EDR Release 3.8.1 API

January 18, 2026

Before reviewing the API release highlights, see the Know Your Qualys API Server URL section to learn which API server URL to use in your API requests. In these API release notes, the sample API requests use <qualys_base_url>.

We have implemented versioning for APIs. For more information on API versioning, refer to the Introducing API Versioning: A Strategic Upgrade for Enhanced Stability and Control for API Integrations blog.

New Public API Support

This API returns the number of events after grouping them into a specified number of buckets.

Fetch Event Count using Time Buckets

Non-Versioned

GET /ioc/events/count/time-buckets

V1.0

GET /ioc/v1/events/count/time-buckets

Non-Versioned

Sample

API Request

 curl -G --data-urlencode "filter=type:file" \
   "<qualys_base_url>/ioc/events/count/time-buckets?fromDate=1764134321&toDate=1764145121&bucketCount=5" \
   -H "Authorization: Bearer <token>"

Response

 {
  "2025-11-26T04:48:00.000Z_2025-11-26T05:24:00.000Z": 733,
  "2025-11-26T05:24:00.000Z_2025-11-26T06:00:00.000Z": 4984,
  "2025-11-26T06:00:00.000Z_2025-11-26T06:36:00.000Z": 4930,
  "2025-11-26T06:36:00.000Z_2025-11-26T07:12:00.000Z": 5120,
  "2025-11-26T07:12:00.000Z_2025-11-26T07:48:00.000Z": 5047
}

V1.0

Sample

API Request

 curl -G --data-urlencode "filter=type:file" \
   "<qualys_base_url>/ioc/v1/events/count/time-buckets?fromDate=1764134321&toDate=1764145121&bucketCount=5" \
   -H "Authorization: Bearer <token>"

Response

{
  "2025-11-26T04:48:00.000Z_2025-11-26T05:24:00.000Z": 733,
  "2025-11-26T05:24:00.000Z_2025-11-26T06:00:00.000Z": 4984,
  "2025-11-26T06:00:00.000Z_2025-11-26T06:36:00.000Z": 4930,
  "2025-11-26T06:36:00.000Z_2025-11-26T07:12:00.000Z": 5120,
  "2025-11-26T07:12:00.000Z_2025-11-26T07:48:00.000Z": 5047
} 

Both versions currently return the same response, and functionality remains unchanged.
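
The following is an added example, not Qualys code: it parses the time-bucket response shown above into a sorted series, checks that the buckets are contiguous and equally wide, and lists buckets whose count deviates from the median. The function names and the factor of 2 are assumptions chosen for illustration.

```python
import json
from datetime import datetime, timezone
from statistics import median

# Response body copied from the sample in this release note.
SAMPLE = """{
  "2025-11-26T04:48:00.000Z_2025-11-26T05:24:00.000Z": 733,
  "2025-11-26T05:24:00.000Z_2025-11-26T06:00:00.000Z": 4984,
  "2025-11-26T06:00:00.000Z_2025-11-26T06:36:00.000Z": 4930,
  "2025-11-26T06:36:00.000Z_2025-11-26T07:12:00.000Z": 5120,
  "2025-11-26T07:12:00.000Z_2025-11-26T07:48:00.000Z": 5047
}"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"


def _ts(text):
    """Parse one UTC timestamp from a bucket key."""
    return datetime.strptime(text, TS_FORMAT).replace(tzinfo=timezone.utc)


def parse_buckets(payload):
    """Turn {"<start>_<end>": count} into [(start, end, count)] sorted by start."""
    rows = []
    for key, count in json.loads(payload).items():
        start, end = key.split("_", 1)
        rows.append((_ts(start), _ts(end), int(count)))
    return sorted(rows)


def is_contiguous(rows):
    """True when buckets share one width and each starts where the previous ended."""
    widths = {end - start for start, end, _ in rows}
    return len(widths) == 1 and all(a[1] == b[0] for a, b in zip(rows, rows[1:]))


def deviating_buckets(rows, factor=2.0):
    """Buckets whose count is above median*factor or below median/factor (assumed rule)."""
    mid = median(count for _, _, count in rows)
    return [r for r in rows if r[2] > mid * factor or r[2] < mid / factor]


if __name__ == "__main__":
    buckets = parse_buckets(SAMPLE)
    print("contiguous:", is_contiguous(buckets))
    for start, end, count in deviating_buckets(buckets):
        print(f"review {start.isoformat()} .. {end.isoformat()}: {count} events")
```
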

Enhancement: UserInfo fields in the SearchAfter API for Antimalware events

We have enriched antimalware events in the SearchAfter API for EPP events with UserInfo fields to improve visibility and support security investigations.

The following fields are now included in the antimalware events:

  • UserName
  • UserType
  • UserSid

These fields are available for all antimalware events, including AntiPhishing, AntiRansomware, Device Control, File, Network, Process, Traffic, and User Control. These fields help identify and correlate user activity across different antimalware events, improving threat analysis and incident response.

Sample

API Request

curl -L -X GET '<qualys_base_url>/ioc/asset/searchAfter' \
  -H 'Authorization: Bearer <token>'

Response

[
  {
    "dateTime": "2025-11-14T11:14:54.000+0000",
    "eventSource": "Anti-malware",
    "type": "TRAFFIC",
    "eventMetadata": {
      "isDetectedByEPP": true,
      "detectionType": "Traffic-Scan",
      "eppEventName": "TrafficScan.Malware",
      "threatType": "VIRUS",
      "fileState": "BLOCKED",
      "malwareType": "HTTP",
      "isDetectOnlyEvent": false,
      "threatName": "Cloud Virus",
      "fileActionTaken": "ACTION_DENY"
    },
    "score": "4",
    "scoreSource": "Anti-malware",
    "file": {
      "fullPath": "bitdefender-testing.com/malware",
      "path": "bitdefender-testing.com/malware",
      "fileName": "malware",
      "userSid": "S-x-x-xx-5xxxxxx02-39xxxxxx53-23xxxxxx52-xx0",
      "userType": "local",
      "userName": "Administrator"
    },
    "action": "ACCESS_DENIED",
    "id": "RTT_xxxxxxxx-xxxx-xxxx-xxxx-71xxxxxxxx49_14-xx-2025",
    "category": [
      "VIRUS"
    ],
    "asset": {
      "fullOSName": "Microsoft Windows 11 Enterprise 10.0.22631 Build 22631",
      "hostName": "EDRTK122-170",
      "agentId": "acxxxxxa-xxxx-xxxx-xxxx-afxxxxxxx40e",
      "interfaces": [
        {
          "macAddress": "xx:xx:xx:xx:xx:xx",
          "ipAddress": "xxxx:xxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxx",
          "interfaceName": "Intel(R) 82574L Gigabit Network Connection",
          "gatewayAddress": "xx.xx.xxx.x"
        },
        {
          "macAddress": "xx:xx:xx:xx:xx:xx",
          "ipAddress": "xx.xx.xxx.xxx",
          "interfaceName": "Intel(R) 82574L Gigabit Network Connection",
          "gatewayAddress": "xx.xx.xxx.x"
        },
        {
          "macAddress": "xx:xx:xx:xx:xx:xx",
          "ipAddress": "xxxx:xxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx",
          "interfaceName": "Intel(R) 82574L Gigabit Network Connection",
          "gatewayAddress": "xx.xx.xxx.x"
        },
        {
          "macAddress": "xx:xx:xx:xx:xx:xx",
          "ipAddress": "xxxx:x:x:x:xxxx:xxxx:xxxx:xxxx",
          "interfaceName": "Intel(R) 82574L Gigabit Network Connection",
          "gatewayAddress": "xx.xx.xxx.x"
        },
        {
          "macAddress": "xx:xx:xx:xx:xx:xx",
          "ipAddress": "xxxx:xxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx",
          "interfaceName": "Intel(R) 82574L Gigabit Network Connection",
          "gatewayAddress": "xx.xx.xxx.x"
        }
      ],
      "netBiosName": "EDRTK122-170",
      "isQuarantineHost": false,
      "customerId": "3xxxxxx1-xxxx-xxxx-xxxx-ae0xxxxxxce3",
      "name": "edrtk122-170",
      "platform": "Windows",
      "assetType": "HOST",
      "tags": [
        {
          "name": "Test-TK",
          "id": 30xxxxx8,
          "uuid": "9xxxxxx8-xxxx-xxxx-xxxx-7xxxxxxxxxx3"
        },
        {
          "name": "Cloud Agent",
          "id": 8xxxxx4,
          "uuid": "6xxxxxxe-xxxx-xxxx-xxxx-6exxxxxxxx1b"
        }
      ],
      "architecture": "64-bit"
    },
    "uniqueId": "2xxxxxxx-xxxx-xxxx-xxxx-48xxxxxxx4c",
    "timestamp": "2025-11-14T11:16:09.914+0000"
  }
]
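
The following is an added example, not Qualys code: it groups SearchAfter antimalware events by userSid so that one account's activity can be followed across event types and hosts. The sample above carries the user fields inside the `file` object; where they sit for other event types is not shown on this page, so the helper searches nested objects (an assumption), and the events, SIDs and host names below are constructed.

```python
from collections import defaultdict

# Constructed events shaped like the sample response; all values are placeholders.
EVENTS = [
    {"id": "evt-1", "type": "TRAFFIC", "asset": {"hostName": "HOST-A"},
     "file": {"userSid": "S-1-5-21-EXAMPLE-500", "userType": "local", "userName": "Administrator"}},
    {"id": "evt-2", "type": "FILE", "asset": {"hostName": "HOST-B"},
     "file": {"userSid": "S-1-5-21-EXAMPLE-500", "userType": "local", "userName": "Administrator"}},
    {"id": "evt-3", "type": "FILE", "asset": {"hostName": "HOST-A"},
     "file": {"userSid": "S-1-5-21-EXAMPLE-1104", "userType": "local", "userName": "jdoe"}},
    {"id": "evt-4", "type": "PROCESS", "asset": {"hostName": "HOST-A"}},  # no user fields
]
USER_KEYS = ("userSid", "userName", "userType")


def find_user_info(node):
    """Depth-first search for the first nested object that carries userSid."""
    if isinstance(node, dict):
        if "userSid" in node:
            return {key: node.get(key) for key in USER_KEYS}
        children = node.values()
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        found = find_user_info(child)
        if found:
            return found
    return None


def correlate_by_user(events):
    """Group events by userSid; return (per-user summary, ids lacking user fields)."""
    users = defaultdict(lambda: {"names": set(), "types": set(), "hosts": set(), "ids": []})
    unattributed = []
    for event in events:
        info = find_user_info(event)
        if not info or not info["userSid"]:
            unattributed.append(event.get("id"))
            continue
        entry = users[info["userSid"]]
        entry["names"].add(info["userName"])
        entry["types"].add(event.get("type"))
        entry["hosts"].add(event.get("asset", {}).get("hostName"))
        entry["ids"].append(event.get("id"))
    return dict(users), unattributed
```

Keying on userSid rather than userName keeps same-named accounts on different hosts or domains from being merged into one entry.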