SCCM Workflow

Hi Everyone, we are new to Rapid7 and InsightVM. We are trying to leverage the Automated Assisted Patching with SCCM within Rapid7.

We have the Orchestrator VM set up and running along with the connector between the Rapid7 Environment and the SCCM environment. The Trigger for the workflow is a query "vulnerability.categories IN ['microsoft patch']".

We just deployed the client to 186 new devices and there were clearly some patches that needed to be fixed. For some reason the workflow did not kick off. We cannot figure out why or how the workflow leverages the trigger to run.

Any advice on how to get this system kicked in gear would be greatly appreciated!

-S

Hi Sean - Were those MS vulnerabilities already present within InsightVM? The trigger responds to new vulnerability assessment data only, so existing vulnerabilities (even within that scope you set) would not initiate a workflow.


Hi @justin_prince, I see what you are saying now. So, I might be thinking about this the wrong way. If the vulnerabilities were already present in the Rapid7 “Catalog” itself, it won’t trigger. The way I was seeing it is Rapid7 sees a “new” computer in our environment with vulnerabilities it would trigger.

It should trigger if it’s a new asset with vulnerabilities that match your scope, or a known asset with new vulnerabilities. The data just has to be entirely new to your environment. It can’t already exist in the security console’s database, which synchronizes to the cloud.

This help doc probably does a better job explaining it than me! https://insightvm.help.rapid7.com/docs/microsoft-sccm-automation-assisted-patching#section-trigger-behavior

If your assets/vulnerabilities fit those criteria ~and workflows aren’t kicking off~, it may be worth contacting support.

Thanks Justin, appreciate your help!