CyberSecurity Asset Management/Global AssetView Release 3.5.0.0

May 16, 2025

CyberSecurity Asset Management

The following are the new features and updates available with the CSAM subscription.

Ability to View Databases Details

We have introduced the ability to view detailed information into your database instances and servers. A new Database tab is added under Inventory to view Instances and Database Servers related information.

Instances: This section provides a comprehensive view of your database instances. You can view more details into an instance by clicking View Details from the Quick Actions menu.

Database Servers: This section provides a detailed information of the database assets. It includes the Instances column, which precisely provide the number of database instances running on each server.

You can click the instance number to view the detailed information of the Instances on the Asset Details page.

Ability to Update Basic Business Information

You can now edit the basic business information of an asset from the Asset Details > Inventory > Business Information page.

To update the Basic Information, click the icon.

Trigger Criteria for Alerts

You can now specify the alert Trigger Criteria when creating a rule for monitoring critical events. This feature provides you precise control over when and how alerts are generated. The system automatically executes your selected action whenever the trigger criteria are satisfied.

By configuring alerts to trigger only when specific conditions are met, you can reduce total number of notifications you receive for each alert and focus on critical events. Additionally, multiple alerts from the same asset can be grouped into a single notification, making it easier to track issues without sorting through hundreds of alerts.

To create a new rule, navigate to Responses > Rule Manager. For more information, refer to the CSAM Online Help.

The following trigger criteria are available to select:

Single Match: The system generates an alert each time it detects an event that matches your rule query.
Time-Window Count Match: The system generates alerts based on the number of events returned by the search query in a fixed time interval. For example, an alert is sent when three matching events are found within a 15-minute window.
Time-Window Scheduled Match: The system generates alerts for matching events that occur during a scheduled time. The rule is triggered when an event matching your search criteria is found during the time specified in the schedule. For example, alerts are sent when all matching events occur within the scheduled window between 9 AM and 5 PM.

For Time-Window Count Match and Time-Window Scheduled Match, you can aggregate alerts using an aggregate group. That means you can group related alerts together instead of receiving them separately. Currently, Asset ID is supported as an aggregate group.

Ability to View EASM Profile History

You can now view and manage the EASM profile modification history. This feature enables you to track changes, revert to previous configurations, and analyze historical records of configuration changes as needed.

To access the profile history, navigate to Configuration > EASM Configuration and click More Options > View EASM Profile History on a profile.

The Version History window displays a detailed list of all modified versions of the profile, including the Current Version. The current version page has an Edit option to modify the configuration.

The system displays a maximum of 10 versions for an EASM profile.

You can click any version in the list to view its configuration details from that specific date and time. Clicking Restore & Edit enables you to restore and edit a previous version.

When you click Update after updating the profile configuration, it becomes the current active profile configuration. You can also click Save as Default to save the profile as default.

For more information, refer to the CSAM Online Help.

Information on Registrant Country and Expiration Date of Domains

You can now view domain details, such as the country of the registrant and the expiration date for both resolved and unresolved domains on the Inventory > EASM > Domains tab. This enhancement provides greater visibility into the ownership and validity of a domain. You can strengthen your external attack surface management by comparing the registrant information with known threat indicators.

This new enhancement enables you to:

Group domains by Registrant Country and Expiration Date using the Group By drop-down list.
Filter both Resolved and Unresolved Domains using QQL filters for Registrant Country and Expiration Date.
Create dashboards using QQL filters and Group By options to monitor domain information easily.

We have enhanced the Asset and Domain APIs to support filtering domains by registrant country and expiration date. For more details, refer to CSAM 3.5.0.0 API Release Notes.

ETM Asset Classification in CSAM

All assets retrieved from the Qualys Enterprise TruRisk Management (ETM) connector are now automatically classified as managed and displayed under CSAM Inventory > Assets > Managed.

This enhancement is only available if you have Qualys Enterprise TruRisk Management (ETM) subscriptions.

Enhanced EASM Summary Report

EASM Summary Report allows you to understand and have visibility into your organization's entire external attack surface. In this release, we have updated the report to include the following enhancements:

Personalized EASM Summary Reports with Custom Names
Unresolved Domains and Subdomain Count Cards
Enhanced Risk Visualization
Typosquatted Domain Information

Personalized EASM Summary Reports with Custom Names

You can now personalize the EASM Summary report for specific stakeholders by adding a user's or organization's name to the report. This custom name is displayed prominently on the cover page of the report.

We have added a new Report Generated For field to support this enhancement. While creating a new report, enter a name in the Report Generated For field on the Basic Details page.

the basic details page with the Report Generated For field.

Unresolved Domain and Subdomain Count Cards

You can now view the total count of Unresolved Domains and Subdomains on the External Attack Surface Summary section. This provides quick visibility into domain resolutions.

Unresolved domains and subdomain count cards.

