Reference: API Gateway examples for Direct Connect

For additional API Gateway example syntax, see Tanium API Gateway User Guide: Reference: Filter syntax and Tanium API Gateway User Guide: Reference: API Gateway examples.

Direct Connect examples

The following queries and mutations use Direct Connect to connect to a single endpoint, retrieve data, stop a process, and then close the connection. Queries that retrieve information from endpoints or terminate processes on endpoints require Performance.

Direct Connect requests have the following feature-specific dependencies at the specified minimum versions:

  • Direct Connect 1.10.39 or later is required to submit a request opening, closing, pinging, or getting the status of Direct Connect connections (mutation.directConnectOpen, mutation.directConnectClose, mutation.directConnectPing, query.directConnectConnectionStatus).

  • Performance 1.10.57 or later is required to submit a request retrieving Performance data from endpoints using Direct Connect or terminating processes using Direct Connect (mutation.directConnectProcessTerminate, query.directConnectEndpoint).

Note: For the best results, install Direct Connect 2.7.43 or later.

Open a connection to an endpoint (mutation.directConnectOpen)

Open direct connection to endpoint

The following mutation uses Direct Connect to establish a connection to the endpoint with an ID of 12323. You can retrieve IDs through the Get endpoint IDs from Tanium Data Service query. If the direct connection status is not READY (such as CONNECTING or UNKNOWN) after you use this mutation, use the Get direct connection status query to check the direct connection status.

Direct Connect connections close after five minutes of inactivity.

mutation openEndpointConnection ($id: ID!){
  directConnectOpen(input: {endpointID: $id}) {
    connectionID
    status
  }
}

Include the endpoint ID in the QUERY VARIABLES panel or in your variables dictionary:

{
  "id": "12323"
}

Example response:

{
  "data": {
    "directConnectOpen": {
      "connectionID": "86d9a9ac-0229-481b-9d88-5f1bcb1b177b",
      "status": "READY"
    }
  }
}

Get the status of a connection to an endpoint (query.directConnectConnectionStatus)

Get direct connection status

The following query uses Direct Connect to retrieve the status of a direct connection. If a direct connection status is not READY (such as CONNECTING or UNKNOWN) after you use the Open direct connection to endpoint mutation to establish a direct connection to an endpoint, you can use the connection ID from that response in this query to determine whether the direct connection is established.

Direct Connect connections close after five minutes of inactivity.

query getDCStatus ($id: ID!){
  directConnectConnectionStatus(input: {connectionID: $id}) {
    status
  }
}

Include the connection ID in the QUERY VARIABLES panel or in your variables dictionary:

{
  "id": "86d9a9ac-0229-481b-9d88-5f1bcb1b177b"
}

Example response:

{
  "data": {
    "directConnectConnectionStatus": {
      "status": "READY"
    }
  }
}

Ping the connection to an endpoint (mutation.directConnectPing)

Ping direct connection to endpoint

The following mutation reports whether a Direct Connect connection is still active. Use it to check the connection or to keep it active. You need the connectionID that was returned by the mutation that opened the connection.

Direct Connect connections close after five minutes of inactivity.

mutation pingDirectConnection($connectionID: ID!) {
  directConnectPing(input: {connectionID: $connectionID}) {
    result
  }
}

Include the connection ID in the QUERY VARIABLES panel or in your variables dictionary:

{
  "connectionID": "5fc564d6-5767-47fc-abb6-25cba65409d8"
}

Example response:

{
  "data": {
    "directConnectPing": {
      "result": true
    }
  }
}

Get data from an endpoint (query.directConnectEndpoint.performance)

Get data from endpoint

After you establish a connection to an endpoint through Direct Connect, you can query the endpoint for specific information. The following query retrieves the CPU usage on the endpoint:

query getEndpointData ($id: ID!){
  directConnectEndpoint (input : {connectionID: $id}) {
    performance {
      cpuUsagePercent
    }
  }
}

Include the connection ID in the QUERY VARIABLES panel or in your variables dictionary:

{
  "id": "12345678-90ab-cdef-1234-567890abcdef"
}

Example response:

{
  "data": {
    "directConnectEndpoint": {
      "performance": {
        "cpuUsagePercent": 28.751501243887798
      }
    }
  }
}

Get process from an endpoint (query.directConnectEndpoint.processes)

Get process from endpoint

After you establish a connection to an endpoint through Direct Connect, you can query the endpoint for process information. The following query retrieves details of all processes running on the endpoint (process ID, parent process ID, name, command line, owning user and group, and resident memory).

query getEndpointProcess ($id: ID!){
  directConnectEndpoint (input : {connectionID: $id}) {
    processes {
      all {
        pid
        ppid
        name
        commandLine
        userName
        groupName
        memoryResidentBytes
      }
    }
  }
}

Include the connection ID in the QUERY VARIABLES panel or in your variables dictionary:

{
  "id": "12345678-90ab-cdef-1234-567890abcdef"
}

Example response:

{
  "data": {
    "directConnectEndpoint": {
      "processes": {
        "all": [
          {
            "pid": 2092,
            "ppid": 496,
            "name": "TaniumReceiver.exe",
            "commandLine": "\"C:\\Program Files\\Tanium\\Tanium Server\\TaniumReceiver.exe\" --service",
            "userName": "admin",
            "groupName": "test-group",
            "memoryResidentBytes": 59842560
          },
          {
            "pid": 5760,
            "ppid": 1112,
            "name": "TaniumClient.exe",
            "commandLine": "\"C:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe\" -c",
            "userName": "SYSTEM",
            "groupName": "NT AUTHORITY",
            "memoryResidentBytes": 17965056
          },
          {
            "pid": 1036,
            "ppid": 496,
            "name": "TaniumBlobService.exe",
            "commandLine": "\"C:\\Program Files\\Tanium\\Tanium Module Server\\services\\blob-service\\TaniumBlobService.exe\"",
            "userName": "SYSTEM",
            "groupName": "NT AUTHORITY",
            "memoryResidentBytes": 7426048
          }
        ]
      }
    }
  }
}

Get alerts from an endpoint (query.directConnectEndpoint.alerts)

Get past 24 hours of alerts from endpoint

After you establish a connection to an endpoint through Direct Connect, you can query the endpoint for alert information. You can also define a time period for retrieving alerts, subject to the following rules:

  • The end time must be before the current time.
  • The start time must be before the end time.
  • If you define a start time without an end time, the request time period retrieves alerts from the start time to the current time.
  • If you do not define a start time or end time, the request defaults to the past 24 hours.

The following query retrieves alerts from an endpoint that occurred during the past 24 hours.

query getEndpointAlerts ($id: ID!){
  directConnectEndpoint (input : {connectionID: $id}) {
    alerts {
      all {
        schema
        key
        type
        ref
        topProcessesExpr
        labels
        pendingAt
        start
        resolvedAt
        leadup
        value 
      }
    }
  }
}

Include the connection ID in the QUERY VARIABLES panel or in your variables dictionary:

{
  "id": "12345678-90ab-cdef-1234-567890abcdef"
}

Example response:

{
  "data": {
    "directConnectEndpoint": {
      "alerts": {
        "all": [
          {
            "schema": 1,
            "key": "available-mem{heuristic=\"available-mem\"}",
            "type": "available-mem",
            "ref": null,
            "topProcessesExpr": null,
            "labels": {
              "heuristic": "available-mem"
            },
            "pendingAt": "2022-03-15T15:54:38.574990164Z",
            "start": "2022-03-15T15:54:38.574990164Z",
            "resolvedAt": null,
            "leadup": 300000000000,
            "value": 168.48828125
          }
        ]
      }
    }
  }
}

Get 48 hours of alerts from endpoint

The following query sets a time period of 48 hours from January 1, 2022 to January 3, 2022 and retrieves alerts for an endpoint from that period.

query getEndpointAlerts48Hours ($id: ID!, $startTime: Time!, $endTime: Time){
  directConnectEndpoint (input : {connectionID: $id}) {
    alerts {
      all (scope: {startTime: $startTime, endTime: $endTime}) {
        schema
        key
        type
        ref
        topProcessesExpr
        labels
        pendingAt
        start
        resolvedAt
        leadup
        value 
      }
    }
  }
}

Include the connection ID and time period variables in the QUERY VARIABLES panel or in your variables dictionary:

{
  "id": "12345678-90ab-cdef-1234-567890abcdef",
  "startTime": "2022-01-01T00:00:00Z",
  "endTime": "2022-01-03T00:00:00Z"
}

Get alerts from prior date from endpoint

The following query sets a time period start date of January 1, 2022 and retrieves alerts for an endpoint from that date to the current time.

query getEndpointAlertsPriorDate ($id: ID!, $startTime: Time!){
  directConnectEndpoint (input : {connectionID: $id}) {
    alerts {
      all (scope: {startTime: $startTime}) {
        schema
        key
        type
        ref
        topProcessesExpr
        labels
        pendingAt
        start
        resolvedAt
        leadup
        value 
      }
    }
  }
}

Include the connection ID and start time variables in the QUERY VARIABLES panel or in your variables dictionary:

{
  "id": "12345678-90ab-cdef-1234-567890abcdef",
  "startTime": "2022-01-01T00:00:00Z"
}
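The four time-period rules above are cheap to enforce before a request leaves your script, so a bad window fails locally instead of as a gateway error. The following is an added example (written here, not part of the Tanium documentation or product). It reuses the three alert query variants shown above verbatim; the validation logic, the refusal of an end time without a start time (the page defines no behaviour for that case), and the effective_window helper are assumptions of the example.

```python
"""Build the alerts request for directConnectEndpoint.alerts.all and enforce the
time-period rules client-side.  Added example, not Tanium code; the query text is
the page's, the validation and the end-without-start refusal are assumptions."""
from datetime import datetime, timedelta, timezone

FIELDS = "schema key type ref topProcessesExpr labels pendingAt start resolvedAt leadup value"
DEFAULT = "query ($id: ID!) { directConnectEndpoint(input: {connectionID: $id}) { alerts { all { %s } } } }" % FIELDS
FROM_START = ("query ($id: ID!, $startTime: Time!) { directConnectEndpoint(input: {connectionID: $id}) "
              "{ alerts { all(scope: {startTime: $startTime}) { %s } } } }" % FIELDS)
WINDOW = ("query ($id: ID!, $startTime: Time!, $endTime: Time) { directConnectEndpoint(input: {connectionID: $id}) "
          "{ alerts { all(scope: {startTime: $startTime, endTime: $endTime}) { %s } } } }" % FIELDS)


def rfc3339(dt):
    """The Time values on this page are RFC 3339 in UTC; refuse naive datetimes rather than guess a zone."""
    if dt.tzinfo is None:
        raise ValueError("use timezone-aware datetimes")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def alert_request(connection_id, start=None, end=None, now=None):
    """Return (query, variables) for the requested period, or raise ValueError when
    it breaks a rule: end before now, start before end, and (assumption) no end
    without a start, since the page defines no behaviour for that case."""
    now = now or datetime.now(timezone.utc)
    if end is not None and end >= now:
        raise ValueError("endTime must be before the current time")
    if start is not None and end is not None and start >= end:
        raise ValueError("startTime must be before endTime")
    if start is None and end is not None:
        raise ValueError("endTime without startTime is undefined; give a startTime")
    variables = {"id": connection_id}
    if start is None:
        return DEFAULT, variables            # gateway default: the past 24 hours
    variables["startTime"] = rfc3339(start)
    if end is None:
        return FROM_START, variables         # start time to the current time
    variables["endTime"] = rfc3339(end)
    return WINDOW, variables


def effective_window(start=None, end=None, now=None):
    """The period the gateway will actually search, per the rules; log it beside the request."""
    now = now or datetime.now(timezone.utc)
    alert_request("validate-only", start, end, now)     # same checks, same errors
    return (start or now - timedelta(hours=24), end or now)
```

Pass the returned query and variables to the gateway unchanged; the variables dictionary has exactly the keys the chosen query declares, so no variant is ever sent a null scope it did not ask for.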

Stop a process on an endpoint (mutation.directConnectProcessTerminate)

Stop endpoint process

After you establish a connection to an endpoint through Direct Connect, you can stop running processes on the endpoint. The following mutation stops a process named notepad.exe with process ID 7056 on an endpoint by sending it SIGKILL. You need the connectionID that was returned by the mutation that opened the connection.

mutation stopEndpointProcess ($connectionID: ID!, $processName: String!, $pid: Int!, $signal: Signal!){
  directConnectProcessTerminate(
    input: {connectionID: $connectionID, name: $processName, pid: $pid, signal: $signal}
  ) {
    result
  }
}

Include the connection ID, process name, process ID, and signal variables in the QUERY VARIABLES panel or in your variables dictionary:

{
  "connectionID": "5fc564d6-5767-47fc-abb6-25cba65409d8",
  "processName": "notepad.exe",
  "pid": 7056,
  "signal": "SIGKILL"
}

Example response:

{
  "data": {
    "directConnectProcessTerminate": {
      "result": true
    }
  }
}

Close connection to an endpoint (mutation.directConnectClose)

Close endpoint connection

The following mutation closes a Direct Connect connection to an endpoint.

Direct Connect connections close after five minutes of inactivity.

mutation closeEndpointConnection($connectionID: ID!) {
  directConnectClose(input: {connectionID: $connectionID}) {
    result
  }
}

Include the connection ID in the QUERY VARIABLES panel or in your variables dictionary:

{
  "connectionID": "5fc564d6-5767-47fc-abb6-25cba65409d8"
}

Example response:

{
  "data": {
    "directConnectClose": {
      "result": true
    }
  }
}
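The operations on this page form one lifecycle: open the connection, poll the status until it is READY, ping before the five-minute idle window expires, use the connection, and close it. The following added example (written here, not Tanium's code) drives that lifecycle through a small client, and adds the check a practitioner wants before directConnectProcessTerminate: re-list the processes and confirm that the pid still carries the expected name, because a pid recorded earlier can be reused by an unrelated process. The operation text is the page's; the `session` authentication header name in http_transport is an assumption (check your gateway's token settings), and FakeGateway is a constructed offline stand-in for the gateway so the flow runs without a Tanium server.

```python
"""Direct Connect lifecycle: open, poll until READY, keep the 5-minute idle window alive,
terminate a process only after a live pid/name check, close.  Added example, not Tanium
code.  Assumptions: the 'session' auth header, and FakeGateway (constructed offline stand-in)."""
import json, time, urllib.request

OPEN = "mutation ($id: ID!) { directConnectOpen(input: {endpointID: $id}) { connectionID status } }"
STATUS = "query ($id: ID!) { directConnectConnectionStatus(input: {connectionID: $id}) { status } }"
PING = "mutation ($id: ID!) { directConnectPing(input: {connectionID: $id}) { result } }"
PROCESSES = "query ($id: ID!) { directConnectEndpoint(input: {connectionID: $id}) { processes { all { pid ppid name } } } }"
TERMINATE = ("mutation ($id: ID!, $name: String!, $pid: Int!, $signal: Signal!) { directConnectProcessTerminate("
             "input: {connectionID: $id, name: $name, pid: $pid, signal: $signal}) { result } }")
CLOSE = "mutation ($id: ID!) { directConnectClose(input: {connectionID: $id}) { result } }"

class GatewayError(RuntimeError):
    pass

def http_transport(url, token):
    """Real transport: POST the operation as JSON.  The 'session' header name is an assumption."""
    def send(query, variables):
        req = urllib.request.Request(url, method="POST", data=json.dumps({"query": query, "variables": variables}).encode(),
                                     headers={"Content-Type": "application/json", "session": token})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return send

class DirectConnectSession:
    IDLE_TIMEOUT = 300  # the page: connections close after five minutes of inactivity

    def __init__(self, transport, sleep=time.sleep, clock=time.monotonic):
        self.transport, self.sleep, self.clock = transport, sleep, clock
        self.connection_id = self.last_activity = None

    def _call(self, query, variables):
        """Fail loudly on GraphQL errors instead of reading a partial 'data' object."""
        resp = self.transport(query, variables)
        if resp.get("errors"):
            raise GatewayError(resp["errors"])
        self.last_activity = self.clock()
        return resp["data"]

    def open(self, endpoint_id, timeout=60, interval=2):
        """Open, then poll directConnectConnectionStatus until READY or the timeout."""
        opened = self._call(OPEN, {"id": str(endpoint_id)})["directConnectOpen"]
        self.connection_id, status = opened["connectionID"], opened["status"]
        deadline = self.clock() + timeout
        while status != "READY":
            if self.clock() >= deadline:
                raise TimeoutError(f"{self.connection_id} still {status} after {timeout}s")
            self.sleep(interval)
            status = self._call(STATUS, {"id": self.connection_id})["directConnectConnectionStatus"]["status"]
        return self.connection_id

    def keepalive(self, margin=60):
        """Ping only when the idle window is within `margin` seconds of expiring."""
        if self.clock() - self.last_activity >= self.IDLE_TIMEOUT - margin:
            if not self._call(PING, {"id": self.connection_id})["directConnectPing"]["result"]:
                raise GatewayError("ping failed: the connection is gone, reopen it")

    def terminate(self, pid, name, signal="SIGKILL"):
        """Re-list first: a pid noted earlier may already belong to another process."""
        listing = self._call(PROCESSES, {"id": self.connection_id})["directConnectEndpoint"]["processes"]["all"]
        if {p["pid"]: p["name"] for p in listing}.get(pid) != name:
            raise GatewayError(f"pid {pid} is not {name!r} on the endpoint now; refusing to signal it")
        variables = {"id": self.connection_id, "name": name, "pid": pid, "signal": signal}
        return self._call(TERMINATE, variables)["directConnectProcessTerminate"]["result"]

    def close(self):
        try:
            return self._call(CLOSE, {"id": self.connection_id})["directConnectClose"]["result"]
        finally:
            self.connection_id = None

class FakeGateway:
    """Constructed offline stand-in: READY on the second status poll, two sample processes."""
    def __init__(self):
        self.procs = [{"pid": 7056, "ppid": 1112, "name": "notepad.exe"}, {"pid": 5760, "ppid": 1112, "name": "TaniumClient.exe"}]
        self.status_polls = self.pings = 0

    def __call__(self, query, variables):
        if "directConnectConnectionStatus" in query:
            self.status_polls += 1
            return {"data": {"directConnectConnectionStatus": {"status": "READY" if self.status_polls >= 2 else "CONNECTING"}}}
        if "directConnectProcessTerminate" in query:
            self.procs = [p for p in self.procs if p["pid"] != variables["pid"]]
            return {"data": {"directConnectProcessTerminate": {"result": True}}}
        if "processes" in query:
            return {"data": {"directConnectEndpoint": {"processes": {"all": list(self.procs)}}}}
        self.pings += "directConnectPing" in query
        fixed = {"directConnectOpen": {"connectionID": "86d9a9ac-0229-481b-9d88-5f1bcb1b177b", "status": "CONNECTING"},
                 "directConnectPing": {"result": True}, "directConnectClose": {"result": True}}
        hit = [op for op in fixed if op in query]
        return {"data": {hit[0]: fixed[hit[0]]}} if hit else {"errors": [{"message": "unknown operation"}]}

def demo():
    """Whole lifecycle against FakeGateway; returns (terminate result, surviving names, id after close)."""
    gw = FakeGateway()
    session = DirectConnectSession(gw, sleep=lambda _: None)
    session.open("12323")
    try:
        killed = session.terminate(pid=7056, name="notepad.exe")
    finally:
        session.close()
    return killed, [p["name"] for p in gw.procs], session.connection_id
```

Against a real gateway, replace FakeGateway with `http_transport(url, token)`; the session object is otherwise unchanged. Two design choices matter here: the client closes the connection in a `finally` block so a failed terminate does not leave a connection open on the endpoint, and `terminate` refuses to act on a pid/name mismatch rather than trusting a process listing taken earlier in the session.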