Compliance Reporting

The Compliance Reporting page shows the compliance scores for your various report sets. With a quick glance, you can instantly determine the current compliance status of your devices and see how you are trending over time. The information provided on this page is extremely useful when reviewing your compliance history with a regulatory auditor.

In the beginning, you might elect to create just one report set that contains all of your devices. As you grow more comfortable with this feature, you may realize the benefits of creating multiple report sets. For example, you might create one report set for high risk devices such as servers and another report set for low risk devices. Or, you may choose to create report sets that consist of similar policies, such as server policies, staging policies, etc. You can archive and restore report sets using the Action menu. Archived reports do not run.

The Compliance Reporting page is accessed from the main menu by selecting Patch Management > Compliance Reporting.

About the Grid

The Compliance Reporting grid shows compliance information for your report sets. You can export the contents of the grid to a CSV file.

  • Report set: Represents a combination of two items:
    • One or more policies (this defines the devices that are contained in the report set)
    • One or more patch groups and levels against which the policies are evaluated

    You can click a report set name to view details about the report configuration.

  • Compliance score: Shows the current compliance score for the associated report set. The score is the percentage of all devices in the report set that are compliant against the patch group and level criteria defined in the report set.
  • Compliance threshold: Shows the percentage of devices that must meet the patching criteria in order to meet the goals for the report set.
  • Endpoints: Shows the number of devices that returned scan results when the report last ran.
  • Last run: Shows the date and time the report was last run.
  • Compliance history: Provides a graphical representation of the compliance score over a period of time. The purple line in the chart shows the compliance score over time. The yellow line shows the compliance threshold over time. You can click the report set name to view an expanded version of the chart.
  • First run: Shows the date that the report was first generated.
  • Last edited: Shows the date and time the report set was last edited.
  • Report status: Indicates if the report is active or archived.

Report Details

If you click a report set name, a detailed view of the report set is provided. This enables you to view the current configuration of a report and to make modifications. If you want to make modifications, click the Edit button located in the top-right corner of the page.

You must have a role with the Patch Management > Compliance Reporting > Create & Modify Compliance Reports permission to edit compliance reports. For information about roles and permissions, see Access Control.

View by device group

By default, the report shows results for all devices. However, you can update the report to display results only for selected device groups. For information about managing device groups, see Devices.

To filter a compliance report by device group:

  1. Turn on the View by device group toggle.
    The Select device groups panel appears.
  2. Select the device groups you want to filter the report by, then click Apply.
    The report updates. The groups the report is filtered by appear above the summary.
  3. To change the device groups the report is filtered by, click the groups listed above the summary.

Summary

At the top of the page is a panel that provides information about the report, including the time of day at which it is scheduled to be recorded, the date and time it actually last ran, its compliance threshold, the patch levels included, which patch groups are excluded, and which policies are included.

Chart

Below the Summary panel is an expanded view of the Compliance History chart. The yellow line shows the compliance threshold, which is the goal you have set for this report set. The purple line shows the compliance score, which is the percentage of all devices in the report set that are in compliance.

You can:

  • Use the scroll bar to view earlier dates in the chart
  • Specify the date range you want displayed on the chart
  • Hover over a data point to see a summary of the compliance status at that moment in time

Device Grid

The area at the bottom of the page contains a grid that shows the list of all devices associated with the report, including those that returned no data or have recently been added. You can export the contents of the grid to a CSV file.

  • Device name: The name of one of the devices in the report set.
    You can click a device name to view detailed compliance information about that device. The device view contains three sections:
    • The top section displays summary information about the device.
    • The middle section contains a Patch status over time chart that shows when the device was in or out of compliance. You can use the menu in the upper right to change the date range. If you click a date in the chart, the grid in the bottom section will display information for just that date.
    • The bottom section contains a Patch State on today's date device information grid. You can use the column headers to sort or filter the information in the grid.
  • Platform: The type of operating system used on the device. Supported operating systems are Windows, macOS, and Linux.
  • Latest compliance status: Shows if the device is in compliance. The possible values are Compliant, Not compliant, No report data and No scan data.
  • Policy: Shows the name of the policy that is assigned to the device.
  • Last updated: Shows the date that the compliance score was last updated for the device.

How to Create a New Report

  1. In the Compliance reporting grid, click Create report.
  2. Type a descriptive name for the report.
  3. Specify the time of day you want the report snapshot to be captured.
    You may want to specify a time that is after any regularly scheduled deployments or maintenance windows so that you get the most current snapshot of your compliance status.
  4. Specify the Compliance threshold.
    The Compliance threshold defines the level of patching you require in order to be considered compliant with your goals. The value is defined as a percentage and establishes the Y axis on the report charts. Example: If you specify 80%, it means you require that at least 80% of the devices in the report set must meet the criteria defined by the policy that governs each device.
  5. Specify the Service Level Agreement (SLA) time window.
    This is essentially a commitment from your organization as to how long it will take to install newly released patches. Patches that are newer than the specified value are not included in the report. For example, if you use the default value of 14 days, patches that were released less than 14 days ago will not be considered when calculating the compliance score.
  6. Select the Select policies tab.
    Choose the policy or policies that you want to include in this report set. You must choose at least one policy. You can use the check box to the left of the Policy heading to choose all current policies. If you want to choose all current policies as well as any policies that may be added in the future, enable the Include all policies, including any new policies that are added in the future check box. Any devices that have the selected policy assigned to them will be included in this report set.
  7. Select the Select patch groups and levels tab.
    Choose and configure the criteria you want to use when evaluating the devices that are assigned to the selected policies. You can choose one or more of the following:
  8. If you enable and configure two or more options, the effect is additive, meaning a device must meet all configured options in order to be deemed compliant.

    • Report against VRR: A device is determined to be compliant if it contains all patches at or above the specified VRR score.
    • Report against CVSS Score: A device is determined to be compliant if it contains all patches at or above the specified CVSS score.
    • Report against severity: A device is determined to be compliant if it contains all patches at the specified patch severity levels.
    • Report against patch groups: Select the patch group(s) that you want to use to evaluate the devices in the report set.
      • If Include patch groups is selected, a device is determined to be compliant if it contains all patches in the specified patch group(s). You must choose at least one patch group.
      • If Exclude patch groups is selected, you should choose which patch groups you DO NOT want to use when determining if a device is compliant. You must choose at least one patch group.
  9. Click either Save or Save and run report.
    If you click Save, your first compliance snapshot will be captured at the scheduled time of day. If you click Save and run report, your first snapshot will be captured immediately and subsequent snapshots will be captured at the scheduled time of day.
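
The following is an added example, not the product's own code. It models how the SLA time window, the additive criteria, and the Compliance threshold described in the steps above combine into a score. The record types, field names, sample devices, and severity labels are constructed assumptions; patch groups are left out, and only devices that returned scan results are modeled.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class MissingPatch:          # hypothetical record: one patch a device lacks
    released: date
    vrr: float
    cvss: float
    severity: str

@dataclass(frozen=True)
class Criteria:              # hypothetical model of the report's settings
    sla_days: int = 14
    min_vrr: Optional[float] = None      # None = option not enabled
    min_cvss: Optional[float] = None
    severities: frozenset = frozenset()

def counts_against(p, c, today):
    """True if a missing patch makes its device non-compliant."""
    if (today - p.released).days < c.sla_days:
        return False                     # still inside the SLA window
    # Options are additive: failing any enabled option fails the device.
    return ((c.min_vrr is not None and p.vrr >= c.min_vrr)
            or (c.min_cvss is not None and p.cvss >= c.min_cvss)
            or p.severity in c.severities)

def compliance_score(devices, c, today):
    """Percentage of devices with no in-scope missing patch."""
    ok = sum(not any(counts_against(p, c, today) for p in missing)
             for missing in devices.values())
    return round(100 * ok / len(devices), 1)

def meets_threshold(score, threshold):
    return score >= threshold

TODAY = date(2024, 6, 20)    # constructed snapshot date
DEVICES = {                  # constructed sample data
    "srv-01": [],
    "srv-02": [MissingPatch(date(2024, 6, 15), 9.0, 9.8, "Critical")],
    "ws-03": [MissingPatch(date(2024, 5, 1), 8.5, 5.0, "Moderate")],
    "ws-04": [MissingPatch(date(2024, 4, 1), 3.0, 4.0, "Low")],
    "ws-05": [MissingPatch(date(2024, 6, 6), 8.0, 8.0, "Important")],
}

if __name__ == "__main__":
    both = Criteria(min_vrr=7.0, min_cvss=7.0)
    cvss_only = Criteria(min_cvss=7.0)
    for label, c in (("VRR+CVSS", both), ("CVSS only", cvss_only)):
        s = compliance_score(DEVICES, c, TODAY)
        print(label, s, "meets 80%:", meets_threshold(s, 80))
```

In this sample, enabling the VRR option alongside CVSS lowers the score, because ws-03 lacks a patch that is below the CVSS cutoff but above the VRR cutoff. srv-02 stays compliant despite a missing critical patch because that patch is still inside the 14-day SLA window.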

Cloning an Existing Report

Cloning enables you to create a copy of the current version of a compliance report. You might clone an existing compliance report if you want to create a new report that duplicates all but a few settings in the existing report. Creating a clone and then making a few small changes is quicker and more accurate than creating a new compliance report from scratch.

Example: Assume you have a compliance report that reports on workstations that are located in North America. If you want to create a similar report for workstations that are located in Europe, you can clone the North America report and then change just the policies that are assigned to the cloned report.

To clone a report:

  1. In the Compliance reporting grid, select the desired compliance report and then click Actions > Clone report.
  2. Type a descriptive name for the report.
    The default name is "Clone of {selected compliance report}." Provide a new name that better represents the purpose of the new report.
  3. Click Clone.
    A toast notification appears in the top right to inform you if the report has been successfully cloned. The cloned report appears in the grid but does not immediately show a compliance score because it has not yet been run.
  4. In the grid, click the report name and edit the report as necessary.

Archiving, Restoring, and Deleting

You can archive report sets that you no longer want to run, and restore them later if required. Archived reports can be deleted.

To archive a report, in the Compliance Reporting grid, select it then click Actions > Archive report. After confirming the action, the report is set to Archived and no longer runs. You can delete archived reports using Actions > Delete report. Deleted reports cannot be recovered.

To restore an archived report, select it then click Actions > Restore report. Restored reports have blank entries for the period when they were archived.

You can filter the Compliance Reporting grid by Report status to show or hide archived reports.

Export, Filter, Sort and Search

Related topics

Patch Management Overview

Endpoint Vulnerability

Patch Intelligence

Deployment History

Patch Settings