Release 4.4
January 06, 2025
What's New?
New Feature: Audit Trail for FIM Profile
With this release, we have introduced an audit trail for FIM profiles. An audit trail is a record of events, including file changes and user activities, that helps track actions.
Benefits
- Maintaining audit trails in a FIM policy ensures accountability and compliance.
- Viewing the actual change as a JSON object.
Key Points
You can find the following activities in the audit trail:
- Create a new profile
- Update a profile
- Delete a profile
- Add and delete rules in a profile
- Add and delete assets in a profile
- Add and delete tags in a profile
You can view the audit trails in the Activity Logs tab of the Administration module.
To know more about the audit trail, refer to FIM Online Help.
New Feature: Import Profile
With this release, we have introduced a new feature to import profiles for enhanced convenience and organization. You can import multiple profiles at once. The import creates multiple profiles based on the unique ID and profile name present in the CSV file. You can save the file on your local machine for reuse, import it, and customize it as per your requirements.
Benefits
- Efficiency in Configuration
Having a profile configured on one account allows for easy reuse and import into other accounts, saving time and reducing manual setup efforts.
- Bulk Editing Capability
Making changes to multiple profiles using CSV files simplifies the process. You can update settings in bulk without navigating through the user interface for each profile, which enhances productivity.
- Flexible Bulk Settings
You can easily adjust or replace specific settings in bulk, making it adaptable to changing requirements or configurations.
- Simplified Profile Management
The ability to manage and modify multiple profiles simultaneously through a CSV file streamlines profile handling and organization.
- Time-Saving Solutions
The overall process of importing, exporting, and editing profiles becomes quicker, allowing for faster adjustments and deployments.
You can select multiple profiles and from the Actions menu, choose Import Profile.
Enhancements in Dashboard
With this release, we have made several enhancements to the Dashboard. We have introduced new widgets, renamed some existing widgets so that their names identify their function more easily, and updated the queries to better suit each function.
New Dashboard Widgets
We have added the following new widgets:
- User Impersonation
Get a count of the events generated by impersonated users.
- Non-compliant (Non-Communicating) Assets
Get a count of assets that have not communicated for more than 7 days.
- Non-compliant (Bad Agent Health Status)
Get a count of assets where the agent has reported a bad health status to the Qualys platform, indicating that FIM is not working on the host.
Updated Widgets Name and Queries
We have renamed the widgets to be more suitable for functions and ease of understanding.
Refer to the following table for details.
We have replaced the backtick (`) with a single quote (') in the queries.
Existing Title | New Title | Existing Query | New Query |
---|---|---|---|
Delete activity by non-privileged users on Linux | Delete activity by regular users on Linux | platform:Linux and action:Delete and not (actor.userName:`root`) | platform:Linux and action:Delete and not (actor.userName:'root') |
Delete activity by non-privileged users on Windows | Delete activity by standard users on Windows | platform:Windows and action:Delete and not (actor.userName:`NT AUTHORITY` or actor.userName:`Administrator`) | platform:Windows and action:Delete and not (actor.userName:'NT AUTHORITY' or actor.userName:'admin') |
Permission or Ownership changes by non-privileged users on Linux | Permission or Ownership changes by regular users on Linux | platform:Linux and action:Security and (actor.process:`chmod` or actor.process:`chown`) and not (actor.userName:`root`) | platform:Linux and action:Security and (actor.process:'chmod' or actor.process:'chown') and not (actor.userName:'root') |
Log file deletion on Linux host | No Change | platform:Linux and file.fullPath:`/var/log` and action:Delete | platform:Linux and file.fullPath:'/var/log' and action:Delete |
Security Log deletion on Windows host | No Change | platform:Windows and file.fullPath:`C:\\Windows\\System32\\winevt\\Logs` and action:Delete | platform:Windows and file.fullPath:'C:\\Windows\\System32\\winevt\\Logs' and action:Delete |
