Apply a software patch

If Aurora Vulnerability Management (Aurora VM) detects a vulnerability on an asset with Arctic Wolf Agent installed, you can automate remediation through supported third-party software patches. Software patches are available on a subset of Aurora VM Agent scan supported OSes and includes a range of supported third-party applications that do not require a reboot.

Note:
  • You cannot cancel a software patch after it is scheduled.
  • When a software patch is scheduled for an endpoint that is powered off, or if a system reboot occurs during the software patch process on an endpoint, the Patch Status remains in Patch Initiated for five days. After five days, if it is not past the Patch Enforcement Deadline date, the process is rescheduled. If it is past the Patch Enforcement Deadline date, the Patch Status changes to Patch Failed.
  • A software patch notification may not appear on an endpoint when a system reboots. The sequence of system and user processes on Windows operating systems can cause a silent deferral or update of the application.

We recommend that you patch a small number of assets first, preferably using test devices within your IT team. Wait one to two days and validate that the patches were successful. Then, patch the remaining assets.

Tip: You can tag assets by patch release cadence. Use saved filters with tags to manage patching in phases.

These resources are required:

  • An Aurora VM subscription

  • An Arctic Wolf Resolve subscription

  • Arctic Wolf Agent installed on the endpoint

  • Aurora VM administrator permissions in the Unified Portal

  • One of these supported 64-bit OSes:
    • Windows 10, 11, 2012, 2012 R2, 2016, 2019, 2022, 2025
    • macOS 11, 12, 13, 14, 15, 26
    • Debian 11, 12, 13
    • Linux Mint 20
    • Ubuntu 20, 22, 24
  1. Sign in to the Arctic Wolf Unified Portal.
  2. Make sure that an Agent vulnerability asset scan was performed after you obtained the Arctic Wolf Resolve subscription. If necessary, manually rescan your assets to get the available patches for identified risks.
    For more information, see Rescan assets.
  3. In the navigation menu, click Vulnerability Management > Risks.
    Note: To view vulnerabilities that have a software patch available, use this filter:
    • Columns — Select Patch Status.
    • Operator — Select is any of.
    • Value — Select Patch Available.
    For more information, see Risk filters.
  4. Select the risks that you want to apply a patch to:
    1. On the Risks page, click the All tab.
    2. Select all of the risks that you want to apply the patch to.
    3. Click Apply Patch.
      The Apply Patch button is only available if the status is Patch Available or Patch Failed.
  5. In the Apply Patch panel, in the Patch Job Name field, enter a name for the patch job. This field is used to track patch jobs.
  6. Choose when to apply the patch:
    • Schedule deployment — On the specified date, starts the software patch process. Arctic Wolf sends a Software Update notification to endpoints that informs users that a software patch update is available. If you select this option, in the Patch Deployment Date (Local Time) field, enter the date and time that you want the software patch process started. The time is your local time, not the endpoint local time.
    • Deploy now — Immediately starts the software patch process. Arctic Wolf sends a Software Update notification to endpoints that informs users that a software patch update is available.
  7. If you want to:
    • Allow users to defer the updates— In the Deferral Window (Days) field, enter the number of days that the user can defer the patch before mandatory update.

      Before the deadline, the end users see a Software Update notification with the option to update now or later. On the deadline, users see a Critical Software Update notification with the option to update now.

    • Prevent users from deferring the updates — Select the Force patch with no deferral window checkbox if you want to prevent users from deferring the software update.

      Users see a Critical Software Update notification on the endpoints.

  8. If you want to automatically rescan your assets after the patch is applied, click Automatically perform full asset rescan after successful patch.
  9. Verify that the specified asset and software are correct, and then click Deploy Patches.
    For the selected risks, the Patch Status changes to Patch Initiated and the end user receives a Software Update or Critical Software Update notification, depending on the Deferral Window (Days) and Force patch with no deferral window settings.
  10. Based on the software update notification the end user receives, they complete the preferred action:
    Note: If the endpoint has a graphical user interface, the software update notification is displayed to the end users. For other endpoints, the software is patched without any notification. For example, endpoints running Linux without a header.
    • Software Update — The end user has these options:
      • Click Update Later, close the notification, or not take any action for 15 minutes — This defers the software update. This can be done up to two times. The software update is rescheduled for half-way between the rescheduling date and the enforcement date. After the maximum number of deferrals, the end user receives a Critical Software Update notification. If the computer is offline, the notification may not appear.
      • Click Quit Apps & Update Now — The system closes the specified software applications and then applies the software patch.
    • Critical Software Update — The end user cannot defer the software update because the Patch Enforcement Deadline was reached, the software patch was requested within 15 minutes of the Patch Enforcement Deadline, or the Force patch with no deferral window checkbox was selected when the patch update was scheduled. The end user has 15 minutes to prepare for the software patch update. They can click Quit Apps & Update Now to start the update now or be forced to start the update after 15 minutes. The notification cannot be closed.
    When the software patching process in complete on the endpoint for the selected risks, the end users receive a Software Update Complete notification, and the Patch Status changes to reflect the status of applying the patch.
  11. If the Patch Status is Patch Applied, wait for the next scheduled vulnerability scan or manually rescan the assets to verify that the risk is resolved. When the risk is remediated, the risk Status updates to Resolved.
    For more information, see Rescan assets.
    Note:
    • If the risk Status does not change to Resolved after a successful patch and rescan, the CVE might be present on one or more applications that do not have a patch available. In this situation, the Patch Status is Patch Unavailable.
    • If you are experiencing errors with this feature, create a ticket that includes the output from the Agentdiagnostic tool.

      For more information, see Run the Agent diagnostic tool and Create a Unified Portal ticket.