Release 4.2
September 23, 2024
What's New?
Introduction of FIM Containers
With this release, we have introduced a groundbreaking feature called FIM on Containers. On the FIM Events tab, you can view FIM events detected by different sources:
- Container Based
Events originating from dynamic container environments. The Qualys Cloud Platform stores any activity on the monitored locations in the containers for 13 months, even though the containers are short-lived.
- Host Based
Events originate from hosts equipped with the Qualys Cloud Agent.
- Scan Based
Events originate from network devices, which send events at regular scan intervals.
FIM on Containers and FIM on network devices are requirements of PCI DSS 4.0. Container-based FIM is available on demand. Contact your Technical Account Manager (TAM) to activate this feature.
These new event-source filters allow for a more organized and efficient way to view events. With these updates, you have the flexibility to sort and view the list of events based on specific hosts or scan results.
These filters are available in:
- All Events tab
- Event Review tab
- Ignored tab
- Incidents Details page
To view the incident's details, navigate to the Incidents tab > All Incidents.
From the Quick Actions menu, click View Details for the required incident and go to Events.
Qualys FIM Captures User Impersonation Events
Qualys File Integrity Monitoring (FIM) has expanded its capabilities to include the detection and alerting of user impersonation events, helping to prevent unauthorized activities or potential breaches. This enhancement allows you to distinguish between the Effective User and the Actual User for more granular access and activity insights.
Effective User: The user captured by the Operating System as actively performing changes on monitored locations on the host.
Actual User: The user who has been impersonated.
FIM event details display both users.
To view the user details, navigate to the Events tab, select an event, and click View Details. If the Effective User and Actual User are not the same, it indicates a user impersonation event detected by FIM.
- For Windows events, the inclusion and exclusion filters work on effective users.
- For Linux events, the inclusion and exclusion filters work on actual users.
Report Summary Enhancement
With this release, we have enhanced our reporting feature and introduced new Report Statistics widgets. This enhancement allows you to receive a graphical representation of key statistics when you download reports in PDF format, offering a clearer visual understanding of the data. The new widgets include Changes By Action, Changes By Severity, Changes By Type, Events on Assets, and Changes by Users.
New Tokens for Events tab
We have introduced new tokens to find events in which the following file attributes were added or removed: archive, compressed, encrypted, hidden, read-only, and more.
Additional tokens have also been added to make event searches more effective. The tokens are listed in the following table.
Token | Description | Example |
---|---|---|
file.attribute.archive | Use the token to get details of all the attribute events where the 'archive' attribute has been added or deleted for a file or folder. | |
file.attribute.compressed | Use the token to get details of all the attribute events where the 'compressed' attribute has been added or deleted for a file or folder. | file.attribute.compressed: Added |
file.attribute.encrypted | Use the token to get details of all the attribute events where the 'encrypted' attribute has been added or deleted for a file or folder. | file.attribute. |
file.attribute.hidden | Use the token to get details of all the attribute events where the 'hidden' attribute has been added or deleted for a file or folder. | file.attribute.hidden: Removed |
file.attribute.notContentIndexed | Use the token to get details of all the attribute events where the 'notContentIndexed' attribute has been added or deleted for a file or folder. | file.attribute. |
file.attribute.readonly | Use the token to get details of all the attribute events where the 'readonly' attribute has been added or deleted for a file or folder. | file.attribute. |
eventSource | Use the token to get the FIM events from the selected source. Source values are agent, runtime_sensor or Scanner. | eventSource: agent |
actor.actualUserId | Use the text value ##### to find events of the actual user using ID. | actor.actualUserId: |
actor.actualUserName | Use a text value ##### to find events of the actual user using the user name. | actor.actualUserName: NT AUTHORITY\SYSTEM |
actor.effectiveUserId | Use a text value ##### to find events of the Effective user using ID. Effective users are actually Impersonated users. | actor.effectiveUserId: 1102 |
actor.effectiveUserName | Use a text value ##### to find events of the Effective user using the user name. Effective users are actually Impersonated users. | actor.effectiveUserName: "windows/admin" |
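The following added example (not Qualys code, and not the Qualys API schema) shows how the tokens in the table above and the Effective User / Actual User comparison from the impersonation section can be applied to FIM event records. The event layout, the platform field, the `Added`/`Removed` representation of attribute changes and all sample events are constructed for this example; only the token names and source values come from the release notes.

```python
"""Constructed example: evaluate 'token: value' searches from the Events tab
token table over sample FIM event records, and flag events whose Effective
User differs from the Actual User (the impersonation condition described in
the release notes). Record layout and sample data are assumptions made here,
not the Qualys FIM API schema."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class FimEvent:
    event_id: str
    platform: str                       # "windows" or "linux" (assumed field)
    event_source: str                   # agent, runtime_sensor or Scanner
    actual_user_id: str
    actual_user_name: str
    effective_user_id: str
    effective_user_name: str
    # attribute name -> "Added" / "Removed" (assumed representation)
    attributes: Dict[str, str] = field(default_factory=dict)


def token_values(ev: FimEvent) -> Dict[str, str]:
    """Flatten one record into the dotted token names used on the Events tab."""
    values = {
        "eventSource": ev.event_source,
        "actor.actualUserId": ev.actual_user_id,
        "actor.actualUserName": ev.actual_user_name,
        "actor.effectiveUserId": ev.effective_user_id,
        "actor.effectiveUserName": ev.effective_user_name,
    }
    for name, change in ev.attributes.items():
        values[f"file.attribute.{name}"] = change
    return values


def parse_token(query: str) -> Tuple[str, str]:
    """Split 'token: value' at the first colon; surrounding quotes on the value
    (as in actor.effectiveUserName: "windows/admin") are stripped."""
    token, sep, value = query.partition(":")
    if not sep or not value.strip():
        raise ValueError(f"expected 'token: value', got {query!r}")
    return token.strip(), value.strip().strip('"')


def search(events: List[FimEvent], query: str) -> List[FimEvent]:
    """Return the events whose flattened token value equals the queried value."""
    token, value = parse_token(query)
    return [ev for ev in events if token_values(ev).get(token) == value]


def is_impersonation(ev: FimEvent) -> bool:
    """Per the release notes: Effective User != Actual User means impersonation."""
    return (ev.effective_user_name != ev.actual_user_name
            or ev.effective_user_id != ev.actual_user_id)


def impersonation_event_ids(events: List[FimEvent]) -> List[str]:
    return [ev.event_id for ev in events if is_impersonation(ev)]


def filter_user(ev: FimEvent) -> str:
    """The user that inclusion/exclusion filters act on: the effective user
    for Windows events, the actual user for Linux events."""
    return ev.effective_user_name if ev.platform == "windows" else ev.actual_user_name


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    FimEvent("evt-1", "windows", "agent", "18", "NT AUTHORITY\\SYSTEM",
             "1102", "windows/admin", {"hidden": "Removed"}),
    FimEvent("evt-2", "linux", "runtime_sensor", "0", "root",
             "0", "root", {"compressed": "Added"}),
    FimEvent("evt-3", "linux", "agent", "1001", "alice",
             "0", "root", {"readonly": "Removed"}),
    FimEvent("evt-4", "windows", "Scanner", "1200", "CORP\\svc-backup",
             "1200", "CORP\\svc-backup", {"archive": "Added"}),
]

if __name__ == "__main__":
    for q in ("file.attribute.hidden: Removed", "eventSource: agent",
              'actor.effectiveUserName: "windows/admin"'):
        print(q, "->", [e.event_id for e in search(SAMPLE_EVENTS, q)])
    print("impersonation:", impersonation_event_ids(SAMPLE_EVENTS))
    for e in SAMPLE_EVENTS:
        print(e.event_id, e.platform, "filters on", filter_user(e))
```

`evt-1` and `evt-3` are the two records where the effective and actual users differ, which is what the Events tab would surface as impersonation; `filter_user` illustrates why the same inclusion filter on a user name can match a Windows event but miss the equivalent Linux event.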
Ability to Re-run Reports
With this release, we have introduced a feature that allows you to re-run the reports. Now, reports that are not marked as 'Completed' can be run again. This functionality is applicable across all types of data sources, including event-based, asset-based, and incident-based reports. Earlier, this feature was restricted to incident-based reports.