Unauthorized modification critical authentication files on Linux | No Change | (platform:`Linux` and (file.name:`passwd` or file.name:`shadow` or file.name:`password-auth` or file.name:`system-auth` and (action:Delete or action:Security or action:Content)) and not actor.userName:`root`) | (platform:'Linux' and (file.name:'passwd' or file.name:'shadow' or file.name:'password-auth' or file.name:'system-auth' and (action:Delete or action:Security or action:Content)) and not actor.userName:'root') |
Update process on Debian-Ubuntu systems | No Change | actor.userName:`root` and (actor.process:`apt-get update` or actor.process:`apt` or actor.process:`dpkg` or actor.process:`unpack` or actor.process:`dpkg-deb` or actor.process:`update-info-dir` or actor.process:`apt-get clean`) | actor.userName:'root' and (actor.process:'apt-get update' or actor.process:'apt' or actor.process:'dpkg' or actor.process:'unpack' or actor.process:'dpkg-deb' or actor.process:'update-info-dir' or actor.process:'apt-get clean') |
System updates on Red Hat-based Linux systems | No Change | actor.userName:`root` and (actor.process:`dnf` or actor.process:`yum` or actor.process:`rpm` or actor.process:`python` or actor.process:`update-alternatives`) | actor.userName:'root' and (actor.process:'dnf' or actor.process:'yum' or actor.process:'rpm' or actor.process:'python' or actor.process:'update-alternatives') |
System updates on SUSE Linux-based systems | No Change | actor.userName:`root` and (actor.process:`zypper` or actor.process:`rpm` or actor.process:`python` or actor.process:`update-alternatives`) | actor.userName:'root' and (actor.process:'zypper' or actor.process:'rpm' or actor.process:'python' or actor.process:'update-alternatives') |
Windows updates and upgrades | No Change | (actor.process:`svchost.exe` or actor.process:`wuauclt.exe` or actor.process:`TiWorker.exe` or actor.process:`msiexec.exe` or actor.process:`WindowsUpdateBox.exe` or actor.process:`Setup.exe` or actor.process:`wusa.exe`) and (actor.userName:`NT AUTHORITY SYSTEM` or actor.userName:`Administrator`) | (actor.process:'svchost.exe' or actor.process:'wuauclt.exe' or actor.process:'TiWorker.exe' or actor.process:'msiexec.exe' or actor.process:'WindowsUpdateBox.exe' or actor.process:'Setup.exe' or actor.process:'wusa.exe') and (actor.userName:'NT AUTHORITY' or actor.userName:'admin') |
Introduced Quarterly Report Scheduling
With this release, we have introduced a new option to generate the quarterly report. You can now schedule your reports to run quarterly, providing you with greater flexibility in your reporting strategy.
You can select the Quarterly option to generate reports that run on the first day of the next quarter. Previously, users had scheduling options for daily, weekly, monthly, or yearly. The addition of the Quarterly option enhances scheduling capabilities.
Benefits
- Improved Time Management
Scheduling reports quarterly allows users to allocate time more efficiently and reduces the frequency of report generation compared to daily or weekly schedules.
- Enhanced Data Analysis
Quarterly reports can provide a clearer picture of performance trends and business cycles, facilitating better strategic decision-making based on comprehensive data analysis.
Introduced Weekly Job for Creating Incidents
With this release, we have introduced a new option to create incidents weekly. You can automate the incident creation based on a QQL rule query defined in a Correlation rule. The schedule indicates when and how often you want to run the rule. By default, the rule is set to run once. You can also schedule the frequency of running this rule. Earlier this option was limited to daily, monthly, or repeat on specific days. Now, you can schedule your rule to run weekly.
Benefits
- Increased Flexibility
The new weekly scheduling option allows users to tailor incident creation to their specific needs rather than being confined to daily or monthly schedules.
- Efficient Incident Management
Automating incident creation on a weekly basis helps organizations respond to issues in a timely manner, ensuring that critical incidents are not overlooked.
For weekly recurrence, you can customize the frequency to run once a week. This means the rule runs weekly on the designated day.
