Managing scheduled actions and action history

Tanium Cloud or the Tanium Server creates a scheduled action when you deploy an action from the Question Results page and specify a Start At date (instead of deploying immediately) or set the Schedule Type to Recurring Deployment (see Deploying actions). A scheduled action configuration has the following components:

  • Package
  • Schedule settings, including start times, end times, reissue intervals, and distribution periods
  • Targeting criteria that specify which endpoints run the action

After a scheduled or unscheduled (one-time deployment) action deploys for the first time, you can see its status in the Action History page.

For the user role permissions that are required to manage scheduled actions and view action history, see Action management permissions.

Predefined scheduled actions

Certain Tanium solutions provide scheduled actions that target the Default action group, which includes only the No Computers computer group. You must assign other action groups to those actions before they can deploy to endpoints. See Reconfigure action groups that target No Computers. For details about the action groups for particular solutions, see the user guides for those solutions at docs.tanium.com.

Manage scheduled actions

Perform the following steps to manage existing scheduled actions. To create a new scheduled action, see Deploying actions.

To reduce resource use on the Tanium Server and Tanium Clients, review scheduled actions on a quarterly basis and delete any that are no longer useful or that duplicate other actions. See Tanium Maintenance User Guide: Review and update scheduled actions.


  1. From the Main menu, go to Administration > Actions > Scheduled Actions.
  2. (Optional) To find specific actions, configure any of the following filters:
    • Text string: Filter the grid by any text value in any column by entering a text string in the Filter items field.
    • Date Range: Filter the grid to display only actions for which the Next Issue Time is within a specific future date range, such as the next 24 Hours. The default All means no date range filter is applied.
    • Source Package: The default All specifies that the grid shows all actions, regardless of whether the settings in their associated packages changed after the actions were last issued or saved. To show only actions that have changed package settings, click Has Updates. In the Source Package column, clicking Update Source Package opens the Edit Action page, where you can update the package that is associated with the action. See Update action packages.
    • Action group: Add one or more action groups as a filter by selecting one at a time in the Select Action Group drop-down.
    • Attribute: Expand the Filters section, click Add, select an action attribute (such as Issuer) and operator (such as is equal to), enter an attribute value (such as administrator), and click Apply. If you add multiple attributes, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  3. Select the actions that you want to manage.

    To export all actions, you can skip this step.

    Action buttons for administrative tasks appear above the grid and in the Source Package column. The available buttons depend on the row you select. For example, the Status column displays a green check mark (Enabled) to indicate enabled actions and a red minus (Disabled) to indicate disabled actions. When you open the More dropdown list for an enabled action, the options include Disable Action, but not Enable Action. If the Status column indicated a disabled action, the More list would include Enable Action but not Disable Action.

  4. Click a button or menu to perform one of the following tasks.

    To stop deploying a scheduled action, you must use the More menu to disable or delete it instead of clearing the Start At and Re-issue every values.

     Table 1: Administrative tasks for scheduled actions
    Button / Task: Guideline
    Reissue: Displays the Reissue Action page, where you can change the name, schedule, and targeting criteria before re-issuing the action (see Deploying actions). If you selected multiple actions, use the Previous and Next widgets to navigate among the pages for each action.

    To use the same start time and distribution period for multiple actions in a one-time deployment, select More > Bulk Reissue instead.

    Edit: Displays the Edit Action page, where you can change the schedule and targeting criteria (see Deploying actions). If you selected multiple actions, use the Previous and Next widgets to navigate among the pages for each action.

    To set the same scheduling values for multiple actions, select More > Bulk Edit instead.

    Status: Displays details about any files associated with the action package. You can use this dialog to re-download package files if you encountered issues with outdated files (see Re-download package files).
    Copy: Copies information from the selected rows to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

    To copy information from an individual cell, hover over the cell, click Options, and click Copy.

    More > Enable/Disable Action(s): Prompts you to enable or disable the action. You can click the name of an action to review its configuration in the Edit Action page before clicking Confirm to enable or disable it.
    More > Change Group: Prompts you to select a new action group for the scheduled action.
    More > Copy Action: Prompts you to copy the scheduled action to a new action group. You can copy only one action at a time.
    More > Bulk Reissue: For a one-time deployment only, select this option to configure multiple actions with the same values for the following settings, and then re-issue the actions:
    • Local Time / UTC (time standard)
    • Start At date-time
    • Distribute Over period

    For a description of these settings, see Deploying actions.

    If you bulk reissue multiple recurring actions, Tanium Cloud or the Tanium Server creates copies of the actions with their Schedule Type set to One Time Deployment.

    To use a different start time or distribution period for each action, click Reissue instead.

    More > Bulk Edit: Select this option to configure multiple actions with the same values for one or more of the following settings. The bulk edit applies only to the settings that you change.
    • Local Time / UTC (time standard)
    • Schedule Type (One Time Deployment or Recurring Deployment)
    • Re-issue every interval (for recurring deployments)
    • Start At date-time
    • End At date-time
    • Distribute Over period

    For a description of these settings, see Deploying actions.

    To use different values for each action, click Edit instead.

    More > Delete: Prompts you to delete the selected actions. You can click the name of an action to review its configuration in the Edit Action page before clicking Confirm to delete it.
    Import: Import actions.
    Local Time / UTC: Specify the time standard that the Scheduled Actions grid uses to display settings that have date-time values:
    • Local Time (default), which is local to the system that you use to access the Tanium Console
    • UTC (Coordinated Universal Time)
    Refresh: Manually refresh the Scheduled Actions grid.
    Export: Export actions as a file.
    Customize Columns: Select hidden columns to show them in the grid or deselect columns to hide them. Some columns are hidden by default, such as ID and Issue Count.
    Update Source Package: This icon appears in the Source Package column only for actions that use a package that was updated after the action was initially created. Clicking the icon opens the action in edit mode to enable updating the package parameters. See Update action packages.

Update action packages

When new versions of Tanium modules, shared services, or content-only solutions become available, Tanium Cloud automatically updates those solutions and any packages that they include. Tanium notifies you when updates occur that affect packages. After packages are updated, perform the following steps to verify whether any scheduled actions use the packages and then update the actions.

To review notifications about updates, see Tanium Cloud Deployment Guide: View module installation history.

When you update Tanium modules, shared services, or content-only solutions, the Tanium Server imports any packages that are associated with those solutions. After updating solutions, perform the following steps to verify whether any scheduled actions use updated packages and then update the actions.

  1. From the Main menu, go to Administration > Actions > Scheduled Actions and set the Source Package filter to Has Updates.

    The grid lists only the actions that have updated packages. Perform the remaining steps for each of those actions.

  2. In the Source Package column, click Update Source Package to edit the action.
  3. Perform one of the following sub-steps in the Deployment Package section:
    • If the Tanium Console shows the original parameters, click Update Source Package and enter the new values.

    • If the Tanium Console shows the message "Original package parameters cannot be displayed", you must leave the Edit Action page to review the original parameters:

      1. Go to Administration > Actions > Action History, select an instance of the action that deployed before the package update, click Status, and review the package Command. The Command value shows the original parameters.

      2. Repeat the previous steps to edit the action, click the link "Click here to continue to use updated package parameters", and enter the new values.

  4. Update other action settings as necessary (see Action settings), click Show Preview to Continue, and click Save Action.

Export actions

Export actions as a file in one of the following formats:

  • CSV: When you open the file in an application that supports CSV format, it lists the actions with the same attributes (columns) as the Scheduled Actions or Action History page displays.

  • JSON: If you are assigned a role with the Export Content permission, you can export action configurations as a JSON file to import them into another Tanium Server. The Administrator reserved role has that permission.

Perform the following steps to export actions:

  1. From the Main menu, go to Administration > Actions and select Scheduled Actions or Action History.
  2. (Optional, CSV exports only) To add or remove attributes (columns) for the CSV file, click Customize Columns in the grid and select the attributes.
  3. Select rows in the grid to export only specific actions. If you want to export all actions, skip this step.
  4. Click Export.

  5. (Optional) Edit the default export File Name.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  6. Select an Export Data option: All actions in the grid or just the Selected actions.
  7. Set the file Format to JSON (Administrator reserved role only) or CSV.

  8. Click Export.

    Tanium Cloud or the Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.

Import actions

Develop and test custom content in your lab environment before importing that content into your production environment.

Users who are assigned a role with Import Signed Content permission can import content files (such as for Tanium solutions or sensor configurations) that are in JSON format. The Administrator reserved role has this permission.

  1. (Non-Tanium-provided content only) Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.
    You do not have to generate keys or signatures for Tanium-provided solutions. Tanium signs this content before making it available, and the associated public key is distributed to the Tanium Server key store during the server installation process.

    If you plan to import a file that another user signed, you can first perform an integrity check on the file. See Verify content file signatures.

  2. From the Main menu, go to any of the following Administration pages:
    • Configuration > Solutions
    • Permissions > Filter Groups
    • Under Content, select Sensors, Packages, or Saved Questions
    • Under Actions, select Scheduled Actions, All Pending Approvals, or Actions I Can Approve
  3. Select an Import option based on the source of the content:
    • Import > Import Files: Perform one of the following steps to select one or more files:
      • Drag and drop files from your file explorer.
      • Click Browse for File, select the files, and click Open.
    • Import > Import URL: Enter the URL in the Import URL field, and click Import.
  4. For each file, expand the File name, review the content to import, and select resolutions for any conflicts with existing content (see Resolve import conflicts).
  5. If you want to overwrite existing content set assignments for all imported objects with the default Tanium-defined assignments, select Include content set overwrite. By default, the Include content set overwrite check box is deselected and the Tanium Server preserves the existing content set assignments.
  6. Click Begin Install.

Manage actions that are completed or in progress

The Action History page provides a chronology of initiated, completed, and scheduled actions that have been approved (if approval is required) and have deployed at least once. You can use the page to show action details (such as status and issuer), display action log data, stop actions that are in progress, and reissue actions.

  1. From the Main menu, go to Administration > Actions > Action History.

    The page displays the Status of each action:

    • Open: The time window for the action has not expired. The expiration period is the larger result from the following calculations:
    • Closed: The time window has expired. If an action is reissued, the grid displays a new row based on the new start time.
    • Stopped: An administrator stopped the action.

    For each action, the Computer Groups column displays the number of computer groups in the targeted action group and whether they use Boolean AND or OR combination logic (see Computer Groups). To display a tooltip that lists the computer group names, hover over the entry in that column.

  2. (Optional) To find specific actions, configure any of the following filters:
    • Text string: Filter the grid by any text value in any column by entering a text string in the Filter items field. The filter also applies to the names of computer groups in the targeted action group.
    • Date Range: Filter the grid to display only actions for which the Start Time is within a specific past date range, such as the last 24 Hours. The default All means no date filter is applied.
    • Action group: Add one or more action groups as a filter by selecting one at a time in the Select Action Group drop-down.
    • Attribute: Click Filters, click Add, select an action attribute (such as Issuer) and operator (such as is equal to), enter an attribute value (such as administrator), and click Apply. If you add multiple attributes, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  3. Select the actions that you want to manage.

    To export all actions, you can skip this step.

  4. Click a button to perform one of the following tasks.
     Table 2: Administrative tasks for action history
    Button / Task: Guideline
    Show Status: Display the Action Status page to see additional status details, view information from action logs, or edit the package that is associated with the action. See View action status.
    Stop: Stop the action if its Status is Open.
    Reissue: Displays the Reissue Action page, where you can change the name, schedule, and targeting criteria before reissuing the action (see Action settings). If you selected multiple actions, use the Previous and Next widgets to navigate among the pages for each action.

    To set the same start time and distribution period for multiple actions in a one-time deployment, select More > Bulk Reissue instead.

    Copy: Copies information from the selected rows to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

    To copy information from an individual cell, hover over the cell, click Options, and click Copy.

    More > Bulk Reissue: For a one-time deployment only, select this option to configure multiple actions with the same values for the following settings, and then re-issue the actions:
    • Local Time / UTC (time standard)
    • Start At date-time
    • Distribute Over period

    For a description of these settings, see Action settings.

    If you bulk reissue multiple recurring actions, Tanium Cloud or the Tanium Server creates copies of the actions with their Schedule Type set to One Time Deployment.

    To use a different start time or distribution period for each action, click Reissue instead.

    Local Time / UTC: Specify the time standard that the Action History grid uses to display settings that have date-time values:
    • Local Time (default), which is local to the system that you use to access the Tanium Console
    • UTC (Coordinated Universal Time)
    Export: The steps to export actions from the Action History page are the same as from the Scheduled Actions page except that your user account requires the Administrator reserved role to export the actions as a JSON file. See Export actions.

View action status

The Action Status page displays details about actions that are completed or in progress, and enables you to:

The page opens automatically when you deploy an action immediately instead of setting a Start At date-time in the action configuration. For any scheduled action that has deployed at least once, you can also open the page from the Administration > Actions > Action History page by selecting an action and clicking Show Status. If you select multiple actions, the Action Status page displays a separate Action Summary for each action.

Figure 1: Action Status page

Action states

The Tanium Client reports the following action states when it receives an action that targets the client. You can monitor the progression of an action through these states in the Action Status page.

The action timeout controls several action states. Tanium Cloud or the Tanium Server calculates the timeout relative to the moment when you deploy the action or, if approval is required, a user approves the action. To that start time, the server adds the sum of the Distribute Over value (if it is configured in the action configuration) and the Command Timeout and Download Timeout values that are configured in the associated package. All targeted Tanium Clients then receive the same calculated timestamp from the server.

 Table 3: Action states
Action State: Description
Waiting: This is the initial state of an action that has a non-zero Distribute over value. If Distribute over is zero, the action skips the Waiting state. An action in the Waiting state waits for a random amount of time up to the Distribute over value before proceeding to the next state.
Downloading: The client is downloading package Files if the action requires them. Otherwise, the client skips the Downloading state and enters the Running state. An action in the Downloading state proceeds to the next state when one of the following events occurs:
  • The client finishes downloading the files before the action timeout: The next state is Running.
  • The client reaches the action timeout before finishing the download: The next state is Expired.
Running: The client is running the Command that is configured in the associated package. The action proceeds to the next state when one of the following events occurs:
  • The command finishes executing before the action timeout: The next state is Completed.
  • The command reaches the action timeout before finishing execution: The command terminates and the next state is Expired.
  • The command runtime reaches the Command Timeout before the action timeout and before the command finishes execution: The command terminates and the next state is Failed.
  • The command execution fails before any timeout (for example, the client might fail to spawn a new process to run the command): The next state is Failed.
Completed: The command finishes executing. This state applies regardless of whether the command produced the expected results. For example, a command might finish executing but generate errors. If the package specifies a Verification Query (to verify the results), the next state is Pending Verification. Otherwise, Completed is the final state.
Expired: This is the final state if the client reaches the action timeout before finishing one of the following processes:
  • Command execution
  • Package file downloads
Failed: The action enters this state if one of the following events occurs:
  • The command execution fails before the action timeout or command timeout
  • The command reaches the Command Timeout before the action timeout and before completing execution
  • The command completes execution but the client does not report Verification Query results before the query timeout

For Tanium Client 7.4 or later, Failed is a final state. For Tanium Client 7.2, the next state is Waiting to Retry.

Waiting to Retry (Tanium Client 7.2 only): This is the same as the Waiting state, but applies only to actions that previously entered the Failed state and that the client is currently retrying (re-running the command). The client continuously retries an action until it enters the Expired state (the action times out) or Completed state.
Pending Verification: If the associated package specifies a Verification Query, the action proceeds from the Completed state to the Pending Verification state. The client then executes the Verification Query sensors to determine whether the query targets the client:
  • Yes: The next state is Verified.
  • No: The next state is Failed Verification.

The client executes all the sensors in the Verification Query instead of reading from the sensor cache, regardless of the Max Sensor Age setting for those sensors.

Verified: The action proceeds from the Completed state to the final Verified state if the associated package specifies a Verification Query and the query results are positive (the query targets the client).
Failed Verification: The action proceeds from the Completed state to the final Failed Verification state if the associated package specifies a Verification Query and the query results are negative (the query does not target the client).
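
The timeout rule and the state transitions in Table 3, modeled as an added example (this is not Tanium code) for Tanium Client 7.4 or later, where Failed is a final state. The class and field names, the per-endpoint durations, and treating a duration that exactly meets a timeout as having reached it are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Action:
    distribute_over: int       # seconds; 0 means the Waiting state is skipped
    command_timeout: int       # seconds, from the package
    download_timeout: int      # seconds, from the package
    has_files: bool            # package has Files to download
    verification_query: bool   # package specifies a Verification Query

    def timeout(self) -> int:
        """Action timeout as an offset from deployment (or approval)."""
        return self.distribute_over + self.command_timeout + self.download_timeout


@dataclass
class Endpoint:                # constructed per-client behaviour (assumption)
    wait: int = 0              # random delay the client drew, <= Distribute Over
    download_secs: int = 0
    command_secs: int = 0
    spawn_fails: bool = False  # command could not be started at all
    verify_result: Optional[bool] = None  # None: no result before query timeout


def trace(action: Action, ep: Endpoint) -> List[str]:
    """Return the sequence of action states one client passes through."""
    deadline = action.timeout()   # same timestamp for every targeted client
    t, states = 0, []
    if action.distribute_over > 0:
        if not 0 <= ep.wait <= action.distribute_over:
            raise ValueError("wait must fall within the Distribute Over period")
        states.append("Waiting")
        t += ep.wait
    if action.has_files:
        states.append("Downloading")
        # The page ties the download only to the action timeout, so that is
        # the only limit modeled here.
        if t + ep.download_secs >= deadline:
            return states + ["Expired"]
        t += ep.download_secs
    states.append("Running")
    if ep.spawn_fails:
        return states + ["Failed"]
    finish = t + ep.command_secs
    cmd_limit = t + action.command_timeout
    if finish < min(cmd_limit, deadline):
        states.append("Completed")
    elif cmd_limit < deadline:
        return states + ["Failed"]    # Command Timeout reached first
    else:
        return states + ["Expired"]   # action timeout reached first
    if not action.verification_query:
        return states
    states.append("Pending Verification")
    if ep.verify_result is None:
        return states + ["Failed"]
    return states + ["Verified" if ep.verify_result else "Failed Verification"]


if __name__ == "__main__":
    # Constructed values: 10 min distribution, 5 min command, 10 min download.
    action = Action(600, 300, 600, has_files=True, verification_query=True)
    print("action timeout offset:", action.timeout(), "seconds")
    for ep in (Endpoint(120, 60, 30, verify_result=True),
               Endpoint(120, 60, 400),
               Endpoint(590, 800, 200)):
        print(" -> ".join(trace(action, ep)))
```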

Investigate action-related issues

The Tanium Client generates action logs to record the CLI output associated with action commands. You can display the log records to investigate issues related to an action. To display the records, you require the Read Sensor permission on the Client Management content set. Perform the following steps to display the log records for an action.

For additional troubleshooting tasks related to actions, see Monitor actions.

  1. From the Main menu, go to Administration > Actions > Action History, select an action, and click Show Status to open the Action Status page.
  2. Click Show Client Status Details, select up to 50 endpoints in the preview list, and click Get action log for selected machines.

    The Tanium Server then issues the question Get Computer Name and Tanium Action Log[<action_ID>, 100] from all machines with (Computer Name equals <computer_name>) through the Interact Ask a Question field. Endpoints that ran the action respond with the first 100 lines of the corresponding action log. Endpoints that did not run the action respond with Error: Cannot read Action_<ID>.log.

Track Action IDs

The Tanium Server assigns an action ID to each action that you deploy. Knowing the ID is useful when you want to see details about an action. For example, if you want to investigate unexpected outcomes related to actions (such as package scripts that failed to run), you can use action IDs to find and review action logs and action history log entries. The Tanium Console displays action IDs in multiple places.

  • For actions that have deployed at least once, the Administration > Actions > Action History page displays the action ID as a column.

  • For actions that are recurring or have a future start date, the Administration > Actions > Scheduled Actions page also displays the ID as a column, although it is hidden by default. To display the column on that page, click Customize Columns and select ID.
  • The Action Status page displays the Action ID in the Details section (see View action status).

On managed endpoints, the Tanium Client displays action IDs in the action status file and log files. In the following file paths, <Tanium Client> represents the Tanium Client installation folder.

  • In the <Tanium Client>\Downloads\config\ActionStatuses.ast file, action IDs map each action to its status.
  • In the <Tanium Client>\Downloads folder, each action log contains the associated action ID in its file name.
  • In the <Tanium Client>\Logs folder, action history logs identify actions by their IDs.
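
For offline triage of a collected client folder, the following added example (not Tanium code) indexes action logs in the Downloads folder by action ID and returns the first 100 lines of one log, as the Tanium Action Log question described earlier does. The Action_<ID>.log file name pattern is taken from the error message quoted on this page; the function names and the sample folder are assumptions.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# File name pattern assumed from the "Cannot read Action_<ID>.log" message.
ACTION_LOG = re.compile(r"^Action_(\d+)\.log$", re.IGNORECASE)


def index_action_logs(client_dir: Path) -> Dict[int, Path]:
    """Map action ID -> log path for every action log under Downloads."""
    downloads = Path(client_dir) / "Downloads"
    found: Dict[int, Path] = {}
    if downloads.is_dir():
        for entry in downloads.iterdir():
            match = ACTION_LOG.match(entry.name)
            if match and entry.is_file():
                found[int(match.group(1))] = entry
    return found


def action_log_head(client_dir: Path, action_id: int, max_lines: int = 100) -> List[str]:
    """First max_lines lines of one action log, or the page's error text."""
    path = index_action_logs(client_dir).get(action_id)
    if path is None:
        # Same answer an endpoint gives when it did not run the action.
        return [f"Error: Cannot read Action_{action_id}.log"]
    with path.open(errors="replace") as handle:
        # zip stops after max_lines without reading the rest of the file.
        return [line.rstrip("\r\n") for _, line in zip(range(max_lines), handle)]


if __name__ == "__main__":
    # Constructed sample folder standing in for a Tanium Client directory.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Downloads").mkdir()
        (root / "Downloads" / "Action_4242.log").write_text(
            "".join(f"constructed output line {i}\n" for i in range(150)))
        print("action IDs with logs:", sorted(index_action_logs(root)))
        print("lines returned for 4242:", len(action_log_head(root, 4242)))
        print(action_log_head(root, 7)[0])
```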