Deploying actions

After you use Tanium Interact to issue a question, analyze the question results, and determine which endpoints require administrative action, you can deploy actions to those endpoints.

Do not deploy an action unless you completely understand its scope, impact on individual endpoints, and impact on the environment given the number of targeted endpoints. Furthermore, be sure your organization has authorized you to perform the action. Some organizations require a second administrator to review and approve actions: see Managing action approval.

For the user role permissions required to deploy actions, see Action management permissions.

  1. Select a method to initiate action deployment based on how many actions you want to issue, whether they are recurring (scheduled) or non-recurring (unscheduled), and whether they have similar settings:
    • Issue a new action: You can deploy only one new action at a time. Issue a question, select rows in the Question Results grid for the endpoints that require the action, click Deploy Action, and proceed to the next step.

      You can also deploy a new action from the Administration > Configuration > Client Status page. See Troubleshoot Tanium Client registration and communication.

    • Issue existing actions:
      1. Go to the Administration > Actions page that lists the actions you will issue:
        • To issue scheduled or unscheduled actions that were previously issued, go to Administration > Actions > Action History.
        • To immediately issue scheduled actions that are configured with a future start date, go to Administration > Actions > Scheduled Actions.
      2. Select one or more actions and perform one of the following steps:
        • To re-issue a single action, or to re-issue multiple actions that each require a different start time or distribution period, click Reissue and proceed to the next step.
        • To re-issue multiple actions with the same start time and distribution period, select More > Bulk Reissue, specify the time standard (Local Time / UTC), Start At, and Distribute Over values (see Table 1), click Confirm, and skip the remaining steps. This option is for a one-time deployment only. If you select multiple recurring actions, TaaSthe Tanium Server creates copies of the actions with their Schedule Type set to One Time Deployment.
  2. Configure the following settings. If you are issuing multiple actions, use the Previous and Next widgets to navigate among the pages for each action.

    If you save an action with Start At and Re-issue every values and subsequently clear those settings instead of specifying new values, TaaSthe Tanium Server discards the changes. To stop deploying an action, disable or delete it: see Manage scheduled actions.

     Table 1: Action settings
    SettingsGuidelines
    Local Time / UTCSelect a time standard for the Start At and End At date-times:
    • Local Time (default) is local to the system that you use to access the Tanium Console.
    • UTC is Coordinated Universal Time.
    NameSpecify a name to identify the action. The name appears in the record for the action on the Scheduled Actions, Action History, and action approval pages.
    Description(Optional) Enter a description helps other users understand the purpose of the action.
    Deployment PackageSelect a package from the drop-down list or enter a search string to find a package by name.

    If you select a parameterized package, configure the parameters. For example, if you select the Set Tanium Server Name List package, enter the Server Name List. For details, see Example: Parameterized packages.

    If you are re-issuing or editing an action, you cannot change the Deployment Package.

    The read-only Expiration Period indicates when the action expires. The value is the larger result of the following calculations:
    • The sum of the Command Timeout and Download Timeout values in the selected package
    • The sum of the package Command timeout and optional Distribute Over setting that you configure for the action

    The expiration applies to each deployment of a recurring action but does not change the schedule settings (Reissue Every, Start At, and End At).

    Schedule TypeSelect one of the following options:
    • One Time Deployment: Deploy the action only once.
    • Recurring Deployment: Schedule the action to deploy at intervals (Re-issue every) over a specified period (from the Start At to End At date-times).
    Re-issue every

    This setting appears only if you set the Schedule Type to Recurring Deployment. Scheduling the action to repeat at intervals is useful when:

    • Action approval is required and you are not certain that an approver will approve the action before its initial deployment expires.
    • You want to deploy software or configuration updates to endpoints that might not be online during the initial deployment but that you expect to be online at some point between the Start At and End At dates.
    • The action is a continual hygiene practice. For example, you want to check periodically that a Tanium Client service is running or a client configuration has a particular value.

    Specify a number and unit: Minutes, Hours, Days.

    The Re-issue every interval must exceed the action Expiration Period.

