Tanium actions overview
After you use Tanium Interact to issue a question, analyze the question results, and determine which endpoints require administrative action, you can deploy a package to those endpoints so that the Tanium Client can run the associated action. In a Tanium deployment, a package comprises a command, a script, and any related files required to execute an action on a managed endpoint. For example, the package named Clean Stale Tanium Client Data includes a Windows command-line command that executes a Visual Basic Script that removes stale data from the Tanium Client directory and safely kills any stale sensor or action processes. The Tanium Server distributes package files to endpoints based on their Tanium Client linear chains (for details, see Tanium Client User Guide: File distribution). The endpoints store all package files for an action in the <Tanium_Client>/Downloads/Action_<ID> folder, where <ID> is the action identifier. When the action runs, it generates status indicators that you can monitor in the Tanium Console and generates client-side logs that you can use to troubleshoot failures. For details about packages, see Managing packages.
For the user role permissions required to manage actions, see Action management permissions.
The following are key terms and concepts relating to actions.
Action groups are designed to target actions so that the Tanium Server issues them only to appropriate computer management groups. For example, you can create a computer group for Windows computers and then an action group that targets that computer group. When you configure scheduled actions to deploy packages that use Windows commands, you can specify that the Tanium Server will issue the action only to the action group for Windows commands.
Action locks are designed to suspend actions on the endpoint. You can deploy action locks if you encounter unexpected behavior and want to turn off actions while you debug it.
Action approval supports organizations that have policies requiring an approval stage. When action approval is enabled, the signed in user that deploys the scheduled action cannot also approve it. The action is put on hold until it is approved by another user that has been assigned the Approve Action permission. Once approved, the approval remains in force until the schedule ends or the scheduled action configuration is modified.
Scheduled actions are actions that the Tanium Server automatically reissues at specific intervals over a specific period. Many scheduled actions are designed to promote cyber hygiene: the system health and security of endpoints. For example,
Policy actions are scheduled actions that you use to enforce policies on endpoints. For example, your enterprise policy might require a specific Tanium™ solution module on all endpoints. Each policy action is based on a saved question. At each scheduled action interval, the Tanium Server determines which endpoints match the current results of the question. If any endpoints match, the Tanium Server deploys the action to all endpoints but only the matching endpoints try to perform the action.
For example, say you configure an action that installs Tanium™ Trace only on endpoints that match the question Get Tanium Trace Status equals needs installation from all machines with Tanium Trace Status equals needs installation. When first deploying this action, the Tanium Server installs the module on a potentially large number of endpoints that do not have Tanium Trace installed. However, few if any endpoints will match that condition in subsequent scheduled deployments (perhaps only endpoints added after the first action deployment). If no endpoints match, the action does not deploy, which conserves bandwidth and avoids clutter in the Actions > Action History grid. By contrast, non-policy actions (based on dynamic questions) deploy even when no endpoints match. Furthermore, all the endpoints in the action group will attempt to perform a non-policy action even if, having run previously, the action is unnecessary and therefore never finishes.
Note that the Tanium Server does not deploy policy actions to endpoints that were offline when it sent the saved questions and that then come online while the actions are in progress. The Tanium Server deploys only non-policy actions to endpoints that come online while the actions are in progress. Non-policy actions are also useful in cases where you want all endpoints in an action group to perform the action without filtering the endpoints based on particular conditions (such as whether a particular module is installed).
If you delete a saved question, the Tanium Server continues reissuing it for any policy actions that use the question, and the Administration > Question History grid continues displaying the question for the scheduled action intervals.
Last updated: 10/15/2020 11:18 AM | Feedback