Managing action groups

Action groups define which managed endpoints are the targets for actions. Before creating, editing, or deleting action groups, see the associated Best practices for action groups.

When you issue an action, the default target is the Default - All Computers action group. This action group is pre-configured to include only the All Computers computer group, but you can edit the configuration.

The Default action group is pre-configured to include only the No Computers computer group. This means that Tanium Cloudthe Tanium Server does not deploy actions to any endpoints if those actions target the Default action group. When you import content packs onto the Tanium Server, some packs (such as Tanium™ Core Content) include scheduled actions (such as Distribute Hardware Tools) that target the Default action group. To deploy those actions to endpoints, you must change their targeted action group. For details, see Move Tanium actions to their own group.

Action Group read permission is required to view action groups in the Administration > Actions > Action Groups page. Action Group write permission is required to create, edit, and delete action groups. The Administrator reserved role has these permissions.

View action groups

  1. From the Main menu, go to Administration > Actions > Action Groups.

    The page displays the ID and Name of each action group.

  2. (Optional) Use the filters to find specific action groups:
    • Filter by text: To filter the grid by ID or Name values, enter a text string in the Filter items field.
    • Filter by attribute: Filter the grid by one or more attributes, such as ID or Name. Expand the ExpandFilters section, click Add Add, select an attribute and operator, enter a text string that contains all or part of the attribute value, and click Apply. If you add multiple attribute filters, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  3. (Optional) To see the RBAC visibility setting, assigned computer groups, and associated actions of an action group, click the action group Name.

Create an action group

Computer management groups and filter groups are the building blocks of action groups. Therefore, you must create the necessary computer groups (see Managing computer groups) before performing the following steps:

  1. From the Main menu, go to Administration > Actions > Action Groups and click New Group.
  2. Configure the following settings and click Save.
     Table 1: Action group settings
    NameEnter a Name to identify the action group.
    VisibilitySelect a Visibility option:
    • Only administrators can see this group: Only users with the Administrator or Content Administrator reserved role can see this action group.
    • All users can see this action group
    • Limit visibility to specific user groups: Select the User Groups that can see the action group.

    Action Group read permission overrides the Visibility setting. A user who has Action Group read and action deployment permissions can select any action group when deploying an action. A user who has Action Group read and Approve Action permissions can approve actions that target any action group. However, the computer groups that are assigned to a user still control which endpoints run an action that the user deploys to the selected action group.

    Computer GroupsSelect Computer Groups and select the Boolean AND or OR matching.

Edit an action group

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Click the action group Name.
  3. Edit the settings that are listed in Table 1.
  4. Review the Actions associated to this Group to assess the impact of your changes and then click Save.

Change the action group assignment

Reassign actions to a different action group as follows:

  1. From the Main menu, go to Administration > Actions > Scheduled Actions.
  2. Select the actions that you want to reassign.
  3. Select More > Change Group.
  4. Select the action group and click Confirm.

Export and import action groups

The following procedures describe how to export and import specific action groups or all action groups.

Develop and test content in your lab environment before importing that content into your production environment.

Export action groups

Export action groups as a file in one of the following formats:

  • CSV: When you open the file in an application that supports CSV format, it lists the action groups with the same attributes (columns) as the Action Groups page displays.

  • JSON: If you are assigned the Administrator reserved role, you can export action group configurations as a JSON file to import them into another Tanium Server.

Perform the following steps to export action groups:

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. (Optional, CSV exports only) To add action groups IDs as a column in the CSV file, click Customize Columns Customize Columns in the grid and select ID. If you skip this step, the file show only action group names.
  3. Select rows in the grid to export only specific action groups. If you want to export all action groups, skip this step.
  4. Click Export Export.
  5. (Optional) Edit the default export File Name.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  6. Select an Export Data option: All action groups in the grid or just the Selected action groups.
  7. Select the file Format: JSON (Administrator reserved role only) or CSV

  8. Click Export.

    Tanium CloudThe Tanium Server exports the file to the downloads folder on the system that you use to access the Tanium Console.

Import action groups

Users who are assigned the Administrator reserved role can import content files that are in JSON or XML format.

  1. (Non-Tanium-provided content only) Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.

