File Integrity Monitoring Release 4.6

May 05, 2025 (Updated on May 27, 2025)

Retrieve Network Assets using Tags

You can now retrieve your network assets using tags into your FIM asset inventory. Previously, retrieving assets required manually entering a QQL query. This improvement simplifies your workflow by eliminating the need to define a query for asset retrieval.

As part of this improvement, the Scan Based Assets tab is now renamed to Network Devices to better reflect its purpose.

To retrieve network assets, navigate to the Assets > Network Devices tab and click Add Assets to select your desired tags. You can add all tags that are in your scope.

For more information on network assets, refer to FIM Online Help.

New Cards to Easily Visualize FIM Non-compliant Assets

We have now introduced two summary count cards under the Assets > Real Time Assets tab. These cards give you a quick insight into assets that are non-compliant without manually filtering or searching through the list.

Non-compliant assets refer to those assets that are non-communicating and have a bad agent health status.

You can click each card to view a detailed list of the affected assets.

Non-Communicating: Displays the number of assets that have not communicated with the Qualys Enterprise TruRisk™ Platform in the last seven days.
Bad Agent Health Status: Displays the number of assets that are FIM activated but currently not functioning as expected.

real-time assets page with summary count cards.

Enhanced FIM Profile and Queries Library

We have updated the FIM Profiles and Queries in the library to include the following enhancements:

Improved Profile NamingImproved Profile Naming

The following profile names in the library are now renamed to help you identify the associated compliance:

Older Profile Name	New Profile Name
Lightweight Monitoring Profile for Linux	Linux Monitoring Profile for HIPAA
Lightweight Monitoring Profile for Windows	Windows Monitoring Profile for HIPAA
Windows Monitoring Profile for PCI DSS	Windows Monitoring Profile for PCI DSS 4.0
AIX Monitoring Profile for PCI DSS	AIX Monitoring Profile for PCI DSS 4.0

Improved Rule NamingImproved Rule Naming

Imported profiles now include an appropriate name for the associated rules to better reflect their intended purpose.

This applies to the new imported profiles only.

See the following image, which shows the rule names.

New Rules added to OOTB Monitoring ProfilesNew Rules added to OOTB Monitoring Profiles

We have added new rules to the below monitoring profiles, which help FIM detect any modifications to time synchronization files, such as NTP and Chrony, and ensure compliance with the PCI DSS 4.0 requirement 10.6.3:

Linux Monitoring Profile for PCI DSS 4.0
AIX Monitoring Profile for PCI DSS 4.0

See the following table for more details on new rules:

Profile	Rule (File Path)	Rule Description
Linux Monitoring Profile for PCI DSS 4.0	/etc/ntp.conf	This is the primary configuration file for the NTP service. Any change to this file may indicate a modification to the time synchronization settings.
	/etc/chrony/chrony.conf	This is the configuration file for Chrony, which is used for time synchronization.
	/etc/adjtime	This file stores the system's time drift and is used by NTP/Chrony to keep the system clock in sync.
	/etc/localtime	This symlink points to the system's time zone file. Any change here may affect the system's time settings.
AIX Monitoring Profile for PCI DSS 4.0	/etc/ntp.conf	This is the primary configuration file for the NTP service. Any change to this file may indicate a modification to the time synchronization settings.
AIX Monitoring Profile for PCI DSS 4.0	/etc/localtime	This symlink points to the system's time zone file. Any change here may affect the system's time settings.

Queries RevampedQueries Revamped

The queries are updated with new names, descriptions, and QQL to better meet your organization's needs for compliance and monitoring. You can view the new queries under Configuration > Library > Queries.

Support for Auth ID Client Management from UI

We have extended our support for OpenID Connect Authentication Client Management capabilities from UI. This update allows for secure authentication and authorization of API access directly from the user interface. Our API interactions are now authenticated with enhanced security measures.

ID tokens are generated and validated with utmost security. This seamless integration requires minimal changes to the existing infrastructure, allowing to maintain the highest level of security for APIs.

Access Control

Manager users can create two types of clients based on access requirements:

User Level Clients: These are associated directly to individual user accounts, making them ideal for scenarios where user-specific access tracking and control are required. The token generated by user level client becomes invalid if the user is deactivated.
Subscription Level Clients: These are independent of user identities and offer broader access within the subscription. The token generated by a subscription level client continues to function even if the user is deactivated.
Currently, the tokens generated through subscription level clients are not supported by FIM APIs.

Non-manager users can create only User Level Clients, ensuring limited access control.

With the Auth ID Client Management from UI, you can:

Manage authentication and authorization processes more intuitively, providing a smoother user experience.
Easily handle API access permissions directly from the UI, simplifying the process of granting and revoking access when needed.
Maintain your existing workflows with minimal changes, enabling you to continue your tasks without the need to learn new processes extensively.

To access the client management tab, navigate to your profile icon, located at the top-right corner, and click View Profile > Auth Id Client Management tab.

For client creation, select either User Level or Subscription Level from the available options, and then click New Client.

Only users with manager privileges can view and access the Subscription Level tab.

While creating a client, you can select all modules at once or individual modules as required. You can also set various permissions including global permissions, dashboard permissions, tagging permissions, as well as API access. Depending upon these permissions a user can access the modules and its features that are assigned to the client.

Based on the permissions you select:

If the API Access permission is not enabled under Global Permissions > Access, the API returns a response with this message:
User does not have permission to access API module
If the FIM Access permission under File Integrity Monitoring > FIM Permissions is not enabled, the API returns a response with this message:
User does not have permission to access FIM module

Once you click Create, a Client ID and Client Secret Key are automatically generated. The Client Secret Key is displayed only once. Make sure to copy and store it securely. This key is essential for generating JWT access tokens and cannot be retrieved later. For more information, refer to JWT Token Generation.

Issues Addressed

The following reported and notable issues are fixed in this release.

Category/Component	Issue
FIM Reporting	We fixed an issue where the event details associated with assets were not displayed in the downloaded report for a unit manager. Now, the report includes all relevant event details.
Correlation Rule	We fixed the issue where selecting a Rule Query from Saved Searches caused an error during Correlation rule creation. Now, the error is no longer displayed.
FIM Reporting	We fixed an issue where downloading a CSV report from the Assets > Real Time Assets tab using QQL filters resulted in a blank file. The report now correctly includes the expected data based on the applied filters.
FIM Incident	We fixed the issue where incidents created through correlation rules did not capture all events linked to a specific profile. Now, all relevant events are correctly captured.
FIM Reporting	We fixed an issue where downloading a report with a large number of events showed a Gateway Time-out error. Now, the report downloads successfully, even when it contains many events.

Category/Component

Issue

FIM Reporting

We fixed an issue where the event details associated with assets were not displayed in the downloaded report for a unit manager. Now, the report includes all relevant event details.

Correlation Rule

We fixed the issue where selecting a Rule Query from Saved Searches caused an error during Correlation rule creation. Now, the error is no longer displayed.

FIM Reporting

We fixed an issue where downloading a CSV report from the Assets > Real Time Assets tab using QQL filters resulted in a blank file. The report now correctly includes the expected data based on the applied filters.

FIM Incident

We fixed the issue where incidents created through correlation rules did not capture all events linked to a specific profile. Now, all relevant events are correctly captured.

FIM Reporting

We fixed an issue where downloading a report with a large number of events showed a Gateway Time-out error. Now, the report downloads successfully, even when it contains many events.