Managing action groups

You use action groups to define which managed endpoints are the targets for actions. Before creating, editing, or deleting action groups, see the associated Best practices.

In Tanium Core Platform 7.1 and later, the default definition for the action group named Default includes the wildcard group named No Computers. This means that actions that target the Default action group have no impact. In previous releases, the Default action group included the wildcard group named All Computers. The previous behavior enabled deploying many Tanium™ content packages to a wide set of endpoints. Tanium changed the Default definition in version 7.1 to force users to manage action groups before issuing actions to Tanium Clients.

Read Action Group (micro admin) permission is required to view action groups in the Actions > Scheduled Actions page. Write Action Group (micro admin) permission is required to create, edit, and delete action groups. The Administrator reserved role has these permissions.

Create an action group

Computer management groups and filter groups are the building blocks of action groups. Therefore, you must create the necessary computer groups (see Managing computer groups) before performing the following steps:

  1. Go to Actions > Scheduled Actions.
  2. Click New Group to display the configuration page.
  3. Specify a Name and Visibility option, and select Computer Groups. You can combine the sets of computers using a Boolean AND or Boolean OR.
  4. Click Save.

Edit an action group

  1. Go to Actions > Scheduled Actions.
  2. Select the action group in the left pane.

    The console displays the group details in the right pane.

  3. Click Edit to display the configuration page.

Change the action group assignment

  1. Go to Actions > Scheduled Actions.
  2. Click a row in the grid to select the action you want to change.
  3. Click More > Change Group.
  4. Select the action group and click Confirm.

Delete an action group

  1. Go to Actions > Scheduled Actions.
  2. Select the action group in the left pane and click one of the following buttons. Both buttons open a dialog that displays the action group details so that you can evaluate the impact of deleting.
    • Delete: This button appears if the action group has no existing scheduled actions. Click Delete Action Group to proceed.
    • Migrate and Delete: This button appears if the action group has existing scheduled actions. When the Action Group dialog opens, select another action group in the Migrate existing scheduled actions to below selected action group drop-down list. Click Show Preview to Continue to review the endpoints that are currently included in the action group to which you will migrate actions (Preview section). Also review the Actions associated to this Action Group. After assessing the impact, click Transfer Actions and Delete Action Group.

Best practices

Move Tanium actions to their own group

The Tanium™ Default Content and Tanium™ Client Maintenance content packs and other Tanium solutions include scheduled actions to ensure the endpoints have the tools needed to perform the functions in the sensors and packages deployed. You must reissue these scheduled actions to all endpoints to catch any new endpoints that do not have Tanium installed, endpoints that were rebuilt or had Tanium uninstalled, or virtual desktop infrastructure (VDI) endpoints that refresh on a regular basis. After the initial deployment, create an action group that includes All Computers, and move the Default Content and Client Maintenance scheduled actions to this new group.

Define specific use for each action group

Action groups comprise one or more computer management groups. You can create an action group for a particular event and add computer groups over time: first a test group, then operating system-type groups or region groups.

Limit access to edit action groups

Coordinate changes you make to the action groups configuration with all affected administrators. An administrator might have configured scheduled actions that target the set of computers that belong to the action group as it existed when the scheduled action was last configured.

Minimize action group complexity

When the Tanium Server issues a recurring action, action groups with long and complex targeting conditions use more resources and network traffic than groups with short and simple conditions. To reduce resource usage and traffic, minimize the number of computer groups associated with each action group, and keep the definitions of those computer groups as simple as possible. Consult your Technical Account Manager (TAM) for options to simplify computer groups.