Tracking Patch compliance

paul_deasy · July 6, 2020, 12:18pm

Hi All, not sure if this is the right place to ask, but here goes…
I’m looking for a way to use InsightVM to track patch compliance, for example with the monthly Microsoft ‘patch tuesday’ cycles, based on the MS KB Article numbers, rather than the CVEs… is that possible ?

I’d be keen to know how others are doing it.

I’d like to have a remediation project which I could track how many systems are showing as unpatched against say MS KB4560960(https://support.microsoft.com/help/4560960) - or whatever the latest KB article happens to be.

The idea being at the next patch Tuesday cycle, you can create the project and size up how many systems need to get patched - I’m focused on ensuring the security update rollups are deployed … tracking down those systems which aren’t getting patched (for whatever reason).

At the moment, I’m creating an asset filter, with a vulnerability filter of all the CVE’s covered in the patch tuesday update cycle… that will list the solutions (i.e. the update rollups) with assets affected and assets completed. But that doesn’t display the ‘unpatched’ systems in a straightforward manner.

What I’d like to be able to do is have a remediation project for say July 2020, and for each Security roll-up report the compliance based on assets patched, unpatched etc. Ultimately I’d like to be able to put this on some form of dashboard so we can present a guage-type card showing our progress. So that when you’re checking patching progress, that it’s quick to identify the hosts that haven’t been patched.

All of our assets/hosts have the insight agent installed, so it’s really trying to understand how to get the progress tracking setup.

Anyone doing something similar ? Thanks in advance

bulut_ersavas · July 6, 2020, 6:17pm

Hi Paul, one way to accomplish this is to use a query like the following in Query Builder, Goals & SLAs, Projects or Dashboard cards.

vulnerability.datePublished = 2020-03-10 && vulnerability.title STARTS WITH 'Microsoft’

I believe the vuln titles also include the specific KB article number as well, so you could try that too.

Hope this helps.

paul_deasy · July 7, 2020, 8:59am

Hi Bulut,
Thanks for taking the time to feedback… alas it’s not really the direction that I’m look at.
I am at present, having to manually key in all the CVEs based on the list provided my microsoft when they provide the updated security guidance https://portal.msrc.microsoft.com/en-us/security-guidance

So as you’ll see from my screen-grab, that will show me the resulting assets, vulnerabilities and solutions.
vulns-solutions

What I’m trying to accomplish, is a way to create a remediation project based on the ‘solution’ in order to monitor the compliance rate on patching systems.
These ‘solutions’ are clearly known to InsightVM (as it displays them as being available to remediate the CVEs), but I’ve yet to see a way to search for assets that are ‘vulnerable’.

Any suggestions would be welcomed
Paul

scott_lambert · August 6, 2020, 4:28pm

Hi @paul_deasy,

I think @bulut_ersavas hit the nail on the head here. I was able to use the query he provided to create a new Remediation Project (based on solutions/KB article). You can use the query below and just change it to the date the patches were released. Then just add any asset filters you like (e.g. asset groups, tags, etc.).

vulnerability.datePublished = 2020-07-14 && vulnerability.title STARTS WITH ‘Microsoft’ && asset.groups IN [‘windows servers’]

You can also do this by adding the criteria options individually.

Patch Tuesday Project

Once the project is created, you can see compliance on each of the individual solutions required to remediate the vulnerabilities patched on Patch Tuesday. Doing it this way will eliminate the need to manually type in all the associated CVE IDs and export the list of solutions. Otherwise, I don’t believe there is a way to create a remediation project with something along the lines of “solution title contains KB123456.”

Patch Tuesday Project1

I hope this helps.

matt_wyen · August 27, 2020, 6:10pm

I believe there is a vulnerability category called Microsoft Patch as well

collins_amadi · August 23, 2021, 9:05am

Hi Scott,

Thanks for the professional advise you gave.

As you can see from the image above,I am getting a response of a clean environment which is debatable. I want to know if there is something else needed to be configured to have the true representation of patch deployment in a server environment?

Looking forward to your prompt response.

scott_lambert1 · August 23, 2021, 3:45pm

Hi Collins,

The exact query you used works perfectly for me. I would recommend checking some of the servers in your “windowsservers_group” group to see if there are any vulnerabilities that meet that criteria. Also, when you select the assets.groups filter and start typing the name of one of your server groups, the list will start populating itself, and you can click on the group name instead of manually typing it if you aren’t already doing that.

Best regards,
Scott