Enhanced Risk Visualization

We have added a table that displays the top 10 assets with the vulnerabilities listed below. This helps you quickly identify the assets with the highest risk.

Risky Open Ports on your internet-facing assets
Database Open Ports on your internet-facing assets
Certificate Posture of your internet-facing assets

The image below shows an example of the table displaying the Risky Open Ports on your internet-facing assets.

Image showing vulnerable asset list.

Typosquatted Domain Information

You can now view your organization's typosquatted or look-a-like domain information in the EASM Summary report. The following new sections are added:

Typosquatted Domains: This section displays typosquatted domains that use common spelling mistakes of real domains.
Top Typosquatted Domains With TLD Swap: This section displays typosquatted domains that have been generated using (Top-level Domain)TLD swap.
Top WHOIS Registrant Countries of Typosquatted Domains: This section displays which countries have the most typosquatted domains registered.

The Typosquatted Domains Discovery option should be turned on for the logged-in user’s EASM profile.

EASM Scan Access Control Enhancement

Only a user with the manager role can enable or disable the EASM Scan option while creating or updating the EASM profile. This enhancement ensures that only users with the right level of access can enable EASM scanning.

Before this release, the EASM Scan option was available to all users, including sub-users. However, only the manager user's name was displayed in the VMDR module > Scans tab when the scan was initiated.

Users who previously had EASM scanning enabled will continue to retain its functionality.

This enhancement is also available through the EASM APIs. For more information, refer to the CSAM 3.5.0.0 API Release Notes.

Detection of Open Ports and Software with EASM Lightweight Scan

The EASM Lightweight scan now detects open ports and identifies the software running on external-facing assets. The assets, along with their associated open ports and software details, are listed under the Inventory > Assets tab.

The Discovery Source for these assets is shown as EASM VM Scan. You can view the Discovery Sources on the following tabs:

Inventory > Assets > Asset Details > Inventory > Open Ports and Installed Software
Inventory > Assets > Asset Details > Security > External Attack Surface > Open Ports and Software

Introduction of the EASM Rule for Asset Identification

In this release, we have introduced a new system-generated rule called EASM Rules. This rule identifies EASM assets based on their primary IP address. These identified assets can be viewed on the Inventory > EASM > Assets tab.

This rule is view-only; you cannot edit, delete, or reorder it.

To view the rule, navigate to Configuration > Asset Identification Rules > EASM Rules.

CyberSecurity Asset Management and Global AssetView

The following are the new features and updates available with the CSAM and GAV subscription.

Ability to Remove Static Asset Tags in Bulk

You can now remove static tags from multiple assets in a single operation. This simplifies removing tags from large numbers of assets that can be time-consuming.

• Only Static tags can be removed in bulk.
• Tags can be removed from a maximum of 10,000 assets in a single operation.

To remove static tags from assets, go to Inventory > Assets, select the assets, and click Actions > Remove Tags.

The Select Tags window displays the tags depending on the scope of the logged-in user.

The number of tags you can remove in a single operation varies according to the number of selected assets. Refer to the following table for more details:

Selected Assets	Permissible Number of removable tags
5000 to 10000	1
3000 to 4999	2
1000 to 2999	3
500 to 999	10
200 to 499	20

Improvement in Agent Provisioning Rules

When only Hostname is selected as a primary attribute for merging agents, it may create an issue with environments that have sub-domains. Specifically, different agents that share identical hostnames could be incorrectly merged.

To prevent incorrect merging of agents, we have introduced a Confirmation window that is displayed when you select only the Hostname as the primary attribute while editing the Agent Provisioning Rule. This window prompts you to confirm whether you want to proceed with merging based solely on Hostname.

Agent Provisioning Rule Feature Now Available to all Users

The Agent Provisioning Rule feature, which was previously accessible only upon request, is now available to all users. This feature enhances agent management by enabling the automatic merging of assets that share a common identification attribute, such as hostname, IP address, or another unique identifier.

For more details on Agent Provisioning Rule, refer to CSAM and GAV Online Help.

Enhancement in Trending Widget Data Range

Widgets now display trending data for up to 365 days. This enables you to perform thorough trend analyses and tailor your data view to meet your specific requirements.

You can use the settings icon to customize the duration of the trending data.

Trending values are calculated dynamically based on when the widget was created. Widgets older than 365 days will only show data from the past 365 days. Newer widgets will show data starting from the day they were created.

Filter AWS Assets by Tag Name or Tag Value

You can now group AWS assets by Tags Name or Tags Value.

Ability to Purge Assets Not Scanned by VM

With this release, you can configure the Asset Purge Rule to remove assets that are not scanned by VM. To support this, set the attribute to lastVMScanDate and select IS NULL as the operator for the Time-Based Criteria.

To configure the rule, navigate to Rules > Asset Purge Rules.

