Tanium Actions overview
In a Tanium™ deployment, a package comprises a command, a script, and any related files required to execute an action on a managed endpoint. For example, the package named Clean Stale Tanium Client Data includes a Windows command-line command that executes a Visual Basic Script that removes stale data from the Tanium™ Client directory and safely kills any stale sensor or action processes.
A package can be deployed to Tanium Client host computers from the results grid by initiating the Deploy Action workflow. When it is deployed, the package files are distributed to endpoints through the linear chains of peers. On the endpoint, all package files for an action are stored in a folder named Action_XXXX, where XXXX is the action ID. When the action is run, it generates status indicators that can be monitored from the console and client-side logs that can be used to troubleshoot failures.
Scheduled actions are designed to promote hygiene and enforce policies. A scheduled action is an action configured to be reissued periodically. The Clean Stale Tanium Client Data action is configured to be reissued every 4 hours.
Action groups are designed to target actions so that they are issued only to appropriate computer groups. For example, you can create a computer group for Windows computers and then an action group that targets that computer group. When you configure scheduled actions to deploy packages that use Windows commands, you can specify the action to be issued only to the action group for Windows commands.
Action locks are designed to suspend actions on the endpoint. You can deploy action locks if you encounter unexpected behavior and want to turn off actions while you debug it.
Action approval supports organizations that have policies requiring an approval stage. When action approval is enabled, the logged-in user who deploys the scheduled action cannot also approve it. The action is put on hold until it is approved by another user who has been assigned the Approve Action permission. Once approved, the approval remains in force until the schedule ends or the scheduled action configuration is modified.
You can see the Tanium Actions pages if you have actions-related permissions. Your capabilities on the Tanium Actions pages depend on your role-based permissions.
|Administrator||All capabilities and all permissions, except Bypass Action Approval.|
All capabilities, except cannot create or edit action groups.
All permissions, except Bypass Action Approval.
You can create advanced roles with the following permissions. When you configure the roles, specify the content sets that include the associated packages.
|Read Action||Can view the Scheduled Action pages. Visibility of rows in the grid depends on the Read Action permission on the content set for the underlying package. Can re-download package files and copy grid rows to the clipboard.|
|Write Action||Can view the Scheduled Action pages. Users can see rows for actions they issued. Users can see rows for actions issued by others if they have Read Action permission on the content set for the
Can see and use the Deploy Action button on the results grid for dynamic questions and saved questions.
Implies the Read Own Action, Read Package, and Show Preview permissions.
To deploy an action, edit an action, or check action status, a user also needs Read Sensor and Read Saved Question on the Reserved content set. The Reserved content set includes content used to ask preview and polling questions.
|Write Action for Saved Question||
Can see the Scheduled Action pages, but the only rows are for the actions that the user has deployed.
Can see and use the Deploy Action button on the results grid but only for saved questions that are configured with an associated package. The Read Package permission is not required for the associated package. If the saved question is not configured with an associated package, the Deploy Action button is not displayed.
Tip: Use this permission instead of the Write Action permission to limit use by "action users" who use Tanium to execute standard operating procedures created by someone else.
The following advanced role permissions are relevant only when action approval is enabled.
|Approve Action||View the All Pending Approval page.
Visibility of rows in the grids depends on the Read Action permission on the content set for the underlying package.
Must have Approve Action for the content set for the underlying package. Can approve actions created by another user but not their own.
|Read Own Action||Determines whether the logged-in user's actions appear in the All Pending Approval grid.|
|Bypass Action Approval||
Actions created by a user with this permission are not subject to approval requirements.
Does not apply retroactively.
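The approval rules described above can be checked against a small model. The following Python sketch is an added illustration, not Tanium code or a Tanium API: the class and function names, the users, and the content-set names are all constructed. It assumes that permissions are granted per content set, that "does not apply retroactively" means the bypass is evaluated only when the action is created, and that modifying an approved configuration returns it to the pending state.

```python
# Added illustration: a simplified model of the approval rules, not Tanium code.
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    perms: dict = field(default_factory=dict)  # permission -> set of content sets

    def has(self, perm, content_set):
        return content_set in self.perms.get(perm, set())

@dataclass
class ScheduledAction:
    issuer: User
    content_set: str      # content set of the underlying package
    state: str = "pending"
    approved_by: str = ""

def deploy(issuer, content_set):
    """Create a scheduled action; bypass is checked once, at creation."""
    action = ScheduledAction(issuer, content_set)
    if issuer.has("Bypass Action Approval", content_set):
        action.state = "approved"
    return action

def approve(action, approver):
    """Release a pending action only if both approval conditions hold."""
    if action.state != "pending":
        return False
    if approver.name == action.issuer.name:
        return False      # users cannot approve their own actions
    if not approver.has("Approve Action", action.content_set):
        return False      # permission must cover the package's content set
    action.state, action.approved_by = "approved", approver.name
    return True

def modify(action):
    """Assumption: editing an approved configuration returns it to pending."""
    if action.approved_by:
        action.state, action.approved_by = "pending", ""

if __name__ == "__main__":
    # Constructed users and content-set names.
    alice = User("alice", {"Approve Action": {"patching"}})
    bob = User("bob", {"Approve Action": {"inventory"}})
    carol = User("carol", {"Approve Action": {"patching"}})
    act = deploy(alice, "patching")
    alice.perms["Bypass Action Approval"] = {"patching"}  # granted afterwards
    print(act.state)      # bypass granted after creation does not release it
    print(approve(act, alice), approve(act, bob), approve(act, carol))
    modify(act)
    print(act.state)
```

When auditing role assignments, the same two conditions are the ones to verify: no user can approve their own actions, and every approver holds Approve Action on the content set of the package being deployed.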
Last updated: 5/16/2018 1:11 PM