Deploying actions

After you use Tanium Interact to issue a question, analyze the question results, and determine which endpoints require administrative action, you can deploy actions to those endpoints.

Do not deploy an action unless you completely understand its scope, impact on individual endpoints, and impact on the environment given the number of targeted endpoints. Furthermore, be sure your organization has authorized you to perform the action. Some organizations require a second administrator to review and approve actions: see Managing action approval.

For the user role permissions required to deploy actions, see Action management permissions.

After an action is created or edited, a user might update the files or settings of the associated package. Before you reissue an action, you can check the status of package files and optionally update them: see Re-download package files. When you reissue or edit an action, the workflow includes an option for updating the Deployment Package to use its latest settings.

  1. Select a method to initiate action deployment based on how many actions you want to issue, whether they are recurring (scheduled) or non-recurring (unscheduled), and whether they have similar settings:
    • Issue a new action: You can deploy only one new action at a time. Issue a question, select rows in the Question Results page for the endpoints that require the action, click Deploy Action, and proceed to the next step.
      You can also deploy a new action from the Administration > Configuration > Client Status page. See Troubleshoot Tanium Client registration and communication.
      You can also deploy a new action from other pages in the Tanium Console:
    • Issue existing actions:
      1. Go to the Administration > Actions page that lists the actions you will issue:
        • To issue scheduled or unscheduled actions that were previously issued, go to Administration > Actions > Action History.
        • To immediately issue scheduled actions that are configured with a future start date, go to Administration > Actions > Scheduled Actions.
      2. Select one or more actions and perform one of the following steps:
        • To re-issue a single action, or to re-issue multiple actions that each require a different start time or distribution period, click Reissue and proceed to the next step.
        • To re-issue multiple actions with the same start time and distribution period, select More > Bulk Reissue, specify the time standard (Local Time / UTC), Start At, and Distribute Over values (see Table 1), click Confirm, and skip the remaining steps. This option is for a one-time deployment only. If you select multiple recurring actions, TaaS or the Tanium Server creates copies of the actions with their Schedule Type set to One Time Deployment.
  2. Configure the following settings. If you are issuing multiple actions, use the Previous and Next widgets to navigate among the pages for each action.

    If you save an action with Start At and Re-issue every values and subsequently clear those settings instead of specifying new values, TaaS or the Tanium Server discards the changes. To stop deploying an action, disable or delete it: see Manage scheduled actions.

     Table 1: Action settings
    Local Time / UTC: Select a time standard for the Start At and End At date-times:
    • Local Time (default) is local to the system that you use to access the Tanium Console.
    • UTC is Coordinated Universal Time.
    Name: Specify a name to identify the action. The name appears in the record for the action on the Scheduled Actions, Action History, and action approval pages.
    Description: (Optional) Enter a description that helps other users understand the purpose of the action.
    Deployment Package: Select a package from the drop-down list or enter a search string to find a package by name.

    If you select a parameterized package, configure the parameters. For example, if you select the Set Tanium Server Name List package, enter the Server Name List. For details, see Example: Parameterized packages.

    If you are re-issuing or editing an action, you cannot change the Deployment Package and any package parameters are read-only by default. However, if the package settings changed after the action was last issued or saved, clicking Update Source Package makes the action use the latest version of the package and enables you to update parameter values. Click Revert Source Package if you want to revert to the default behavior of using the same package version and parameter values as when the action was last issued or saved.

    The read-only Expiration Period indicates when the action expires. The value is the larger result of the following calculations:
    • The sum of the Command Timeout and Download Timeout values in the selected package
    • The sum of the package Command timeout and optional Distribute Over setting that you configure for the action

    The expiration applies to each deployment of a recurring action but does not change the schedule settings (Reissue Every, Start At, and End At).

    Schedule Type: Select one of the following options:
    • One Time Deployment: Deploy the action only once.
    • Recurring Deployment: Schedule the action to deploy at intervals (Re-issue every) over a specified period (from the Start At to End At date-times).
    Re-issue every

    This setting appears only if you set the Schedule Type to Recurring Deployment. Scheduling the action to repeat at intervals is useful when:

    • Action approval is required and you are not certain that an approver will approve the action before its initial deployment expires.
    • You want to deploy software or configuration updates to endpoints that might not be online during the initial deployment but that you expect to be online at some point between the Start At and End At dates.
    • The action is a continual hygiene practice. For example, you want to check periodically that a Tanium Client service is running or a client configuration has a particular value.

    Specify a number and unit: Minutes, Hours, Days.

    The Re-issue every interval must exceed the action Expiration Period.

    Start At / End At: By default, actions that do not require approval deploy as soon as you click Deploy Action at the bottom of the Action Deployment page, but you can set a Start At date-time to override the default. For example, you might want deployment to start during a maintenance window for the targeted endpoints.

    Note the following behavior when action approval is enabled:

    • If you omit a Start At time, the action deploys immediately after it is approved, provided other action conditions do not preclude TaaS or the Tanium Server from deploying it.
    • If you specify a Start At time, the action deploys at the next start time following approval. For example, if you set the action to deploy daily at 1:00 am and a user approves it at 2:00 am, the action deploys the next day at 1:00 am.

    The End At setting appears only if you set the Schedule Type to Recurring Deployment. Configure the setting if you do not want to re-deploy the action indefinitely. For example, you might want to stop deployment before the end of a maintenance window for the targeted endpoints.

    Specify an End At date-time unless you are sure that you want to re-deploy the action indefinitely. If you are not sure, configuring the schedule to end in six months is better than running indefinitely.

    Distribute over

    TaaS or the Tanium Server distributes actions to endpoints in batches. The Distribute Over option randomizes the distribution over the specified period to prevent spikes in network traffic or other resource consumption. For example, an action that depends on a sensor that queries Active Directory (AD) might cause a flood of traffic to the AD server unless the action is distributed over time. Similarly, an action that targets endpoints in a virtual machine farm might exhaust the shared CPU or memory resources if all endpoints simultaneously run a resource-intensive program.

    Specify a number and unit: Minutes, Hours, Days.

    Targeting Criteria: Configure which endpoints to target for the action. By default, the action targets all endpoints that match:
    • The Target Question, which is initially based on the rows that you selected in the Question Results page when you clicked Deploy Action there. The Target Question updates automatically when you change other targeting criteria.
    • The predefined Default - All Computers action group, which includes all managed endpoints unless you changed the group membership before initiating the action deployment. You can also select a different Action Group.

    Optionally, refine the targeting by adding:

    • Computer groups: Click Add Computer Groups, select one or more computer groups, and click Save.
    • Manual list: Enter a comma-separated list of endpoints by computer name or IP address and click Save.
    • Filter question: Enter a question to target endpoints that return results and click Save.

    TaaS or the Tanium Server applies a Boolean AND to the criteria that you specify. For a recurring action, only the endpoints that match the latest results of the Target Question will perform the action.

    Figure: Action targeting

  3. Click Show preview to continue, review the affected endpoints, and click Deploy Action.
  4. If the number of Estimated clients affected exceeds the configured threshold (the default is 100), enter the estimated number and click Confirm. TaaS or the Tanium Server enforces this confirmation step to ensure that you understand the impact that an action will have on your network.
  5. To change the threshold that controls whether the Tanium Console prompts users for the Estimated clients affected, go to Administration > Configuration > Platform Settings and edit the prompt_estimate_threshold setting. Note that changing the value to 0 causes the Tanium Console to prompt users whenever they deploy actions regardless of the number of affected endpoints.
  6. Perform one of the following steps to review the action status based on whether the action requires approval.

    For details about the Action Status page and the steps to access it from the Action History page, see View action status.

    • Approval not required: Confirm that the action produces the expected results on the Action Status page, which opens automatically unless you specified a future Start At value in the action configuration. An action with a future Start At value appears in the Scheduled Actions page. For scheduled actions, wait until deployment starts and then check the status in the Action History page.
    • Approval required: Confirm that the action appears in the Scheduled Actions page. The action remains in a pending state until a user approves it, as described in Managing action approval. After the action is approved and deployment starts, check the action status in the Action History page.

Non-recurring actions that you deploy immediately appear only in the Action History page, not the Scheduled Actions or action approval pages.
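
The Expiration Period, Re-issue every, Start At, and confirmation-threshold rules described in the steps above can be checked before an action is submitted. The following Python is an added example, not Tanium code and not part of any Tanium API; the function and parameter names are hypothetical and the sample values are constructed.

```python
from datetime import datetime, timedelta

def expiration_period(command_timeout, download_timeout, distribute_over=timedelta(0)):
    # Larger of the two sums listed for the read-only Expiration Period.
    return max(command_timeout + download_timeout,
               command_timeout + distribute_over)

def next_deployment(start_at, reissue_every, approved_at):
    # With approval enabled and a Start At set, the action deploys at the
    # next scheduled start time following approval.
    if approved_at <= start_at:
        return start_at
    intervals = -(-(approved_at - start_at) // reissue_every)  # ceiling division
    return start_at + intervals * reissue_every

def preflight(command_timeout, download_timeout, distribute_over,
              reissue_every, end_at, estimated_clients,
              prompt_estimate_threshold=100):
    # Returns the computed expiration period and a list of review findings.
    expiry = expiration_period(command_timeout, download_timeout, distribute_over)
    findings = []
    if reissue_every <= expiry:
        findings.append(
            f"Re-issue every ({reissue_every}) must exceed the Expiration Period ({expiry})")
    if end_at is None:
        findings.append("No End At: the action re-deploys indefinitely")
    # A threshold of 0 means the console always prompts.
    if prompt_estimate_threshold == 0 or estimated_clients > prompt_estimate_threshold:
        findings.append("Console will prompt for the Estimated clients affected")
    return expiry, findings

if __name__ == "__main__":
    # Constructed sample values, not taken from any real package or action.
    expiry, findings = preflight(
        command_timeout=timedelta(minutes=10),
        download_timeout=timedelta(minutes=5),
        distribute_over=timedelta(hours=1),
        reissue_every=timedelta(hours=1),
        end_at=None,
        estimated_clients=250,
    )
    print("Expiration Period:", expiry)
    for finding in findings:
        print("-", finding)
    # The page's own example: daily at 1:00 am, approved at 2:00 am.
    print(next_deployment(datetime(2024, 1, 10, 1, 0), timedelta(days=1),
                          datetime(2024, 1, 10, 2, 0)))
```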