Policy Audit Release 1.5

October 29, 2025

Policy Audit Alerting

With this release, we have introduced Alerting, a feature that allows you to receive real time updates of the events or incidents related to your configurations.

Previously, to get updates of your configuration, you would have to login to Policy Audit (PA) and view the respective tabs. However, with the new feature, you get notified of the updates directly via an alert of your choice. This removes the need to login to always login to the application to check for updates.

To enable the Alerting feature, contact you Technical Account Manager (TAM) or Qualys Support.

The Alerting feature is available to users with Policy Audit access. Users with only Policy Compliance access must upgrade to Policy Audit to use this feature.

Pre-requisite - A Webhook URL. This URL is required when defining Actions.

Once Alerting is enabled, the Responses tab is displayed. The following tabs are displayed once the response tab is displayed.

  • Activity - This displays all the activities performed, such as activities related to rules, actions, and alerts.
  • Rule Manager -  This tab allows you to view, create, edit, and delete rules.
  • Actions - This tab allows you to view, create, edit, and delete actions.

From the Responses tab, you can perform the following steps to create alerts for your updates of events or incidents:

  1. Define actions that the rule must take in response to the alert. Configure rule actions to specify one or more actions to be performed when events matching a condition are detected. You can set alerts to be sent by Email, Microsoft Teams, PagerDuty, or Post to Slack.

      To delete a rule, you must first disable the rule and then delete it.

    Actions tab under Responses.
  2. Set up your rules in the Rule Manager tab. Specify which events you want to monitor, the criteria for triggering the rule, and the actions to be taken on those events. When a rule is triggered based on a trigger criteria, Policy Audit will send to your configured account, alerts that will have details of the events.

     If any action is associated with any rule, you are unable to delete that action until the rule is deleted.

    Rule Manager tab under Responses.
  3. Monitor all the alerts that are sent after the rules were triggered.

    Activity tab under Responses.

For more details on these steps, refer to the Configure Responses in PA section in the Online Help.

Tokens supported for the PA AlertingTokens supported for the PA Alerting

asset.createdDate
asset.hostId
asset.id
asset.name
operatingSystem.name
asset.trackingMethod
asset.truRisk
asset.uuid
asset.interface.address
asset.interface.hostName
asset.authLastComplianceSuccessDate
asset.authStatus
asset.authType
asset.tag.name
control.id
control.categoryName
control.statement
control.type
control.subCategoryName
control.criticality
posture.id
posture.controlReference
posture.evaluatedDate
posture.failFirstFoundDate
posture.failLastFoundDate
posture.hasException
posture.instance
posture.updatedDate
posture.passFirstFoundDate
posture.passLastFoundDate
posture.policy
posture.previousStatus
posture.qds
posture.status
posture.subStatus
policy.evaluatedDate
policy.name
policy.id
technology.name
technology.categoryName
technology.subcategoryName
 finding.mitre.attack.mapping
finding.mitre.attack.tactic.name
finding.mitre.attack.technique.name
finding.mitre.attack.subTechnique.name
mandate.name
mandate.requirement
exception.expirationDate
exception.isEvidenceBased
exception.number
exception.requestedDate
exception.status
sensor.lastComplianceScanDate

Automated Policy Creation using Compliance Framework

With this release, we have introduced automation for creating policies using Compliance Framework-mapped controls. This enhancement enables you to efficiently generate policies aligned with Compliance Standards, ensuring accurate evaluation of their compliance posture across various frameworks such as CIS, DISA, and many more.

Previously, creating policies involved repetitive manual tasks that required significant time and effort for each Compliance Framework. With the new automation process, these repetitive steps are now streamlined, thereby allowing you to generate policies with minimal manual intervention and quick turnaround time.

To create a new policy from Framework, navigate to Policies > New > Create from Framework.

The Create New: Policy from Framework page is displayed.

Complete the given steps - Basic Information > Technology > Asset Details > Control Configuration > Review and Confirm and select Create Policy.

The new policy framework is created. The new policy framework is displayed in the Policies tab.


- For more details on the steps to create a new policy framework, refer to the Framework Policy section.
- When creating a new policy using a framework, you can currently select one framework at a time.

New Columns Added to Posture Reports in CSV Format

With this release, we have added a new columns to the different Posture reports when downloaded in CSV format. These enhancements provide deeper insights into attacker behavior, compliance posture, and asset level risk. The details are as follows:

  • In the Posture control report, we have added the columns mitreAttackTacticName, mitreAttackTechniqueName, and mitreAttackSubTechniqueName. These columns help you in understanding the high-level goal or intent of the vulnerability, the action or method that caused the vulnerability, and a more detailed breakdown and details of the vulnerability.

  • In the Posture Control report we have also added the column QDS - Qualys Detection Score. QDS is a critical metric used to assess the compliance posture of an organization. QDS ranges from 1 to 100. It is derived from the factors, Criticality, Policies, MITRE Mapping, and Best Practice Controls for Malware and Ransomware Prevention.
  • In the Posture Assets control report, we have added TruRisk Score column. The TruRisk score is the overall risk score assigned to the asset based on the contributing factors, Asset Criticality Score (ACS), Qualys Detection Score (QDS) scores for each control level, and Auto-assigned weighting factor (w) for each criticality level of controls. 

