Reference: API Gateway examples

For additional API Gateway example syntax, see Tanium API Gateway User Guide: Reference: Filter syntax and Tanium API Gateway User Guide: Reference: API Gateway examples.

Comply query filter syntax

Endpoint queries that request Comply-related information using complianceFindings or cveFindings support the path and value filter fields. Comply 2.16.97 or later is required to submit a request that filters specific System Vulnerability and System Compliance risk vector fields.

For more information on syntax, see FieldFilter in the Documentation Explorer pane of the query explorer.

Single column

You can filter on field values. Define a filter object using one of the following syntaxes:

complianceFindings (filter: 
  {
    path: "field-path",
    op: "operator-value",
    value: "field-value"
  }
)

cveFindings (filter: 
  {
    path: "field-path",
    op: "operator-value",
    value: "field-value"
  }
)

Use dot notation for sub-fields not at the root level. You can filter the endpoints returned and filter the endpoints based on Comply information in a single request.

For example, the following query retrieves the first endpoint with a compliance findings category of Error and returns that endpoint's associated compliance findings:

query filterComplianceFindings ($first: Int) {
  endpoints(first: $first) {
    edges {
      node {
        name
        ipAddress
        compliance {
          complianceFindings (filter: {
            path: "category"
            value: "Error"
          }) {
            category
            id
            profile
            profileVersion
            rule
            ruleId
            standard
            standardVersion
            state
          }
        }
      }
    }
    pageInfo {
      startCursor
      endCursor
      hasPreviousPage
      hasNextPage
    }
  }
}

Include the cursor variable in the QUERY VARIABLES panel or in your variables dictionary:

{
  "first": 1
}

Multiple columns

You can filter on multiple Comply-related columns. Define a filter object using one of the following syntaxes:

complianceFindings (filter: 
  {any: boolean,
    filters: [
      {path: "field-path-1", op: "operator-1", value: "filter-value-1"},
      {path: "field-path-2", op: "operator-2", value: "filter-value-2"},
      {path: "field-path-n", op: "operator-n", value: "filter-value-n"}
    ]
  }
)

cveFindings (filter: 
  {any: boolean,
    filters: [
      {path: "field-path-1", op: "operator-1", value: "filter-value-1"},
      {path: "field-path-2", op: "operator-2", value: "filter-value-2"},
      {path: "field-path-n", op: "operator-n", value: "filter-value-n"}
    ]
  }
)

Use dot notation for sub-fields not at the root level. You can filter the endpoints returned and filter the endpoints based on Comply information in a single request.

For example, the following query retrieves the first endpoint that is a member of the All Mac computer group, with a vulnerability findings cveYear of 2020 and cvssScore value of 5, and returns that endpoint's associated vulnerability findings:

query filterMacOSEndpointVulnerability($first: Int!) {
  endpoints(first: $first, filter: {memberOf: {name: "All Mac"}}) {
    edges {
      node {
        name
        ipAddress
        compliance {
          cveFindings(
            filter: {any: false, filters: [{path: "cveYear", value: "2020"}, {path: "cvssScore", value: "5"}]}
          ) {
            cveId
            cveYear
            cvssScoreV3
            firstFound
            lastFound
            severityV3
            summary
          }
        }
      }
    }
    pageInfo {
      startCursor
      endCursor
      hasPreviousPage
      hasNextPage
    }
  }
}

Include the cursor variable in the QUERY VARIABLES panel or in your variables dictionary:

{
  "first": 1
}
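
The filter syntax and pageInfo fields above, combined in an added example that is not part of the Tanium documentation: it renders a single- or multi-column filter with escaped values and follows endCursor until hasNextPage is false. The `after` argument, its `Cursor` type, all helper names, and the `run_query` callable (standing in for an authenticated POST to the gateway) are assumptions; the sample pages are constructed.

```python
import json

# Shape follows this page's examples; "$after: Cursor" is an assumption.
QUERY_TEMPLATE = """
query pagedCveFindings($first: Int!, $after: Cursor) {
  endpoints(first: $first, after: $after) {
    edges { node { name ipAddress compliance {
      cveFindings(filter: %s) { cveId cveYear cvssScore severity } } } }
    pageInfo { endCursor hasNextPage } } }
"""

def render_filter(conditions, match_any=False):
    """Render (path, value) pairs as a single- or multi-column filter literal."""
    if not conditions:
        raise ValueError("at least one (path, value) pair is required")
    # json.dumps escapes quotes and backslashes, so a value taken from user
    # input cannot close its string literal and alter the query.
    parts = ["{path: %s, value: %s}" % (json.dumps(p), json.dumps(str(v)))
             for p, v in conditions]
    if len(parts) == 1:
        return parts[0]
    return "{any: %s, filters: [%s]}" % (str(bool(match_any)).lower(), ", ".join(parts))

def collect_findings(run_query, conditions, match_any=False, page_size=100, max_pages=1000):
    """Follow pageInfo.endCursor until hasNextPage is false; return flat rows."""
    query = QUERY_TEMPLATE % render_filter(conditions, match_any)
    rows, after = [], None
    for _ in range(max_pages):
        body = run_query(query, {"first": page_size, "after": after})
        if body.get("errors"):
            raise RuntimeError("gateway returned errors: %r" % body["errors"])
        conn = body["data"]["endpoints"]
        for edge in conn["edges"]:
            node = edge["node"]
            # Tolerate an endpoint with no Comply data (null or empty list).
            for finding in (node.get("compliance") or {}).get("cveFindings") or []:
                rows.append({"endpoint": node["name"], "ip": node["ipAddress"], **finding})
        info = conn["pageInfo"]
        if not info["hasNextPage"]:
            return rows
        if info["endCursor"] == after:
            raise RuntimeError("cursor did not advance; stopping to avoid a loop")
        after = info["endCursor"]
    raise RuntimeError("gave up after %d pages" % max_pages)

def page(name, ip, compliance, cursor, more):  # one constructed response page
    node = {"name": name, "ipAddress": ip, "compliance": compliance}
    return {"data": {"endpoints": {"edges": [{"node": node}],
            "pageInfo": {"endCursor": cursor, "hasNextPage": more}}}}

# Constructed sample pages keyed by the "after" cursor (not real gateway output).
FINDING = {"cveId": "CVE-2020-8037", "cveYear": "2020", "cvssScore": 5, "severity": "Medium"}
SAMPLE_PAGES = {
    None: page("example-host-3", "192.0.2.30", {"cveFindings": [FINDING]}, "cursor-1", True),
    "cursor-1": page("example-host-4", "192.0.2.40", None, "cursor-2", False),
}

def fake_gateway(query, variables):
    return SAMPLE_PAGES[variables["after"]]
```

Calling collect_findings(fake_gateway, [("cveYear", "2020")], page_size=1) walks both constructed pages and returns one row per finding, tagged with the endpoint name and IP address.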

Comply examples

The following queries retrieve endpoints and use Comply to also retrieve associated compliance findings or vulnerability findings.

Get endpoints with compliance findings information (query.endpoints.edges.node.compliance.complianceFindings)

Get endpoint compliance findings information

The following query retrieves the first endpoint and associated compliance findings.

query endpointComplianceFindings($first: Int!) {
  endpoints(first: $first) {
    edges {
      node {
        name
        ipAddress
        compliance {
          complianceFindings {
            category
            id
            profile
            profileVersion
            rule
            ruleId
            standard
            standardVersion
            state
          }
        }
      }
    }
    pageInfo {
      startCursor
      endCursor
      hasPreviousPage
      hasNextPage
    }
  }
}

Include the cursor variable in the QUERY VARIABLES panel or in your variables dictionary:

{
  "first": 1
}

Example response:

{
  "data": {
    "endpoints": {
      "edges": [
        {
          "node": {
            "name": "comply-findings",
            "ipAddress": "192.0.2.10",
            "compliance": {
              "complianceFindings": [
                {
                  "category": "Fail",
                  "id": "CIS Microsoft Windows 10 Enterprise Release 20H2 Benchmark;1.10.1;MB Custom Win10;xccdf_com.tanium.comply_tailoring_1639024882628;xccdf_org.cisecurity.benchmarks_rule_18.9.4.1_L2_Ensure_Allow_a_Windows_app_to_share_application_data_between_users_is_set_to_Disabled",
                  "profile": "MB Custom Win10",
                  "profileVersion": "xccdf_com.tanium.comply_tailoring_1639024882628",
                  "rule": "(L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'",
                  "ruleId": "xccdf_org.cisecurity.benchmarks_rule_18.9.4.1_L2_Ensure_Allow_a_Windows_app_to_share_application_data_between_users_is_set_to_Disabled",
                  "standard": "CIS Microsoft Windows 10 Enterprise Release 20H2 Benchmark",
                  "standardVersion": "1.10.1",
                  "state": "fail"
                }
              ]
            }
          }
        }
      ],
      "pageInfo": {
        "startCursor": "NTc2NTM4MDow",
        "endCursor": "NTc2NTM4MDoxOQ==",
        "hasPreviousPage": false,
        "hasNextPage": true
      }
    }
  }
}

Get filtered endpoint compliance findings information

The following query requires Comply 2.16.97 or later and retrieves the first endpoint with a compliance finding category of Error and returns that endpoint's associated compliance findings with a category of Error.

query filterComplianceFindings ($first: Int) {
  endpoints(first: $first) {
    edges {
      node {
        name
        ipAddress
        compliance {
          complianceFindings (filter: {
            path: "category"
            value: "Error"
          }) {
            category
            id
            profile
            profileVersion
            rule
            ruleId
            standard
            standardVersion
            state
          }
        }
      }
    }
    pageInfo {
      startCursor
      endCursor
      hasPreviousPage
      hasNextPage
    }
  }
}

Include the cursor variable in the QUERY VARIABLES panel or in your variables dictionary:

{
  "first": 1
}

Example response:

{
  "data": {
    "endpoints": {
      "edges": [
        {
          "node": {
            "name": "example-host",
            "ipAddress": "192.0.2.10",
            "compliance": {
              "complianceFindings": [
                {
                  "category": "Error",
                  "id": "CIS Microsoft IIS 10 Benchmark;1.1.1;Level 1 - IIS 10;1;xccdf_org.cisecurity.benchmarks_rule_4.8_L1_Ensure_Handler_is_not_granted_Write_and_ScriptExecute",
                  "profile": "Level 1 - IIS 10",
                  "profileVersion": "1",
                  "rule": "(L1) Ensure Handler is not granted Write and Script/Execute",
                  "ruleId": "xccdf_org.cisecurity.benchmarks_rule_4.8_L1_Ensure_Handler_is_not_granted_Write_and_ScriptExecute",
                  "standard": "CIS Microsoft IIS 10 Benchmark",
                  "standardVersion": "1.1.1",
                  "state": "error"
                },
                {
                  "category": "Error",
                  "id": "CIS Microsoft IIS 10 Benchmark;1.1.1;Level 1 - IIS 10;1;xccdf_org.cisecurity.benchmarks_rule_1.6_L1_Ensure_application_pool_identity_is_configured_for_anonymous_user_identity",
                  "profile": "Level 1 - IIS 10",
                  "profileVersion": "1",
                  "rule": "(L1) Ensure 'application pool identity' is configured for anonymous user identity",
                  "ruleId": "xccdf_org.cisecurity.benchmarks_rule_1.6_L1_Ensure_application_pool_identity_is_configured_for_anonymous_user_identity",
                  "standard": "CIS Microsoft IIS 10 Benchmark",
                  "standardVersion": "1.1.1",
                  "state": "error"
                }
              ]
            }
          }
        }
      ],
      "pageInfo": {
        "startCursor": "NjEwMzg2Nzow",
        "endCursor": "NjEwMzg2Nzow",
        "hasPreviousPage": false,
        "hasNextPage": true
      }
    }
  }
}

Get filtered endpoint compliance findings information from filtered set of endpoints

The following query requires Comply 2.16.97 or later and retrieves the first endpoint that is a member of the All Windows computer group, with a compliance findings category of Error and standardVersion value of 1.1.1, and returns that endpoint's associated compliance findings with a category of Error and standardVersion value of 1.1.1.

query filterWindowsComplianceFindings($first: Int!) {
  endpoints(first: $first, filter: {memberOf: {name: "All Windows"}}) {
    edges {
      node {
        name
        ipAddress
        compliance {
          complianceFindings(
            filter: {any: false, filters: [{path: "category", value: "Error"}, {path: "standardVersion", value: "1.1.1"}]}
          ) {
            category
            id
            profile
            profileVersion
            rule
            ruleId
            standard
            standardVersion
            state
          }
        }
      }
    }
    pageInfo {
      startCursor
      endCursor
      hasPreviousPage
      hasNextPage
    }
  }
}

Include the cursor variable in the QUERY VARIABLES panel or in your variables dictionary:

{
  "first": 1
}

Example response:

{
  "data": {
    "endpoints": {
      "edges": [
        {
          "node": {
            "name": "example-host-2",
            "ipAddress": "192.0.2.20",
            "compliance": {
              "complianceFindings": [
                {
                  "category": "Error",
                  "id": "CIS Microsoft IIS 10 Benchmark;1.1.1;Level 1 - IIS 10;1;xccdf_org.cisecurity.benchmarks_rule_4.6_L1_Ensure_HTTP_Trace_Method_is_disabled",
                  "profile": "Level 1 - IIS 10",
                  "profileVersion": "1",
                  "rule": "(L1) Ensure 'HTTP Trace Method' is disabled",
                  "ruleId": "xccdf_org.cisecurity.benchmarks_rule_4.6_L1_Ensure_HTTP_Trace_Method_is_disabled",
                  "standard": "CIS Microsoft IIS 10 Benchmark",
                  "standardVersion": "1.1.1",
                  "state": "error"
                },
                {
                  "category": "Error",
                  "id": "CIS Microsoft IIS 10 Benchmark;1.1.1;Level 1 - IIS 10;1;xccdf_org.cisecurity.benchmarks_rule_3.4_L1_Ensure_IIS_HTTP_detailed_errors_are_hidden_from_displaying_remotely",
                  "profile": "Level 1 - IIS 10",
                  "profileVersion": "1",
                  "rule": "(L1) Ensure IIS HTTP detailed errors are hidden from displaying remotely",
                  "ruleId": "xccdf_org.cisecurity.benchmarks_rule_3.4_L1_Ensure_IIS_HTTP_detailed_errors_are_hidden_from_displaying_remotely",
                  "standard": "CIS Microsoft IIS 10 Benchmark",
                  "standardVersion": "1.1.1",
                  "state": "error"
                }
              ]
            }
          }
        }
      ],
      "pageInfo": {
        "startCursor": "NjA5ODg0MDow",
        "endCursor": "NjA5ODg0MDow",
        "hasPreviousPage": false,
        "hasNextPage": true
      }
    }
  }
}

Get endpoints with vulnerability findings information (query.endpoints.edges.node.compliance.cveFindings)

Get endpoint vulnerability findings information (CVSS v2)

The following query retrieves the first endpoint and associated vulnerability findings, including CVSS v2 score and severity.

query endpointVulnerabilityCVSSv2($first: Int!) {
  endpoints(first: $first) {
    edges {
      node {
        name
        ipAddress
        compliance {
          cveFindings {
            cveId
            cveYear
            cvssScore
            firstFound
            lastFound
            severity
            summary
          }
        }
      }
    }
    pageInfo {
      startCursor
      endCursor
      hasPreviousPage
      hasNextPage
    }
  }
}

Include the cursor variable in the QUERY VARIABLES panel or in your variables dictionary:

{
  "first": 1
}

Example response:

{
  "data": {
    "endpoints": {
      "edges": [
        {
          "node": {
            "name": "comply-vuln",
            "ipAddress": "192.0.2.20",
            "compliance": {
              "cveFindings": [
                {
                  "cveId": "CVE-2020-9698",
                  "cveYear": "2020",
                  "cvssScore": 9.3,
                  "firstFound": "2022-02-17",
                  "lastFound": "2022-05-06",
                  "severity": "High",
                  "summary": "Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier have a buffer error vulnerability. Successful exploitation could lead to arbitrary code execution ."
                },
                {
                  "cveId": "CVE-2020-9699",
                  "cveYear": "2020",
                  "cvssScore": 9.3,
                  "firstFound": "2022-02-17",
                  "lastFound": "2022-05-06",
                  "severity": "High",
                  "summary": "Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier have a buffer error vulnerability. Successful exploitation could lead to arbitrary code execution ."
                },
                {
                  "cveId": "CVE-2020-9700",
                  "cveYear": "2020",
                  "cvssScore": 9.3,
                  "firstFound": "2022-02-17",
                  "lastFound": "2022-05-06",
                  "severity": "High",
                  "summary": "Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier have a buffer error vulnerability. Successful exploitation could lead to arbitrary code execution ."
                }
              ]
            }
          }
        }
      ],
      "pageInfo": {
        "startCursor": "NTc2NTM4MDow",
        "endCursor": "NTc2NTM4MDoxOQ==",
        "hasPreviousPage": false,
        "hasNextPage": true
      }
    }
  }
}

Get endpoint vulnerability findings information (CVSS v3)

The following query retrieves the first endpoint and associated vulnerability findings, including CVSS v3 score and severity.

query endpointVulnerabilityCVSSv3($first: Int!) {
  endpoints(first: $first) {
    edges {
      node {
        name
        ipAddress
        compliance {
          cveFindings {
            cveId
            cveYear
            cvssScoreV3
            firstFound
            lastFound
            severityV3
            summary
          }
        }
      }
    }
    pageInfo {
      startCursor
      endCursor
      hasPreviousPage
      hasNextPage
    }
  }
}

Include the cursor variable in the QUERY VARIABLES panel or in your variables dictionary:

{
  "first": 1
}

Get filtered endpoint vulnerability findings information

The following query requires Comply 2.16.97 or later and retrieves the first endpoint with a vulnerability findings cveYear of 2020 and returns that endpoint's associated vulnerability findings with a finding cveYear of 2020.

query filterEndpointVulnerability($first: Int!) {
  endpoints(first: $first) {
    edges {
      node {
        name
        ipAddress
        compliance {
          cveFindings(filter: {path: "cveYear", value: "2020"}) {
            cveId
            cveYear
            cvssScore
            firstFound
            lastFound
            severity
            summary
          }
        }
      }
    }
    pageInfo {
      startCursor
      endCursor
      hasPreviousPage
      hasNextPage
    }
  }
}

Include the cursor variable in the QUERY VARIABLES panel or in your variables dictionary:

{
  "first": 1
}

Example response:

{
  "data": {
    "endpoints": {
      "edges": [
        {
          "node": {
            "name": "example-host-3",
            "ipAddress": "192.0.2.30",
            "compliance": {
              "cveFindings": [
                {
                  "cveId": "CVE-2020-10754",
                  "cveYear": "2020",
                  "cvssScore": 4,
                  "firstFound": "2022-09-24",
                  "lastFound": "2022-11-30",
                  "severity": "Medium",
                  "summary": "It was found that nmcli, a command line interface to NetworkManager did not honour 802-1x.ca-path and 802-1x.phase2-ca-path settings, when creating a new profile. When a user connects to a network using this profile, the authentication does not happen and the connection is made insecurely."
                }
              ]
            }
          }
        }
      ],
      "pageInfo": {
        "startCursor": "NjEwNDEyMzow",
        "endCursor": "NjEwNDEyMzow",
        "hasPreviousPage": false,
        "hasNextPage": true
      }
    }
  }
}

Get filtered endpoint vulnerability findings information from filtered set of endpoints

The following query requires Comply 2.17.167 or later and retrieves the first endpoint that is a member of the All Mac computer group, with a vulnerability findings cveYear of 2020 and cvssScore value of 5, and returns that endpoint's associated vulnerability findings with a cveYear of 2020 and cvssScore value of 5.

query filterMacOSEndpointVulnerability($first: Int!) {
  endpoints(first: $first, filter: {memberOf: {name: "All Mac"}}) {
    edges {
      node {
        name
        ipAddress
        compliance {
          cveFindings(
            filter: {any: false, filters: [{path: "cveYear", value: "2020"}, {path: "cvssScore", value: "5"}]}
          ) {
            cveId
            cveYear
            cvssScoreV3
            firstFound
            lastFound
            severityV3
            summary
          }
        }
      }
    }
    pageInfo {
      startCursor
      endCursor
      hasPreviousPage
      hasNextPage
    }
  }
}

Include the cursor variable in the QUERY VARIABLES panel or in your variables dictionary:

{
  "first": 1
}

Example response:

{
  "data": {
    "endpoints": {
      "edges": [
        {
          "node": {
            "name": "example-host-3",
            "ipAddress": "192.0.2.30",
            "compliance": {
              "cveFindings": [
                {
                  "cveId": "CVE-2020-8037",
                  "cveYear": "2020",
                  "cvssScore": 5,
                  "firstFound": "2022-09-06",
                  "lastFound": "2022-11-30",
                  "severity": "Medium",
                  "summary": "The ppp decapsulator in tcpdump 4.9.3 can be convinced to allocate a large amount of memory."
                }
              ]
            }
          }
        }
      ],
      "pageInfo": {
        "startCursor": "NjEwNDEyMzow",
        "endCursor": "NjEwNDEyMzow",
        "hasPreviousPage": false,
        "hasNextPage": true
      }
    }
  }
}