Bots – Patch Deployment and Notification Bots

A Deployment Bot generates patch approvals and assigns specific configurations to those approvals, such as the Patching Process and the Deployment Channel.

Notification Bots exist only as optional components of Patching Strategies and Deployment Channels and deploy or generate notifications based on settings in the Notification Bot template. Notifications can alert administrators about the release or deployment of new patches or inform interested parties about newly published updates. Notification Bots do not execute independently.

Deployment Bots

Patch Deployment Bot Template Naming Conventions

Tenable Patch Management Deployment Bot templates include various filtering scenarios to cover most filtering requirements in an enterprise. When deciding which Bot filter to choose, consider the following examples to understand naming conventions for the different filter types.

Risk-Based Filters

These templates filter several aspects of patches based on risk. They include different rollout schedules and approval levels, and all require mandatory installation.


Mandatory Installation for Specific Categories

These templates filter specific categories of patches, including bug fixes, expired by vendor, known exploit, and so on. These bots filter based on category and then approve installation for all patches included in that category.


Descriptions of Bot Settings

The Bot templates provided by Tenable Patch Management include the following settings:

  • Bot Settings: Used by both Deployment Bots and Notification Bots. Choices are Deployment/Notification Settings or Bot Workflow. Both templates default to Deployment/Notification Settings. To create a Bot Workflow, enter a support ticket and request help from Tenable Patch Management.

  • Desired State: Used by Deployment Bots only. When patches match the patch filter settings, this field specifies what action the Deployment Bot takes:

    • Mandatory Install: Force installation onto the end-user device.

    • Do Not Install: Do not install onto the end-user device.

    • Rollback: Roll back the patch to the last approved version.

    • Uninstall: Perform an uninstallation of the patch.

  • Urgency: Used by both Deployment Bots and Notification Bots to specify the urgency setting (Low, Normal, High, Critical) for patches or notifications that meet the patch filter requirements. The Bot compares this setting against the urgency defined in the Patching Strategy or Deployment Channel to which this Bot belongs. If the urgency settings do not match, the Bot does not deploy or send a notification.

  • Business Units: Deployment Bots Only. Business Units are a fundamental organizational unit in Tenable Patch Management and logically group and manage devices, settings, and other resources according to business needs. Groupings include geographic location, department, or business function. For details, see Business Units.

  • Output Expression: Notification Bots only. The Output Expression is a free text field used to enter the text of the notification (E-Mail body, SMS/Text Message, Microsoft Teams message, or WhatsApp message).

  • Communication Providers: Notification Bots only. Communication Provider settings define the type of communication to send when a Bot processes a patch that matches the Filter Settings. Choose one or more of the built-in Communication Providers.


Open and Save a Patch Deployment Bot Template

Tenable Patch Management includes prepopulated templates that address most filtering scenarios. You can save these templates using a descriptive local naming convention, and then customize them to your environment.

Tip: To create customized Deployment Bots, Tenable Patch Management recommends entering a support ticket and requesting assistance from Tenable Patch Management.

  1. Follow the instructions in Create a New Folder for Objects.

  2. Hover over or click Bots in the left navigation menu of the Tenable Patch Management Admin Portal, and then select Patch Deployment Bots. The top folder lists the templates provided by Tenable Patch Management.

  3. Select Show All to see the available templates or click Filtered by: in the Bots list to see only the templates associated with that filter.

  4. Select the Name of a template to open it. For example, in Filtered by: Known Exploit, click Mandatory Install (Known Exploit Exists).

  5. Save the template with a new title:

Patch Filter Conditions

The Tenable Patch Management Deployment Bot and Notification Bot templates include Patch Filter Settings that provide the Bot with the details needed to approve patches for installation or to ignore specific patches, updates, or vendor content.

Proceed carefully when customizing Patch Filter Settings. Enter a support ticket and request assistance from Tenable Patch Management.

Patch Filter Settings are used by both Deployment Bots and Notification Bots. New patches must meet the filter criteria before the Bot submits them to the Patching Cycle. After approving a patch that meets the Patch Filter Settings, the Bot forwards the patch information to the Patching Process and the Deployment Wave associated with the Patching Strategy.


Configurable conditions include using + Import Selector, which allows you to use an existing Patch Filter to validate new patches submitted to this Bot. You can also use the Select Operator or Condition to create a flexible patch filtering process. With no filter settings applied, the Bot processes all patches.

Edit or Remove Existing Patch Filter Conditions

In a Patch Deployment Bot template, scroll down to Patch Filter Settings:

  • If your template includes a patch filter condition that you want to modify, click the ellipsis (…), and then select Edit Condition.

  • If you want to remove a Patch Filter Condition, click the ellipsis (…), and then select Remove.

Add Patch Filter Conditions

Import Selector allows you to select one or more existing filter conditions to use for this Bot. If you want to add multiple conditions, see Set and Change Patch Filter Conditions. This example uses an existing Tenable Patch Management patch filter that tells the Bot to include patches based on the imported filter settings.

  1. Select + Import Selector in the Patch Filter Settings dialog of an open Bot template.

  2. Select an existing Filtered by: folder from the list of Patch Deployment Bots, and then select one or more filters to use in this Bot.

    For example, in Filtered by: Known Exploit, select Mandatory Install (Known Exploit Exists).

  3. Select Import Selector at the bottom left of the dialog. This returns you to the Patch Filter Settings where the condition logic now displays as Risk.KnownExploitExists Equals true.


    If you chose more than one filter, the condition displays the AND operator and lists your selections:

Set and Change Patch Filter Conditions

Use Operating Conditions and Operators to manually set multiple Patch Filter Conditions to use for this Bot. You must add the operator before you can add the condition. To add multiple conditions, repeat this section as needed.


Add or Remove an Operator
  1. In the Patch Filter Settings of an open Bot template, delete any existing Filter Conditions.

    • To remove an existing condition, click the ellipsis to the right of the existing filter, and select Remove.

    • To add the condition in again as part of a string, make note of the name for later use.

  2. Select the ellipsis (…) to the right of Select Operator or Condition, and then select Add Operator.

  3. Select the operator you want to use (AND, NOT, OR). For example, to filter out specific patches, select NOT.


    This returns you to the Patch Filter Settings, which shows the operator you selected.

  4. Continue to Add an Operating Condition.

Change an Operator
  1. Select the ellipsis (…) next to the existing filter in the Patch Filter Settings of an open Bot template.

  2. Select Change Operator, and then select the operator you prefer.

  3. Select Save on the upper left-hand corner of the Patch Filter Settings workspace:

Add an Operating Condition

After adding the Operator, add the Operating Condition. This example filters out all patches for Windows Server Update Services (WSUS).

  1. Select ellipsis (…) to the right of Select Operator or Condition, and then select Add Operating Condition.

  2. Expand the list next to Data Column and select the filter you want to use. For example, select WSUS Classification.

    • See Patch Filter Settings for a description of each available setting.

    • If you removed a Patch Filter Condition previously, you may add it back here.

  3. Set the Operating Condition to Equals, and then choose one of the following for the Value:

    • Updates – Exclude Windows updates.

    • Upgrades – Exclude Windows upgrades.

    • Windows 11 upgrades – Exclude upgrades to Windows 11.

  4. Select OK. This returns you to Patch Filter Settings, which now shows WSUS.Classification Equals <selected value> as a condition for excluding patches.

  5. See Preview Software Filtered by Conditions to confirm that the Software Patches listed do not include those you excluded.

Filter Out Specific Patches by Product ID

The Product ID is the number assigned by Tenable Patch Management to all patches from a specific vendor.

  1. Contact Tenable Patch Management to obtain the Product ID for the vendor patches you want to filter.

  2. Select ellipsis (…) to the right of Select Operator or Condition, and then select Add Operating Condition.

  3. Expand the list next to Data Column and select Relationships.Parent as the Object ID.

  4. Set the Operating Condition to Equals.

  5. Enter the Product ID, and then click OK. This returns you to Patch Filter Settings, which now shows Parent ID Equals <product ID> as a condition for excluding patches.

  6. See Preview Software Filtered by Conditions to confirm that the Software Patches listed do not include those you excluded.
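To make the filter logic built in the procedures above concrete, here is an added Python example (not Tenable code) that models the Operator and Operating Condition tree the Patch Filter Settings describe and previews which constructed patches the Bot would process, together with the Urgency match against the Patching Strategy. The Known Exploit, WSUS and Product ID conditions follow the condition text shown above; the patch records, the PID-* product IDs and the evaluation rules (Equals only, NOT excluding a patch when any listed condition matches, urgency compared by equality) are assumptions.

```python
from dataclasses import dataclass, field
from typing import Any, Union

# Constructed sample patch records. Keys mirror the condition text the Admin Portal
# shows (Risk.KnownExploitExists, WSUS.Classification, Relationships.Parent); values are made up.
PATCHES = [
    {"id": "p1", "Risk.KnownExploitExists": True, "WSUS.Classification": "Updates", "Relationships.Parent": "PID-EXAMPLE-1"},
    {"id": "p2", "Risk.KnownExploitExists": True, "WSUS.Classification": None, "Relationships.Parent": "PID-EXAMPLE-2"},
    {"id": "p3", "Risk.KnownExploitExists": False, "WSUS.Classification": "Upgrades", "Relationships.Parent": "PID-EXAMPLE-2"},
    {"id": "p4", "Risk.KnownExploitExists": True, "WSUS.Classification": None, "Relationships.Parent": "PID-EXAMPLE-3"},
]

@dataclass
class Cond:
    """One Operating Condition: <Data Column> Equals <Value>."""
    column: str
    value: Any

@dataclass
class Op:
    """An Operator (AND, OR, NOT) applied to the conditions listed under it."""
    kind: str
    items: list = field(default_factory=list)

def matches(node: Union[Cond, Op, None], patch: dict) -> bool:
    """Evaluate a filter tree for one patch. No filter at all means every patch matches."""
    if node is None:
        return True
    if isinstance(node, Cond):
        return patch.get(node.column) == node.value
    results = [matches(child, patch) for child in node.items]
    if node.kind == "AND":
        return all(results)
    if node.kind == "OR":
        return any(results)
    if node.kind == "NOT":  # assumption: NOT excludes the patch if any listed condition matches
        return not any(results)
    raise ValueError(f"unknown operator {node.kind}")

def preview(node, patches=PATCHES):
    """Counterpart of Preview Filtered Software: ids of the patches the Bot would process."""
    return [p["id"] for p in patches if matches(node, p)]

def bot_acts(bot_urgency: str, strategy_urgency: str) -> bool:
    """The Bot deploys or notifies only when its Urgency matches the Strategy's."""
    return bot_urgency == strategy_urgency

# Imported selector from the Known Exploit folder: Risk.KnownExploitExists Equals true
KNOWN_EXPLOIT = Cond("Risk.KnownExploitExists", True)
# NOT operator plus the WSUS example: patches with WSUS.Classification Equals Updates are excluded
NOT_WSUS_UPDATES = Op("NOT", [Cond("WSUS.Classification", "Updates")])
# Both combined with a Product ID exclusion (Relationships.Parent Equals <product ID>)
COMBINED = Op("AND", [KNOWN_EXPLOIT, NOT_WSUS_UPDATES,
                      Op("NOT", [Cond("Relationships.Parent", "PID-EXAMPLE-3")])])
```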

Preview Filtered Patches

Preview Software Filtered by Conditions

Preview a list of software filtered by this Bot based on the patch filter condition.

  1. Select Preview Filtered Software on the lower-right corner of the Patch Filter Settings.

  2. Select the Software Patches tab to see the Software Patches included in this Bot with your filter.

  3. Select the Software Releases tab to see the Software Releases included in this Bot with your filter.

  4. Select OK to return to the Patch Filter Settings.

Preview Software Filtered by a Strategy

Using the Patch Filter Settings in a Deployment Bot template, you can preview the software filtered out by the Patch Filter Conditions you set. You can refine these filter conditions by specifying a Patching Strategy to further constrain the preview results.

  1. Select Browse next to Patch Filter Preview in the Patch Filter Settings of an open Deployment Bot template.

  2. Select a Patching Strategy you want to preview, and then click Set Preview Patching Strategy Constraint.

  3. Select Preview Filtered Software to see the patches or releases filtered by the Patching Strategy.

  4. Select OK to return to the Patch Filter Settings.

Configure Bot Settings

Select Deployment Settings

In the Bot settings workspace of a Deployment Bot template, the default Deployment Settings require a Desired State, an Urgency level, and designated Business Units.


With Deployment Settings selected, complete the following steps.

  1. Set the Desired State:

    1. Select the input line for Desired State to view the menu options.

    2. Select a State from the list (Mandatory Install, Do Not Install, Rollback, Uninstall).

  2. Set the Urgency:

    1. Select the input line for Urgency to view the menu options.

    2. Select an Urgency setting from the list (Low, Normal, High, Critical).

  3. Select Save at the upper left to save your progress:

  4. Continue with Add Business Units.

Business Units for Bot Deployment Settings

In the Bot Settings workspace of an open Deployment Bot template with Deployment Settings selected, complete the following steps:

  1. Select + Add Business Units:

    • With no Business Units added to the Bot, the patching cycle patches the devices in all Business Units identified in the Patching Strategy.

    • With one or more Business Units added to the Bot, the patching cycle patches only the devices in those Business Units. The Patching Strategy must include the same Business Units as part of its assigned Deployment Wave (see Deployment Settings).

  2. Select the right arrow next to a Business Unit type to expand one or more Business Unit structures.

  3. Select one or more Business Units to include in this Deployment Bot.

  4. Select Add Business Units on the bottom left to return to the Deployment Bot template.

  5. Select Save at the upper left to save your progress:

    Now, when you need to add this Deployment Bot to a Patching Strategy or other object, you will see it in the list of available Deployment Bots.

Use a Custom Deployment Bot Workflow

If you have not created a custom workflow, contact Customer Support and request assistance. To add a custom workflow, go to the Bot Settings workspace of an open Deployment Bot template with Bot Workflow selected and complete the following steps.

  1. Select Browse next to Bot Workflow to open the list of available workflows.

  2. Select Show All to view all available workflows for this setting.

    Note: If you have created a custom Deployment Bot Workflow, you will see it listed here. If not, contact Customer Support to create a Deployment Bot Workflow for use with these settings.

  3. Select the workflow Name, and then click Add Workflow on the bottom left to include the workflow in the Bot Settings.

  4. Select Save at the upper left to save your progress:

Notification Bots

Patch Notification Bots generate notifications to alert administrators or users about the release or deployment of new patches that meet Patch Filter Settings in the Bot. When the Notification Bot detects patches that match a specified filter expression, the Bot generates a notification to include in the notification cycle. The notification cycle follows the Patching Strategy or Deployment Channel configuration that contains the Notification Bot.

Notification Bots are optional components of Patching Strategy templates and Deployment Channel templates and exist only within these templates.

Patch Notification Bot Template Naming Conventions

Tenable Patch Management Patch Notification Bot templates include various filtering scenarios to cover most filtering requirements in an enterprise. When deciding which Bot filter to choose, consider the following examples to understand naming conventions for the different filter types.

Normal Notification

These templates filter several aspects of patches based on risk. They include different rollout schedules and approval levels, and all require mandatory installation.


Creating Notification Bots

Open and Save a Patch Notification Bot Template
  1. Follow the instructions in Create a New Folder for Objects.

  2. Hover over or click Bots in the left navigation menu of the Patch Dashboard, and then select Patch Notification Bots. The top folder lists the templates provided by Tenable Patch Management.

  3. Select Show All to see the available templates or click Filtered by: in the Bots list to see only the templates associated with that filter.

  4. Select the Name of a template to open it. For example, in Filtered by: Expiration, click Normal Notification (Expired by Vendor).

  5. Save the template with a new title:

  6. Select Save. When you have finished modifying your new template, you can drag and drop it in the folder you created (see Patch Object Management).

Create an Output Expression

The Output Expression field is a text box that allows you to provide a more meaningful notification to users that informs them of the pending changes.

Configure Notification Bot Settings

Except for Communication Providers, use the previously configured settings in the template. For details, see Communication Providers.

  1. In the Notification Bot template, scroll down to Communication Providers, and then click + Add Communication Providers.

    • Select one or more providers to use for notifications by this Bot.

    • If you do not see the provider you want to use, see Communication Providers to add it.

  2. Select Save at the upper left to save your progress:

  3. Check the Error View and resolve any errors.

  4. Select Save again if you make any changes.