To enable these columns for a user, contact Qualys support or your Technical Account Manager (TAM).

Support for New Authentication Technologies 

With this release, we have added support for the following new technologies:

FreeBSD 13.x

With this release, FreeBSD 13.x technology is supported for Policy Audit authenticated scans using scanners and agents. This technology is now available for use at the following places, at both the scanner and the agent:

  • Policy Editor
    When you create or edit a policy compliance, FreeBSD is now available in the list of supported technologies.

  • Search Controls
    When you search controls, you see FreeBSD  in the list of technologies. Go to Policies > Controls > Search and under Technologies, select FreeBSD in the list.

  • Authentication Report
    To display all OS authentication-based instance technologies per host, including FreeBSD, in your authentication report 


     
  • Scan Results
    FreeBSD is now listed under Application technologies found based on OS-level authentication in the Appendix section of a compliance scan result.

  • Middleware Asset
    If you are using Cloud Agent for Policy Audit (PA), the Cloud Agent auto-discovers FreeBSD. When an agent scan detects FreeBSD on a host, it is displayed on the Assets > Middleware Assets.

  • Sample Report

    The sample report displays the tracking method and the instances for the scanner and the agent.

    • Scanner
      In Compliance Reports, you can view the instances of FreeBSD for scanned hosts. The sample report displays the scanner's tracking method as IP with an instance of FreeBSD.

    • Agent
      In Compliance Reports, you can view the instances of FreeBSD for scanned hosts. The sample report displays the tracking method for the agent as AGENT with an instance of FreeBSD.

MacOS 26 (Tahoe OS)

With this release, MacOS 26 (Tahoe OS) technology is supported for Policy Audit authenticated scans using scanners and agents. This technology is now available for use at the following places, at both scanner and agent:

  • Policy Editor
    When you create or edit a policy compliance, MacOS 26 is now available in the list of supported technologies.

  • Search Controls
    When you search controls, you see MacOS 26 in the list of technologies. Go to Policies > Controls > Search and select MacOS 26 in the list.

  • Authentication Report
    To display all OS authentication-based instance technologies per host, including MacOS 26, in your authentication report.

  • Scan Results
    MacOS 26 is now available but is displayed as Unix OS under Application technologies found based on OS-level authentication in the Appendix section of a compliance scan result.

  • Sample Report

    • Scanner
      In Compliance Reports, you can view the instances of MacOS 26 for scanned hosts. The sample report displays the scanners tracking method as IP with an instance of MacOS 26.

    • Agent
      In Compliance Reports, you can view the instances of MacOS 26 for scanned hosts. The sample report displays the tracking method for the agent as AGENT with an instance of MacOS 26.

Microsoft Edge Chromium

With this release, Microsoft Edge Chromium technology is supported for Policy Audit authenticated scans using scanners and agents. This technology is now available for use at the following places, at both the scanner and the agent:

  • Policy Editor
    When you create or edit a policy compliance, Microsoft Edge Chromium is now available in the list of supported technologies.

  • Search Controls
    When you search controls, you see Microsoft Edge Chromium in the list of technologies. Go to Policies > Controls > Search and select Microsoft Edge Chromium in the list.

  • Authentication Report
    To display all OS authentication-based instance technologies per host, including Microsoft Edge Chromium.

  • Scan Results
    Microsoft Edge Chromium is now listed under Application technologies found based on OS-level authentication in the Appendix section of a compliance scan result.

  • Sample Report

    The sample report displays the tracking method and the instances for scanner. In Compliance Reports, you can view the instances of Microsoft Edge Chromium for scanned hosts. The sample report displays the scanner's tracking method as IP with an instance of Microsoft Edge Chromium.

Issues Addressed

The following reported and notable customer issues are fixed in this release:

Component/Category Application
 		 Description
PA / PC - PCRS Reports Policy Audit / Policy Compliance When the users scheduled reports, it was observed that the reports did not start at their scheduled time even though the scheduled task history indicated that they had run as expected. Relevant code changes have been made to fix the issue.
PA / PC - Authentication Records Policy Audit / Policy Compliance When users created a PostgreSQL authentication record using the API and UI for the first time, it was created successfully. However, when creating a similar authentication record with the same details such as a same IP, the record could not be generated, and no validation message was displayed to indicate the reason. Relevant code changes have been made to fix the issue.
PA / PC - Scan Processing Policy Audit / Policy Compliance When users downloaded the Authentication records listed on the Authentication tab, it was observed that the number of records in the downloaded report was less compared to the list displayed in the Authentication tab. Relevant code changes have been made to fix the issue.
PA / PC Policy Audit / Policy Compliance When users launched a scan using the CIS policy, they encountered an error indicating that some controls were deprecated. Relevant code changes have been made to fix the issue. After the fix, the deprecated controls no longer trigger errors during scan execution.
PA / PC - New UI Policy Audit / Policy Compliance When the users ran a query using posture control.id with specific controls and added posture.status as Fail, the Assets view displayed an incorrect count. However, when the results were grouped by policy, the count appeared correctly. Relevant code changes have been made to fix the issue.