Tanium 6.x: Deploying Actions

Overview

Tanium Console operators take actions by deploying packages to one or more designated computers. A package can be as simple as a single command-line instruction that the Tanium agent executes once or on a defined, recurring interval, or as complex as distributing files and installing updates and applications.

For additional information on creating packages, please see Creating Packages.

The remainder of this document highlights the steps to initiate an action by deploying a package targeted to specific computers.

Usage

Targeting Actions

Users select one or more rows in the answer result table (see the screenshot below) and then press the Deploy Action button at the bottom of the result table to take action on the endpoints that satisfy the question's criteria and return the selected answers. Tanium's unique communication architecture enables actions to typically deploy in seconds, and operators can watch in real time as they sweep across the enterprise.

In the example image shown below, the machines running Dropbox are targeted with the question:

Get Running Processes containing "dropbox" from all machines

which is put through the Natural Language Parser.

Deployingpackages-target-v2.png
 

Deploying a Package

In the example shown, the desired action is to kill the Dropbox process by using a previously defined package called Kill Process.

Selecting a line to target and choosing Deploy Action allows an operator to find the Kill Process package.

First, choose an appropriate package from the drop-down list of available packages.

Deployingpackages-immediate1.png
By clicking the Target & Schedule tab at the top, the operator can choose specifics about how the action will deploy:
  • Changing the Start at field changes the deploy time from instant to the time specified.
  • Changing the End at field sets the time at which to stop re-issuing the package.
  • Enabling the Distribute over option sends out the package with instructions for the client to wait a random time, up to the maximum defined in the option, before performing the action.
  • Enabling the Reissue every option deploys this action multiple times. This option is used to account for machines that are not online or that are added to the environment in the future.
Note: The "Reissue every" interval must be greater than the expiration period. The expiration period is the larger result from the following calculations:
  • The Package "Command Timeout" + "Download Timeout" values
  • The "Distribute over" + Package "Command Timeout" values

Also, the operator can put Actions into Action Groups, which are a way to sort and target scheduled actions. The Default Action Group is perfectly fine for this example.

Once complete, the Target Estimate box will populate with the estimated number of endpoints that will run this action. This only accounts for machines online and reporting in at this moment. Understanding the scope of the source question and the action group selected is very important to understanding the full scope of an action, especially when using the reissue option.

Deployingpackages-immediate2.png
 

Selecting the Finish tab shows the options to name your action (defaulting to the package name), provide a description or reason for deploying this action, and tag it as a way to categorize the action.

Deployingpackages-immediate3.png
 

Confirming the action requires the logged-on user's password. The console user must also read the Target Estimate provided and type in that number to confirm the estimated current scope of the action.

Deployingpackages-immediate4.png
 

If an action is issued immediately, the action status box will show the number of clients downloading, running, and completing the action.

Deployingpackages-status.png
 

Scheduling an Action

If the console operator wants the action to take place in the future, they can specify a start time by selecting the Start At: radio button and specifying a time.

Deployingpackages-scheduled3-v2.png
 

They can further choose to reissue the Action as a policy by selecting the Reissue every: radio button and selecting a reissue interval. A policy means that the action is periodically issued to ensure that it targets machines that may have been offline or that started running Dropbox at a later time.

Note: The "Reissue every" interval must be greater than the expiration period. The expiration period is the larger result from the following calculations:

  • The Package "Command Timeout" + "Download Timeout" values
  • The "Distribute over" + Package "Command Timeout" values
Deployingpackages-scheduled-v2.png
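The "Reissue every" rule from the note above can be checked before a schedule is entered in the console. This is an added example, not Tanium code: the Schedule fields, the duration strings and the two sample schedules are constructed for illustration and assume a disabled "Distribute over" counts as zero.

```python
# Added example: field names and duration format are assumptions, not a Tanium API.
from dataclasses import dataclass

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def seconds(text):
    """Parse a constructed duration string such as '90s', '10m', '1h' or '2d'."""
    text = text.strip().lower()
    if len(text) < 2 or text[-1] not in _UNITS or not text[:-1].isdigit():
        raise ValueError(f"bad duration: {text!r}")
    return int(text[:-1]) * _UNITS[text[-1]]

@dataclass
class Schedule:
    name: str
    command_timeout: str
    download_timeout: str
    distribute_over: str = "0s"  # "0s" = Distribute over not enabled (assumption)
    reissue_every: str = ""      # empty = action is issued once, no reissue

def expiration_period(s):
    """Larger of (command + download timeout) and (distribute over + command timeout)."""
    cmd = seconds(s.command_timeout)
    return max(cmd + seconds(s.download_timeout),
               seconds(s.distribute_over) + cmd)

def check(s):
    """Return (ok, expiration_seconds, message) for one schedule."""
    exp = expiration_period(s)
    if not s.reissue_every:
        return True, exp, f"{s.name}: one-time action, expires after {exp}s"
    reissue = seconds(s.reissue_every)
    if reissue > exp:  # must be strictly greater; an equal interval is rejected
        return True, exp, f"{s.name}: OK, reissue {reissue}s > expiration {exp}s"
    return False, exp, (f"{s.name}: INVALID, reissue {reissue}s must exceed "
                        f"expiration {exp}s")

# Constructed sample schedules.
KILL_PROCESS = Schedule("Kill Process", "1m", "10m", reissue_every="1h")
PATCH_ROLLOUT = Schedule("Patch rollout", "30m", "1h",
                         distribute_over="4h", reissue_every="4h")

if __name__ == "__main__":
    for sched in (KILL_PROCESS, PATCH_ROLLOUT):
        print(check(sched)[2])
```

In the second sample, "Distribute over" rather than the download timeout sets the expiration period, so a reissue interval equal to the distribution window is still too short.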
 

Finally, the console operator also has the option to select the Distribute Over: radio button and enter a length of time. If multiple rows were highlighted during targeting of the action and the package being used is a sensor-sourced package, then the result of deploying this package will be multiple scheduled actions that can be viewed in the Actions->Scheduled Actions tab as shown later in this article. The Distribute Over: setting allows those scheduled actions to be distributed over a specified period of time. An example of a case in which this is useful is patch management, where the operator may desire the selected patches to be distributed over time instead of all at once. If only a single scheduled action results from deploying a package, either because the package is not a sensor-sourced package or because only a single row was targeted, then the result of this setting will be that the action is scheduled for a time during the time window specified.

In this example, because it is scheduled, the operator can see status on the Actions->Scheduled Actions tab.

Deployingpackages-scheduled2-v2.png
 

The Action will reissue as long as the Scheduled Action exists here and the Start and End Time constraints are met.
