Login

Tanium GraphQL API Gateway

Tanium™ API Gateway provides a single and stable API integration point for various Tanium solutions. It is designed for Tanium partners and customers interested in building integrated solutions with the Tanium™ Core Platform.

API Endpoints
https://<customername>-api.cloud.tanium.com/plugin/products/gateway/graphql
Version

Current

Getting Started

Visit the Documentation Site to find helpful information such as...

  • Overview and Requirements
  • Installation and Troubleshooting Instructions
  • Lots of Helpful Example Queries!
New to GraphQL?

GraphQL is a query language for APIs. Visit graphql.org to learn all about it.

Need Deprecated Content?

Alternate version of the Schema Documentation that includes deprecated queries and fields

Queries

blobs

Description

Returns the blobs in the domain and category. Blobs are filtered based on HTTP request parameters.

Response

Returns [BlobMetadata!]!

Arguments
Name Description
category - ID!
domain - ID!
filter - ListBlobFilter

Example

Query
query blobs(
  $category: ID!,
  $domain: ID!,
  $filter: ListBlobFilter
) {
  blobs(
    category: $category,
    domain: $domain,
    filter: $filter
  ) {
    category
    domain
    expiration
    key
    lastModified
    size
  }
}
Variables
{
  "category": "4",
  "domain": "4",
  "filter": ListBlobFilter
}
Response
{
  "data": {
    "blobs": [
      {
        "category": 4,
        "domain": "4",
        "expiration": "10:15:30Z",
        "key": 4,
        "lastModified": "10:15:30Z",
        "size": 123
      }
    ]
  }
}

configurationItemEntities

Description

Returns configuration item entities from the CMDB.

Arguments
Name Description
after - Cursor Returns the configuration item entities after the given cursor.
before - Cursor Returns the configuration item entities before the given cursor.
first - Int Returns the first n endpoints from the list.
last - Int Returns the last n endpoints from the list.
params - EntitiesQueryParams Returns only the configuration item entities matching the given parameters.
sort - [EntitySortRequest] Sorts the configuration item entities.

Example

Query
query configurationItemEntities(
  $after: Cursor,
  $before: Cursor,
  $first: Int,
  $last: Int,
  $params: EntitiesQueryParams,
  $sort: [EntitySortRequest]
) {
  configurationItemEntities(
    after: $after,
    before: $before,
    first: $first,
    last: $last,
    params: $params,
    sort: $sort
  ) {
    edges {
      ...ConfigurationItemEntityEdgeFragment
    }
    pageInfo {
      ...PageInfoFragment
    }
    totalCount
  }
}
Variables
{
  "after": Cursor,
  "before": Cursor,
  "first": 987,
  "last": 123,
  "params": EntitiesQueryParams,
  "sort": [EntitySortRequest]
}
Response
{
  "data": {
    "configurationItemEntities": {
      "edges": [ConfigurationItemEntityEdge],
      "pageInfo": PageInfo,
      "totalCount": 123
    }
  }
}

configurationItemProperties

Description

Returns all properties related to configuration items.

Response

Returns a ConfigurationItemProperties

Example

Query
query configurationItemProperties {
  configurationItemProperties {
    customerItemsLimit
    userSpecifiedAssetsMaxAge
  }
}
Response
{
  "data": {
    "configurationItemProperties": {
      "customerItemsLimit": 987,
      "userSpecifiedAssetsMaxAge": 987
    }
  }
}

configurationItemRelationships

Description

Returns relationships for the identified configuration items from the CMDB.

Arguments
Name Description
after - Cursor Returns the relationships after the given cursor.
before - Cursor Returns the relationships before the given cursor.
first - Int Returns the first n relationships from the list.
last - Int Returns the last n relationships from the list.
params - RelationshipQueryParams Returns only the relationships matching the given parameters.
sort - [RelationshipSortRequest] Sorts the relationships.

Example

Query
query configurationItemRelationships(
  $after: Cursor,
  $before: Cursor,
  $first: Int,
  $last: Int,
  $params: RelationshipQueryParams,
  $sort: [RelationshipSortRequest]
) {
  configurationItemRelationships(
    after: $after,
    before: $before,
    first: $first,
    last: $last,
    params: $params,
    sort: $sort
  ) {
    edges {
      ...ConfigurationItemRelationshipEdgeFragment
    }
    pageInfo {
      ...PageInfoFragment
    }
    totalCount
  }
}
Variables
{
  "after": Cursor,
  "before": Cursor,
  "first": 123,
  "last": 123,
  "params": RelationshipQueryParams,
  "sort": [RelationshipSortRequest]
}
Response
{
  "data": {
    "configurationItemRelationships": {
      "edges": [ConfigurationItemRelationshipEdge],
      "pageInfo": PageInfo,
      "totalCount": 123
    }
  }
}

directEndpoint

Description

Obtains data from the specified endpoint using a Direct Connect connection.

Response

Returns a DirectConnect

Arguments
Name Description
input - OpenDirectConnectionInput!

Example

Query
query directEndpoint($input: OpenDirectConnectionInput!) {
  directEndpoint(input: $input) {
    alerts {
      ...DirectConnectAlertsFragment
    }
    performance {
      ...DirectConnectPerfFragment
    }
    processes {
      ...DirectConnectProcessesFragment
    }
  }
}
Variables
{"input": OpenDirectConnectionInput}
Response
{
  "data": {
    "directEndpoint": {
      "alerts": DirectConnectAlerts,
      "performance": DirectConnectPerf,
      "processes": DirectConnectProcesses
    }
  }
}

endpointIdChanges

Description

Changed endpoint IDs from Tanium Data Service for the given namespace and timespan.

Response

Returns an EndpointIdChangesPayload!

Arguments
Name Description
after - Time! The date and time of the oldest record to retrieve. Retrieve records newer than this time.
namespace - String Tanium Data Service (TDS) namespace to search against. If no value is specified, the TDS default namespace is used.

Example

Query
query endpointIdChanges(
  $after: Time!,
  $namespace: String
) {
  endpointIdChanges(
    after: $after,
    namespace: $namespace
  ) {
    before
    changes {
      ...EndpointIdChangeFragment
    }
  }
}
Variables
{
  "after": "10:15:30Z",
  "namespace": "xyz789"
}
Response
{
  "data": {
    "endpointIdChanges": {
      "before": "10:15:30Z",
      "changes": [EndpointIdChange]
    }
  }
}

endpointLastSeen

Response

Returns a Map

Arguments
Name Description
eids - [ID!]!

Example

Query
query endpointLastSeen($eids: [ID!]!) {
  endpointLastSeen(eids: $eids)
}
Variables
{"eids": ["4"]}
Response
{"data": {"endpointLastSeen": Map}}

endpoints

Description

Returns the matching endpoints from the specified source. The cursors in the returned connections are usable for 5 minutes after the most recent request in the cursored results, with a maximum lifetime of 1 hour.

Response

Returns an EndpointConnection

Arguments
Name Description
after - Cursor Returns the endpoints after the given cursor.
before - Cursor Returns the endpoints before the given cursor.
filter - EndpointFieldFilter Returns only the endpoints matching the filter.
first - Int Returns the first n endpoints from the list. Default = 20
last - Int Returns the last n endpoints from the list.
refresh - Cursor

Refreshes the endpoints collection identified by the given cursor, if possible. If so, this will invalidate the collection identifed by the given cursor and return a new collection with new cursor values. Otherwise, the existing collection will remain available.

This is primarily intended for use with the Tanium Server data source, where endpoint sensor readings may accumulate for many minutes beyond the original query response.

source - EndpointSource

Describes the data source from which to retrieve the endpoints.

This defaults to the Tanium Data Service source in the default Tanium endpoint namespace.

Example

Query
query endpoints(
  $after: Cursor,
  $before: Cursor,
  $filter: EndpointFieldFilter,
  $first: Int,
  $last: Int,
  $refresh: Cursor,
  $source: EndpointSource
) {
  endpoints(
    after: $after,
    before: $before,
    filter: $filter,
    first: $first,
    last: $last,
    refresh: $refresh,
    source: $source
  ) {
    collectionInfo {
      ...EndpointCollectionInfoFragment
    }
    edges {
      ...EndpointEdgeFragment
    }
    pageInfo {
      ...PageInfoFragment
    }
    totalRecords
  }
}
Variables
{
  "after": Cursor,
  "before": Cursor,
  "filter": EndpointFieldFilter,
  "first": 20,
  "last": 987,
  "refresh": Cursor,
  "source": EndpointSource
}
Response
{
  "data": {
    "endpoints": {
      "collectionInfo": EndpointCollectionInfo,
      "edges": [EndpointEdge],
      "pageInfo": PageInfo,
      "totalRecords": 123
    }
  }
}

lastActionDetails

Description

Returns the details of the last action created by the specified saved action.

Response

Returns an Action!

Arguments
Name Description
id - ID!

Example

Query
query lastActionDetails($id: ID!) {
  lastActionDetails(id: $id) {
    comment
    creationTime
    distributeSeconds
    expirationTime
    expireSeconds
    id
    name
    startTime
    status
    stoppedFlag
  }
}
Variables
{"id": 4}
Response
{
  "data": {
    "lastActionDetails": {
      "comment": "xyz789",
      "creationTime": "10:15:30Z",
      "distributeSeconds": 123,
      "expirationTime": "10:15:30Z",
      "expireSeconds": 123,
      "id": 4,
      "name": "xyz789",
      "startTime": "10:15:30Z",
      "status": "ACTIVE",
      "stoppedFlag": false
    }
  }
}

lastActionResults

Description

Returns the results of the last action created by the specified saved action.

Response

Returns an ActionResults!

Arguments
Name Description
id - ID!

Example

Query
query lastActionResults($id: ID!) {
  lastActionResults(id: $id) {
    completed
    downloading
    expired
    failed
    failedVerification
    id
    pendingVerification
    running
    verified
    waiting
    waitingToRetry
  }
}
Variables
{"id": 4}
Response
{
  "data": {
    "lastActionResults": {
      "completed": 987,
      "downloading": 987,
      "expired": 123,
      "failed": 123,
      "failedVerification": 123,
      "id": 4,
      "pendingVerification": 987,
      "running": 987,
      "verified": 987,
      "waiting": 987,
      "waitingToRetry": 987
    }
  }
}

myAPITokens

Description

Returns the API tokens for the current user.

Response

Returns an APITokenQueryPayload!

Example

Query
query myAPITokens {
  myAPITokens {
    error {
      ...SystemErrorFragment
    }
    tokens {
      ...APITokenFragment
    }
  }
}
Response
{
  "data": {
    "myAPITokens": {
      "error": SystemError,
      "tokens": [APIToken]
    }
  }
}

now

Description

The current server time. Useful to test your ability to query the server.

Response

Returns a Time!

Example

Query
query now {
  now
}
Response
{"data": {"now": "10:15:30Z"}}

packages

Description

Returns the matching packages.

Response

Returns a PackagePagination

Arguments
Name Description
filterSet - String The name of the filter set to return.
page - Int The page of records to return. This defaults to 1.
paginationId - String The ID of the paginated results.
perPage - Int The number of records to return.

Example

Query
query packages(
  $filterSet: String,
  $page: Int,
  $paginationId: String,
  $perPage: Int
) {
  packages(
    filterSet: $filterSet,
    page: $page,
    paginationId: $paginationId,
    perPage: $perPage
  ) {
    items {
      ...PackageFragment
    }
    pageInfo {
      ...PaginationInfoWithIDFragment
    }
  }
}
Variables
{
  "filterSet": "xyz789",
  "page": 123,
  "paginationId": "xyz789",
  "perPage": 123
}
Response
{
  "data": {
    "packages": {
      "items": [Package],
      "pageInfo": PaginationInfoWithID
    }
  }
}

relationshipTypes

Description

Returns all configuration item relationship types from the CMDB.

Response

Returns a RelationshipTypeResult

Example

Query
query relationshipTypes {
  relationshipTypes {
    items {
      ...RelationshipTypeFragment
    }
  }
}
Response
{
  "data": {
    "relationshipTypes": {"items": [RelationshipType]}
  }
}

sensors

Description

Returns the matching sensors. The cursors in the returned connections are usable for 5 minutes after the most recent request in the cursored results, with a maximum lifetime of 1 hour.

Response

Returns a SensorConnection

Arguments
Name Description
after - Cursor Returns the sensors after the given cursor.
before - Cursor Returns the sensors before the given cursor.
filter - FieldFilter Returns only the sensors matching the filter.
first - Int Returns the first n sensors from the list. Default = 2000
last - Int Returns the last n sensors from the list.

Example

Query
query sensors(
  $after: Cursor,
  $before: Cursor,
  $filter: FieldFilter,
  $first: Int,
  $last: Int
) {
  sensors(
    after: $after,
    before: $before,
    filter: $filter,
    first: $first,
    last: $last
  ) {
    edges {
      ...SensorEdgeFragment
    }
    pageInfo {
      ...PageInfoFragment
    }
    totalRecords
  }
}
Variables
{
  "after": Cursor,
  "before": Cursor,
  "filter": FieldFilter,
  "first": 2000,
  "last": 987
}
Response
{
  "data": {
    "sensors": {
      "edges": [SensorEdge],
      "pageInfo": PageInfo,
      "totalRecords": 123
    }
  }
}

softwareDeployment

Description

Returns the details of software package deployments. If you specify a deployment ID, this returns the details of that deployment. If you do not specify a deployment ID, this returns the details of all deployments.

Arguments
Name Description
id - ID The ID of a software package deployment, such as the ID returned by manageSoftware.

Example

Query
query softwareDeployment($id: ID) {
  softwareDeployment(id: $id) {
    ID
    errors {
      ...SoftwareDeploymentErrorCountFragment
    }
    name
    status {
      ...SoftwareDeploymentStatusFragment
    }
  }
}
Variables
{"id": 4}
Response
{
  "data": {
    "softwareDeployment": [
      {
        "ID": "4",
        "errors": [SoftwareDeploymentErrorCount],
        "name": "xyz789",
        "status": SoftwareDeploymentStatus
      }
    ]
  }
}

softwarePackages

Description

Returns the software package catalog from Deploy.

Response

Returns a SoftwarePackageConnection

Arguments
Name Description
after - Cursor Returns the software packages after the cursor.
before - Cursor Returns the software packages before the cursor.
first - Int Returns the first n software packages from the list.
last - Int Returns the last n software packages from the list.

Example

Query
query softwarePackages(
  $after: Cursor,
  $before: Cursor,
  $first: Int,
  $last: Int
) {
  softwarePackages(
    after: $after,
    before: $before,
    first: $first,
    last: $last
  ) {
    edges {
      ...SoftwarePackageEdgeFragment
    }
    pageInfo {
      ...PageInfoFragment
    }
    totalCount
  }
}
Variables
{
  "after": Cursor,
  "before": Cursor,
  "first": 123,
  "last": 123
}
Response
{
  "data": {
    "softwarePackages": {
      "edges": [SoftwarePackageEdge],
      "pageInfo": PageInfo,
      "totalCount": 987
    }
  }
}

Mutations

apiTokenGrant

Description

Creates an API token for the current user.

If you specify a persona, the created token uses the persona's permissions.

Response

Returns an APITokenGrantPayload!

Arguments
Name Description
input - APITokenGrantInput!

Example

Query
mutation apiTokenGrant($input: APITokenGrantInput!) {
  apiTokenGrant(input: $input) {
    error {
      ...SystemErrorFragment
    }
    token {
      ...APITokenFragment
    }
  }
}
Variables
{"input": APITokenGrantInput}
Response
{
  "data": {
    "apiTokenGrant": {
      "error": SystemError,
      "token": APIToken
    }
  }
}

apiTokenRevoke

Description

Deletes the API token with the specified ID.

Response

Returns an APITokenRevokePayload!

Arguments
Name Description
input - APITokenRevokeInput!

Example

Query
mutation apiTokenRevoke($input: APITokenRevokeInput!) {
  apiTokenRevoke(input: $input) {
    error {
      ...SystemErrorFragment
    }
  }
}
Variables
{"input": APITokenRevokeInput}
Response
{"data": {"apiTokenRevoke": {"error": SystemError}}}

apiTokenRotate

Description

Rotates the API token with the specified token string.

The new API token maintains applicable properties of the original API token, including persona, trusted IP addresses and notes.

Response

Returns an APITokenRotatePayload!

Arguments
Name Description
input - APITokenRotateInput!

Example

Query
mutation apiTokenRotate($input: APITokenRotateInput!) {
  apiTokenRotate(input: $input) {
    error {
      ...SystemErrorFragment
    }
    token {
      ...APITokenFragment
    }
  }
}
Variables
{"input": APITokenRotateInput}
Response
{
  "data": {
    "apiTokenRotate": {
      "error": SystemError,
      "token": APIToken
    }
  }
}

closeDirectConnection

Description

Closes an open Direct Connect connection.

Response

Returns a CloseDirectConnectionPayload!

Arguments
Name Description
input - CloseDirectConnectionInput!

Example

Query
mutation closeDirectConnection($input: CloseDirectConnectionInput!) {
  closeDirectConnection(input: $input) {
    result
  }
}
Variables
{"input": CloseDirectConnectionInput}
Response
{"data": {"closeDirectConnection": {"result": true}}}

createAction

Description

Creates a saved action that changes endpoint state.

