Endpoint Vulnerability

The Endpoint Vulnerability component provides a central view of device patching for your environment. It is device-centric, meaning it shows the risk posture of each endpoint. It contains device health and risk-based metrics as well as endpoint data. Unlike the Devices view, the Endpoint Vulnerability view is meant strictly for patch management activities such as viewing data and performing patch management actions.

Endpoint Vulnerability is accessed from the main menu by selecting Patch Management > Endpoint Vulnerability. The component consists of a dashboard view along the top that contains three different charts and a summary table at the bottom.

Charts

The charts enable you to quickly assess the current patch status of your environment. Click expand chart icon to expand the chart to full screen.

Tip: You can click on any of the individual bars in a chart to filter the information in the table. This filters the table to show only the devices you are most concerned about.

  • Device health: Allows you to easily understand the percentage of devices in your environment that are in Good, Moderate, Poor, or Unknown health. The device health is calculated using the risk score, described under Device Summary.
  • Last scanned: Classifies the number of days since devices were last scanned. Endpoints in your organization that are healthy will make a best effort to report their status frequently. The process is fully automatic and is triggered by various patching and system events. Healthy endpoints will almost always report their status in less than seven days. Any endpoint that has not reported its status within the last seven days likely has some sort of issue that is preventing it from reporting and should be investigated.
  • Devices by risk: Shows the number of devices that contain at least one of the following levels of patch severity.
    • Exploited: There is at least one CVE that has a known exploit against a missing patch.
    • Security critical: At least one missing patch has a severity of Security Critical.
    • Security important: At least one missing patch has a severity of Security Important.

Device Summary

The table contains a list of all devices. The following columns are available to the table, and can be shown or hidden using the Column Chooser Column chooser icon.

  • Device name: The name of the device. You can click the name to view the Device Details page.
  • Domain: The name of the domain to which the device is currently assigned.
  • IP address: The IP address of the device.
  • Platform: The type of operating system used on the device. Supported operating systems are Windows, macOS, and Linux.
  • Operating system name: The name of the operating system used on the device.
  • Operating system version: The version of the operating system used on the device.
  • Patch configuration: The name of the patch configuration to which the device is currently assigned. You can click the name to view the configuration details.

    Tip: To quickly locate devices that have not been assigned a patch configuration, use the sort icon up arrow and down arrow to indicate the sort option in the column header to sort the column into ascending (Ascending icon) order. The entry will be blank for all devices that are not being patched by Ivanti Neurons.

  • Risk score: The maximum CVE risk for the device. The score is computed using CVSS v3 data, or CVSS v2 data if there is no v3 data. It is a normalized measure of risk on a scale of 0 to 100, with 100 being the highest risk. You can drill down to a specific patch and see the CVEs associated with it, including the VRR Group, VRR score, CVSS score, and if there are any known exploits.
    The traffic light indicator icon that is located immediately to the left of the score provides a visual representation as to the relative risk health of the device. The indicator colors are:
    • Red = Poor, representing a risk score that is greater than or equal to 70
    • Yellow = Moderate, representing a risk score that is in the range 40 - 69
    • Green = Good, representing a risk score that is less than 40
    • Gray = Unknown, meaning there is no patch scan data from that device. This is because it is waiting for a scan to run, the scan results to be processed, or it is not managed by a supported patch product.
  • Missing patches: The number of patches that are missing on the device. You can click the number to view detailed information about the missing patches.
  • Exploited: Shows a bug icon orange exploit bug icon if at least one of the missing patches has been exploited. Click the numbered link to view more details.
  • Security critical: The number of Security Critical patches that are missing on the device.
  • Security important: The number of Security Important patches that are missing on the device.
  • Management: Shows the source of the device data and indicates how the device is being managed. This can be from a connector to an on-premise product, it can be natively from the Cloud, or both.
    • Desktop & Server Management: The device is being managed by Ivanti Desktop & Server Management and the data is being pulled in via a connector.
    • Endpoint Manager: The device is being managed by Ivanti Endpoint Manager and the data is being pulled in via a connector.
    • Endpoint Security: The device is being managed by Ivanti Endpoint Security and the data is being pulled in via a connector.
    • Ivanti Neurons: The device is being supported by cloud-native Ivanti Neurons for Patch Management.
    • Patch for Config Manager: The device is being managed by Ivanti Patch for Configuration Manager and the data is being pulled in via a connector.
    • Patch for Intune: The device is being managed by Ivanti Patch for Intune and the data is being pulled in via a connector.
    • Security Controls: The device is being managed by Ivanti Security Controls and the data is being pulled in via a connector.
  • Last patch scan: The date the device was last scanned for missing patches.
  • Last patch install: The date of the last patch install for the device.
  • Policy group: The agent policy group to which the device is currently assigned. You can click the name to view the policy configuration.

Use the dashboard charts and the table to quickly determine which devices you need to focus on and investigate.

Actions

Actions are available for devices managed natively from Ivanti Neurons (the Cloud) and for devices managed on-premise by Ivanti Endpoint Manager or Ivanti Security Controls.

  • For devices that are being managed from the Cloud: A command will be issued to the listening agent on the selected device to initiate an on demand patch scan or deployment.
  • For devices that are being managed by an Ivanti Endpoint Manager or Ivanti Security Controls on-premise console: A command will be issued via the connector to the on-premise console to initiate the patch deployment.

You can perform the following actions on the devices in the table.

On demand patch deployments are currently only supported on Windows devices.

  • Scan now: This command works only for devices that are managed from the Cloud. It initiates a patch scan for all missing patches on the selected devices. An on demand task is initiated on each client agent and the results are reported to the Device > Patches page and to Endpoint Vulnerability.
    When the patch scan is complete, a notification is displayed in the Neurons Platform notification area notification icon.
  • Deploy missing patches: This command works for devices that are managed from the Cloud and for devices managed by either Ivanti Endpoint Manager or Ivanti Security Controls. After confirmation that you want to override the current policy settings, it initiates a patch deployment of all patches identified as missing during the most recent patch scan on the selected devices. If a device is managed both from the Cloud and by an on-premise product, the deployment command will be issued through the Cloud. The deployment results are reported to Endpoint Vulnerability, Deployment History and the Device > Patches page.
  • If a reboot of a device is required, Ivanti Neurons will handle this centrally to prevent conflicts from other features. This means that the reboot may not be instant when requested.

    Deployment Requirements:

    • You must have the necessary permissions to deploy patches. To set this up, go to Admin > Access Control > Roles and click the role you want to configure. On the Permissions tab, click Global Actions > Deploy Patch.
    • If you have an Endpoint Manager or Security Controls connector, the following must be configured before attempting to deploy patches:
      • An Endpoint Manager or Security Controls connector has been added and has Action Details configured.
      • Connector has run and published patch scan data to the Neurons Platform.
  • Deploy by Patch Group (Windows and Mac only): This command works only for devices that are managed from the Cloud. For the selected devices, it initiates a patch deployment of the patches that are contained within the specified patch group. The deployment results are reported to Endpoint Vulnerability, Deployment History and the Device > Patches page.
  • Reboot and deployment requirements are the same as those described for the Deploy missing patches option.

Devices can also be scanned on demand using the stagentctl command-line utility.

Filter, Sort, Search and Export

Related topics

Patch Management Overview

Patch Intelligence

Deployment History

Patch Settings