    Start At / End At By default, actions that do not require approval deploy as soon as you click Deploy Action at the bottom of the Action Deployment page, but you can set a Start At date-time to override the default. For example, you might want deployment to start during a maintenance window for the targeted endpoints.

    Note the following behavior when action approval is enabled:

    • If you omit a Start At time, the action deploys immediately after it is approved, provided other action conditions do not preclude TaaSthe Tanium Server from deploying it.
    • If you specify a Start At time, the action deploys at the next start time following approval. For example, if you set the action to deploy daily at 1:00 am and a user approves it at 2:00 am, the action deploys the next day at 1:00 am.

    The End At setting appears only if you set the Schedule Type to Recurring Deployment. Configure the setting if you do not want to re-deploy the action indefinitely. For example, you might want to stop deployment before the end of a maintenance window for the targeted endpoints.

    Specify an End At date-time unless you are sure that you want to re-deploy the action indefinitely. If you are not sure, configuring the schedule to end in six months is better than running indefinitely.

    Distribute over

    TaaSThe Tanium Server distributes actions to endpoints in batches. The Distribute Over option randomizes the distribution over the specified period to prevent spikes in network traffic or other resource consumption. For example, an action that depends on a sensor that queries Active Directory (AD) might cause a flood of traffic to the AD server unless the action is distributed over time. Similarly, an action that targets endpoints in a virtual machine farm might exhaust the shared CPU or memory resources if all endpoints simultaneously run a resource-intensive program.

    Specify a number and unit: Minutes, Hours, Days.

    Targeting CriteriaConfigure which endpoints to target for the action. By default, the action targets all endpoints that match:
    • The Target Question, which is initially based on the rows that you selected in the Question Results page when you clicked Deploy Action there. The Target Question updates automatically when you change other targeting criteria.
    • The predefined Default - All Computers action group, which includes all managed endpoints unless you changed the group membership before initiating the action deployment. You can also select a different Action Group.

    Optionally, refine the targeting by adding:

    • Computer groups: Click Add Computer Groups, select one or more computer groups, and click Save. The list includes only computer groups that are enabled to use as a filter group.
    • Manual list: Enter a comma-separated list of endpoints by computer name or IP address and click Save.
    • Filter question: Enter a question to target endpoints that return results and click Save.

    TaaSThe Tanium Server applies a Boolean AND to the criteria that you specify. For a recurring action, only the endpoints that match the latest results of the Target Question will perform the action.Action targeting


  3. Click Show preview to continue, review the affected endpoints, and click Deploy Action.
  4. If the number of Estimated clients affected exceeds the configured threshold (the default is 100), enter the estimated number and click Confirm. TaaSThe Tanium Server enforces this confirmation step to ensure that you understand the impact that an action will have on your network.
  5. To change the threshold that controls whether the Tanium Console prompts users for the Estimated clients affected, go to Administration > Configuration > Platform Settings and edit the prompt_estimate_threshold setting. Note that changing the value to 0 causes the Tanium Console to prompt users whenever they deploy actions regardless of the number of affected endpoints.
  6. Review the Action Status page to confirm expected results. If you omitted a Start At value, deployment starts immediately and the page opens automatically. Otherwise, wait until deployment starts, go to Administration > Actions > Action History, select the action in the grid, and click Show Status. For details, see View action status.

    If action approval is enabled, the action remains in a pending state until a user approves it.

  1. Issue a question.
  2. In the Question Results grid, select the rows for the endpoints that require the action, and click Deploy Action.

    Interact displays the Deploy Action page.

  3. Use the Deployment Package search box typeaheads to select packages.

    Alternatively, click Browse Packages to review package descriptions and then select them.

  4. Complete the Action Details section.
    SettingsGuidelines
    NameSpecify a name to identify the action. The name appears in the record for the action on the Scheduled Actions, Action History, and Action Approval pages.
    Description(Optional) A description helps other users understand the purpose of the action.
    Tags(Optional) Use the controls to add tags, which are name-value pairs.

    These tags apply to the action itself, not to the endpoints that run the action, and appear in the Action Details section of the Action Summary page. To assign tags to endpoints, you must deploy the Custom Tagging - Add Tags or Custom Tagging - Add Tags (Non-Windows) package.


