Bots – Patch Deployment and Notification Bots
A Deployment Bot generates patch approvals and assigns specific configurations to those approvals, such as the Patching Process and the Deployment Channel. Notification Bots exist only as optional components of Patching Strategies and Deployment Channels and deploy or generate notifications based on settings in the Notification Bot template. Notifications can alert administrators about the release or deployment of new patches or inform interested parties about newly published updates. Notification Bots do not execute independently.
Deployment Bots
Patch Deployment Bot Template Naming Conventions
TPM Deployment Bot templates include various filtering scenarios to cover most filtering requirements in an enterprise. When deciding which Bot filter to choose, consider the following examples to understand naming conventions for the different filter types.
Risk-Based Filters
These templates filter patches on risk attributes (for example, whether a known exploit exists). They include different rollout schedules and approval levels, and all set the Desired State to Mandatory Install.
Mandatory Installation for Specific Categories
These templates filter specific categories of patches, including bug fixes, expired by vendor, known exploit, and so on. These bots filter based on category and then approve installation for all patches included in that category.
Descriptions of Bot Settings
The Bot templates provided by TPM include the following settings:
- Bot Settings: Used by both Deployment Bots and Notification Bots. Choices are Deployment/Notification Settings or Bot Workflow. Both templates default to Deployment/Notification Settings. To create a Bot Workflow, enter a support ticket and request help from Tenable Customer Support.
- Desired State: Used by Deployment Bots only. When patches match the patch filter settings, this field specifies what action the Deployment Bot takes:
  - Mandatory Install: Force installation onto the end-user device.
  - Do Not Install: Do not install onto the end-user device.
  - Rollback: Roll back the patch to the last approved version.
  - Uninstall: Uninstall the patch.
- Urgency: Used by both Deployment Bots and Notification Bots to specify the urgency setting (Low, Normal, High, Critical) for patches or notifications that meet the patch filter requirements. The Bot compares this setting against the urgency defined in the Patching Strategy or Deployment Channel to which the Bot belongs. If the urgency settings do not match, the Bot does not deploy or send a notification, so a mismatched Urgency silently disables the Bot.
- Business Units: Deployment Bots only. Business Units are a fundamental organizational unit in TPM, and logically group and manage devices, settings, and other resources according to business needs. Groupings include geographic location, department, or business function. For details, see Business Units.
- Output Expression: Notification Bots only. The Output Expression is a free text field used to enter the text of the notification (E-Mail body, SMS/Text Message, Microsoft Teams message, or WhatsApp message).
- Communication Providers: Notification Bots only. Communication Provider settings define the type of communication to send when a Bot processes a patch that matches the Filter Settings. Choose one or more of the built-in Communication Providers.
Open and Save a Patch Deployment Bot Template
TPM includes prepopulated templates that address most filtering scenarios. You can save these templates using a descriptive local naming convention, and then customize them to your environment.
Tip: To create customized Deployment Bots, Tenable recommends entering a support ticket and requesting assistance from Tenable Customer Support.
Follow the instructions in the “Create a New Folder for Objects” section in Patch Object Management, and then complete the following steps:
- Select Advanced Settings > Intent Schema > Bots > Patch Deployment Bots. The top folder lists the templates provided by Tenable Patch Management.
- Select Show All to see the available templates, or select Filtered by: in the Bots list to see only the templates associated with that filter.
- Select the Name of a template to open it. For example, in Filtered by: Known Exploit, select Mandatory Install (Known Exploit Exists).
- Save the template with a new title:
  - In the upper-left of the dialog, select More.
  - Click Save As.
  - Enter a new name for the template.
  - Click Save as. This returns you to a copy of the template with the new name.
- Enter a detailed Description of the process covered in this template, or leave the prepopulated description.
- Add a character to enable the Save button.
- Click Save.
Patch Filter Conditions
The TPM Deployment Bot and Notification Bot templates include Patch Filter Settings that give the Bot the details it needs to approve patches for installation or to ignore specific patches, updates, or vendor content.
Proceed carefully when customizing Patch Filter Settings. Enter a support ticket and request assistance from Tenable Customer Support.
Patch Filter Settings are used by both Deployment Bots and Notification Bots. New patches must meet the filter criteria before the Bot submits them to the Patching Cycle. After approving a patch that meets the Patch Filter Settings, the Bot forwards the patch information to the Patching Process and the Deployment Wave associated with the Patching Strategy.
Configurable conditions include + Import Selector, which lets you reuse an existing Patch Filter to validate new patches submitted to this Bot, and Select Operator or Condition, which lets you build a flexible filter from operators (AND, OR, NOT) and operating conditions. With no filter settings applied, the Bot processes all patches, so an empty filter on a Mandatory Install Bot approves every patch that reaches it.
Edit or Remove Existing Patch Filter Conditions
In a Patch Deployment Bot template, scroll down to Patch Filter Settings:
- To modify a patch filter condition that your template already includes, select the ellipsis (...), and then select Edit Condition.
- To remove a Patch Filter Condition, select the ellipsis (...), and then select Remove.
Add Patch Filter Conditions
+Import Selector lets you select one or more existing filter conditions to use for this Bot. If you want to add multiple conditions, see the following Set and Change Patch Filter Conditions section. This example imports an existing Tenable patch filter so that the Bot includes patches based on the imported filter settings.
- Select +Import Selector in the Patch Filter Settings dialog of an open Bot template (as detailed in the Open and Save a Patch Deployment Bot Template section earlier).
- Select an existing Filtered by: folder from the list of Patch Deployment Bots, and then select one or more filters to use in this Bot. For example, in Filtered by: Known Exploit, select Mandatory Install (Known Exploit Exists).
- Select Import Selector at the lower left of the dialog. This returns you to the Patch Filter Settings, where the condition logic now displays as Risk.KnownExploitExists Equals true.
If you choose more than one filter, the condition displays the AND operator and lists your selections, so a patch must satisfy every imported filter to match.
Set and Change Patch Filter Conditions
Use Operating Conditions and Operators to manually set multiple Patch Filter Conditions to use for this Bot. You must add the operator before you can add the condition. To add multiple conditions, repeat this section as needed.
Tip: When using a template that already includes a Patch Filter Condition, you must remove that condition before you can add multiple conditions. You can add the original condition back in as part of setting multiple conditions.
Add or Remove an Operator
In the Patch Filter Settings of an open Bot template, delete any existing Filter Conditions:
- To remove an existing condition, select the ellipsis (...) to the right of the existing filter, and then select Remove.
- To add the condition again as part of a string, record its name for later use.
- Select the ellipsis (...) to the right of Select Operator or Condition, and then select Add Operator.
- Select the operator you want to use (AND, NOT, OR). For example, to filter out specific patches, select NOT. This returns you to the Patch Filter Settings, which displays the operator you selected.
- Continue to the Add an Operating Condition section.
Change an Operator
- Select the ellipsis (...) next to the existing filter in the Patch Filter Settings of an open Bot template (as detailed in the Open and Save a Patch Deployment Bot Template section earlier).
- Select Change Operator, and then select the operator you prefer.
- Click Save on the upper-left of the Patch Filter Settings workspace:
  - Check the Error View and resolve any errors.
  - Click Save again if you make any changes.
Add an Operating Condition
After adding the Operator, add the Operating Condition. This example uses the NOT operator added above to exclude Windows updates of a selected WSUS classification.
- Select the ellipsis (...) to the right of Select Operator or Condition, and then select Add Operating Condition.
- Expand the list next to Data Column, and then select the filter you want to use. For example, select WSUS Classification. See the Patch Filter Settings section in Appendices for a description of each available setting. If you removed a Patch Filter Condition previously, you may add it back here.
- Set the Operating Condition to Equals, and then choose one of the following for the Value:
  - Updates: excludes Windows updates.
  - Upgrades: excludes Windows upgrades.
  - Windows 11 upgrades: excludes upgrades to Windows 11.
- Click OK. This returns you to Patch Filter Settings, which now shows WSUS.Classification Equals <selected value> as a condition for excluding patches; the exclusion comes from the NOT operator the condition sits under, not from the Equals comparison itself.
See the Preview Software Filtered by Conditions section to confirm that the Software Patches listed do not include those you excluded.
Filter Out Specific Patches by Product ID
The Product ID is the number Tenable assigns to all patches from a specific vendor. Contact Tenable Customer Support to obtain the Product ID for the vendor patches you want to filter.
- Select the ellipsis (...) to the right of Select Operator or Condition, and then select Add Operating Condition.
- Expand the list next to Data Column, and then select Relationships.Parent as the Object ID.
- Set the Operating Condition to Equals.
- Enter the Product ID, and then click OK. This returns you to Patch Filter Settings, which now shows Parent ID Equals <product ID> as a condition for excluding patches.
- See Preview Software Filtered by Conditions to confirm that the Software Patches listed do not include those you excluded.
Preview Filtered Patches
Preview Software Filtered by Conditions
Preview a list of software filtered by this Bot based on the patch filter condition:
- Select Preview Filtered Software on the lower-right of the Patch Filter Settings.
- Select the Software Patches tab to see the Software Patches included in this Bot with your filter.
- Select the Software Releases tab to see the Software Releases included in this Bot with your filter.
- Select OK to return to the Patch Filter Settings.
Preview Software Filtered by a Strategy
Using the Patch Filter Settings in a Deployment Bot template, you can preview the software that the Patch Filter Conditions you set select. You can further constrain the preview results by specifying a Patching Strategy.
- Select Browse next to Patch Filter Preview in the Patch Filter Settings of an open Deployment Bot template.
- Select the Patching Strategy you want to preview, and then select Set Preview Patching Strategy Constraint.
- Select Preview Filtered Software to see the patches or releases filtered by the Patching Strategy.
- Select OK to return to the Patch Filter Settings.
Configure Bot Settings
Select Deployment Settings
In the Bot Settings workspace of a Deployment Bot template, the default Deployment Settings include a Desired State, an Urgency level, and Business Units.
With Deployment Settings selected, complete the following steps:
- Set the desired state:
  - Select the input line for Desired State to view the menu options.
  - Select a State from the list (Mandatory Install, Do Not Install, Rollback, Uninstall).
- Set the urgency:
  - Select the input line for Urgency to view the menu options.
  - Select an Urgency setting from the list (Low, Normal, High, Critical).
- Click Save at the upper-left to save your progress:
  - Check the Error View and resolve any errors.
  - Click Save again if you make any changes.
Business Units for Bot Deployment Settings
In the Bot Settings workspace of an open Deployment Bot template with Deployment Settings selected, complete the following steps:
- Select +Add Business Units:
  - With no Business Units added to the Bot, the patching cycle patches the devices in all Business Units identified in the Patching Strategy.
  - With one or more Business Units added to the Bot, the patching cycle patches only the devices in those Business Units. The Patching Strategy must include the same Business Units as part of its assigned Deployment Wave; for more information, see Deployment Settings.
- Select the right arrow next to a Business Unit type to expand one or more Business Unit structures.
- Select one or more Business Units to include in this Deployment Bot.
- Select Add Business Units on the lower-left to return to the Deployment Bot template.
- Click Save at the upper-left to save your progress.
Now, when you add this Deployment Bot to a Patching Strategy or other object, it appears in the list of available Deployment Bots.
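The Deployment Settings above determine two things a practitioner wants to check before attaching a Mandatory Install Bot to a Strategy: whether the Bot acts at all (its Urgency must match the Strategy's) and which devices it reaches (all Business Units in the Strategy when the Bot lists none, otherwise only the Bot's units that are also in the Strategy's Deployment Wave). The following Python model is an added illustration of those rules, not Tenable's code; the Bot, Strategy and device inventory are constructed placeholders, and the warning text is this example's own.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

DESIRED_STATES = ("Mandatory Install", "Do Not Install", "Rollback", "Uninstall")
URGENCIES = ("Low", "Normal", "High", "Critical")


@dataclass(frozen=True)
class DeploymentBot:
    name: str
    desired_state: str
    urgency: str
    business_units: FrozenSet[str] = frozenset()  # empty = all units in the Strategy

    def __post_init__(self):
        if self.desired_state not in DESIRED_STATES:
            raise ValueError(f"unknown Desired State {self.desired_state!r}")
        if self.urgency not in URGENCIES:
            raise ValueError(f"unknown Urgency {self.urgency!r}")


@dataclass(frozen=True)
class PatchingStrategy:
    name: str
    urgency: str
    wave_business_units: FrozenSet[str]  # units in the assigned Deployment Wave


def deployment_scope(bot: DeploymentBot, strategy: PatchingStrategy,
                     inventory: Dict[str, str]) -> Tuple[Optional[str], List[str], List[str]]:
    """
    Return (action, devices, warnings) for a Bot attached to a Strategy.

    inventory maps device name -> Business Unit (constructed). The action is
    None when the Bot does nothing because its Urgency differs from the
    Strategy's Urgency. Warnings flag silent misconfigurations.
    """
    warnings: List[str] = []
    if bot.urgency != strategy.urgency:
        warnings.append(f"{bot.name}: urgency {bot.urgency} differs from "
                        f"strategy urgency {strategy.urgency}; Bot takes no action")
        return None, [], warnings
    if not bot.business_units:
        units = set(strategy.wave_business_units)
    else:
        missing = bot.business_units - strategy.wave_business_units
        if missing:
            warnings.append(f"{bot.name}: units not in the Deployment Wave are never "
                            f"patched: {sorted(missing)}")
        units = bot.business_units & strategy.wave_business_units
    devices = sorted(dev for dev, unit in inventory.items() if unit in units)
    return bot.desired_state, devices, warnings


# Constructed sample data; names are placeholders, not real TPM objects.
INVENTORY: Dict[str, str] = {
    "fin-ws-01": "Finance", "fin-ws-02": "Finance",
    "hr-ws-01": "HR", "eng-srv-01": "Engineering",
}
STRATEGY = PatchingStrategy("Quarterly Workstations", "High", frozenset({"Finance", "HR"}))
BOT_ALL = DeploymentBot("Mandatory Install (Known Exploit Exists)", "Mandatory Install", "High")
BOT_SCOPED = DeploymentBot("Finance-only install", "Mandatory Install", "High",
                           frozenset({"Finance", "Engineering"}))
BOT_WRONG_URGENCY = DeploymentBot("Critical install", "Mandatory Install", "Critical")

if __name__ == "__main__":
    for bot in (BOT_ALL, BOT_SCOPED, BOT_WRONG_URGENCY):
        action, devices, warnings = deployment_scope(bot, STRATEGY, INVENTORY)
        print(f"{bot.name}: action={action} devices={devices} warnings={warnings}")
```

BOT_ALL reaches every Finance and HR device; BOT_SCOPED reaches only the Finance devices and is warned that Engineering is outside the Strategy's wave; BOT_WRONG_URGENCY takes no action at all. Running a check like this before saving a template catches the two cases the UI accepts without complaint.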
Use a Custom Deployment Bot Workflow
If you have not created a custom workflow, contact Tenable Customer Support and request assistance. To add a custom workflow, go to the Bot Settings workspace of an open Deployment Bot template with Bot Workflow selected, and then complete the following steps:
- Select Browse next to Bot Workflow to open the list of available workflows.
- Select Show All to view all available workflows for this setting.
Note: If you have created a custom Deployment Bot Workflow, it is listed here. If not, contact Tenable Customer Support to create a Deployment Bot Workflow for use with these settings.
- Select the workflow Name, and then select Add Workflow on the lower-left to include the workflow in the Bot Settings.
- Select Save at the upper-left to save your progress:
  - Check the Error View and resolve any errors.
  - Click Save again if you make any changes.
Notification Bots
Patch Notification Bots generate notifications to alert administrators or users about the release or deployment of new patches that meet Patch Filter Settings in the Bot. When the Notification Bot detects patches that match a specified filter expression, the Bot generates a notification to include in the notification cycle. The notification cycle follows the Patching Strategy or Deployment Channel configuration that contains the Notification Bot.
Notification Bots are optional components of Patching Strategy templates and Deployment Channel templates and exist only within these templates.
Patch Notification Bot Template Naming Conventions
Tenable Patch Notification Bot templates include various filtering scenarios to cover most notification requirements in an enterprise. When deciding which Bot filter to choose, consider the following example to understand naming conventions for the different filter types.
Normal Notification
These templates send a notification at Normal urgency for patches that match the template filter, for example Normal Notification (Expired by Vendor). They do not approve, install, or roll back anything; a Notification Bot only generates notifications within the Patching Strategy or Deployment Channel that contains it.
Creating Notification Bots
Open and Save a Patch Notification Bot Template
- Mouse over or select Bots in the left navigation menu of the Patch Dashboard, and then select Patch Notification Bots. The top folder lists the templates provided by TPM.
- Create a folder for your patch notification bot.
- Select Show All to see the available templates, or select Filtered by: in the Bots list to see only the templates associated with that filter.
- Select the Name of a template to open it. For example, in Filtered by: Expiration, select Normal Notification (Expired by Vendor).
- Save the template with a new title:
  - In the upper-left of the dialog, select More, and then select Save As.
  - Enter a new name for the template, and then select Save as. This returns you to a copy of the template with the new name.
  - Enter a detailed Description of the process covered in this template, or leave the prepopulated description. Add a character to enable the Save button, and then click Save.
When you have finished modifying your new template, you can drag and drop it into the folder you created (see Patch Object Management).
Create an Output Expression
The Output Expression field is a text box that allows you to provide a more meaningful notification to users that informs them of the pending changes.
Configure Notification Bot Settings
Except for Communication Providers, use the previously configured settings in the template.
- In the Notification Bot template, scroll down to Communication Providers, and then select +Add Communication Providers.
- Select one or more providers to use for notifications by this Bot. If you do not see the provider you want to use, see Communication Providers to add it.
- Click Save at the upper-left to save your progress:
  - Check the Error View and resolve any errors.
  - Click Save again if you make any changes.