Managing scheduled actions and action history

Scheduled actions are actions that Tanium as a Service (TaaS) or the Tanium Server automatically reissues at specific intervals over a specific period. A scheduled action configuration has the following components:

  • Package
  • Schedule settings, including start and end times, and reissue intervals
  • Targeting criteria that specify which endpoints run the action

TaaS or the Tanium Server creates a scheduled action when you deploy an action from the Question Results page and specify a reissue interval (see Deploying actions). When you install the Tanium Server, it automatically creates a set of scheduled actions while importing the Default Content pack. These predefined actions relate to the hygiene of the Tanium environment. The Tanium Server creates additional scheduled actions when you import certain other Tanium content packs and modules. TaaS also provides several predefined scheduled actions.

For the user role permissions that are required to manage scheduled actions and view action history, see Action management permissions.

Manage scheduled actions

Perform the following steps to manage scheduled actions that are already defined. To create a new scheduled action, see Deploying actions.

  1. From the Main menu, go to Administration > Actions > Scheduled Actions.
  2. (Optional) To find specific actions, configure any of the following filters:
    • Time: Select Local Time (default), which is local to the system that you use to access the Tanium Console, or Coordinated Universal Time (UTC).
    • Action group: Add one or more action groups as a filter by selecting one at a time in the Select Action Group drop-down.
    • Text string: Filter the grid by any value text in any column by entering a text string in the Filter items field.
    • Date Range: Filter the grid to display only actions for which the Last Issue Time is within a specific date range. The default All means no date range filter is applied.
    • Attribute: Expand the Filters section, click Add, select an action attribute (such as Issuer) and operator (such as is equal to), enter an attribute value (such as administrator), and click Apply. If you add multiple attributes, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  3. Select the actions that you want to manage.

    To export all actions, you can skip this step.

    Action buttons for administrative tasks appear above the grid. The available buttons depend on the row you select. For example, the Status column displays a green check mark to indicate enabled actions and a red minus to indicate disabled actions. When you open the More drop-down list for an enabled action, the options include Disable Action, but not Enable Action. If the status column indicated a disabled action, the More list would include Enable Action but not Disable Action.

  4. Click a button or menu to perform one of the following tasks.

    To stop deploying a scheduled action, you must use the More menu to disable or delete it instead of clearing the Start at and Reissue every values.

    Button / Task: Guideline
    Reissue: Displays the Reissue Action page. You can change the name, schedule, and targeting criteria.
    Edit: Displays the Edit Action page. You can change the schedule and targeting criteria.
    Status: Displays package details. You can use this dialog to re-download package files if you encountered issues with outdated files: see Re-download package files.
    Copy: Copy information from the selected rows to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

    To copy information from an individual cell, hover over the cell, click Options, and click Copy.

    More > Enable/Disable Action(s): Enables or disables the scheduled action.
    More > Change Group: Assigns the scheduled action to a new action group. Select the action group and click Confirm.
    More > Copy Action: Copies the scheduled action to a new action group. Select the new action group and click Confirm.
    More > Delete: Displays the Delete Action page. You can review the action configuration before you delete it.
    Export: Export scheduled actions as a CSV file to view them in an application that supports that format. If you have the Administrator reserved role, you can also export scheduled actions as a JSON file to import into another Tanium Server.

    Develop and test content in your lab environment before importing that content into your production environment.

    After clicking Export, perform the following steps:

    1. (Optional) Edit the default export File Name.

      The file suffix (.csv or .json) changes automatically based on the Format selection.

    2. Select an Export Data option: All actions in the grid or just the Selected actions.
    3. Select the file Format: JSON (Administrator reserved role only) or CSV.
    4. Click Export.

      TaaS or the Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.

Manage actions that are completed or in progress

The Action History page provides a chronology of initiated, completed, and scheduled actions. You can also use the page to show action details (such as status and issuer), display action log data, stop actions that are in progress, and reissue actions.

  1. From the Main menu, go to Administration > Actions > Action History. The page displays the Status of each action:
    • Open: The time window for the action has not expired. The expiration period is the larger result from the following calculations:
      • The package Command Timeout + Download Timeout values
      • The package Command Timeout + the scheduled action Distribute over value
    • Closed: The time window has expired. If an action is reissued, the grid displays a new row based on the new start time.
    • Stopped: An administrator stopped the action.
  2. (Optional) To find specific actions, configure any of the following filters:
    • Time: Select Local Time (default), which is local to the system that you use to access the Tanium Console, or Coordinated Universal Time (UTC).
    • Action group: Add one or more action groups as a filter by selecting one at a time in the Select Action Group drop-down.
    • Text string: Filter the grid by any value text in any column by entering a text string in the Filter items field.
    • Date Range: Filter the grid to display only actions for which the Start Time is within a specific date range. The default All means no date filter is applied.
    • Attribute: Click Filters, click Add, select an action attribute (such as Issuer) and operator (such as is equal to), enter an attribute value (such as administrator), and click Apply. If you add multiple attributes, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  3. Select the actions that you want to manage.

    To export all actions, you can skip this step.

  4. Click a button to perform one of the following tasks.
     Table 1: Action History administration tasks
    Button / Task: Guideline
    Show Status: Display the Action Summary page to see additional status details and get information from action logs: see View action summary and status.
    Stop: Stop the action.
    Reissue: Display the Reissue Action page. You can change the name, schedule, and targeting criteria.
    Copy: Copy information from the selected rows to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

    To copy information from an individual cell, hover over the cell, click Options, and click Copy.

    Export: Export action history information as a CSV file to view the information in an application that supports that format. If you have the Administrator reserved role, you can also export action history information as a JSON file.

    After clicking Export, perform the following steps:

    1. (Optional) Edit the default export File Name.

      The file suffix (.csv or .json) changes automatically based on the Format selection.

    2. Select an Export Data option: All actions in the grid or just the Selected actions.
    3. Select the file Format: JSON (Administrator reserved role only) or CSV.
    4. Click Export.

      TaaS or the Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.

View action summary and status

The Action Summary page opens automatically when you deploy an unscheduled action so that you can track its progress. You can also open the page from the Administration > Actions > Action History page by selecting an action and clicking Show Status. The Action Summary page displays details about actions that are completed or in progress, and enables you to re-download package files and view action logs.

Figure 1: Action Summary page

Action states

The Tanium Client reports the following action states when it receives an action that targets the client.

The action timeout controls several action states. Tanium Server calculates the timeout relative to the moment when you deploy the action or, if approval is required, a user approves the action. To that start time, the server adds the sum of the Distribute over value (if it is configured in the action configuration) and the Command Timeout and Download Timeout values that are configured in the associated package. All the targeted Tanium Clients then receive the same calculated timestamp from the server.

Action State: Description
Waiting: This is the initial state of an action that has a non-zero Distribute over value. If Distribute over is zero, the action skips the Waiting state. An action in the Waiting state waits for a random amount of time up to the Distribute over value before proceeding to the next state.
Downloading: The client is downloading package Files if the action requires them. Otherwise, the client skips the Downloading state and enters the Running state. An action in the Downloading state proceeds to the next state when one of the following events occurs:
  • The client finishes downloading the files before the action timeout: The next state is Running.
  • The client reaches the action timeout before finishing the download: The next state is Expired.
Running: The client is running the Command that is configured in the associated package. The action proceeds to the next state when one of the following events occurs:
  • The command finishes executing before the action timeout: The next state is Completed.
  • The command reaches the action timeout before finishing execution: The command terminates and the next state is Expired.
  • The command runtime reaches the Command Timeout before the action timeout and before the command finishes execution: The command terminates and the next state is Failed.
  • The command execution fails before any timeout (for example, the client might fail to spawn a new process to run the command): The next state is Failed.
Completed: The command finishes executing. This state applies regardless of whether the command produced the expected results. For example, a command might finish executing but generate errors. If the package specifies a Verification Query (to verify the results), the next state is Pending Verification. Otherwise, Completed is the final state.
Expired: This is the final state if the client reaches the action timeout before:
  • Finishing the command execution
  • Finishing the file downloads
Failed: The action enters this state if:
  • The command execution fails before the action timeout or command timeout
  • The command reaches the Command Timeout before the action timeout and before completing execution
  • The command completes execution but the client does not report Verification Query results before the query timeout
  For Tanium Client 7.4 or later, Failed is a final state. For Tanium Client 7.2, the next state is Waiting to Retry.
Waiting to Retry (Tanium Client 7.2 only): This is the same as the Waiting state, but applies only to actions that previously entered the Failed state and that the client is currently retrying (re-running the command). The client continuously retries an action until it enters the Expired state (the action times out) or Completed state.
Pending Verification: If the associated package specifies a Verification Query, the action proceeds from the Completed state to the Pending Verification state. The client then executes the Verification Query sensors to determine whether the query:
  • Targets the client: The next state is Verified.
  • Does not target the client: The next state is Failed Verification.
  The client executes all the sensors in the Verification Query instead of reading from the sensor cache, regardless of the Max Sensor Age setting for those sensors.
Verified: The action proceeds from the Completed state to the final Verified state if the associated package specifies a Verification Query and the query results are positive (the query targets the client).
Failed Verification: The action proceeds from the Completed state to the final Failed Verification state if the associated package specifies a Verification Query and the query results are negative (the query does not target the client).
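
The action timeout arithmetic and state transitions above, together with the Open status window described for the Action History page, modelled as an added example (not Tanium code). Field and function names are illustrative, the wait, download, and run durations are constructed inputs in seconds, and the Tanium Client 7.2 Waiting to Retry path is not modelled.

```python
from dataclasses import dataclass

@dataclass
class Action:
    """Timeouts in seconds; field names are illustrative, not Tanium API names."""
    command_timeout: int           # package Command Timeout
    download_timeout: int          # package Download Timeout
    distribute_over: int = 0       # action Distribute over (0 = not configured)
    has_files: bool = False        # package has Files to download
    verification_query: bool = False

def action_timeout(a: Action) -> int:
    """Seconds after deploy/approval at which every targeted client times out."""
    return a.distribute_over + a.command_timeout + a.download_timeout

def open_window(a: Action) -> int:
    """Seconds the action shows as Open on the Action History page."""
    return max(a.command_timeout + a.download_timeout,
               a.command_timeout + a.distribute_over)

def client_states(a, wait=0, download=0, run=0, spawn_ok=True, verified=None):
    """States one Tanium Client 7.4+ reports. verified is the Verification
    Query result (None = no result reported before the query timeout)."""
    deadline, t, states = action_timeout(a), 0, []
    if a.distribute_over > 0:
        states.append("Waiting")
        t += min(wait, a.distribute_over)      # random delay, capped
    if a.has_files:
        states.append("Downloading")
        t += download
        if t >= deadline:                      # action timeout hit mid-download
            return states + ["Expired"]
    states.append("Running")
    if not spawn_ok:                           # e.g. process could not be spawned
        return states + ["Failed"]
    finish, cmd_limit = t + run, t + a.command_timeout
    if finish >= min(cmd_limit, deadline):     # command did not finish in time
        return states + ["Failed" if cmd_limit < deadline else "Expired"]
    states.append("Completed")
    if not a.verification_query:
        return states
    states.append("Pending Verification")
    if verified is None:
        return states + ["Failed"]
    return states + ["Verified" if verified else "Failed Verification"]
```

A slow download that still finishes before the action timeout can leave the command less than its full Command Timeout, in which case an overrunning command ends as Expired and not Failed.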

Investigate action-related issues

The Tanium Client generates action logs to record the CLI output associated with action commands. You can display the log records to investigate issues related to an action. To display the records, you require the Read Sensor advanced permission on the Client Management content set. Perform the following steps to display the log records for an action:

  1. From the Main menu, go to Administration > Actions > Action History, select an action, and click Show Status to open the Action Summary page.
  2. Click Show Client Status Details, select up to 50 endpoints in the preview list, and click Get action log for selected machines.

    The Tanium Server then issues the question Get Computer Name and Tanium Action Log[<action_ID>, 100] from all machines with (Computer Name equals <computer_name>) through the Interact Explore Data field. Endpoints that ran the action respond with the first 100 lines of the corresponding action log. Endpoints that did not run the action respond with Error: Cannot read Action_<ID>.log.


Track the Action IDs

The Tanium Server assigns an action ID to each action that you deploy. Knowing the ID is useful when you want to see details about an action. For example, if you want to investigate unexpected outcomes related to actions (such as package scripts that failed to run), you can use action IDs to find and review action logs and action history log entries. The Tanium Console displays action IDs in multiple places.

  • The Administration > Actions > Action History page displays the action ID as a column.
  • The Action Summary page displays the Action ID in the Details section and in the browser URL (see View action summary and status).

On managed endpoints, the Tanium Client displays action IDs in the action status file and log files. In the following file paths, <Tanium Client> represents the Tanium Client installation folder.

  • In the <Tanium Client>\Downloads\config\ActionStatuses.ast file, action IDs map each action to its status.
  • In the <Tanium Client>\Downloads folder, each action log displays the associated action ID in its file name.
  • In the <Tanium Client>\Logs folder, action history logs identify actions by their IDs.

Import scheduled actions

You can import content files that are in JSON or XML format.

  1. Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.
  2. From the Main menu, go to Administration > Configuration > Solutions.
  3. Scroll to the Content section and click Import Content.
  4. Click Choose File, select the content file, and click Open.
  5. Click Import.

    If object names in the file are the same as for existing objects, the Tanium Console itemizes the conflicts and provides resolution options for each one.

  6. Select resolutions for any conflicts. For guidance, see Conflicts and Best practices.
  7. Click Import again, and click Close when the import finishes.
If the action does not require file downloads, the client skips to the Running state.