Managing action groups

Action groups define which managed endpoints are the targets for actions. You configure the targets by assigning computer groups to the action groups. Before creating, editing, reassigning, or deleting action groups, see the associated Best practices for action groups.

Action Group read permission is required to view action groups in the Administration > Actions > Action Groups page. Action Group write permission is required to create, edit, and delete action groups. The Administrator reserved role has these permissions.

Tanium Cloud provides, or the Tanium Server automatically creates, several predefined action groups and their associated computer groups as part of the Initial content that is available to all deployments.

View action groups

  1. From the Main menu, go to Administration > Actions > Action Groups.

    For each action group, the page displays the following attributes:

    • Action group ID and Name

    • Number of assigned computer groups and whether they use Boolean AND or OR combination logic (see Computer Groups). To display a tooltip that lists the computer group names, hover over the entry in the Computer Groups column for the action group.

    • User (persona) who last modified the group and when

  2. (Optional) Display action group attributes (columns) that are hidden by default, such as which users (personas) created action groups and when, by clicking Customize Columns and selecting the attributes.
  3. (Optional) Use the filters to find specific action groups:
    • Filter by text: To filter the grid by an alphanumeric string that matches an action group ID, action group Name, or computer group name, enter the string in the Filter items field.
    • Filter by attribute: Filter the grid by one or more attributes, such as ID or Name. Expand the Filters section, click Add, select an attribute and operator, enter a text string that contains all or part of the attribute value, and click Apply. If you add multiple attribute filters, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  4. (Optional) To see the RBAC visibility setting, assigned computer groups, and associated actions of an action group, click the action group Name.

Create an action group

Computer management groups and filter groups are the building blocks of action groups. Therefore, you must create the necessary computer groups (see Managing computer groups) before performing the following steps:

  1. From the Main menu, go to Administration > Actions > Action Groups and click New Group.
  2. Configure the following settings and click Save.
     Table 1: Action group settings
    Name: Enter a Name to identify the action group.
    Visibility: Select a Visibility option:
    • Only administrators can see this group: Only users with the Administrator or Content Administrator reserved role can see this action group.
    • All users can see this action group
    • Limit visibility to specific user groups: Select the User Groups that can see the action group.

    Action Group read permission overrides the Visibility setting. A user who has Action Group read and action deployment permissions can select any action group when deploying an action. A user who has Action Group read and Approve Action permissions can approve actions that target any action group. However, the computer groups that are assigned to a user still control which endpoints run an action that the user deploys to the selected action group.

    Computer Groups: Select Computer Groups and select the type of Boolean matching to apply:

    • AND: Endpoints run an action only if they are in all the computer groups that are assigned to the action group. For example, a macOS endpoint runs an action that targets an action group containing the All Computers and All Mac computer groups, but does not run an action that targets an action group containing the All Windows and All Mac computer groups.

    • OR: Endpoints run an action if they are in any of the computer groups that are assigned to the action group. For example, a macOS endpoint runs an action that targets an action group containing the All Windows and All Mac computer groups.
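
The targeting rules in Table 1, modeled as an added example (not Tanium code or a Tanium API): it resolves which endpoints run an action from the action group's AND/OR logic and the deploying user's computer groups. The inventory, endpoint names, and function names are constructed, and treating a user's assigned computer groups as a union is an assumption of this model.

```python
from dataclasses import dataclass

# Constructed inventory: computer group name -> set of member endpoint names.
COMPUTER_GROUPS = {
    "All Computers": {"mac-01", "win-01", "win-02"},
    "All Mac": {"mac-01"},
    "All Windows": {"win-01", "win-02"},
    "No Computers": set(),
}


@dataclass(frozen=True)
class ActionGroup:
    name: str
    computer_groups: tuple
    logic: str = "AND"  # "AND" or "OR", as selected in the Computer Groups setting


def action_group_members(group, inventory=COMPUTER_GROUPS):
    """Endpoints matched by the action group's Boolean combination."""
    if group.logic not in ("AND", "OR"):
        raise ValueError(f"unknown combination logic: {group.logic!r}")
    sets = [inventory[name] for name in group.computer_groups]
    if not sets:
        return set()
    combine = set.intersection if group.logic == "AND" else set.union
    return combine(*sets)


def effective_targets(group, user_computer_groups, inventory=COMPUTER_GROUPS):
    """Endpoints that run an action this user deploys to the action group.

    The Visibility setting is deliberately not an input: Action Group read
    permission overrides it, so the only remaining limit is the set of
    computer groups assigned to the deploying user (modeled here as a union).
    """
    manageable = set().union(*(inventory[g] for g in user_computer_groups))
    return action_group_members(group, inventory) & manageable
```

An empty result, as for a group that contains only No Computers, means an action deployed to that action group reaches no endpoint.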

Edit an action group

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Click the action group Name.
  3. Edit the settings that are listed in Table 1.
  4. Review the Actions associated to this Group to assess the impact of your changes and then click Save.

Edit action group assignments for scheduled actions

Reassign actions to a different action group as follows:

  1. From the Main menu, go to Administration > Actions > Scheduled Actions.
  2. Select the actions that you want to reassign.
  3. Select More > Change Group.
  4. Select the action group and click Confirm.

Export and import action groups

The following procedures describe how to export and import specific action groups or all action groups.

Develop and test custom content in your lab environment before importing that content into your production environment.

Export action groups

Export action groups as a file in one of the following formats:

  • CSV: When you open the file in an application that supports CSV format, it lists the action groups with the same attributes (columns) as the Action Groups page displays.

  • JSON: If you are assigned the Administrator reserved role, you can export action group configurations as a JSON file to import them into another Tanium Server.

Perform the following steps to export action groups:

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. (Optional, CSV exports only) To add action group IDs as a column in the CSV file, click Customize Columns in the grid and select ID. If you skip this step, the file shows only action group names.
  3. Select rows in the grid to export only specific action groups. If you want to export all action groups, skip this step.
  4. Click Export.
  5. (Optional) Edit the default export File Name.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  6. Select an Export Data option: All action groups in the grid or just the Selected action groups.
  7. Select the file Format:

    • List of Action Groups - CSV
    • Action Group Definitions - JSON (Administrator reserved role only)

  8. Click Export.

    Tanium Cloud or the Tanium Server exports the file to the downloads folder on the system that you use to access the Tanium Console.

Import action groups

Users who are assigned a role with Import Signed Content permission can import content files (such as for Tanium solutions or sensor configurations) that are in JSON format. The Administrator reserved role has this permission.

  1. (Non-Tanium-provided content only) Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.
    You do not have to generate keys or signatures for Tanium-provided solutions. Tanium signs this content before making it available, and the associated public key is distributed to the Tanium Server key store during the server installation process.

    If you plan to import a file that another user signed, you can first perform an integrity check on the file. See Verify content file signatures.

  2. From the Main menu, go to any of the following Administration pages:
    • Configuration > Solutions
    • Permissions > Filter Groups
    • Under Content, select Sensors, Packages, or Saved Questions
    • Under Actions, select Scheduled Actions, All Pending Approvals, or Actions I Can Approve
  3. Select an Import option based on the source of the content:
    • Import > Import Files: Perform one of the following steps to select one or more files:
      • Drag and drop files from your file explorer.
      • Click Browse for File, select the files, and click Open.
    • Import > Import URL: Enter the URL in the Import URL field, and click Import.
  4. For each file, expand the File name, review the content to import, and select resolutions for any conflicts with existing content (see Resolve import conflicts).
  5. If you want to overwrite existing content set assignments for all imported objects with the default Tanium-defined assignments, select Include content set overwrite. By default, the Include content set overwrite check box is deselected and the Tanium Server preserves the existing content set assignments.
  6. Click Begin Install.

Copy action group configuration details

Copy information from the Action Groups page to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy.
    • Copy cell information: Hover over the cell, click Options, and click Copy.

Delete an action group

You can delete any action group except Default and Default - All Computers. If any scheduled actions target the action group that you will delete, you can transfer those actions to another action group during the deletion workflow.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Select the action group and click Migrate and Delete.
  3. Scroll to the Actions associated to this Group grid. The next steps depend on whether any actions currently target the action group:
    • No associated actions: Scroll to the bottom of the dialog and click Delete Action Group.
    • Actions are associated:
      1. Review the Computer Groups that are assigned to the current action group to understand the impact of migrating the actions to a new action group.
      2. Select a new action group in the Migrate existing scheduled actions to selected action group dropdown list.
      3. Click Show Preview to Continue and review the affected computer groups and endpoints in the new action group.
      4. Click Transfer Actions and Delete Action Group.

Best practices for action groups

Reconfigure action groups that target No Computers

Certain action groups that you import with Initial content include only the No Computers computer group. Therefore, actions that target these action groups do not deploy to endpoints until you perform one of the following tasks:

For actions that target the Default action group (which includes only No Computers), the best practice is to change the action group assignments instead of reconfiguring Default.

As a best practice for weekly maintenance, review any actions that target the Default action group and, if appropriate, assign different action groups. See Tanium Maintenance User Guide: Review and update actions that target No Computers.

Define a specific use for each action group

Action groups comprise one or more computer management groups. You can create an action group for a particular event and add computer groups over time: first a test group, then groups that are based on operating system or region.

Limit access to edit action groups

Coordinate changes you make to the action groups configuration with all affected administrators. An administrator might have configured scheduled actions that target the set of computers that belong to the action group as it existed when the scheduled action was last configured.

Minimize action group complexity

When Tanium Cloud or the Tanium Server issues a recurring action, action groups with long and complex targeting conditions use more resources and network traffic than groups with short and simple conditions. To reduce resource usage and traffic, minimize the number of computer groups associated with each action group, and keep the definitions of those computer groups as simple as possible. Contact Tanium Support for options to simplify computer groups.