Example workflow for the Vulnerability Response Patch Orchestration integration with Microsoft SCCM

  • Release version: Xanadu
  • Updated August 1, 2024
  • 5 minutes to read
  • An example of how patch orchestration works with Microsoft SCCM.

    Before you begin

    Say, for example, your entire environment is patched once every three weeks. The most recent patching window was completed a week ago, but you want to apply a patch to fix a critical vulnerability that has recently become known. Due to the critical nature of this vulnerability, you cannot wait two more weeks for the next scheduled patch.

    Roles required:
    • sn_vul.vulnerability_analyst or sn_vul.vulnerability_admin for the Vulnerability Manager Workspace.
    • sn_vul.remediation_owner to view the IT Remediation Owner workspace.
    • sn_vul_patch_orch.configure_patch to configure and schedule patches.
    • sn_vul_patch_orch.read_patch to view (read-only) patch information on records. This role is included in the sn_vul.remediation_owner and sn_vul.vulnerability_analyst roles that are required for the IT Remediation Owner and Vulnerability Manager Workspaces, so users with those roles do not need it assigned separately.

    About this task

    As a vulnerability manager or analyst working in the Vulnerability Manager Workspace, consider creating watch topics, or editing existing ones, to capture imported vulnerable items (VIs) with critical vulnerabilities. With the patch orchestration integration, you can also see the patches you want to use to fix and track these vulnerabilities. The following table lists sample conditions you might set for watch topics that track patch orchestration state. Use these examples to help you determine settings that work best for your environment. See Create a watch topic in the Vulnerability Manager Workspace for more information about setting up a watch topic.
    Table 1. Sample watch topics for patch orchestration in the Vulnerability Manager Workspace

    Watch topic name: Critical Vulnerabilities with Patch Leaks
    Conditions: Risk rating is 1 - critical AND Reason is Patch Not Scheduled

    Watch topic name: Critical Vulnerabilities with Patches Scheduled (missing SLA)
    Conditions: Reason is Patch Scheduled (Missing Target Date)

    Watch topic name: Critical Vulnerabilities with Patches Scheduled
    Conditions: Risk rating is 1 - critical AND Patch scheduled date is not empty AND Reason is Patch Scheduled

    • As a vulnerability manager or analyst, after you create the watch topics and remediation efforts, you generate remediation tasks. From VI records and remediation tasks, you can drill down into the Detections tab and locate discovered item records that have the vulnerability you are tracking, along with the assets imported by the SCCM product.
    • As a vulnerability analyst or admin, you can monitor the patch data associated with the vulnerability. You might also deploy a patch or multiple patches to a specific asset (configuration item) from a discovered item record.
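    The three watch topics in Table 1 are AND-joined filters over vulnerable item fields, which is exactly what a ServiceNow encoded query expresses. The following is an added example (not ServiceNow's own code and not part of this page) that writes each watch topic as an encoded query, evaluates it offline against a few constructed VI records, and builds the Table API URL that would run the same query on an instance. The `^` (AND), `=` and `ISNOTEMPTY` operators, the `sn_vul_vulnerable_item` table and the `risk_rating` field are real ServiceNow names; the field names `patch_reason` and `patch_scheduled_date` are assumed stand-ins for the "Reason" and "Patch scheduled date" fields shown in the workspace and must be checked against your instance's dictionary.

```python
"""Evaluate the Table 1 watch-topic conditions as ServiceNow encoded queries.

Added example, not ServiceNow code. `^`, `=`, `ISNOTEMPTY` are real encoded-query
operators and sn_vul_vulnerable_item / risk_rating are real names, but
`patch_reason` and `patch_scheduled_date` are ASSUMED field names standing in
for the "Reason" and "Patch scheduled date" fields; verify them on your instance.
"""
from __future__ import annotations

from urllib.parse import quote

# Encoded queries for the three sample watch topics in Table 1.
WATCH_TOPICS = {
    "Critical Vulnerabilities with Patch Leaks":
        "risk_rating=1^patch_reason=Patch Not Scheduled",
    "Critical Vulnerabilities with Patches Scheduled (missing SLA)":
        "patch_reason=Patch Scheduled (Missing Target Date)",
    "Critical Vulnerabilities with Patches Scheduled":
        "risk_rating=1^patch_scheduled_dateISNOTEMPTY^patch_reason=Patch Scheduled",
}

# Constructed sample VI records (not real data); shaped like sn_vul_vulnerable_item rows.
SAMPLE_VIS = [
    {"number": "VIT0010001", "risk_rating": "1", "patch_reason": "Patch Not Scheduled", "patch_scheduled_date": ""},
    {"number": "VIT0010002", "risk_rating": "1", "patch_reason": "Patch Scheduled", "patch_scheduled_date": "2024-08-15 02:00:00"},
    {"number": "VIT0010003", "risk_rating": "2", "patch_reason": "Patch Not Scheduled", "patch_scheduled_date": ""},
    {"number": "VIT0010004", "risk_rating": "1", "patch_reason": "Patch Scheduled (Missing Target Date)", "patch_scheduled_date": ""},
    # Reason says scheduled but no date: caught by neither "scheduled" topic, which is the gap the SLA topic is for.
    {"number": "VIT0010005", "risk_rating": "1", "patch_reason": "Patch Scheduled", "patch_scheduled_date": ""},
]


def _term_matches(record: dict, term: str) -> bool:
    """Evaluate one encoded-query term (field=value, field!=value, fieldISEMPTY, fieldISNOTEMPTY)."""
    if term.endswith("ISNOTEMPTY"):
        return record.get(term[: -len("ISNOTEMPTY")], "") != ""
    if term.endswith("ISEMPTY"):
        return record.get(term[: -len("ISEMPTY")], "") == ""
    if "!=" in term:
        field, value = term.split("!=", 1)
        return record.get(field, "") != value
    if "=" in term:
        field, value = term.split("=", 1)
        return record.get(field, "") == value
    raise ValueError(f"unsupported encoded-query term: {term!r}")


def matches(record: dict, encoded_query: str) -> bool:
    """True when every ^-joined term matches; ^ is AND in ServiceNow encoded queries."""
    return all(_term_matches(record, t) for t in encoded_query.split("^") if t)


def evaluate_watch_topics(records: list[dict], topics: dict[str, str] | None = None) -> dict[str, list[str]]:
    """Return the VI numbers each watch topic would catch."""
    topics = WATCH_TOPICS if topics is None else topics
    return {name: [r["number"] for r in records if matches(r, q)] for name, q in topics.items()}


def table_api_url(instance: str, encoded_query: str, table: str = "sn_vul_vulnerable_item") -> str:
    """Table API GET URL running the same encoded query (sysparm_query is a real parameter)."""
    return f"https://{instance}/api/now/table/{table}?sysparm_query={quote(encoded_query, safe='')}"


if __name__ == "__main__":
    for name, hits in evaluate_watch_topics(SAMPLE_VIS).items():
        print(f"{name}: {hits}")
        print("  ", table_api_url("example.service-now.com", WATCH_TOPICS[name]))
```

    Running it shows VIT0010001 as the only "patch leak" (VIT0010003 is critical-adjacent but risk rating 2), VIT0010004 as the missing-target-date case, and VIT0010002 as the only fully scheduled critical item; VIT0010005 falls through both scheduled topics because its date is empty, which is why the SLA topic is worth keeping alongside the other two.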

    As an IT remediation specialist, you have options for how you address the vulnerability with a patch deployment.

    • You can schedule the patch from a Patch Update record (VPU#).
    • If vulnerable items (VIs) have preferred solutions mapped to them, and they are assigned to you or your groups, you can schedule the patches from a remediation task that contains these vulnerable items.

    Procedure

    1. As an IT Remediation Specialist, in the IT Remediation Workspace, click the Home view.
    2. From the home view, click the Assigned remediation tasks scorecard to view the records.

      For this example, check the Short description field on the remediation task (VUL#) for any text that relates to your critical vulnerability. For instance, you might know that your vulnerability manager has created a watch topic called Critical Vulnerabilities with Patch Leaks to catch VIs (VIT#) with this critical vulnerability.

      With the record open, you can also review the VIs and the Preferred patches, and see whether you or anyone in your group has already submitted a patch request for approval.

    3. If you have enough information, you might prefer to submit a request for a patch now from this remediation task.
      Note:
      If the VIs associated with the record do not have patches that are mapped to them, the Schedule Patch button is not available on the record.
    4. Click Schedule Patch and fill out the fields in the dialog.
      For more information about how to schedule a patch, see Schedule patches with the Microsoft SCCM integration with Vulnerability Response.
    5. Alternatively, from the List view in the IT Remediation Workspace, you can click on the Remediation tasks, Vulnerable items, Solutions, and Patches links to view these records.
      In the case of this example, instead of a watch topic name, you might know the Article ID or the Bulletin ID and title of the patch. If so, you might want to check if any of the VIs with this vulnerability are assigned to you or to your groups. From Patch Update records, you can submit patch requests. From VI records, you can check for potential patches and open the associated remediation task if you want to submit a patch request.
    6. If you don't have access to the workspaces, or you prefer to view data and schedule patches from the classic environment, follow these steps.
      1. Navigate to Vulnerability Response > Patches > All.
      2. Locate the Patch Update record you want.
        You might prefer to filter the records by critical risk score.
      3. Review the associated VIs and % VIs remediated fields on the Remediation Status tab.
        If the VIs have patches available, the Schedule Patch button is displayed in the upper right of the record.
      4. If you decide you want to submit a request, click Schedule Patch.
        For more information about how to schedule a patch, see Schedule patches with the Microsoft SCCM integration with Vulnerability Response.
      5. Alternatively, if you don't have the patch ID, check the Short description field on the remediation tasks assigned to your group for any text that relates to your critical vulnerability.
      6. Navigate to Vulnerability Response > Remediation Tasks > Assigned to My Groups.
      7. Locate the record you want and click it to open it.
        On the open record, review the Remediation Status tab for VIs and % VIs remediated. Click the Related Links for VI records, Preferred Solutions, Preferred Patches, and Patch Requests.
        Note:
        If the VIs associated with the record do not have patches that are mapped to them, the Schedule Patch button is not available on the record.
      8. Click Schedule Patch from the record if you want to submit a patch request.