Managing action groups

You use action groups to define which managed endpoints are the targets for actions. Before creating, editing, or deleting action groups, see the associated Best practices.

The default definition for the action group named Default specifies the No Computers computer group. This means that the Tanium Server does not deploy actions to any endpoints if those actions target the Default action group. When you import content packs onto the Tanium Server, some packs (such as Taniumâ„¢ Core Content) include scheduled actions (such as Distribute Hardware Tools) that target the Default action group. To deploy those actions to endpoints, you must change their targeted action group. For details, see Move Tanium actions to their own group.

Read Action Group (micro admin) permission is required to view action groups in the Actions > Scheduled Actions page. Write Action Group (micro admin) permission is required to create, edit, and delete action groups. The Admin Administrator reserved role has these permissions.

Create an action group

Computer management groups and filter groups are the building blocks of action groups. Therefore, you must create the necessary computer groups (see Managing computer groups) before performing the following steps:

  1. From the Main menu, select Console > Actions > Scheduled Actions.
  2. Click New Group to display the configuration page.
  3. Specify a Name and Visibility option, and select Computer Groups. You can combine the sets of computers using a Boolean AND or Boolean OR.
  4. Click Save.

Edit an action group

  1. From the Main menu, select Console > Actions > Scheduled Actions.
  2. Select the action group in the left pane.

    The console displays the group details in the right pane.

  3. Click Edit to display the configuration page.

Change the action group assignment

  1. From the Main menu, select Console > Actions > Scheduled Actions.
  2. Click a row in the grid to select the action you want to change.
  3. Click More > Change Group.
  4. Select the action group and click Confirm.

Delete an action group

  1. From the Main menu, select Console > Actions > Scheduled Actions.
  2. Select the action group in the left pane and click one of the following buttons. Both buttons open a dialog that displays the action group details so that you can evaluate the impact of deleting.
    • Delete: This button appears if the action group has no existing scheduled actions. Click Delete Action Group to proceed.
    • Migrate and Delete: This button appears if the action group has existing scheduled actions. When the Action Group dialog opens, select another action group in the Migrate existing scheduled actions to below selected action group drop-down list. Click Show Preview to Continue to review the endpoints that are currently included in the action group to which you will migrate actions (Preview section). Also review the Actions associated to this Action Group. After assessing the impact, click Transfer Actions and Delete Action Group.

Best practices

Move Tanium actions to their own group

When you log into the Tanium Console for the first time after installing the Tanium Server, the server imports certain scheduled actions that target the Default action group, which specifies the No Computers computer group by default. This means that the Tanium Server does not deploy these actions to any endpoints. To see the list of these actions, go to Console > Actions > Scheduled Actions and click Default in the Action Groups panel. These scheduled actions distribute tools that endpoints need to perform functions for certain core sensors and packages. You must periodically deploy the actions to all endpoints to distribute the tools to any new endpoints that do not have them installed, rebuilt endpoints, endpoints on which the tools were uninstalled, or virtual desktop infrastructure (VDI) endpoints that periodically refresh. To deploy the actions to endpoints, perform one of the following steps:

  • (Best practice) Perform the Install with Recommended Configurations workflow: see Import and (optionally) configure the latest versions of all modules. As part of the workflow, the Tanium Server automatically creates a Default - All Computers action group and makes it the target for all scheduled actions that previously targeted the Default action group. Five minutes after performing this transition, the server automatically deploys those re-targeted scheduled actions.
  • Manually create an action group that includes the All Computers computer group and change the targeting for those scheduled actions to that action group.

Define specific use for each action group

Action groups comprise one or more computer management groups. You can create an action group for a particular event and add computer groups over time: first a test group, then operating system-type groups or region groups.

Limit access to edit action groups

Coordinate changes you make to the action groups configuration with all affected administrators. An administrator might have configured scheduled actions that target the set of computers that belong to the action group as it existed when the scheduled action was last configured.

Minimize action group complexity

When the Tanium Server issues a recurring action, action groups with long and complex targeting conditions use more resources and network traffic than groups with short and simple conditions. To reduce resource usage and traffic, minimize the number of computer groups associated with each action group, and keep the definitions of those computer groups as simple as possible. Consult your Technical Account Manager (TAM) for options to simplify computer groups.