Updated Download limit of Event Count CSV Report
With this release, we have enhanced the Event Count CSV report functionality. The upper limit for exporting records has been increased to 500k. You can now export up to 500k records in a single CSV report.
Update in Data Retention Policy
To comply with data retention policies and regulations, we have restricted access to events to the last 15 months. You have access to events up to 15 months old. With the upcoming release, retrieval of data older than 15 months will no longer be possible.
For example, even if you use the DateTime picker for the last three years to get the events, the Events list includes data only from the last 15 months.
New Token for Events Tab
Token | Description | Example |
---|---|---|
actor.user.impersonated | Use the token value as true to filter events generated by impersonated users. | |
API Enhancements
With this release, we have updated the Data Retention Policy and extended our support for the OAuth 2.0 and OpenID Connect authentication standards. For more information, refer to API Release Notes.
Issues Addressed
Category/Component | Issue |
---|---|
Incidents | We fixed issues by making relevant code changes: |
Reports | We fixed an issue where the statistics in the Windows Weekly Report did not match those of the PCI DSS weekly report, despite both being generated using the same monitoring profile and report template settings, and the user did not find any options available for modification. |
Enhanced User Interface (UI 4.0) of the Qualys Cloud Platform
Introducing the new and improved UI with the following key upgrades:
- Enhanced Navigation for a Streamlined User Experience
- Refreshed Dashboard
- Standardized UI Elements for Seamless Navigation
- Reorganized the Communication Tab for Easier Information Management
Enhanced Navigation for a Streamlined User Experience
The redesigned menu structure and streamlined layouts make it easier to access critical features. You can now navigate the platform more intuitively, reducing the time spent on routine tasks. The new layout reduces cognitive load, providing a more apparent distinction between primary, secondary, and tertiary navigation elements, ensuring a seamless workflow for new and experienced users.
Primary and Secondary Navigation Elements
Navigation Elements | Updates |
---|---|
Primary | We have added a vertical navigation bar on the left side of your screen for quick module access. This keeps your workspace organized and everything just a click away. You can hover over this bar to view or hide icon labels as needed. |
Secondary | The secondary navigation bar has been redesigned for a more intuitive user experience. Sub-menu options are displayed in a horizontal bar at the top, allowing easy access to features. Active tabs are highlighted in bold, making your current selection clear. |
Refreshed Dashboard
We have improved our dashboards for better accessibility, color scheme, typography, and data interpretation.
These updates ensure easy information consumption for all users.
Standardized UI Elements for Seamless Navigation
We have applied a consistent look and feel across all modules, promoting better usability and reducing the learning curve. These updates ensure that transitioning between modules is seamless and intuitive.
For example, here’s our redesigned Select Tags window with improved UI components.
Reorganized the Communication Tab for Easier Information Management
The Communication tab has been reorganized for better usability, with clear sections to help you quickly find important information.
Section | Updates |
---|---|
Notifications | This section focuses on items requiring immediate attention and follow-up. |
Messages | This section delivers general updates and information from the platform. |
Enhanced UI Rollout Starting January 2025
The enhanced user interface is rolling out in phases starting January 2025. To guide you through the transition, you will receive in-platform notifications and email updates. Compatibility is seamless, with no additional setup required.
Learn More
Explore the full details of these updates! Check out our blog for insights.
For more information on the rollout phase, refer to the Frequently Asked Questions.
Platform Name Change Update
We are renaming the Qualys Cloud Platform to the Qualys Enterprise TruRisk Platform. This change highlights Qualys' commitment to empowering CISOs, cybersecurity professionals, and risk stakeholders to effectively measure and mitigate the impact of cyber risk on their organizations.
The Qualys Enterprise TruRisk Platform is the only cybersecurity and risk management solution that enables you to measure, communicate, and eliminate cyber risk across the extended enterprise with precise remediation and mitigation actions.
This update does not affect the platform’s functionality or features. The name change will be implemented across all product interfaces in phases, starting January 2025.
For more information, check out this blog.