FEATURE REQUEST: Auto Create Patch Tuesday Remediation Project

For customers tracking Microsoft patches/solutions as it relates to patching effectiveness each month, it would be incredibly helpful to have an option where InsightVM can auto-create this remediation project on or before patch Tuesday for the upcoming month.

Due to the limitation with remediation data in general not being retained (no data lake) w/o such a project in place before patch Tuesday, customers have to remember to manually create this remediation project every single month!

17 Likes

1+

1 Like

+1

1 Like

Yes this would be really useful

1 Like

+500

1 Like

+1

1 Like

+100

1 Like

yes! +1

1 Like

Yes +1

1 Like

+1

1 Like

+1

1 Like

+1

1 Like

+1

1 Like

Related to this, I repeatedly have issues with the Patch Tuesday Remediation Project calculating accurate affected assets.

For example, our Microsoft asset count on the assets page hovers around 4,000 assets month to month. But our Remediation project is inconsistent at reporting affected assets:

April: 896
May: 530
June: 3197
July: 3269
August: 920
Sept: 3504
Oct: 531

My R7 support cases on this have not been able to resolve this over the last few months and on one or two occasions, it was due to a verified Insight platform issue. But once the remediation project affected assets count is wrong, we have never been able to recover the correct asset count in the project—resulting in another lost month to report on our vulnerability KPIs.

2 Likes

This is an infuriating topic for us too. We’ve been trying different ways of tracking patch remediation using various combinations of projects, goals, asset grouping, directory syncs, tags, etc… you name it, we’ve tried it… the issue comes back to Rapid7’s presentation of the data (if it’s even there) is hot garbage.

We have also experienced the issue of inconsistent reporting in projects. I could have 100 of the same Microsoft Windows Server 2022 servers in an asset group and one month my project will show 50 servers affected by month X’s patch Tuesday vulnerabilities, yet the next month will show 90 affected. Some t

Part of the issue is that Rapid7’s own patch Tuesday query (from the Rapid7 published dashboard) isn’t accurate. Using “published date” in the query is what we’ve found limits the results, however even after getting rid of that we still don’t have perfect results.

You would think that if they can present this data as a solution in the projects: ‘2024-11 Cumulative Update for Microsoft Windows Server 2019, version 1809 (KB5046615)’ - that you would be able to query the solution name… or the KB… but, no… you have to have a query with 5 variables that either have to be ALL TRUE (and) … or ANY can be true… (any)… which is one of the worst features of the entire tool… god forbid someone wants to combine an and/or statement. Not ideal.

1 Like

god forbid someone wants to combine an and/or statement

This may or may not help, depending on how you’re doing this, but I’d been using insightVM for years and had exactly the same problem until a few months ago when I realised you can mix AND\OR together.

In the Query Builder, if you click Switch to Expert you can mix AND\OR together. As an example, one of my queries is used to group Windows 10\11 systems with different hostname prefixes and looks like this:

(asset.name STARTS WITH 'A1-' || asset.name STARTS WITH 'B1-' || asset.name STARTS WITH 'C1-' || asset.name STARTS WITH 'D1-' || asset.name STARTS WITH 'E1-' || asset.name STARTS WITH 'F1-') && asset.os.description CONTAINS 'Windows 1'

This doesn’t help when creating Asset Groups, which still drives me insane, but it may help in your situation.

1 Like

It is unfortunate that the IVM cloud API is so limited.

Wouldn’t it be great to simply monitor xml feeds around patch Tuesday and, once you have the CVEs in question, to create a remediation project?

@talford yep, very heavily use Explorer (oh no it's also called Query Builder) LOL
UX consistency please! :wink:

I appreciate your responses and would also add for us Patch Tuesday remediation projects have been so inconsistent from an affected assets scope count. The past 4mo the numbers have been all over the place and on average 1,500 assets short when comparing to the Microsoft asset count on the Security Console assets page… :-/

Yes please.