Patch Verification
Automates post-patch verification by checking Qualys rescan results, verifying CrowdStrike host health, and updating the corresponding ServiceNow ticket with verification results.
Maturity: L3+ (Enforced and up) · See the 5-level maturity model for where this workflow fits in your program.
Time Saved
Before: ~3 hours per week manually checking rescan results, verifying host health, and updating patch tickets across three tools.
After: Automated verification pipeline. Patch tickets are updated with pass/fail results and closed or flagged automatically.
Connectors
| Connector | Operations | Risk |
|-----------|-----------|------|
| Qualys | scans:read | LOW |
| CrowdStrike | hosts:read | LOW |
| ServiceNow | incidents:update | MEDIUM |
Overall Risk: MEDIUM -- ServiceNow incidents:update modifies ticket state (close verified, flag failures). Read operations against Qualys and CrowdStrike are low risk.
How It Works
- Query ServiceNow for patch tickets in "Pending Verification" state.
- For each ticket, check Qualys for rescan results on the target host.
- Query CrowdStrike for host health status and agent connectivity.
- Update the ServiceNow ticket with verification results.
- Close verified tickets or flag failures for re-patching.
ARX Governance
- Risk Classification:
  - `Qualys:scans:read` -- LOW -- read-only rescan result retrieval
  - `CrowdStrike:hosts:read` -- LOW -- read-only host health check
  - `ServiceNow:incidents:update` -- MEDIUM -- updates ticket state and closes verified patches
- HITL Gate: Disabled -- ServiceNow ticket updates are auto-approved. Closing verified tickets and flagging failures are standard ITSM operations that do not require human approval. No security tool state is modified.
- Policy Rules:
  - PERMITTED: Reading Qualys rescan results and CrowdStrike host health data
  - PERMITTED (auto-approved): Updating ServiceNow tickets with verification results
  - PERMITTED (auto-approved): Closing tickets where patch is verified by both Qualys and CrowdStrike
  - PERMITTED (auto-approved): Flagging tickets for re-patching when verification fails
  - DENIED: Triggering new Qualys scans or modifying CrowdStrike host configurations
- Audit Trail: Every patch ticket processed, Qualys rescan result, CrowdStrike host health status, verification outcome (pass/fail), and ServiceNow ticket state change are logged with ticket IDs and timestamps.
- Config: See `arx.yaml` for connector permissions, schedule, and ticket state field mappings.
Setup
Prerequisites
```bash
pip install arx
```
Environment Variables
```bash
export QUALYS_URL="https://qualysapi.your-org.com"
export QUALYS_USERNAME="your-qualys-username"
export QUALYS_PASSWORD="your-qualys-password"
export CS_CLIENT_ID="your-crowdstrike-client-id"
export CS_CLIENT_SECRET="your-crowdstrike-client-secret"
export SNOW_INSTANCE="your-org.service-now.com"
export SNOW_USERNAME="svc-arx"
export SNOW_PASSWORD="your-servicenow-password"
```
Run
```bash
# One-time execution
arx run workflow.py

# Register on schedule (daily at 10:00 UTC, after overnight patch windows)
arx register --config arx.yaml
```
Customization
- Ensure patch tickets use a consistent state field for "Pending Verification"
- Adjust verification criteria (both Qualys and CrowdStrike must pass, or either)
- Configure ServiceNow close codes and re-patch flag values
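
The close-or-flag decision from "How It Works", with the both/either criterion from the customization list, as an added sketch that is not the project's `workflow.py` and does not use the arx API. The field names (`patched_at`, `scanned_at`, `open_findings`, `agent_connected`, `health`) and the sample records are assumptions. It also assumes a rescan only counts if it ran after the patch, and that missing data is a failure, since the HITL gate is disabled and tickets close without review.

```python
from datetime import datetime, timezone

# Field names below are assumptions for this sketch, not the real connector schemas.
def qualys_passed(scan, patched_at):
    """Pass only if a rescan ran after the patch and no longer reports the finding."""
    if not scan or scan.get("scanned_at") is None:
        return False, "no rescan result"
    if scan["scanned_at"] <= patched_at:
        return False, "rescan predates patch"
    if scan.get("open_findings", 1) > 0:  # a missing count is treated as still open
        return False, "finding still detected"
    return True, "finding cleared"

def crowdstrike_passed(host):
    """Pass only if the agent is connected and the host reports healthy."""
    if not host:
        return False, "host not found"
    if not host.get("agent_connected"):
        return False, "agent offline"
    if host.get("health") != "healthy":
        return False, "host unhealthy"
    return True, "host healthy"

def verify(ticket, scan, host, require="both"):
    """Return the ticket update: close when verified, otherwise flag for re-patching."""
    if require not in ("both", "either"):
        raise ValueError("require must be 'both' or 'either'")
    q_ok, q_why = qualys_passed(scan, ticket["patched_at"])
    c_ok, c_why = crowdstrike_passed(host)
    verified = (q_ok and c_ok) if require == "both" else (q_ok or c_ok)
    return {
        "ticket": ticket["id"],
        "action": "close" if verified else "flag_repatch",
        "notes": f"qualys: {q_why}; crowdstrike: {c_why}",
        "logged_at": datetime.now(timezone.utc).isoformat(),  # audit timestamp
    }

# Constructed sample data.
T0 = datetime(2024, 1, 10, 2, 0, tzinfo=timezone.utc)
TICKET = {"id": "PATCH-0001", "patched_at": T0}
FRESH = {"scanned_at": datetime(2024, 1, 10, 6, 0, tzinfo=timezone.utc), "open_findings": 0}
STALE = {"scanned_at": datetime(2024, 1, 9, 6, 0, tzinfo=timezone.utc), "open_findings": 0}
HEALTHY = {"agent_connected": True, "health": "healthy"}
OFFLINE = {"agent_connected": False, "health": "healthy"}

if __name__ == "__main__":
    for scan, host in [(FRESH, HEALTHY), (STALE, HEALTHY), (FRESH, OFFLINE), (None, None)]:
        print(verify(TICKET, scan, host))
```

With `require="either"`, a clean rescan closes the ticket even when the CrowdStrike agent is offline, which is the trade-off to weigh before relaxing the criterion.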