Tanium Actions and Questions
Tanium has a number of features and capabilities that can help you understand the Questions and Actions that have been executed on an endpoint, for example logging at the client level and status pages for Actions and Questions. If you are building content that affects clients, or leveraging APIs to execute questions and packages, you can review and monitor these changes.
When executing packages on endpoints, the Tanium Client log can be used to troubleshoot and/or understand client changes. The client generates an Action log, named by ID, for each action. This file contains information on the execution of the package script. In addition to the log file, the client generates a folder, named by Action ID, that contains any package files.
Use the logs to follow each step of your package execution. Use the Action folder to verify package files were successfully transferred to the client system.
For more information on Client Action Logs, see here.
The Tanium Console has information that can also be used to review client Actions. The Action History page within Interact has a record of actions by ID. Review the action record and check important values such as Target Group, Action Group, Time values, and Command.
For more information on Action History and Status, see here.
The Question History page found in the Interact module shows all Questions that have been executed in the platform. Reviewing the actual question that was executed can be particularly helpful when the question was generated via the REST API.
For more information on Question History, see here.
Exporting via Connect
Both Question and Action History can be exported via Connect. Both sets of data can be used by end customers to help monitor their automations. Send this data to a SIEM or monitoring solution and track targeting, frequency, and status of these executions.
For more information on Connect Sources, see here.
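The monitoring described above (tracking targeting, frequency, and status of exported Action History) could look like the following on the receiving side. This is an added example, not Tanium code: the JSON-lines layout, the field names, the status values, the account names and the policy thresholds are all assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample export, one JSON record per line. Field names and status
# values are assumptions for this example, not Connect's actual output schema.
SAMPLE_EXPORT = """
{"action_id": 101, "issuer": "svc-patch", "target_group": "Lab Servers", "command": "cmd /c install.cmd", "start_time": "2024-05-01T10:00:00", "status": "Completed"}
{"action_id": 102, "issuer": "svc-patch", "target_group": "All Computers", "command": "cmd /c install.cmd", "start_time": "2024-05-01T10:02:00", "status": "Completed"}
{"action_id": 103, "issuer": "svc-patch", "target_group": "Lab Servers", "command": "cmd /c install.cmd", "start_time": "2024-05-01T10:03:00", "status": "Failed"}
{"action_id": 104, "issuer": "svc-patch", "target_group": "Lab Servers", "command": "cmd /c install.cmd", "start_time": "2024-05-01T10:04:00", "status": "Completed"}
{"action_id": 105, "issuer": "jdoe", "target_group": "Lab Servers", "command": "cmd /c cleanup.cmd", "start_time": "2024-05-01T11:00:00", "status": "Completed"}
"""

# Hypothetical policy: target groups each automation account may act on,
# and how many actions one account may issue inside a sliding window.
ALLOWED_TARGETS = {"svc-patch": {"Lab Servers"}}
MAX_ACTIONS = 3
WINDOW = timedelta(minutes=10)

def parse_export(text):
    """Parse JSON-lines records and return them ordered by start time."""
    rows = [json.loads(line) for line in text.splitlines() if line.strip()]
    for row in rows:
        row["start_time"] = datetime.fromisoformat(row["start_time"])
    return sorted(rows, key=lambda r: r["start_time"])

def review_actions(rows):
    """Return (action_id, reason) findings for targeting, frequency and status."""
    findings, recent = [], {}
    for row in rows:
        issuer, when = row["issuer"], row["start_time"]
        allowed = ALLOWED_TARGETS.get(issuer)
        if allowed is None:
            findings.append((row["action_id"], "issuer not in policy"))
        elif row["target_group"] not in allowed:
            findings.append((row["action_id"], "unexpected target group"))
        if row["status"] != "Completed":
            findings.append((row["action_id"], "status " + row["status"]))
        # Keep only this issuer's timestamps still inside the window.
        times = [t for t in recent.get(issuer, []) if when - t < WINDOW] + [when]
        recent[issuer] = times
        if len(times) > MAX_ACTIONS:
            findings.append((row["action_id"], "frequency above threshold"))
    return findings

if __name__ == "__main__":
    for action_id, reason in review_actions(parse_export(SAMPLE_EXPORT)):
        print(action_id, reason)
```

Map the field names to the columns your Connect destination actually receives before using logic like this in a SIEM rule.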