EDR Release 3.8

October 24, 2025

Implementation of QQL Token Standardization

We have now implemented Qualys Query Language (QQL) token standardization across all Qualys applications. As part of this enhancement, both common and Endpoint Detection and Response tokens are updated with new token names that follow a standard, consistent nomenclature.

The new token format follows the syntax: file.updatedBy.username

For example, in the new token file.createdDate, file is the entity, and createdDate is the attribute.  

Key Enhancements:

  • Standardized Token Naming: The Incidents, Alerts, Events, Advanced Hunting, Assets, Exception Rules, Forensics, and Profiles tokens now follow the standardized naming convention. The tokens common to all Qualys applications have also been updated.
  • Search Bar Updates: Only the new tokens appear in the auto-suggestions of the search bars in the UI. If you type an old token name manually, the QQL query still works.
  • Backward Compatibility: The existing Dashboard widgets and Saved Search Queries will continue to support the old tokens in edit mode.
  • Improved Interoperability: The standardized tokens make it easier to copy and reuse the search query from one application to another, eliminating the need to remember multiple token names for different applications and similar searches.

For the complete list of old and new token mappings, see Old and New Token Mappings.
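
Because old tokens keep working but no longer appear in auto-suggestions, saved hunting queries can be moved to the new names in bulk. The following is an added example, not Qualys code: it rewrites only token names (the part before the colon) and leaves quoted or backticked values untouched. The old token names, the saved searches, and the token:value query form are assumptions made for illustration; take the real pairs from the Old and New Token Mappings list.

```python
import re

# Constructed mapping. The new names come from the release note; the old names
# are placeholders, not real Qualys tokens. Fill in the real pairs from the
# "Old and New Token Mappings" page.
TOKEN_MAP = {
    "OLD_FILE_CREATED": "file.createdDate",
    "OLD_FILE_UPDATED_BY": "file.updatedBy.username",
}

# Quoted and backticked values are matched first and passed through, so
# token-like text inside a value is never rewritten. A token is a name that is
# directly followed by ':' (assumed token:value query form).
LEXER = re.compile(
    r'(?P<value>"[^"]*"|`[^`]*`)'
    r'|(?<![\w.])(?P<token>[A-Za-z_][\w.]*)(?=\s*:)'
)

def migrate_query(query, mapping=TOKEN_MAP):
    """Return (rewritten query, list of old tokens that were replaced)."""
    replaced = []

    def swap(match):
        name = match.group("token")
        if name is None or name not in mapping:
            return match.group(0)  # value, operator, or already-new token
        replaced.append(name)
        return mapping[name]

    return LEXER.sub(swap, query), replaced

def audit_saved_searches(saved, mapping=TOKEN_MAP):
    """Map each saved-search name to its migrated query, only if it changed."""
    report = {}
    for name, query in saved.items():
        new_query, replaced = migrate_query(query, mapping)
        if replaced:
            report[name] = new_query
    return report

# Constructed saved searches (names and values are illustrative).
SAVED = {
    "recent-writes": 'OLD_FILE_CREATED:"2025-10-01" and OLD_FILE_UPDATED_BY:alice',
    "already-new": 'file.createdDate:"2025-10-01"',
    "quoted-text": 'OLD_FILE_UPDATED_BY:"note OLD_FILE_CREATED: keep"',
}

if __name__ == "__main__":
    for name, query in audit_saved_searches(SAVED).items():
        print(f"{name}: {query}")
```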

Enhanced Feature: Endpoint Security Profile (Formerly Anti-malware Profile)

This release introduces a significant enhancement to the existing Anti-malware Profile, which has evolved into a comprehensive Endpoint Security Profile.

This enhancement builds on familiar EPP (Endpoint Protection Platform) controls by integrating powerful EDR (Endpoint Detection and Response) capabilities, unified exclusion management, and streamlined toggle controls, all within the same trusted interface you already know.

Key Changes in Endpoint Security Profile

The following table highlights the key changes introduced with the new Endpoint Security Profile:

| Area | Previous (Anti-malware Profile in EDR) | Now (Endpoint Security Profile) |
|---|---|---|
| Scope | Anti-malware protection within EDR | Comprehensive endpoint security (EPP + EDR). |
| Security Control Center | Anti-malware controls in Malware Protection | Expanded control center covering all endpoint security features. |
| Licensing Adaptation | The configuration was tied to the EPP license. If you didn’t have an EPP license, you didn’t even see or configure this profile. EDR customers without EPP had no way to leverage those controls. | The profile adapts flexibly. EPP remains license-based. You still need an EPP license to use those controls. EDR controls are tag-based, so without an EPP license, you can still configure and apply EDR protections to assets by assigning tags in the EDR profile. |
| Workflows | Established EPP/anti-malware workflows | Existing workflows preserved; new EDR/EPP areas follow the same structure. |
| User Controls | Granular controls for EPP features | Same familiar controls, now extended to include EDR features within the unified profile. |
| Profile Management | Managed Anti-malware settings only | Unified profile combining EPP (horizontal tabs) and new EDR (vertical tabs) in one place. |

For more information, see EDR online help.

Report Scheduling for Dashboards

We have introduced the Report Schedule functionality to enhance dashboard reporting capabilities.

With this update, you can now schedule dashboard-based reports and receive them via email at specified intervals. This functionality enables better planning and timely access to relevant data, eliminating the need for manual intervention.

Highlights

  • Automated Report Delivery: Send dashboard reports to selected recipients via email.
  • Custom Frequency: Schedule reports to run Daily, Weekly, or Monthly.
  • Time Zone Support: Set schedules based on your preferred time zone.
  • Flexible Formats: Reports are delivered in PDF format (Portrait or Landscape) or as a URL. 
    Note: If the report is shared as a URL, you will be prompted to log in to your account after clicking the link.
  • Dashboard-Specific Schedules: Each schedule is created directly from the relevant dashboard.

This enhancement improves visibility and collaboration by ensuring stakeholders receive timely, consistent updates from the dashboards that matter most to them.

For more information, see EDR online help.

Recovering Encrypted Files

EPP with anti-ransomware detection is designed to identify, block, and mitigate ransomware attacks. Ransomware is malicious software that encrypts a victim's files, rendering them unreadable unless a ransom is paid.

Our latest Endpoint Protection Platform (EPP) engine update is a game-changer. It not only displays encrypted file details after thwarting attacks but also restores encrypted files. This significant enhancement is designed to enhance user safety, protect data, and accelerate recovery following an attack.

Recovering encrypted files is straightforward. The steps are designed to be user-friendly, making them easy to understand and follow, empowering you to take control of your system's security.

Recovery Steps: Find events | Recover affected files | Verify details

For more information, see EDR online help.

Dynamic Event Attribute Gathering

This release introduces enhanced support for gathering dynamic attributes from multiple providers. The update improves the event management system’s robustness, flexibility, and scalability, making it easier to integrate new providers and event types.

The following new capabilities are available in the Hunting and Detections tabs.

  • Dynamic Attribute Collection: Gather event attributes from multiple providers to enrich context and improve analysis. 
  • Advanced Filtering: Filter events using QQL tokens, incident numbers, detections, or hunting queries for more targeted results.
  • Event Summary View: Quickly review essential details and metadata for each event.
  • Free Text Search: Perform deep investigations by searching directly within JSON payloads.
  • Severity-Based Filtering: Prioritize investigations by viewing events based on their severity scores.
  • Process Tree Visualization: Understand event relationships and process lineage with an interactive process tree view.

For more information, see EDR online help.

Extended EDR Remediation Actions for Mac Assets

We’ve extended support for Quarantine File, Delete File, and Kill Process remediation actions to Mac assets.

Previously, these actions were available only for Windows and Linux assets. With this release, security teams can now take the same immediate remediation actions across Mac assets, ensuring consistent endpoint protection across all major platforms.