Ivanti Patching - Feedback Needed!

holly_wilsey · April 8, 2020, 2:20pm

We’re currently looking to build a new InsightConnect plugin for Ivanti Patch to help automate some of the most repetitive processes in your environment when it comes to patching. We’ve received some requests for specific use cases in the past, but we want to hear directly from you what would be most important in an Ivanti Patch plugin.

Based on the poll below, select the top 3 items that would be most instrumental to you as part of the Ivanti patching process. If there’s something you’re looking for that’s not on the list, add a reply with the specific use cases that’d be helpful so we can take it into account. And if you have any additional feedback you want to provide regarding Ivanti patching, this is the place!

Download/deploy patches to targets
Create patch groups
Scan targets for current patch status
Deploy Ivanti agents
Perform agent tasks (eg, patching)
Device correlation and management with InsightVM

0 voters

chris_wakulik · April 9, 2020, 7:18pm

Is just for the Ivanti Patch for Windows Product (Ivanti Security Controls) or is it also for the Ivanti Endpoint Manager product as well?

spence_engleson · April 10, 2020, 4:13pm

Hi @chris_wakulik – We have been looking specifically at Ivanti Patch but would love to hear about use cases for Endpoint Manager as well! What did you have in mind?

@holly_wilsey, from your technical research do you happen to know if these products share APIs? If so, would it make sense to consolidate functionality into one plugin for both Patch and Endpoint Manager?

chris_wakulik · April 10, 2020, 4:28pm

Both products can import the CVEs from Rapid7, but it would be nice to have it be automated instead of exporting/importing a cvs or txt file. Also, any other tasks we can automate out from Rapid7 would be bonus. Both products also use the same patch content, but we currently use one to patch servers, and one to patch workstations.

holly_wilsey · April 13, 2020, 3:13pm

I believe they have separate APIs, so that would likely make more sense as separate plugins.

spence_engleson · April 13, 2020, 4:00pm

Got it, thank you! Sounds like the use case then is, “Import my CVEs from InsightVM into Ivanti Patch & Endpoint Manager in order to keep the vulnerability data synchronized across products” – am I capturing this accurately?

chris_wakulik · April 13, 2020, 5:11pm

Correct!

ryan_fried · April 15, 2020, 6:33pm

We are hoping to be able to query hosts to see if they have been patched against a certain CVE or if they are vulnerable as well as starting patch jobs

spence_engleson · April 15, 2020, 8:13pm

Thanks Ryan! Those use cases definitely register here.

We’ve been doing a lot with Slack & Teams so that you’re able to run a basic command that passes variables into the workflow and results are then posted in a thread – see get VM host info from Slack for an example. For this use case, I’m thinking something like @Security Bot patch check CVE-123-4567 and the thread response indicates coverage for that vuln.

What do you think? If your team doesn’t use these ChatOps tools (or don’t want to use them this way), is there a particular place where you would look to trigger that check from?

ryan_fried · April 16, 2020, 5:12pm

We heavily use slack with insight connect so that would be perfect

spence_engleson · July 7, 2020, 4:30pm

Quick update here: We’ve shipped over a dozen actions for the Ivanti Security Controls plugin, including actions for:

Starting a Patch Deployment
Creating a Patch Group
Creating a Patch Scan Template
Searching Patches

Check out all the available plugin actions here: https://extensions.rapid7.com/extension/ivanti_security_controls#Documentation-Technical-Details-Actions

We expect to build out some workflow templates using this functionality in the coming weeks – if you have any further workflow ideas, please share them here!

jim_lawhon · October 21, 2020, 6:28pm

New to InsightConnect and just found this… Here’s what came to mind upon finding this…

What I would like to do from Slack on an ad hoc basis:

help - summary/syntax for commands
templates - return scan and patch templates at your disposal
creds - return list of creds at your disposal
groups - return list of machine groups with search e.g. groups prod-web*

scan asset foo bar baz with prod-scan-template saved-creds-xyzzy
patch asset foo bar baz with prod-deploy-template saved-creds-xyzzy
spatch asset (scan and patch) foo bar baz with prod-scan-template and prod-deploytemplate saved-creds-xyzzy

Create adhoc machine group, add listed machines to group, run scan, deploy all missing patches (patch/spatch) using specified scan/patch templates and creds. (allow for config of default templates/creds)
Destroy Adhoc machine group, or store in folder for ICON upon completion?

scan group foo scan-template creds
patch group bar patch-template creds
spatch group baz default default creds

rpt asset foo bar baz

Machine name, IP address, date of most recent scan, installed patch count, missing patch count, missing service packs, EOL products, last deploy date?
Is it possible to identify the date of the last deployment to a machine? That would be helpful too.

rpt group wizards hobbits dragons

Group Name, date of most recent scan, scanned machine count, installed patch count, missing patch count, missing service packs, EOL products, last deploy date?

Mainly I’d like to quickly get the details on specific devices to determine when they were last patched and number of missing patches for patching/vulnerabilty remediation ticketing, but I got carried away.