Purging assets that are not scanned by VM can only be configured using the Time-based Criteria.

Enhanced AIX Asset Identification with LPAR ID

You can now view the Logical Partitions (LPAR) ID to identify and manage AIX assets in your inventory. The LPAR ID is displayed on the Asset Inventory > Asset Details > System Information > Specification page.

We have enhanced the Asset APIs to add support for filtering assets using the LPAR ID. For more details, refer to CSAM 3.5.0.0 API Release Notes.

Support for Auth ID Client Management from UI

With this release, we have extended our support for OpenID Connect Authentication Client Management capabilities from UI. This update allows for secure authentication and authorization of API access directly from the user interface. Our API interactions are now authenticated with enhanced security measures.

ID tokens are generated and validated with utmost security. This seamless integration requires minimal changes to the existing infrastructure, allowing to maintain the highest level of security for APIs.

With the Auth ID Client Management from UI, you can:

Manage authentication and authorization processes more intuitively, providing a smoother user experience.
Easily handle API access permissions directly from the UI, simplifying the process of granting and revoking access when needed.
Maintain your existing workflows with minimal changes, enabling you to continue your tasks without the need to learn new processes extensively.

Access Control

We have provided role-based access control to create User Level and Subscription Level clients.

Manager users can create two types of clients based on access requirements:

User Level Clients: These clients are associated directly to individual user accounts, making them ideal for scenarios where user-specific access control is required. Users can access APIs and CSAM functionalities that are provided in this client.
The token generated through the User Level client becomes invalid if the user is deactivated.
Subscription Level Clients: These are independent of user identities and offer broader access within the subscription. It means that the token generated through this client is tied to the subscription rather than an individual user.
The token generated for a subscription level client continues to function even if the user is deactivated.
Currently, the Subscription Level clients are not supported by CSAM APIs.

Non-manager users are restricted to creating only User Level Clients, ensuring limited access control.

To access the client management tab, navigate to your profile icon, located at the top-right corner, and click View Profile > Auth Id Client Management tab.

For client creation, select either User Level or Subscription Level from the available options, and then click New Client.

Only users with manager privileges can view and access the Subscription Level tab.

While creating a client, you can select all modules at once or individual modules as required. You can also set various permissions including global permissions, dashboard permissions, tagging permissions, as well as API access. Depending upon these permissions a user can access the modules and its features that are assigned to the client.

Based on the permissions you select:

If the API Access permission is not enabled under Global Permissions > Access, the API returns a response with this message:
User does not have permission to access API module
If the AI Access permission under CyberSecurity Asset Management > AI Permissions is not enabled, the API returns a response with this message:
User does not have permission to access CSAM/GAV module

In the case of EASM APIs, if you do not have the required EASM permission, the API returns a response with this message:
User don't have permission to call an API

Once you click Create, a Client ID and Client Secret Key are automatically generated. The Client Secret Key is displayed only once. Make sure to copy and store it securely. This key is essential for generating JWT access tokens and cannot be retrieved later. For more information, refer to CSAM 3.5.0.0 API Release Notes.

New QQL Tokens

The following sections provide the new QQL tokens.

New Tokens in CSAM and GAV

Token	Tab	Description
aws.tags.key	Inventory > Assets	Search a specific AWS asset using the asset tag key.
aws.tags.value	Inventory > Assets	Search a specific AWS asset using the asset tag value.
asset.lparID	Inventory > Assets	Search assets that are associated with the LPAR ID.
asset.lastInventoryDate	Inventory > Assets and Reports	Search assets with last the inventory date.

New Tokens in CSAM

Token	Tab	Description
database.instance. name	Inventory > Database Instances	Search the database instances based on the instance name.
database.instance.id	Inventory > Database Instances	Search the database instances based on the instance ID.
database.instance. technology	Inventory > Database Instances	Search the database instances based on the technology of the database.
database.instance. firstseen	Inventory > Database Instances	Search the database instances based on the first occurrence of the instance.
database.instance. lastseen	Inventory > Database Instances	Search the database instances based on the last occurrence of the instance.

QQL Token Change

Refer to the following table to learn the QQL tokens that are changed from this release.

Before CSAM 3.5.0.0 Release	With CSAM 3.5.0.0 Release
asset:(wasUrl	asset.wasUrl:

Issues Addressed

The following reported and notable customer issues are fixed in this release:

Component/Category	Description
CSAM - Reporting	We fixed the issue where the Asset Open Port report was being generated for scanner assets, which do not have open ports, causing the report to fail. The system will now skip report generation when the asset is a scanner and the report type is Asset Open Port.
CSAM - Reporting	We fixed the issue where the Last Synced Date for Agent column was not displayed in the AWS Details and Azure Details report.
CSAM+GAV - Asset Details	We fixed the issue where uninstalled applications continued to appear under installed software.