Compliance Reporting

The Compliance Reporting page shows the compliance scores for your various report sets. With a quick glance, you can instantly determine the current compliance status of your devices and see how you are trending over time. The information provided on this page is extremely useful when reviewing your compliance history with a regulatory auditor.

In the beginning, you might elect to create just one report set that contains all of your devices. As you grow more comfortable with this feature, you may realize the benefits of creating multiple report sets. For example, you might create one report set for high-risk devices such as servers and another report set for low-risk devices. Or, you may choose to create report sets that consist of similar policy groups, such as server policy groups, staging policy groups, etc.

The Compliance Reporting page is accessed from the main menu by selecting Patch Management > Compliance Reporting.

About the Grid

The Compliance Reporting grid shows compliance information for your report sets. You can export the contents of the grid to a CSV file.

  • Report set: Represents a combination of two items:
    • One or more policy groups (this defines the devices that are contained in the report set)
    • One or more patch groups and levels against which the policy groups are evaluated
    You can click a report set name to view details about the report configuration.
  • Compliance score: Shows the current compliance score for the associated report set. The score is the percentage of all devices in the report set that are compliant against the patch group and level criteria defined in the report set.
  • Compliance threshold: Shows the percentage of devices that must meet the patching criteria in order to meet the goals for the report set.
  • Endpoints: Shows the number of devices in the report set.
  • Last run: Shows the date and time the report was last run.
  • Compliance history: Provides a graphical representation of the compliance score over a period of time. The purple line in the chart shows the compliance score over time. The yellow line shows the compliance threshold over time. You can click the report set name to view an expanded version of the chart.
  • First run: Shows the date that the report was first generated.
  • Last edited: Shows the date and time the report set was last edited.
  • Report status: Indicates if the report is active or archived. (The ability to archive a report is coming in a future release.)

Report Details

If you click a report set name, a detailed view of the report set is provided. This enables you to view the current configuration of a report and to make modifications. If you want to make modifications, click the Edit button located in the top-right corner of the page.

You must have a role with the Patch Management > Compliance Reporting > Create & Modify Compliance Reports permission to edit compliance reports. For information about roles and permissions, see Access Control.

Summary

At the top of the page is a panel that provides information about the report, including the time at which it is set to be recorded, the date and time it actually last ran, its compliance threshold, the patch levels included, which patch groups are excluded, and which policy groups are included.

Chart

Below the Summary panel is an expanded view of the Compliance History chart. The yellow line shows the compliance threshold, which is the goal you have set for this report set. The purple line shows the compliance score, which is the percentage of all devices in the report set that are in compliance.

You can:

  • Use the scroll bar to view earlier dates in the chart
  • Specify the date range you want displayed on the chart
  • Hover over a data point to see a summary of the compliance status at that moment in time

Device Grid

The area at the bottom of the page contains a grid that shows the complete list of devices included in the report. You can export the contents of the grid to a CSV file.

  • Device name: The name of one of the devices in the report set.
    You can click a device name to view detailed compliance information about that device. The device view contains three sections:
    • The top section displays summary information about the device.
    • The middle section contains a Patch status over time chart that shows when the device was in or out of compliance. You can use the menu in the upper right to change the date range. If you click a date in the chart, the grid in the bottom section will display information for just that date.
    • The bottom section contains a Patch State on today's date device information grid. You can use the column headers to sort or filter the information in the grid.
  • Latest compliance status: Shows if the device is in compliance. The possible values are Compliant, Not compliant, No report data and No scan data.
  • Policy group: Shows the name of the policy group to which the device belongs.
  • Last updated: Shows the date that the compliance score was last updated for the device.

How to Create a New Report

  1. In the Compliance Reporting grid, click Create report.
  2. Type a descriptive name for the report.
  3. Specify the time of day you want the report snapshot to be captured.
    You may want to specify a time that is after any regularly scheduled deployments or maintenance windows so that you get the most current snapshot of your compliance status.
  4. Specify the Compliance threshold.
    The Compliance threshold defines the level of patching you require in order to be considered compliant with your goals. The value is defined as a percentage and establishes the Y axis on the report charts. Example: If you specify 80%, it means you require that at least 80% of the devices in the report set must meet the criteria defined by the policy group that governs each device.
  5. Specify the Service Level Agreement (SLA) time window.
    This is essentially a commitment from your organization as to how long it will take to install newly released patches. Patches that are newer than the specified value are not included in the report. For example, if you use the default value of 14 days, patches that were released less than 14 days ago will not be considered when calculating the compliance score.
  6. Select the Select policy groups tab.
    Choose the policy group(s) that you want to include in this report set. You must choose at least one policy group. You can use the check box to the left of the Policy group heading to choose all current groups. If you want to choose all current groups as well as any groups that may be added in the future, enable the Include all policy groups, including any new groups that are added in the future check box. Any devices assigned to the selected policy group(s) will be included in this report set.
  7. Select the Select patch groups and levels tab.
    Choose and configure the criteria you want to use when evaluating the devices that are assigned to the selected policy groups. You can choose one or more of the following:
    • Report against VRR: A device is determined to be compliant if it contains all patches at or above the specified VRR score.
    • Report against CVSS Score: A device is determined to be compliant if it contains all patches at or above the specified CVSS score.
    • Report against severity: A device is determined to be compliant if it contains all patches at the specified patch severity levels.
    • Report against patch groups: Select the patch group(s) that you want to use to evaluate the devices in the report set.
      • If Include patch groups is selected, a device is determined to be compliant if it contains all patches in the specified patch group(s). You must choose at least one patch group.
      • If Exclude patch groups is selected, you should choose which patch groups you DO NOT want to use when determining if a device is compliant. You must choose at least one patch group.
    If you enable and configure two or more options, the effect is additive, meaning a device must meet all configured options in order to be deemed compliant.
  8. Click either Save or Save and run report.
    If you click Save, your first compliance snapshot will be captured at the scheduled time of day. If you click Save and run report, your first snapshot will be captured immediately and subsequent snapshots will be captured at the scheduled time of day.
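
How the compliance threshold, the SLA window and the additive criteria interact can be seen by working the score out by hand. The Python below is an added example, not code from the product: the Patch and ReportSet records, the device names and the severity labels are constructed for illustration, and only the CVSS and severity options are modelled.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Patch:                      # hypothetical record of one missing patch
    released: date
    cvss: float
    severity: str

@dataclass(frozen=True)
class ReportSet:                  # hypothetical mirror of the report settings
    threshold_pct: float
    sla_days: int = 14
    min_cvss: Optional[float] = None      # None = option not enabled
    severities: frozenset = frozenset()   # empty = option not enabled

def counts_against(p, rs, today):
    """True if a missing patch makes its device non-compliant."""
    if (today - p.released).days < rs.sla_days:
        return False              # released inside the SLA window: ignored
    by_cvss = rs.min_cvss is not None and p.cvss >= rs.min_cvss
    by_severity = p.severity in rs.severities
    # Additive options: the device must satisfy each enabled option, so a
    # missing patch that falls under any one of them is enough to fail it.
    return by_cvss or by_severity

def compliance_score(devices, rs, today):
    """Return (score in percent, whether the threshold is met)."""
    ok = sum(not any(counts_against(p, rs, today) for p in missing)
             for missing in devices.values())
    score = 100.0 * ok / len(devices)
    return score, score >= rs.threshold_pct

# Constructed sample data: device name -> patches the device is missing.
TODAY = date(2024, 6, 30)
DEVICES = {
    "srv-01": [],
    "srv-02": [Patch(date(2024, 6, 25), 9.8, "Critical")],   # 5 days old
    "srv-03": [Patch(date(2024, 5, 1), 9.1, "Important")],
    "ws-01": [Patch(date(2024, 4, 10), 5.0, "Critical")],
    "ws-02": [Patch(date(2024, 3, 1), 4.0, "Low")],
}

if __name__ == "__main__":
    for rs in (ReportSet(80, min_cvss=9.0),
               ReportSet(80, min_cvss=9.0, severities=frozenset({"Critical"})),
               ReportSet(80, sla_days=0, min_cvss=9.0)):
        print(rs, compliance_score(DEVICES, rs, TODAY))
```

Enabling a second option lowers the score on the same devices, and shortening the SLA window brings the five-day-old patch on srv-02 into scope.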

Cloning an Existing Report

Cloning enables you to create a copy of the current version of a compliance report. You might clone an existing compliance report if you want to create a new report that duplicates all but a few settings in the existing report. Creating a clone and then making a few small changes is quicker and more accurate than creating a new compliance report from scratch.

Example: Assume you have a compliance report that reports on workstations that are located in North America. If you want to create a similar report for workstations that are located in Europe, you can clone the North America report and then change just the policy groups that are assigned to the cloned report.

To clone a report:

  1. In the Compliance Reporting grid, select the desired compliance report and then click Clone report.
  2. Type a descriptive name for the report.
    The default name will be "Clone of {selected compliance report}." You should provide a new name that better represents the purpose of the new report.
  3. Click Clone.
    A toast notification appears in the top right to inform you if the report has been successfully cloned. The cloned report will be displayed in the grid. The cloned report will not immediately show a compliance score because it has not yet been run.
  4. In the grid, click the report name and edit the report as necessary.