Response

Returns an ActionInfo

Arguments
Name Description
action - ActionInput

Example

Query
mutation createAction($action: ActionInput) {
  createAction(action: $action) {
    id
  }
}
Variables
{"action": ActionInput}
Response
{"data": {"createAction": {"id": 4}}}

createBlobCategory

Description

Creates a blob storage category within a blob domain, similar to creating an Amazon S3 bucket.

If the blob domain and category already exist with the same properties, this does nothing.

Response

Returns a BlobCategoryPayload!

Arguments
Name Description
input - CreateBlobCategoryInput!

Example

Query
mutation createBlobCategory($input: CreateBlobCategoryInput!) {
  createBlobCategory(input: $input) {
    contentSetID
    domain
    name
    permissionType
    retentionPolicy
  }
}
Variables
{"input": CreateBlobCategoryInput}
Response
{
  "data": {
    "createBlobCategory": {
      "contentSetID": 123,
      "domain": "4",
      "name": "4",
      "permissionType": "SHARED",
      "retentionPolicy": "RETENTION_INDEFINITE"
    }
  }
}

deleteAction

Description

Deletes the saved actions matching the input argument.

Response

Returns [ActionInfo]

Arguments
Name Description
action - DeleteActionInput

Example

Query
mutation deleteAction($action: DeleteActionInput) {
  deleteAction(action: $action) {
    id
  }
}
Variables
{"action": DeleteActionInput}
Response
{"data": {"deleteAction": [{"id": "4"}]}}

deleteConfigurationItemElement

Description

Deletes the specified configuration item elements. Only customer-supplied elements can be deleted.

Arguments
Name Description
input - DeleteConfigurationItemElementInput!

Example

Query
mutation deleteConfigurationItemElement($input: DeleteConfigurationItemElementInput!) {
  deleteConfigurationItemElement(input: $input) {
    error
  }
}
Variables
{"input": DeleteConfigurationItemElementInput}
Response
{
  "data": {
    "deleteConfigurationItemElement": {
      "error": "xyz789"
    }
  }
}

deleteRelationship

Description

Deletes the specified relationships.

Response

Returns a RelationshipResult

Arguments
Name Description
relationships - DeleteRelationshipInput

Example

Query
mutation deleteRelationship($relationships: DeleteRelationshipInput) {
  deleteRelationship(relationships: $relationships) {
    items {
      ...RelationshipFragment
    }
  }
}
Variables
{"relationships": DeleteRelationshipInput}
Response
{
  "data": {
    "deleteRelationship": {"items": [Relationship]}
  }
}

downloadBlobURL

Description

Generates a relative URL to a blob for HTTP GET requests. To download the blob, append this relative URL to the absolute URL to which you send requests.

The URL is reusable and does not require HTTP request headers to access. You can specify HTTP response headers as part of the request.

The URL expiration time is 30 seconds, and is checked on the initiation of the GET request. If the URL expires while downloading, the download continues to completion.

Response

Returns an DownloadBlobURLPayload!

Arguments
Name Description
input - DownloadBlobURLInput!

Example

Query
mutation downloadBlobURL($input: DownloadBlobURLInput!) {
  downloadBlobURL(input: $input) {
    exists
    url
  }
}
Variables
{"input": DownloadBlobURLInput}
Response
{
  "data": {
    "downloadBlobURL": {
      "exists": true,
      "url": "abc123"
    }
  }
}

importConfigurationItemEntities

Description

Imports the specified entities. If an id is specified, the existing entity matching that id is updated. If no id is specified, a new entity is created.

You can specify a maximum of 100 entities. The request fails if you exceed 100 entities. The response returns entities in the same order as specified in the input. Entities that fail to import have an errorMessage.

Arguments
Name Description
input - [EntityInput!]!

Example

Query
mutation importConfigurationItemEntities($input: [EntityInput!]!) {
  importConfigurationItemEntities(input: $input) {
    entities {
      ...ImportConfigurationItemEntityPayloadFragment
    }
    failedCount
    importedCount
  }
}
Variables
{"input": [EntityInput]}
Response
{
  "data": {
    "importConfigurationItemEntities": {
      "entities": [ImportConfigurationItemEntityPayload],
      "failedCount": 987,
      "importedCount": 123
    }
  }
}

killProcess

Description

Terminates the specified process on an endpoint using a Direct Connect connection.

Response

Returns a KillProcessPayload!

Arguments
Name Description
input - KillProcessInput!

Example

Query
mutation killProcess($input: KillProcessInput!) {
  killProcess(input: $input) {
    result
  }
}
Variables
{"input": KillProcessInput}
Response
{"data": {"killProcess": {"result": true}}}

manageSoftware

Description

Creates a new Deploy software package deployment to install, update, or remove a software package.

Response

Returns a SoftwareDeploymentDetails!

Arguments
Name Description
description - String A description of the operation.
end - Time! The date and time after which endpoints will not run the operation. Operations that started might continue running after this time.
operation - SoftwareOperation! The operation to perform.
softwarePackageID - ID! The ID of the software package in Deploy.
start - Time! The date and time at which the operation runs on the endpoints.
target - SoftwareTarget The endpoints on which to perform the operation.

Example

Query
mutation manageSoftware(
  $description: String,
  $end: Time!,
  $operation: SoftwareOperation!,
  $softwarePackageID: ID!,
  $start: Time!,
  $target: SoftwareTarget
) {
  manageSoftware(
    description: $description,
    end: $end,
    operation: $operation,
    softwarePackageID: $softwarePackageID,
    start: $start,
    target: $target
  ) {
    ID
    errors {
      ...SoftwareDeploymentErrorCountFragment
    }
    name
    status {
      ...SoftwareDeploymentStatusFragment
    }
  }
}
Variables
{
  "description": "abc123",
  "end": "10:15:30Z",
  "operation": "INSTALL",
  "softwarePackageID": "4",
  "start": "10:15:30Z",
  "target": SoftwareTarget
}
Response
{
  "data": {
    "manageSoftware": {
      "ID": 4,
      "errors": [SoftwareDeploymentErrorCount],
      "name": "xyz789",
      "status": SoftwareDeploymentStatus
    }
  }
}

mergeConfigurationItemElements

Description

Merges two configuration item elements. The target element must be private if the duplicate element is private. The two elements must inherit from the same class. The target element must be in the category of "ManagedEndpoint" or "UnmanagedEndpoint". The duplicate element must be in the category of "UnmanagedEndpoint" or "CustomerItem". If the duplicate element category is "UnmanagedEndpoint", it must have a namespace of "unmanaged_user_specified". Comments, details, and the relationships are copied. Duplicate relationships or inverse relationships are deleted. The duplicate element is deleted.

Arguments
Name Description
input - MergeConfigurationItemElementsInput!

Example

Query
mutation mergeConfigurationItemElements($input: MergeConfigurationItemElementsInput!) {
  mergeConfigurationItemElements(input: $input) {
    element {
      ...ElementFragment
    }
  }
}
Variables
{"input": MergeConfigurationItemElementsInput}
Response
{
  "data": {
    "mergeConfigurationItemElements": {"element": Element}
  }
}

openDirectConnection

Description

Establishes a Direct Connect connection with an endpoint, returning a connection ID which you can use for Direct Connect queries.

The connection is closed after 2 minutes of inactivity.

Response

Returns an OpenDirectConnectionPayload!

Arguments
Name Description
input - OpenDirectConnectionInput!

Example

Query
mutation openDirectConnection($input: OpenDirectConnectionInput!) {
  openDirectConnection(input: $input) {
    connectionID
  }
}
Variables
{"input": OpenDirectConnectionInput}
Response
{
  "data": {
    "openDirectConnection": {
      "connectionID": "4"
    }
  }
}

ping

Description

Returns true. Useful to test your ability to issue commands to the server.

Response

Returns a Boolean!

Example

Query
mutation ping {
  ping
}
Response
{"data": {"ping": true}}

pingDirectConnection

Description

Performs a ping to an endpoint using a Direct Connect connection.

Response

Returns a PingDirectConnectionPayload!

Arguments
Name Description
input - PingDirectConnectionInput!

Example

Query
mutation pingDirectConnection($input: PingDirectConnectionInput!) {
  pingDirectConnection(input: $input) {
    result
  }
}
Variables
{"input": PingDirectConnectionInput}
Response
{"data": {"pingDirectConnection": {"result": false}}}

removeBlob

Description

Removes a blob.

If the specified blob does not exist, this does nothing.

Response

Returns a RemoveBlobPayload!

Arguments
Name Description
input - RemoveBlobInput!

Example

Query
mutation removeBlob($input: RemoveBlobInput!) {
  removeBlob(input: $input) {
    category
    domain
    key
  }
}
Variables
{"input": RemoveBlobInput}
Response
{
  "data": {
    "removeBlob": {
      "category": 4,
      "domain": 4,
      "key": "4"
    }
  }
}

sensorHarvest

Description

Manages the registration of a sensor for harvest by TDS.

Note that when registering a sensor for harvest, the system must verify that the sensor is valid for harvest. This analysis may take several minutes. To accommodate this, the response may contain a cursor instead of a success or an error. When a response contains a cursor, the caller must call the mutation again with the cursor added to the input in order to poll for the terminal response.

It is not necessary to poll for the terminal response in order for a harvest to be successful, but it is not guaranteed that a harvest is successful unless the caller obtains a terminal successful response.

Response

Returns a SensorHarvestPayload!

Arguments
Name Description
input - SensorHarvestInput!

Example

Query
mutation sensorHarvest($input: SensorHarvestInput!) {
  sensorHarvest(input: $input) {
    cursor
    error {
      ...SystemErrorFragment
    }
    success
  }
}
Variables
{"input": SensorHarvestInput}
Response
{
  "data": {
    "sensorHarvest": {
      "cursor": Cursor,
      "error": SystemError,
      "success": true
    }
  }
}

syncAssets

Description

Synchronizes assets from TDS.

Response

Returns a SyncAssetResult

Example

Query
mutation syncAssets {
  syncAssets {
    success
  }
}
Response
{"data": {"syncAssets": {"success": true}}}

updateConfigurationItemProperties

Description

Updates properties related to configuration items.

Arguments
Name Description
input - UpdateConfigurationItemPropertiesInput!

Example

Query
mutation updateConfigurationItemProperties($input: UpdateConfigurationItemPropertiesInput!) {
  updateConfigurationItemProperties(input: $input) {
    userSpecifiedAssetsMaxAge
  }
}
Variables
{"input": UpdateConfigurationItemPropertiesInput}
Response
{
  "data": {
    "updateConfigurationItemProperties": {"userSpecifiedAssetsMaxAge": 123}
  }
}

uploadBlobURL

Description

Generates a URL for HTTP PUT requests. Subsequent PUT requests overwrite the existing blob.

An optional "Content-MD5" header value can be included as part of the upload request to the URL to integrity check the request. The header value is a Base64-encoded MD5 hash of the file being uploaded.

You can include additional headers in the PUT request, such as Content-Type and Content-Disposition. These headers are written as metadata on the blob and are returned in subsequent GET requests for the blob.

The URL expiration time is 30 seconds, and is checked on the initiation of the PUT request. Uploads are restricted to 5 GB or less.

Response

Returns an UploadBlobURLPayload!

Arguments
Name Description
input - UploadBlobURLInput!

Example

Query
mutation uploadBlobURL($input: UploadBlobURLInput!) {
  uploadBlobURL(input: $input) {
    exists
    url
  }
}
Variables
{"input": UploadBlobURLInput}
Response
{
  "data": {
    "uploadBlobURL": {
      "exists": true,
      "url": "xyz789"
    }
  }
}

upsertRelationship

Description

Creates or updates relationships between configuration items within the CMDB. Returns the created or updated relationships.

Response

Returns a RelationshipResult

Arguments
Name Description
payload - [RelationshipPayload]!

Example

Query
mutation upsertRelationship($payload: [RelationshipPayload]!) {
  upsertRelationship(payload: $payload) {
    items {
      ...RelationshipFragment
    }
  }
}
Variables
{"payload": [RelationshipPayload]}
Response
{
  "data": {
    "upsertRelationship": {"items": [Relationship]}
  }
}

Types

APIToken

Description

An authentication token that a user can use to make requests.

Fields
Field Name Description
created - Time! The time at which the token was created.
expiration - Time! The time at which the API token expires and is no longer valid.
id - ID! The unique identifier of the API token.
lastUsed - Time! The time at which the API token was last used.
notes - String! The notes for the API token.
persona - Persona The persona associated with the API token.
tokenString - String

The API token string value.

This response field contains the string value only when the request creates or rotates a token, and otherwise does not contain a value.

trustedIPAddresses - [String!]!

The list of trusted IP addresses in CIDR format that can use the API token.

Examples: 92.0.2.0/24, 198.51.100.10

Example
{
  "created": "10:15:30Z",
  "expiration": "10:15:30Z",
  "id": "4",
  "lastUsed": "10:15:30Z",
  "notes": "xyz789",
  "persona": Persona,
  "tokenString": "abc123",
  "trustedIPAddresses": ["abc123"]
}

APITokenGrantInput

Description

A request to create an API token for the current user.

Fields
Input Field Description
expiresInDays - Int

The number of days before the API token expires.

notes - String

The notes for the usage of the API token.

personaName - String

The persona associated with the API token.

trustedIPAddresses - [String!]!

The list of trusted IP addresses in CIDR format that can use the API token.

Examples: 92.0.2.0/24, 198.51.100.10

Example
{
  "expiresInDays": 123,
  "notes": "xyz789",
  "personaName": "xyz789",
  "trustedIPAddresses": ["xyz789"]
}

APITokenGrantPayload

Description

A response to a request to create an API token.

Fields
Field Name Description
error - SystemError Specifies that the request terminated in an error.
token - APIToken The token created by the request.
Example
{
  "error": SystemError,
  "token": APIToken
}

APITokenQueryPayload

Description

A response to a request to query API tokens.

Fields
Field Name Description
error - SystemError Specifies that the request terminated in an error.
tokens - [APIToken!] API tokens returned by the request.
Example
{
  "error": SystemError,
  "tokens": [APIToken]
}

APITokenRevokeInput

Description

A request to revoke an API token.

Fields
Input Field Description
id - ID!

The unique identifier of the API token to revoke.

Example
{"id": 4}

APITokenRevokePayload

Description

A response to a request to revoke an API token.

Fields
Field Name Description
error - SystemError Specifies that the request terminated in an error.
Example
{"error": SystemError}

APITokenRotateInput

Description

A request to create an API token for the current user.

Fields
Input Field Description
tokenString - String!

The token string of the API token to rotate.

Example
{"tokenString": "xyz789"}

APITokenRotatePayload

Description

A response to a request to rotate an API token.

Fields
Field Name Description
error - SystemError Specifies that the request terminated in an error.
token - APIToken The token created by the request.
Example
{
  "error": SystemError,
  "token": APIToken
}

Action

Description

A command issued to a group of endpoints.

Fields
Field Name Description
comment - String! A description of the action.
creationTime - Time The date and time when this object was created.
distributeSeconds - Int The number of seconds over which to deploy the action.
expirationTime - Time The date and time at which the action is scheduled to expire.
expireSeconds - Int How long from the start time before the action expires.
id - ID! The unique ID of the action.
name - String! The name of the action.
startTime - Time The date and time when the action is scheduled to start.
status - ActionStatus The status of the action.
stoppedFlag - Boolean Indicates that an action stop has been issued for this action.
Example
{
  "comment": "abc123",
  "creationTime": "10:15:30Z",
  "distributeSeconds": 987,
  "expirationTime": "10:15:30Z",
  "expireSeconds": 123,
  "id": 4,
  "name": "xyz789",
  "startTime": "10:15:30Z",
  "status": "ACTIVE",
  "stoppedFlag": false
}

ActionChangeClientSetting

Description

A policy for changing client settings.

Fields
Input Field Description
name - SettingName!

The name of the setting to change.

value - Any!

The new value of the setting. The type can be a string or a number.

Example
{"name": "HOT_CACHE_PERCENTAGE", "value": Any}

ActionCollectAD

Description

A policy for collecting Active Directory data.

Fields
Input Field Description
minimumMinutesBetweenRuns - Int

The minimum number of minutes between collections of Active Directory data.

Example
{"minimumMinutesBetweenRuns": 123}

ActionInfo

Description

An ID for a saved action.

Fields
Field Name Description
id - ID! The unique ID for the saved action.
Example
{"id": "4"}

ActionInput

Description

A request to create a saved action.

Fields
Input Field Description
_dev_action - DevAction

Experimental action descriptions.

This field is experimental and is subject to change or removal without warning.

changeClientSetting - ActionChangeClientSetting

Changes a client setting on the endpoints.

collectActiveDirectoryInfo - ActionCollectAD

Collect Active Directory data needed by their sensors.

description - String

The description of the saved action.

name - String

The name of the saved action.

reboot - ActionReboot

Reboots the endpoints.

replaceExisting - Boolean

Indicates that the saved action should replace any existing saved actions with the same name.

restartService - ActionService

Restarts a service on the endpoints.

schedule - ActionSchedule

The schedule on which to run the actions.

startService - ActionService

Starts a service on the endpoints.

stopService - ActionService

Stops a service on the endpoints.

target - ActionTarget

The group of endpoints to target with the saved action.

Example
{
  "_dev_action": DevAction,
  "changeClientSetting": ActionChangeClientSetting,
  "collectActiveDirectoryInfo": ActionCollectAD,
  "description": "xyz789",
  "name": "abc123",
  "reboot": ActionReboot,
  "replaceExisting": false,
  "restartService": ActionService,
  "schedule": ActionSchedule,
  "startService": ActionService,
  "stopService": ActionService,
  "target": ActionTarget
}

ActionReboot

Description

A policy for rebooting endpoints.

