Ivanti Patch Intelligence gathers and aggregates data to help manage, prioritize and streamline patching in your environment.
Known issues reported by customers or Ivanti can be used to highlight potential problems with individual patches.
You can filter and sort the patches by severity, which gives you a priority order to apply patches that resolve the largest problems first—for example, Security Critical and Security Important. You can also use bulletin and patch threat scores to help with the prioritization.
Not only is Patch Intelligence a proactive tool used by IT Ops teams to plan the deployment of patches, it can also be used reactively. For example, technical support investigating an issue can check the reliability ratings and feedback for recently applied patches that may be pertinent to the issue they're investigating.
To access Patch Intelligence, click Software > Patch Intelligence in the left navigation pane.
Add a Connector
To add an Ivanti Endpoint Manager (EPM), Security Controls, or Patch for SCCM connector, select Add Connector at the top of the dashboard. The Get Started with Connectors Help panel slides out; select Go To Connectors, which walks you through the required steps.
- Open the Admin menu.
- Select Connectors. See the Setting up connectors topic for further details.
- Select Add Connector for the desired server.
The connector tiles display.
- Select the required connector tile.
The connector form displays. For more information on how to complete the form see the relevant connector Help topic.
Once a connector has been added the Patch Intelligence dashboard displays all the devices in the connected environment, called My Environment. To switch the view back to display all released bulletins, select All Bulletins.
Dashboard pie charts
The Patch Intelligence dashboard contains a number of informational charts. Use them to filter the results in the bulletin table below the charts, by clicking on a colored segment in the chart. To remove any applied filters, click the clear filters icon.
The chart types are:
Top Vendors chart
The top 5 vendors that have released the most bulletins within the last 14 days.
Bulletin Types chart
The number of each type of bulletin across all vendors released within the last 14 days.
MS Patch Tuesday chart
All of the Microsoft Patch Tuesday bulletins, categorized by vendor and severity. This chart also includes third-party vendors that have at least one CVE associated with an MS bulletin. Select the ellipsis to export the chart in .png format.
Why 14 Days? - Research has shown that patching vulnerabilities within 14 days of identification is the optimum period to reduce risk of exploitation.
Devices Exceeding SLA chart
This chart replaces the Top Vendors chart if you have My Environment selected. It allows you to easily see how many devices within your environment are nearing or exceeding your service level agreement (SLA). Click on a number in the chart to filter the bulletin table, and hover over a number to see how many bulletins have been identified as missing from the devices.
This chart is configurable: click the ellipsis to open the chart settings. The data can also be exported in CSV format; see the To export section for details on what gets exported.
- Title and Description: The title and the description for the chart can be customized, up to a limit of 60 characters.
- Bulletin type: The default for the chart is to include all bulletin types, but you can select to only include specific bulletin types based on security severity. For example, select Security Critical to only show the number of devices nearing or exceeding your SLA that are missing security critical patches.
- Your SLA limit: Set the number of days for your SLA. This can be between 1 and 365.
- Your SLA threshold: Set the number of days for your SLA threshold. This is the number of days before the actual SLA limit at which you want to be notified. It can be between 0 and 365, but not higher than the SLA value. You must have permissions to edit the SLA settings. To assign permissions to a role, navigate to Admin > Roles > Permissions > Patch Intelligence > Edit SLA Config.
Known Vulnerabilities chart
This chart replaces the MS Patch Tuesday chart if you have My Environment selected. It allows you to easily see if there are any vulnerabilities in your environment. There are two levels of vulnerability:
- Vulnerable: At least one CVE registered against a missing Bulletin.
- Exploited: At least one CVE that has a known exploit against a missing Bulletin.
The patch scan results are used to provide this information. Click on either the Device or Bulletin column to filter the bulletin table results to only show the list of bulletins that fix either the vulnerability or the known exploit.
Select the ellipsis to export the chart in .png format.
For more detail on known exploits, see the Bulletin Information CVE tab.
The bulletin table contains a list of all the latest validated bulletins with associated patches, listed in date order by default. You can customize the view by filtering, sorting, or searching by keyword (see below).
You can customize the table view using the Column Chooser. Available columns are:
Reliability: Helps to determine the stability of the patch. Patch Intelligence gathers data from a variety of sources to provide a confidence score for updates to supplement your patch testing efforts. It is derived from the number of successful and failed installs, with other stability metrics, like vendor and user reported known issues, to categorize the patch into one of the following:
- Green: Excellent - this represents patches that have a 100% install success rate
- Green: Very High
- Green: High
- Amber: Good
- Amber: Medium
- Amber: Low
- Red: Very Low
- Grey: n/a - too few installation attempts to categorize
My Reliability: Helps determine the stability of the patch. The bulletins are filtered to show just the devices in your environment, so you must have at least one connector to use this column. The score is calculated using the formula successful deployments / total deployments * 10 for all devices in your environment.
Threat: Highest NVD (National Vulnerability Database) CVSS (Common Vulnerability Scoring System) v3 score taken from all CVEs associated with patches in the bulletin. If v3 is not available the v2 score is taken. N/A displays if no score is available.
- Green indicates a score of 0.1 - 3.9
- Yellow indicates a score of 4.0 - 6.9
- Red indicates a score of 7.0 - 10
NIST (National Institute of Standards and Technology) can take up to 2 weeks to update their website.
Bulletin Id: Click to open the Bulletin Information.
Title: Click to open the Bulletin Information.
Known Issues: Number of reported known issues. Click the number to open the Known Issues tab on the Bulletin Information.
Unpatched Devices: Number of devices that do not have the patch installed. Click to open the Unpatched Devices tab on the Bulletin Information.
The Unpatched Devices column is only available when a connector is added.
Bulletin Date: The bulletin's date of issue.
CVE Count: Number of CVEs the bulletin contains. If at least one CVE for the bulletin has been exploited, a bug icon displays. Click the icon to open the Bulletin Information panel for more details.
Vendor: Software vendor that has issued the bulletin.
- Security: Critical, Important, Moderate, Low, Unassigned
- Non-Security: Critical, Important, Moderate, Low, Unassigned
Filter, Sort, Search and Export
You can search, sort, and filter the bulletin database based on a number of attributes.
Select the filter icon to refine the list using any of the predefined attributes:
Date: Available preset date ranges:
- Last 3 Days
- Last 14 Days
- Last 30 Days
- Last 365 Days
- Custom Range
Vendor: Listed in alphabetical order such as Apple, Microsoft, VMWare, and so on.
Type: Categories:
- Security: Critical/Important/Moderate/Low/Unassigned
- Non-Security: Critical/Important/Moderate/Low/Unassigned
If a filter has been applied to a column, a red dot is seen on the icon.
To remove an applied filter, click the clear filters icon.
Select the sort icon in any column header to sort into ascending or descending order.
To remove the sorting, right-click the column header and select Clear Sorting from the context menu.
Use the Search field to enter a keyword; the list will then only show bulletins that contain the keyword. The keyword is matched to any case-insensitive text found from within all of the bulletins—for example, CVE numbers, patch names, blue screen, and so on.
Example search use cases:
- As a security engineer, I want to supply a CVE to Patch Intelligence to understand what patch I need to have my IT Ops team apply to mitigate the vulnerability. The searching functionality can be an asset to both the Security and Ops teams by allowing them to search for CVEs and see which patches are required.
- As a support technician, I want to know whether a patch is available to fix an issue with PST corruption in Outlook 2016 occurring in conjunction with error 0x80040119. The ability to search benefits the support staff who can search for symptoms or issues around a particular patch.
To remove a search filter, click the clear filters icon.
You can export all bulletins in CSV format to help with your patch reporting requirements.
Any sorting or filtering applied to the bulletins will be retained in the exported output. All columns will be included regardless of what has been selected in the Column Chooser.
If the data is exported from the SLA chart, all devices that are missing patches in the bulletins that fall outside of the SLA window are included. This could mean that a device is listed multiple times if it is missing multiple bulletin patches.
Select the first column check box for the bulletins you want to export. Alternatively, select the check box in the header cell to select all bulletins.
Click Export CSV to save the file to your local downloads folder.
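Because a device can appear once per missing bulletin in the exported data, it helps to collapse the rows to one line per device before reporting. The following Python is an added example, not part of the Ivanti documentation or product; the CSV column names (device, bulletin_id, bulletin_date), the sample rows, measuring age from the bulletin date, and the exact nearing/exceeding boundaries are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample export; the column names are assumptions, not Ivanti's schema.
SAMPLE_CSV = """device,bulletin_id,bulletin_date
ws-001,BULLETIN-A,2024-01-02
ws-001,BULLETIN-B,2024-01-20
ws-002,BULLETIN-B,2024-01-20
srv-010,BULLETIN-C,2024-01-30
"""
RANK = {"within": 0, "nearing": 1, "exceeding": 2}


def validate_sla(limit_days, threshold_days):
    """Ranges from the chart settings: limit 1-365, threshold 0-365 and not above the limit."""
    if not 1 <= limit_days <= 365:
        raise ValueError("SLA limit must be between 1 and 365 days")
    if not 0 <= threshold_days <= limit_days:
        raise ValueError("SLA threshold must be 0-365 and not higher than the limit")


def sla_status(age_days, limit_days, threshold_days):
    """Assumed semantics: at or past the limit is exceeding; the threshold days before it are nearing."""
    if age_days >= limit_days:
        return "exceeding"
    if age_days >= limit_days - threshold_days:
        return "nearing"
    return "within"


def worst_status_per_device(csv_text, today, limit_days=14, threshold_days=3):
    """Collapse repeated device rows into one entry holding the device's worst status."""
    validate_sla(limit_days, threshold_days)
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        age = (today - date.fromisoformat(row["bulletin_date"])).days
        status = sla_status(age, limit_days, threshold_days)
        entry = result.setdefault(row["device"], {"status": "within", "bulletins": []})
        entry["bulletins"].append(row["bulletin_id"])
        if RANK[status] > RANK[entry["status"]]:
            entry["status"] = status
    return result


if __name__ == "__main__":
    for device, info in worst_status_per_device(SAMPLE_CSV, date(2024, 2, 1)).items():
        print(device, info["status"], ",".join(info["bulletins"]))
```

Adjust the column names to match the header row of your actual export before using it.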
Click a bulletin in the table to view further details, such as vendor security, threat score, known issues and products affected.
List of all patches included in the bulletin. Details include the reliability score, threat score, patch name, any known issues, number of unpatched devices, and number of failed installs.
Click Filter By Products to filter the list to display only the product version(s) you're interested in. Sort the list by any of the columns to prioritize the patches.
Click a patch to open the Patch Information, which includes information such as if the patch has been superseded by another patch, if the patch replaces another patch, the CVEs contained within the patch, number of unpatched devices, and any reported known issues.
Lists any CVEs associated with the patch. Click on any to open the CVE details on the National Vulnerability Database website. If there are any known exploits for the patch a bug icon displays together with the exploited date. Click the date to open the Exploit Database website.
The Exploit Database, maintained by Offensive Security, is a CVE-compliant archive of public exploits and corresponding vulnerable software. Patch Intelligence cross-references CVEs in its database against those listed in the Exploit Database to help ensure that the reported exploit status of CVEs is current and accurate. www.exploit-db.com
List of devices that do not have the patch installed. The device name, domain name, IP address, and OS name and version are shown. Click on a device to open Neurons Platform > Devices and view further details. You can use the Patch Status tab to select devices and patches to install.
This tab is only available when a connector is added.
If a device is managed by both Ivanti Endpoint Manager and Ivanti Security Controls then it will remain in the unpatched devices list until both Ivanti Endpoint Manager and Ivanti Security Controls report that the patch has been applied.
An overview and detailed view of the device displays.
Any known issues can be submitted about a patch, which Ivanti will review and anonymize. The known issues can help you understand why a particular patch may or may not have rolled out smoothly and any additional steps that may be required. The issues will be listed as Customer reported issues or Ivanti reported issues.
To add a known issue to a bulletin select New Issue. The section expands for you to complete the following:
- Patches affected: Select all of the patches the issue relates to.
- Issue description: Describe what the issue is in 500 characters or less. Include symptoms and remediation steps.
- Number of endpoints affected: Select the number band of endpoints you have experienced this issue on in your environment.
- I had to roll this patch back: Check this box if the issue caused you to roll back.
- Add Issue: Select to submit the issue to the Ivanti moderators. If approved, the issue will be displayed in the Known Issues tab. This can take up to 48 hours.