TotalCloud Release 2.20
December 03, 2025
TotalCloud 2.20 brings updates to search tokens for insights, inventory, investigate, controls, and others.
Implementation of QQL Token Standardization
We have now implemented Qualys Query Language (QQL) token standardization across all Qualys applications. As part of this enhancement, both common and TotalCloud-specific tokens are updated with new token names that follow a standard, consistent nomenclature.
The new token format follows the syntax provider.entity.attribute. For example, in the new token aws.account.status, AWS is the provider, account is the entity, and status is the attribute.
Key Enhancements:
- Standardized Token Naming: Tokens across Insights, Inventory, Investigate, and Controls now adhere to a standardized naming convention. The tokens common to all Qualys applications have also been updated.
- Search Bar Updates: Only the new tokens are displayed in the auto-suggestion in the search bars within the UI. However, if you type the old token name manually, the QQL query still works. The old tokens will not be visible in the auto-suggestions on the UI.
- Backward Compatibility: The existing Dashboard widgets and Saved Search Queries will continue to support the old tokens in edit mode.
- Improved Interoperability: The standardized tokens make it easier to copy and reuse the search query from one application to another, eliminating the need to remember multiple token names for different applications and similar searches.
For the complete list of old and new token mappings, see TotalCloud online help.
Enhanced IP Address Classification for EC2 Instance Resources
In the previous release, we added support for AWS resource scanning and asset discovery with IPv6 addresses. With this release, we are enhancing the IP address classification and activation logic within the cloud asset discovery and ingestion flow. These enhancements ensure more accurate identification and representation of public and private IP addresses, especially for IPv6.
Key Features:
- The asset discovery mechanism now captures both IPv4 and IPv6 data.
- It now includes public and private IPs for both protocols.
- All network interfaces of cloud instances are scanned during asset discovery.
You can view detailed IP information (public/private, IPv4/IPv6) for each instance directly within the network section of the asset inventory details.

Event-Driven Connector Processing (Beta)
With this release, we have introduced event-driven connector processing (Beta). Connectors continue to run on their normal schedule, but instead of doing full scans, they now limit AWS API calls to only those resource types with detected changes. This reduces unnecessary full scans and improves performance.
Key Features
- When a change is detected for a resource type, the next connector run only fetches inventory for that specific resource type in the affected region (for example, an S3 change in us-east triggers a full S3 inventory fetch in us-east).
- A full inventory sweep runs every 48 hours regardless of event mode.
- Exceptions (resource-level, connector-level, tag-based) are evaluated in real time for EventBridge-enabled users.
- Deleted Resource Visibility:
  - EventBridge-enabled users can use the token deletedFromCloud:true/false to view the deleted resources on the Inventory and Posture pages. This token does not appear in auto-suggestions and must be entered manually.
  - The deletedFromCloud field is also included in the CSV Assessment report.
Implementation Mechanisms
You can enable one or both of these implementation mechanisms for any of your connectors based on your needs.
- Only the deleted resources are detected in your cloud account and displayed in the TC application.
- An automatic event run where all the detected modified resources are processed from your cloud account.
Benefits
- Reduces AWS API calls and processing overhead
- Enables near real-time exception evaluation
- Manual runs always perform a full inventory scan.
- This feature is applicable for Global accounts (not U.S./China).
Reach out to your TAM (Technical Account Manager) to activate this feature for any connector or cloud type. When requested, they will supply a CloudFormation Template (CFT). You need to deploy this CFT in your AWS account to enable event-driven processing.
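The following is an added example, not TotalCloud code, that models the run-planning and deleted-resource behaviour described above: targeted fetches per changed resource type and region, a forced full sweep after 48 hours, full scans for manual runs, and resources that are marked deletedFromCloud rather than dropped. The event shape, resource IDs and regions are constructed for the example.

```python
from datetime import datetime, timedelta

FULL_SWEEP_INTERVAL = timedelta(hours=48)  # full sweep every 48 hours (from the notes)

def plan_connector_run(events, last_full_sweep, now, manual=False):
    """Return ("full", None) or ("partial", {(resource_type, region), ...}).

    events: change events since the last run; each is a dict with the
    constructed keys 'resource_type', 'region', 'action', 'resource_id'.
    """
    if manual:  # manual runs always perform a full inventory scan
        return ("full", None)
    if last_full_sweep is None or now - last_full_sweep >= FULL_SWEEP_INTERVAL:
        return ("full", None)
    # Otherwise fetch only the changed resource types in the affected regions
    return ("partial", {(e["resource_type"], e["region"]) for e in events})

def apply_events(inventory, events):
    """Keep deleted resources visible: flag them with deletedFromCloud=True
    instead of removing them, so deletedFromCloud:true still returns them."""
    for e in events:
        rid = e["resource_id"]
        if e["action"] == "delete" and rid in inventory:
            inventory[rid]["deletedFromCloud"] = True
        elif e["action"] in ("create", "modify"):
            inventory.setdefault(rid, {})["deletedFromCloud"] = False
    return inventory

def search(inventory, deleted_from_cloud):
    """Emulate the manually entered token deletedFromCloud:true/false."""
    return sorted(rid for rid, r in inventory.items()
                  if r.get("deletedFromCloud", False) is deleted_from_cloud)
```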
IaC Security: Enhanced SARIF Output for GitHub Integration
With this release, we have improved the SARIF output for IaC scans to ensure better compatibility with GitHub Actions and other SARIF-compliant tools.
Key Features:
- Accurate Severity Levels: Findings now display the correct criticality (High, Medium, Low) instead of showing all issues as “Error.” This helps you prioritize risks more effectively.
- Standards-Compliant URIs: URIs in the SARIF file now follow SARIF v2.0 specifications by removing the leading slash (/). This change ensures proper parsing and alignment with GitHub and other SARIF-compliant tools.
These improvements provide accurate severity reporting and fully standards-compliant output, enabling smoother integration with GitHub Code Scanning Alerts and reducing workflow errors.
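As an added illustration (not the Qualys IaC scanner's code), the block below builds a minimal SARIF log from constructed IaC findings with per-severity result levels and relative URIs, and includes a checker for the two defects described above: every result stamped "error" and artifact URIs with a leading slash. The High/Medium/Low to error/warning/note mapping, the tool name, the rule IDs and the file paths are assumptions.

```python
import json

# Assumed mapping from finding criticality to SARIF result levels
SARIF_LEVEL = {"High": "error", "Medium": "warning", "Low": "note"}

def normalize_uri(path):
    """artifactLocation.uri should be relative: strip any leading slash."""
    return path.lstrip("/")

def findings_to_sarif(findings, tool_name="hypothetical-iac-scanner"):
    """Build a minimal SARIF 2.1.0 log (version string assumed) from
    constructed findings of the form
    {"rule_id", "severity", "message", "file", "line"}."""
    results = []
    for f in findings:
        results.append({
            "ruleId": f["rule_id"],
            "level": SARIF_LEVEL[f["severity"]],  # not a blanket "error"
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": normalize_uri(f["file"])},
                "region": {"startLine": f["line"]},
            }}],
        })
    return {"version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": tool_name}},
                      "results": results}]}

def to_json(sarif):
    """Serialize for upload to a code-scanning integration."""
    return json.dumps(sarif, indent=2)

def sarif_problems(sarif):
    """Flag the two defects this release fixed in a SARIF log."""
    problems = []
    results = sarif["runs"][0]["results"]
    if len(results) > 1 and {r["level"] for r in results} == {"error"}:
        problems.append("all results are level 'error'")
    for r in results:
        for loc in r["locations"]:
            uri = loc["physicalLocation"]["artifactLocation"]["uri"]
            if uri.startswith("/"):
                problems.append(f"absolute uri: {uri}")
    return problems
```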
Cloud Detection and Response (CDR)
The following sections describe the enhancements made to the CDR environment in the upcoming CDR release.
These CDR enhancements will be available by the end of November.
Enhanced CSV Reports: MITRE Information Added
We have enhanced the CSV reports generated via the UI to include two MITRE-related fields: MITRE TACTICS and MITRE TECHNIQUES. The MITRE_TECHNIQUES column also contains the corresponding MITRE rule ID.
This enhancement helps align findings with the MITRE ATT&CK framework and makes it easier to understand which tactics and techniques are involved.

Control Updates
Updated Policy Versions
We have updated the following policies to their latest CIS versions.
| Policy | CIS Version |
|---|---|
| CIS Azure Foundation Benchmark | Version 4.0.0 |
| CIS GCP Foundation Benchmark | Version 4.0.0 |
| CIS OCI Foundation Benchmark | Version 3.0.0 |
Run Time and Build Time Controls Deprecated
| Platform | CID | Title |
|---|---|---|
| AWS | 180 | Ensure QLDB ledger has deletion protection enabled |
| AWS | 251 | Ensure QLDB ledger has encryption enabled using accessible Customer managed KMS key |
| AWS | 384 | Ensure QLDB ledger permissions mode is set to STANDARD |
| Azure | 50039 | Ensure Enforce SSL connection is set to ENABLED for MySQL Database Server |
| Azure | 50040 | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server |
| Azure | 50041 | Ensure server parameter log_checkpoints is set to ON for PostgreSQL Database Server |
| Azure | 50042 | Ensure server parameter log_connections is set to ON for PostgreSQL Database Server |
| Azure | 50043 | Ensure server parameter log_disconnections is set to ON for PostgreSQL Database Server |
| Azure | 50044 | Ensure server parameter log_duration is set to ON for PostgreSQL Database Server |
| Azure | 50045 | Ensure server parameter log_retention_days is greater than 3 days for PostgreSQL Database Server |
| Azure | 50074 | Ensure server parameter connection_throttling is set to ON for PostgreSQL Database Server |
| Azure | 50096 | Ensure Storage Auto-Growth is enabled on PostgreSQL server |
| Azure | 50103 | Ensure that ssl_minimal_tls_version_enforced is set to 1.2 for Azure Database for MySQL server |
| Azure | 50104 | Ensure no MySQL Server allow ingress from Internet (ANY IP) |
| Azure | 50105 | Ensure that geo_redundant_backup_enabled is set to Enabled for Azure Database for MySQL server |
| Azure | 50106 | Ensure that Public Network Access is Disabled for Azure Database for MySQL server |
| Azure | 50107 | Ensure that Azure Database for MySQL server diagnostic setting is configured properly |
| Azure | 50109 | Ensure Enforce SSL connection is set to ENABLED for Azure Database for MariaDB server |
| Azure | 50110 | Ensure that ssl_minimal_tls_version_enforced is set to 1.2 for Azure Database for MariaDB server |
| Azure | 50111 | Ensure no MariaDB Server allow ingress from Internet (ANY IP) |
| Azure | 50112 | Ensure that geo_redundant_backup_enabled is set to Enabled for Azure Database for MariaDB server |
| Azure | 50113 | Ensure that Public Network Access is Disabled for Azure Database for MariaDB server |
| Azure | 50115 | Ensure that ssl_minimal_tls_version_enforced is set to 1.2 for Azure Database for PostgreSQL server |
| Azure | 50116 | Ensure that TLS is enforced and the minimum version be set to 1.2 for Azure Database for PostgreSQL server |
| Azure | 50117 | Ensure Allow access to Azure services for PostgreSQL Database Server is disabled |
| Azure | 50118 | Ensure that 'geo_redundant_backup_enabled' is set to Enabled for Azure Database for PostgreSQL server |
| Azure | 50119 | Ensure that Public Network Access is Disabled for Azure Database for PostgreSQL server |
| Azure | 50120 | Ensure that Azure Database for PostgreSQL server diagnostic setting is configured properly |
| Azure | 50131 | Ensure that Azure Active Directory authentication is configured for MySql server |
| Azure | 50132 | Ensure that Azure Active Directory authentication is configured for PostgreSql servers |
| Azure | 50177 | Ensure that encryption with customer-managed key is enabled in PostgreSQL servers |
| Azure | 50240 | Ensure that PostgreSQL server has infrastructure encryption enabled |
| Azure | 50263 | Ensure that MySQL server has infrastructure encryption enabled |
| Azure | 50268 | Ensure that encryption with customer-managed key is enabled in MySQL Servers |
| Azure | 50349 | Ensure missing service endpoints are disabled for Azure PostgreSQL Virtual Network Rule |
| Azure | 50445 | Ensure server parameter audit_log_enabled is set to ON for MySQL Database Server |
| Azure | 50446 | Ensure server parameter audit_log_events has CONNECTION set for MySQL Database Server |
Azure Controls Policy-To-Policy Migration
| Platform | CID | Title | Old Policy | New Policy |
|---|---|---|---|---|
| Azure | 50447 | Ensure server parameter audit_log_enabled is set to ON for MySQL Flexible Database Server | CIS Microsoft Azure Foundations Benchmark | Azure Best Practices Policy |
| Azure | 50448 | Ensure server parameter audit_log_events has CONNECTION set for MySQL flexible Database Server | CIS Microsoft Azure Foundations Benchmark | Azure Best Practices Policy |
| Azure | 50466 | Ensure server parameter require_secure_transport is set to ON for PostgreSQL flexible server | CIS Microsoft Azure Foundations Benchmark | Azure Best Practices Policy |
| Azure | 50467 | Ensure server parameter log_checkpoints is set to ON for PostgreSQL flexible server | CIS Microsoft Azure Foundations Benchmark | Azure Best Practices Policy |
| Azure | 50469 | Ensure server parameter connection_throttle.enable is set to ON for PostgreSQL flexible server | CIS Microsoft Azure Foundations Benchmark | Azure Best Practices Policy |
| Azure | 50475 | Ensure server parameter logfiles.retention_days is set to ON for PostgreSQL flexible server | CIS Microsoft Azure Foundations Benchmark | Azure Best Practices Policy |
| Azure | 50476 | Ensure Allow public access from any Azure service within Azure to this server for PostgreSQL flexible server is disabled | CIS Microsoft Azure Foundations Benchmark | Azure Best Practices Policy |
| Azure | 50477 | Ensure server parameter require_secure_transport is set to ON for MySQL flexible server | CIS Microsoft Azure Foundations Benchmark | Azure Best Practices Policy |
| Azure | 50478 | Ensure that Enable Data Access Authentication Mode is Checked for Disks | CIS Microsoft Azure Foundations Benchmark | Azure Best Practices Policy |
| Azure | 50314 | Ensure Trusted Launch is enabled on Virtual Machines | CIS Microsoft Azure Foundations Benchmark | Azure Best Practices Policy |
| Azure | 50156 | Ensure that public network access is disabled in Managed Disks | CIS Microsoft Azure Foundations Benchmark | Azure Best Practices Policy |
| Azure | 50130 | Ensure that the endpoint protection for all Virtual Machines is installed | CIS Microsoft Azure Foundations Benchmark | Azure Best Practices Policy |
| Azure | 50008 | Ensure that Disk encryption should be applied on virtual machines is set to On | CIS Microsoft Azure Foundations Benchmark | Azure Best Practices Policy |
| Azure | 50077 | Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected | CIS Microsoft Azure Foundations Benchmark | Azure Best Practices Policy |
| Azure | 50225 | Ensure that Storage accounts disallow Blob public access | Azure Best Practices Policy | CIS Microsoft Azure Foundations Benchmark |
Existing Controls Removed from CIS Microsoft Azure Foundations Benchmark policy
| Platform | CID | Title | Remove from Policy |
|---|---|---|---|
| Azure | 50001 | Ensure that Data encryption is set to ON for a SQL database | CIS Microsoft Azure Foundations Benchmark |
| Azure | 50002 | Ensure no SQL Servers allow ingress from Internet (ANY IP) | CIS Microsoft Azure Foundations Benchmark |
| Azure | 50027 | Ensure SQL server Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key | CIS Microsoft Azure Foundations Benchmark |
| Azure | 50035 | Ensure that Microsoft Entra authentication is configured for SQL Servers | CIS Microsoft Azure Foundations Benchmark |
| Azure | 50099 | Ensure that Azure Cosmos DB accounts Firewalls and Networks is limited to use Selected Networks instead of All Networks | CIS Microsoft Azure Foundations Benchmark |
| Azure | 50178 | Ensure that public network access is disabled on Azure SQL databases | CIS Microsoft Azure Foundations Benchmark |
| Azure | 50237 | Ensure that Auditing Retention is greater than 90 days for Azure MSSQL Server | CIS Microsoft Azure Foundations Benchmark |
| Azure | 50335 | Ensure TLS Version is set to TLSv1.2 or latest for MySQL flexible Database Server | CIS Microsoft Azure Foundations Benchmark |
| Azure | 50343 | Ensure that Auditing is Enabled for Azure SQL Server | CIS Microsoft Azure Foundations Benchmark |
| Azure | 50440 | Ensure that private endpoints are configured for Cosmos DB | CIS Microsoft Azure Foundations Benchmark |
| Azure | 50438 | Ensure Virtual Machines are utilizing Managed Disks | CIS Microsoft Azure Foundations Benchmark |
| Azure | 50137 | Ensure that OS and Data disks are encrypted with Customer Managed Key | CIS Microsoft Azure Foundations Benchmark |
| Azure | 50032 | Ensure that Unattached disks are encrypted with Customer Managed Key (CMK) | CIS Microsoft Azure Foundations Benchmark |
| Azure | 50175 | Ensure that Storage Accounts have infrastructure encryption enabled | CIS Microsoft Azure Foundations Benchmark |
| Azure | 50188 | Ensure that Blob Storage is configured with Diagnostic Settings | CIS Microsoft Azure Foundations Benchmark |
| Azure | 50190 | Ensure that Queue Storage is configured with Diagnostic Settings | CIS Microsoft Azure Foundations Benchmark |
| Azure | 50191 | Ensure that Table Storage is configured with Diagnostic Settings | CIS Microsoft Azure Foundations Benchmark |
Control Title Changes
| Platform | CID | Old Title | New Title |
|---|---|---|---|
| GCP | 52082 | Ensure 3625 (trace flag) database flag for Cloud SQL - SQL Server instance is set to off | Ensure 3625 (trace flag) database flag for Cloud SQL - SQL Server instance is set to on |
Issues Addressed
The following issues reported by customers, as well as other notable problems, have been resolved in this release.
| Category/Component | Issue |
|---|---|
| CloudView | We have corrected the CLI for Control IDs 50489 and 50490. |
| CV - False Positive | We have updated the logic for CID 351. It now evaluates both HTTP redirection to HTTPS and checks for active SSL certificates on HTTPS listeners, eliminating redundancy with CID 186. |
| CV - False Positive | We updated the logic for CID-52177. The previous predicate checked updateTime, which only changes when an API key property is modified. For key rotation, it should check createTime instead. The control logic now uses createTime, and the evidence display has been updated accordingly. |
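The CID-52177 fix above comes down to which timestamp measures key age. The added example below (not Qualys control logic) shows why: a key created long ago but recently edited has a fresh updateTime and passes an updateTime-based check, while a createTime-based check correctly flags it. The 90-day threshold, the key record and the evidence format are assumptions.

```python
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)  # assumed rotation threshold, not stated on the page

def parse_ts(ts):
    """Parse RFC 3339 'Z' timestamps as returned in createTime/updateTime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def needs_rotation(api_key, now, field="createTime"):
    """True when the key is older than MAX_KEY_AGE measured on `field`.
    The corrected control uses createTime; the old predicate used
    updateTime, which resets whenever any key property is edited."""
    return now - parse_ts(api_key[field]) > MAX_KEY_AGE

def evidence(api_key, now):
    """Evidence line built from createTime, as the corrected display does."""
    age_days = (now - parse_ts(api_key["createTime"])).days
    return f"{api_key['name']}: createTime={api_key['createTime']} age={age_days}d"
```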