Neurons for Patch Intelligence

Ivanti Neurons for Patch Intelligence gathers and aggregates data to help manage, prioritize and streamline patching in your environment.

The Patch Intelligence data helps you identify the biggest problems first, for example Security Critical and Security Important patches. You can filter and sort the patches by severity, and use bulletin and patch threat scores, internally and externally reported issues, and a trending score related to social media posts to highlight the amount of activity around individual patches.

Not only is Neurons for Patch Intelligence a proactive tool used by IT Ops teams to plan the deployment of patches, it can also be used reactively. For example, technical support investigating an issue can check the reliability ratings and feedback for recently applied patches that may be pertinent to the issue they're investigating.

To access Neurons for Patch Intelligence, click Software > Patch Intelligence in the left navigation pane.

Some of the Patch Intelligence features are available only to users with the appropriate role. For further details, see Managing members and roles.

Add a Connector

To add an Ivanti Endpoint Manager (EPM), Security Controls, or Patch for SCCM connector, select Add Connector at the top of the dashboard. The Get Started with Connectors Help panel slides out. Select Go To Connectors, which walks you through the steps required.

Alternatively, you can use the Ivanti Neurons platform > Connectors menu option.

Dashboard

The default dashboard for Neurons for Patch Intelligence is All Bulletins, which displays data for all released bulletins. Once a connector has been added, the My Environment tab becomes available. Select this tab to change the view to display data for all the devices in the connected environment. For both of these tabs you can customize the data that displays to relate to All Patches, Latest Patches (excludes patches that have been superseded) or those Revised within 60 days.

The Neurons for Patch Intelligence dashboard is made up of two parts: the charts and the data table. The charts change depending on whether you have All Bulletins or My Environment selected. You can use the charts to filter the data that displays in the Bulletin table by clicking on any of the colored segments in a pie or bar chart. Click the colored segment again to remove the filter from the table.

All Bulletins Charts

When the All Bulletins tab is selected the following charts display:

Top Vendors: This chart displays the top 5 vendors that have released the most bulletins within the last 14 days.

Patch Types: This chart displays the number of each type of patch across all vendors, released within the last 14 days.

Why 14 Days? - Research has shown that patching vulnerabilities within 14 days of identification is the optimum period to reduce risk of exploitation.

MS Patch Tuesday: All of the Microsoft Patch Tuesday bulletins, categorized by vendor and severity. This chart also includes Third Party vendors which have at least one CVE associated with an MS bulletin. Select the ellipsis to export the chart in .png format.

My Environment Charts

When the My Environment tab is selected the following charts display:

Devices Exceeding SLA chart: This chart replaces the Top Vendors chart if you have My Environment selected. It allows you to easily see how many devices within your environment are nearing or exceeding your service level agreement (SLA), and the percentage of devices that are and are not compliant. Click on either of the device numbers in the chart to filter the bulletin table, and hover over a number to see how many patches have been identified as missing from the devices.

Select the chart ellipsis to carry out one of these actions:

  • Configure: Configurable settings for the chart are:
    • Title and Description: The title and the description for the chart can be customized, up to a limit of 60 characters.
    • Patch type: The default for the chart is to include all patch types, but you can select to only include specific patch types based on security severity. For example, select Security Critical to only show the number of devices nearing or exceeding your SLA that are missing security critical patches.
    • Your SLA limit: Set the number of days for your SLA. This can be between 1 and 365.
    • Your SLA threshold: Set the number of days for your SLA threshold. This is the number of days before the actual SLA limit that you want to be notified about. It can be between 0 and 365, but not higher than the SLA value. You must have permissions to edit the SLA settings. To assign permissions to a role, navigate to Admin > Roles > Permissions > Patch Intelligence > Edit SLA Config.
  • Export CSV: The data can easily be exported in CSV format, see the To export section for details on what gets exported.
  • Generate Report: Create a report to show each update, the release date, total devices affected, and the trend toward compliance compared to your defined SLA. You can define the scope of the report including time frame, vendors, and severity. You can also filter by Exploited or specific CVE IDs to report on high risk updates specifically. The report is saved to your browser default download location.

Patch Types chart: This chart displays the number of each type of patch across all vendors, released within the last 14 days.

Why 14 Days? - Research has shown that patching vulnerabilities within 14 days of identification is the optimum period to reduce risk of exploitation.

Known Vulnerabilities: This chart replaces the MS Patch Tuesday chart if you have My Environment selected. It allows you to easily see if there are any vulnerabilities in your environment. There are two levels of vulnerability:

  • Vulnerable: At least one CVE registered against a missing patch.
  • Exploited: At least one CVE that has a known exploit against a missing patch.

The patch scan results are used to provide this information. Click on either the Device or Bulletin column to filter the bulletin table results to only show the list of bulletins that fix either the vulnerability or the known exploit.

For more detail on known exploits, see the Bulletin information CVE tab.

Bulletins

The bulletin table contains a list of all the latest validated bulletins with associated patches, listed in date order by default. The columns are grouped into categories so you can easily focus on the relevant data: Bulletin Details, Reliability & Social, and Threat & Risk. You can customize which columns are on show and the order of the data by filtering, sorting, or searching by keyword.

You can customize the table view using the Column Chooser. Available columns are:

Bulletin Details

Bulletin Id: Click to open the Bulletin information panel.

Title: Click to open the Bulletin information panel.

Bulletin Date: The issue date for the bulletin.

Vendor: The name of the software vendor that issued the bulletin.

Unpatched Devices: The number of devices that do not have the patch installed. Click to open the Unpatched Devices tab on the Bulletin information panel. This column is only available when you have a connector set up.

Reliability & Social

Reliability: Helps to determine the stability of the patch. Patch Intelligence gathers data from a variety of sources to provide a confidence score for updates to supplement your patch testing efforts. It is derived from the number of successful and failed installs, with other stability metrics, such as Reported Issues from vendors or users, to categorize the patch into one of the following:

  • Green: Excellent - this represents patches that have a 100% install success rate
  • Green: Very High
  • Green: High
  • Amber: Good
  • Amber: Medium
  • Amber: Low
  • Red: Very Low
  • Grey: n/a - too few installation attempts to categorize

My Reliability: Helps determine the stability of the patch. The bulletins are filtered to show just the devices in your environment. You must have at least one connector to use this column. The score is calculated using the formula successful deployments / total deployments * 10 for all devices in your environment.

Trending: Indicates the level of social media attention a patch is receiving. A higher trend is indicated with the bars; the higher the bars, the higher the volume of social media posts. The content of the posts could be negative, for example problems with installing, or positive, for example fixes issued for any problems. To understand this further, go to the Reported Issues > Trending section in either the Bulletin or Patch Information panel to see further detail on the most common trending topics or keywords.

Reported Issues: The number of reported issues plus trending comments. These can be official reported issues by the vendor, such as Microsoft, customer reported issues, or trending comments on social media. If the bulletin has received any downvotes, the blue thumb-down icon displays with the number of votes next to it. Click the number or thumb icon to open the Reported Issues tab on the Bulletin information panel.

Threat & Risk

Threat: Highest NVD (National Vulnerability Database) CVSS (Common Vulnerability Scoring System) v3 score taken from all CVEs associated with patches in the bulletin. If v3 is not available the v2 score is taken. N/A displays if no score is available.

  • Green indicates a score of 0.1 - 3.9
  • Yellow indicates a score of 4.0 - 6.9
  • Red indicates a score of 7.0 - 10

NIST (National Institute of Standards and Technology) can take up to 2 weeks to update their website.
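
The Threat column rule above, as an added example that is not Ivanti code: it picks a bulletin's score from its CVEs and maps it to the listed colour bands. The bulletin names, CVE ids and scores are constructed placeholders, and the handling of bulletins that mix v3 and v2 scores is an assumption, since the page does not describe it.

```python
# Added example (not Ivanti code). CVE ids and scores below are constructed
# placeholders, not real NVD entries.
SAMPLE_BULLETINS = {
    "BULLETIN-A": [{"cve": "CVE-0000-0001", "v3": 9.8, "v2": 7.5},
                   {"cve": "CVE-0000-0002", "v3": 5.4, "v2": 4.3}],
    "BULLETIN-B": [{"cve": "CVE-0000-0003", "v3": None, "v2": 6.8},
                   {"cve": "CVE-0000-0004", "v3": None, "v2": 2.1}],
    "BULLETIN-C": [{"cve": "CVE-0000-0005", "v3": None, "v2": None}],
    "BULLETIN-D": [],  # bulletin with no CVEs at all
}


def threat_score(cves):
    """Highest v3 score across the bulletin's CVEs, else highest v2, else None.

    Assumption: the v2 fallback applies only when no CVE in the bulletin has
    a v3 score; the page does not say how mixed bulletins are handled.
    """
    for version in ("v3", "v2"):
        scores = [c[version] for c in cves if c.get(version) is not None]
        if scores:
            return max(scores)
    return None


def threat_band(score):
    """Map a score to the colour bands listed for the Threat column."""
    if score is None:
        return "N/A"
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 7.0:
        return "Red"
    if score >= 4.0:
        return "Yellow"
    if score >= 0.1:
        return "Green"
    return "Unbanded"  # 0.0: the page defines no colour below 0.1


def summarize(bulletins):
    """Return {bulletin_id: (score, band)} sorted highest threat first."""
    rows = {b: threat_score(cves) for b, cves in bulletins.items()}
    ordered = sorted(rows, key=lambda b: (rows[b] is None, -(rows[b] or 0.0)))
    return {b: (rows[b], threat_band(rows[b])) for b in ordered}


if __name__ == "__main__":
    for bulletin, (score, band) in summarize(SAMPLE_BULLETINS).items():
        print(f"{bulletin}: {score if score is not None else 'N/A'} ({band})")
```

A bulletin whose CVEs carry only v2 scores can land in a lower band than a v3 rescoring would give it, so treat N/A and v2-only results as unknown rather than low when prioritizing.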

CVE Count: The number of CVEs the bulletin contains. If at least one CVE for the bulletin has been exploited, a bug icon displays. Click the icon to open the Bulletin information panel for more details.

Vendor Severity: The bulletins are categorized into one of the following types:

  • Security: Critical, Important, Moderate, Low, Unassigned
  • Non-Security: Critical, Important, Moderate, Low, Unassigned

Filter, Sort, Search and Export

You can search, sort, and filter the bulletin database based on a number of attributes.

Bulletin information

Click a Bulletin ID or Title in the table to open the Bulletin information panel. Here you can view further details, such as vendor security, threat score, reported issues and products affected.

The bulletin title is followed by the option to place a downvote for the bulletin, to indicate if you have encountered any issues or problems with the bulletin. If you have not placed a vote, you will see the white thumbs-down icon. You are only allowed one vote; if this has been used, you will see a blue thumbs-down icon. Next to the icon is the number of down-votes received.
