Managing action groups

Action groups define which managed endpoints are the targets for actions. You configure the targets by assigning computer groups to the action groups. Before creating, editing, or deleting action groups, see the associated Best practices for action groups.

All Tanium deployments include the following action groups. These action groups have predefined computer group assignments, but you can change the assignments.

  • Default - All Computers: This is the default action group selection when you deploy a custom action. It targets the All Computers computer group. Therefore, actions that are assigned the Default - All Computers action group deploy to all the managed endpoints in your organization.

  • Default: This action group targets only the No Computers computer group. Therefore, actions that are assigned the Default action group do not deploy to endpoints.

Under certain circumstances, some predefined scheduled actions target the Default action group and you must manually assign another action group before those actions can deploy to endpoints. See Reconfigure actions that target the Default action group.

Action Group read permission is required to view action groups in the Administration > Actions > Action Groups page. Action Group write permission is required to create, edit, and delete action groups. The Administrator reserved role has these permissions.

View action groups

  1. From the Main menu, go to Administration > Actions > Action Groups.

    For each action group, the page displays the following attributes:

    • Action group ID and Name

    • Number of assigned computer groups and whether they use Boolean AND or OR combination logic (see Computer Groups). To display a tooltip that lists the computer group names, hover over the entry in the Computer Groups column for the action group.

    • User (persona) who last modified the group and when

  2. (Optional) Display action group attributes (columns) that are hidden by default, such as which users (personas) created action groups and when, by clicking Customize Columns and selecting the attributes.
  3. (Optional) Use the filters to find specific action groups:
    • Filter by text: To filter the grid by an alphanumeric string that matches an action group ID, action group Name, or computer group name, enter the string in the Filter items field.
    • Filter by attribute: Filter the grid by one or more attributes, such as ID or Name. Expand the Filters section, click Add, select an attribute and operator, enter a text string that contains all or part of the attribute value, and click Apply. If you add multiple attribute filters, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  4. (Optional) To see the RBAC visibility setting, assigned computer groups, and associated actions of an action group, click the action group Name.

Create an action group

Computer management groups and filter groups are the building blocks of action groups. Therefore, you must create the necessary computer groups (see Managing computer groups) before performing the following steps:

  1. From the Main menu, go to Administration > Actions > Action Groups and click New Group.
  2. Configure the following settings and click Save.
     Table 1: Action group settings
    Setting: Description

    Name: Enter a Name to identify the action group.

    Visibility: Select a Visibility option:
    • Only administrators can see this group: Only users with the Administrator or Content Administrator reserved role can see this action group.
    • All users can see this action group
    • Limit visibility to specific user groups: Select the User Groups that can see the action group.

    Action Group read permission overrides the Visibility setting. A user who has Action Group read and action deployment permissions can select any action group when deploying an action. A user who has Action Group read and Approve Action permissions can approve actions that target any action group. However, the computer groups that are assigned to a user still control which endpoints run an action that the user deploys to the selected action group.

    Computer Groups: Select Computer Groups and select the type of Boolean matching to apply:

    • AND: Endpoints run an action only if they are in all the computer groups that are assigned to the action group. For example, a macOS endpoint runs an action that targets an action group containing the All Computers and All Mac computer groups, but does not run an action that targets an action group containing the All Windows and All Mac computer groups.

    • OR: Endpoints run an action if they are in any of the computer groups that are assigned to the action group. For example, a macOS endpoint runs an action that targets an action group containing the All Windows and All Mac computer groups.

Edit an action group

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Click the action group Name.
  3. Edit the settings that are listed in Table 1.
  4. Review the Actions associated to this Group to assess the impact of your changes and then click Save.

Edit action group assignments for scheduled actions

Reassign actions to a different action group as follows:

  1. From the Main menu, go to Administration > Actions > Scheduled Actions.
  2. Select the actions that you want to reassign.
  3. Select More > Change Group.
  4. Select the action group and click Confirm.

Export and import action groups

The following procedures describe how to export and import specific action groups or all action groups.

Develop and test content in your lab environment before importing that content into your production environment.

Export action groups

Export action groups as a file in one of the following formats:

  • CSV: When you open the file in an application that supports CSV format, it lists the action groups with the same attributes (columns) as the Action Groups page displays.

  • JSON: If you are assigned the Administrator reserved role, you can export action group configurations as a JSON file to import them into another Tanium Server.

Perform the following steps to export action groups:

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. (Optional, CSV exports only) To add action group IDs as a column in the CSV file, click Customize Columns in the grid and select ID. If you skip this step, the file shows only action group names.
  3. Select rows in the grid to export only specific action groups. If you want to export all action groups, skip this step.
  4. Click Export.
  5. (Optional) Edit the default export File Name.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  6. Select an Export Data option: All action groups in the grid or just the Selected action groups.
  7. Select the file Format:

    • List of Action Groups - CSV
    • Action Group Definitions - JSON (Administrator reserved role only)

  8. Click Export.

    Tanium Cloud or the Tanium Server exports the file to the downloads folder on the system that you use to access the Tanium Console.

Import action groups

Users who are assigned a role with Import Signed Content permission can import content files that are in JSON or XML format. The Administrator reserved role has this permission.

  1. (Non-Tanium-provided content only) Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.

    You do not have to generate keys or signatures for Tanium-provided solutions, such as the Default Computer Groups content pack. Tanium signs this content before making it available, and the associated public key is distributed to the Tanium Server key store during the server installation process.

  2. From the Main menu, go to any of the following Administration pages:
    • Configuration > Solutions
    • Permissions > Filter Groups
    • Under Content, select Sensors, Packages, or Saved Questions
    • Under Actions, select Scheduled Actions, All Pending Approvals, or Actions I Can Approve
  3. Select an Import option based on the source of the content:
    • Import > Import Files: Perform one of the following steps to select one or more files:
      • Drag and drop files from your file explorer.
      • Click Browse for File, select the files, and click Open.
    • Import > Import URL: Enter the URL in the Import URL field, and click Import.
  4. For each file, expand the File name, review the content to import, and select resolutions for any conflicts with existing content (see Resolve conflicts when importing updates).
  5. If you want to overwrite existing content set assignments for all imported objects with the default Tanium-defined assignments, select Include content set overwrite. By default, the Include content set overwrite check box is deselected and the Tanium Server preserves the existing content set assignments.
  6. Click Begin Install.

Copy action group configuration details

Copy information from the Action Groups page to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy.
    • Copy cell information: Hover over the cell, click Options, and click Copy.

Delete an action group

You can delete any action group except Default and Default - All Computers. If any scheduled actions target the action group that you will delete, you can transfer those actions to another action group during the deletion workflow.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Select the action group and click Migrate and Delete.
  3. Scroll to the Actions associated to this Group grid. The next steps depend on whether any actions currently target the action group:
    • No associated actions: Scroll to the bottom of the dialog and click Delete Action Group.
    • Actions are associated:
      1. Review the Computer Groups that are assigned to the current action group to understand the impact of migrating the actions to a new action group.
      2. Select a new action group in the Migrate existing scheduled actions to selected action group dropdown list.
      3. Click Show Preview to Continue and review the affected computer groups and endpoints in the new action group.
      4. Click Transfer Actions and Delete Action Group.
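
An added example (not Tanium code or output) of the AND/OR matching described under Create an action group and of the before/after comparison that the Show Preview step asks you to review. Endpoint names and memberships are constructed, and the function names targets and migration_impact are hypothetical.

```python
# Added illustration: a model of action group targeting, not Tanium code.
# Endpoint names and computer group memberships are constructed sample data.
ENDPOINTS = {
    "mac-01": {"All Computers", "All Mac"},
    "win-01": {"All Computers", "All Windows"},
    "win-02": {"All Computers", "All Windows", "Test Ring"},
    "lnx-01": {"All Computers", "All Linux"},
}


def targets(computer_groups, logic, endpoints=ENDPOINTS):
    """Return the endpoints that run an action sent to this action group.

    "AND": the endpoint must be in every assigned computer group.
    "OR":  the endpoint must be in at least one assigned computer group.
    """
    if logic not in ("AND", "OR"):
        raise ValueError(f"unknown combination logic: {logic!r}")
    wanted = set(computer_groups)
    if not wanted:
        return set()  # assumption of this model: no groups means no targets
    if logic == "AND":
        return {n for n, member_of in endpoints.items() if wanted <= member_of}
    return {n for n, member_of in endpoints.items() if wanted & member_of}


def migration_impact(old_group, new_group, endpoints=ENDPOINTS):
    """Compare targeting before and after moving actions to a new action group.

    Each group is a (computer_groups, logic) pair.
    """
    before = targets(*old_group, endpoints)
    after = targets(*new_group, endpoints)
    return {
        "gained": sorted(after - before),      # start running the actions
        "lost": sorted(before - after),        # stop running the actions
        "unchanged": sorted(before & after),
    }


if __name__ == "__main__":
    # Default is assigned only No Computers, so no endpoint matches.
    print(targets(["No Computers"], "OR"))
    # Moving actions from a narrow AND group to a broad OR group widens scope.
    print(migration_impact((["All Windows", "Test Ring"], "AND"),
                           (["All Windows", "All Mac"], "OR")))
```

Any entry under "gained" is an endpoint that starts running the migrated scheduled actions, which is the part of the preview to check before confirming the transfer.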

Best practices for action groups

Reconfigure actions that target the Default action group

Some predefined scheduled actions distribute tools that endpoints need to perform functions for certain core sensors and packages. For example, the action Distribute Application Management Tools deploys a package that includes scripts for starting and stopping services. Tanium provides these actions through the Default Content and Core Content packs (such as Core Content and Core Content - Default Content). When Tanium Cloud automatically updates these content packs, it reconfigures the associated actions to target the Default action group. Under certain circumstances, these actions are assigned the Default action group. Because Default includes only the No Computers computer group, these actions do not deploy to endpoints until you assign a different action group as described under Edit action group assignments for scheduled actions. The best practice is to assign the Default - All Computers action group to these actions. To see the actions that are assigned the Default action group, go to Administration > Actions > Scheduled Actions and select Action Group > Default.

Tanium notifies you when updates occur that change action group assignments. To review the notifications in the Activity Timeline, see Tanium Cloud Deployment Guide: View module installation history.

Actions in the Default Content and Core Content packs target the Default action group under the following circumstances:

  • When you sign in to the Tanium Console for the first time after installing the Tanium Server, the server imports the Default Content pack and sets the action group to Default for the associated scheduled actions.

  • The method that you select for manually importing content packs determines whether their scheduled actions target the Default - All Computers or Default action group:
    • Tanium Recommended Installation: This import method sets the action group to Default - All Computers, including for scheduled actions in the Default Content pack that were initially assigned the Default action group. See Import all modules and services.
    • Any other import method: The action group remains set to Default. See Import or update specific solutions.

    When you import Tanium Interact, the Tanium Server automatically imports the Default Content and Core Content packs. In this case, the import method that you select for Interact has the same effect as for importing content packs in determining the action group assignment for the actions in those content packs.

  • When you update content packs that include scheduled actions, their action group assignment reverts to Default regardless of their previous assignment. See Import or update specific solutions.

When you change the action group assignment for Default Content and Core Content actions, the best practice is to keep their default scheduling settings. The actions are configured to reissue at intervals to ensure that core tools are deployed to all endpoints, including:

  • Endpoints that were introduced to your network after the last time Tanium Cloud or the Tanium Server deployed the actions
  • Rebuilt endpoints
  • Endpoints on which the tools were uninstalled
  • Virtual desktop infrastructure (VDI) endpoints that periodically refresh

Define a specific use for each action group

Action groups comprise one or more computer management groups. You can create an action group for a particular event and add computer groups over time: first a test group, then groups that are based on operating system or region.

Limit access to edit action groups

Coordinate changes you make to the action groups configuration with all affected administrators. An administrator might have configured scheduled actions that target the set of computers that belong to the action group as it existed when the scheduled action was last configured.

Minimize action group complexity

When Tanium Cloud or the Tanium Server issues a recurring action, action groups with long and complex targeting conditions use more resources and network traffic than groups with short and simple conditions. To reduce resource usage and traffic, minimize the number of computer groups associated with each action group, and keep the definitions of those computer groups as simple as possible. Contact Tanium Support for options to simplify computer groups.