Fields
Input Field Description
randomDelaySeconds - Int

Delays the reboot of endpoints by a random time up to the specified value in seconds.

Example
{"randomDelaySeconds": 987}

ActionResults

Description

The results of an action.

Fields
Field Name Description
completed - Int! The number of endpoints that have completed the action.
downloading - Int! The number of endpoints downloading the action package.
expired - Int! The number of endpoints for which the action has expired.
failed - Int! The number of endpoints for which the action run failed.
failedVerification - Int! The number of endpoints that failed to verify the action.
id - ID! The unique ID of the action.
pendingVerification - Int! The number of endpoints waiting to verify the action.
running - Int! The number of endpoints currently running the action.
verified - Int! The number of endpoints that have verified the action.
waiting - Int! The number of endpoints waiting to run the action.
waitingToRetry - Int! The number of endpoints waiting to retry a failed action run.
Example
{
  "completed": 123,
  "downloading": 123,
  "expired": 123,
  "failed": 123,
  "failedVerification": 987,
  "id": 4,
  "pendingVerification": 987,
  "running": 987,
  "verified": 123,
  "waiting": 987,
  "waitingToRetry": 987
}

ActionSchedule

Description

The policy governing the scheduling of the action.

Fields
Input Field Description
distributeOverSeconds - Int

The number of seconds over which to distribute the execution of the action.

end - Time

The stop date and time of the action.

reissueSeconds - Int

The number of seconds to elapse between issuing actions. If not specified, the action is issued once.

start - Time

The start date and time of the action. This defaults to the current time.

Example
{
  "distributeOverSeconds": 123,
  "end": "10:15:30Z",
  "reissueSeconds": 987,
  "start": "10:15:30Z"
}

ActionService

Description

A service running on an endpoint.

Fields
Input Field Description
name - String!

The name of the endpoint service.

Example
{"name": "abc123"}

ActionStatus

Description

The action status values.

Values
Enum Value Description

ACTIVE

EXPIRED

OPEN

PENDING

STOPPED

Example
"ACTIVE"

ActionTarget

Description

The group of endpoints targeted by an action.

Fields
Input Field Description
actionGroup - String

The name of the root group to target. The target group will always be a subset of this group.

This defaults to the Default action group.

endpoints - [ID]

The list of endpoint IDs to target.

You can specify up to 25 endpoints.

platforms - [EndpointPlatform!]

The platforms on which the action should run.

targetGroup - String

The name of the group to target. This will be a subset of the action group.

This defaults to the All Computers computer group.

Example
{
  "actionGroup": "abc123",
  "endpoints": ["4"],
  "platforms": ["AIX"],
  "targetGroup": "xyz789"
}

Any

Description

An untyped value.

Example
Any

Asset

Description

A generic asset, such as an endpoint.

Fields
Field Name Description
configurationItem - ConfigurationItem The CMDB reference IDs for the asset.
id - ID! The unique ID. This is reasonably guaranteed to be stable.
manufacturer - String! The asset manufacturer.
model - String! The asset model.
name - String! The assigned name of the asset.
serialNumber - String! The serial number provided by the manufacturer.
Possible Types
Asset Types

Endpoint

Example
{
  "configurationItem": ConfigurationItem,
  "id": "4",
  "manufacturer": "xyz789",
  "model": "abc123",
  "name": "xyz789",
  "serialNumber": "xyz789"
}

BlobCategoryPayload

Description

A blob category creation response.

Fields
Field Name Description
contentSetID - Int! The ID of the content set to which this category belongs.
domain - ID! The domain for this category, generally unique to a Tanium product module or service.
name - ID! The name of the category.
permissionType - PermissionType! The permission type for the category, which controls how blobs are shared among users.
retentionPolicy - RetentionType! The retention policy for all blobs stored within this category. The retention window is based on the blob LastModified attribute. Updating a blob resets the blob retention window.
Example
{
  "contentSetID": 123,
  "domain": 4,
  "name": "4",
  "permissionType": "SHARED",
  "retentionPolicy": "RETENTION_INDEFINITE"
}

BlobMetadata

Description

A blob is a durably stored, shareable sequence of bytes.

Fields
Field Name Description
category - ID! The category of the blob.
domain - ID! The domain of the blob.
expiration - Time

The date and time after which the blob is not guaranteed to be available. This is not a hard deadline. Depending on the underlying storage mechanism, deletion of the blob may happen within a 24 hour window.

This has no value if the blob has no expiration or if this entry is a folder.

key - ID! The unique key of the blob.
lastModified - Time

The date and time at which the blob was last modified.

This has no value if this entry is a folder.

size - Int

The size of the blob in bytes.

This has no value if this entry is a folder.

Example
{
  "category": 4,
  "domain": 4,
  "expiration": "10:15:30Z",
  "key": 4,
  "lastModified": "10:15:30Z",
  "size": 123
}

Boolean

Description

The Boolean scalar type represents true or false.

Example
true

CIEntity

Description

An item managed in the CMDB.

Fields
Field Name Description
category - EntityCategory! The category of the entity.
comments - String The comments about the entity.
created - Time! The date and time at which the entity was stored in the CMDB.
details - Map The semi-structured data for the entity.
id - ID! The unique ID for an entity in the CMDB.
name - String! The assigned name of the entity.
private - Boolean! Indicates that the entity is not viewable by service agents.
updated - Time! The date and time at which the entity was last updated in the CMDB.
Possible Types
CIEntity Types

Element

Example
{
  "category": "ConfigurationItemClass",
  "comments": "abc123",
  "created": "10:15:30Z",
  "details": Map,
  "id": 4,
  "name": "xyz789",
  "private": true,
  "updated": "10:15:30Z"
}

CloseDirectConnectionInput

Description

A request to close a Direct Connect connection to an endpoint.

Fields
Input Field Description
connectionID - ID!

The ID of the connection to close.

Example
{"connectionID": "4"}

CloseDirectConnectionPayload

Description

A response to a request to close a Direct Connect connection to an endpoint.

Fields
Field Name Description
result - Boolean! Indicates that the connection is closed.
Example
{"result": false}

ConfigurationItem

Description

The CMDB reference IDs for an asset.

Fields
Field Name Description
entityClassIDs - [ID!]! The unique IDs of the class records of an asset in the CMDB.
entityID - ID! The unique ID of an asset entity record in the CMDB.
namespace - String!

The namespace of an asset entity record in the CMDB.

Examples: tds, discover

Example
{
  "entityClassIDs": ["4"],
  "entityID": 4,
  "namespace": "xyz789"
}

ConfigurationItemEntityConnection

Description

A page of configuration item entity edges.

Fields
Field Name Description
edges - [ConfigurationItemEntityEdge]! The list of configuration item entity edges.
pageInfo - PageInfo! Information about the configuration item entity collection.
totalCount - Int! The total number of configuration item entities in the list.
Example
{
  "edges": [ConfigurationItemEntityEdge],
  "pageInfo": PageInfo,
  "totalCount": 987
}

ConfigurationItemEntityEdge

Description

A configuration item entity within a page.

Fields
Field Name Description
cursor - Cursor! The cursor of this edge within the collection.
node - CIEntity! The configuration item entity.
Example
{"cursor": Cursor, "node": CIEntity}

ConfigurationItemProperties

Description

Properties of the configuration item CMDB.

Fields
Field Name Description
customerItemsLimit - Int The total limit for entities provided by the customer. For on-premises deployments, select Administration > Configuration > Platform Settings to configure this. For TaaS deployments, contact Tanium support to configure this.
userSpecifiedAssetsMaxAge - Int The maximum age in seconds of user-specified Unmanaged Assets.
Example
{"customerItemsLimit": 123, "userSpecifiedAssetsMaxAge": 123}

ConfigurationItemRelationshipConnection

Description

A page of configuration item relationship edges.

Fields
Field Name Description
edges - [ConfigurationItemRelationshipEdge]! The list of configuration item relationship edges.
pageInfo - PageInfo! Information about the configuration item relationship collection.
totalCount - Int! The total number of configuration item relationships in the list.
Example
{
  "edges": [ConfigurationItemRelationshipEdge],
  "pageInfo": PageInfo,
  "totalCount": 123
}

ConfigurationItemRelationshipEdge

Description

A configuration item relationship within a page.

Fields
Field Name Description
cursor - Cursor! The cursor of this edge within the collection.
node - Relationship! The configuration item relationship.
Example
{
  "cursor": Cursor,
  "node": Relationship
}

ConnectedState

Description

The set of connected states of wireless adapters.

Values
Enum Value Description

CONNECTED

The wireless adapter is connected.

DISCONNECTED

The wireless adapter is disconnected.

UNKNOWN

The wireless adapter connected state is unknown.
Example
"CONNECTED"

Connection

Description

A page of records.

Fields
Field Name Description
edges - [Edge]! The list of records.
pageInfo - PageInfo! Information about the collection.
Example
{
  "edges": [Edge],
  "pageInfo": PageInfo
}

CreateBlobCategoryInput

Description

A request to create a blob category.

Fields
Input Field Description
contentSetID - Int!

The ID of the content set to which this category belongs. The user must have the blob category create privilege for this content set.

domain - ID!

The domain for the category, generally unique to a Tanium product module or service.

name - ID!

The name of the category.

permissionType - PermissionType!

The permission type for the category, which controls how blobs are shared among users.

retentionPolicy - RetentionType!

The retention policy for all blobs stored within this category. The retention window is based on the blob LastModified attribute. Updating a blob resets the blob retention window.

You cannot change this value after category creation.

Example
{
  "contentSetID": 123,
  "domain": "4",
  "name": 4,
  "permissionType": "SHARED",
  "retentionPolicy": "RETENTION_INDEFINITE"
}

Cursor

Description

A relay pagination cursor, which is an opaque string that specifies a record within a connection.

Example
Cursor

Date

Description

A string date in RFC 3339 long-date format.

Example
"2007-12-03"

DateTimeComponent

Example
DateTimeComponent

DefaultRangeEnd

Fields
Field Name Description
interval - Int
intervalCount - Int
model - ParameterDefinitionType!
parameterType - ParameterDefinitionType!
type - DateTimeComponent
unixTimeStamp - Int
Example
{
  "interval": 123,
  "intervalCount": 987,
  "model": ParameterDefinitionType,
  "parameterType": ParameterDefinitionType,
  "type": DateTimeComponent,
  "unixTimeStamp": 123
}

DeleteActionInput

Description

A set of saved actions to delete.

Fields
Input Field Description
name - String!

The name of the saved action.

Example
{"name": "xyz789"}

DeleteConfigurationItemElementInput

Description

A request to delete a configuration item element.

Fields
Input Field Description
id - ID!

The ID of the configuration item element to delete.

Example
{"id": 4}

DeleteConfigurationItemElementResult

Description

A response to a request to delete a configuration item element.

Fields
Field Name Description
error - String If the delete operation failed, the error message logged.
Example
{"error": "abc123"}

DeleteRelationshipInput

Description

A request to delete relationships between configuration item entities.

Fields
Input Field Description
ids - [ID!]!

The set of relationship IDs to delete.

Example
{"ids": [4]}

DevAction

Description

Experimental action policies.

Fields
Input Field Description
packageName - String!

The name of the package to deploy.

parameters - Map

A map of parameter keys ($1, $2, etc.) to string values.

Example
{
  "packageName": "abc123",
  "parameters": Map
}

DirectConnect

Description

Data from an endpoint, obtained using a Direct Connect connection.

Fields
Field Name Description
alerts - DirectConnectAlerts Performance alerts from the endpoint.
performance - DirectConnectPerf Performance data from the endpoint.
processes - DirectConnectProcesses Processes running on the endpoint.
Example
{
  "alerts": DirectConnectAlerts,
  "performance": DirectConnectPerf,
  "processes": DirectConnectProcesses
}

DirectConnectAlerts

Description

Performance alerts from an endpoint.

Fields
Field Name Description
all - [EndpointAlert!] All performance alerts for the endpoint.
Example
{"all": [EndpointAlert]}

DirectConnectPerf

Description

Performance data from an endpoint.

Fields
Field Name Description
_dev_query - [EndpointMetric!]

Raw PromQL queries.

This field is experimental and is subject to change or removal without warning.

Arguments
query - PerfQuery!
cpuUsagePercent - Float! The current CPU usage percentage.
memoryUsagePercent - Float! The current memory usage percentage.
Example
{
  "_dev_query": [EndpointMetric],
  "cpuUsagePercent": 987.65,
  "memoryUsagePercent": 123.45
}

DirectConnectProcesses

Description

Processes running on an endpoint.

Fields
Field Name Description
all - [Process!] All processes running on the endpoint.
Example
{"all": [Process]}

DownloadBlobURLInput

Description

A request to generate a blob download relative URL.

Fields
Input Field Description
category - ID!

The category of the blob.

domain - ID!

The domain of the blob.

key - ID!

The unique key of the blob.

responseHeaderCacheControl - String

Overrides the Cache-Control header of the GET response.

responseHeaderContentDisposition - String

Overrides the Content-Disposition header of the GET response.

responseHeaderContentType - String

Overrides the Content-Type header of the GET response.

responseHeaderExpires - String

Overrides the Expires header of the GET response.

Example
{
  "category": 4,
  "domain": 4,
  "key": "4",
  "responseHeaderCacheControl": "abc123",
  "responseHeaderContentDisposition": "xyz789",
  "responseHeaderContentType": "abc123",
  "responseHeaderExpires": "xyz789"
}

DownloadBlobURLPayload

Description

A response to a request to generate a blob download relative URL.

Fields
Field Name Description
exists - Boolean! Indicates that the blob exists at the time of this URL request. You can generate a download URL before the blob is uploaded. A HTTP 404 error code is returned if the blob does not exist when using the download URL.
url - String! HTTP GET relative URL to download the requested blob. Append this relative URL to the absolute URL to which you send requests.
Example
{"exists": false, "url": "xyz789"}

Edge

Description

A record within a page.

Fields
Field Name Description
cursor - Cursor! The cursor of this record.
Example
{"cursor": Cursor}

EdgeDirection

Description

The set of directions of relationships between configuration item entities.

Values
Enum Value Description

AtoB

Bidirectional

BtoA

Example
"AtoB"

Element

Description

An asset managed in the CMDB.

Fields
Field Name Description
category - EntityCategory! The category of the element.
classes - EntityPagination The paginated list of the classes of the element classes in the CMDB.
Arguments
page - Int
perPage - Int
comments - String The comments about the element.
created - Time! The date and time at which the element was stored in the CMDB.
details - Map The semi-structured data for the entity class. The schema version can be specified as an argument. If it is not specified, the schema version defaults to the latest schema available. The schema version of the response is returned as the schemaVersion value in the details map.
Arguments
schemaVersion - String
eid - ID The endpoint ID of the element in the CMDB.
entityClassIDs - [ID!]! The IDs of the classes of the element classes in the CMDB.
id - ID! The unique ID for an element in the CMDB.
name - String! The assigned name of the element.
namespace - String!

The namespace for an element in the CMDB.

Examples: tds, discover

private - Boolean! Indicates that the element is not viewable by service agents.
updated - Time! The date and time at which the element was last updated in the CMDB.
Example
{
  "category": "ConfigurationItemClass",
  "classes": EntityPagination,
  "comments": "abc123",
  "created": "10:15:30Z",
  "details": Map,
  "eid": 4,
  "entityClassIDs": [4],
  "id": 4,
  "name": "abc123",
  "namespace": "xyz789",
  "private": true,
  "updated": "10:15:30Z"
}

Endpoint

Description

An endpoint managed by the Tanium Client.

Fields
Field Name Description
chassisType - String!

The machine or chassis type of the endpoint.

Examples: MacBookPro16,1, Server, Virtual

Sensor: Chassis Type

compliance - EndpointCompliance The state of the endpoint's compliance with security policies.
computerID - String!

The Tanium Client computer ID. This is temporally unique but not stable.

Example: 4202979704

Sensor: Computer ID

configurationItem - ConfigurationItem

The CMDB reference IDs for the endpoint.

Use of this field requires the Atlas solution.

deployedSoftwarePackages - [EndpointDeploySoftwarePackage!]!

The Deploy software packages that are deployed or deployable on the endpoint.

This field allows a filter argument. You can use the filter to restrict the items returned in this field. This also restricts the returned endpoints to those with matching items in this field.

Sensor: Deploy - Software Packages

Use of this field requires the Deploy solution.

Arguments
filter - FieldFilter
disks - [EndpointDisk!] The disk space details per drive on the endpoint.
domainName - String!

The domain name of the endpoint.

Example: intra.example.com

Sensor: Domain Name

eventCounts - EndpointEventCounts!

The number of performance events on the endpoint.

Use of this field requires the Performance solution.

id - ID!

The unique ID. This is reasonably guaranteed to be stable.

Sensor: Endpoint ID, Column: ID

Use of this field requires the Interact solution.

installedApplications - [EndpointInstalledApplication!]!

The software applications installed on the endpoint, regardless of provenance.

This field allows a filter argument. You can use the filter to restrict the items returned in this field. This also restricts the returned endpoints to those with matching items in this field.

Sensor: Installed Applications

Use of this field requires the Core Content solution.

