Deploying actions

Use filtering, merging, and drill-down techniques to find the computers that are due for administrative action. Then, in the Question Results grid, you can select the targeted computers and launch the Deploy Action workflow page.

Do not deploy an action unless you completely understand its scope, you understand the impact on an individual target and the impact on the environment given the number of targets, and your organization has authorized you to perform the action. Some organizations require a second administrator to review and approve actions. For details, see Action Approval.

User role requirements

You must be assigned a role with Write Action permission to see the Deploy Action button on the Question Results grid. Read Package content set permissions determine which packages are available. When you deploy an action, the Tanium Server uses special saved questions to track action status and report action status within the deploy action workflow. To complete the workflow, you also need the Read Sensor and Read Saved Question permissions on the Reserved content set.

Deploy an action

  1. Issue a question.
  2. If you want to deploy a policy action (see Action terms), issue a saved question instead of a dynamic question (see Saving questions).

  3. In the Question Results grid, select the rows for the endpoints that require the action, and then click Deploy Action.

    Interact displays the Deploy Action workflow page.

  4. Use the Deployment Package search box typeaheads to select packages.

    Alternatively, click Browse Packages to review package descriptions and then select them.

  5. Complete the Action Details section.
    NameSpecify a name to identify the action. The name appears in the record for the action on the Scheduled Actions, Action History, and Action Approval pages.
    DescriptionOptional. A description helps other administrators understand the purpose of the action.
    TagsOptional. Use the controls to add tags, which are name-value pairs.

  6. Complete the Schedule Deployment section. For policy actions, you must schedule repeating deployments.
    Start at / End at

    Required for policy actions, optional for other actions. Specify a start time when it is important to deploy the action to targeted clients during a maintenance window. The time refers to the Coordinated Universal Time (UTC) of the system clock on the Tanium Server host system, not on the Tanium Client host systems. For example, if you specify the action to deploy at 1:00 am, it deploys when the Tanium Server system clock time is 1:00 am. Note the following behavior:

    • If you omit a start time, the action deploys immediately upon completion of the deploy action workflow.
    • If you omit a start time and action approval is enabled, the action deploys immediately after it is approved, provided other action conditions do not preclude the Tanium Server from deploying it.
    • If you specify a start time and action approval is enabled, the action deploys at the next start time following the approval. For example, if you set the action to deploy at 1:00 am every day and it is approved at 2:00 am, the action deploys the next day at 1:00 am.

    As a best practice, specify an end date/time if you configure reissue intervals for the scheduled action, unless you are sure it is the type of action that you want to reissue indefinitely. If you are not sure, configuring the schedule to end in six months is better than running indefinitely.

    Distribute over

    The Tanium Server distributes packages to Tanium Clients in batches. This option randomizes the distribution over the specified duration to avoid spikes in network or other resource utilization. For example, if an action depends on a sensor that queries Active Directory (AD), an action that is not distributed over time can cause a flood of traffic to the AD server. Similarly, an action that targets clients in a virtual machine farm could exhaust the shared CPU or memory resources if all clients simultaneously run a resource-intensive program. Distributing over time attenuates the impact a massive orchestration might have on the networked or virtualized environment.

    Specify a number and unit: Minutes, Hours, Days.

    Reissue every

    You can schedule the action to repeat at intervals, which is appropriate when:

    • Action approval is enabled and you are not certain it will be approved before the action expires.
    • You want to be sure software or configuration updates are made not only to the clients currently online but also to those currently offline that will be predictably online within a window that the reissue interval defines.
    • The action is a continual hygiene practice. For example, you want to check periodically that a client service is running or a client configuration has a particular value.

    Specify a number and unit: Minutes, Hours, Days.

    Note: The Reissue every interval must exceed the action expiration period, which is the larger result from the following calculations:

    • The package Command Timeout + Download Timeout values
    • The package Command Timeout + the scheduled action Distribute over value

  7. Complete the Targeting Criteria section to specify the endpoints where the action must run.

    For a repeating action based on a saved question (a policy action), only the endpoints that match the latest results of the Starting Question will perform the action.

  8. Click Show preview to continue, review the preview details, and click Deploy Action.

    You are prompted to review the impact on targets and to provide administrator credentials.

  9. Enter your password.
  10. The page reloads to display the Action Status page.

  11. Review the status to confirm expected results.
  12. (Policy actions only) Go to Actions > Scheduled Actions and verify that the Policy column displays Yes for the action you just added. If the column does not appear (it is hidden by default), click the Column menu and select Columns > Policy.

The Deploy Action workflow creates a scheduled action configuration object, and the action is entered on the Scheduled Actions, Action History, and (if applicable) Action Approval pages in the Tanium Console. For details, see Managing actions.

Last updated: 6/4/2019 4:32 PM | Feedback