ETM Identity Release 1.3.0 

June 25, 2026

Introduced Foreign Security Principal Support

ETM Identity now identifies and processes Foreign Security Principal (FSP) within Active Directory environments. FSPs are accounts that exist in another forest but have rights in the AD forest.

Prerequisite: Availability of the Foreign Security Principal feature is dependent on the Qualys Cloud Agent version 6.6.0+

Managing Forest Security Principals (FSPs) provides key benefits:

  • Cross-Forest Permissions
    Assigns local access rights to users from trusted forests.
  • Security & Auditing
    Serves as placeholders in Access Control Lists (ACLs) for traceable permissions on external access.
  • Universal Group Membership
    Allows centralized resource access in multi-domain environments.
  • Broken Trust Identification
    Orphaned FSPs are easily identifiable if the trust relationship with an external forest is lost.

When are FSPs Created?

  • FSPs are created automatically by the system when:
  • A user/group from a trusted external forest/domain is added to a domain local group in the local domain.
  • A special identity (e.g., Authenticated Users) is added to a group.
  • Permissions are granted to a foreign principal on a local resource.

Key enhancements include:

  • Cross-Domain Identity Visibility
    • Improved handling of forest trust relationships between domains.
    • Enables identification of users and groups from trusted external domains.
  • Foreign Security Principal (FSP) Identification
    The system locates the domain as the administrator object and links edges to the corresponding foreign security principal, enabling accurate graph traversal across trust boundaries.
    • External users and groups are now clearly identified as Foreign Security Principals (FSPs).
    • Helps distinguish between:
      • Local domain users
      • Foreign (external) users
      • Suspicious identities
  • Enhanced Security and Auditing Insights
    • Provides better insights into:
      • Cross-domain access
      • Group memberships involving external entities
    • Supports auditing of foreign user/group activity across trusted domains.
  • Suspicious Identity Highlighting
    • Improved detection of:
      • Suspicious users
      • Suspicious group relationships
    • Helps identify unexpected or risky cross-domain associations.

The following screenshot displays the attack path analysis for the user showing the FSP account.

The user showing the FSP account.

The following screenshot displays the attack path analysis for the group, showing the FSP account.

The group showing the FSP account.

The following screenshot displays the newly added Attack Path Legends , such as Foreign Users and Foreign groups.
Attack Path Legends  for Foreign Users and Foreign groups.

For more information on Attack Path Analysis, refer to ETM Identity Online help.

Introduced Role-Based Access Control

We have introduced Role-Based Access Control (RBAC) to enhance security, streamline access management, and ensure users can only access authorized features and data. RBAC restricts system access by assigning roles, permissions, and privileges, enabling controlled access across UI and backend APIs.

Prerequisite: Availability of Role-Based Access Control feature is dependent on Qualys Cloud Agent version 6.6.0+.

Key highlights are:

  • Base permissions are:
    • ETM Identity UI access
    • ETM Identity API access
  • Role Updates
    Updated default roles in ETM Identity:
    • ETM Identity Manager has full access (Grants full access to all tabs and operations within the ETM Identity app, including write permissions)
    • ETM Identity Viewer has restricted access (Grants read access to all tabs within the ETM Identity app; write operations are not permitted.)

The introduction of Role-Based Access Control (RBAC) helps by restricting role update capabilities to specific users, improving governance, and enforcing better control over permission management. Overall, this implementation improves data integrity, user experience, and operational compliance.

Administrators can:

  • Create custom roles
  • Assign feature permissions
  • Restrict feature visibility
  • Control tenant/user access

To view the permission, navigate to Administration app > Role ManagementNew Role.

view the permission.

For more information, refer to the Administration Online Help.

Static Tag Scoping

With static tag scoping, administrators assign tags to both users and assets, ensuring that users can view only the data associated with matching tags.

Dynamic Tag Scoping

Dynamic tag scoping supports dynamic tag rules and automated tagging workflows, enabling user access and visibility to be automatically managed based on predefined conditions and policies.

To know more about the permissions for ETM Identity, refer to ETM Identity Online Help.

