Deploying actions

After you use Tanium Interact to issue a question, analyze the question results, and determine which endpoints require administrative action, you can deploy actions to those endpoints.

For the user role permissions required to deploy actions, see User role requirements.

Do not deploy an action unless you completely understand its scope, impact on an individual endpoint, and impact on the environment given the number of targeted endpoints. Furthermore, be sure your organization has authorized you to perform the action. Some organizations require a second user to review and approve actions. For details, see Managing action approval.

Select a method to initiate action deployment based on how many actions you want to issue, whether they are recurring (scheduled) or non-recurring (unscheduled), and whether they have similar settings:
- Issue a new action: You can deploy only one new action at a time. To start, issue a dynamic question or, for a policy action, issue a saved question. Then select rows (up to 100) in the Question Results page for the endpoints that require the action, click Deploy Action, and proceed to the next step.
  You can also deploy a new action from other pages in the Tanium Console:
  - Administration > Configuration > Client Status page: See Troubleshoot Tanium Client registration and communication.
  - Administration > Permissions > Packages page: See Deploy actions from the Packages page.
- Issue existing actions:
  1. Go to the Administration > Actions page that lists the actions you will issue:
    - To issue scheduled or unscheduled actions that were previously issued, go to Administration > Actions > Action History.
    - To immediately issue scheduled actions that are configured with a future start date, go to Administration > Actions > Scheduled Actions.
  2. Select one or more actions and perform one of the following steps:
    - To re-issue a single action, or to re-issue multiple actions that each require a different start time or distribution period, click Reissue and proceed to the next step.
    - To re-issue multiple actions with the same start time and distribution period, select More > Bulk Reissue, specify the time standard (Local Time / UTC), Start At, and Distribute Over values (see Table 1), click Confirm, and skip the remaining steps. This option is for a one-time deployment only. If you select multiple recurring actions, Tanium Cloudthe Tanium Server creates copies of the actions with their Schedule Type set to One Time Deployment.

Configure the following settings. If you are issuing multiple actions, use the

and

widgets to navigate among the pages for each action.

If you save an action with Start At and Re-issue every values and subsequently clear those settings instead of specifying new values, Tanium Cloudthe Tanium Server discards the changes. To stop deploying an action, disable or delete it. See Manage scheduled actions.

