more snapshots not found
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
/plugin/products/threat-response/api/v1/snapshot/{snapshotId}:
delete:
operationId: deleteLocalSnapshot
summary: Delete A Local Snapshot
description: >-
Deletes a specific snapshot stored locally on the Tanium server,
freeing disk space.
tags:
- Snapshots
parameters:
- name: snapshotId
in: path
required: true
description: Unique identifier of the snapshot to delete
schema:
type: string
responses:
'200':
description: Local snapshot deleted successfully
'404':
description: Snapshot not found
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
/plugin/products/threat-response/api/v1/conns/{connectionId}/views/{eventType}/events:
get:
operationId: listEvents
summary: List Events By Type
description: >-
Retrieves Recorder events from a connected endpoint filtered by event
type. Supported event types include File, Network, Registry, Process,
Driver, Combined, DNS, and Image.
tags:
- Events
parameters:
- name: connectionId
in: path
required: true
description: Unique identifier of the connection
schema:
type: string
- name: eventType
in: path
required: true
description: Type of events to retrieve
schema:
type: string
enum:
- File
- Network
- Registry
- Process
- Driver
- Combined
- DNS
- Image
- name: limit
in: query
description: Maximum number of events to return
schema:
type: integer
- name: offset
in: query
description: Number of events to skip for pagination
schema:
type: integer
- name: filter
in: query
description: Filter expression for events
schema:
type: string
- name: match
in: query
description: Match mode for filter expression
schema:
type: string
- name: sort
in: query
description: Sort order for results
schema:
type: string
- name: fields
in: query
description: Comma-separated list of fields to include
schema:
type: string
responses:
'200':
description: Events retrieved successfully
content:
application/json:
schema:
type: object
properties:
data:
type: array
items:
$ref: '#/components/schemas/Event'
'404':
description: Connection not found
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
/plugin/products/threat-response/api/v1/conns/{connectionId}/views/{eventType}/eventsCount:
get:
operationId: getEventsSummary
summary: Get Events Count Summary
description: >-
Returns a summary count of Recorder events by type for a specific
connection, useful for understanding the volume of activity on an
endpoint.
tags:
- Events
parameters:
- name: connectionId
in: path
required: true
description: Unique identifier of the connection
schema:
type: string
- name: eventType
in: path
required: true
description: Type of events to count
schema:
type: string
enum:
- File
- Network
- Registry
- Process
- Driver
- Combined
- DNS
- Image
responses:
'200':
description: Event count retrieved successfully
content:
application/json:
schema:
type: object
properties:
data:
type: object
properties:
count:
type: integer
description: Total number of events of the specified type
'404':
description: Connection not found
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
/plugin/products/threat-response/api/v1/conns/{connectionId}/processevents/{processTableId}/{eventType}:
get:
operationId: getProcessEvents
summary: Get Events For A Specific Process
description: >-
Retrieves events associated with a specific process on a connected
endpoint, identified by its process table ID and event type.
tags:
- Processes
parameters:
- name: connectionId
in: path
required: true
description: Unique identifier of the connection
schema:
type: string
- name: processTableId
in: path
required: true
description: Process table identifier
schema:
type: string
- name: eventType
in: path
required: true
description: Type of events to retrieve for the process
schema:
type: string
enum:
- File
- Network
- Registry
- Process
- Driver
- DNS
- Image
- name: limit
in: query
description: Maximum number of events to return
schema:
type: integer
- name: offset
in: query
description: Number of events to skip for pagination
schema:
type: integer
responses:
'200':
description: Process events retrieved successfully
content:
application/json:
schema:
type: object
properties:
data:
type: array
items:
$ref: '#/components/schemas/ProcessEvent'
'404':
description: Connection or process not found
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
/plugin/products/threat-response/api/v1/conns/{connectionId}/processtrees/{processTableId}:
get:
operationId: getProcessTree
summary: Get A Process Tree
description: >-
Retrieves the process tree for a specific process, showing parent,
child, and sibling processes. Useful for understanding process
lineage during investigations.
tags:
- Processes
parameters:
- name: connectionId
in: path
required: true
description: Unique identifier of the connection
schema:
type: string
- name: processTableId
in: path
required: true
description: Process table identifier
schema:
type: string
- name: context
in: query
description: Context level for the process tree
schema:
type: string
enum:
- parent
- node
- siblings
- children
responses:
'200':
description: Process tree retrieved successfully
content:
application/json:
schema:
type: object
properties:
data:
type: array
items:
$ref: '#/components/schemas/ProcessInfo'
'404':
description: Connection or process not found
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
/plugin/products/threat-response/api/v1/filedownload:
get:
operationId: listFileDownloads
summary: List File Downloads
description: >-
Retrieves a paginated list of files that have been downloaded from
endpoints during investigations.
tags:
- File Downloads
parameters:
- name: limit
in: query
description: Maximum number of file downloads to return
schema:
type: integer
- name: offset
in: query
description: Number of file downloads to skip for pagination
schema:
type: integer
- name: sort
in: query
description: Sort order for results
schema:
type: string
- name: hostname
in: query
description: Filter by source endpoint hostname
schema:
type: string
- name: hash
in: query
description: Filter by file hash
schema:
type: string
responses:
'200':
description: File downloads retrieved successfully
content:
application/json:
schema:
type: object
properties:
data:
type: array
items:
$ref: '#/components/schemas/FileDownload'
'401':
description: Authentication required
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
/plugin/products/threat-response/api/v1/filedownload/{fileId}:
get:
operationId: getFileDownload
summary: Get File Download Metadata
description: >-
Retrieves metadata for a specific downloaded file, including hash
values, size, and origin information.
tags:
- File Downloads
parameters:
- name: fileId
in: path
required: true
description: Unique identifier of the downloaded file
schema:
type: string
responses:
'200':
description: File download metadata retrieved successfully
content:
application/json:
schema:
type: object
properties:
data:
$ref: '#/components/schemas/FileDownload'
'404':
description: File download not found
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
delete:
operationId: deleteFileDownload
summary: Delete A Downloaded File
description: >-
Deletes a previously downloaded file from the Tanium server, freeing
storage space.
tags:
- File Downloads
parameters:
- name: fileId
in: path
required: true
description: Unique identifier of the file to delete
schema:
type: string
responses:
'200':
description: File download deleted successfully
'404':
description: File download not found
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
/plugin/products/threat-response/api/v1/filedownload/data/{fileId}:
get:
operationId: downloadFileContent
summary: Download File Content
description: >-
Downloads the actual file content of a previously captured file. The
file is returned as a binary download, password-protected with the
default password "infected".
tags:
- File Downloads
parameters:
- name: fileId
in: path
required: true
description: Unique identifier of the file to download
schema:
type: string
responses:
'200':
description: File content downloaded successfully
content:
application/octet-stream:
schema:
type: string
format: binary
'404':
description: File not found
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
/plugin/products/threat-response/api/v1/conns/{connectionId}/file:
post:
operationId: requestFileFromEndpoint
summary: Request A File Download From An Endpoint
description: >-
Initiates a file download from a connected endpoint. The file is
transferred from the endpoint to the Tanium server for analysis.
tags:
- File Operations
parameters:
- name: connectionId
in: path
required: true
description: Unique identifier of the connection
schema:
type: string
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- path
properties:
path:
type: string
description: Full file path on the endpoint to download
responses:
'200':
description: File download request initiated
content:
application/json:
schema:
type: object
properties:
data:
$ref: '#/components/schemas/FileDownloadTask'
'404':
description: Connection not found
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
/plugin/products/threat-response/api/v1/intels:
post:
operationId: uploadIntelDocument
summary: Upload An Intel Document
description: >-
Uploads a new threat intelligence document to Tanium Threat Response.
Intel documents define indicators of compromise (IOCs) and threat
signatures used for alerting and scanning.
tags:
- Intel Documents
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
name:
type: string
description: Name of the intel document
description:
type: string
description: Description of the threat intel
type:
type: string
description: Intel document type
content:
type: string
description: Intel document content (e.g., STIX, YARA, OpenIOC)
responses:
'200':
description: Intel document uploaded successfully
content:
application/json:
schema:
type: object
properties:
data:
$ref: '#/components/schemas/IntelDocument'
'400':
description: Invalid intel document format
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
get:
operationId: listIntelDocuments
summary: List Intel Documents
description: >-
Retrieves a paginated list of threat intelligence documents configured
in Tanium Threat Response.
tags:
- Intel Documents
parameters:
- name: limit
in: query
description: Maximum number of intel documents to return
schema:
type: integer
- name:
# --- truncated at 32 KB (59 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/tanium/refs/heads/main/openapi/tanium-threat-response-api-openapi.yml
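Added example (not Tanium's own client code) showing how a responder would drive the alert endpoints in this spec from Python: paging through listAlerts with limit/offset plus the state and computer_name filters, then batching the matches into one updateAlertState call whose state is validated against the spec's enum before anything is sent. It assumes the `{"data": [...]}` envelope shown in the response schemas; fake_transport, SAMPLE_ALERTS and the hostnames are constructed so the code runs offline, and attaching the apiToken credential (its header name is not on this page) is left to a real transport.

```python
from typing import Callable, Iterator, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

BASE = "/plugin/products/threat-response/api/v1"
ALERT_STATES = ("unresolved", "inprogress", "resolved", "dismissed", "ignored")
# A transport takes (method, path_with_query, json_body) and returns (status, parsed_json).
Transport = Callable[[str, str, Optional[dict]], Tuple[int, dict]]


class ThreatResponseClient:
    def __init__(self, transport: Transport):
        self._send = transport

    def iter_alerts(self, page_size: int = 100, **filters) -> Iterator[dict]:
        """listAlerts: walk every page via limit/offset; filters become query params."""
        offset = 0
        while True:
            query = urlencode({"limit": page_size, "offset": offset, **filters})
            status, body = self._send("GET", f"{BASE}/alerts?{query}", None)
            if status != 200:
                raise RuntimeError(f"listAlerts failed with HTTP {status}: {body}")
            page = body.get("data", [])
            yield from page
            if len(page) < page_size:  # a short page is the last page
                return
            offset += page_size

    def update_alert_state(self, alert_ids: List[int], state: str) -> int:
        """updateAlertState: PUT /alerts/{id,id,...}; state is checked against the enum."""
        if state not in ALERT_STATES:
            raise ValueError(f"invalid state {state!r}, expected one of {ALERT_STATES}")
        path = f"{BASE}/alerts/{','.join(str(i) for i in alert_ids)}"
        status, _ = self._send("PUT", path, {"state": state})
        return status


def claim_unresolved_alerts(client: ThreatResponseClient, hostname: str) -> List[int]:
    """Triage step: find every unresolved alert on one host and mark it inprogress."""
    ids = [a["id"] for a in client.iter_alerts(page_size=2, state="unresolved",
                                               computer_name=hostname)]
    if ids:
        client.update_alert_state(ids, "inprogress")
    return ids


def fake_transport(alerts: List[dict]) -> Transport:
    """Constructed in-memory server stand-in: GET /alerts with filters, PUT /alerts/{ids}."""
    def send(method: str, path: str, body: Optional[dict]) -> Tuple[int, dict]:
        url = urlparse(path)
        if method == "GET" and url.path == f"{BASE}/alerts":
            q = {k: v[0] for k, v in parse_qs(url.query).items()}
            rows = [a for a in alerts
                    if a["state"] == q.get("state", a["state"])
                    and a["computer_name"] == q.get("computer_name", a["computer_name"])]
            start = int(q.get("offset", 0))
            return 200, {"data": rows[start:start + int(q.get("limit", 100))]}
        if method == "PUT" and url.path.startswith(f"{BASE}/alerts/"):
            if body is None or body.get("state") not in ALERT_STATES:
                return 400, {"error": "Invalid state value"}
            wanted = {int(i) for i in url.path.rsplit("/", 1)[1].split(",")}
            for a in alerts:
                if a["id"] in wanted:
                    a["state"] = body["state"]
            return 200, {}
        return 404, {"error": "Alert not found"}
    return send


# Constructed sample data: five alerts across two hosts.
SAMPLE_ALERTS = [{"id": i, "computer_name": h, "state": s} for i, h, s in
                 [(1, "ws-01", "unresolved"), (2, "ws-01", "resolved"), (3, "ws-01", "unresolved"),
                  (4, "ws-02", "unresolved"), (5, "ws-01", "unresolved")]]
```

With page_size=2 the ws-01 triage needs two GET requests before the single batched PUT, which is the pattern to keep in mind when an alert backlog is large.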