Multi-Factor Authentication (MFA) Status Display (Unified Asset Inventory Enabled Account)

ETM Identity now supports Multi-Factor Authentication (MFA) enrollment status directly in the Qualys Inventory dashboard. This enhancement gives security and identity teams immediate visibility into whether multi-factor authentication is enabled or disabled for each user, without requiring manual cross-referencing across identity providers. The feature is available for users ingested through the Entra and Okta connectors.

This feature is beneficial  for

  • View MFA status for all supported users in a single inventory view, eliminating the need to query identity providers separately.

  • Identify users without MFA enabled, enabling teams to prioritize remediation efforts and reduce exposure.
  • Use Qualys Query Language (QQL) to filter and segment users by MFA status, supporting both audit and operational workflows.

  • Monitor MFA support across Entra and Okta environments within a unified inventory interface.  

You can locate the MFA column in the user inventory table. The column displays MFA value. You can also filter users by MFA status using QQL user.isMfaActivated:true

  • True: MFA is enabled for the user.

  • False: MFA is disabled for the user.

View assets with MFA.

New Tenant and Policy Tabs (Unified Asset Inventory Enabled Account)

We have introduced two new tabs in the UI: Tenant and Policy. These tabs provide a unified and centralized view of identity environments and policies across multiple identity providers.

Prerequisite: Availability of these tabs is dependent on the Unified Asset Inventory (UAI) 1.2 release.

Tenant Tab

The Tenant tab provides a consolidated view of identity environments across different platforms by normalizing equivalent constructs:

Source System Representation in Tenant Tab
Active Directory (AD) Domain
Microsoft Entra ID Tenant

You can now view and manage all identity environments from a single Tenant tab. Active Directory (AD) domains and Microsoft Entra tenants are displayed in a unified format. It enables easier navigation and consistent visibility across hybrid identity setups.

To view the Tenant tab, navigate to Inventory > Assets > Identity > Tenant.

To view the Tenant tab.

Policy Tab

The Policy tab centralizes policy visibility across supported identity providers.

Source System Policy Type Shown
Active Directory (AD) Group Policy Objects (GPOs)
Microsoft Entra Conditional Access Policies

All policies are accessible in one place, regardless of their source.
This provides a standardized view for monitoring and managing policies and simplifies cross-platform policy governance.

To view the Policy tab, navigate to Inventory > Assets > Identity > Policy.

To view the Policy  tab.

The Tenant and Policy tabs are currently populated for AD Agent, AD Connector, and Entra Connector.

To know more about these tabs, refer to ETM Identity Online Help.

Interactive Cards In Risk Management and Inventory Tabs

We introduced interactive cards across multiple tabs to help you quickly identify risks, prioritize actions, and monitor users and groups more efficiently.

UAI Enabled Accounts

The Misconfigurations tab now includes four cards. It saves time by providing a quick snapshot rather than deep searching. The following is the list cards;

  • Critical Misconfigurations. It helps you prioritize the most critical security gaps first.
  • Misconfigurations (30+ days) open for more than 30 days. It helps to identify long-pending issues that need immediate attention
  • Password Misconfigurations (Last 30 Days) detected within 30 days. It helps to monitor recent authentication-related risks related to passwords)
  • Kerberos Misconfigurations (Last 30 Days) - detected within 30 days. It helps to monitor recent authentication-related risks in to Kerberos.

View Interactive Cards.

Accounts with Inventory (Qualys Apps)

For the accounts with inventory from Qualys apps (Non UAI account) we have added cards in ID Misconfigurations, Identity Users, Identity Groups tabs and dashboard.

ID Misconfigurations Tab 

The ID Misconfigurations tab now includes four cards. They provide visibility into identity-related configuration issues. The following is the list of cards:

  • Critical Misconfigurations
    Critical Misconfiguration helps you prioritize the most critical security gaps first.
  • Misconfigurations (30+ days)
    Misconfigurations open for more than 30 days. It helps to identify long-pending issues that need immediate attention

  • Password Misconfigurations (Last 30 Days)
    Password misconfigurations detected within 30 days. It helps to monitor recent authentication-related risks related to passwords)
  • Kerberos Misconfigurations (Last 30 Days) -
    Kerberos misconfigurations detected within 30 days. It helps to monitor recent authentication-related risks in to Kerberos.

