Managing scheduled actions and action history

TaaS or the Tanium Server creates a scheduled action when you deploy an action from the Question Results page and specify a Start At date (instead of deploying immediately) or set the Schedule Type to Recurring Deployment with a Reissue every interval (see Deploying actions). A scheduled action configuration has the following components:

  • Package
  • Schedule settings, including start times, end times, reissue intervals, and distribution periods
  • Targeting criteria that specifies which endpoints run the action

When you install the Tanium Server, it automatically creates a set of scheduled actions while importing the Default Content pack. These predefined actions relate to the hygiene of the Tanium environment. The Tanium Server creates additional scheduled actions when you import certain other Tanium solutions. TaaS provides several predefined scheduled actions that relate to the hygiene of the Tanium environment.

After a scheduled or unscheduled (one-time deployment) action deploys for the first time, you can see its status in the Action History page.

For the user role permissions that are required to manage scheduled actions and view action history, see Action management permissions.

Manage scheduled actions

Perform the following steps to manage existing scheduled actions. To create a new scheduled action, see Deploying actions. To import actions, see Import actions.

  1. From the Main menu, go to Administration > Actions > Scheduled Actions.
  2. (Optional) To find specific actions, configure any of the following filters:
    • Text string: Filter the grid by any text value in any column by entering a text string in the Filter items field.
    • Date Range: Filter the grid to display only actions for which the Last Issue Time is within a specific date range. The default All means no date range filter is applied.
    • Action group: Add one or more action groups as a filter by selecting one at a time in the Select Action Group drop-down.
    • Attribute: Expand the Filters section, click Add, select an action attribute (such as Issuer) and operator (such as is equal to), enter an attribute value (such as administrator), and click Apply. If you add multiple attributes, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  3. Select the actions that you want to manage.

    To export all actions, you can skip this step.

    Action buttons for administrative tasks appear above the grid. The available buttons depend on the row you select. For example, the Status column displays a green check mark to indicate enabled actions and a red minus to indicate disabled actions. When you open the More drop-down list for an enabled action, the options include Disable Action, but not Enable Action. If the status column indicated a disabled action, the More list would include Enable Action but not Disable Action.

  4. Click a button or menu to perform one of the following tasks.

    To stop deploying a scheduled action, you must use the More menu to disable or delete it instead of clearing the Start At and Re-issue every values.

     Table 1: Administrative tasks for scheduled actions
    Button / Task | Guideline
    Reissue | Displays the Reissue Action page, where you can change the name, schedule, and targeting criteria before re-issuing the action: see Deploying actions. If you selected multiple actions, use the Previous and Next widgets to navigate among the pages for each action.

    To use the same start time and distribution period for multiple actions in a one-time deployment, select More > Bulk Reissue instead.

    Edit | Displays the Edit Action page, where you can change the schedule and targeting criteria: see Deploying actions. If you selected multiple actions, use the Previous and Next widgets to navigate among the pages for each action.

    To set the same scheduling values for multiple actions, select More > Bulk Edit instead.

    Status | Displays details about any files associated with the action package. You can use this dialog to re-download package files if you encountered issues with outdated files: see Re-download package files.
    Copy | Copies information from the selected rows to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

    To copy information from an individual cell, hover over the cell, click Options, and click Copy.

    More > Enable/Disable Action(s) | Prompts you to enable or disable the action. You can click the name of an action to review its configuration in the Edit Action page before clicking Confirm to enable or disable it.
    More > Change Group | Prompts you to select a new action group for the scheduled action.
    More > Copy Action | Prompts you to copy the scheduled action to a new action group. You can copy only one action at a time.
    More > Bulk Reissue | For a one-time deployment only, select this option to configure multiple actions with the same values for the following settings, and then re-issue the actions:
    • Local Time / UTC (time standard)
    • Start At date-time
    • Distribute Over period

    For a description of these settings, see Deploying actions.

    If you bulk reissue multiple recurring actions, TaaS or the Tanium Server creates copies of the actions with their Schedule Type set to One Time Deployment.

    To use a different start time or distribution period for each action, click Reissue instead.

    More > Bulk Edit | Select this option to configure multiple actions with the same values for one or more of the following settings. The bulk edit applies only to the settings that you change.
    • Local Time / UTC (time standard)
    • Schedule Type (One Time Deployment or Recurring Deployment)
    • Re-issue every interval (for recurring deployments)
    • Start At date-time
    • End At date-time
    • Distribute Over period

    For a description of these settings, see Deploying actions.

    To use different values for each action, click Edit instead.

    More > Delete | Prompts you to delete the selected actions. You can click the name of an action to review its configuration in the Edit Action page before clicking Confirm to delete it.
    Import | Import actions.
    Local Time / UTC | Specify the time standard that the Scheduled Actions grid uses to display settings that have date-time values:
    • Local Time (default), which is local to the system that you use to access the Tanium Console
    • UTC (Coordinated Universal Time)
    Export | Export actions.
    Administrative tasks for scheduled actions
    Button / Task | Guideline
    Reissue | Displays the Reissue Action page, where you can change the name, schedule, and targeting criteria before re-issuing the action: see Deploying actions.
    Edit | Displays the Edit Action page, where you can change the schedule and targeting criteria: see Deploying actions.
    Status | Displays details about any files associated with the action package. You can use this dialog to re-download package files if you encountered issues with outdated files: see Re-download package files.
    Copy | Copies information from the selected rows to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

    To copy information from an individual cell, hover over the cell, click Options, and click Copy.

    More > Enable/Disable Action(s) | Prompts you to enable or disable the action.
    More > Change Group | Prompts you to select a new action group for the scheduled action.
    More > Copy Action | Prompts you to copy the scheduled action to a new action group.
    More > Delete | Displays the Delete Action page. You can review the action configuration before you delete it.
    Export | Export actions.

Export actions

Export actions as a CSV file to view them in an application that supports that format. If your user account has a role with the Export Content permission, you can also export actions as a JSON file to import them into another Tanium Server. The Administrator reserved role has that permission.

  1. Select the actions that you want to export.

    To export all actions, skip this step.

  2. Click Export.

  3. (Optional) Edit the default export File Name.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  4. Select an Export Data option: All actions in the grid or just the Selected actions.
  5. Select the file Format: JSON or CSV.
  6. Click Export.

    TaaS or the Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.

Import actions

Develop and test content in your lab environment before importing that content into your production environment.

You can import content files that are in JSON or XML format.

  1. Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.
  2. From the Main menu, go to Administration > Configuration > Solutions.
  3. Scroll to the Content section and click Import Content.
  4. Click Choose File, select the content file, and click Open.
  5. Click Import.

    If object names in the file are the same as for existing objects, the Tanium Console itemizes the conflicts and provides resolution options for each one.

  6. Select resolutions for any conflicts. For guidance, see Conflicts and Best practices.
  7. Click Import again, and click Close when the import finishes.

Manage actions that are completed or in progress

The Action History page provides a chronology of initiated, completed, and scheduled actions that have been approved (if approval is required) and have deployed at least once. You can use the page to show action details (such as status and issuer), display action log data, stop actions that are in progress, and reissue actions.

  1. From the Main menu, go to Administration > Actions > Action History. The page displays the Status of each action:
    • Open: The time window for the action has not expired. The expiration period is the larger result from the following calculations:
    • Closed: The time window has expired. If an action is reissued, the grid displays a new row based on the new start time.
    • Stopped: An administrator stopped the action.
  2. (Optional) To find specific actions, configure any of the following filters:
    • Text string: Filter the grid by any text value in any column by entering a text string in the Filter items field.
    • Date Range: Filter the grid to display only actions for which the Start Time is within a specific date range. The default All means no date filter is applied.
    • Action group: Add one or more action groups as a filter by selecting one at a time in the Select Action Group drop-down.
    • Attribute: Click Filters, click Add, select an action attribute (such as Issuer) and operator (such as is equal to), enter an attribute value (such as administrator), and click Apply. If you add multiple attributes, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  3. Select the actions that you want to manage.

    To export all actions, you can skip this step.

  4. Click a button to perform one of the following tasks.
     Table 2: Administrative tasks for action history
    Button / Task | Guideline
    Show Status | Display the Action Status page to see additional status details, view information from action logs, or edit the package that is associated with the action. See View action summary and status.
    Stop | Stop the action if its Status is Open.
    Reissue | Displays the Reissue Action page, where you can change the name, schedule, and targeting criteria before reissuing the action: see Action settings. If you selected multiple actions, use the Previous and Next widgets to navigate among the pages for each action.

    To set the same start time and distribution period for multiple actions in a one-time deployment, select More > Bulk Reissue instead.

    Copy | Copies information from the selected rows to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

    To copy information from an individual cell, hover over the cell, click Options, and click Copy.

    More > Bulk Reissue | For a one-time deployment only, select this option to configure multiple actions with the same values for the following settings, and then re-issue the actions:
    • Local Time / UTC (time standard)
    • Start At date-time
    • Distribute Over period

    For a description of these settings, see Action settings.

    If you bulk reissue multiple recurring actions, TaaS or the Tanium Server creates copies of the actions with their Schedule Type set to One Time Deployment.

    To use a different start time or distribution period for each action, click Reissue instead.

    Local Time / UTC | Specify the time standard that the Action History grid uses to display settings that have date-time values:
    • Local Time (default), which is local to the system that you use to access the Tanium Console
    • UTC (Coordinated Universal Time)
    Export | The steps to export actions from the Action History page are the same as from the Scheduled Actions page except that your user account requires the Administrator reserved role to export the actions as a JSON file. See Export actions.
     Table 3: Administrative tasks for action history
    Button / Task | Guideline
    Show Status | Display the Action Summary page to see additional status details or view information from action logs. See View action summary and status.
    Stop | Stop the action if its Status is Open.
    Reissue | Displays the Reissue Action page, where you can change the name, schedule, and targeting criteria before reissuing the action: see Action settings.
    Copy | Copy information from the selected rows to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

    To copy information from an individual cell, hover over the cell, click Options, and click Copy.

    Export | The steps to export actions from the Action History page are the same as from the Scheduled Actions page except that your user account requires the Administrator reserved role to export actions as a JSON file. See Export actions.

View action summary and status

The Action Status or Action Summary page displays details about actions that are completed or in progress, and enables you to:

The page opens automatically when you deploy an action immediately instead of setting a Start At date-time in the action configuration. For any scheduled action that has deployed at least once, you can also open the page from the Administration > Actions > Action History page by selecting an action and clicking Show Status. If you select multiple actions, the Action Status page displays a separate Action Summary for each action.

Figure 1: Action Status or Action Summary page

Action states

The Tanium Client reports the following action states when it receives an action that targets the client. You can monitor the progression of an action through these states in the Action Status or Action Summary page.

The action timeout controls several action states. TaaS or the Tanium Server calculates the timeout relative to the moment when you deploy the action or, if approval is required, a user approves the action. To that start time, TaaS or the server adds the sum of the Distribute Over value (if it is configured in the action configuration) and the Command Timeout and Download Timeout values that are configured in the associated package. All targeted Tanium Clients then receive the same calculated timestamp from TaaS or the server.

 Table 4: Action states
Action State | Description
Waiting | This is the initial state of an action that has a non-zero Distribute Over value. If Distribute Over is zero, the action skips the Waiting state. An action in the Waiting state waits for a random amount of time up to the Distribute Over value before proceeding to the next state.
Downloading | The client is downloading package Files if the action requires them. Otherwise, the client skips the Downloading state and enters the Running state. An action in the Downloading state proceeds to the next state when one of the following events occurs:
  • The client finishes downloading the files before the action timeout: The next state is Running.
  • The client reaches the action timeout before finishing the download: The next state is Expired.
Running | The client is running the Command that is configured in the associated package. The action proceeds to the next state when one of the following events occurs:
  • The command finishes executing before the action timeout: The next state is Completed.
  • The command reaches the action timeout before finishing execution: The command terminates and the next state is Expired.
  • The command runtime reaches the Command Timeout before the action timeout and before the command finishes execution: The command terminates and the next state is Failed.
  • The command execution fails before any timeout (for example, the client might fail to spawn a new process to run the command): The next state is Failed.
Completed | The command finishes executing. This state applies regardless of whether the command produced the expected results. For example, a command might finish executing but generate errors. If the package specifies a Verification Query (to verify the results), the next state is Pending Verification. Otherwise, Completed is the final state.
Expired | This is the final state if the client reaches the action timeout before finishing one of the following processes:
  • Command execution
  • Package file downloads
Failed | The action enters this state if one of the following events occurs:
  • The command execution fails before the action timeout or command timeout
  • The command reaches the Command Timeout before the action timeout and before completing execution
  • The command completes execution but the client does not report Verification Query results before the query timeout

For Tanium Client 7.4 or later, Failed is a final state. For Tanium Client 7.2, the next state is Waiting to Retry.

Waiting to Retry (Tanium Client 7.2 only) | This is the same as the Waiting state, but applies only to actions that previously entered the Failed state and that the client is currently retrying (re-running the command). The client continuously retries an action until it enters the Expired state (the action times out) or Completed state.
Pending Verification | If the associated package specifies a Verification Query, the action proceeds from the Completed state to the Pending Verification state. The client then executes the Verification Query sensors to determine whether the query targets the client:
  • Yes: The next state is Verified.
  • No: The next state is Failed Verification.

The client executes all the sensors in the Verification Query instead of reading from the sensor cache, regardless of the Max Sensor Age setting for those sensors.

Verified | The action proceeds from the Completed state to the final Verified state if the associated package specifies a Verification Query and the query results are positive (the query targets the client).
Failed Verification | The action proceeds from the Completed state to the final Failed Verification state if the associated package specifies a Verification Query and the query results are negative (the query does not target the client).
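
The action timeout calculation and the Table 4 transitions, modelled for a single client as an added Python illustration (not Tanium code). The names Package, action_timeout and trace_states are hypothetical, ties between an event and a timeout are resolved by assumption, and only the Tanium Client 7.4 or later behaviour (Failed is final) is modelled.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Package:  # hypothetical container for the package settings named above
    command_timeout: int          # Command Timeout, seconds
    download_timeout: int         # Download Timeout, seconds
    has_files: bool = False       # does the package have Files to download?
    verification_query: bool = False


def action_timeout(distribute_over: int, pkg: Package) -> int:
    """Seconds after deployment (or approval) at which the action times out."""
    return distribute_over + pkg.command_timeout + pkg.download_timeout


def trace_states(pkg: Package, distribute_over: int, wait: int,
                 download_secs: int, command_secs: int, spawn_ok: bool = True,
                 query_targets_client: Optional[bool] = None) -> List[str]:
    """States one client passes through, per Table 4 (Tanium Client 7.4+).

    wait is the random delay this client drew (0..distribute_over).
    query_targets_client is the Verification Query result, or None when the
    client reports no result before the query timeout.
    """
    deadline = action_timeout(distribute_over, pkg)  # same for every client
    states: List[str] = []
    now = 0
    if distribute_over > 0:
        states.append("Waiting")
        now += wait
    if pkg.has_files:
        states.append("Downloading")
        # Table 4 lists only the action timeout as ending a download.
        # Assumption: a download finishing exactly at the deadline expires.
        if now + download_secs >= deadline:
            return states + ["Expired"]
        now += download_secs
    states.append("Running")
    if not spawn_ok:  # e.g. the client could not spawn the process
        return states + ["Failed"]
    finish = now + command_secs
    kill = now + pkg.command_timeout  # Command Timeout limits command runtime
    if finish >= min(kill, deadline):
        # Whichever limit comes first decides; assumption: a tie is Expired.
        return states + ["Failed" if kill < deadline else "Expired"]
    states.append("Completed")
    if not pkg.verification_query:
        return states
    states.append("Pending Verification")
    if query_targets_client is None:
        return states + ["Failed"]
    return states + ["Verified" if query_targets_client else "Failed Verification"]


if __name__ == "__main__":
    pkg = Package(command_timeout=60, download_timeout=300, has_files=True)
    print(action_timeout(600, pkg))  # constructed values, in seconds
    # A slow download can use up the action timeout and expire a short command.
    print(trace_states(pkg, 600, wait=0, download_secs=950, command_secs=20))
```
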

Investigate action-related issues

The Tanium Client generates action logs to record the CLI output associated with action commands. You can display the log records to investigate issues related to an action. To display the records, you require the Read Sensor permission on the Client Management content set. Perform the following steps to display the log records for an action:

  1. From the Main menu, go to Administration > Actions > Action History, select an action, and click Show Status to open the Action Status or Action Summary page.
  2. Click Show Client Status Details, select up to 50 endpoints in the preview list, and click Get action log for selected machines.

    The Tanium Server then issues the question Get Computer Name and Tanium Action Log[<action_ID>, 100] from all machines with (Computer Name equals <computer_name>) through the Interact Explore Data field. Endpoints that ran the action respond with the first 100 lines of the corresponding action log. Endpoints that did not run the action respond with Error: Cannot read Action_<ID>.log.


Track Action IDs

The Tanium Server assigns an action ID to each action that you deploy. Knowing the ID is useful when you want to see details about an action. For example, if you want to investigate unexpected outcomes related to actions (such as package scripts that failed to run), you can use action IDs to find and review action logs and action history log entries. The Tanium Console displays action IDs in multiple places.

  • The Administration > Actions > Action History page displays the action ID as a column.

  • The Action Status or Action Summary page displays the Action ID in the Details section (see View action summary and status).


On managed endpoints, the Tanium Client displays action IDs in the action status file and log files. In the following file paths, <Tanium Client> and <ClientInstallationFolder> both represent the Tanium Client installation folder.

  • In the <Tanium Client>\Downloads\config\ActionStatuses.ast file, action IDs map each action to its status.
  • In the <ClientInstallationFolder>\Downloads folder, each action log contains the associated action ID in its file name.
  • In the <ClientInstallationFolder>\Logs folder, action history logs identify actions by their IDs.