EDR Release 3.8 API
October 24, 2025
Before reviewing the API release highlights, refer to the Know Your Qualys API Server URL section to identify the API server URL to use in your API requests. In these release notes, <qualys_base_url> stands for that server URL in the sample API requests.
We have implemented versioning for APIs. For more information on API versioning, refer to the Introducing API Versioning: A Strategic Upgrade for Enhanced Stability and Control for API Integrations blog.
Extended searchAfter API to Support Additional Sections
We have extended the searchAfter API to include mappings for the following sections that previously existed in our OpenSearch template but were not exposed via the API:
- amsi section in FileScan.AMSI.Detection event
- antiphishing section in Antiphishing.Phishing event (this section appears under the key antiPhishing in the sample response below)
Highlights
- The above sections are now indexed and queryable through searchAfter.
- Responses include the corresponding fields under their respective sections.
- Non-breaking change. Existing requests continue to work.
searchAfter APIs
- Fetch Asset Details Using SearchAfter
- Fetch Events Using SearchAfter
- Fetch Incidents Using SearchAfter
API Sample
API Request
curl -L -X GET '<qualys_base_url>/ioc/v1/asset/searchAfter' \
  -H 'Authorization: Bearer <token>'
Response
{
"dateTime": "2025-08-22T15:16:24.000+0000",
"process": {
"fullPath": "C:\\Windows\\Explorer.EXE",
"processFile": {
"fullPath": "C:\\Windows\\Explorer.EXE",
"path": "C:\\Windows",
"fileName": "Explorer.EXE",
"moduleName": "Explorer",
"uniqueImageId": "9012345969476688084"
},
"processEventId": "RTP_77431db0-570c-34b3-aedb-3aaf9ab90938_22-8-2025",
"processName": "Explorer.EXE",
"elevated": false,
"parentPid": 7672,
"isCertificateExists": false,
"arguments": "C:\\Windows\\Explorer.EXE",
"pid": 7728,
"userName": "user1",
"integrityLevel": "password",
"sid": "S-1-5-21-1267196795-1931511629-2383437562-500"
},
"eventSource": "Anti-malware",
"type": "PROCESS",
"eventMetadata": {
"isDetectedByEPP": true,
"detectionType": "Fileless-AMSI",
"eppEventName": "FileScan.AMSI.Detection",
"processActionTaken": "BLOCK",
"isDetectOnlyEvent": false,
"threatName": "Application.Hacktool.AUU"
},
"amsi": {
"contentSize": 0,
"eventTime": 0,
"scriptFileName": [
"C:\\Users\\Administrator\\Desktop\\Antitest\\Antitest.exe"
],
"arguments": "C:\\Windows\\Explorer.EXE"
},
"actor": {
"processId": 1234
},
"score": "5",
"scoreSource": "Anti-malware",
"action": "AMSI",
"id": "RTP_XXXX1db0-5XXc-34X3-xxxx-3XXf9XX90938_2X-X-2025",
"category": [
"EPP.Suspicious.ProcessBehavior"
],
"asset": {
"fullOSName": "Microsoft Windows 10 Pro N 10.0.19045 Build 19045",
"hostName": "desktop-12345",
"agentId": "b51d6c44-XXX-4732-be8e-XXXXX9664f87",
"interfaces": [
{
"macAddress": "00:X0:XX:0X:00:00",
"ipAddress": "X0.1X.XX1.00",
"interfaceName": "Intel(R) 82574L Gigabit Network Connection",
"gatewayAddress": "XX.XX.X0X.X"
},
{
"macAddress": "00:X0:XX:0X:00:00",
"ipAddress": "fXX0:0:0:0:XXX9:1XX9:2XXb:XXed",
"interfaceName": "Intel(R) 82574L Gigabit Network Connection",
"gatewayAddress": "XX.XX.X0X.X"
}
],
"netBiosName": "DESKTOP-5BC1234",
"isQuarantineHost": false,
"customerId": "355abcd1-1234-5678-0000-ae008f55bce3",
"name": "DESKTOP-5BCAB24",
"platform": "Windows",
"assetType": "HOST",
"tags": [
{
"name": "user1",
"id": 2418XXXX,
"uuid": "XXX676fX-cXX8-XX32-bfXX-XXX8XbcXXX1b"
},
{
"name": "Cloud Agent",
"id": XXXX014,
"uuid": "XXX676fX-cXX0-XX31-bfXX-XXX8XbcXXX1b"
}
],
"architecture": "64-bit"
},
"uniqueId": "5804341234567803408",
"timestamp": "2025-08-22T11:01:02.892+0000"
}
API Request
curl -L -X GET '<qualys_base_url>/ioc/v1/asset/searchAfter' \
  -H 'Authorization: Bearer <token>'
Response
{
"dateTime": "2025-08-18T18:09:54.000+0000",
"eventSource": "Anti-malware",
"type": "ANTIPHISHING",
"eventMetadata": {
"isDetectedByEPP": true,
"detectionType": "Anti-Phishing",
"eppEventName": "Antiphishing.Phishing",
"antiPhishingURL": "bitdefender-testing.com/phishing",
"isDetectOnlyEvent": false,
"threatName": "bitdefender-testing.com/phishing of type Phishing CLOSED",
"antiPhishingEventActionTaken": "block",
"antiPhishingType": "Phishing"
},
"score": "4",
"scoreSource": "Anti-malware",
"action": "CLOSED",
"id": "RTA_909406a7-a854-358b-8394-6db143450f19_18-8-2025",
"antiPhishing": {
"createdDate": "1970-01-21T07:39:00.594+0000",
"PhishingURL": "bitdefender-testing.com/phishing",
"userType": "local",
"userName": "user1",
"PhishingType": "Phishing"
},
"category": [
"Phishing"
],
"asset": {
"fullOSName": "Microsoft Windows 11 Enterprise N 10.0.22631 Build 22631",
"hostName": "edrdm120",
"agentId": "9b663ce0-1f51-XXXX-be79-a186dd123456",
"interfaces": [
{
"macAddress": "00:X0:XX:0X:00:00",
"ipAddress": "fXX0:0:0:0:XXX9:1XX9:2XXb:XXed",
"interfaceName": "Intel(R) 82574L Gigabit Network Connection",
"gatewayAddress": "XX.XX.X0X.X"
},
{
"macAddress": "00:X0:XX:0X:00:00",
"ipAddress": "fXX0:0:0:0:XXX9:1XX9:2XXb:XXed",
"interfaceName": "Intel(R) 82574L Gigabit Network Connection",
"gatewayAddress": "XX.XX.X0X.X"
}
],
"netBiosName": "EDRDM120",
"isQuarantineHost": false,
"customerId": "355abcd0-9765-6611-8273-xx008x55xxx3",
"name": "EDRDM120",
"platform": "Windows",
"assetType": "HOST",
"tags": [
{
"name": "MA",
"id": 30XXXX30,
"uuid": "68fabcdef-234e-XXXX-8765-00000XXXXXX"
},
{
"name": "Cloud Agent",
"id": 87XXXX4,
"uuid": "68fabcdef-2582-XXXX-8765-00000XXXXXX"
},
{
"name": "EDR-Win",
"id": 510XXXX5,
"uuid": "77d00a00-d0e3-44xy-b00e-9x83x509x929"
}
],
"architecture": "64-bit"
},
"uniqueId": "901234X5-a854-358b-0000-6XX14345XX19",
"timestamp": "2025-08-18T20:17:11.055+0000"
}