Arguments
filter - FieldFilter
ipAddress - String!

The IP addresses of the endpoint.

Example: 192.168.1.1

Sensor: Tanium Client IP Address

isEncrypted - Boolean

Indicates that the endpoint storage is encrypted, such as with BitLocker on Windows or FileVault on Mac OS.

Sensor: Storage Encryption Status, Column: Encryption Status

Use of this field requires the Core Content solution.

isVirtual - Boolean

Indicates that the endpoint is virtual.

Sensor: Is Virtual

lastLoggedInUser - String!

The name of the user that last signed in to the endpoint.

Sensor: Last Logged In User

Use of this field requires the Core Content solution.

manufacturer - String!

The manufacturer of the endpoint.

Example: Dell

Sensor: Manufacturer

Use of this field requires the Core Content solution.

memory - Memory! The memory details of the endpoint.
model - String!

The model of the endpoint.

Example: OptiPlex 7050

Sensor: Model

Use of this field requires the Core Content solution.

name - String!

The assigned name of the endpoint.

Example: workstation-1.example.com

Sensor: Computer Name

networking - Networking! The networking details of the endpoint.
os - EndpointOS! The operating system details of the endpoint.
primaryUser - EndpointUser! The primary user of the endpoint.
processor - Processor! The processor details of the endpoint.
risk - EndpointRisk The Risk details of the endpoint.
sensorReadings - EndpointSensorReadings! Returns readings from the list of named sensors, including parameterized sensors. If the sensors are not available from the data source, the query returns an error.
Arguments
serialNumber - String!

The serial number provided by the manufacturer.

Sensor: Computer Serial Number

Use of this field requires the Core Content solution.

services - [EndpointService!]! The details of services on the endpoint. These are only available for Windows platforms.
software - [EndpointSoftwarePackage!]!

The state of software on the machine. This includes all installed software and software that can be installed.

Sensor: Deploy - Software Packages

Sensor: Installed Applications

Use of this field requires the Core Content, Deploy solutions.

systemUUID - String!

The UUID of the endpoint hardware.

Note that this has no real guarantee of uniqueness across platforms and a strong possibility of duplicates within platforms (for virtual endpoints in particular).

Sensor: System UUID

Use of this field requires the Core Content solution.

Example
{
  "chassisType": "abc123",
  "compliance": EndpointCompliance,
  "computerID": "abc123",
  "configurationItem": ConfigurationItem,
  "deployedSoftwarePackages": [
    EndpointDeploySoftwarePackage
  ],
  "disks": [EndpointDisk],
  "domainName": "abc123",
  "eventCounts": EndpointEventCounts,
  "id": 4,
  "installedApplications": [EndpointInstalledApplication],
  "ipAddress": "abc123",
  "isEncrypted": false,
  "isVirtual": false,
  "lastLoggedInUser": "xyz789",
  "manufacturer": "xyz789",
  "memory": Memory,
  "model": "xyz789",
  "name": "abc123",
  "networking": Networking,
  "os": EndpointOS,
  "primaryUser": EndpointUser,
  "processor": Processor,
  "risk": EndpointRisk,
  "sensorReadings": EndpointSensorReadings,
  "serialNumber": "abc123",
  "services": [EndpointService],
  "software": [EndpointSoftwarePackage],
  "systemUUID": "xyz789"
}

EndpointAlert

Description

A performance alert triggered on an endpoint.

Fields
Field Name Description
evidence - [EndpointAlertEvidence!]
evidenceToGather - [String!]
firing - Boolean
key - String
labels - Map
leadup - Int
pendingAt - Time
ref - String
resolvedAt - Time
schema - Int!
start - Time
topProcessesExpr - String
type - String
value - Float
Example
{
  "evidence": [EndpointAlertEvidence],
  "evidenceToGather": ["xyz789"],
  "firing": false,
  "key": "abc123",
  "labels": Map,
  "leadup": 123,
  "pendingAt": "10:15:30Z",
  "ref": "abc123",
  "resolvedAt": "10:15:30Z",
  "schema": 123,
  "start": "10:15:30Z",
  "topProcessesExpr": "abc123",
  "type": "xyz789",
  "value": 987.65
}

EndpointAlertEvidence

Description

Evidence collected as part of a performance alert on an endpoint.

Fields
Field Name Description
name - String
value - String
values - [EndpointAlertEvidenceValues]
Example
{
  "name": "abc123",
  "value": "xyz789",
  "values": [EndpointAlertEvidenceValues]
}

EndpointAlertEvidenceValues

Description

Discrete data collected as part of the evidence comprising a performance alert on an endpoint.

Fields
Field Name Description
labels - Map
value - Float
Example
{"labels": Map, "value": 987.65}

EndpointCollectionInfo

Description

Information about the endpoint results that populate an EndpointConnection.

Fields
Field Name Description
active - Boolean! Indicates results may still continue to accumulate in the underlying collection, and you may refresh the cursor if the paginated results are insufficient.
contributedTotal - Int! The number of endpoints that have contributed results to the query.
expectedTotal - Int The number of endpoints expected to evaluate the query, if known. Note that not all of these endpoints are necessarily expected to contribute results, and that this total may be smaller or larger than the total number of endpoints that responded.
respondedPercentage - Float The number of endpoints that have evaluated the query divided by the number of endpoints expected to evaluate the query, if both are known, expressed as a decimal value between 0.0 and 1.0.
respondedTotal - Int The number of endpoints that have evaluated the query, if known.
startCursor - Cursor The cursor for the beginning of the collection. This will be populated even if the collection is empty, as long as the collection has the possibility of being refreshed with new results.
success - Boolean! Indicates the results in the paginated connection satisfy the criteria specified by the query's data source argument.
Example
{
  "active": true,
  "contributedTotal": 987,
  "expectedTotal": 123,
  "respondedPercentage": 987.65,
  "respondedTotal": 123,
  "startCursor": Cursor,
  "success": true
}

EndpointCompliance

Description

The state of an endpoint's compliance with security policies.

Fields
Field Name Description
complianceFindings - [EndpointComplianceComplianceFinding!]

The list of all compliance findings on the endpoint.

Sensor: Comply - Compliance Findings

cveFindings - [EndpointComplianceCveFinding!]

The list of all vulnerability findings on the endpoint.

Sensor: Comply - CVE Findings

Example
{
  "complianceFindings": [
    EndpointComplianceComplianceFinding
  ],
  "cveFindings": [EndpointComplianceCveFinding]
}

EndpointComplianceComplianceFinding

Description

A compliance issue found on an endpoint.

Fields
Field Name Description
category - String

The category of the compliance issue.

Sensor: Comply - Compliance Findings, Column: Category

id - String

The ID of the compliance finding.

Sensor: Comply - Compliance Findings, Column: Check ID

profile - String

The profile violated by the compliance issue.

Sensor: Comply - Compliance Findings, Column: Profile

profileVersion - String

The version of the profile violated by the compliance issue.

Sensor: Comply - Compliance Findings, Column: Profile Version

rule - String

The rule violated by the compliance issue.

Sensor: Comply - Compliance Findings, Column: Rule

ruleId - String

The ID of the rule violated by the compliance issue.

Sensor: Comply - Compliance Findings, Column: Rule ID

standard - String

The standard violated by the compliance issue.

Sensor: Comply - Compliance Findings, Column: Standard

standardVersion - String

The version of the standard violated by the compliance issue.

Sensor: Comply - Compliance Findings, Column: Standard Version

state - String

The state of the compliance issue.

Sensor: Comply - Compliance Findings, Column: State

Example
{
  "category": "xyz789",
  "id": "xyz789",
  "profile": "abc123",
  "profileVersion": "xyz789",
  "rule": "xyz789",
  "ruleId": "xyz789",
  "standard": "xyz789",
  "standardVersion": "abc123",
  "state": "abc123"
}

EndpointComplianceCveFinding

Description

A vulnerability finding on an endpoint.

Fields
Field Name Description
cveId - String

The ID of the CVE.

Sensor: Comply - CVE Findings, Column: Check ID

cveYear - String

The year in which the CVE ID was reserved, or the year in which the CVE became public.

Sensor: Comply - CVE Findings, Column: CVE Year

cvssScore - Float

The CVSS score of the CVE.

Sensor: Comply - CVE Findings, Column: CVSS Score

firstFound - Date

The date on which the CVE was first found on the endpoint.

Sensor: Comply - CVE Findings - First Found, Column: First Found - Date

lastFound - Date

The date on which the CVE was last found on the endpoint.

Sensor: Comply - CVE Findings - Last Found, Column: Last Found - Date

severity - String

The severity of the CVE.

Sensor: Comply - CVE Findings, Column: Severity

summary - String

A brief summary of the CVE.

Sensor: Comply - CVE Findings, Column: Summary

Example
{
  "cveId": "abc123",
  "cveYear": "xyz789",
  "cvssScore": 987.65,
  "firstFound": "2007-12-03",
  "lastFound": "2007-12-03",
  "severity": "xyz789",
  "summary": "abc123"
}

EndpointConnection

Description

A page of endpoint edges.

Fields
Field Name Description
collectionInfo - EndpointCollectionInfo! Information about the endpoint results that contribute to the collection.
edges - [EndpointEdge!]! The list of endpoint edges.
pageInfo - PageInfo! Information about the endpoint collection.
totalRecords - Int! The total number of endpoint records available.
Example
{
  "collectionInfo": EndpointCollectionInfo,
  "edges": [EndpointEdge],
  "pageInfo": PageInfo,
  "totalRecords": 987
}

EndpointDeploySoftwarePackage

Description

A Deploy software package that is deployed or deployable on an endpoint.

Fields
Field Name Description
applicability - String!

Indicates the applicability of the software package to the endpoint.

Examples: Installed, Install Eligible, Not Applicable

Sensor: Deploy - Software Packages, Column: Applicability

Use of this field requires the Deploy solution.

gallery - String!

If Yes, indicates that the software package is a gallery package.

Examples: Yes, No

Sensor: Deploy - Software Packages, Column: Is Gallery Package

Use of this field requires the Deploy solution.

id - ID!

The ID of the software package.

Sensor: Deploy - Software Packages, Column: Software Package ID

Use of this field requires the Deploy solution.

name - String!

The name of the software package.

Sensor: Deploy - Software Packages, Column: Name

Use of this field requires the Deploy solution.

vendor - String!

The name of the software vendor that produced the package.

Sensor: Deploy - Software Packages, Column: Vendor

Use of this field requires the Deploy solution.

version - String!

The version of the software package.

Sensor: Deploy - Software Packages, Column: Version

Use of this field requires the Deploy solution.

Example
{
  "applicability": "abc123",
  "gallery": "abc123",
  "id": 4,
  "name": "xyz789",
  "vendor": "xyz789",
  "version": "xyz789"
}

EndpointDisk

Description

The disk space details of a volume.

Fields
Field Name Description
free - String

The amount of free disk space per drive.

Example: 40 GB

Sensor: Disk Free Space

Use of this field requires the Core Content solution.

name - String!

The disk drive name.

Sensor: Disk Total Space

total - String

The amount of total disk space per drive.

Example: 100 GB

Sensor: Disk Total Space

Use of this field requires the Core Content solution.

usedPercentage - String

The percentage of used disk space per drive.

Example: 24%

Sensor: Disk Used Percentage

Use of this field requires the Core Content solution.

usedSpace - String

The amount of used disk space per drive.

Example: 40 GB

Sensor: Disk Used Space

Use of this field requires the Core Content solution.

Example
{
  "free": "abc123",
  "name": "xyz789",
  "total": "abc123",
  "usedPercentage": "xyz789",
  "usedSpace": "xyz789"
}

EndpointEdge

Description

An endpoint within a page.

Fields
Field Name Description
cursor - Cursor! The cursor of this edge within the collection.
node - Endpoint! The endpoint.
Example
{"cursor": Cursor, "node": Endpoint}

EndpointEventCounts

Description

The number of performance events on an endpoint.

Fields
Field Name Description
all - Int!

The count of all performance events on the endpoint in the last 24 hours.

Sensor: Performance - Event Category Match Count

Use of this field requires the Performance solution.

appCrash - Int!

The count of application crash performance events on the endpoint in the last 24 hours.

Sensor: Performance - Event Category Match Count

Use of this field requires the Performance solution.

cpu - Int!

The number of CPU performance events on the endpoint in the last 24 hours.

Sensor: Performance - Event Category Match Count

Use of this field requires the Performance solution.

disk - Int!

The number of disk performance events on the endpoint in the last 24 hours.

Sensor: Performance - Event Category Match Count

Use of this field requires the Performance solution.

memory - Int!

The number of memory performance events on the endpoint in the last 24 hours.

Sensor: Performance - Event Category Match Count

Use of this field requires the Performance solution.

network - Int!

The count of network performance events on the endpoint in the last 24 hours.

Sensor: Performance - Event Category Match Count

Use of this field requires the Performance solution.

Example
{
  "all": 987,
  "appCrash": 987,
  "cpu": 987,
  "disk": 987,
  "memory": 123,
  "network": 123
}

EndpointFieldFilter

Description

Describes a filter for endpoint field values. Records with field values matching the filter are included in the query results. Field filters may be single or compound, and have different argument requirements. GraphQL does not allow these types of constraint expression in the type system. Any filter that is not valid causes the query to return an error.

Simple filters have three distinct forms:

  • path, value, and op properties describe a filter on the value of a field in the schema
  • sensor, value, and op properties describe a filter on the value of an arbitrary sensor reading
  • memberOf property describes a filter to a computer group

Compound filters have a single form:

  • filters, and any properties
Fields
Input Field Description
any - Boolean!

Indicates that if any of the filters comprising this compound filter passes, the compound filter passes.

This defaults to false, which means all of the filters must pass.

filters - [EndpointFieldFilter!]

Describes the set of filters which comprise this compound filter.

memberOf - EndpointFieldFilterComputerGroup

The computer group to which the endpoint must belong in order to pass the filter.

negated - Boolean!

Indicates that the filter is negated. Records with field values matching the filter are excluded from the query results.

This defaults to false.

op - FieldFilterOp!

The operator by which to compare the specified value to the field value. Note that not all operators are valid for all fields or data sources. If the operator is not valid, the query returns an error.

This defaults to the EQ operator.

path - String

The dot notation path to the field to filter, such as "cpu.manufacturer", where the field on which the filter argument is declared is the root of the path. If the path does not resolve to a field, the query returns an error.

sensor - EndpointFieldFilterSensor

The sensor whose reading is used as the basis for the filter.

value - String

The constant value to compare with the field value, expressed as a string. If this value cannot be interpreted as a valid value for the field type, the query returns an error.

Example
{
  "any": false,
  "filters": [EndpointFieldFilter],
  "memberOf": EndpointFieldFilterComputerGroup,
  "negated": true,
  "op": "CONTAINS",
  "path": "xyz789",
  "sensor": EndpointFieldFilterSensor,
  "value": "abc123"
}

EndpointFieldFilterComputerGroup

Description

Identifies the computer group to which an endpoint must belong to be included by a filter.

Fields
Input Field Description
name - String

The name of the computer group.

Example
{"name": "xyz789"}

EndpointFieldFilterSensor

Description

Identifies the sensor whose readings are used as the basis for a filter.

Fields
Input Field Description
column - String

The name of the column of the sensor results, if the sensor returns multiple columns.

name - String

The name of the sensor.

params - [EndpointFieldFilterSensorParam!]

The values of the parameters to the sensor, if needed.

Example
{
  "column": "xyz789",
  "name": "abc123",
  "params": [EndpointFieldFilterSensorParam]
}

EndpointFieldFilterSensorParam

Description

Parameterizes a sensor reading.

Fields
Input Field Description
name - String!

The name of the sensor parameter.

value - String!

The value of the sensor parameter.

Example
{
  "name": "abc123",
  "value": "abc123"
}

EndpointIdChange

Description

Describes a change between endpoint IDs.

Fields
Field Name Description
newId - ID! The new endpoint ID.
oldId - ID! The old endpoint ID.
Example
{
  "newId": "4",
  "oldId": "4"
}

EndpointIdChangesPayload

Description

The endpoint IDs changes.

Fields
Field Name Description
before - Time! The date and time of the last record returned. Using this timestamp as the after argument yields subsequent changes, if any.
changes - [EndpointIdChange!]! The list of endpoint ID changes.
Example
{
  "before": "10:15:30Z",
  "changes": [EndpointIdChange]
}

EndpointInstalledApplication

Description

A software application installed on an endpoint.

Fields
Field Name Description
name - String!

The name of the application.

Sensor: Installed Applications, Column: Name

Use of this field requires the Core Content solution.

version - String!

The version of the application.

Sensor: Installed Applications, Column: Version

Use of this field requires the Core Content solution.

Example
{
  "name": "abc123",
  "version": "abc123"
}

EndpointMetric

Description

A metric recorded on an endpoint.

Fields
Field Name Description
metric - EndpointMetricInfo The metric details.
value - Any The value of the metric. This is not yet well-typed.
values - Any The values of the metric. This is not yet well-typed.
Example
{
  "metric": EndpointMetricInfo,
  "value": Any,
  "values": Any
}

EndpointMetricInfo

Description

The details of a metric recorded on an endpoint.

Fields
Field Name Description
name - String The name of the metric.
Example
{"name": "abc123"}

EndpointOS

Description

The operating system details of an endpoint.

Fields
Field Name Description
generation - String!

The generation of the operating system.

