In our mission to help apply SOAR to non-threat detection & response use cases, we’re trying our hand at a few workflows built around vulnerability and patch management (VPM). Yes, I did just make up that acronym, and no, it’s not very good.
Anyway, one of the first things I wanted to try was deploying a particular patch to a particular target system using a traditional patch management solution, like BigFix, from Slack or Microsoft Teams. This workflow is quite simple:
- Trigger from a `deploy-patch` message @ your bot in Slack. The message must include a patch (or "fixlet", in BigFix terminology) Title and a target Host.
- The workflow then searches BigFix for that fixlet
- If the fixlet is found, the workflow attempts to deploy the fixlet to the target host
- A few messages in the Slack thread keep you updated along the way, and the Action History in BigFix provides a reference back to the InsightConnect job, making it easy to tell who triggered the workflow.
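As an added illustration of the workflow logic (not code from the posted .icon file or from the InsightConnect BigFix plugin), here is a small Python model of the steps above: parse the `deploy-patch` message, validate the target host, require an exact fixlet-title match, and stamp the action with the job id and requester so the BigFix Action History points back to who triggered it. The command syntax (`title="..." host=...`), the `FakeBigFix` stand-in and its method names are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Assumed command shape, e.g.:  @patchbot deploy-patch title="KB5001 Security Update" host=web01.corp.example
CMD_RE = re.compile(r'deploy-patch\s+title="(?P<title>[^"]+)"\s+host=(?P<host>\S+)')
# RFC 1123-style hostname: 1-63 char labels of letters, digits, hyphens; no leading/trailing hyphen.
HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

@dataclass
class DeployRequest:
    title: str      # fixlet title exactly as the user typed it
    host: str       # target computer name
    requester: str  # Slack user who sent the message

def parse_command(text, requester):
    """Extract title and host from a Slack message; reject anything that is not a well-formed request."""
    m = CMD_RE.search(text)
    if not m:
        raise ValueError("message is not a deploy-patch command")
    title, host = m.group("title").strip(), m.group("host")
    if not HOST_RE.match(host):
        raise ValueError(f"invalid host name: {host!r}")
    return DeployRequest(title, host, requester)

def run_workflow(req, bigfix, job_id):
    """Search BigFix for the fixlet, deploy only on an unambiguous exact-title match, return (status, message)."""
    matches = [f for f in bigfix.search_fixlets(req.title) if f["title"] == req.title]
    if not matches:
        return ("not_found", f"no fixlet titled {req.title!r}")
    if len(matches) > 1:
        return ("ambiguous", f"{len(matches)} fixlets share the title {req.title!r}; refusing to guess")
    fixlet = matches[0]
    # Comment lands in the BigFix Action History and links the action back to the job and requester.
    comment = f"InsightConnect job {job_id} triggered by {req.requester}"
    action_id = bigfix.deploy(fixlet["id"], req.host, comment)
    return ("deployed", f"action {action_id}: fixlet {fixlet['id']} -> {req.host} ({comment})")

class FakeBigFix:
    """Constructed stand-in for the BigFix plugin; substring search over canned fixlets, records deployments."""
    def __init__(self, fixlets):
        self.fixlets, self.actions = fixlets, []
    def search_fixlets(self, title):
        return [f for f in self.fixlets if title.lower() in f["title"].lower()]
    def deploy(self, fixlet_id, host, comment):
        self.actions.append({"fixlet": fixlet_id, "host": host, "comment": comment})
        return len(self.actions)
```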
The idea here is, since it is fairly common for a small number of systems to miss a patching window and never receive an update, this would be a faster way to retry patching a vulnerable host than logging into the patching solution itself.
If you’re interested, please find the workflow file below! This workflow is still a little rough around the edges, and we are seeking some more feedback before posting it to the Extension Library directly.
Deploy Patch with BigFix from Slack.icon (74.4 KB)
This is the first of several different patching workflows we are working on, and we would LOVE to hear your feedback!
- What would you change?
- How might you and/or your colleagues in IT be able to use a workflow with this functionality?
- What related patching use cases come to mind?