  5. Complete the Schedule Deployment section.

    If you save an action with Start at and Reissue every values and subsequently deselect those settings instead of specifying new values, TaaSthe Tanium Server discards the changes. To stop deploying an action, disable or delete it: see Manage scheduled actions.

    SettingsGuidelines
    Start at / End at

    Optionally, specify a start time when it is important to deploy the action to targeted clients during a maintenance window. The time refers to the Coordinated Universal Time (UTC) of the TaaS system clock on the Tanium Server host system, not on the Tanium Client host systems. For example, if you specify the action to deploy at 1:00 am, it deploys when the TaaSthe Tanium Server system clock time is 1:00 am. Note the following behavior:

    • If you omit a start time, the action deploys immediately upon completion of the deploy action workflow.
    • If you omit a start time and action approval is enabled, the action deploys immediately after it is approved, provided other action conditions do not preclude TaaSthe Tanium Server from deploying it.
    • If you specify a start time and action approval is enabled, the action deploys at the next start time following the approval. For example, if you set the action to deploy at 1:00 am every day and it is approved at 2:00 am, the action deploys the next day at 1:00 am.

    Specify an end date-time if you configure reissue intervals for the scheduled action, unless you are sure it is the type of action that you want to reissue indefinitely. If you are not sure, configuring the schedule to end in six months is better than running indefinitely.

    Distribute over

    TaaSThe Tanium Server distributes packages to Tanium Clients in batches. This option randomizes the distribution over the specified duration to avoid spikes in network or other resource utilization. For example, if an action depends on a sensor that queries Active Directory (AD), an action that is not distributed over time can cause a flood of traffic to the AD server. Similarly, an action that targets clients in a virtual machine farm could exhaust the shared CPU or memory resources if all clients simultaneously run a resource-intensive program. Distributing over time attenuates the impact a massive orchestration might have on the networked or virtualized environment.

    Specify a number and unit: Minutes, Hours, Days.

    Reissue every

    You can schedule the action to repeat at intervals, which is appropriate when:

    • Action approval is enabled and you are not certain it will be approved before the action expires.
    • You want to be sure software or configuration updates are made not only to the clients currently online but also to those currently offline that will be predictably online within a window that the reissue interval defines.
    • The action is a continual hygiene practice. For example, you want to check periodically that a client service is running or a client configuration has a particular value.

    Specify a number and unit: Minutes, Hours, Days.

    The Reissue every interval must exceed the action expiration period, which is the larger result from the following calculations:

    • The package Command Timeout + Download Timeout values
    • The package Command Timeout + the scheduled action Distribute over value

  6. Complete the Targeting Criteria section to specify endpoints where the action must run.

    For a repeating action based on a saved question, only the endpoints that match the latest results of the Starting Question will perform the action.

    If you select a Reissue every interval or if action approval is enabled, you must specify an Action Group. Otherwise, the action group is set to the All Computers computer group and you cannot change it (the Action Group drop-down does not appear), although only the endpoints that you selected in the Question Results grid are targeted.

  7. Click Show preview to continue, review the affected endpoints, and click Deploy Action.
  8. If the Estimated Number of affected endpoints exceeds the configured threshold (the default is 100), enter that number. TaaSThe Tanium Server enforces this confirmation step to ensure that you understand the impact that an action will have on your network.
  9. To change the threshold that controls whether the Tanium Console prompts users for the Estimated Number, edit the prompt_estimate_threshold setting (Administration > Management > Global Settings). Note that changing the value to 0 causes the Tanium Console to prompt users whenever they deploy actions regardless of the number of affected endpoints.

  10. Review the status to confirm expected results. For details, see View action summary and status.

For actions that are recurring or have a future Start At date or require approval, the deployment workflow creates a scheduled action configuration object, and the action is entered on the Scheduled Actions, Action History, and (if applicable) action approval pages. Non-recurring actions that you deploy immediately are entered only in the Action History page. For details, see Managing scheduled actions and history and Managing action approval.