Table 1: Action settings
Settings	Guidelines
Deployment Package	Select a package from the dropdown list or enter a search string to find a package by name. If you select a parameterized package, configure the parameters. For example, if you select the Set Tanium Server Name List package, enter the Server Name List. For details, see Example: Parameterized packages. If you select a package that has a sensor variable in its name, Tanium Cloudthe Tanium Server creates a separate action for each unique value that the sensor returns among the question results that you selected for the action. For example, if the package name includes the sensor Computer Name, the action deployment workflow automatically creates an action for each endpoint in the selected results. For details, see Package settings. If you are re-issuing or editing an action, you cannot change the Deployment Package and any package parameters are read-only by default. However, if the package settings changed after the action was last issued or saved, clicking Update Source Package makes the action use the latest version of the package and enables you to update parameter values. Click Revert Source Package if you want to revert to the default behavior of using the same package version and parameter values as when the action was last issued or saved. If the Console cannot show the original package settings, a link below the Deployment Package prompts you to Click here to continue to use updated package parameters. For more information, see Tanium Console User Guide: Update action packages.
Local Time / UTC	Select a time standard for the Start At and End At date-times: Local Time (default) is local to the system that you use to access the Tanium Console. UTC is Coordinated Universal Time.
Name	Specify a name to identify the action. The name appears in the record for the action on the Scheduled Actions, Action History, and action approval pages.
Description	(Optional) Enter a description helps other users understand the purpose of the action.
Status	This read-only setting appears when you create or reissue an action, and indicates whether the action is New or Pending Reissue.
Created	This read-only setting appears when you reissue or edit an action, and indicates the date and time when the action was created.
Expiration Period	This read-only setting indicates when the action expires. The value is the larger result of the following calculations: The sum of the Command Timeout and Download Timeout values in the selected package The sum of the package Command timeout and optional Distribute Over setting that you configure for the action The expiration applies to each deployment of a recurring action but does not change the schedule settings (Reissue Every, Start At, and End At).
Schedule Type	Select one of the following options: One Time Deployment: Deploy the action only once. Recurring Deployment: Schedule the action to deploy at intervals (Re-issue every) over a specified period (from the Start At to End At date-times). This option is required for policy actions.
Re-issue every	This setting appears only if you set the Schedule Type to Recurring Deployment. Scheduling the action to repeat at intervals is useful when: Action approval is required and you are not certain that an approver will approve the action before its initial deployment expires. You want to deploy software or configuration updates to endpoints that might not be online during the initial deployment but that you expect to be online at some point between the Start At and End At dates. The action is a continual hygiene practice. For example, you want to check periodically that a Tanium Client service is running or a client configuration has a particular value. Specify a number and unit: Minutes, Hours, Days. The Re-issue every interval must exceed the action Expiration Period.
Start At / End At	By default, actions that do not require approval deploy as soon as you click Deploy Action at the bottom of the Action Deployment page, but you can set a Start At date-time to override the default. For example, you might want deployment to start during a maintenance window for the targeted endpoints. Note the following behavior when action approval is enabled: If you omit a Start At time, the action deploys immediately after it is approved, provided other action conditions do not preclude Tanium Cloudthe Tanium Server from deploying it. If you specify a Start At time, the action deploys at the next start time following approval. For example, if you set the action to deploy daily at 1:00 am and a user approves it at 2:00 am, the action deploys the next day at 1:00 am. The End At setting appears only if you set the Schedule Type to Recurring Deployment. Configure the setting if you do not want to re-deploy the action indefinitely. For example, you might want to stop deployment before the end of a maintenance window for the targeted endpoints. Specify an End At date-time unless you are sure that you want to re-deploy the action indefinitely. If you are not sure, configuring the schedule to end in six months is better than running indefinitely.
Distribute over	Tanium CloudThe Tanium Server distributes actions to endpoints in batches. The Distribute Over option randomizes the distribution over the specified period to prevent spikes in network traffic or other resource consumption. For example, an action that depends on a sensor that queries Active Directory (AD) might cause a flood of traffic to the AD server unless the action is distributed over time. Similarly, an action that targets endpoints in a virtual machine farm might exhaust the shared CPU or memory resources if all endpoints simultaneously run a resource-intensive program. Specify a number and unit: Minutes, Hours, Days.
Targeting Criteria	Configure which endpoints to target for the action. By default, the action targets all endpoints that match: The Target Question, which is initially based on the rows that you selected in the Question Results page when you clicked Deploy Action there. The Target Question updates automatically when you change other targeting criteria. The predefined Default - All Computers action group, which includes all managed endpoints unless you changed the group membership before initiating the action deployment. You can also select a different Action Group. Optionally, refine the targeting by adding: Computer groups: Click Add Computer Groups, select one or more computer groups, and click Save. Manual list: Enter a comma-separated list of endpoints by computer name or IP address and click Save. Filter question: Enter a question to target endpoints that return results and click Save. Tanium CloudThe Tanium Server applies a Boolean AND to the criteria that you specify. For a recurring action, only the endpoints that match the latest results of the Target Question will perform the action.

Click Show Preview to Continue and review the affected endpoints.
Perform one of the following steps:
- If you are issuing or reissuing the action, click Deploy Action.
- If you are editing the action, click Save Action.
If the number of Estimated clients affected exceeds the configured threshold (the default is 100), enter the estimated number and click Confirm. Tanium CloudThe Tanium Server enforces this confirmation step to ensure that you understand the impact that an action will have on your network.

To change the threshold that controls whether the Tanium Console prompts users for the Estimated clients affected, go to Administration > Configuration > Settings > Platform Settings and edit the Prompt Estimate Threshold setting. Note that changing the value to 0 causes the Tanium Console to prompt users whenever they deploy actions regardless of the number of affected endpoints.

Perform one of the following steps to review the action status based on if the action requires approval.

For details about the Action Status page and the steps to access it from the Action History page, see View action status.
- Approval not required: Confirm that the action produces the expected results on the Action Status page, which opens automatically unless you specified a future Start At value in the action configuration. An action with a future Start At value appears in the Scheduled Actions page. For scheduled actions, wait until deployment starts and then check the status in the Action History page.
- Approval required: Confirm that the action appears in the Scheduled Actions page. The action remains in a pending state until a user approves it, as described in Approve pending actions. After the action is approved and deployment starts, check the action status in the Action History page.

Non-recurring actions that you deploy immediately appear only in the Action History page, not the Scheduled Actions or action approval pages.

On the Scheduled Actions page, the Policy column displays Yes for a policy action. To show the column, click Customize Columns

and select Policy. The Next Issue Time column, which is visible by default, displays if applicable for a policy action because that type of action deploys only if one or more endpoints returns results for the associated saved question at the next interval.

To troubleshoot action deployment issues, see Tanium Console User Guide: Monitor actions.