Endpoint Vulnerability

Overview

The Endpoint Vulnerability component provides a central view of device patching for your environment. It is device-centric, meaning it shows the risk posture of each endpoint. It contains device health and risk-based metrics as well as endpoint data. Unlike the Devices view, the Endpoint Vulnerability view is meant strictly for patch management activities such as viewing data and performing patch management actions.

Endpoint Vulnerability is accessed from the main menu by selecting Patch Management > Endpoint Vulnerability. The component consists of a dashboard view along the top that contains three different charts and a summary table at the bottom.

Charts

The charts enable you to quickly assess the current patch status of your environment.

Tip: You can click on any of the individual bars in a chart to filter the information in the table. This filters the table to show only the devices you are most concerned about.

  • Device health: Allows you to easily understand the percentage of devices in your environment that are in Good, Moderate or Poor health. The device health is calculated using the risk score.
  • Last scanned: Classifies the number of days since devices were last scanned. Endpoints in your organization that are healthy will make a best effort to report their status frequently. The process is fully automatic and is triggered by various patching and system events. Healthy endpoints will almost always report their status in less than seven days. Any endpoint that has not reported its status within the last seven days likely has some sort of issue that is preventing it from reporting and should be investigated.
  • Devices by risk: Shows the number of devices that contain at least one of the following levels of patch severity.
    • Exploited: There is at least one CVE that has a known exploit against a missing patch.
    • Security critical: At least one missing patch has a severity of Security Critical.
    • Security important: At least one missing patch has a severity of Security Important.

Device Summary

The table contains a list of all devices. By default, the table contains the following columns and is sorted by the Last patch scan date. Additional columns are available using the Column Chooser .

  • Device name: The name of the device. You can click the name to view the Device Details page.
  • Patch configuration: The name of the patch configuration to which the device is currently assigned. You can click the name to view the configuration details.

    Tip: To quickly locate devices that have not been assigned a patch configuration, use the sort iconup arrow and down arrow to indicate the sort optionin the column header to sort the column into ascending (Ascending icon) order. The entry will be blank for all devices that are not being patched by Ivanti Neurons.

  • Risk score: The maximum CVE risk for the device. The score is computed using CVSS V2 and V3 data. It is a normalized measure of risk on a scale of 0 to 100, with 100 being the highest risk.
    The traffic light indicator icon that is located immediately to the left of the score provides a visual representation as to the relative risk health of the device. The indicator colors are:
    • Red = Poor, representing a risk score that is greater than or equal to 70
    • Yellow = Moderate, representing a risk score that is in the range 40 - 69
    • Green = Good, representing a risk score that is less than 40
  • Missing patches: The number of patches that are missing on the device. You can click the number to view detailed information about the missing patches.
  • Exploited: Shows a bug icon orange exploit bug icon if at least one of the missing patches has been exploited. Click the numbered link to view more details.
  • Management: Shows the source of the device data and indicates how the device is being managed. This can be from a connector to an on-premise product, it can be natively from the Cloud, or both.
    • Ivanti Neurons: The device is being supported by cloud-native Ivanti Neurons for Patch Management
    • Ivanti Endpoint Manager: The device is being managed by Ivanti Endpoint Manager and the data is being pulled in via a connector.
    • Ivanti Patch for Microsoft Endpoint Manager: The device is being managed by Ivanti Patch for Microsoft Endpoint Manager (MEM) and the data is being pulled in via a connector.
    • Ivanti Security Controls: The device is being managed by Ivanti Security Controls and the data is being pulled in via a connector.
    • Ivanti Endpoint Security: The device is being managed by Ivanti Endpoint Security and the data is being pulled in via a connector.
    • Ivanti Desktop & Server Management: The device is being managed by Ivanti Desktop & Server Management and the data is being pulled in via a connector.
  • Last patch scan: The date the device was last scanned for missing patches.
  • Policy group: The agent policy group to which the device is currently assigned. You can click the name to view the policy configuration.

Use the dashboard charts and the table to quickly determine which devices you need to focus on and investigate.

Actions

Actions are available for devices managed natively from Ivanti Neurons (the Cloud) and for devices managed on-premise by Ivanti Endpoint Manager or Ivanti Security Controls.

