Endpoint Vulnerability
The Endpoint Vulnerability component provides a central view of device patching for your environment. It is device-centric, meaning it shows the risk posture of each endpoint. It contains device health and risk-based metrics as well as endpoint data. Unlike the Devices view, the Endpoint Vulnerability view is meant strictly for patch management activities such as viewing data and performing patch management actions.
Endpoint Vulnerability is accessed from the main menu by selecting Patch Management > Endpoint Vulnerability. The component consists of a dashboard view along the top that contains three different charts and a summary table at the bottom.
Charts
The charts enable you to quickly assess the current patch status of your environment. Click the expand icon on a chart to view it at full screen.
You can click on any of the individual bars in a chart to filter the information in the table. This filters the table to show only the devices you are most concerned about.
- Device health: Allows you to easily understand the percentage of devices in your environment that are in Good, Moderate, Poor, or Unknown health. The device health is calculated using the risk score, described under Device Summary.
- Last scanned: Classifies the number of days since devices were last scanned. Endpoints in your organization that are healthy will make a best effort to report their status frequently. The process is fully automatic and is triggered by various patching and system events. Healthy endpoints will almost always report their status in less than seven days. Any endpoint that has not reported its status within the last seven days likely has some sort of issue that is preventing it from reporting and should be investigated.
- Devices by risk: Shows, for each of the following severity levels, the number of devices with at least one missing patch at that level.
- Exploited: There is at least one CVE that has a known exploit against a missing patch.
- Security critical: At least one missing patch has a severity of Security Critical.
- Security important: At least one missing patch has a severity of Security Important.
Device Summary
The table contains a list of all devices. The following columns are available to the table and can be shown or hidden using the Column Chooser.
- Device name: The name of the device. You can click the name to view the Device Details page.
- Domain: The name of the domain to which the device is currently assigned.
- IP address: The IP address of the device.
- Platform: The type of operating system used on the device. Supported operating systems are Windows, macOS, and Linux.
- Operating system name: The name of the operating system used on the device.
- Operating system version: The version of the operating system used on the device.
- Patch configuration: The name of the patch configuration to which the device is currently assigned. You can click the name to view the configuration details.
Tip: To quickly locate devices that have not been assigned a patch configuration, use the sort icon in the column header to sort the column into ascending order. The entry is blank for all devices that are not being patched by Ivanti Neurons.
- Risk score: The maximum CVE risk for the device. The score is computed from the highest available CVSS version of the Base Score (for example, v3 is used if there is no v4 score) and is normalized to a scale of 0 to 100, with 100 being the highest risk. You can drill down to a specific patch and see the CVEs associated with it, including the VRR Group, VRR score, CVSS score, and whether there are any known exploits.
The traffic light indicator icon located immediately to the left of the score provides a visual representation of the relative risk health of the device. The indicator colors are:
- Red = Poor, representing a risk score that is greater than or equal to 70
- Yellow = Moderate, representing a risk score that is in the range 40 - 69
- Green = Good, representing a risk score that is less than 40
- Gray = Unknown, meaning there is no patch scan data from that device. This is because it is waiting for a scan to run, the scan results to be processed, or it is not managed by a supported patch product.
- Missing patches: The number of patches that are missing on the device. You can click the number to view detailed information about the missing patches.
- Exploited: Shows a bug icon if at least one of the missing patches has a known exploit. Click the numbered link to view more details.
- Security critical: The number of Security Critical patches that are missing on the device.
- Security important: The number of Security Important patches that are missing on the device.
- Management: Shows the source of the device data and indicates how the device is being managed. This can be from a connector to an on-premise product, it can be natively from the Cloud, or both.
- Desktop & Server Management: The device is being managed by Ivanti Desktop & Server Management and the data is being pulled in via a connector.
- Endpoint Manager: The device is being managed by Ivanti Endpoint Manager and the data is being pulled in via a connector.
- Endpoint Security: The device is being managed by Ivanti Endpoint Security and the data is being pulled in via a connector.
- Ivanti Neurons: The device is being supported by cloud-native Ivanti Neurons for Patch Management.
- Patch for Config Manager: The device is being managed by Ivanti Patch for Configuration Manager and the data is being pulled in via a connector.
- Patch for Intune: The device is being managed by Ivanti Patch for Intune and the data is being pulled in via a connector.
- Security Controls: The device is being managed by Ivanti Security Controls and the data is being pulled in via a connector.
- Last patch scan: The date the device was last scanned for missing patches.
- Last patch install: The date of the last patch install for the device.
- Policy: The agent policy to which the device is currently assigned. You can click the name to view the policy configuration.
Use the dashboard charts and the table to quickly determine which devices you need to focus on and investigate.
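The risk score and traffic-light thresholds described above, worked through as an added example (this is not Ivanti documentation or product code). The page states only that the score is a normalized 0-100 measure taken from the highest available CVSS Base Score version; scaling the 0-10 CVSS value by 10 is this example's assumption, and the device and CVSS data are constructed, with no real CVE identifiers.

```python
from typing import Optional

# Added example (not Ivanti code). CVSS values are constructed and carry no real
# CVE identifiers. Assumption: the page's normalized 0-100 risk score is modelled
# as the CVSS Base Score (0-10) multiplied by 10.


def cve_base_score(cve: dict) -> Optional[float]:
    """Return the CVSS Base Score from the highest version present (v4, else v3)."""
    for key in ("cvss_v4", "cvss_v3"):
        if cve.get(key) is not None:
            return float(cve[key])
    return None


def device_risk_score(missing_patches: Optional[list]) -> Optional[int]:
    """Maximum CVE risk across all missing patches, on the 0-100 scale.

    None means no patch scan data yet (the Unknown state); an empty list means
    the device was scanned and is missing nothing, which scores 0.
    """
    if missing_patches is None:
        return None
    highest = 0.0
    for patch in missing_patches:
        for cve in patch.get("cves", []):
            score = cve_base_score(cve)
            if score is not None:
                highest = max(highest, score)
    return round(highest * 10)  # assumption: 0-10 CVSS scaled to 0-100


def health(score: Optional[int]) -> str:
    """Traffic-light classification using the thresholds on this page."""
    if score is None:
        return "Unknown"   # gray: no scan data
    if score >= 70:
        return "Poor"      # red
    if score >= 40:
        return "Moderate"  # yellow
    return "Good"          # green


# Constructed devices. A CVE that carries both v4 and v3 scores uses the v4
# value, even when its v3 value is higher, because v4 is the highest version.
SAMPLE_DEVICES = {
    "ws-a": [
        {"cves": [{"cvss_v3": 7.5}, {"cvss_v3": 9.8, "cvss_v4": 8.7}]},
        {"cves": [{"cvss_v3": 5.3}]},
    ],
    "ws-b": [{"cves": [{"cvss_v3": 4.0}]}],   # boundary: 40 is Moderate
    "ws-c": [{"cves": [{"cvss_v3": 3.9}]}],   # 39 is Good
    "ws-d": [],                                # scanned, nothing missing
    "ws-e": None,                              # waiting for its first scan
}


def classify_all(devices: dict) -> dict:
    """Map each device to (risk score, health), as the Device health chart buckets them."""
    result = {}
    for name, patches in devices.items():
        score = device_risk_score(patches)
        result[name] = (score, health(score))
    return result


if __name__ == "__main__":
    for name, (score, state) in classify_all(SAMPLE_DEVICES).items():
        print(f"{name}: risk={score} health={state}")
```

The `ws-a` device scores 87 (Poor) because the CVE with both scores contributes its v4 value of 8.7, not its v3 value of 9.8; `ws-e` has no scan data and lands in the gray Unknown bucket rather than being scored 0.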
Actions
Actions are available for devices managed natively from Ivanti Neurons (the Cloud) and for devices managed on-premise by Ivanti Endpoint Manager or Ivanti Security Controls.
- For devices that are being managed from the Cloud: A command will be issued to the listening agent on the selected device to initiate an on demand patch scan or deployment.
- For devices that are being managed by an Ivanti Endpoint Manager or Ivanti Security Controls on-premise console: A command will be issued via the connector to the on-premise console to initiate the patch deployment.
You can perform the following actions on the devices in the table.
On demand patch deployments are currently only supported on Windows devices.
- Scan now: This command works only for devices that are managed from the Cloud. It initiates a patch scan for all missing patches on the selected devices. An on demand task is initiated on each client agent and the results are reported to the Device > Patches page and to Endpoint Vulnerability.
When the patch scan is complete, a notification is displayed in the Neurons Platform notification area.
- Deploy missing patches: This command works for devices that are managed from the Cloud and for devices managed by either Ivanti Endpoint Manager or Ivanti Security Controls. After confirmation that you want to override the current policy settings, it initiates a patch deployment of all patches identified as missing during the most recent patch scan on the selected devices. If a device is managed both from the Cloud and by an on-premise product, the deployment command will be issued through the Cloud. The deployment results are reported to Endpoint Vulnerability, Deployment History and the Device > Patches page.
- You must have the necessary permissions to deploy patches. To set this up, go to Admin > Access Control > Roles and click the role you want to configure. On the Permissions tab, click Global Actions > Deploy Patch.
- If you have an Endpoint Manager or Security Controls connector, the following must be configured before attempting to deploy patches:
- An Endpoint Manager or Security Controls connector has been added and has Action Details configured.
- Connector has run and published patch scan data to the Neurons Platform.
- Deploy by Patch Group: This command works only for devices that are managed from the Cloud. For the selected devices, it initiates a patch deployment of the patches that are contained within the specified patch group. The deployment results are reported to Endpoint Vulnerability, Deployment History and the Device > Patches page.
- Reset retry counts: Resets all patch retry counts on the selected endpoints.
If a reboot of a device is required, Ivanti Neurons will handle this centrally to prevent conflicts from other features. This means that the reboot may not be instant when requested.
Deployment Requirements:
Reboot and deployment requirements are the same as those described for the Deploy missing patches option.
Devices can also be scanned on demand using the stagentctl command-line utility.
Filter, Sort, Search and Export
Filters: Toggles the Smart Filters area, directly above the table, on and off. The area shows the filters that are currently applied to the table.
Information displayed within the table can be easily filtered to narrow the focus to only those devices of interest. One way to do this is by using the Smart Filter. The Smart Filter contains several default filters. You can also define your own custom filters.
Default Filters
The Smart Filter contains several default filters. Default filters cannot be modified or deleted. The default filters include the following:
- Last 14 Days: Only those devices that were scanned within the last 14 days are displayed.
- Last 7 Days: Only those devices that were scanned within the last seven days are displayed.
- Missing at least one patch: Only those devices that are missing at least one patch are displayed.
Custom Filters
You can create your own custom filters. This is a powerful tool that enables you to specify exactly which entries you want displayed. Each custom filter is comprised of one or more rules. You can define as many rules in a filter as needed.
To create a new filter:
- Click Filters. The Smart Filter definition area is displayed above the table.
- Filter the table to a defined set of devices using the column filters and any existing Smart Filters.
- Select Smart filters > Add new smart filter from current. The new filter is created based on the filtering criteria used in the current table.
- Type a descriptive name for the filter.
- Click Add filter.
To delete a smart filter, select Smart filters > Delete existing smart filter, then select the filter you want to delete from the list. On the confirmation dialog, select Delete to remove the filter from the saved list.
Select the sort icon in any column header to sort into ascending or descending order. To remove the sorting, right-click the column header and select Clear Sorting from the context menu.
Enter a keyword into the Search field to show only the devices whose row contains the keyword. The match is case-insensitive and is made against the text in all columns of the table.
To remove a search filter, click the clear filters icon.
Export: Enables you to export the contents of the table to a CSV file. You can choose to export all items in the table or just selected items.
The CSV file is created using ISO standard formats (for example, for dates) and is stored in your local Downloads folder. If you open the file in Excel, the data can be converted to the locale of the device so that it can be viewed in a more human-readable format.
Any sorting or filtering applied to the table is retained in the exported output. All columns are included regardless of what has been selected in the Column Chooser.
To export all items in the table: Select Export > All.
To export selected items in the table: Select the first column check box for the devices you want to export and then select Export > Selected.
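The export is the natural input for scripted triage of the conditions this page tells you to look for: devices that have not reported a scan within seven days (the Last scanned chart), devices with a blank Patch configuration (the Tip under that column), and devices with a known exploit against a missing patch. The following is an added example, not Ivanti documentation or product code. It assumes the column names listed on this page, ISO 8601 timestamps in the date columns, that the Exploited column exports as Yes/No, and that an empty cell means no data yet; the sample rows and the fixed "current time" are constructed for the demo.

```python
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import Optional

# Added example (not Ivanti code). Constructed sample of an Endpoint Vulnerability
# CSV export: the column names are the ones listed on this page; the device names,
# addresses, scores and ISO 8601 timestamps are made up. Assumptions: the Exploited
# column exports as Yes/No, and an empty cell means "no data yet".
SAMPLE_EXPORT = """\
Device name,Domain,IP address,Platform,Patch configuration,Risk score,Missing patches,Exploited,Security critical,Security important,Management,Last patch scan,Last patch install
WS-0101,corp.example,10.0.1.15,Windows,Workstations - Weekly,85,12,Yes,3,4,Ivanti Neurons,2024-05-09T08:12:00Z,2024-05-02T21:00:00Z
SRV-DB01,corp.example,10.0.2.5,Windows,Servers - Monthly,62,4,No,1,2,Security Controls,2024-05-01T02:30:00Z,2024-04-15T03:00:00Z
MAC-ENG07,corp.example,10.0.3.22,macOS,,38,2,No,0,1,Ivanti Neurons,2024-05-08T17:45:00Z,2024-05-08T18:10:00Z
LNX-BUILD02,corp.example,10.0.4.9,Linux,,,,,,,Endpoint Manager,,
"""

# Fixed "current time" so the run is deterministic (an assumption for the demo).
NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)
MAX_SCAN_AGE = timedelta(days=7)  # healthy endpoints report within seven days


def parse_timestamp(value: str) -> Optional[datetime]:
    """ISO 8601 timestamp from the export, or None for an empty cell."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_export(text: str) -> list:
    """Read the CSV export into dicts with typed Risk score, Exploited and scan time."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        row = dict(raw)
        row["Risk score"] = int(raw["Risk score"]) if raw["Risk score"] else None
        row["Exploited"] = raw["Exploited"].strip().lower() in ("yes", "true", "1")
        row["Last patch scan"] = parse_timestamp(raw["Last patch scan"])
        rows.append(row)
    return rows


def is_stale(row: dict, now: datetime = NOW) -> bool:
    """True when the device has never reported or last scanned more than 7 days ago."""
    last = row["Last patch scan"]
    return last is None or now - last > MAX_SCAN_AGE


def triage(rows: list, now: datetime = NOW) -> list:
    """Flag each device and order the list the way an analyst would work it:
    highest risk first, devices with no score (Unknown health) last."""
    report = []
    for row in rows:
        flags = []
        if is_stale(row, now):
            flags.append("stale-scan")        # investigate the agent or connector
        if not row["Patch configuration"]:
            flags.append("no-patch-config")   # not being patched by Ivanti Neurons
        if row["Exploited"]:
            flags.append("exploited")         # known exploit against a missing patch
        report.append({"device": row["Device name"], "risk": row["Risk score"], "flags": flags})
    report.sort(key=lambda r: (r["risk"] is None, -(r["risk"] or 0)))
    return report


if __name__ == "__main__":
    for entry in triage(parse_export(SAMPLE_EXPORT)):
        print(f'{entry["device"]:<12} risk={entry["risk"]!s:<5} {" ".join(entry["flags"])}')
```

A device that has never reported (empty Last patch scan) is treated as stale rather than skipped, since the page says any endpoint silent for more than seven days should be investigated; the never-scanned Linux build host therefore surfaces with both the stale-scan and no-patch-config flags, while the sort keeps the exploited, highest-risk workstation at the top of the list.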