Examples: Windows 10, Windows Server 2008 R2, Red Hat Enterprise Linux Server 6, Mac OS X 10.14

Sensor: Operating System Generation

language - String!

The language of the operating system.

Example: en-US

Sensor: Operating System Language, Column: Language Packs Installed

name - String!

The name of the operating system. This name may be localized.

Example: Windows Server 2008 R2 Enterprise

Sensor: Operating System

platform - EndpointPlatform!

The platform of the operating system.

Example: Windows

Sensor: OS Platform

windows - EndpointWindowsOS The details of the Windows operating system.
Example
{
  "generation": "xyz789",
  "language": "abc123",
  "name": "xyz789",
  "platform": "AIX",
  "windows": EndpointWindowsOS
}

EndpointPlatform

Description

The set of endpoint platforms.

Values
Enum Value Description

AIX

The endpoint is running IBM AIX.

Linux

The endpoint is running Linux.

Mac

The endpoint is running macOS.

Solaris

The endpoint is running Oracle Solaris.

Unknown

The endpoint platform is unknown.

Windows

The endpoint is running Microsoft Windows.
Example
"AIX"

EndpointRisk

Description

The Risk details of an endpoint.

Fields
Field Name Description
assetCriticality - String!

Endpoint criticality, assigned by a user. This modifies the endpoint risk score.

Examples: Low, Medium, High, Critical

Sensor: Risk Vectors, Column: Asset Criticality

Use of this field requires the Risk solution.

criticalityScore - Float!

Asset criticality modifier.

For more information, see Tanium Risk User Guide: Assign asset criticality.

Sensor: Risk Vectors, Column: Criticality Score

Use of this field requires the Risk solution.

riskLevel - String!

The Endpoint score rating for the endpoint.

Examples: Low, Medium, High, Critical

Sensor: Risk Vectors, Column: Endpoint Score

Use of this field requires the Risk solution.

totalScore - Float!

The overall risk score for the endpoint.

Sensor: Risk Vectors, Column: Risk Score

Use of this field requires the Risk solution.

vectors - EndpointRiskVectors! The risk vectors associated with the endpoint.
Example
{
  "assetCriticality": "abc123",
  "criticalityScore": 987.65,
  "riskLevel": "xyz789",
  "totalScore": 123.45,
  "vectors": EndpointRiskVectors
}

EndpointRiskAdministrativeAccessVector

Description

The Administrative Access risk vector details for an endpoint.

Fields
Field Name Description
direct - Int!

The number of users on the endpoint with direct administrative access.

Sensor: Risk Vectors, Column: Impact Rating.Direct Admin By Count

Use of this field requires the Impact, Risk solutions.

impactRating - String!

The Impact rating for the endpoint.

Examples: Low, Medium, High, Critical

Sensor: Risk Vectors, Column: Impact Rating.Impact Rating

Use of this field requires the Impact, Risk solutions.

impactRatingScore - Int!

The impact score for the endpoint.

For more information, see Tanium Impact User Guide: Impact Rating.

Sensor: Risk Vectors, Column: Impact Rating.Impact Score

Use of this field requires the Impact, Risk solutions.

inbound - Int!

The number of endpoints or users that an attacker might use to breach the endpoint.

Sensor: Risk Vectors, Column: Impact Rating.Inbound Asset Count

Use of this field requires the Impact, Risk solutions.

indirect - Int!

The number of users on the endpoint with indirect administrative access through an Active Directory group membership.

Sensor: Risk Vectors, Column: Impact Rating.Indirect Admin By Count

Use of this field requires the Impact, Risk solutions.

outbound - Int!

The number of endpoints or users that an attacker might breach from the endpoint.

Sensor: Risk Vectors, Column: Impact Rating.Outbound Asset Count

Use of this field requires the Impact, Risk solutions.

score - Float!

The Administrative Access risk vector score for the endpoint.

Sensor: Risk Vectors, Column: Administrative Access

Use of this field requires the Impact, Risk solutions.

sessions - Int!

The number of active user sessions on the endpoint.

Sensor: Risk Vectors, Column: Impact Rating.Session Count

Use of this field requires the Impact, Risk solutions.

Example
{
  "direct": 123,
  "impactRating": "xyz789",
  "impactRatingScore": 987,
  "inbound": 123,
  "indirect": 987,
  "outbound": 987,
  "score": 987.65,
  "sessions": 987
}

EndpointRiskComplianceVector

Description

The System Compliance risk vector details for an endpoint.

Fields
Field Name Description
complianceFailCount - Int!

The number of compliance failures for the endpoint.

Sensor: Risk Vectors, Column: Compliance Fail Count

Use of this field requires the Comply, Risk solutions.

score - Float!

The System Compliance risk vector score for the endpoint.

Sensor: Risk Vectors, Column: Compliance Score

Use of this field requires the Comply, Risk solutions.

Example
{"complianceFailCount": 987, "score": 987.65}

EndpointRiskExpiredCertificatesVector

Description

The Expired Certificates risk vector details for an endpoint.

Fields
Field Name Description
certificatesCount - Int!

The number of expired certificates on the endpoint.

Sensor: Risk Vectors, Column: Certificates Count

Use of this field requires the Core Content, Risk solutions.

ports - String!

The TCP ports associated with expired certificates on the endpoint.

Sensor: Risk Vectors, Column: Expired Certificates Ports

Use of this field requires the Core Content, Risk solutions.

score - Float!

The Expired Certificates risk vector score for the endpoint.

Sensor: Risk Vectors, Column: Expired Certificates

Use of this field requires the Core Content, Risk solutions.

Example
{
  "certificatesCount": 123,
  "ports": "xyz789",
  "score": 987.65
}

EndpointRiskInsecureTLSVector

Description

The Insecure SSL/TLS risk vector details for an endpoint.

Fields
Field Name Description
ports - String!

The TCP ports used for insecure SSL or TLS traffic on the endpoint.

Example: 22, 3389

Sensor: Risk Vectors, Column: Insecure SSL TLS Ports

Use of this field requires the Core Content, Risk solutions.

protocols - String!

The insecure SSL or TLS protocols in use on the endpoint.

Example: SSL 3.0, TLS 1.0

Sensor: Risk Vectors, Column: Insecure SSL TLS Protocols

Use of this field requires the Core Content, Risk solutions.

score - Float!

The Insecure SSL/TLS vector risk score for the endpoint.

Sensor: Risk Vectors, Column: Insecure SSL TLS

Use of this field requires the Core Content, Risk solutions.

Example
{
  "ports": "abc123",
  "protocols": "abc123",
  "score": 987.65
}

EndpointRiskPasswordIdentificationVector

Description

The Password Identification risk vector details for an endpoint.

Fields
Field Name Description
filesConfirmed - String!

The number of files with confirmed passwords on the endpoint.

For more information, see Tanium Risk User Guide: Password Identification.

Sensor: Risk Vectors, Column: Files Confirmed

Use of this field requires the Reveal, Risk solutions.

score - Float!

The Password Identification vector risk score for the endpoint.

Sensor: Risk Vectors, Column: Password Score

Use of this field requires the Reveal, Risk solutions.

Example
{
  "filesConfirmed": "abc123",
  "score": 123.45
}

EndpointRiskSystemVulnerabilityVector

Description

The System Vulnerability risk vector details for an endpoint.

Fields
Field Name Description
cveCount - Int!

The number of Common Vulnerabilities and Exposures identifiers (CVEs) found on the endpoint.

Sensor: Risk Vectors, Column: CVE Count

Use of this field requires the Comply, Risk solutions.

score - Float!

The System Vulnerability vector risk score for the endpoint.

Sensor: Risk Vectors, Column: Vulnerability Score

Use of this field requires the Comply, Risk solutions.

Example
{"cveCount": 987, "score": 987.65}

EndpointRiskVectors

Description

The risk vectors associated with an endpoint.

Fields
Field Name Description
administrativeAccess - EndpointRiskAdministrativeAccessVector

The Administrative Access risk vector details for the endpoint.

Sensor: Risk Vectors, Column: Administrative Access Missing

Use of this field requires the Impact, Risk solutions.

compliance - EndpointRiskComplianceVector

The System Compliance risk vector details for the endpoint.

Sensor: Risk Vectors, Column: Compliance Score Missing

Use of this field requires the Comply, Risk solutions.

expiredCertificates - EndpointRiskExpiredCertificatesVector

The Expired Certificates risk vector details for the endpoint.

Sensor: Risk Vectors, Column: Expired Certificates Missing

Use of this field requires the Core Content, Risk solutions.

insecureTLS - EndpointRiskInsecureTLSVector

The Insecure SSL/TLS risk vector details for the endpoint.

Sensor: Risk Vectors, Column: Insecure SSL TLS Missing

Use of this field requires the Core Content, Risk solutions.

passwordIdentification - EndpointRiskPasswordIdentificationVector

The Password Identification risk vector details for the endpoint.

Sensor: Risk Vectors, Column: Password Score Missing

Use of this field requires the Reveal, Risk solutions.

systemVulnerability - EndpointRiskSystemVulnerabilityVector

The System Vulnerability risk vector details for the endpoint.

Sensor: Risk Vectors, Column: Vulnerability Score Missing

Use of this field requires the Comply, Risk solutions.

Example
{
  "administrativeAccess": EndpointRiskAdministrativeAccessVector,
  "compliance": EndpointRiskComplianceVector,
  "expiredCertificates": EndpointRiskExpiredCertificatesVector,
  "insecureTLS": EndpointRiskInsecureTLSVector,
  "passwordIdentification": EndpointRiskPasswordIdentificationVector,
  "systemVulnerability": EndpointRiskSystemVulnerabilityVector
}

EndpointSensorReadingColumn

Description

A column collected in a sensor reading.

Fields
Field Name Description
name - String! The name of the column.
sensor - EndpointSensorReadingRef! The sensor which provided the column.
values - [String!]! The values read by the sensor.
Example
{
  "name": "abc123",
  "sensor": EndpointSensorReadingRef,
  "values": ["xyz789"]
}

EndpointSensorReadingRef

Description

Identifies a sensor that was read.

Fields
Field Name Description
name - String! The name of the sensor.
params - [EndpointSensorReadingRefParam!] The list of sensor parameters.
Example
{
  "name": "xyz789",
  "params": [EndpointSensorReadingRefParam]
}

EndpointSensorReadingRefParam

Description

The parameters used in a sensor reading.

Fields
Field Name Description
name - String! The name of the sensor parameter.
value - String! The value of the sensor parameter.
Example
{
  "name": "abc123",
  "value": "xyz789"
}

EndpointSensorReadings

Description

The data collected from reading a set of sensors.

Fields
Field Name Description
columns - [EndpointSensorReadingColumn!]! The columns collected from reading a set of sensors.
Example
{"columns": [EndpointSensorReadingColumn]}

EndpointSensorRef

Description

Identifies a sensor to read.

Fields
Input Field Description
name - String!

The name of the sensor.

params - [EndpointSensorRefParam!]

The list of sensor parameters.

Example
{
  "name": "abc123",
  "params": [EndpointSensorRefParam]
}

EndpointSensorRefParam

Description

Parameterizes a sensor reading.

Fields
Input Field Description
name - String!

The name of the sensor parameter.

value - String!

The value of the sensor parameter.

Example
{
  "name": "abc123",
  "value": "abc123"
}

EndpointService

Description

The details of a service on an endpoint.

Fields
Field Name Description
displayName - String!

The display name of the service.

Sensor: Service Details, Column: Service Display Name

Use of this field requires the Core Content solution.

name - String!

The internal name of the service.

Sensor: Service Details, Column: Service Name

Use of this field requires the Core Content solution.

startupMode - EndpointServiceStartupMode

The startup mode of the service.

Sensor: Service Details, Column: Service Startup Mode

Use of this field requires the Core Content solution.

status - EndpointServiceStatus

The current status of the service.

Sensor: Service Details, Column: Service Status

Use of this field requires the Core Content solution.

Example
{
  "displayName": "abc123",
  "name": "abc123",
  "startupMode": "AUTO",
  "status": "CONTINUE_PENDING"
}

EndpointServiceStartupMode

Description

The set of service startup modes.

Values
Enum Value Description

AUTO

The service is started automatically by the service control manager during system startup.

BOOT

The service is a device driver started by the operating system loader.

DISABLED

The service can no longer be started.

MANUAL

The service is started by the service control manager when a process calls the StartService method.

ON_DEMAND

The service is started manually or when required by another service.

SYSTEM

The service is a device driver started by the operating system initialization process.
Example
"AUTO"

EndpointServiceStatus

Description

The status of a service on an endpoint.

Values
Enum Value Description

CONTINUE_PENDING

The service has been paused and is about to continue.

PAUSED

The service is paused.

PAUSE_PENDING

The service is in the process of pausing.

RUNNING

The service is running.

START_PENDING

The service is in the process of starting.

STOPPED

The service is not running.

STOP_PENDING

The service is in the process of stopping.
Example
"CONTINUE_PENDING"

EndpointSoftwarePackage

Description

A software package that is installed or can be installed on an endpoint. It represents one or more versions of a package, where packages are differentiated by name (vendor name and product name).

Fields
Field Name Description
installableVersions - [EndpointSoftwarePackageVersion!] The versions of the software that are available to be installed.
installedVersions - [EndpointSoftwarePackageVersion!] The versions of the software currently installed.
name - String!

The name of the software package, including both the vendor name and product name.

Example: Google Chrome

Sensor: Installed Applications, Column: Name

Use of this field requires the Core Content solution.

updateToVersions - [EndpointSoftwarePackageVersion!] The versions of the software that are available for update.
Example
{
  "installableVersions": [EndpointSoftwarePackageVersion],
  "installedVersions": [EndpointSoftwarePackageVersion],
  "name": "xyz789",
  "updateToVersions": [EndpointSoftwarePackageVersion]
}

EndpointSoftwarePackageVersion

Description

A specific version of a software package.

Fields
Field Name Description
removable - Boolean! Indicates that Deploy can remove the software package from the endpoint.
softwarePackageID - ID The Deploy software package ID.
version - String! The version of the software package that is installed on the endpoint.
Example
{
  "removable": false,
  "softwarePackageID": "4",
  "version": "abc123"
}

EndpointSource

Description

The data source from which to retrieve endpoints. The default source is the Tanium Data Service in the standard Tanium endpoint namespace.

You can only specify one data source.

Fields
Input Field Description
tds - EndpointSourceTDS
ts - EndpointSourceTS
Example
{
  "tds": EndpointSourceTDS,
  "ts": EndpointSourceTS
}

EndpointSourceTDS

Description

Specifies the use of the Tanium Data Service as the source of endpoints.

Fields
Input Field Description
allNamespaces - Boolean!

If true, the query returns endpoints from all namespaces. If false, the query returns endpoints from the standard Tanium endpoint namespace.

This defaults to false.

Example
{"allNamespaces": true}

EndpointSourceTS

Description

Specifies the use of a Tanium Server question as the source of endpoints. This waits for question results until any of the success criteria are met or the maximum wait time for a single request has elapsed. The success criteria are not guaranteed to be met. Users might check the collectionInfo field to observe the completeness of the results and might use the refresh argument to try to retrieve more results.

Fields
Input Field Description
expectedCount - Int

The number of endpoints for which to wait.

maxWaitTime - Int!

The total number of seconds to wait before returning a response with the available results, regardless of whether the results satisfy any success criteria. This defaults to 30 seconds and cannot exceed that value.

minPercentage - Float

The minimum fraction of expected endpoints that must have evaluated the question in order for the results to be considered successful. This must be a number between 0.0 and 1.0. Note that because the endpoint population is unstable, there is no guarantee of ever reaching 1.0, regardless of how many times you refresh the cursor.

stableWaitTime - Int

The number of seconds to wait for the Tanium Server to not receive new endpoint results.

Example
{
  "expectedCount": 123,
  "maxWaitTime": 987,
  "minPercentage": 987.65,
  "stableWaitTime": 987
}

EndpointUser

Description

The details of an endpoint user.

Fields
Field Name Description
city - String!

The Active Directory city of the endpoint user.

Sensor: AD Query - Primary User Details, Column: City

Use of this field requires the Core AD Query Content solution.

country - String!

The Active Directory country of the endpoint user.

Sensor: AD Query - Primary User Details, Column: Country

Use of this field requires the Core AD Query Content solution.

department - String!

The Active Directory department of the endpoint user.

Sensor: AD Query - Primary User Details, Column: Department

Use of this field requires the Core AD Query Content solution.

email - String!

The Active Directory email of the endpoint user.

Sensor: AD Query - Primary User Details, Column: Email

Use of this field requires the Core AD Query Content solution.

name - String!

The Active Directory name of the endpoint user.

Sensor: AD Query - Primary User Details, Column: Name

Use of this field requires the Core AD Query Content solution.

phoneNumber - String!

The Active Directory phone number of the endpoint user.

Sensor: AD Query - Primary User Details, Column: Phone Number

Use of this field requires the Core AD Query Content solution.

Example
{
  "city": "abc123",
  "country": "xyz789",
  "department": "xyz789",
  "email": "xyz789",
  "name": "xyz789",
  "phoneNumber": "xyz789"
}

EndpointWindowsOS

Description

The Windows operating system details of an endpoint.

Fields
Field Name Description
majorVersion - String!

The major version of the Windows operating system.

Example: 6.1

Sensor: Windows OS Major Version

releaseId - String!

The release ID of the Windows operating system.

Example: 1607

Sensor: Windows OS Release ID

type - String!

