Managing scheduled actions and action history

Scheduled actions are actions that Tanium as a Service (TaaS) or the Tanium Server automatically reissues at specific intervals over a specific period. A scheduled action configuration has the following components:

  • Package
  • Schedule settings, including start and end times, and reissue intervals
  • Targeting criteria that specify which endpoints run the action

TaaS or the Tanium Server creates a scheduled action when you deploy an action from the Question Results page and specify a reissue interval (see Deploying actions). When you install the Tanium Server, it automatically creates a set of scheduled actions while importing the Default Content pack. These predefined actions relate to the hygiene of the Tanium environment. The Tanium Server creates additional scheduled actions when you import certain other Tanium content packs and modules. TaaS also provides several predefined scheduled actions.

For the user role permissions that are required to manage scheduled actions and view action history, see Action management permissions.

Manage scheduled actions

Perform the following steps to manage scheduled actions that are already defined. To create a new scheduled action, see Deploying actions.

  1. From the Main menu, go to Administration > Actions > Scheduled Actions.
  2. (Optional) To find specific actions, configure any of the following filters:
    • Time: Select Local Time (default), which is local to the system that you use to access the Tanium Console, or Coordinated Universal Time (UTC).
    • Action group: Add one or more action groups as a filter by selecting one at a time in the Select Action Group drop-down.
    • Text string: Filter the grid by any text value in any column by entering a text string in the Filter items field.
    • Date Range: Filter the grid to display only actions for which the Last Issue Time is within a specific date range. The default All means no date range filter is applied.
    • Attribute: Expand the Filters section, click Add, select an action attribute (such as Issuer) and operator (such as is equal to), enter an attribute value (such as administrator), and click Apply. If you add multiple attributes, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  3. Select the actions that you want to manage.

    To export all actions, you can skip this step.

    Action buttons for administrative tasks appear above the grid. The available buttons depend on the row you select. For example, the Status column displays a green check mark to indicate enabled actions and a red minus to indicate disabled actions. When you open the More drop-down list for an enabled action, the options include Disable Action, but not Enable Action. If the Status column indicates a disabled action, the More list includes Enable Action but not Disable Action.

  4. Click a button or menu to perform one of the following tasks.

    To stop deploying a scheduled action, you must use the More menu to disable or delete it instead of clearing the Start at and Reissue every values.

    Button / Task: Guideline

    • Reissue: Displays the Reissue Action page. You can change the name, schedule, and targeting criteria.
    • Edit: Displays the Edit Action page. You can change the schedule and targeting criteria.
    • Status: Displays package details. You can use this dialog to re-download package files if you encountered issues with outdated files: see Re-download package files.
    • Copy: Copy information from the selected rows to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

      To copy information from an individual cell, hover over the cell, click Options, and click Copy.

    • More > Enable/Disable Action(s): Enables or disables the scheduled action.
    • More > Change Group: Assigns the scheduled action to a new action group. Select the action group and click Confirm.
    • More > Copy Action: Copies the scheduled action to a new action group. Select the new action group and click Confirm.
    • More > Delete: Displays the Delete Action page. You can review the action configuration before you delete it.
    • Export: Export scheduled actions as a CSV file to view them in an application that supports that format. If you have the Administrator reserved role, you can also export scheduled actions as a JSON file to import into another Tanium Server.

    Develop and test content in your lab environment before importing that content into your production environment.

    After clicking Export, perform the following steps:

    1. (Optional) Edit the default export File Name, which is in the format: export-scheduled_actions-<date>T<time>.<format>.

      The file suffix (.csv or .json) changes automatically based on the Format selection.

    2. Select an Export Data option: All actions in the grid or just the Selected actions.
    3. Select the file Format: JSON (Administrator reserved role only) or CSV.
    4. Click Export.

      TaaS or the Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.

Manage actions that are completed or in progress

The Action History page provides a chronology of initiated, completed, and scheduled actions. You can also use the page to show action details (such as status and issuer), display action log data, stop actions that are in progress, and reissue actions.

  1. From the Main menu, go to Administration > Actions > Action History. The page displays the Status of each action:
    • Open: The time window for the action has not expired. The expiration period is the larger result from the following calculations:
      • The package Command Timeout + Download Timeout values
      • The package Command Timeout + the scheduled action Distribute over value
    • Closed: The time window has expired. If an action is reissued, the grid displays a new row based on the new start time.
    • Stopped: An administrator stopped the action.
  2. (Optional) To find specific actions, configure any of the following filters:
    • Time: Select Local Time (default), which is local to the system that you use to access the Tanium Console, or Coordinated Universal Time (UTC).
    • Action group: Add one or more action groups as a filter by selecting one at a time in the Select Action Group drop-down.
    • Text string: Filter the grid by any text value in any column by entering a text string in the Filter items field.
    • Date Range: Filter the grid to display only actions for which the Start Time is within a specific date range. The default All means no date filter is applied.
    • Attribute: Expand the Filters section, click Add, select an action attribute (such as Issuer) and operator (such as is equal to), enter an attribute value (such as administrator), and click Apply. If you add multiple attributes, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  3. Select the actions that you want to manage.

    To export all actions, you can skip this step.

  4. Click a button to perform one of the following tasks.
    Table 1: Action History administration tasks

    Button / Task: Guideline

    • Show Status: Display the Action Summary page to see additional status details and get information from action logs: see View action summary and status.
    • Stop: Stop the action.
    • Reissue: Display the Reissue Action page. You can change the name, schedule, and targeting criteria.
    • Copy: Copy information from the selected rows to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

      To copy information from an individual cell, hover over the cell, click Options, and click Copy.

    • Export: Export action history information as a CSV file to view the information in an application that supports that format. If you have the Administrator reserved role, you can also export action history information as a JSON file.

    After clicking Export, perform the following steps:

    1. (Optional) Edit the default export File Name, which is in the format: export-action_history-<date>T<time>.<format>.

      The file suffix (.csv or .json) changes automatically based on the Format selection.

    2. Select an Export Data option: All actions in the grid or just the Selected actions.
    3. Select the file Format: JSON (Administrator reserved role only) or CSV.
    4. Click Export.

      TaaS or the Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.

View action summary and status

The Action Summary page opens automatically when you deploy an unscheduled action so that you can track its progress. You can also open the page from the Administration > Actions > Action History page by selecting an action and clicking Show Status. The Action Summary page displays details about actions that are completed or in progress, and enables you to re-download package files and view action logs.

Figure 1: Action Summary page

Action states

Tanium Clients report the following states for actions:

  • Waiting: Waiting to download files necessary to start the action.
  • Downloading: Files necessary to start the action are downloading. This state applies only if the action has files to download.
  • Running: Action is currently executing.
  • Waiting to Retry: Action will be retried shortly.
  • Completed: Action has successfully been completed.
  • Expired: Action did not start or complete within the available time window.
  • Failed: Action was not successfully completed.
  • Verified: Action completed and a verification question was used to verify success. This state applies only if the action has files to download.

Investigate action-related issues

The Tanium Client generates action logs to record the CLI output associated with action commands. You can display the log records to investigate issues related to an action. To display the records, you require the Read Sensor advanced permission on the Client Management content set. Perform the following steps to display the log records for an action:

  1. From the Main menu, go to Administration > Actions > Action History, select an action, and click Show Status to open the Action Summary page.
  2. Click Show Client Status Details, select up to 50 endpoints in the preview list, and click Get action log for selected machines.

    The Tanium Server then issues the question Get Computer Name and Tanium Action Log[<action_ID>, 100] from all machines with (Computer Name equals <computer_name>) through the Interact Explore Data field. Endpoints that ran the action respond with the first 100 lines of the corresponding action log. Endpoints that did not run the action respond with Error: Cannot read Action_<ID>.log.


Track the Action IDs

The Tanium Server assigns an action ID to each action that you deploy. Knowing the ID is useful when you want to see details about an action. For example, if you want to investigate unexpected outcomes related to actions (such as package scripts that failed to run), you can use action IDs to find and review action logs and action history log entries. The Tanium Console displays action IDs in multiple places.

  • In the Administration > Actions > Action History page, click Customize Columns in the grid and select ID to display the action ID column.
  • The Action Summary page displays the Action ID in the Details section and in the browser URL (see View action summary and status).

On managed endpoints, the Tanium Client displays action IDs in the action status file and log files. In the following file paths, <Tanium Client> represents the Tanium Client installation folder.

  • In the <Tanium Client>\Downloads\config\ActionStatuses.ast file, action IDs map each action to its status.
  • In the <Tanium Client>\Downloads folder, each action log displays the associated action ID in its file name.
  • In the <Tanium Client>\Logs folder, action history logs identify actions by their IDs.
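When you investigate directly on an endpoint, you can apply the same ID-to-log mapping locally. The following Python sketch is an added example, not Tanium code: it lists the action logs in the client's Downloads folder by action ID and returns the first 100 lines of one log, matching what the Tanium Action Log question returns. It assumes the file name pattern Action_<ID>.log, taken from the error text shown under Investigate action-related issues; the function names and the sample folder are constructed for illustration.

```python
import re
import tempfile
from itertools import islice
from pathlib import Path

# Assumed file-name pattern, taken from the page's error text
# "Cannot read Action_<ID>.log".
ACTION_LOG_RE = re.compile(r"^Action_(\d+)\.log$")


def list_action_logs(client_dir):
    """Map action ID -> log path for each action log in <client_dir>/Downloads."""
    logs = {}
    downloads = Path(client_dir) / "Downloads"
    if not downloads.is_dir():
        return logs
    for entry in downloads.iterdir():
        match = ACTION_LOG_RE.match(entry.name)
        if match and entry.is_file():
            logs[int(match.group(1))] = entry
    return logs


def read_action_log(client_dir, action_id, max_lines=100):
    """Return the first max_lines lines of one action log."""
    path = list_action_logs(client_dir).get(int(action_id))
    if path is None:
        # Same wording the page shows for endpoints that did not run the action.
        return [f"Error: Cannot read Action_{action_id}.log"]
    # errors="replace": command output may contain bytes that are not valid UTF-8.
    with path.open("r", encoding="utf-8", errors="replace") as handle:
        return [line.rstrip("\r\n") for line in islice(handle, max_lines)]


def build_sample_client_dir():
    """Constructed sample: a throwaway folder holding one 150-line action log."""
    root = Path(tempfile.mkdtemp(prefix="tanium-client-sample-"))
    downloads = root / "Downloads"
    downloads.mkdir()
    body = "".join(f"constructed output line {i}\n" for i in range(1, 151))
    (downloads / "Action_4242.log").write_text(body, encoding="utf-8")
    (downloads / "notes.txt").write_text("not an action log\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    sample = build_sample_client_dir()
    print(sorted(list_action_logs(sample)))
    print(len(read_action_log(sample, 4242)), read_action_log(sample, 7)[0])
```

To use it on a real endpoint, pass the Tanium Client installation folder as client_dir instead of the constructed sample folder.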

Import scheduled actions

You can import content files that are in JSON or XML format.

  1. Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.
  2. From the Main menu, go to Administration > Configuration > Solutions.
  3. Scroll to the Content section and click Import Content.
  4. Click Choose File, select the content file, and click Open.
  5. Click Import.

    If object names in the file are the same as for existing objects, the Tanium Console itemizes the conflicts and provides resolution options for each one.

  6. Select resolutions for any conflicts. For guidance, see Conflicts and Best practices.
  7. Click Import again, and click Close when the import finishes.