Deploying actions

After you use Tanium Interact to issue a question, analyze the question results, and determine which endpoints require administrative action, you can deploy actions to those endpoints.

For the user role permissions required to deploy actions, see User role requirements.

Do not deploy an action unless you completely understand its scope, impact on an individual endpoint, and impact on the environment given the number of targeted endpoints. Furthermore, be sure your organization has authorized you to perform the action. Some organizations require a second user to review and approve actions. For details, see Managing action approval.

  1. Issue a question.
  2. If you want to deploy a policy action, issue a saved question instead of a dynamic question.

  3. In the Question Results grid, select the rows for the endpoints that require the action, and click Deploy Action.

    Interact displays the Deploy Action page.

  4. Use the Deployment Package search box typeaheads to select packages.

    Alternatively, click Browse Packages to review package descriptions and then select them.

  5. Complete the Action Details section.
    NameSpecify a name to identify the action. The name appears in the record for the action on the Scheduled Actions, Action History, and Action Approval pages.
    Description(Optional) A description helps other users understand the purpose of the action.
    Tags(Optional) Use the controls to add tags, which are name-value pairs.

    These tags apply to the action itself, not to the endpoints that run the action, and appear in the Action Details section of the Action Summary page. To assign tags to endpoints, you must deploy the Custom Tagging - Add Tags or Custom Tagging - Add Tags (Non-Windows) package.

  6. Complete the Schedule Deployment section. For policy actions, you must schedule repeating deployments.

    If you save an action with Start at and Reissue every values and subsequently deselect those settings instead of specifying new values, the Tanium Server discards the changes. To stop deploying an action, disable or delete it: see Manage scheduled actions.

    Start at / End at

    Required for policy actions, optional for other actions. Specify a start time when it is important to deploy the action to targeted clients during a maintenance window. The time refers to the Coordinated Universal Time (UTC) of the system clock on the Tanium Server host system, not on the Tanium Client host systems. For example, if you specify the action to deploy at 1:00 am, it deploys when the Tanium Server system clock time is 1:00 am. Note the following behavior:

    • If you omit a start time, the action deploys immediately upon completion of the deploy action workflow.
    • If you omit a start time and action approval is enabled, the action deploys immediately after it is approved, provided other action conditions do not preclude the Tanium Server from deploying it.
    • If you specify a start time and action approval is enabled, the action deploys at the next start time following the approval. For example, if you set the action to deploy at 1:00 am every day and it is approved at 2:00 am, the action deploys the next day at 1:00 am.

    As a best practice, specify an end date-time if you configure reissue intervals for the scheduled action, unless you are sure it is the type of action that you want to reissue indefinitely. If you are not sure, configuring the schedule to end in six months is better than running indefinitely.

    Distribute over

    The Tanium Server distributes packages to Tanium Clients in batches. This option randomizes the distribution over the specified duration to avoid spikes in network or other resource utilization. For example, if an action depends on a sensor that queries Active Directory (AD), an action that is not distributed over time can cause a flood of traffic to the AD server. Similarly, an action that targets clients in a virtual machine farm could exhaust the shared CPU or memory resources if all clients simultaneously run a resource-intensive program. Distributing over time attenuates the impact a massive orchestration might have on the networked or virtualized environment.

    Specify a number and unit: Minutes, Hours, Days.

    Reissue every

    You can schedule the action to repeat at intervals, which is appropriate when:

    • Action approval is enabled and you are not certain it will be approved before the action expires.
    • You want to be sure software or configuration updates are made not only to the clients currently online but also to those currently offline that will be predictably online within a window that the reissue interval defines.
    • The action is a continual hygiene practice. For example, you want to check periodically that a client service is running or a client configuration has a particular value.

    Specify a number and unit: Minutes, Hours, Days.

    The Reissue every interval must exceed the action expiration period, which is the larger result from the following calculations:

    • The package Command Timeout + Download Timeout values
    • The package Command Timeout + the scheduled action Distribute over value

  7. Complete the Targeting Criteria section to specify endpoints where the action must run.

    For a repeating action based on a saved question (a policy action), only the endpoints that match the latest results of the Starting Question will perform the action.

    If you select a Reissue every interval or if action approval is enabled, you must specify an Action Group. Otherwise, the action group is set to the All Computers computer group and you cannot change it (the Action Group drop-down does not appear), although only the endpoints that you selected in the Question Results grid are targeted.

  8. Click Show preview to continue, review the affected endpoints, and click Deploy Action.
  9. If the Estimated Number of affected endpoints exceeds the configured threshold (the default is 100), enter that number. The Tanium Server enforces this confirmation step to ensure that you understand the impact that an action will have on your network.
  10. To change the threshold that controls whether the Tanium Console prompts users for the Estimated Number, edit the prompt_estimate_threshold setting (Administration > Management > Global Settings). Note that changing the value to 0 causes the Tanium Console to prompt users whenever they deploy actions regardless of the number of affected endpoints.

  11. Review the status to confirm expected results. For details, see View action summary and status.

    To view the Action Summary page: from the Main menu, go to Administration > Actions > Action History, select the action in the grid, and click Show Status.

  12. (Policy actions only) From the Main menu, go to Administration > Actions > Scheduled Actions and verify that the Policy column displays Yes for the action you just added. If the column does not appear (it is hidden by default), click the Column menu Customize columns and select Policy.

The action deployment workflow creates a scheduled action configuration object, and the action is entered on the Scheduled Actions, Action History, and (if applicable) Action Approval pages in the Tanium Console. For details, see Managing scheduled actions and history.