Tanium 6.x: Action Exclusions

Introduction

An Operator may decide that a Tanium Action (the deployment of a Package to a Target) should not hit certain machines. There are many ways to accomplish this goal.

 

A Quick Example on Deploying Packages

When deploying Packages, you must first target a line in the Answers Grid. A selected line or lines will determine where the Package goes. Asking about "Installed Applications", for example, will stack up answers which are the same into rows and aggregate the totals into the Count column. Here, an operator would have simply put "Installed Applications" into the question bar and have had the Natural Language Parser transform that into something the server can understand:

Get Installed Applications from all machines

Here are the results:

750px-Action_exclusions_installed_applications_highlights.jpg
 

Here we have selected a number of machines which can now be targeted (at least 24 machines). Machines will be targeted if they have an installed application whose Name and Version column match the highlighted values precisely. Next we will deploy the package which uninstalls the application by finding it alphabetically in the list of Packages.

750px-Action_exclusions_target_for_uninstall.jpg
 

This will immediately uninstall that application for every machine that has it. However, this may not be what you want to do! In many cases, you want to target a smaller set of machines or exclude just a few machines. The following methods provide these capabilities.

Use Drilldown to be More Specific

If you wanted to instead target a subset of those machines that you highlighted, you can drill down into the data using a Saved Question to see which machines are affected and choose which machines to uninstall from. Here we double click and choose the General Information saved question.

750px-Action_exclusions_drill_down.jpg
 

Now we can pick a few machines and be more selective about the target of the uninstall.

750px-Action_exclusions_drill_down_results.jpg
 

Clicking deploy from here will result in the uninstallation from only those two machines.

Targeting machines for Actions is a very commonly done operation, and this article should provide some value when trying to think of different ways to avoid targeting certain machines. Choosing the right approach will depend on what feels most comfortable depending on the circumstance. As always, please let us know if you have any questions or comments about this process.

Have more questions? Submit a request