Actions overview

After you use Tanium Interact to issue a question, analyze the question results, and determine which endpoints require administrative action, you can deploy an action to those endpoints so that the Tanium Client can run the associated package (see Managing packages). In a Tanium deployment, a package comprises a command, a script, and any related files required to execute an action on a managed endpoint. For example, the package named Clean Stale Tanium Client Data includes a Windows command-line command that executes a Visual Basic Script to remove stale data from the Tanium Client directory and safely kill any stale sensor or action processes. Tanium Cloud or the Tanium Server distributes package files to endpoints based on their Tanium Client linear chains (see Tanium Client Management User Guide: File distribution). The endpoints store all package files for an action in the <Tanium_Client>/Downloads/Action_<ID> folder, where <ID> is the action identifier. When the action runs, it generates status indicators that you can monitor in the Tanium Console (see View action status) and generates client-side logs that you can use to troubleshoot failures (see Tanium Client Management User Guide: Review action logs and associated files to troubleshoot actions and packages).

For the user role permissions required to manage actions, see Action management permissions.

Action concepts and terminology

Action group

Action groups are designed to target actions so that the Tanium Server issues them only to appropriate computer management groups. For example, you can create a computer group for Windows computers and then an action group that targets that computer group. When you configure scheduled actions to deploy packages that use Windows commands, you can specify that the server issues the action only to the action group for Windows commands. For details and related procedures, see Managing action groups.

Action lock

Action locks prevent actions from running on an endpoint. You might want to deploy action locks if, for example, you encounter unexpected behavior on endpoints and want to suspend actions during debugging. For details and related procedures, see Managing action locks.

Scheduled action

Scheduled actions are actions that the Tanium Server issues based on a configurable schedule. Scheduled actions have a start time that specifies when the server first issues the action and an optional reissue interval that specifies the frequency at which the server reissues the action. Scheduled actions also have an optional end time, after which the server stops reissuing the action regardless of the reissue interval. Scheduled actions are most often used to enforce policy or ensure good cyber hygiene in an environment. For example, the Tanium™ Default Content pack contains several scheduled actions that periodically update tooling on endpoints, verify configuration settings are in place, and maintain the overall health of Tanium Clients in your deployment. For details and related procedures, see Manage scheduled actions.

Policy action

Policy actions are scheduled actions that are based on saved questions instead of dynamic questions. They are useful for ensuring that endpoints comply with policies. For example, if your organization requires all Windows endpoints to have restricted permissions on the Tanium Client installation directory, you can schedule an action to restrict permissions based on the following saved question:

Get Tanium Client Directory Permissions equals Not Restricted from all machines with ( Tanium Client Directory Permissions equals Not Restricted and Is Windows equals True ).

The from clause ensures that only endpoints that match the question condition return results. At each action interval, the Tanium Server performs the following steps:

  1. Evaluate whether the results exceed the question expiration period (10 minutes). If no, the server uses the results that it cached the last time it issued the question. If yes, it reissues the question to collect new results.

  2. Evaluate the results to determine whether any endpoints match the question condition and belong to computer management groups that are assigned to the question owner:
    • Yes: The server deploys the action to the targeted action group. However, a policy action conserves network bandwidth and endpoint resources because endpoints download the required packages and perform the actions only if they match the question condition and belong to the computer management groups that are assigned to the action owner. In the example question, only Windows endpoints with open permissions on the Tanium Client installation directory match the condition, and therefore only those endpoints download the required package Client Service Hardening - Set SYSTEM only permissions on Tanium Client directory and run the action to restrict permissions.
    • No: The action does not deploy.

The Tanium Server does not deploy a policy action to endpoints that were offline when it issued the saved question and that then come online while the action is in progress.

If you delete a saved question, the Tanium Server continues reissuing it for any actions that use the question and continues recording the question in the Question History log (see Administration > Actions > Action History).
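The interval logic above (cached results reused for 10 minutes, deployment only when some endpoint matches, endpoints evaluating the condition locally before running the package, and endpoints that were offline at question time never being targeted) is easy to misread, so here is an added model of it in Python. This is example code written for this page, not Tanium code; the endpoint names, computer groups, timestamps and the PolicyActionScheduler class are constructed. It also exercises the scheduled-action fields from the earlier section (Start At, Re-issue every, End At) and the action-lock behaviour described under Action lock and Troubleshoot actions (a locked endpoint skips the action unless the package has Ignore action lock enabled).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

QUESTION_EXPIRY = timedelta(minutes=10)   # question expiration period stated on the page


@dataclass
class Endpoint:                           # constructed endpoint model
    name: str
    is_windows: bool
    dir_permissions: str                  # "Restricted" or "Not Restricted"
    computer_groups: set
    online: bool = True
    action_locked: bool = False           # an action lock is deployed on this endpoint
    ran_actions: list = field(default_factory=list)


@dataclass
class PolicyAction:                       # constructed scheduled (policy) action model
    action_id: int
    owner_groups: set                     # computer management groups assigned to the action owner
    start_at: datetime
    reissue_every: timedelta
    end_at: datetime
    ignore_action_lock: bool = False      # package option "Ignore action lock"


@dataclass
class QuestionResults:
    issued_at: datetime
    answered: set                         # endpoints online when the question was issued
    matched: set                          # answered endpoints matching condition and owner groups


def matches_condition(ep):
    # Saved question: Tanium Client Directory Permissions equals Not Restricted and Is Windows equals True
    return ep.is_windows and ep.dir_permissions == "Not Restricted"


def issue_times(action):
    """Start At, then every Re-issue interval, until End At (inclusive)."""
    t = action.start_at
    while t <= action.end_at:
        yield t
        t += action.reissue_every


class PolicyActionScheduler:              # hypothetical stand-in for the server-side logic
    def __init__(self, endpoints):
        self.endpoints = endpoints
        self.cache = None
        self.questions_issued = 0

    def results(self, action, now):
        # Step 1: reuse cached results unless they are older than the expiration period
        if self.cache is None or now - self.cache.issued_at > QUESTION_EXPIRY:
            answered = {ep.name for ep in self.endpoints if ep.online}
            matched = {ep.name for ep in self.endpoints if ep.online
                       and matches_condition(ep) and ep.computer_groups & action.owner_groups}
            self.cache = QuestionResults(now, answered, matched)
            self.questions_issued += 1
        return self.cache

    def run_interval(self, action, now):
        """Step 2: deploy only if any endpoint matched; return names that ran the package."""
        res = self.results(action, now)
        if not res.matched:
            return []                     # No: the action does not deploy
        ran = []
        for ep in self.endpoints:
            if ep.name not in res.answered:
                continue                  # offline when the question was issued: not targeted
            if not (ep.computer_groups & action.owner_groups) or not ep.online:
                continue
            if ep.action_locked and not action.ignore_action_lock:
                continue                  # action lock blocks the action
            if not matches_condition(ep):
                continue                  # endpoint checks the condition before running the package
            ep.dir_permissions = "Restricted"   # effect of the hardening package
            ep.ran_actions.append((action.action_id, now))
            ran.append(ep.name)
        return ran


def make_fleet():                         # constructed sample fleet
    return [
        Endpoint("win-01", True, "Not Restricted", {"Windows Workstations"}),
        Endpoint("win-02", True, "Restricted", {"Windows Workstations"}),
        Endpoint("lnx-01", False, "Not Restricted", {"Linux Servers"}),
        Endpoint("win-03", True, "Not Restricted", {"Lab"}),              # outside owner's groups
        Endpoint("win-04", True, "Not Restricted", {"Windows Workstations"}, online=False),
        Endpoint("win-05", True, "Not Restricted", {"Windows Workstations"}, action_locked=True),
    ]


HARDEN = PolicyAction(1, {"Windows Workstations"},
                      datetime(2024, 1, 1), timedelta(days=1), datetime(2024, 1, 3))


def simulate_recurring():
    """Daily reissue for three days; win-04 comes online after the first interval."""
    fleet, sched, log = make_fleet(), None, {}
    sched = PolicyActionScheduler(fleet)
    for i, t in enumerate(issue_times(HARDEN)):
        if i == 1:
            fleet[4].online = True
        log[t.date().isoformat()] = sched.run_interval(HARDEN, t)
    return log, sched.questions_issued


def simulate_cached_results():
    """Within 10 minutes the cached results are reused, so a newly online endpoint is not targeted."""
    fleet = make_fleet()
    sched = PolicyActionScheduler(fleet)
    t0 = HARDEN.start_at
    first = sched.run_interval(HARDEN, t0)
    fleet[4].online = True                # win-04 comes online 5 minutes later
    second = sched.run_interval(HARDEN, t0 + timedelta(minutes=5))    # cache reused
    third = sched.run_interval(HARDEN, t0 + timedelta(minutes=15))    # expired: question reissued
    return first, second, third, sched.questions_issued
```

In the daily run, win-01 is hardened on day one, win-04 (offline on day one) on day two, and win-05 never runs because of its action lock; in the short run, win-04 is only picked up once the cached results expire and the question is reissued.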

Action approval

Some organizations have policies that require an approval process for deploying actions. When action approval is enabled, the signed-in user who deploys the scheduled action cannot also approve it. The action is on hold until another user approves it. The approving user must have a role with Approve Action and Sensor read permissions. For scheduled actions, the approval remains in force until the scheduled end date of the action or until a user edits the action configuration. For details and related procedures, see Managing action approval.

Action deployment overview

To optimize action deployment, configure platform settings, content, and role-based access control (RBAC) before users start deploying actions. Monitoring action status and history is also important to ensure that actions continue to have the expected effect. The three stages of action deployment are:

  1. Administrative setup for actions:

    1. Review and, if necessary, edit global settings for actions.

    2. Review and, if necessary, customize the content for deploying actions, such as sensors and packages.

    3. Configure RBAC for actions.

    4. Configure authentication for package downloads if necessary.

  2. Configure and deploy actions:

    1. Issue a question to identify the endpoints that require the action.

    2. Configure action settings.

    3. Approve the action if approval is required before deployment.

  3. Monitor actions:

    1. Review action status and history.

    2. Troubleshoot actions if issues occur during deployment.

Administrative setup for actions

Typically, you perform the following tasks once as part of the initial setup of a Tanium deployment. However, you might repeat some tasks if an environment changes. For example, you might update RBAC configurations to reflect changes to roles and personnel in an organization.

Tanium provides several predefined scheduled actions, such as Distribute Hardware Tools. You can review these actions on the Administration > Actions > Scheduled Actions page. The Tanium Server automatically imports several predefined actions with the Default Content pack and imports other actions when you add or import certain modules or shared services to your Tanium license. You can manually import content packs that contain additional predefined actions. See Managing Tanium solutions.

Actions in the Default Content pack typically target the predefined action groups Default – All Computers or Default, which specifies the No Computers computer group. To change the computer groups that these and other predefined action groups target, see Edit an action group.

Perform the following tasks to set up action deployment:

  1. Review and, if necessary, edit global settings that affect action deployment.

    1. From the Main menu, go to Administration > Configuration > Settings > Platform Settings to assess whether the default values of the following global settings suffice for your Tanium deployment. Update any settings that require custom values.

      On the Platform Settings page, click Expand to see the full description of a setting.

      • Require Action Approval and Bulk Approval: Enable action approval if your organization implements two-person integrity. These settings are disabled by default. See Enable or disable action approval.

      • Action Target Estimate Minimum: After you issue a question to identify endpoints that require an action, you cannot deploy the action until the percentage of responding endpoints reaches the estimated percentage. The default is 20%. See Configure and deploy actions.

      • Prompt Estimate Threshold: When you click Deploy Action in the Action Deployment page, if the number of affected endpoints exceeds the threshold, the Tanium Console prompts you to confirm the deployment before proceeding. The default is 100. See Configure and deploy actions.

      • Run Commands in Process Group: Enables you to control whether package commands run in a process group. This setting is disabled by default. See Launch this package in a process group.

      • Restricted Targeting: Sets the No Computers computer group as the action group target during initial configuration of Tanium solutions. This setting is disabled by default. See Tools deployment.

    2. Review the following advanced global settings to assess whether their default values suffice for your Tanium deployment. These settings control the maximum size of the cache that the Tanium Client uses to store file chunks for packages and client API downloads. See Tanium Client Management User Guide: Chunk caching. Update any settings that require custom values.
      • ClientCacheLimitInMB: Controls the absolute amount of disk space that a client can use for caching chunks. The value is in megabytes (MB) and the default is 100. Installing Tanium™ Deploy or Tanium™ Patch automatically sets the value to 2,048 MB.

        If you use Tanium to distribute large files and packages, set the value to 2,048 MB.

      • ClientCachePercentageCapTimes100: Controls the maximum percentage of free disk space that a client can use for caching chunks. Multiply the target percentage by 100 to determine the value. For example, the default value 1000 specifies that the cache limit is 10% of free disk space. If you change the value, the client checks the free disk space and adjusts the cache size only when you restart the client or wait for the next client reset interval, which by default is a random interval in the range of 2 to 6 hours.

      The Tanium Console does not display these advanced settings until a user adds them. Adding these settings is necessary only if non-default values are required. In an environment where actions deploy large files, such as for software installations or operating system (OS) patches, you might have to increase the cache limit and percentage. If each setting applies a different cache limit on a client, the client enforces whichever setting specifies a lower limit. See Manage advanced settings.

      Because these are global settings, they apply to all Tanium Clients. However, you can override the settings for specific clients. For example, you might have critical assets that need more resources for running non-Tanium processes, or assets with very limited resources such as virtual desktop infrastructure (VDI) endpoints. To override the global settings for cache size, configure the settings locally on specific clients. See Tanium Client Management User Guide: Tanium Client CLI and client settings.
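The interaction between the two cache settings (an absolute MB limit, a percentage-of-free-disk cap expressed as percent × 100, and the client enforcing whichever is lower) is where sizing mistakes usually happen, so here is an added Python helper that works it out for a given client. This is example code for this page, not Tanium code; the free-disk figures are constructed and the function names are hypothetical. The defaults (100 MB and 1000, that is, 10%) are the ones stated above.

```python
DEFAULT_CACHE_LIMIT_MB = 100          # ClientCacheLimitInMB default stated on the page
DEFAULT_CACHE_PCT_CAP_X100 = 1000     # ClientCachePercentageCapTimes100 default: 10% of free disk


def cap_value_for_percent(percent):
    """Convert a target percentage of free disk into the ClientCachePercentageCapTimes100 value."""
    return int(round(percent * 100))


def effective_cache_limit_mb(free_disk_mb, settings=None):
    """Return (enforced_limit_mb, name_of_bounding_setting) for one client.

    settings: dict of the advanced global settings (or per-client overrides); a missing
    key means the setting was never added in the console, so the default applies.
    """
    settings = settings or {}
    absolute_mb = settings.get("ClientCacheLimitInMB", DEFAULT_CACHE_LIMIT_MB)
    cap_x100 = settings.get("ClientCachePercentageCapTimes100", DEFAULT_CACHE_PCT_CAP_X100)
    percentage_mb = free_disk_mb * cap_x100 / 10000       # cap_x100 / 100 gives percent, / 100 again gives fraction
    # The client enforces whichever setting yields the lower limit.
    if percentage_mb < absolute_mb:
        return percentage_mb, "ClientCachePercentageCapTimes100"
    return absolute_mb, "ClientCacheLimitInMB"


def size_check(clients, settings=None):
    """Constructed fleet review: flag clients whose enforced cache is below the absolute limit,
    which is what happens on low-free-disk endpoints such as VDI images."""
    report = {}
    for name, free_mb in clients.items():
        limit, bound_by = effective_cache_limit_mb(free_mb, settings)
        report[name] = {"limit_mb": limit, "bound_by": bound_by}
    return report


if __name__ == "__main__":
    patch_settings = {"ClientCacheLimitInMB": 2048}       # value Deploy/Patch installation sets
    print(size_check({"file-srv-01": 400_000, "vdi-07": 5_000}, patch_settings))
```

With the 2,048 MB limit set, a server with 400 GB free is bound by the absolute limit, while a VDI image with 5 GB free is bound by the 10% cap and gets only 500 MB; that is the case where a per-client override of the percentage cap is worth considering.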

  2. Review the content that is required for action deployment. If the predefined content does not suffice, create customized versions of:

    • Content sets: Content sets contain the content that you create. When you configure user roles for action deployment, you assign permissions to content sets to control which content users can access. For example, if you create a package that updates files on data center servers, you can assign it to a content set for which access is restricted to users who have a role that allows data center file management. See Managing content sets.

    • Packages: A package configuration includes settings, a command, a script, and any other files that are needed to orchestrate an action on an endpoint. For example, you might create a package that updates a specific file to a specific version. See Managing packages.

    • Sensors and saved questions: You use sensors and saved questions to identify the endpoints that require action. For example, you might create a saved question with the File Version sensor to identify which endpoints have a particular version of a file. You organize the questions into dashboards and organize the dashboards into categories. See Managing sensors and Managing saved questions.

    • Filter groups: You use filter groups to filter the questions and question results on which actions are based. For example, you might create a filter group that contains only the endpoints in a data center. You can also use filter groups as the building blocks of action groups for targeting specific endpoints. See Managing filter groups.

    Do not edit content that is provided through Tanium content packs; create custom content instead. For details, see Tip 4: Limit customizations to Tanium content.

    Test custom content in a lab environment before using it in a production environment.

    Figure 1: Content for action deployment
    Figure 2: Content for action deployment
  3. Configure RBAC for users who deploy actions:
    1. Configure roles for administering, deploying, and (optionally) approving actions. See Managing roles and Action management permissions. Figure 3 shows action-related permissions.

      Users cannot approve their own actions. However, you can assign the Bypass Action Approval permission to a role to enable certain users to deploy actions without requiring approval. You must create a custom role if you want any users to have the bypass ability because no predefined role has that permission.

      The following permissions control access to the pages from which users deploy actions:

      • Interact module permissions: Controls access to Interact module pages from which users issue dynamic or saved questions and deploy actions based on the results. The Ask Dynamic Questions permission also controls access to the Explore Data field on the Tanium Home page. See Interact module permissions.
      • Package read permission: Controls access to the Packages page, from which users can select a package to deploy through an action.
      • Client Status read permission: Controls access to the Client Status page, where users can select endpoints to target for actions. Users typically use this page to troubleshoot connectivity issues for Tanium Clients.

      The following predefined roles provide action-related permissions but also other permissions. If you want action users to have a more limited range of permissions than what these roles provide, create custom roles.

      • Interact Power User: This module role has all the permissions to deploy actions but not to approve actions or bypass action approval. See Interact module permissions.
      • Administrator: This reserved role has all the action administration and deployment permissions but does not have permissions to approve actions or bypass action approval. See Administrator reserved role.
      Figure 3: Role permissions for action users

      After you deploy an action, you can display action log records to investigate issues related to the action. To display the records, you require Read Sensor permission on the Client Management content set. See View action status and settings.

    2. Review the predefined action groups and computer groups to assess whether they suffice for action targeting. Configure custom groups if necessary.

      Action groups control which endpoints users can target for actions. Computer management groups and filter groups are the building blocks of action groups. See Managing computer groups and Managing action groups.

      Figure 4: Computer groups and action groups
    3. Assign the roles and computer groups to the user groups, user accounts, or personas of users who will deploy, approve, or administer actions. See:

      Figure 5: Personas, user groups, and users
  4. Configure downloads authentication if the Tanium Server must establish trust with remote sources from which it downloads package files for actions. For example, Tanium™ Patch downloads patches from repositories such as the Red Hat Content Delivery Network to deploy to Linux endpoints. See Managing downloads authentication.

Configure and deploy actions

Perform the following steps for each new action:

  1. Issue a dynamic or saved question to identify which endpoints require the action.

    Instead of deploying actions based on question results, you can also deploy actions from the:

    In this example, the purpose of the action is to restrict permissions for the Tanium Client installation directory on Windows endpoints such that only the SYSTEM account can view or edit files in that directory. Because this action is based on question results, it deploys only to endpoints that have unrestricted permissions on the directory. Avoiding deployment to endpoints that do not need an action reduces its impact on network and endpoint resources.

    • Dynamic question: Go to the Tanium Home page or Interact Overview page and use the Explore Data field (as in the following example) or question builder to issue a dynamic question. See Asking questions.

      Figure 6: Dynamic question issued through Explore Data field
    • Saved question: Go to the Interact Overview page and issue a question through the Saved Questions panel. You can also issue saved questions from the Administration > Content > Saved Questions page or (if the questions have favorite status) from the Tanium Home page. See Issue a saved question.

      An action that is based on the results of a saved question is a Policy action.

  2. Select the results from endpoints that require the action and click Deploy Action to configure the action settings.

    You cannot deploy an action until the estimated percentage of endpoints that answer the question reaches the threshold that is specified in the Action Target Estimate Minimum platform setting.

    You can refine the results before deploying an action. For example, you can issue drill-down questions, merge questions, or filter the results until you identify more precisely the endpoints that require the action. See Managing question results.

    Figure 7: Question results
  3. Configure the action settings.

    When the action first deploys, some endpoints might be offline. To ensure that the action deploys to endpoints that come online after the initial deployment, set the Schedule Type to Recurring Deployment and set the interval (Re-issue every) and time period (between the Start At and End At dates) to appropriate values. In this example, the action deploys once per day for a month to ensure that all endpoints have a chance to come online.

    Figure 8: Action settings
  4. Click Show preview to continue, review the affected endpoints, and click Deploy Action.

    Figure 9: Preview and initiate deployment

    If the number of affected Tanium Clients exceeds the threshold that is specified in the Prompt Estimate Threshold platform setting, the Tanium Console prompts you to confirm the deployment before proceeding.

    If approval is not required and the action starts immediately, the Action Status page opens. If approval is required or you specified a future Start At value, the action appears in the Scheduled Actions page. See View action status and settings.

  5. (Action approval only) If the Require Action Approval platform setting is enabled, another user must approve the action before deployment can start. Actions stay in a pending state until a user approves them. See Approve pending actions.

    For recurring actions, approval is a manual process only for the first deployment interval and is automatic for subsequent intervals.

Monitor actions

Track the status of actions to ensure that they are configured correctly and deploy as expected, and to troubleshoot if necessary.

View action status and settings

The Tanium Console displays action settings and status on different pages based on whether the action is one-time only or recurring and whether it starts immediately or at a future date:

  • One-time only, immediate deployment: The Action Status page opens automatically when you deploy the action. See View action status.

    Figure 10: Action Status page
    The Tanium Client generates action logs to record the command-line interface (CLI) output that is associated with action commands. If you have Read Sensor permission on the Client Management content set, you can display the log records to investigate issues related to an action. To display the records, on the Action Status page click Show Client Status Details, select up to 50 endpoints in the preview list, and click Get action log for selected machines. See Investigate action-related issues.
    Figure 11: Display action logs
  • Recurring action or action with future start date: On the Scheduled Actions page, you can select an action and click Status to review or re-download files that are associated with the action package. See Manage scheduled actions.

    Figure 12: Scheduled Actions page

After the first (or only) deployment interval, you can also view the settings, status, and other details of an action on the Action History page. See Manage actions that are completed or in progress.

Figure 13: Action History page

Troubleshoot actions

If issues occur during action deployment, the following tasks can help you to troubleshoot. Note the action IDs of the actions that you want to troubleshoot before reviewing logs. The Action History, Scheduled Actions, and Action Status pages all show action IDs. See Track Action IDs.

For issues on endpoints:

To prevent actions from running on certain endpoints during troubleshooting, deploy an action lock. Because many predefined actions that run automatically are critical for the health and security of a network, be careful about which endpoints you target for locking. Remove the locks when you finish troubleshooting. Locks do not apply to actions associated with packages that have the Ignore action lock option enabled. See Managing action locks.

For issues on the Tanium Server: