Actions overview

After you use Tanium Interact to issue a question, analyze the question results, and determine which endpoints require administrative action, you can deploy an action to those endpoints so that the Tanium Client can run the associated package (see Managing packages). In a Tanium deployment, a package comprises a command, a script, and any related files required to execute an action on a managed endpoint. For example, the package named Clean Stale Tanium Client Data includes a Windows command-line command that executes a Visual Basic Script to remove stale data from the Tanium Client directory and safely kill any stale sensor or action processes. TaaS or the Tanium Server distributes package files to endpoints based on their Tanium Client linear chains (see Tanium Client Management User Guide: File distribution). The endpoints store all package files for an action in the <Tanium_Client>/Downloads/Action_<ID> folder, where <ID> is the action identifier. When the action runs, it generates status indicators that you can monitor in the Tanium Console (see View action status) and generates client-side logs that you can use to troubleshoot failures (see Tanium Client Management User Guide: Review action logs and associated files to troubleshoot actions and packages).
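When you troubleshoot an action or review what was delivered to an endpoint, it helps to inventory the per-action folders described above. The following is an added example, not Tanium code: it walks <Tanium_Client>/Downloads, picks out Action_<ID> folders, and records each file's size and SHA-256 so the contents can be compared with the package you expected. The client directory passed in, the assumption that <ID> is numeric, and the sample file names are illustrative only.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Folder naming from the text above; numeric IDs are an assumption of this example.
ACTION_DIR = re.compile(r"^Action_(\d+)$")

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large package files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def inventory_actions(client_dir: Path) -> dict[int, list[dict]]:
    """Map action ID -> list of {path, size, sha256} for files in Action_<ID>."""
    downloads = client_dir / "Downloads"
    result: dict[int, list[dict]] = {}
    if not downloads.is_dir():
        return result
    for entry in downloads.iterdir():
        m = ACTION_DIR.match(entry.name)
        # Skip anything that is not a real Action_<ID> directory (including symlinks).
        if not m or entry.is_symlink() or not entry.is_dir():
            continue
        files = []
        for p in sorted(entry.rglob("*")):
            if p.is_file() and not p.is_symlink():
                files.append({"path": p.relative_to(entry).as_posix(),
                              "size": p.stat().st_size,
                              "sha256": sha256_of(p)})
        result[int(m.group(1))] = files
    return result

def build_sample(root: Path) -> Path:
    """Constructed sample tree; directory, file names and contents are made up."""
    client = root / "TaniumClient"
    (client / "Downloads" / "Action_1042").mkdir(parents=True)
    (client / "Downloads" / "Action_1042" / "cleanup.vbs").write_bytes(b"' sample\n")
    (client / "Downloads" / "Action_77").mkdir()
    (client / "Downloads" / "not_an_action").mkdir()
    return client

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        inv = inventory_actions(build_sample(Path(tmp)))
        for action_id in sorted(inv):
            print(action_id, inv[action_id])
```
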

For the user role permissions required to manage actions, see Action management permissions.

The following are key terms and concepts relating to actions:

Action group

Action groups are designed to target actions so that TaaS or the Tanium Server issues them only to appropriate computer management groups. For example, you can create a computer group for Windows computers and then an action group that targets that computer group. When you configure scheduled actions to deploy packages that use Windows commands, you can specify that TaaS or the server issues the action only to the action group for Windows commands. For details and related procedures, see Managing action groups.

Action lock

Action locks prevent actions from running on an endpoint. You might want to deploy action locks if, for example, you encounter unexpected behavior on endpoints and want to suspend actions during debugging. For details and related procedures, see Managing action locks.

Scheduled action

Scheduled actions are actions that TaaS or the Tanium Server issues based on a configurable schedule. Scheduled actions have a start time that specifies when TaaS or the server first issues the action and an optional reissue interval that specifies the frequency at which TaaS or the server reissues the action. Scheduled actions also have an optional end time, after which TaaS or the server stops reissuing the action regardless of the reissue interval. Scheduled actions are most often used to enforce policy or ensure good cyber hygiene in an environment. For example, the Tanium™ Default Content pack contains several scheduled actions that periodically update tooling on endpoints, verify configuration settings are in place, and maintain the overall health of Tanium Clients in your deployment. For details and related procedures, see Manage scheduled actions.

If you delete the saved question that a scheduled action uses for targeting endpoints, the action continues using that question for targeting and TaaS or the Tanium Server continues recording the question in the Question History log.

Action approval

Some organizations have policies that require an approval process for deploying actions. When action approval is enabled, the signed-in user who deploys the scheduled action cannot also approve it. The action is on hold until another user approves it. The approving user must have a role with Approve Action and Sensor read permissions. For scheduled actions, the approval remains in force until the scheduled end date of the action or until a user edits the action configuration. For details and related procedures, see Managing action approval.