Release 3.5

October 09, 2024

What's New?

New: Advanced Hunting

This release introduces a set of predefined hunting queries developed by our Threat Research team. These queries help you quickly identify specific event data related to potential threats, anomalies, or suspicious activities in your environment. They are ready to use, allowing you to start your threat-hunting efforts immediately.

In addition to the predefined hunting queries, you can also create custom queries. These custom queries are great for finding specific event data and can be saved for later. Saving a query means you can rerun it without having to type in the search details each time, which makes threat hunting quicker and easier.

To use this functionality, navigate to Hunting > Advanced Hunting.

Key Features

This functionality brings the following features:

  • Create Custom Queries: Build and save queries tailored to your specific data requirements, so you can rerun them without recreating them.
  • Save and Reuse: Saved queries, whether custom or predefined, can be rerun at any time. This is especially useful for repetitive tasks such as monitoring logs, network traffic, vulnerabilities, or events that could indicate malicious behavior.
  • Run System-Generated Queries: Run the predefined queries created by the Qualys Threat Research Team as they are.
  • Simple Query Builder: The query builder is suitable for all skill levels and provides a flexible way to create customized searches.
  • Consistency and Accuracy: Predefined queries return consistent results and reduce the risk of errors from hand-typed queries.
  • Streamlined Data Access: Save time during threat detection and incident response by running your saved queries directly from the Predefined Queries tab with a single click.

Customization Options

We have incorporated robust customization options to elevate your threat-hunting experience. These features provide flexibility, enabling you to customize queries and search results for deeper insights and more effective investigation.

  • Copy Query to Clipboard: Copy the entire query with a single click, so you can share or reuse complex queries across different tools or workflows.

  • Add Query to Existing Query: You can combine your current query with an existing one, expanding your search criteria. Layering multiple conditions or search parameters gives you a more comprehensive view of potential threats.

  • Add Query Result as a Field in the Table Column: This feature enables you to take the results of a query and add them as a field in the result table. This makes directly comparing key data points in the table view easier.

Customizable Table View 

You can customize the table view by adding or removing columns to display the most relevant data for your current threat-hunting session.

Filtering Queries

With the new filters added in this update, you can refine your search results and focus on the most relevant data during threat hunting.

  • All Queries: View the complete list of all predefined queries to access all available search options.
  • Favorite Queries: Save your most frequently used queries as favorites for quick access.
  • Qualys Research: Access expert-curated queries developed by Qualys Research, focused on the latest security threats and vulnerabilities.
  • Filters: Filter custom and predefined queries based on categories.

For more information, see Advanced Hunting.

New: Schedule Application Blocking

The Content Control panel of the Anti-Malware Profile has a new addition: Schedule Application Blocking. This scheduler lets you define the time frames during which specific applications are allowed or blocked, instead of blocking them permanently.

To block applications, click the Schedule Application Blocking control in the Content Control panel. This opens the Schedule Application Blocking window.

How to use the scheduler

To restrict access during certain times, click and drag across the time slots you want to block. This is called 'Restricted' blocking: during those slots, your users cannot run the blocked applications.

For a full 24/7 block, including weekends, click "Block All." This is called "Blocked." Your users cannot run the specified applications until the schedule is completely or partially unblocked.

To manage blocked time slots, click any blocked slot to unblock it, or use "Clear All" to reset the entire schedule.

For more information, see Blacklisting Applications in the Content Control topic. 

New: Bulk Asset Tagging

Bulk asset tagging is a time-saving feature that allows you to easily create and apply tags to multiple assets. This streamlined process simplifies asset organization, categorization, and management, particularly in large environments where managing individual assets would be time-consuming. By utilizing this feature, organizations can significantly improve their asset management strategy.

Benefits of Bulk Asset Tagging

Here are some benefits that come along with this functionality:

  • Efficient Asset Organization: Bulk tagging applies organizational categories across many assets at once, speeding up the process.
  • Consistency: Ensures that all assets within a group share the same tags for accurate tracking and reporting.

For more information, see Bulk Asset Tagging in the Assets topic. 

New: IPv6 Support for Allowed IPs

The Allowed IPs feature now accepts IPv6 addresses in addition to IPv4, so quarantine configurations keep working on networks that already rely on IPv6 or are migrating to it.

To specify which IPs to allow, go to Configuration > Asset Configuration > Quarantine Asset Configuration > Allowed IPs.

For more information, see Allowing IPs in the Understanding Quarantining Assets topic. 
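The example below is added to these notes to illustrate the checks an allowlist needs once it mixes IPv4 and IPv6 entries; it is not Qualys code and does not describe how the product evaluates Allowed IPs. It assumes (as a hypothetical) that entries may be single addresses or CIDR ranges, and it shows two edge cases worth testing on your own dual-stack hosts: an IPv4 address reported in IPv4-mapped IPv6 form (::ffff:10.0.0.5) must still match the IPv4 entry, and a link-local zone ID (fe80::1%eth0) must not break parsing. The allowlist and addresses are constructed sample data.

```python
"""Illustrative IPv4/IPv6 allowlist matching (added example, not Qualys code).
Assumption: entries are single hosts or CIDR ranges; the real product may accept
a different syntax, so check the Allowing IPs topic before relying on ranges."""
import ipaddress

# Constructed sample allowlist mixing both address families.
ALLOWED_IPS = [
    "10.0.0.5",          # patch server, IPv4 host
    "192.0.2.0/24",      # management subnet, IPv4 range
    "2001:db8::10",      # log collector, IPv6 host
    "2001:db8:1::/48",   # management prefix, IPv6 range
]


def invalid_entries(entries):
    """Return the entries that are not valid addresses or networks.
    Catch these at configuration time: a bad entry silently dropped at
    enforcement time would cut the quarantined asset off from a server
    you meant to keep reachable."""
    bad = []
    for entry in entries:
        try:
            ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            bad.append(entry)
    return bad


def parse_allowlist(entries):
    """Parse entries into ip_network objects; a bare host becomes /32 or /128.
    strict=False tolerates host bits set in a range such as 192.0.2.1/24."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def normalize(addr):
    """Return an ip_address for a string as a dual-stack socket might report it.
    - strips a zone ID (fe80::1%eth0 -> fe80::1), which is not part of the address
    - unwraps IPv4-mapped IPv6 (::ffff:10.0.0.5 -> 10.0.0.5) so that an IPv4
      allowlist entry still matches traffic seen through an IPv6 socket"""
    ip = ipaddress.ip_address(addr.split("%", 1)[0].strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_allowed(addr, allowlist_nets):
    """True if the (normalized) address falls inside any allowlist entry of the
    same address family. Families are compared separately: an IPv4 entry never
    matches a native IPv6 destination and vice versa."""
    ip = normalize(addr)
    return any(ip in net for net in allowlist_nets if net.version == ip.version)


if __name__ == "__main__":
    nets = parse_allowlist(ALLOWED_IPS)
    for dest in ["10.0.0.5", "::ffff:10.0.0.5", "2001:db8:1::1%eth0", "2001:db8:2::1"]:
        print(f"{dest:>22} allowed={is_allowed(dest, nets)}")
```

The practical check to take from this: after enabling IPv6 entries, confirm from a quarantined dual-stack host that the IPv4 destinations you allowed are still reachable when the OS routes them through an IPv6 socket, and that nothing outside the prefixes you listed is.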

Enhancements in Detections

Close Status Functionality Enhanced

If an incident you are resolving still contains unaddressed high-severity events, a message appears when you select Resolved. You can review those events first or proceed without further remediation.

Key Benefits:

  • Ensures visibility into potentially critical events that may require further attention.
  • Provides flexibility, allowing you to resolve incidents immediately or review and address high-severity events first.

Tooltip for Closed Incidents

When viewing closed incidents, you can now hover over the incident status to see a tooltip that provides additional details about the action taken to resolve the incident.

Toggle for Viewing Unaddressed High-Severity Events

The Incident Details > Timeline panel now has a new toggle, Show Non-Remediated (Score > 3). This toggle lets you quickly identify and address high-severity events associated with an incident.

Key Benefits:

  • Provides an easy way to locate and address critical events within the incident timeline.
  • Enhances incident management by allowing visibility into events requiring further attention.

For more information, see Investigate Detections.

New Tokens

We have introduced the following search tokens in the Advanced Hunting tab for filtering saved and predefined queries:

  • query.name
  • query.type 
  • query.category 
  • query.userid
  • query.username
  • query.isfavorite 

For more information, see Advanced Query Tokens.