The type of Windows operating system.

Examples: Windows Server, Windows Workstation

Sensor: Windows OS Type

Example
{
  "majorVersion": "abc123",
  "releaseId": "xyz789",
  "type": "abc123"
}

EntitiesQueryParams

Description

The configuration item entities to include in the results.

Fields
Input Field Description
category - [EntityCategory]

The configuration item entity category to include.

eids - [ID]

The set of endpoint IDs to include.

ids - [ID]

The set of configuration item entity IDs to include.

Example
{
  "category": ["ConfigurationItemClass"],
  "eids": ["4"],
  "ids": [4]
}

EntityCategory

Description

The set of categories of configuration item entities.

Values
Enum Value Description

ConfigurationItemClass

CustomerItem

ManagedEndpoint

ManagedItem

UnmanagedEndpoint

Example
"ConfigurationItemClass"

EntityInput

Description

A request to import a configuration item entity.

Fields
Input Field Description
category - EntityCategory!

The category of the entity.

comments - String

The comments about the entity.

details - Map

The semi-structured data for the entity.

eid - ID

The endpoint ID of the entity in the CMDB.

entityClassIDs - [ID!]

The IDs of the classes of the entity in the CMDB.

id - ID

The entity ID. If this entity ID exists, this request updates the matching entity. If this entity ID does not exist, this request creates a new entity.

name - String!

The assigned name of the entity.

namespace - String

The namespace for the entity in the CMDB.

Examples: tds, discover

private - Boolean!

Indicates that the entity is not viewable by service agents.

Example
{
  "category": "ConfigurationItemClass",
  "comments": "xyz789",
  "details": Map,
  "eid": "4",
  "entityClassIDs": ["4"],
  "id": 4,
  "name": "abc123",
  "namespace": "xyz789",
  "private": true
}

EntityPagination

Fields
Field Name Description
items - [CIEntity]!
pageInfo - PaginationInfo!
Example
{
  "items": [CIEntity],
  "pageInfo": PaginationInfo
}

EntitySortField

Description

The set of fields by which entities can be sorted.

Values
Enum Value Description

category

comments

created

details

eid

id

name

namespace

private

updated

Example
"category"

EntitySortRequest

Description

The criteria by which to sort the entities.

Fields
Input Field Description
field - EntitySortField!

The field by which to sort.

order - SortOrder

The order in which to sort field values.

Example
{"field": "category", "order": "asc"}

FieldFilter

Description

Describes a filter for field values. Records with field values matching the filter are included in the query results. Field filters may be single or compound, and have different argument requirements. GraphQL does not allow these types of constraint expression in the type system. Any filter that is not valid causes the query to return an error.

Fields
Input Field Description
any - Boolean!

Indicates that if any of the filters comprising this compound filter passes, the compound filter passes.

This defaults to false, which means all of the filters must pass.

This is allowed for compound field filters and ignored for single field filters.

filters - [FieldFilter!]

Describes the set of filters which comprise this compound filter.

This is required for compound field filters, and not allowed for single field filters.

negated - Boolean!

Indicates that the filter is negated. Records with field values matching the filter are excluded from the query results.

This defaults to false.

op - FieldFilterOp!

The operator by which to compare the specified value to the field value. Note that not all operators are valid for all fields or data sources. If the operator is not valid, the query returns an error.

This defaults to the EQ operator.

This is required for single field filters, and ignored for compound field filters.

path - String

The dot notation path to the field to filter, such as "cpu.manufacturer", where the field on which the filter argument is declared is the root of the path. If the path does not resolve to a field, the query returns an error.

This is required for single field filters, and not allowed for compound field filters.

value - String

The constant value to compare with the field value, expressed as a string. If this value cannot be interpreted as a valid value for the field type, the query returns an error.

This is required for single field filters, and not allowed for compound field filters.

Example
{
  "any": true,
  "filters": [FieldFilter],
  "negated": true,
  "op": "CONTAINS",
  "path": "abc123",
  "value": "xyz789"
}

FieldFilterOp

Description

The set of operations permitted on FieldFilter instances.

Values
Enum Value Description

CONTAINS

The string contains operator. The field value must contain the specified value.

This is valid only for string types.

ENDS_WITH

The string ends with operator. The field value must end with the specified value.

This is valid only for string types.

EQ

The equality operator. The field value and specified values must be equal.

GT

The greater than operator. The field value must be greater than the specified value.

This is valid only for comparable types.

GTE

The greater than or equals operator. The field value must be greater than or equal to the specified value.

This is valid only for comparable types.

LT

The less than operator. The field value must be less than the specified value.

This is valid only for comparable types.

LTE

LTE is the less than or equals operator, the field value must be less than or equal to the given value.

This is only valid for comparable types.

MATCHES

The string matches operator. The field value must fully match the specified value, which is interpreted as a regular expression in Perl syntax.

This is valid only for string types.

READ_AFTER

The read after operator. The field value must have been read after the given date and time.

This is only valid for fields from certain data sources.

STARTS_WITH

The string starts with operator. The field value must start with the specified value.

This is valid only for string types.

UPDATED_AFTER

The updated after operator. The field value must have been updated after the given date and time.

This is only valid for fields from certain data sources.

Example
"CONTAINS"

FilterField

Description

The list of endpoint fields on which the assets query can be filtered.

Values
Enum Value Description

ENDPOINT_CHASSIS_TYPE

ENDPOINT_COMPLIANCE_COMPLIANCE_FINDINGS

ENDPOINT_COMPLIANCE_COMPLIANCE_FINDINGS_CATEGORY

ENDPOINT_COMPLIANCE_COMPLIANCE_FINDINGS_ID

ENDPOINT_COMPLIANCE_COMPLIANCE_FINDINGS_PROFILE

ENDPOINT_COMPLIANCE_COMPLIANCE_FINDINGS_PROFILE_VERSION

ENDPOINT_COMPLIANCE_COMPLIANCE_FINDINGS_RULE

ENDPOINT_COMPLIANCE_COMPLIANCE_FINDINGS_RULE_ID

ENDPOINT_COMPLIANCE_COMPLIANCE_FINDINGS_STANDARD

ENDPOINT_COMPLIANCE_COMPLIANCE_FINDINGS_STANDARD_VERSION

ENDPOINT_COMPLIANCE_COMPLIANCE_FINDINGS_STATE

ENDPOINT_COMPLIANCE_CVE_FINDINGS

ENDPOINT_COMPLIANCE_CVE_FINDINGS_CVE_ID

ENDPOINT_COMPLIANCE_CVE_FINDINGS_CVE_YEAR

ENDPOINT_COMPLIANCE_CVE_FINDINGS_CVSS_SCORE

ENDPOINT_COMPLIANCE_CVE_FINDINGS_FIRST_FOUND

ENDPOINT_COMPLIANCE_CVE_FINDINGS_LAST_FOUND

ENDPOINT_COMPLIANCE_CVE_FINDINGS_SEVERITY

ENDPOINT_COMPLIANCE_CVE_FINDINGS_SUMMARY

ENDPOINT_COMPUTER_ID

ENDPOINT_DEPLOYED_SOFTWARE_PACKAGES

ENDPOINT_DEPLOYED_SOFTWARE_PACKAGES_APPLICABILITY

ENDPOINT_DEPLOYED_SOFTWARE_PACKAGES_GALLERY

ENDPOINT_DEPLOYED_SOFTWARE_PACKAGES_ID

ENDPOINT_DEPLOYED_SOFTWARE_PACKAGES_NAME

ENDPOINT_DEPLOYED_SOFTWARE_PACKAGES_VENDOR

ENDPOINT_DEPLOYED_SOFTWARE_PACKAGES_VERSION

ENDPOINT_DISKS_FREE

ENDPOINT_DISKS_NAME

ENDPOINT_DISKS_TOTAL

ENDPOINT_DISKS_USED_PERCENTAGE

ENDPOINT_DISKS_USED_SPACE

ENDPOINT_DISK_SPACE_FREE

ENDPOINT_DISK_SPACE_TOTAL

ENDPOINT_DISK_SPACE_USED_PERCENTAGE

ENDPOINT_DISK_SPACE_USED_SPACE

ENDPOINT_DOMAIN_NAME

ENDPOINT_EVENT_COUNTS_ALL

ENDPOINT_EVENT_COUNTS_APP_CRASH

ENDPOINT_EVENT_COUNTS_CPU

ENDPOINT_EVENT_COUNTS_DISK

ENDPOINT_EVENT_COUNTS_MEMORY

ENDPOINT_EVENT_COUNTS_NETWORK

ENDPOINT_ID

ENDPOINT_INSTALLED_APPLICATIONS

ENDPOINT_INSTALLED_APPLICATIONS_NAME

ENDPOINT_INSTALLED_APPLICATIONS_VERSION

ENDPOINT_IP_ADDRESS

ENDPOINT_IS_ENCRYPTED

ENDPOINT_IS_VIRTUAL

ENDPOINT_LAST_LOGGED_IN_USER

ENDPOINT_MANUFACTURER

ENDPOINT_MEMORY_RAM

ENDPOINT_MEMORY_TOTAL

ENDPOINT_MODEL

ENDPOINT_NAME

ENDPOINT_NETWORKING_ADAPTERS_CONNECTION_ID

ENDPOINT_NETWORKING_ADAPTERS_MAC_ADDRESS

ENDPOINT_NETWORKING_ADAPTERS_MANUFACTURER

ENDPOINT_NETWORKING_ADAPTERS_NAME

ENDPOINT_NETWORKING_ADAPTERS_SPEED

ENDPOINT_NETWORKING_ADAPTERS_TYPE

ENDPOINT_NETWORKING_DNS_SERVERS

ENDPOINT_NETWORKING_WIRELESS_ADAPTERS_SSID

ENDPOINT_NETWORKING_WIRELESS_ADAPTERS_STATE

ENDPOINT_OS_GENERATION

ENDPOINT_OS_LANGUAGE

ENDPOINT_OS_NAME

ENDPOINT_OS_PLATFORM

ENDPOINT_OS_WINDOWS_MAJOR_VERSION

ENDPOINT_OS_WINDOWS_RELEASE_ID

ENDPOINT_OS_WINDOWS_TYPE

ENDPOINT_PRIMARY_USER_CITY

ENDPOINT_PRIMARY_USER_COUNTRY

ENDPOINT_PRIMARY_USER_DEPARTMENT

ENDPOINT_PRIMARY_USER_EMAIL

ENDPOINT_PRIMARY_USER_NAME

ENDPOINT_PRIMARY_USER_PHONE_NUMBER

ENDPOINT_PROCESSOR_ARCHITECTURE

ENDPOINT_PROCESSOR_CACHE_SIZE

ENDPOINT_PROCESSOR_CONSUMPTION

ENDPOINT_PROCESSOR_CPU

ENDPOINT_PROCESSOR_FAMILY

ENDPOINT_PROCESSOR_HIGH_CONSUMPTION

ENDPOINT_PROCESSOR_LOGICAL_PROCESSORS

ENDPOINT_PROCESSOR_MANUFACTURER

ENDPOINT_PROCESSOR_REVISION

ENDPOINT_PROCESSOR_SPEED

ENDPOINT_RISK

ENDPOINT_RISK_ASSET_CRITICALITY

ENDPOINT_RISK_CRITICALITY_SCORE

ENDPOINT_RISK_RISK_LEVEL

ENDPOINT_RISK_TOTAL_SCORE

ENDPOINT_RISK_VECTORS_ADMINISTRATIVE_ACCESS

ENDPOINT_RISK_VECTORS_ADMINISTRATIVE_ACCESS_DIRECT

ENDPOINT_RISK_VECTORS_ADMINISTRATIVE_ACCESS_IMPACT_RATING

ENDPOINT_RISK_VECTORS_ADMINISTRATIVE_ACCESS_IMPACT_RATING_SCORE

ENDPOINT_RISK_VECTORS_ADMINISTRATIVE_ACCESS_INBOUND

ENDPOINT_RISK_VECTORS_ADMINISTRATIVE_ACCESS_INDIRECT

ENDPOINT_RISK_VECTORS_ADMINISTRATIVE_ACCESS_OUTBOUND

ENDPOINT_RISK_VECTORS_ADMINISTRATIVE_ACCESS_SCORE

ENDPOINT_RISK_VECTORS_ADMINISTRATIVE_ACCESS_SESSIONS

ENDPOINT_RISK_VECTORS_COMPLIANCE

ENDPOINT_RISK_VECTORS_COMPLIANCE_COMPLIANCE_FAIL_COUNT

ENDPOINT_RISK_VECTORS_COMPLIANCE_SCORE

ENDPOINT_RISK_VECTORS_EXPIRED_CERTIFICATES

ENDPOINT_RISK_VECTORS_EXPIRED_CERTIFICATES_CERTIFICATES_COUNT

ENDPOINT_RISK_VECTORS_EXPIRED_CERTIFICATES_PORTS

ENDPOINT_RISK_VECTORS_EXPIRED_CERTIFICATES_SCORE

ENDPOINT_RISK_VECTORS_INSECURE_TLS

ENDPOINT_RISK_VECTORS_INSECURE_TLS_PORTS

ENDPOINT_RISK_VECTORS_INSECURE_TLS_PROTOCOLS

ENDPOINT_RISK_VECTORS_INSECURE_TLS_SCORE

ENDPOINT_RISK_VECTORS_PASSWORD_IDENTIFICATION

ENDPOINT_RISK_VECTORS_PASSWORD_IDENTIFICATION_FILES_CONFIRMED

ENDPOINT_RISK_VECTORS_PASSWORD_IDENTIFICATION_SCORE

ENDPOINT_RISK_VECTORS_SYSTEM_VULNERABILITY

ENDPOINT_RISK_VECTORS_SYSTEM_VULNERABILITY_CVE_COUNT

ENDPOINT_RISK_VECTORS_SYSTEM_VULNERABILITY_SCORE

ENDPOINT_SERIAL_NUMBER

ENDPOINT_SERVICES_DISPLAY_NAME

ENDPOINT_SERVICES_NAME

ENDPOINT_SERVICES_STARTUP_MODE

ENDPOINT_SERVICES_STATUS

ENDPOINT_SOFTWARE

ENDPOINT_SOFTWARE_NAME

ENDPOINT_SYSTEM_UUID

INVALID

Example
"ENDPOINT_CHASSIS_TYPE"

FilterMatch

Description

The set of compound operators available on assets query filters.

Values
Enum Value Description

ALL

All sub filters must match.

ANY

Any sub filter can match.

NOT

The sub filter must not match.
Example
"ALL"

FilterOps

Description

The set of operations allowed by the assets query filters.

Values
Enum Value Description

CONTAINS

The string contains operator. The field value must contain the specified value.

This is valid only for string types.

ENDS_WITH

The string ends with operator. The field value must end with the specified value.

This is valid only for string types.

EQ

The equality operator. The field value and specified values must be equal.

GT

The greater than operator. The field value must be greater than the specified value.

This is valid only for comparable types.

GTE

The greater than or equals operator. The field value must be greater than or equal to the specified value.

This is valid only for comparable types.

LAST_SEEN

The last seen operator. The field value must have been read since the specified date and time.

This is not valid for live queries.

LT

The less than operator. The field value must be less than the specified value.

This is valid only for comparable types.

LTE

The less than or equals operator. The field value must be less than or equal to the specified value.

This is valid only for comparable types.

MATCHES

The string matches operator. The field value must fully match the specified value, which is interpreted as a regular expression in Perl syntax.

This is valid only for string types.

STARTS_WITH

The string starts with operator. The field value must start with the specified value.

This is valid only for string types.

UPDATED_SINCE

The updated since operator. The field value must have been updated since the specified date and time.

This is not valid for live queries.

Example
"CONTAINS"

FilterSpec

Description

A filter for the assets query.

Fields
Input Field Description
field - FilterField

The field on which to filter.

match - FilterMatch

The operator by which to combine the sub filters.

op - FilterOps

The operator by which to compare the field and the value.

subs - [FilterSpec]

The list of sub filters.

value - String

The value by which to filter.

Example
{
  "field": "ENDPOINT_CHASSIS_TYPE",
  "match": "ALL",
  "op": "CONTAINS",
  "subs": [FilterSpec],
  "value": "xyz789"
}

Float

Description

The Float scalar type represents signed double-precision fractional values as specified by IEEE 754.

Example
123.45

ID

Description

The ID scalar type represents a unique identifier, often used to refetch an object or as key for a cache. The ID type appears in a JSON response as a String; however, it is not intended to be human-readable. When expected as an input type, any string (such as "4") or integer (such as 4) input value will be accepted as an ID.

Example
"4"

IDReference

Description

A record with an ID and a name.

Fields
Field Name Description
id - ID!
name - String!
Example
{"id": 4, "name": "xyz789"}

ImportConfigurationItemEntitiesPayload

Description

A response to a request to import configuration item entities.

Fields
Field Name Description
entities - [ImportConfigurationItemEntityPayload!]! The list of configuration item entity imports.
failedCount - Int! The number of entities that failed to import.
importedCount - Int! The number of entities successfully imported.
Example
{
  "entities": [ImportConfigurationItemEntityPayload],
  "failedCount": 987,
  "importedCount": 987
}

ImportConfigurationItemEntityPayload

Description

A configuration item entity import.

