An example of how patch orchestration works with Microsoft SCCM.
Before you begin
Say, for example, your entire environment is patched once every three weeks. The most
recent patching window was completed a week ago, but you want to apply a patch to
fix a critical vulnerability that has recently become known. Due to the critical
nature of this vulnerability, you cannot wait two more weeks for the next scheduled
patch.
Roles required:
- sn_vul.vulnerability_analyst or sn_vul.vulnerability_admin for the
Vulnerability Manager Workspace.
- sn_vul.remediation_owner to view the IT Remediation Owner workspace.
- sn_vul_patch_orch.configure_patch role to configure and schedule
patches.
- sn_vul_patch_orch.read_patch to view (read only) patch information on
records. This role is inherited with the sn_vul.remediation_owner and
sn_vul.vulnerability_analyst roles that are required for the IT Remediation
and Vulnerability Manager Workspaces.
About this task
As a vulnerability manager or analyst working in the Vulnerability Manager Workspace,
you might consider creating watch topics, or editing existing watch topics to help
you capture imported VIs with critical vulnerabilities. With the patch orchestration
integration, you can also see the patches you want to use to fix and track these
vulnerabilities. The following table lists a few samples with the conditions you
might set for watch topics for patch orchestration. Use these examples to help you
determine settings that work best for your environment. See
Create a watch topic in the Vulnerability Manager Workspace for more
information about setting up the watch topic.
Table 1. Sample watch topics for patch orchestration in the Vulnerability Manager Workspace
| Watch topic name | Description |
| --- | --- |
| Critical Vulnerabilities with Patch Leaks | Risk rating is 1 - critical AND Reason is Patch Not Scheduled |
| Critical Vulnerabilities with Patches Scheduled (missing SLA) | Reason is Patch Scheduled (Missing Target Date) |
| Critical Vulnerabilities with Patches Scheduled | Risk rating is 1 - critical AND Patch scheduled date is not empty AND Reason is Patch Scheduled |
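The three sample watch topic conditions above partition critical VIs by their patch state. The following added example (plain JavaScript, not ServiceNow's own code or API) evaluates those conditions against constructed VI records so you can see which records each topic catches and, just as usefully, which records none of them catch. The field names riskRating, reason and patchScheduledDate, the VIT numbers and the dates are assumptions mirroring the condition labels, not the platform's column names or real data.

```javascript
// Added example, not ServiceNow code: applies the three sample watch topic
// conditions from the table to constructed vulnerable item (VI) records.
// Field names (riskRating, reason, patchScheduledDate) are assumptions that
// mirror the condition labels; they are not the platform's column names.

const WATCH_TOPICS = [
  {
    name: "Critical Vulnerabilities with Patch Leaks",
    // Risk rating is 1 - critical AND Reason is Patch Not Scheduled
    matches: (vi) => vi.riskRating === 1 && vi.reason === "Patch Not Scheduled",
  },
  {
    name: "Critical Vulnerabilities with Patches Scheduled (missing SLA)",
    // Reason is Patch Scheduled (Missing Target Date)
    matches: (vi) => vi.reason === "Patch Scheduled (Missing Target Date)",
  },
  {
    name: "Critical Vulnerabilities with Patches Scheduled",
    // Risk rating is 1 - critical AND Patch scheduled date is not empty
    // AND Reason is Patch Scheduled
    matches: (vi) =>
      vi.riskRating === 1 &&
      vi.patchScheduledDate !== null &&
      vi.patchScheduledDate !== "" &&
      vi.reason === "Patch Scheduled",
  },
];

// Returns the names of the watch topics a single VI falls into.
function classifyVi(vi) {
  return WATCH_TOPICS.filter((t) => t.matches(vi)).map((t) => t.name);
}

// Groups a list of VIs by watch topic, so a manager can see at a glance how
// many critical VIs have no patch scheduled versus a patch scheduled without
// a target date. VIs matching no topic are collected under "Unwatched".
function buildWatchTopicReport(vis) {
  const report = { Unwatched: [] };
  for (const t of WATCH_TOPICS) report[t.name] = [];
  for (const vi of vis) {
    const topics = classifyVi(vi);
    if (topics.length === 0) report.Unwatched.push(vi.number);
    for (const name of topics) report[name].push(vi.number);
  }
  return report;
}

// Constructed sample VI records (not real data).
const SAMPLE_VIS = [
  { number: "VIT0001001", riskRating: 1, reason: "Patch Not Scheduled", patchScheduledDate: null },
  { number: "VIT0001002", riskRating: 1, reason: "Patch Scheduled (Missing Target Date)", patchScheduledDate: null },
  { number: "VIT0001003", riskRating: 1, reason: "Patch Scheduled", patchScheduledDate: "2024-05-14" },
  { number: "VIT0001004", riskRating: 3, reason: "Patch Not Scheduled", patchScheduledDate: null },
  // Critical, reason says scheduled, but no date: none of the three topics catch it.
  { number: "VIT0001005", riskRating: 1, reason: "Patch Scheduled", patchScheduledDate: "" },
];

console.log(JSON.stringify(buildWatchTopicReport(SAMPLE_VIS), null, 2));
```

Note the last sample record: a critical VI whose reason is Patch Scheduled but whose scheduled date is empty matches none of the three sample topics, because the third topic requires a non-empty date and the second requires the distinct Missing Target Date reason. When you adapt these conditions to your environment, check the Unwatched group for gaps like this.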
- As a vulnerability manager or analyst, after you create the watch topics and
remediation efforts, you generate remediation tasks. From VI records and
remediation tasks, you can drill down into the Detections tab and locate
discovered item records that have the vulnerability you are tracking, along with
the assets imported by the SCCM product.
- As a vulnerability analyst or admin, you can monitor the patch data associated
with the vulnerability. You might also deploy a patch or multiple patches to a
specific asset (configuration item) from a discovered item record.
As an IT remediation specialist, you have options for how you address the
vulnerability with a patch deployment.
- You can schedule the patch from a Patch Update record (VPU#).
- If vulnerable items (VIs) have preferred solutions mapped to them, and they are
assigned to you or your groups, you can schedule the patches from a remediation
task that has these vulnerable items.
Procedure
- As an IT Remediation Specialist, in the IT Remediation Workspace, click the
Home view.
- From the home view, click the Assigned remediation tasks
scorecard to view the records.
For the sake of this example, you might check the Short description field on
the remediation task (VUL#) for any text that relates to your critical
vulnerability. Say, for example, you know that your vulnerability
manager has created a watch topic called Critical vulnerabilities with
Patch leaks to catch VIs (VIT#) with this critical vulnerability.
With the record open, you can also review the VIs and the Preferred patches, and
see whether you or anyone in your group has already submitted a patch request for
approval.
- If you have enough information, you might prefer to submit a request for a
patch now from this remediation task.
Note: If the VIs associated with the record do not have patches that are mapped
to them, the Schedule Patch button is not available
on the record.
- Click Schedule Patch and fill out the fields in the
dialog.
- Alternatively, from the List view in the IT Remediation Workspace, you can
click the Remediation tasks, Vulnerable items, Solutions, and Patches links
to view these records.
In the case of this example, instead of a watch topic name, you might know the
Article ID or the Bulletin ID and title of the patch. If so, you might want to
check if any of the VIs with this vulnerability are assigned to you or to your
groups. From Patch Update records, you can submit patch requests. From VI
records, you can check for potential patches and open the associated remediation
task if you want to submit a patch request.
- If you don't have access to the workspaces, or you prefer to view data and
schedule patches from the classic environment, follow these steps.
- Navigate to .
- Locate the Patch Update record you want.
You might prefer to filter the records with
Critical Risk Scores.
- Review the associated VIs and % VIs remediated fields on the
Remediation Status tab.
If the VIs have patches available, the Schedule
Patch button is displayed in the upper right of the
record.
- If you decide you want to submit a request, click Schedule
Patch.
- Alternatively, say you don't have the patch ID information, but you
might check the Short description field on the remediation tasks that
are assigned to your group for any text that relates to your critical
vulnerability.
- Navigate to .
- Locate the record you want and click it to open it.
On the open record, review the Remediation Status tab for VIs
and % VIs remediated. Click the Related Links for VI records, Preferred
Solutions, Preferred Patches, and Patch Requests.
Note: If the VIs
associated with the record do not have patches that are mapped to
them, the Schedule Patch button is not
available on the record.
- Click Schedule Patch from the record if you want
to submit a patch request.