Managing action groups

Action groups define which managed endpoints are the targets for actions. Before creating, editing, or deleting action groups, see the associated Best practices.

When you issue an action, the default target is the Default - All Computers action group. This action group is pre-configured to include only the All Computers computer group, but you can edit the configuration.

The Default action group is pre-configured to include only the No Computers computer group. This means that the Tanium Server does not deploy actions to any endpoints if those actions target the Default action group. When you import content packs onto the Tanium Server, some packs (such as Taniumâ„¢ Core Content) include scheduled actions (such as Distribute Hardware Tools) that target the Default action group. To deploy those actions to endpoints, you must change their targeted action group. For details, see Move Tanium actions to their own group.

Read Action Group permission is required to view action groups in the Administration > Actions > Action Groups page. Write Action Group permission is required to create, edit, and delete action groups. The Administrator reserved role has these permissions.

View action groups

  1. From the Main menu, go to Administration > Actions > Action Groups.

    The page displays the ID and Name of each action group.

  2. (Optional) Use the filters to find specific action groups:
    • Filter by text: To filter the grid by ID or Name values, enter a text string in the Filter items field.
    • Filter by attribute: Filter the grid by one or more attributes, such as ID or Name. Expand the ExpandFilters section, click Add Add, select an attribute and operator, enter a text string that contains all or part of the attribute value, and click Apply. If you add multiple attribute filters, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  3. (Optional) To see the RBAC visibility setting, assigned computer groups, and associated actions of an action group, click the action group Nameselect the action group and click Edit Edit.

Create an action group

Computer management groups and filter groups are the building blocks of action groups. Therefore, you must create the necessary computer groups (see Managing computer groups) before performing the following steps:

  1. From the Main menu, go to Administration > Actions > Action Groups and click New Group.
  2. Configure the following settings and click Save.
     Table 1: Action group settings
    NameEnter a Name to identify the action group.
    VisibilitySelect a Visibility option:
    • Only administrators can see this group: Only users with the Administrator or Content Administrator reserved role can see this action group.
    • All users can see this action group
    • Limit visibility to specific user groups: Select the User Groups that can see the action group.
    Computer GroupsSelect Computer Groups and select the Boolean AND or OR matching.

Edit an action group

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Click the action group Name Select the action group and click Edit .
  3. Edit the settings that are listed in Table 1.
  4. Review the Actions associated to this Group to assess the impact of your changes and then click Save.

Change the action group assignment

Reassign actions to a different action group as follows:

  1. From the Main menu, go to Administration > Actions > Scheduled Actions.
  2. Select the actions that you want to reassign.
  3. Select More > Change Group.
  4. Select the action group and click Confirm.

Export and import action groups

The following procedures describe how to export and import the configurations of specific action groups or all action groups.

Develop and test content in your lab environment before importing that content into your production environment.

Export action groups

Export action groups as a CSV file to view their settings in an application that supports that format. If you have the Administrator reserved role, you can also export action groups as a JSON file to import them into another Tanium Server.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Select rows in the grid to export only specific action groups. If you want to export all action groups, skip this step.
  3. Click Export Export.
  4. (Optional) Edit the default export File Name.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  5. Select an Export Data option: All action groups in the grid or just the Selected action groups.
  6. Select the file Format: JSON (Administrator reserved role only) or CSV.
  7. Click Export.

    TaaSThe Tanium Server exports the file to the downloads folder on the system that you use to access the Tanium Console.

Import action groups

You can import content files that are in JSON or XML format.

  1. Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.
  2. From the Main menu, go to Administration > Configuration > Solutions.
  3. Scroll to the Content section and click Import Import Content.
  4. Click Choose File, select the content file, and click Open.
  5. Click Import.

    If object names in the file are the same as for existing objects, the Tanium Console itemizes the conflicts and provides resolution options for each one.

  6. Select resolutions for any conflicts. For guidance, see Conflicts and Best practices.
  7. Click Import again, and click Close when the import finishes.

Copy action group configuration details

Copy information from the Action Groups page to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy Copy.
    • Copy cell information: Hover over the cell, click Options Options, and click Copy Copy.

Delete an action group

You can delete any action group except Default and Default - All Computers. If any scheduled actions target the action group that you will delete, you can transfer those actions to another action group during the deletion workflow.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Select the action group and click Migrate and Delete.
  3. Scroll to the Actions associated to this Group grid. The next steps depend on whether any actions currently target the action group:
    • No associated actions: Scroll to the bottom of the dialog and click Delete Action Group.
    • Actions are associated:
      1. Review the Computer Groups that are assigned to the current action group to understand the impact of migrating the actions to a new action group.
      2. Select a new action group in the Migrate existing scheduled actions to selected action group drop-down list.
      3. Click Show Preview to Continue and review the affected computer groups and endpoints in the new action group.
      4. Click Transfer Actions and Delete Action Group.

Best practices

Move Tanium actions to their own group

When you sign in to the Tanium Console for the first time after installing the Tanium Server, the server imports certain scheduled actions that target the Default action group, which specifies the No Computers computer group by default. This means that the Tanium Server does not deploy these actions to any endpoints. To see the list of these actions, go to Administration > Actions > Scheduled Actions and click Default in the Action Groups panel. These scheduled actions distribute tools that endpoints need to perform functions for certain core sensors and packages. You must periodically deploy the actions to all endpoints to account for any that did not yet receive the action, such as:

  • Endpoints that were introduced to your network after the last time the Tanium Server deployed the actions
  • Rebuilt endpoints
  • Endpoints on which the tools were uninstalled
  • Virtual desktop infrastructure (VDI) endpoints that periodically refresh

To deploy the actions to endpoints, perform one of the following steps:

  • (Best practice) When you first install Tanium modules and shared services, perform the Install with Recommended Configurations workflow: see Import and (optionally) configure the latest versions of all modules. As part of the workflow, the Tanium Server automatically sets the Default - All Computers action group as the target for all scheduled actions that previously targeted the Default action group. Five minutes after performing this transition, the server automatically deploys those re-targeted scheduled actions.
  • If you did not perform the Tanium Recommended Installation workflow, manually create an action group that includes the All Computers computer group and change the targeting for the scheduled actions that currently target the Default action group.

Define a specific use for each action group

Action groups comprise one or more computer management groups. You can create an action group for a particular event and add computer groups over time: first a test group, then groups that are based on operating system or region.

Limit access to edit action groups

Coordinate changes you make to the action groups configuration with all affected administrators. An administrator might have configured scheduled actions that target the set of computers that belong to the action group as it existed when the scheduled action was last configured.

Minimize action group complexity

When TaaSthe Tanium Server issues a recurring action, action groups with long and complex targeting conditions use more resources and network traffic than groups with short and simple conditions. To reduce resource usage and traffic, minimize the number of computer groups associated with each action group, and keep the definitions of those computer groups as simple as possible. Contact Tanium Support for options to simplify computer groups.