Fields
Field Name Description
entity - CIEntity The configuration item entity. If the entity failed to import, this contains no value.
errorMessage - String If the entity failed to import, the import error message.
Example
{
  "entity": CIEntity,
  "errorMessage": "xyz789"
}

Int

Description

The Int scalar type represents non-fractional signed whole numeric values. Int can represent values between -(2^31) and 2^31 - 1.

Example
123

KillProcessInput

Description

A request to terminate a process running on an endpoint.

Fields
Input Field Description
connectionID - ID

The ID of the Direct Connect connection to the endpoint on which the process is running. You must specify either this value or endpoint.

endpoint - OpenDirectConnectionInput

The endpoint on which the process is running. You must specify either this value or connectionID.

name - String!

The name of the process to terminate.

pid - Int!

The ID of the process to terminate.

signal - Signal!

The signal to use when terminating the process.

Example
{
  "connectionID": "4",
  "endpoint": OpenDirectConnectionInput,
  "name": "xyz789",
  "pid": 987,
  "signal": "SIGINT"
}

KillProcessPayload

Description

A response to a request to terminate a process.

Fields
Field Name Description
result - Boolean! Indicates that the process is terminated.
Example
{"result": true}

ListBlobFilter

Description

Filters the blobs returned by a query.

Blob keys are grouped by slashes (/). The list blob API terminates results at the next / in the key.

For example, with the following keys and request parameters:

Blobs:

  • key1 = "a.json"
  • key2 = "a/b.json"
  • key3 = "a/b/c.json"

Request 1:

  • prefix = "" and recursive = false
  • output:
  • a.json
  • a/ (returns a folder-like representation with a key but no contents)

Request 2:

  • prefix = "a/``" and recursive = false`
  • output:
  • a/b.json
  • a/b/ (returns a folder-like representation with a key but no contents)

Request 3:

  • prefix = "a/" and recursive = true
  • output:
  • a/b.json
  • a/b/c.json

Request 4:

  • prefix = "a.json" and recursive = true
  • output:
  • a.json
Fields
Input Field Description
prefix - String

Limit the results to keys beginning with the specified prefix.

recursive - Boolean

Indicates that the query results recursively list all blobs starting at the given prefix, or at the root if no prefix is specified. The recursive delimiter is the path separator (/).

Example
{"prefix": "abc123", "recursive": false}

Map

Description

A map of JSON data.

Example
Map

Memory

Description

The memory details of an endpoint.

Fields
Field Name Description
ram - String!

The total amount of installed memory in the endpoint.

Example: 2048 MB

Sensor: RAM

Use of this field requires the Core Content solution.

total - String!

The total physical memory installed in the endpoint.

Example: 8000 MB

Sensor: Total Memory

Use of this field requires the Core Content solution.

Example
{
  "ram": "abc123",
  "total": "xyz789"
}

MergeConfigurationItemElementsInput

Description

A request to merge two configuration item elements.

Fields
Input Field Description
duplicateElementId - ID!

The ID of the duplicate element, which is deleted by the merge.

targetElementId - ID!

The ID of the target element, which survives the merge.

Example
{
  "duplicateElementId": 4,
  "targetElementId": "4"
}

MergeConfigurationItemElementsPayload

Description

A response to a request to merge two configuration item elements.

Fields
Field Name Description
element - Element The merged element.
Example
{"element": Element}

Metadata

Description

Arbitrary data that can be recorded on many Tanium Server entities.

Fields
Field Name Description
adminFlag - Boolean! Indicates that the entry is accessible only to admins.
name - String! The name of the metadata entry.
value - String! The value of the metadata entry.
Example
{
  "adminFlag": false,
  "name": "xyz789",
  "value": "xyz789"
}

NetworkAdapter

Description

The network adapter details of an endpoint.

Fields
Field Name Description
connectionId - String!

The connection ID of the network adapter.

Example: Wi-Fi

Sensor: Network Adapter Details, Column: Network Connection ID

Use of this field requires the Core Content solution.

macAddress - String!

The MAC address of the network adapter.

Example: 00:24:D7:21:9C:70

Sensor: Network Adapter Details, Column: MAC Address

Use of this field requires the Core Content solution.

manufacturer - String!

The manufacturer of the network adapter.

Example: Intel Corporation

Sensor: Network Adapter Details, Column: Manufacturer

Use of this field requires the Core Content solution.

name - String!

The name of the network adapter.

Example: Intel(R) Centrino(R) Ultimate-N 6300 AGN

Sensor: Network Adapter Details, Column: Adapter Name

Use of this field requires the Core Content solution.

speed - String!

The speed of the network adapter.

Example: 65 Mbps

Sensor: Network Adapter Details, Column: Speed

Use of this field requires the Core Content solution.

type - String!

The type of the network adapter.

Example: Ethernet 802.3

Sensor: Network Adapter Details, Column: Adapter Type

Use of this field requires the Core Content solution.

Example
{
  "connectionId": "abc123",
  "macAddress": "xyz789",
  "manufacturer": "abc123",
  "name": "xyz789",
  "speed": "abc123",
  "type": "abc123"
}

Networking

Description

The networking details of an endpoint.

Fields
Field Name Description
adapters - [NetworkAdapter]! The network adapter details of the endpoint.
dnsServers - [String]!

The IP addresses of any configured DNS servers for active network adapters.

Examples: 192.168.1.1, 8.8.8.8

Sensor: DNS Server

wirelessAdapters - [WirelessAdapter]! The wireless network adapter details of the endpoint.
Example
{
  "adapters": [NetworkAdapter],
  "dnsServers": ["abc123"],
  "wirelessAdapters": [WirelessAdapter]
}

NumericIntervalOption

Fields
Field Name Description
model - ParameterDefinitionType!
name - String!
parameterType - ParameterDefinitionType!
value - String!
Example
{
  "model": ParameterDefinitionType,
  "name": "xyz789",
  "parameterType": ParameterDefinitionType,
  "value": "xyz789"
}

OpenDirectConnectionInput

Description

A request to open a Direct Connect connection to an endpoint.

Fields
Input Field Description
endpointID - ID

The ID of the endpoint.

Example
{"endpointID": 4}

OpenDirectConnectionPayload

Description

A response to a request to open a Direct Connect connection to an endpoint.

Fields
Field Name Description
connectionID - ID! A connection ID, used for Direct Connect requests.
Example
{"connectionID": 4}

Package

Fields
Field Name Description
command - String! The command to run.
commandTimeout - Int! The limit on how long the command can run before it terminates.
contentSet - IDReference The content set to which this package belongs.
displayName - String! The name of the package that displays in the user interface.
expireSeconds - Int!

The default expiration for any action issued with this package.

This value should be greater than commandTimeout. The console interprets the difference between the expireSeconds value and commandTimeout value as "download timeout."

id - ID! The unique ID of the object. This field is read-only.
metadata - [Metadata!]! A set of generic name-value pairs that describe this package.
name - String! The unique name of this package.
parameterDefinition - ParameterDefinitions JSON metadata about what data should be sent with parameters, used by the console when deploying packages.
parameters - [PackageParameter!]! A list of parameters to be used for the package. If you define parameters, you must also specify SourceID.
processGroupFlag - Boolean!

Indicates that Tanium 7.2+ clients run the package command in a process group, and terminate any remaining descendant processes when the package command completes. Default server value is false.

This should always be true.

rawParameterDefinition - String The raw parameter definition string, This field is defined only when parsing the parameterDefinition string to the expected JSON format fails.
skipLockFlag - Boolean!

Indicates that clients can run the package command, even when the client has action locks set.

This should almost always be false.

sourceHash - String! This applies only to derived packages. For source package: the hash representation of current state of the source package, and it can change when certain properties of this package are modified. For non-source package: the hash is copied from the source package at creation time and will not change.
sourceHashChangedFlag - Boolean! Indicates that the derived package is out of sync with the source package.
sourceID - Int! The ID of a source package. Specify this when creating an action with a parameterized package.
sourceName - String! The name of a source package. This field is used by the import and export routes when IDs change.
verifyExpireSeconds - Int! The maximum number of seconds for a package verification query before timeout.
Example
{
  "command": "abc123",
  "commandTimeout": 987,
  "contentSet": IDReference,
  "displayName": "xyz789",
  "expireSeconds": 987,
  "id": 4,
  "metadata": [Metadata],
  "name": "abc123",
  "parameterDefinition": ParameterDefinitions,
  "parameters": [PackageParameter],
  "processGroupFlag": false,
  "rawParameterDefinition": "xyz789",
  "skipLockFlag": true,
  "sourceHash": "xyz789",
  "sourceHashChangedFlag": false,
  "sourceID": 123,
  "sourceName": "xyz789",
  "verifyExpireSeconds": 123
}

PackagePagination

Fields
Field Name Description
items - [Package]!
pageInfo - PaginationInfoWithID!
Example
{
  "items": [Package],
  "pageInfo": PaginationInfoWithID
}

PackageParameter

Description

A parameter of a package.

Fields
Field Name Description
key - String
value - String
Example
{
  "key": "abc123",
  "value": "abc123"
}

PageInfo

Description

Information about a connection page.

Fields
Field Name Description
endCursor - Cursor The cursor of the last record on this page.
hasNextPage - Boolean! Indicates that there are records after the last record on this page.
hasPreviousPage - Boolean! Indicates that there are records before the first record on this page.
startCursor - Cursor The cursor of the first record on this page.
Example
{
  "endCursor": Cursor,
  "hasNextPage": false,
  "hasPreviousPage": false,
  "startCursor": Cursor
}

PaginationInfo

Description

Information about a paginated collection.

Fields
Field Name Description
page - Int! Current page number.
perPage - Int! Number of items per page.
totalItems - Int! Total number of items.
totalPages - Int! Total number of pages.
Example
{"page": 123, "perPage": 123, "totalItems": 987, "totalPages": 987}

PaginationInfoWithID

Description

Information about a paginated collection, including an ID for the collection.

Fields
Field Name Description
id - ID! Pagination ID to use when querying pages.
page - Int! Current page number.
perPage - Int! Number of items per page.
totalItems - Int! Total number of items.
totalPages - Int! Total number of pages.
Example
{
  "id": "4",
  "page": 987,
  "perPage": 123,
  "totalItems": 123,
  "totalPages": 123
}

ParameterDefinition

Fields
Field Name Description
allowDisableEnd - Boolean
allowEmptyList - Boolean
componentType - Int
defaultRangeEnd - DefaultRangeEnd
defaultRangeStart - DefaultRangeEnd
defaultValue - String
dropdownOptions - [NumericIntervalOption!]
endDateRestriction - DefaultRangeEnd
endTimeRestriction - DefaultRangeEnd
heightInLines - Int
helpString - String!
key - String!
label - String!
maxChars - Int
maximum - Int
minimum - Int
model - ParameterDefinitionType!
parameterType - ParameterDefinitionType!
promptText - String
restrict - String
separatorText - String
snapInterval - Int
startDateRestriction - DefaultRangeEnd
startTimeRestriction - DefaultRangeEnd
stepSize - Int
validationExpressions - [ParameterDefinitionValidationExpression!]
value - String
values - [String!]!
Example
{
  "allowDisableEnd": false,
  "allowEmptyList": true,
  "componentType": 987,
  "defaultRangeEnd": DefaultRangeEnd,
  "defaultRangeStart": DefaultRangeEnd,
  "defaultValue": "xyz789",
  "dropdownOptions": [NumericIntervalOption],
  "endDateRestriction": DefaultRangeEnd,
  "endTimeRestriction": DefaultRangeEnd,
  "heightInLines": 987,
  "helpString": "abc123",
  "key": "abc123",
  "label": "abc123",
  "maxChars": 987,
  "maximum": 987,
  "minimum": 987,
  "model": ParameterDefinitionType,
  "parameterType": ParameterDefinitionType,
  "promptText": "xyz789",
  "restrict": "xyz789",
  "separatorText": "abc123",
  "snapInterval": 123,
  "startDateRestriction": DefaultRangeEnd,
  "startTimeRestriction": DefaultRangeEnd,
  "stepSize": 987,
  "validationExpressions": [
    ParameterDefinitionValidationExpression
  ],
  "value": "abc123",
  "values": ["abc123"]
}

ParameterDefinitionType

Example
ParameterDefinitionType

ParameterDefinitionValidationExpression

Fields
Field Name Description
expression - String
helpString - String
model - ParameterDefinitionType!
parameterType - ParameterDefinitionType!
Example
{
  "expression": "abc123",
  "helpString": "abc123",
  "model": ParameterDefinitionType,
  "parameterType": ParameterDefinitionType
}

ParameterDefinitions

Fields
Field Name Description
model - ParameterDefinitionType!
parameterType - ParameterDefinitionType!
parameters - [ParameterDefinition!]!
Example
{
  "model": ParameterDefinitionType,
  "parameterType": ParameterDefinitionType,
  "parameters": [ParameterDefinition]
}

PerfQuery

Description

A request to perform a PromQL query.

Fields
Input Field Description
from - Time

The start date and time of the PromQL query.

query - String!

The PromQL query to perform.

step - String

The step size of the PromQL query.

to - Time

The end date and time of the PromQL query.

type - PerfQueryType!

The type of PromQL query to perform.

Example
{
  "from": "10:15:30Z",
  "query": "xyz789",
  "step": "xyz789",
  "to": "10:15:30Z",
  "type": "QUERY"
}

PerfQueryType

Description

The set of performance query types.

Values
Enum Value Description

QUERY

QUERY_RANGE

Example
"QUERY"

PermissionType

Description

The set of permissions applicable to blobs.

Values
Enum Value Description

SHARED

Blobs are shared among all users with access to the content set.
Example
"SHARED"

Persona

Description

A set of roles and computer groups that can be used to enforce a set of restrictions on what a user can and cannot do.

Fields
Field Name Description
name - String! The name of the persona.
Example
{"name": "xyz789"}

PingDirectConnectionInput

Description

A request to ping an endpoint over a Direct Connect connection (for example, to test connectivity).

Fields
Input Field Description
connectionID - ID!

The ID of the connection to ping.

Example
{"connectionID": "4"}

PingDirectConnectionPayload

Description

A response to a request to ping an endpoint over a Direct Connect connection.

Fields
Field Name Description
result - Boolean! Indicates that the ping is acknowledged.
Example
{"result": true}

Process

Description

A process running on an endpoint.

Fields
Field Name Description
commandLine - String! The command line of the process.
cpuKernelTimeSeconds - Float! The seconds of CPU kernel time used by the process.
cpuUserTimeSeconds - Float! The seconds of CPU user time used by the process.
groupName - String! The group name of the process.
memoryResidentBytes - Int! The number of memory resident bytes used by the process.
name - String! The name of the process.
pid - Int! The ID of the process.
ppid - Int! The ID of the parent of this process.
userName - String! The name of the user that started the process.
Example
{
  "commandLine": "xyz789",
  "cpuKernelTimeSeconds": 987.65,
  "cpuUserTimeSeconds": 123.45,
  "groupName": "xyz789",
  "memoryResidentBytes": 123,
  "name": "abc123",
  "pid": 987,
  "ppid": 123,
  "userName": "xyz789"
}

Processor

Description

The processor details of an endpoint.

Fields
Field Name Description
architecture - String!

The architecture of the CPU.

Example: i386, X86-based PC

Sensor: CPU Architecture

Use of this field requires the Core Content solution.

cacheSize - String!

The cache size of the CPU in KB.

Example: 1024 KB

Sensor: CPU Cache Size

Use of this field requires the Core Content solution.

consumption - String!

The current total CPU consumption as a percentage (%).

Example: 50%

Sensor: CPU Consumption

Use of this field requires the Core Content solution.

cpu - String!

The description of the CPU.

Example: Intel(R) Core(TM) i5-2500 CPU @ 3.30GHz

Sensor: CPU

Use of this field requires the Core Content solution.

family - String!

The CPU family.

Example: Xeon, Family 198

Sensor: CPU Family

Use of this field requires the Core Content solution.

highConsumption - String!

Indicates whether the client machine is currently experiencing high utilization of its CPU.

Example: Under threshold

Sensor: High CPU Consumption

Use of this field requires the Core Content solution.

logicalProcessors - Int!

The number of logical processors.

Example: 8

Sensor: CPU Details, Column: Total Logical Processors

Use of this field requires the Core Content solution.

manufacturer - String!

The CPU manufacturer.

Example: GenuineIntel

Sensor: CPU Manufacturer

Use of this field requires the Core Content solution.

revision - String!

The revision number of the CPU.

Example: 5898

Sensor: Revision of CPU

Use of this field requires the Core Content solution.

speed - String!

The speed of the CPU in megahertz.

Example: 3200 Mhz

Sensor: CPU Speed Mhz

Use of this field requires the Core Content solution.

Example
{
  "architecture": "xyz789",
  "cacheSize": "abc123",
  "consumption": "abc123",
  "cpu": "xyz789",
  "family": "abc123",
  "highConsumption": "abc123",
  "logicalProcessors": 987,
  "manufacturer": "xyz789",
  "revision": "abc123",
  "speed": "abc123"
}

Relationship

Description

A relationship between configuration item entities.

Fields
Field Name Description
created - Time! The date and time at which the relationship was stored in the CMDB.
details - Map The semi-structured data for the entity class. The schema version can be specified as an argument. If it is not specified, the schema version defaults to the latest schema available.
Arguments
schemaVersion - String
entityA - ID! The ID of the primary configuration item entity.
entityB - ID! The ID of the secondary configuration item entity.
id - ID! The unique ID of the relationship.
type - String! The type of the relationship.
updated - Time! The date and time at which the relationship was last updated in the CMDB.
Example
{
  "created": "10:15:30Z",
  "details": Map,
  "entityA": 4,
  "entityB": "4",
  "id": 4,
  "type": "xyz789",
  "updated": "10:15:30Z"
}

RelationshipPayload

Description

A request to manage a relationship between configuration item entities.

