Relevant Security patches on a group - Session Relevance

I’m trying to find all the MS Security Patches with a severity of Moderate or higher that are relevant for a Computer Group and then create an action to apply those patches. I am getting hung up on the relevance to find those patches though. I took another post from this forum and tried to modify it for this use but without luck. This is what I’ve got right now:

unique values of names of relevant fixlets whose (display name of site of it = "Patches for Windows" AND ("source severity" of it = "Moderate" OR "source severity" of it = "Important" OR "source severity" of it = "Critical")) of members of bes computer group whose (name of it = ">computer group name")

Give this a shot… you have issues with your quotes. Replace group name with whatever you want.

Q: unique values of names of relevant fixlets whose (display name of site of it = "Patches for Windows" AND (source severity of it = "Moderate" OR source severity of it = "Important" OR source severity of it = "Critical")) of members of bes computer groups whose (name of it = "Windows Computers")

Still getting “Undefined” in the Results tab of the Analysis.

That is the problem. This is all “Session Relevance”, which is very different from “Relevance”, and it won’t work through Analysis Properties. (Session Relevance will almost always contain bes in one of the inspectors.)

“Relevance” only works when evaluated through the BigFix Client process. That is what analysis properties and applicability relevance are.

“Session Relevance” only works when evaluated through Web Reports, the REST API, or the BigFix Windows Console (but not in analyses), or the deprecated SOAP API. In order to evaluate “Session Relevance” in the Windows Console you need to use the “Presentation Debugger”.

There is also an old windows app called the “Session Relevance Tester” that is useful: https://bigfix.me/cdb/fixlet/3969

Thank you. That insight into the process is great information. Is there a way to do what I am trying to do using just the Console then? Meaning: determine what MS Security Fixlets are relevant to the members of a Computer Group and then use that determination to create an Action that is sent to that Computer Group.

Are you looking to “get it done” or to write an automation script? Both are possible.

Easiest way in the console is to select a computer group (or multiple computers, then right-click and ‘View as Group’). Then in the group view, select the ‘Applicable Fixlets and Tasks’. A fixlet or task that is applicable to any of the group members will appear here. Filter the fixlets/tasks any way you like, then select whichever fixlets you want, right-click, and ‘Add to new Baseline’.

Once you have the baseline, you can Take Action on the baseline to run the fixlets on your clients.


It is interesting that you say to do it that way because that is the way I was doing it but I was then finding that some old fixlets (which were part of the Action sent to the group) were still relevant on one or more members of that group after the Action completed. I realize there are other reasons that fixlets become relevant again but when I went back to try to determine why it was relevant again, in at least some cases, it didn’t look like that fixlet had been sent to the client but there didn’t seem to be any good explanation for that. So it left me unsure if I was doing this right or not.
But from what you are saying, it sounds like I am doing it correctly. I just want to be sure that, at the time I am sending the fixlets via the Action, that I am definitely getting all relevant fixlets for all members of that group.

Yes, sounds like you’re doing it right.
Are you getting any failure statuses on your previous actions? If you have fixlets that are still relevant after applying, you may have some failures to investigate.

Session relevance is the best way to generate a report of the list of things, or to eventually automate it, but the only way to do that within the console directly and actually create an action is to use a Console Dashboard, which is certainly possible but not a simple task.

The main use case would be to use the REST API to automate the process fully using a combination of Session Relevance to get the set of things to deploy and then deploy them. I actually have Fixlet/Task examples that do this with the REST API but they are kind of clunky and hard to modify.

The process Jason describes above is best for doing this with the windows console.

There is also autopatch functionality in the WebUI that currently works for Windows & RedHat. It can do something similar in a more automated way.
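The REST API route described in this last reply, as an added example that is not from the thread or from BigFix itself: it builds the thread's session relevance so that it returns fixlet ids and site names (which the action document needs) rather than only names, parses a constructed BESAPI reply, and composes the action document. It assumes the query is sent with POST /api/query (form field `relevance`), the action with POST /api/actions as a BES `SourcedFixletAction` document, and that the target computer ids come from a separate query.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SEVERITIES = ("Moderate", "Important", "Critical")

def build_query(group_name, severities=SEVERITIES):
    """Session relevance for POST /api/query. Returns (fixlet id, site name,
    fixlet name) tuples; the action document needs the site *name*, which for
    "Patches for Windows" differs from the display name used in the filter."""
    sev = " OR ".join(f'source severity of it = "{s}"' for s in severities)
    return ("(id of it, name of site of it, name of it) of relevant fixlets whose "
            f'(display name of site of it = "Patches for Windows" AND ({sev})) '
            f'of members of bes computer groups whose (name of it = "{group_name}")')

# Constructed sample of the BESAPI reply shape (not captured from a real server).
# Fixlet 1001 is relevant to two members of the group, so it appears twice.
SAMPLE_RESPONSE = """<BESAPI><Query Resource="q"><Result>
<Tuple><Answer type="integer">1001</Answer><Answer type="string">Enterprise Security</Answer><Answer type="string">Sample patch A (constructed)</Answer></Tuple>
<Tuple><Answer type="integer">1002</Answer><Answer type="string">Enterprise Security</Answer><Answer type="string">Sample patch B (constructed)</Answer></Tuple>
<Tuple><Answer type="integer">1001</Answer><Answer type="string">Enterprise Security</Answer><Answer type="string">Sample patch A (constructed)</Answer></Tuple>
</Result></Query></BESAPI>"""

def parse_query_results(xml_text):
    """Map fixlet id -> (site name, fixlet name), de-duplicated across members."""
    fixlets = {}
    for tup in ET.fromstring(xml_text).iter("Tuple"):
        fid, site, name = (a.text for a in tup.findall("Answer"))
        fixlets[int(fid)] = (site, name)
    return fixlets

def build_action_xml(fixlets, computer_ids):
    """BES document for POST /api/actions: one SourcedFixletAction per fixlet,
    targeted at the group's member computer ids (assumed to come from a second
    query such as 'ids of members of bes computer groups whose (...)')."""
    targets = "".join(f"<ComputerID>{int(c)}</ComputerID>" for c in computer_ids)
    actions = "".join(
        "<SourcedFixletAction><SourceFixlet>"
        f"<Sitename>{escape(site)}</Sitename><FixletID>{fid}</FixletID>"
        "<Action>Action1</Action></SourceFixlet>"
        f"<Target>{targets}</Target></SourcedFixletAction>"
        for fid, (site, _name) in sorted(fixlets.items()))
    return f'<?xml version="1.0" encoding="UTF-8"?><BES>{actions}</BES>'

if __name__ == "__main__":
    print(build_query("Windows Computers"))
    found = parse_query_results(SAMPLE_RESPONSE)
    print(build_action_xml(found, [7, 8]))
```

Group names containing quotes need relevance escaping (`%22`) before being placed in the query string.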