Patch from Chat Workflow

In our mission to help apply SOAR to non-threat detection & response use cases, we’re trying our hand at a few workflows built around vulnerability and patch management (VPM). Yes, I did just make up that acronym, and no, it’s not very good.

Anyway, one of the first things I wanted to try was deploying a particular patch to a particular target system using a traditional patch management solution, like BigFix, from Slack or Microsoft Teams. This workflow is quite simple:

  1. Trigger from a deploy-patch message @ your bot in Slack
  2. Message must include a patch (or “fixlet”, in BigFix terminology) Title and a target Host
  3. The workflow then searches BigFix for that fixlet
  4. If the fixlet is found, the workflow attempts to deploy the fixlet to the target host
  5. A few messages in the Slack thread keep you updated along the way, and the Action History in BigFix provides a reference back to the InsightConnect job, making it easy to tell who triggered the workflow.


The idea here is, since it is fairly common for a small number of systems to miss a patching window and never receive an update, this would be a faster way to retry patching a vulnerable host than logging into the patching solution itself.

If you’re interested, please find the workflow file below! This workflow is still a little rough around the edges, and we are seeking some more feedback before posting it to the Extension Library directly.
Deploy Patch with BigFix from Slack.icon (74.4 KB)

This is the first of several different patching workflows we are working on, and we would LOVE to hear your feedback!

  • What would you change?
  • How might you and/or your colleagues in IT be able to use a workflow with this functionality?
  • What related patching use cases come to mind?
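
An added example, not part of the original post or the workflow file: one way to validate the chat message from steps 1 to 4 before anything is sent to the patching system, requiring a well-formed host and exactly one exact-title fixlet match. The command format, the `SAMPLE_FIXLETS` catalogue and all function names are assumptions made for illustration; no BigFix or InsightConnect API is called.

```python
import re
import shlex

# Assumed command shape (the page does not give one):
#   @bot deploy-patch "<fixlet title>" <host>
HOST_RE = re.compile(r"(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
                     r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*", re.I)
# Constructed stand-in for the fixlet search result: id -> title.
SAMPLE_FIXLETS = {
    101: "Example Update A for Windows Server",
    102: "Example Update B for Windows Server",
    103: "Example Update A for Windows Server (x86)",
}


class CommandError(ValueError):
    """The chat message must not be turned into a deployment."""


def parse_deploy_command(text):
    """Return (title, host) or raise CommandError."""
    text = text.translate({0x201C: '"', 0x201D: '"'})  # chat clients curl quotes
    try:
        tokens = shlex.split(text)
    except ValueError as exc:  # unbalanced quotes
        raise CommandError(f"unparseable message: {exc}") from exc
    if tokens and tokens[0].lstrip("<").startswith("@"):
        tokens = tokens[1:]  # drop the bot mention
    if len(tokens) != 3 or tokens[0] != "deploy-patch":
        raise CommandError('usage: deploy-patch "<fixlet title>" <host>')
    title, host = tokens[1].strip(), tokens[2]
    if not title or len(title) > 200:
        raise CommandError("fixlet title missing or too long")
    if not HOST_RE.fullmatch(host):
        raise CommandError("host is not a valid hostname")
    return title, host.lower()


def plan_deployment(text, requester, job_ref, fixlets=SAMPLE_FIXLETS):
    """Build the deployment request only for one exact title match."""
    title, host = parse_deploy_command(text)
    hits = [fid for fid, t in fixlets.items() if t.casefold() == title.casefold()]
    if len(hits) != 1:
        raise CommandError(f"expected exactly one fixlet, found {len(hits)}")
    # requester and job_ref travel with the request for the audit trail
    return {"fixlet_id": hits[0], "host": host,
            "requested_by": requester, "job_ref": job_ref}
```

Matching the title exactly rather than by substring keeps "Example Update A for Windows Server" from also selecting the (x86) variant in the constructed catalogue.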

While we handle relatively complete immutable infrastructure, this is a great idea! I’m going to forward to our infrastructure team, as they still handle patch rollouts, but I believe they manually handle them, and I like the idea that they kick off the rollouts via Slack and it keeps everyone informed rather than jumping between UI/console commands and updating people via Slack…


Thank you for the feedback here, Peter! We’ve posted our first version of this workflow to the Extension Library at the link below:

Right now, the workflow just patches one target host. I would like the next iteration to deploy a patch to a computer group, as that seems to be the most common way patches are distributed to multiple systems.

Please feel free to share with your team and send any additional feedback or ideas our way!