View ID Misconfigurations Tab.

Identity Users Tab

The Identity Users tab now includes four cards. These cards provide on risky or important user accounts. The following is the list of cards:

  • High-risk identities (risk score > 800)
    Spot high-risk users who may need immediate action.
  • Identities with no login in 90 days
    Identifies inactive accounts that can be cleaned up or disabled
  • Privileged identities
    Monitors privileged accounts to avoid misuse
  • Service accounts 
    Track service accounts that often go unnoticed but are sensitive

View To view the Tenant tab.

Identity Groups Tab

The Identity Groups tab now includes three cards. These cards provide insights into group-level risks. The following is the list of cards:

  • High Risk Groups (Trurisk score > 800)
    Identify risky groups that can expose multiple users at once.
  • Critical Groups
    Understand group criticality using ACS scoring
  • Groups Without ACS
    Detect groups without proper evaluation (missing ACS score)

Dashboard 

You can now access widgets for the most common misconfigurations, identities with excessive privileges, and identities with the most common misconfigurations.

AD Real-Time Monitoring

AD Real-Time Monitoring continuously captures Active Directory events and converts them into actionable security alerts.
This feature includes:

  • Live security monitoring
  • Event visibility
  • Real-time detection
  • Alert generation
  • Response guidance
     

Prerequisite: Availability of AD Real-Time Monitoring is dependent on Qualys Cloud Agent version 6.6.0+

Active Directory events are collected by the AD agent and converted into a standard format for processing. The events are then enriched with identity, asset, and AD-related information to provide additional context. Next, they are analyzed against detection and misconfiguration rules to identify potential security issues. When a rule match is found, the system generates real-time security alerts for investigation and response.

Core capabilities of AD real time monitoring are

  • The system continuously monitors logons, account changes, group membership modifications, directory service access, policy changes, and overall security activity to identify and respond to potential threats in real time.
  • The system automatically identifies risky behaviors, including suspicious logons, policy misuse, potential compromise indicators, privilege abuse, and lateral movement patterns, to help detect and respond to security threats proactively.
  • Alerts include severity levels, detailed event information, source and target details, recommended remediation steps, and the raw event payload to support accurate investigation and response.

To view alerts and events, navigate to Monitoring tab > AD Monitoring > Alerts and Events.

To know more about AD monitoring, refer to ETM Identity Online Help.

Automated Group Scoring

We introduced Automated Group Scoring to simplify and accelerate identity risk assessment. The platform can now automatically assign default ACS (Asset Criticality Score) values to groups that lack manually configured scores.

The following are key benefits:

  • Reduces the manual effort required to maintain ACS scoring.
  • Ensures broader coverage for identity risk calculations.
  • Helps eliminate scoring gaps caused by unclassified groups.
  • Improves consistency in risk posture evaluation across Active Directory environments.

Organizations can achieve more complete and accurate identity risk assessments without requiring administrators to manually score every group object.

Attack Path Analysis Enhancement

Attack Path Analysis has been improved to provide clearer visuals and more accurate, context-aware metrics, making it easier for analysts to quickly understand and investigate potential attack paths.

Dynamic Count Updates in Attack Path Views

Attack Path Analysis now updates object, relationship, and suspicious path counts dynamically when switching between Suspicious and Non-Suspicious view modes. Previously, counts remained unchanged when toggling the view filter in Display Options. Counts now automatically reflect only the nodes and relationships visible in the active graph view. This provides accurate, context-aware metrics at a glance, helping analysts quickly understand the scope of the current view without manually comparing counts against the displayed graph.

Cleaner Attack Path Graphs with Excluded Edge Removal

The Attack Path Analysis graph is now simplified by removing generic excluded edges, reducing visual clutter, and enhancing analysis. This results in a cleaner visualization that highlights relevant relationships and suspicious paths, improving investigation efficiency.

Issues Addressed

There are no notable customer issues in this release.