Fields
Input Field Description
details - Map

The semi-structured data for the relationship.

entityA - ID!

The ID of the primary configuration item entity.

entityB - ID!

The ID of the secondary configuration item entity.

id - ID

The relationship ID. If this relationship ID exists, this request updates the matching relationship. If this relationship ID does not exist, this request creates a new relationship.

type - String!

The type of the relationship.

Example
{
  "details": Map,
  "entityA": "4",
  "entityB": 4,
  "id": 4,
  "type": "xyz789"
}

RelationshipQueryParams

Description

The configuration item relationships to include in the results.

Fields
Input Field Description
entityEids - [ID]

The set of configuration item entity endpoint IDs to include in the results.

entityIds - [ID]

The set of configuration item entity IDs to include in the results.

ids - [ID]

The set of configuration item relationship IDs to include in the results.

type - String

The type of relationships to include in the results.

Example
{
  "entityEids": ["4"],
  "entityIds": [4],
  "ids": ["4"],
  "type": "abc123"
}

RelationshipResult

Description

A set of configuration item relationships.

Fields
Field Name Description
items - [Relationship]! The configuration item relationships.
Example
{"items": [Relationship]}

RelationshipSortField

Description

The set of fields by which relationships may be sorted.

Values
Enum Value Description

className

entityA

entityB

entityName

id

relationshipType

Example
"className"

RelationshipSortRequest

Description

The criteria by which to sort the relationships.

Fields
Input Field Description
field - RelationshipSortField!

The field by which to sort.

order - SortOrder

The order in which to sort the field values.

Example
{"field": "className", "order": "asc"}

RelationshipType

Description

The type of a configuration item relationship.

Fields
Field Name Description
edgeDirection - EdgeDirection! The direction of the relationship type.
type - String! The name of the relationship type.
Example
{"edgeDirection": "AtoB", "type": "abc123"}

RelationshipTypeResult

Description

A set of configuration item relationship types.

Fields
Field Name Description
items - [RelationshipType]! The configuration item relationship types.
Example
{"items": [RelationshipType]}

RemoveBlobInput

Description

A request to remove a blob.

Fields
Input Field Description
category - ID!

The category of the blob.

domain - ID!

The domain of the blob.

key - ID!

The unique key of the blob.

Example
{"category": "4", "domain": 4, "key": 4}

RemoveBlobPayload

Description

The response from a request to remove a blob.

Fields
Field Name Description
category - ID! The category of the requested blob.
domain - ID! The domain of the requested blob.
key - ID! The key of the requested blob.
Example
{
  "category": 4,
  "domain": "4",
  "key": "4"
}

RetentionType

Description

The set of retention policies applicable to blobs.

Values
Enum Value Description

RETENTION_INDEFINITE

No retention policy for blobs stored in this category. No automated cleanup is performed.

RETENTION_NINETY_DAYS

Sets a 90 day retention window for blobs stored in this category.

RETENTION_ONE_DAY

Sets a 1 day retention window for blobs stored in this category.
Example
"RETENTION_INDEFINITE"

Sensor

Description

A sensor is a named source of endpoint data. Normal sensors are managed by the Tanium Server and executed as scripts on endpoints. Virtual sensors are managed by TDS and typically store data computed and asserted by various system.

Fields
Field Name Description
category - String! The sensor category. The value "reserved" is reserved for internal system sensors.
columns - [SensorColumn!] The list of columns provided by the sensor. This is null for single-column sensors, which produce one column with the same name as the sensor.
contentSetName - String! The name of the content set governing the sensor's access control.
created - Time When the sensor was created, if known.
description - String! The sensor description.
endpointQueryPaths - [String!]! The list of paths in the endpoints query in which this sensor is read, e.g. ["cpu", "manufacturer"]. This is empty if there are no such paths.
harvested - Boolean! Indicates that the sensor is harvested in TDS. Parameterized sensors are never harvested directly, rather are harvested with specific sets of parameter values, see the parameterizations field for these.
ignoreCase - Boolean! Indicates the system should ignore case when comparing sensor readings.
keepDuplicatesFlag - Boolean Indicates that sensors should report all values if a reading obtains duplicates. This will be absent for virtual sensors.
maxAgeSeconds - Int The maximum age of sensor readings in seconds. This will be absent for virtual sensors.
name - String! The sensor name.
parameterizations - [SensorParameterization!] The sets of parameter values for this parameterized sensor that are important, by virtual of being harvested, registered in the endpoints query schema, or similar. This is null for unparameterized sensors.
parameters - [SensorParameter!] The list of parameters accepted when reading the sensor. This is null for unparameterized sensors.
scripts - [SensorScript!] The scripts which implement the sensor on the various platforms. This will be absent for virtual sensors.
updated - Time When the sensor was last updated, if known.
valueType - String! The type of value returned by the sensor, used to compare and sort values. The system does not validate or enforce these types.
virtual - Boolean! Indicates that the sensor is virtual, managed by TDS, and not available to TS queries.
Example
{
  "category": "abc123",
  "columns": [SensorColumn],
  "contentSetName": "xyz789",
  "created": "10:15:30Z",
  "description": "xyz789",
  "endpointQueryPaths": ["abc123"],
  "harvested": true,
  "ignoreCase": true,
  "keepDuplicatesFlag": true,
  "maxAgeSeconds": 123,
  "name": "abc123",
  "parameterizations": [SensorParameterization],
  "parameters": [SensorParameter],
  "scripts": [SensorScript],
  "updated": "10:15:30Z",
  "valueType": "xyz789",
  "virtual": false
}

SensorColumn

Description

A sensor column describes a named portion of a sensor reading.

Fields
Field Name Description
ignoreCase - Boolean! Indicates the system should ignore case when comparing column values.
name - String! The column name.
valueType - String! The type of value in the column, used to compare and sort values. The system does not validate or enforce these types.
Example
{
  "ignoreCase": false,
  "name": "abc123",
  "valueType": "xyz789"
}

SensorConnection

Description

A page of sensor edges.

Fields
Field Name Description
edges - [SensorEdge!]! The list of sensor edges.
pageInfo - PageInfo! Information about the sensor collection.
totalRecords - Int! The total number of sensor records available.
Example
{
  "edges": [SensorEdge],
  "pageInfo": PageInfo,
  "totalRecords": 987
}

SensorEdge

Description

A sensor within a page.

Fields
Field Name Description
cursor - Cursor! The cursor of this edge within the collection.
node - Sensor! The sensor.
Example
{"cursor": Cursor, "node": Sensor}

SensorHarvestInput

Description

A request to manage the harvest registration of a sensor in TDS.

Fields
Input Field Description
cursor - Cursor

The cursor value from a previous sensor harvest request.

harvest - Boolean!

Indicates the sensor is being registered or deregistered for harvest.

integrationName - String!

The name of the integration for which the sensor is being harvested. This should be a lowercase compound string joined by hyphens, where the first part indicates the name of the company responsible for the integration and the second part indicates the name or purpose of the integration.

The leading string tanium- is reserved for Tanium integrations.

name - String!

The name of the sensor to harvest.

parameters - [EndpointSensorRefParam!]

The values of the parameterizable sensor to harvest.

Example
{
  "cursor": Cursor,
  "harvest": false,
  "integrationName": "xyz789",
  "name": "xyz789",
  "parameters": [EndpointSensorRefParam]
}

SensorHarvestPayload

Description

A response to a harvest registration request.

Fields
Field Name Description
cursor - Cursor Indicates the request is not complete and provides an identifier for subsequent calls to determine the request's terminal state.
error - SystemError Specifies that the request terminated in an error.
success - Boolean Indicates the request completed successfully or failed.
Example
{
  "cursor": Cursor,
  "error": SystemError,
  "success": false
}

SensorParameter

Description

A sensor parameter describes an argument to a sensor.

Fields
Field Name Description
defaultValue - String The default parameter value, if any.
name - String! The parameter name.
Example
{
  "defaultValue": "xyz789",
  "name": "xyz789"
}

SensorParameterValue

Description

A sensor parameter value.

Fields
Field Name Description
name - String! The parameter name.
value - String! The parameter value.
Example
{
  "name": "abc123",
  "value": "xyz789"
}

SensorParameterization

Description

A sensor parameterization is a specific set of sensor parameter values.

Fields
Field Name Description
endpointQueryPaths - [String!]! The list of paths in the endpoints query in which this sensor is read with these parameters.
harvested - Boolean! Indicates the parameterized sensor is registered for harvest in TDS with these values.
values - [SensorParameterValue!]! The values of this parameterization.
Example
{
  "endpointQueryPaths": ["xyz789"],
  "harvested": true,
  "values": [SensorParameterValue]
}

SensorScript

Description

The script implementing a sensor for a given platform.

Fields
Field Name Description
platform - EndpointPlatform! The platform on which the sensor script runs.
source - String! The source code.
type - SensorScriptType! The type.
Example
{
  "platform": "AIX",
  "source": "abc123",
  "type": "BESRelevance"
}

SensorScriptType

Description

The types of sensor scripts allowed by the platform.

Values
Enum Value Description

BESRelevance

JScript

Powershell

Python

UnixShell

Unknown

VBScript

WMIQuery

Example
"BESRelevance"

SettingName

Description

The controllable client settings.

Values
Enum Value Description

HOT_CACHE_PERCENTAGE

The hot cache to cold cache setting percentage.

LOG_VERBOSITY_LEVEL

Sets the amount of logging.

RANDOM_SENSOR_DELAY_IN_SECONDS

Randomizes sensor execution (useful for VDI environments). The maximum randomization value is 3600 seconds. Note that this does not affect intrinsic sensors like Computer Name.

STATE_PROTECTED_FLAG

Enables encryption and protection of sensor queries in sensor.db, NodeState, and ActionManager state.
Example
"HOT_CACHE_PERCENTAGE"

Signal

Description

The set of signals that can be sent to processes.

Values
Enum Value Description

SIGINT

SIGKILL

SIGTERM

Example
"SIGINT"

SoftwareApplicabilityCounts

Description

The number of endpoints in each applicability status.

Fields
Field Name Description
installEligibleCount - Int! The number of endpoints where the software is not installed and system requirements are met.
installedCount - Int! The number of systems where the software package is already installed.
notApplicableCount - Int! The number of endpoints where the system requirements or prerequisites are not met.
updateEligibleCount - Int! The number of endpoints where one or more of the previous versions of the application are detected, and the software package can update those systems.
updateIneligibleCount - Int! The number of endpoints where one or more of the previous versions of the application are detected, but the system requirements are not met.
Example
{
  "installEligibleCount": 123,
  "installedCount": 987,
  "notApplicableCount": 123,
  "updateEligibleCount": 987,
  "updateIneligibleCount": 987
}

SoftwareDeploymentDetails

Description

The details of a software deployment.

Fields
Field Name Description
ID - ID! The ID of the software deployment.
errors - [SoftwareDeploymentErrorCount!] Any error messages logged during software deployment.
name - String! The name of the software deployment.
status - SoftwareDeploymentStatus The status of the software deployment.
Example
{
  "ID": 4,
  "errors": [SoftwareDeploymentErrorCount],
  "name": "abc123",
  "status": SoftwareDeploymentStatus
}

SoftwareDeploymentErrorCount

Description

A software deployment error that affects endpoints.

Fields
Field Name Description
count - Int! The number of endpoints affected by the error.
error - String! A description of the error.
Example
{"count": 987, "error": "abc123"}

SoftwareDeploymentStatus

Description

The status and related details of a software deployment.

Fields
Field Name Description
completeCount - Int! The number of endpoints where the deployment completed.
downloadCompleteWaitingCount - Int! The number of endpoints that finished downloading files and are waiting to run the deployment.
downloadingCount - Int! The number of endpoints that are downloading required files.
failedCount - Int! The number of endpoints where the deployment failed.
label - SoftwareDeploymentStatusLabel! The status label for the software deployment.
notApplicableCount - Int! The number of endpoints where the system requirements or prerequisites are not met.
runningCount - Int! The number of endpoints that finished downloading files and are running the deployment.
waitingCount - Int! The number of endpoints waiting to run the deployment.
Example
{
  "completeCount": 123,
  "downloadCompleteWaitingCount": 123,
  "downloadingCount": 987,
  "failedCount": 123,
  "label": "ACTIVE",
  "notApplicableCount": 987,
  "runningCount": 987,
  "waitingCount": 987
}

SoftwareDeploymentStatusLabel

Description

The set of status labels for a software deployment.

Values
Enum Value Description

ACTIVE

FINISHED

SCHEDULED

STOPPED

Example
"ACTIVE"

SoftwareOperation

Description

The set of operations permitted for software package deployments.

Values
Enum Value Description

INSTALL

INSTALL_OR_UPDATE

REMOVE

UPDATE

Example
"INSTALL"

SoftwarePackage

Description

The details of a software package.

Fields
Field Name Description
applicabilityCounts - SoftwareApplicabilityCounts The number of endpoints in each applicability status.
id - ID! The ID of the software package.
platform - EndpointPlatform! The operating system platform on which the software package runs.
productName - String! The name of the software package.
productVendor - String! The vendor of the software package.
productVersion - String! The version of the software package.
Example
{
  "applicabilityCounts": SoftwareApplicabilityCounts,
  "id": 4,
  "platform": "AIX",
  "productName": "abc123",
  "productVendor": "xyz789",
  "productVersion": "xyz789"
}

SoftwarePackageConnection

Description

A page of software packages.

Fields
Field Name Description
edges - [SoftwarePackageEdge]! The list of software package edges.
pageInfo - PageInfo! Information about the software package collection.
totalCount - Int! The total number of records in the software package collection.
Example
{
  "edges": [SoftwarePackageEdge],
  "pageInfo": PageInfo,
  "totalCount": 123
}

SoftwarePackageEdge

Description

A software package within a page.

Fields
Field Name Description
cursor - Cursor! The cursor of this edge within the collection.
node - SoftwarePackage! The software package.
Example
{
  "cursor": Cursor,
  "node": SoftwarePackage
}

SoftwareTarget

Description

The endpoints on which to perform a software management operation.

Fields
Input Field Description
endpoints - [ID]

The list of endpoint IDs on which to perform the operation. You can add up to 25 endpoints.

targetGroup - String

The name of the group of endpoints on which to perform the operation. This is a subset of the action group. This defaults to the All Computers computer group.

Example
{
  "endpoints": ["4"],
  "targetGroup": "xyz789"
}

SortOrder

Description

The directions in which entities can be sorted.

Values
Enum Value Description

asc

Ascending order.

desc

Descending order.
Example
"asc"

String

Description

The String scalar type represents textual data, represented as UTF-8 character sequences. The String type is most often used by GraphQL to represent free-form human-readable text.

Example
"abc123"

SyncAssetResult

Description

A response to a request to synchronize assets.

Fields
Field Name Description
success - Boolean! Indicates a successful synchronization.
Example
{"success": false}

SystemError

Description

A system error represents a problem that occurred while trying to process a command.

Fields
Field Name Description
message - String Briefly describes the problem and any possible solutions.
retryable - Boolean Indicates that the system might succeed on a subsequent try of the same request.
timedOut - Boolean Indicates that the system timed out while trying to process the command, and it is not known if it succeeded or not.
Example
{
  "message": "abc123",
  "retryable": true,
  "timedOut": false
}

Time

Description

An instant in time in RFC 3339 format.

Example
"10:15:30Z"

UpdateConfigurationItemPropertiesInput

Description

A request to update properties of the configuration item in the CMDB.

Fields
Input Field Description
userSpecifiedAssetsMaxAge - Int

The maximum age in seconds of user-specified Unmanaged Assets.

Example
{"userSpecifiedAssetsMaxAge": 987}

UpdateConfigurationItemPropertiesResult

Description

A response to a request to update properties of the configuration item in the CMDB.

Fields
Field Name Description
userSpecifiedAssetsMaxAge - Int The maximum age in seconds of user-specified Unmanaged Assets.
Example
{"userSpecifiedAssetsMaxAge": 987}

UploadBlobURLInput

Description

A request to generate a blob upload URL.

Fields
Input Field Description
category - ID!

The category of the blob.

domain - ID!

The domain of the blob.

key - ID!

The unique key of the blob.

Example
{"category": 4, "domain": 4, "key": 4}

UploadBlobURLPayload

Description

A response to a request to generate a blob upload URL.

Fields
Field Name Description
exists - Boolean! Indicates that the blob exists at the time of this URL request.
url - String! HTTP PUT URL to upload the requested blob.
Example
{"exists": true, "url": "xyz789"}

WirelessAdapter

Description

The wireless adapter details of an endpoint.

Fields
Field Name Description
ssid - String!

The SSID (name) of the wireless network to which this wireless adapter connects.

Example: linksys

Sensor: Wireless Network Connected SSID, Column: Wireless Network Connected SSID

Use of this field requires the Core Content solution.

state - ConnectedState!

The state of the adapter connection to its network.

Example: CONNECTED

Sensor: Wireless Network Connected SSID, Column: Wireless Network Connected SSID

Use of this field requires the Core Content solution.

Example
{"ssid": "xyz789", "state": "CONNECTED"}