    You do not have to generate keys or signatures for Tanium-provided solutions, such as the Default Computer Groups content pack. Tanium signs this content before making it available, and the associated public key is distributed to the Tanium Server key store during the server installation process.

  2. From the Main menu, go to any of the following Administration pages:
    • Configuration > Solutions
    • Permissions > Filter Groups
    • Under Content, select Sensors, Packages, or Saved Questions
    • Under Actions, select Scheduled Actions, All Pending Approvals, or Actions I Can Approve
  3. Select an Import option based on the source of the content:
    • Import > Import Files: Perform one of the following steps to select one or more files:
      • Drag and drop files from your file explorer.
      • Click Browse for File, select the files, and click Open.
    • Import > Import URL: Enter the URL in the Import URL field, and click Import.
  4. For each file, expand Expand the File name, review the content to import, and select resolutions for any conflicts with existing content (see Resolve conflicts when importing updates).
  5. If you want to overwrite existing content set assignments for all imported objects with the default Tanium-defined assignments, select Include content set overwrite. By default, the Include content set overwrite check box is deselected and the Tanium Server preserves the existing content set assignments.
  6. Click Begin Install.

Copy action group configuration details

Copy information from the Action Groups page to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy Copy.
    • Copy cell information: Hover over the cell, click Options Options, and click Copy Copy.

Delete an action group

You can delete any action group except Default and Default - All Computers. If any scheduled actions target the action group that you will delete, you can transfer those actions to another action group during the deletion workflow.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Select the action group and click Migrate and Delete.
  3. Scroll to the Actions associated to this Group grid. The next steps depend on whether any actions currently target the action group:
    • No associated actions: Scroll to the bottom of the dialog and click Delete Action Group.
    • Actions are associated:
      1. Review the Computer Groups that are assigned to the current action group to understand the impact of migrating the actions to a new action group.
      2. Select a new action group in the Migrate existing scheduled actions to selected action group drop-down list.
      3. Click Show Preview to Continue and review the affected computer groups and endpoints in the new action group.
      4. Click Transfer Actions and Delete Action Group.

Best practices for action groups

Move Tanium actions to their own group

When you sign in to the Tanium Console for the first time after installing the Tanium Server, the server imports certain scheduled actions that target the Default action group, which specifies the No Computers computer group by default. This means that the Tanium Server does not deploy these actions to any endpoints. To see the list of these actions, go to Administration > Actions > Scheduled Actions and click Default in the Action Groups panel. These scheduled actions distribute tools that endpoints need to perform functions for certain core sensors and packages. You must periodically deploy the actions to all endpoints to account for any that did not yet receive the action, such as:

  • Endpoints that were introduced to your network after the last time the Tanium Server deployed the actions
  • Rebuilt endpoints
  • Endpoints on which the tools were uninstalled
  • Virtual desktop infrastructure (VDI) endpoints that periodically refresh

To deploy the actions to endpoints, perform one of the following steps:

  • (Best practice) When you first install Tanium modules and shared services, perform the Tanium Recommended Installation workflow: see Import all modules and services. As part of the workflow, the Tanium Server automatically sets the Default - All Computers action group as the target for all scheduled actions that previously targeted the Default action group. Five minutes after performing this transition, the server automatically deploys those re-targeted scheduled actions.
  • If you did not perform the Tanium Recommended Installation workflow, manually change the targeted action group to Default - All Computers for the scheduled actions that currently target the Default action group.

Define a specific use for each action group

Action groups comprise one or more computer management groups. You can create an action group for a particular event and add computer groups over time: first a test group, then groups that are based on operating system or region.

Limit access to edit action groups

Coordinate changes you make to the action groups configuration with all affected administrators. An administrator might have configured scheduled actions that target the set of computers that belong to the action group as it existed when the scheduled action was last configured.

Minimize action group complexity

When Tanium Cloudthe Tanium Server issues a recurring action, action groups with long and complex targeting conditions use more resources and network traffic than groups with short and simple conditions. To reduce resource usage and traffic, minimize the number of computer groups associated with each action group, and keep the definitions of those computer groups as simple as possible. Contact Tanium Support for options to simplify computer groups.