
Tanium Threat Alert

Represents a threat alert generated by Tanium Threat Response when an indicator of compromise (IOC) or threat signature matches on an endpoint. Alerts are the primary output of threat detection scanning.

Tags: Compliance, Endpoint Management, Patch Management, Security, Threat Detection, Unified Endpoint Management

Properties

| Name | Type | Description |
|---|---|---|
| id | integer | Unique numeric identifier for the alert |
| priority | string | Alert priority level indicating urgency |
| severity | string | Alert severity level indicating impact |
| type | string | Classification type of the alert |
| state | string | Current investigation state of the alert |
| computerName | string | Hostname of the affected endpoint |
| computerIpAddress | string | IP address of the affected endpoint |
| guid | string | Globally unique identifier for the alert |
| intelDocId | integer | Identifier of the intel document that triggered the alert |
| scanConfigId | integer | Identifier of the scan configuration that detected the threat |
| alertedAt | string | Timestamp when the alert was first generated |
| createdAt | string | Timestamp when the alert record was created |
| updatedAt | string | Timestamp when the alert was last updated |

JSON Schema

tanium-alert-schema.json
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://github.com/api-evangelist/tanium/blob/main/json-schema/tanium-alert-schema.json",
  "title": "Tanium Threat Alert",
  "description": "Represents a threat alert generated by Tanium Threat Response when an indicator of compromise (IOC) or threat signature matches on an endpoint. Alerts are the primary output of threat detection scanning.",
  "type": "object",
  "properties": {
    "id": {
      "type": "integer",
      "description": "Unique numeric identifier for the alert"
    },
    "priority": {
      "type": "string",
      "description": "Alert priority level indicating urgency"
    },
    "severity": {
      "type": "string",
      "description": "Alert severity level indicating impact"
    },
    "type": {
      "type": "string",
      "description": "Classification type of the alert"
    },
    "state": {
      "type": "string",
      "description": "Current investigation state of the alert",
      "enum": ["unresolved", "inprogress", "resolved", "dismissed", "ignored"]
    },
    "computerName": {
      "type": "string",
      "description": "Hostname of the affected endpoint"
    },
    "computerIpAddress": {
      "type": "string",
      "description": "IP address of the affected endpoint"
    },
    "guid": {
      "type": "string",
      "description": "Globally unique identifier for the alert"
    },
    "intelDocId": {
      "type": "integer",
      "description": "Identifier of the intel document that triggered the alert"
    },
    "scanConfigId": {
      "type": "integer",
      "description": "Identifier of the scan configuration that detected the threat"
    },
    "alertedAt": {
      "type": "string",
      "format": "date-time",
      "description": "Timestamp when the alert was first generated"
    },
    "createdAt": {
      "type": "string",
      "format": "date-time",
      "description": "Timestamp when the alert record was created"
    },
    "updatedAt": {
      "type": "string",
      "format": "date-time",
      "description": "Timestamp when the alert was last updated"
    }
  },
  "required": ["id", "state"]
}
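As an added example (not part of this page and not Tanium's own tooling), the following validator enforces the constraints of the schema above before alert records are forwarded to a SIEM or ticketing flow: the two required fields, the `state` enum, integer versus string types, and RFC 3339 `date-time` stamps. It then separates alerts that still need attention from the rest. `OPEN_STATES` is an assumed triage rule, and `SAMPLE_FEED` is a constructed feed, not real Tanium output.

```python
import json
from datetime import datetime
# Constraints transcribed from the Tanium Threat Alert JSON Schema on this page.
REQUIRED = ("id", "state")
STATE_ENUM = {"unresolved", "inprogress", "resolved", "dismissed", "ignored"}
OPEN_STATES = {"unresolved", "inprogress"}  # assumption: the states that still need an analyst
INTEGER_FIELDS = ("id", "intelDocId", "scanConfigId")
STRING_FIELDS = ("priority", "severity", "type", "state", "computerName", "computerIpAddress", "guid")
DATETIME_FIELDS = ("alertedAt", "createdAt", "updatedAt")
def is_rfc3339_datetime(value):
    # JSON Schema "date-time" means RFC 3339; a bare date such as 2024-05-01 must be rejected.
    if not isinstance(value, str) or "T" not in value.upper():
        return False
    try:
        datetime.fromisoformat(value[:-1] + "+00:00" if value[-1] in "Zz" else value)
        return True
    except ValueError:
        return False
def validate_alert(alert):
    """Return the list of schema violations for one alert record; an empty list means valid."""
    if not isinstance(alert, dict):
        return ["alert is not a JSON object"]
    errors = [f"missing required field {name}" for name in REQUIRED if name not in alert]
    for name in INTEGER_FIELDS:  # bool is an int subclass in Python but a distinct JSON Schema type
        if name in alert and (isinstance(alert[name], bool) or not isinstance(alert[name], int)):
            errors.append(f"{name} must be an integer")
    for name in STRING_FIELDS:
        if name in alert and not isinstance(alert[name], str):
            errors.append(f"{name} must be a string")
    if isinstance(alert.get("state"), str) and alert["state"] not in STATE_ENUM:
        errors.append(f"state {alert['state']!r} is not one of {sorted(STATE_ENUM)}")
    for name in DATETIME_FIELDS:
        if name in alert and not is_rfc3339_datetime(alert[name]):
            errors.append(f"{name} must be an RFC 3339 date-time")
    return errors
def triage_feed(raw_json):
    """Parse a JSON array of alerts: return (ids of open alerts, {index: errors} for rejected ones)."""
    open_ids, rejected = [], {}
    for index, alert in enumerate(json.loads(raw_json)):
        errors = validate_alert(alert)
        if errors:
            rejected[index] = errors  # never forward a malformed record to the SIEM or ticketing flow
        elif alert["state"] in OPEN_STATES:
            open_ids.append(alert["id"])
    return open_ids, rejected
SAMPLE_FEED = json.dumps([  # constructed sample feed, not real Tanium output
    {"id": 101, "state": "unresolved", "severity": "high", "intelDocId": 7, "alertedAt": "2024-05-01T12:00:00Z"},
    {"id": 102, "state": "resolved", "computerName": "host-b", "alertedAt": "2024-05-01T13:30:00+00:00"},
    {"state": "open", "intelDocId": "7", "alertedAt": "2024-05-01"},  # missing id, bad enum, bad type, date only
])
```

Running `triage_feed(SAMPLE_FEED)` returns `[101]` as the only open alert and rejects the third record with four violations.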