Patch Tuesday
SentriKat ships a dedicated Patch Tuesday workflow that summarizes each month's Microsoft security release, enriches it against your inventory, and emails the result to the team.
Why it matters: Microsoft Patch Tuesday is the single largest recurring source of enterprise vulnerabilities. Automating the "what's new this month and how does it affect us" workflow saves hours of manual triage every month.
The schedule
- Second Tuesday of every month: Microsoft publishes the monthly Security Update Guide (SUG).
- Second Wednesday of every month, 09:00 (in the configured display timezone): SentriKat runs the patch_tuesday_job background task, pulls the latest SUG, cross-references your inventory, generates the digest, and emails it.
The 24-hour gap ensures Microsoft's advisories have been fully published and indexed by the NVD before SentriKat runs.
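The calendar arithmetic behind this schedule, as an added example (not SentriKat code). It assumes the job follows the literal "second Wednesday" rule stated above and lists the months where that Wednesday falls before the second Tuesday, which are the months worth confirming with a dry run.

```python
import calendar
from datetime import date, timedelta


def nth_weekday(year, month, weekday, n):
    """Return the date of the n-th given weekday (Monday=0) in a month."""
    first = date(year, month, 1)
    offset = (weekday - first.weekday()) % 7
    return first + timedelta(days=offset + 7 * (n - 1))


def patch_tuesday(year, month):
    """Second Tuesday: the day Microsoft publishes the monthly release."""
    return nth_weekday(year, month, calendar.TUESDAY, 2)


def second_wednesday(year, month):
    """Second Wednesday: the documented run day (assumed literal rule)."""
    return nth_weekday(year, month, calendar.WEDNESDAY, 2)


def digest_gap_days(year, month):
    """Days from Patch Tuesday to the second Wednesday.

    1 means the run follows the release by one day. A negative value
    means the second Wednesday comes before the second Tuesday, which
    happens whenever the month begins on a Wednesday.
    """
    return (second_wednesday(year, month) - patch_tuesday(year, month)).days


def months_to_verify(year):
    """Months in which a literal second-Wednesday run precedes the release."""
    return [m for m in range(1, 13) if digest_gap_days(year, m) < 0]


if __name__ == "__main__":
    for year in (2025, 2026):
        for month in months_to_verify(year):
            print(
                f"{year}-{month:02d}: Patch Tuesday {patch_tuesday(year, month)}, "
                f"second Wednesday {second_wednesday(year, month)} "
                f"(gap {digest_gap_days(year, month)} days)"
            )
```

For a month this flags, a manual trigger with dry_run=true on the day after the second Tuesday shows what the digest contains once the release is out.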
What you get
An email (HTML) containing:
- Summary: total CVEs in this release, breakdown by severity
- Affecting you: CVEs where the affected product is in your inventory (the core of the digest)
- Critical KEV: any new KEV-flagged CVEs from the release
- Suggested order of operation: sorted by severity × exposure
- Remediation links: one-click to assign each affecting CVE to a user/team (jumps to the finding in the SentriKat UI)
- Changelog link: link to the full Microsoft SUG for the month
Configuration
The digest is generated per organization by the background scheduler (second Wednesday of the month) and is sent to the organization's notification email (set in Administration → Organizations).
There is no separate setup step: once your organization has a notification email and SMTP is configured (see Email & Webhooks), the digest is delivered automatically.
Dry run
Before relying on the automated job, trigger a dry run via the API (see below) with dry_run=true: the digest is generated and returned without marking the month as processed.
Triggering manually
curl -sf -X POST \
-H "Authorization: Bearer $SENTRIKAT_API_KEY" \
"https://sentrikat.example.com/api/reports/patch-tuesday/trigger?dry_run=true&days=7"
Parameters:
- dry_run (default true): if true, does not mark the month as processed — safe to experiment with.
- days: the lookback window of Microsoft advisories to include (default 7).
Combining with assignment rules
Patch Tuesday digests are most useful when combined with Remediation assignment rules:
- Configure Admin → Assignment Rules to auto-assign any new KEV finding to the relevant team.
- Patch Tuesday runs → new KEVs are created as findings → auto-assigned.
- The digest email shows the assignee already populated, and the team lead already got their own notification.
This turns Patch Tuesday from "we need to do something" into "we already know who owns what".
Skipping a month
If Microsoft publishes no relevant updates or you need to skip a month for operational reasons:
- Admin → Integrations → Patch Tuesday → History.
- Find the month entry, click Skip.
- Add a reason (audit-visible).
Skipped months don't send a digest but are recorded in compliance reports so auditors see that Patch Tuesday was acknowledged even when not actioned.
Audit log
Every Patch Tuesday run creates audit entries:
- patch_tuesday_started — job kicked off
- patch_tuesday_digest_sent — email sent, with recipient list
- patch_tuesday_skipped — month skipped with reason
- patch_tuesday_failed — job errored (check admin health)
See also
- Vulnerability Intelligence — how SentriKat enriches CVEs
- Remediation — assignment rules and SLAs
- Compliance Reports — Patch Tuesday runs as evidence