Release 3.1

February 12, 2024

What's New?

Qualys Policy Compliance Integration with EDR

We have introduced Qualys Policy Compliance (PC) integration with EDR. The integration lists the CIDs, Control Statements, and MITRE Technique IDs that failed the Qualys Policy Compliance assessment because of endpoint misconfiguration. The following screenshot is an example of the System Misconfiguration tab:

System Misconfiguration Tab in Risks and Exploits section of Incidents details.

Fileless Attack Protection option in Behavioral Scan

Use the Fileless Attack Protection option in Behavioral Scan to discover and block fileless attacks at the pre-execution stage. Fileless Attack Protection is supported only on the Windows operating system.

The following screenshot is an example of the Fileless Attack Protection option:

Fileless Attack Protection option in Behavioral Scan.

For more information about Behavioral Scan, refer to EDR Online Help.

The Incidents tab is Renamed to Detections

From this release, we have renamed the Incidents tab to Detections. The Incidents and Alerts tabs are now under the Detections tab. All malicious incidents are listed under the Incidents tab. The Alerts tab lists the detection name, severity score, and the remediation action that can be performed on these malware families. For token information, refer to Incidents Search Tokens and Alerts Search Tokens in EDR Online Help.

The following combined screenshot is an example of the Detections tab with the column names highlighted for Incidents and Alerts:

Incidents tab with Incidents and Alerts sub-tabs.

Verdict Change for Severity Score on Incident Page

If Qualys Threat Intelligence changes the severity score because of a verdict change, both the previous and the new scores are displayed. The adjusted score is shown on the Incidents page under the Detections tab.

The following screenshot is an example of an Incident's severity score changed from 6 to 7:

Severity Score change in the Severity Score column of the Incidents page under the Detections tab.

Last Quarantine and Last UnQuarantine Time Columns added in Simple List Table Type

From this release, we have introduced the Last Quarantine Time and Last UnQuarantine Time columns. These columns are available only in the Table widget with the Simple List table type. Last Quarantine Time is the time the asset was last isolated from the network. Last UnQuarantine Time is the time the asset was last removed from quarantine.

The following screenshot is an example of the Last Quarantine and Last Unquarantine Time columns selected in the Columns to Display field of the Table widget with the Simple List table type:

Last Quarantine and Last Unquarantine Time in the Column to Display field of Simple Table List.

Activity Log and Quarantined Items Introduced under the Responses tab

The newly added Activity Log tab lists all remediation activities, and the Quarantined Items tab lists all quarantined assets. Both tabs show Vulnerability Management, Detection and Response (VMDR) or EDR as the Source of each remediation activity or quarantined asset. If the Source is VMDR in the Activity Log or Quarantined Items tab, the remediation activity or quarantined asset originates from the Actions and Rule Manager created under the Responses tab of the VMDR application.

You can create only one quarantine action for each customer and one rule for each Quarantine asset.

The following screenshot is an example of the Activity Log that displays VMDR and EDR as the Source:

For more information, refer to Activity Log and Quarantined Items in EDR Online Help.

New Tokens for Activity Log and Quarantined Items

You can access the following tokens from the Responses > Activity Log or Responses > Quarantined Items tab:

Token Name                Description
asset.agentId             Finds events for an agent ID. Takes a text value.
asset.hostName            Finds events for a hostname. Takes a text value.
platform                  Finds events on a platform. Takes a string value.
file.hash.md5             Finds events by the MD5 hash of a file. Takes a text value.
file.hash.sha256          Finds events by the SHA256 hash of a file. Takes a text value.
file.name                 Finds events by file name. Takes a text value.
process.name              Finds events by process image name. Takes a string value.
response.action           Finds events with the response action Delete File, Kill Process, Quarantine File, or Unquarantine File.
response.status           Finds events with the response status failed, in_progress, or success.
response.user             Lists response actions executed by a certain user. Takes a string value.
response.userid           Lists response actions executed by a certain username. Takes a string value.
event.source              Finds events based on the source of the event. Choose from Anti-malware, EDR, or VMDR.
indicator.severityscore   Finds indicators by threat score, as computed across all scoring engines. Takes an integer value.

To know more about EDR Search Tokens, refer to EDR Online Help.

Added Support for Linux Versions with Malware Protection

We have added Malware Protection support for the following Linux distributions:

  • Red Hat Enterprise Linux (RHEL) 6.10 (with SELinux in Permissive or Disabled state)
  • Oracle Enterprise Linux (OEL) 6.10 (with SELinux in Permissive or Disabled state)
  • CentOS Linux 6.10 (with SELinux in Permissive or Disabled state)

To see the list of all supported Linux distributions, refer to Linux Prerequisites for Malware Protection in EDR Online Help.

Added Failure Causes for Quarantine Assets

From Responses > Activity Log, click a Quarantine File action whose Status is Failed. We have added the following failure causes:

  • Input File is already deleted: The input file does not exist on the endpoint.
  • Agent Response Timed Out: If the Quarantine Asset request has been running (In Progress status) for more than 5 minutes, the Status column displays Agent response timed out. You can perform the action again after the timeout.
  • Error: Unable to quarantine the file: The file or file path is restricted or protected against delete or move operations.
  • Error: Process does not exist: The remediated process is no longer running on the endpoint or is in the terminated state.
  • Quarantine a file does not exist: The requested file is unavailable on the endpoint.

For more information about the Quarantine Asset action, refer to EDR Online Help.

Updated Feature Compatibility for Windows

We have added support for Windows 11 (up to 23H2) (32-/64-bit), which is compatible with File Scan, Behavioral Scan, AntiExploit, Traffic Scan, Network Monitor, and Antiphishing.

For more information about Feature Compatibility for Windows, refer EDR Online Help.