Using API Gateway

Use API Gateway to build API-based integrations with the Tanium Core Platform. This service consolidates information from multiple Tanium modules into a unified view of information on the endpoints in the environment. API Gateway intelligently routes requests to the services and sources that provide the most recent information and the most reliable mutations.

API Gateway uses GraphQL to request data (queries) and to make changes (mutations). With GraphQL, you can compose queries in API Gateway to retrieve the exact data that you want as well as filter the results to a set of endpoints.

Requests scheduled to run during a Tanium Cloud maintenance window might be interrupted or fail. Schedule your requests to run outside of the Tanium Cloud maintenance window. For information on configuring a custom maintenance window start time, see Tanium Cloud Deployment Guide: Configure custom maintenance window.

Requests scheduled to run during an upgrade of API Gateway, or any Tanium solution that your request relies on, might be interrupted or fail. Schedule your connections to run at a different time than your Tanium upgrades.

Use API Gateway to:

  • Query endpoints through the Tanium Server or Tanium Cloud, or access data through Tanium Data Service
  • Create, delete, and query actions
  • Query packages
  • Open a connection to an endpoint through Tanium Direct Connect and retrieve data from the endpoint

For examples of available functions, see Reference: API Gateway examples.

Create a persona limited to submitting only query requests

If you want to restrict a user's ability to modify information using API Gateway, configure a role with read-only rights to certain Tanium Core Platform functionality, then create a persona and add the role to the persona. If a user with this persona active submits a mutation, the response contains an error because the persona does not have write access.

The following role and persona limit Tanium Core Platform permissions for questions and actions. If you want to restrict other functionality, such as that associated with other Tanium solutions, you might need to add additional read-only permissions.

For more information on creating a custom role, see Tanium Console User Guide: Configure a custom role. For more information on creating a persona, see Tanium Console User Guide: Create a persona.

  1. From the Main menu, go to Administration > Permissions > Roles and click New Role.

  2. Specify a Role Name, such as Gateway read-only role.

  3. Set the Permission Type to Allow.

  4. Select the Gateway API execute permission to allow the role to submit requests.
  5. Select the following permissions to restrict question access to read-only:

    • Interact - Ask Dynamic Questions special

    • Platform Content Permissions - Filter Group Read
    • Platform Content Permissions - Sensor Read

    Select the following permissions to restrict action access to read-only:

    • Platform Content Permissions - Action Read
    • Platform Content Permissions - Filter Group Read
    • Platform Content Permissions - Package Read
    • Platform Content Permissions - Sensor Read
  6. Click Save.

  7. From the Main menu, go to Administration > Permissions > Personas and click New Persona.

  8. Specify a persona Name, such as Gateway read-only persona.

  9. Click Manage Roles.

  10. Select Gateway read-only role.

  11. Click Apply.

  12. Configure the user group, user, and computer group assignments.
  13. Click Save.
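
A client-side counterpart to the read-only persona, as an added example that is not part of the Tanium documentation: it classifies a GraphQL document by operation type so an integration can refuse to send anything but queries, and it checks a decoded response for the error that a mutation under the read-only persona is described as returning. The function names, the `exampleChange` field, and the sample response are constructed for illustration and are not taken from the API Gateway schema.

```python
import re

# Block strings, strings and '#' comments are blanked so keywords inside them are ignored.
NOISE = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*')
TOKEN = re.compile(r'[{}()]|[A-Za-z_][A-Za-z0-9_]*')
READ_ONLY = {"query"}

# Constructed samples: `exampleChange` is a placeholder, not a field of the API Gateway schema.
SAMPLE_QUERY = "{\n  now\n}"
SAMPLE_MUTATION = 'mutation M { exampleChange(input: {note: "query { now }"}) { id } }'
# Constructed response using the GraphQL `errors` list; the message text is illustrative.
SAMPLE_DENIED = {"data": None, "errors": [{"message": "constructed: permission denied"}]}


def operation_types(document):
    """Return the operation types (query, mutation, subscription) a GraphQL document defines."""
    found, braces, parens, head = set(), 0, 0, None
    for tok in TOKEN.findall(NOISE.sub(" ", document)):
        if tok in "()":
            parens += 1 if tok == "(" else -1
        elif parens:
            continue  # inside variable definitions or directive arguments
        elif tok == "{":
            if braces == 0 and head is None:
                found.add("query")  # shorthand form such as `{ now }`
            braces += 1
        elif tok == "}":
            braces -= 1
            if braces == 0:
                head = None  # definition finished; the next token starts a new one
        elif braces == 0 and head is None:
            head = tok  # first word of a definition: operation keyword or `fragment`
            if tok in ("query", "mutation", "subscription"):
                found.add(tok)
    return found


def guard_read_only(document):
    """Fail closed before sending: raise unless the document contains only queries."""
    types = operation_types(document)
    if types != READ_ONLY:
        raise PermissionError(f"refusing to send: {sorted(types) or 'no operation'}")
    return document


def rejected(response):
    """True when a decoded GraphQL response carries a non-empty top-level `errors` list."""
    return bool(response.get("errors"))
```

The guard does not replace the persona; the role permissions remain the enforcement point, and the guard only stops a read-only integration from sending a mutation in the first place.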

Test a query in the Tanium Console

To access the query explorer in the Tanium Console and run a query, perform the following steps:

  1. From the Main menu, go to Shared Services > API Gateway.
  2. Enter a query in the query pane. For example, paste the following query to get the time from the Tanium Server or Tanium Cloud:
    {
      now
    }

    If the query explorer does not appear on the API Gateway Overview page, click Customize Page and make sure the Query Explorer option is selected.

  3. (Optional) If a query or mutation uses variables, expand the QUERY VARIABLES pane and include the variables in the pane that expands.
  4. Click Execute Query.

API Gateway sends the query to the Tanium Server or Tanium Cloud and returns the response in the results pane.

For more information on the query explorer, see Query explorer.

Use the Documentation Explorer to view the schema

API Gateway contains a schema reference that documents all queries, mutations, and objects that are available in API Gateway. The schema reference is generated directly from the schema; refer to the schema reference in API Gateway for the most up-to-date documentation.

To view the schema reference in the query explorer, click Docs to expand the Documentation Explorer pane of the query explorer.