  • For devices that are being managed from the Cloud: A command will be issued to the listening agent on the selected device to initiate an on demand patch scan or deployment.
  • For devices that are being managed by an Ivanti Endpoint Manager or Ivanti Security Controls on-premise console: A command will be issued via the connector to the on-premise console to initiate the patch deployment.

You can perform the following actions on the devices in the table. Each action can only be performed on one device at a time. If you select multiple devices, the actions will become unavailable.

  • Deploy missing patches: This command works for devices that are managed from the Cloud and for devices managed by either Ivanti Endpoint Manager or Ivanti Security Controls. It initiates a patch deployment of all missing patches on the selected device, where the patches are those identified as missing during the most recent patch scan. If the device is managed both from the Cloud and by an on-premise product, the deployment command will be issued through the Cloud. The deployment results are reported to Endpoint Vulnerability, Deployment History and the Device > Patches page.

    • If a reboot of the device is required, it will occur immediately following the successful deployment of the patches unless there is an active user on the device. If a user is logged on to the device, they will receive a 1-hour countdown timer that notifies them of the pending reboot. The user will have the ability to extend the time-out by 10 minutes. The reboot action will be forced after one day.

    Deployment Requirements:

    • You must have the necessary permissions to deploy patches. To set this up, go to Admin > Access Control > Roles and click the role you want to configure. On the Permissions tab, click Global Actions > Deploy Patch.
    • If you have an Endpoint Manager or Security Controls connector, the following must be configured before attempting to deploy patches:
      • An Endpoint Manager or Security Controls connector has been added and has Action Details configured.
      • Connector has run and published patch scan data to the Neurons Platform.
  • Scan now: This command works only for devices that are managed from the Cloud. It initiates a patch scan for all missing patches on the selected device. An on demand task is initiated on the client agent and the results are reported to the Device > Patches page and to Endpoint Vulnerability. When the patch scan is complete, a notification is displayed in the Neurons Platform notification area notification icon.

Filter, Sort, Search and Export

Toggles on and off the Smart Filters area directly above the table. Enables you to see the filters that are currently applied to the table.

Information displayed within the table can be easily filtered to narrow the focus to only those devices of interest. One way to do this is by using the Smart Filter. The Smart Filter contains several default filters. You can also define your own custom filters.

Default Filters

The Smart Filter contains several default filters. Default filters cannot be modified or deleted. The default filters include the following:

  • Last 14 Days: Only those devices that were scanned within the last 14 days are displayed.
  • Last 7 Days: Only those devices that were scanned within the last seven days are displayed.
  • Missing at least one patch: Only those devices that are missing at least one patch are displayed.

Custom Filters

You can create your own custom filters. This is a powerful tool that enables you to specify exactly which entries you want displayed. Each custom filter is comprised of one or more rules. You can define as many rules in a filter as needed.

To create a new filter:

  1. Click Filters.
    The Smart Filter definition area is displayed above the table.
  2. Filter the table to a defined set of devices.
    Do this using the column filters and any existing Smart Filters.
  3. Select Smart filters > Add new smart filter from current.
    The new filter is created based on the filtering criteria used in the current table.
  4. Type a descriptive name for the filter.
  5. Click Add filter.

Select the sort iconup arrow and down arrow to indicate the sort optionin any column header to sort into ascending (Ascending icon) or descending (Descending icon) order. To remove the sorting, right-click the column header and select Clear Sorting from the context menu.

Use the Search field to enter a keyword; the list will then only show patches that contain the keyword. The keyword is matched to any case-insensitive text found from within all of the patches.

To remove a search filter, click the clear filters iconfunnel with a cross to indicate clear any applied filters.

Enables you to export the contents of the table to a CSV file. You can choose to export all items in the table or just selected items.

The CSV file is created using ISO standards and is stored in your local Downloads folder. If you use Excel to view the file, the data can be converted to the locale of the machine so that it can be viewed in a more human-readable format.

Any sorting or filtering applied to the patches will be retained in the exported output. All columns will be included regardless of what has been selected in the Column Chooser.

To export all items in the table: Select Export > All.

To export selected items in the table: Select the first column check box for the devices you want to export and then select Export > Selected.

Related topics

Patch Management Overview

Patch Intelligence

Deployment History

Patch Settings