Managing action groups

You use action groups to define which managed endpoints are the targets for actions. Before creating, editing, or deleting action groups, see the associated Best practices.

The default definition for the action group named Default specifies the No Computers computer group. This means that the Tanium Server does not deploy actions to any endpoints if those actions target the Default action group. When you import content packs onto the Tanium Server, some packs (such as Taniumâ„¢ Core Content) include scheduled actions (such as Distribute Hardware Tools) that target the Default action group. To deploy those actions to endpoints, you must change their targeted action group. For details, see Move Tanium actions to their own group.

Read Action Group (micro admin) permission is required to view action groups in the Actions > Scheduled Actions page. Write Action Group (micro admin) permission is required to create, edit, and delete action groups. The Admin Administrator reserved role has these permissions.

View action groups

  1. From the Main menu, go to Administration > Actions > Action Groups.

    The page displays the ID and Name of each action group.

  2. (Optional) Use the filters to find specific action groups:
    • Filter by text: To filter the grid by ID or Name values, enter a text string in the Filter items field.
    • Filter by attribute: Filter the grid by one or more attributes, such as ID or Name. Expand the ExpandFilters section, click Add Add, select an attribute and operator, enter a text string that contains all or part of the attribute value, and click Apply. If you add multiple attribute filters, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  3. (Optional) To see the assigned computer groups and associated actions of an action group, select the action group and click Edit Edit.

Create an action group

Computer management groups and filter groups are the building blocks of action groups. Therefore, you must create the necessary computer groups (see Managing computer groups) before performing the following steps:

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Click New Group to display the configuration page.
  3. Specify a Name and Visibility option.
  4. Select Computer Groups, select the Boolean AND or OR matching, and click Save.

Edit an action group

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Select the action group and click EditEdit.
  3. Change the computer group assignments and click Save.

Change the action group assignment

Reassign actions to a different action group as follows:

  1. From the Main menu, go to Administration > Actions > Scheduled Actions.
  2. Select the actions that you want to reassign.
  3. Select More > Change Group.
  4. Select the action group and click Confirm.

Export and import action groups

The following procedures describe how to export and import the configurations of specific action groups or all action groups.

Develop and test content in your lab environment before importing that content into your production environment.

Export action groups

Export action groups as a CSV file to view their settings in an application that supports that format. If you have the Administrator reserved role, you can also export action groups as a JSON file to import them into another Tanium Server.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Select rows in the grid to export only specific action groups. If you want to export all action groups, skip this step.
  3. Click Export Export.
  4. (Optional) Edit the default export File Name, which is in the format: export-action_groups-<date>T<time>.csv<format>.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  5. Select an Export Data option: All action groups in the grid or just the Selected action groups.
  6. Select the file Format: JSON (Administrator reserved role only) or CSV.
  7. Click Export.

    TaaSThe Tanium Server exports the file to the downloads folder on the system that you use to access the Tanium Console.

Import action groups

You can import content files that are in JSON or XML format.

  1. Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.
  2. From the Main menu, go to Administration > Configuration > Solutions.
  3. Scroll to the Content section and click Import Import Content.
  4. Click Choose File, select the content file, and click Open.
  5. Click Import.

    If object names in the file are the same as for existing objects, the Tanium Console itemizes the conflicts and provides resolution options for each one.

  6. Select resolutions for any conflicts. For guidance, see Conflicts and Best practices.
  7. Click Import again, and click Close when the import finishes.

Copy action group configuration details

Copy information from the Action Groups page to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy Copy.
    • Copy cell information: Hover over the cell, click Options Options, and click Copy Copy.

Delete an action group

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Select the action group and click one of the following buttons. Both buttons open a dialog that displays the action group details so that you can evaluate the impact of deleting.
    • Delete: This button appears if the action group has no existing scheduled actions. Click Delete Action Group to proceed.
    • Migrate and Delete: This button appears if the action group has existing scheduled actions. When the Action Group dialog opens, select another action group in the Migrate existing scheduled actions to below selected action group drop-down list. Click Show Preview to Continue to review the endpoints that are currently included in the action group to which you will migrate actions (Preview section). Also review the Actions associated to this Action Group. After assessing the impact, click Transfer Actions and Delete Action Group.

Best practices

Move Tanium actions to their own group

When you sign into the Tanium Console for the first time after installing the Tanium Server, the server imports certain scheduled actions that target the Default action group, which specifies the No Computers computer group by default. This means that the Tanium Server does not deploy these actions to any endpoints. To see the list of these actions, go to Administration > Actions > Scheduled Actions and click Default in the Action Groups panel. These scheduled actions distribute tools that endpoints need to perform functions for certain core sensors and packages. You must periodically deploy the actions to all endpoints to account for any that did not yet receive the action, such as:

  • Endpoints that were introduced to your network after the last time the Tanium Server deployed the actions
  • Rebuilt endpoints
  • Endpoints on which the tools were uninstalled
  • Virtual desktop infrastructure (VDI) endpoints that periodically refresh

To deploy the actions to endpoints, perform one of the following steps:

  • (Best practice) Perform the Install with Recommended Configurations workflow: see Import and (optionally) configure the latest versions of all modules. As part of the workflow, the Tanium Server automatically creates a Default - All Computers action group and makes it the target for all scheduled actions that previously targeted the Default action group. Five minutes after performing this transition, the server automatically deploys those re-targeted scheduled actions.
  • Manually create an action group that includes the All Computers computer group and change the targeting for those scheduled actions to that action group.

Define specific use for each action group

Action groups comprise one or more computer management groups. You can create an action group for a particular event and add computer groups over time: first a test group, then operating system-type groups or region groups.

Limit access to edit action groups

Coordinate changes you make to the action groups configuration with all affected administrators. An administrator might have configured scheduled actions that target the set of computers that belong to the action group as it existed when the scheduled action was last configured.

Minimize action group complexity

When the Tanium Server issues a recurring action, action groups with long and complex targeting conditions use more resources and network traffic than groups with short and simple conditions. To reduce resource usage and traffic, minimize the number of computer groups associated with each action group, and keep the definitions of those computer groups as simple as possible. Contact Tanium Support for options to simplify computer groups.