After you use Tanium Interact to issue a question, analyze the question results, and determine which endpoints require administrative action, you can deploy an action to those endpoints so that the Tanium Client can run the associated package (see Managing packages). In a Tanium deployment, a package comprises a command, a script, and any related files required to execute an action on a managed endpoint. For example, the package named Clean Stale Tanium Client Data includes a Windows command-line command that executes a Visual Basic Script to remove stale data from the Tanium Client directory and safely kill any stale sensor or action processes.
To troubleshoot action deployment issues, see Monitor actions.
Action concepts and terminology
Action groups are designed to target actions so that
Action locks prevent actions from running on an endpoint. You might want to deploy action locks if, for example, you encounter unexpected behavior on endpoints and want to suspend actions during debugging. For details and related procedures, see Managing action locks.
Scheduled actions are actions that
Policy actions are scheduled actions that are based on saved questions instead of dynamic questions. They are useful for ensuring that endpoints comply with policies. For example, if your organization requires all Windows endpoints to have restricted permissions on the Tanium Client installation directory, you can schedule an action to restrict permissions based on the following saved question:
Get Tanium Client Directory Permissions equals Not Restricted from all machines with ( Tanium Client Directory Permissions equals Not Restricted and Is Windows equals True ).
The from clause ensures that only endpoints that match the question condition return results. At each action interval, the server:
- Evaluates whether the cached results exceed the question expiration period (10 minutes). If no, the server uses the results that it cached the last time it issued the question. If yes, it reissues the question to collect new results.
- Evaluates the results to determine whether any endpoints match the question condition and belong to computer management groups that are assigned to the question owner:
  - Yes: The server deploys the action to the targeted action group. However, a policy action conserves network bandwidth and endpoint resources because endpoints download the required packages and perform the actions only if they match the question condition and belong to the computer management groups that are assigned to the action owner. In the example question, only Windows endpoints with open permissions on the Tanium Client installation directory match the condition, and therefore only those endpoints download the required package Client Service Hardening - Set SYSTEM only permissions on Tanium Client directory and run the action to restrict permissions.
  - No: The action does not deploy.
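The interval-by-interval evaluation described above, as an added illustrative model in Python (this is not Tanium code; the Endpoint and PolicyAction types, the endpoint names and the management group names are constructed for the example):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

QUESTION_EXPIRATION = timedelta(minutes=10)  # question expiration period stated in the text

@dataclass
class Endpoint:
    name: str
    management_groups: frozenset  # computer management groups the endpoint belongs to
    answers: dict                 # sensor name -> value the endpoint would return

@dataclass
class PolicyAction:
    condition: dict                     # sensor -> required value (the question's "with" clause)
    owner_management_groups: frozenset  # computer management groups assigned to the action owner
    package: str
    cache: Optional[tuple] = None       # (issued_at, results) from the last time the question ran

def matches_condition(endpoint, condition):
    """True if every sensor/value pair of the question condition holds for this endpoint."""
    return all(endpoint.answers.get(sensor) == value for sensor, value in condition.items())

def issue_question(action, fleet, now):
    """Reissue the saved question; the 'from' clause means only matching endpoints answer."""
    results = [ep for ep in fleet if matches_condition(ep, action.condition)]
    action.cache = (now, results)
    return results

def evaluate_policy_action(action, fleet, now):
    """One action interval. Returns (reissued, sorted names of endpoints that run the package)."""
    cache = action.cache
    reissued = cache is None or now - cache[0] > QUESTION_EXPIRATION
    results = issue_question(action, fleet, now) if reissued else cache[1]
    # Only endpoints that match the condition AND belong to one of the owner's
    # management groups download the package and run the action.
    targets = sorted(ep.name for ep in results
                     if matches_condition(ep, action.condition)
                     and ep.management_groups & action.owner_management_groups)
    return reissued, targets

def demo():
    """Three intervals over a constructed fleet: fresh issue, cached reuse, expiry and reissue."""
    win_open = {"Tanium Client Directory Permissions": "Not Restricted", "Is Windows": "True"}
    fleet = [  # constructed endpoint names and group names
        Endpoint("win-open-1", frozenset({"Workstations"}), win_open),
        Endpoint("win-open-2", frozenset({"Finance"}), win_open),  # outside the owner's groups
        Endpoint("win-locked", frozenset({"Workstations"}),
                 {"Tanium Client Directory Permissions": "Restricted", "Is Windows": "True"}),
        Endpoint("linux-1", frozenset({"Servers"}),
                 {"Tanium Client Directory Permissions": "Not Restricted", "Is Windows": "False"}),
    ]
    action = PolicyAction(condition=win_open,
                          owner_management_groups=frozenset({"Workstations", "Servers"}),
                          package="Client Service Hardening - Set SYSTEM only permissions on Tanium Client directory")
    t0 = datetime(2023, 5, 30, 14, 0)
    return [evaluate_policy_action(action, fleet, t0 + timedelta(minutes=m)) for m in (0, 5, 15)]
```

Running demo() shows that the endpoint in a group outside the owner's management groups never downloads the package even though it matches the condition, and that the question is reissued only once the cached results are older than 10 minutes.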
If you delete a saved question,
Some organizations have policies that require an approval process for deploying actions. When action approval is enabled, the signed-in user who deploys the scheduled action cannot also approve it. The action is on hold until another user approves it. The approving user must have a role with Approve Action and Sensor read permissions. For scheduled actions, the approval remains in force until the scheduled end date of the action or until a user edits the action configuration. For details and related procedures, see Managing action approval.
Action deployment overview
To optimize action deployment, configure platform settings, content, and role-based access control (RBAC) before users start deploying actions. Monitoring action status and history is also important to ensure that actions continue to have the expected effect. The three stages of action deployment are:
Administrative setup for actions:
- Review and, if necessary, edit global settings for actions.
- Review and, if necessary, customize the content for deploying actions, such as sensors and packages.
- Configure RBAC for actions.
- Configure authentication for package downloads if necessary.
Configure and deploy actions:
- Issue a question to identify the endpoints that require the action.
- Configure action settings.
- Approve the action if approval is required before deployment.
Monitor actions:
- Review action status and history.
- Troubleshoot actions if issues occur during deployment.
Administrative setup for actions
Typically, you perform the following tasks once as part of the initial setup of a Tanium deployment. However, you might repeat some tasks if an environment changes. For example, you might update RBAC configurations to reflect changes to roles and personnel in an organization.
Actions in the Default Content and Core Content solutions might initially target the predefined action groups Default – All Computers or Default, which specifies the No Computers computer group. To change the computer groups that these and other predefined action groups target, see Edit an action group.
Perform the following tasks to set up action deployment:
Review and, if necessary, edit global settings that affect action deployment.
From the Main menu, go to Administration > Configuration > Settings > Platform Settings to assess whether the default values of the following global settings suffice for your Tanium deployment. Update any settings that require custom values.
On the Platform Settings page, click Expand to see the full description of a setting.
Require Action Approval and Bulk Approval: Enable action approval if your organization implements two-person integrity. These settings are disabled by default. See Enable or disable action approval.
Action Target Estimate Minimum: After you issue a question to identify endpoints that require an action, you cannot deploy the action until the percentage of responding endpoints reaches the estimated percentage. The default is 20%. See Configure and deploy actions.
Prompt Estimate Threshold: When you click Deploy Action in the Action Deployment page, if the number of affected endpoints exceeds the threshold, the Tanium Console prompts you to confirm the deployment before proceeding. The default is 100. See Configure and deploy actions.
Run Commands in Process Group: Enables you to control whether package commands run in a process group. This setting is disabled by default. See Launch this package in a process group.
Restricted Targeting: Sets the No Computers computer group as the action group target during initial configuration of Tanium solutions. This setting is disabled by default. See Tools deployment.
- Review the following advanced global settings to assess whether their default values suffice for your Tanium deployment. These settings control the maximum size of the cache that the Tanium Client uses to store file chunks for packages and client API downloads. See Tanium Client Management User Guide: Chunk caching. Update any settings that require custom values.
- ClientCacheLimitInMB: Controls the absolute amount of disk space that a client can use for caching chunks. The value is in megabytes (MB) and the default is 2048.
- ClientCachePercentageCapTimes100: Controls the maximum percentage of free disk space that a client can use for caching chunks. Multiply the target percentage by 100 to determine the value. For example, the default value 1000 specifies that the cache limit is 10% of free disk space. If you change the value, the client checks the free disk space and adjusts the cache size only when you restart the client or wait for the next client reset interval, which by default is a random interval in the range of 2 to 6 hours.
The Tanium Console does not display these advanced settings until a user adds them. Adding these settings is necessary only if non-default values are required. In an environment where actions deploy large files, such as for software installations or operating system (OS) patches, you might have to increase the cache limit and percentage. If each setting applies a different cache limit on a client, the client enforces whichever setting specifies a lower limit. See Manage advanced settings.
Because these are global settings, they apply to all Tanium Clients. However, you can override the settings for specific clients. For example, you might have critical assets that need more resources for running non-Tanium processes, or assets with very limited resources such as virtual desktop infrastructure (VDI) endpoints. To override the global settings for cache size, configure the settings locally on specific clients. See Tanium Client Management User Guide: Tanium Client CLI and client settings.
Review the content that is required for action deployment. If the predefined content does not suffice, create customized versions of:
Content sets: Content sets contain the content that you create. When you configure user roles for action deployment, you assign permissions to content sets to control which content users can access. For example, if you create a package that updates files on data center servers, you can assign it to a content set for which access is restricted to users who have a role that allows data center file management. See Managing content sets.
Packages: A package configuration includes settings, a command, a script, and any other files that are needed to orchestrate an action on an endpoint. For example, you might create a package that updates a specific file to a specific version. See Managing packages.
Sensors and saved questions: You use sensors and saved questions to identify the endpoints that require action. For example, you might create a saved question with the File Version sensor to identify which endpoints have a particular version of a file. You organize the questions into dashboards and organize the dashboards into categories. See Managing sensors and Managing saved questions.
Filter groups: You use filter groups to filter the questions and question results on which actions are based. For example, you might create a filter group that contains only the endpoints in a data center. You can also use filter groups as the building blocks of action groups for targeting specific endpoints. See Managing filter groups.
Test custom content in a lab environment before using it in a production environment.
Configure roles for administering, deploying, and (optionally) approving actions. See Managing roles and Action management permissions. Figure 3 shows action-related permissions.
Users cannot approve their own actions. However, you can assign the Bypass Action Approval permission to a role to enable certain users to deploy actions without requiring approval. You must create a custom role if you want any users to have the bypass ability because no predefined role has that permission.
The following permissions control access to the pages from which users deploy actions:
- Interact module permissions: Controls access to Interact module pages from which users issue dynamic or saved questions and deploy actions based on the results. The Ask Dynamic Questions permission also controls access to the Ask a Question field on the Tanium Home page. See Interact module permissions.
- Package read permission: Controls access to the Packages page, from which users can select a package to deploy through an action.
- Client Status read permission: Controls access to the Client Status page, where users can select endpoints to target for actions. Users typically use this page to troubleshoot connectivity issues for Tanium Clients.
The following predefined roles provide action-related permissions but also other permissions. If you want action users to have a more limited range of permissions than what these roles provide, create custom roles.
- Interact Power User: This module role has all the permissions to deploy actions but not to approve actions or bypass action approval. See Interact module permissions.
- Administrator: This reserved role has all the action administration and deployment permissions but does not have permissions to approve actions or bypass action approval. See Administrator reserved role.
After you deploy an action, you can display action log records to investigate issues related to the action. To display the records, you require Read Sensor permission on the Client Management content set. See View action status and settings.
- Review the predefined action groups and computer groups to assess whether they suffice for action targeting. Configure custom groups if necessary.
Action groups control which endpoints users can target for actions. Computer management groups and filter groups are the building blocks of action groups. See Managing computer groups and Managing action groups.
Assign the roles and computer groups to the user groups, user accounts, or personas of users who will deploy, approve, or administer actions. See:
Configure downloads authentication if Tanium Cloud
Configure and deploy actions
Perform the following steps for each new action:
Issue a dynamic or saved question to identify which endpoints require the action. Instead of deploying actions based on question results, you can also deploy actions from the:
- Administration > Configuration > Client Status page. See Troubleshoot Tanium Client issues.
- Administration > Permissions > Packages page. See Deploy actions from the Packages page.
In this example, the purpose of the action is to restrict permissions for the Tanium Client installation directory on Windows endpoints such that only the SYSTEM account can view or edit files in that directory. Because this action is based on question results, it deploys only to endpoints that have unrestricted permissions on the directory. Avoiding deployment to endpoints that do not need an action reduces its impact on network and endpoint resources.
Dynamic question: Go to the Tanium Home page or Interact Overview page and use the Ask a Question field (as in the following example) or question builder to issue a dynamic question. See Asking questions and searching endpoints.
Saved question: Go to the Interact Overview page and issue a question through the Saved Questions panel. You can also issue saved questions from the Administration > Content > Saved Questions page or (if the questions have favorite status) from the Tanium Home page. See Issue a saved question.
An action that is based on the results of a saved question is a Policy action.
Select the results from endpoints that require the action and click Deploy Action to configure the action settings.
You cannot deploy an action until the estimated percentage of endpoints that answer the question reaches the threshold that is specified in the Action Target Estimate Minimum platform setting.
You can refine the results before deploying an action. For example, you can issue drill-down questions, merge questions, or filter the results until you identify more precisely the endpoints that require the action. See Managing question results.
Configure the action settings.
When the action first deploys, some endpoints might be offline. To ensure that the action deploys to endpoints that come online after the initial deployment, set the Schedule Type to Recurring Deployment and set the interval (Re-issue every) and time period (between the Start At and End At dates) to appropriate values. In this example, the action deploys once per day for a month to ensure that all endpoints have a chance to come online.
Click Show preview to continue, review the affected endpoints, and click Deploy Action.
If the number of affected Tanium Clients exceeds the threshold that is specified in the Prompt Estimate Threshold platform setting, the Tanium Console prompts you to confirm the deployment before proceeding.
If approval is not required and the action starts immediately, the Action Status page opens. If approval is required or you specified a future Start At value, the action appears in the Scheduled Actions page. See View action status and settings.
(Action approval only) If the Require Action Approval platform setting is enabled, another user must approve the action before deployment can start. Actions stay in a pending state until a user approves them. See Approve pending actions.
For recurring actions, approval is a manual process only for the first deployment interval and is automatic for subsequent intervals.
Track the status of actions to ensure that they are configured correctly and deploy as expected, and to troubleshoot if necessary.
View action status and settings
The Tanium Console displays action settings and status on different pages based on whether the action is one-time only or recurring and whether it starts immediately or at a future date:
One-time only, immediate deployment: The Action Status page opens automatically when you deploy the action. See View action status. The Tanium Client generates action logs to record the command-line interface (CLI) output that is associated with action commands. If you have Read Sensor permission on the Client Management content set, you can display the log records to investigate issues related to an action. To display the records, on the Action Status page click Show Client Status Details, select up to 50 endpoints in the preview list, and click Get action log for selected machines. See Investigate action-related issues.
Recurring action or action with future start date: On the Scheduled Actions page, you can select an action and click Status to review or re-download files that are associated with the action package. See Manage scheduled actions.
After the first (or only) deployment interval, you can also view the settings, status, and other details of an action on the Action History page. See Manage actions that are completed or in progress.
If issues occur during action deployment, the following tasks can help you to troubleshoot. Note the action IDs of the actions that you want to troubleshoot before reviewing logs. The Action History, Scheduled Actions, and Action Status pages all show action IDs. See Track Action IDs.
For issues on Tanium Clients, investigate:
- Sensor quarantines: Verify whether the actions use sensors that are quarantined on the clients and, if appropriate, remove those sensors from quarantine. See Manage sensor quarantines.
- Action locks: Verify whether action locks are turned on by issuing the following question:
  Get Clients That Cannot Take Actions - Action Lock On from all machines
  For information and tasks related to overriding or turning off action locks, see Managing action locks.
- Action logs: To see the action logs for multiple endpoints through the Tanium Console, see Investigate action-related issues. To see the action log on a specific endpoint, see Tanium Client Management User Guide: Review action logs and associated files to troubleshoot actions and packages.
- Action history logs: To troubleshoot or audit actions, review action history logs. See Tanium Client Management User Guide: Review action history logs to troubleshoot or audit actions.
For issues on Tanium Cloud
- Action deployment issues: To review action scheduler logs, see Tanium Core Platform Deployment Reference Guide: Action scheduler logs.
- Download and caching issues: Review the following logs:
  If the logs indicate package download issues:
  - Review details about package files associated with the action and, if necessary, re-download the files if they are outdated. See Re-download package files.
  - Verify the validity of the certificates that the server uses when downloading packages from remote sources. Update the certificates if necessary. See Managing downloads authentication.
  If the logs indicate package caching issues, you can Manage the package file repository.
Last updated: 5/30/2023 2:36 PM