Enterprise TruRisk™ Platform Release 10.34

May 2, 2025

Introducing Qualys Policy Audit

Policy Audit is a tool that automates every stage of the audit process and enables you to be continuously audit ready. Check out our blog/video for insights into the key enhancements designed to improve your audit readiness.

Policy Audit Rollout

We are rolling out Policy Audit in phases, starting in the latter half of May 2025! For Policy Compliance users, this will be an exclusive, no-cost upgrade to Policy Audit. Once you have access to Policy Audit, you can tackle complex audits with continuous monitoring, automated remediation workflows (add-on), and risk-based insights – all in a single platform. As part of this transition, when you log into your account, you will see a prompt explaining the upgrade to Policy Audit. 

The rollout is designed to be seamless, ensuring a smooth experience for all users. To stay updated on the rollout schedule for Policy Audit, keep an eye out for in-platform notifications that will guide you through the transition.

Features

The features of Policy Audit are as follows:

  • Seamless onboarding process - Step-by-step guidance on the onboarding process to deploy, configure, and align evidence to your compliance mandates.
  • Enhanced dashboard - Explore widgets that simplify navigation and bring key insights to the forefront.
  • Audit Readiness Report - Always stay audit ready with continuous and automatic evidence collection with intelligent mapping to relevant regulatory frameworks.
  • TruRisk™ Score - Detect and analyze misconfigurations using TruRisk™ Score for better risk prioritization.
  • Audit Fix (add-on service) - Close audit gaps and remediate automated workflows using Audit Fix.
  • Compliance Framework Reports - Track mandates that matter the most and generate stakeholder-ready audit reports.
  • ServiceNow Integration - Smooth integration support for the GRC tool ServiceNow, enabling the right team to take action at the right time.

Switch to Policy Audit

You can switch to Policy Audit by selecting Switch to PA.

Similarly, to switch back to Policy Compliance, select Return to PC.

Policy Audit Documentation - Coming Soon

Online Help - Refer to the product documentation for Policy Audit to get comprehensive guidance on new features and functionalities. It will provide step-by-step instructions and resources to help you maximize the benefits of the updated features and functionalities. 

Release Notes - Policy Audit release notes will be tracked as Policy Audit 1.0.0, Policy Audit 1.1.0, Policy Audit 2.0.0, and so on.

Qualys Vulnerability Management (VM)

Updated Message to Generate TruRisk Report

With this release, we have updated the message displayed on the Reports tab to align with the one shown on the Vulnerability Management, Detection, and Response (VMDR) Dashboard. This change is made to clearly convey the importance of generating a TruRisk report, while also ensuring consistency across products. Both messages serve the same purpose — to capture user attention and prompt them to generate a TruRisk report.

Generate TruRisk message displayed on the Reports tab.

Distinction Between Unselected and Empty Fields in Cloud Perimeter Scan 

When performing a Cloud Perimeter Scan (CPS), after selecting the Cloud Information and Target Hosts, the Review tab previously displayed a hyphen ( - ) for all fields — whether they were not selected by you or had no data to display.

With this release, fields with no data (zero entries) now display 0, while unselected fields continue to show a hyphen. This enhancement helps you easily distinguish between fields that were not selected and those that simply have no data.

Empty fields displaying zero and unselected fields displaying a hyphen.

Enhancement to Purge Host Information Page 

With this release, we have made changes to the Purge Host Information page, which include removing the View button and the hyperlink for the selected hosts to be purged.

Earlier, the hosts to be purged had a View button and a hyperlink. When you clicked View or the hyperlink to purge multiple hosts, which may be IP tracked or agent tracked, it redirected to the host information page with insufficient information. With this enhancement, you can directly purge the selected hosts, which improves performance when purging the selected hosts.

To access the page, refer to the following navigation:

  1. Go to Assets > Asset Search.
  2. Select the Asset Groups/IPv4 or IPv6 Addresses/ranges/Tags > Search.
    Asset Search Report is displayed.
  3. Select the assets to be purged from the Results list.
  4. From the Action list select Purge and click Apply. Purge Host Information page is displayed.

Purge Host Information page.

Qualys Policy Compliance (PC)

Enhancement in the PostgreSQL Authentication

With this release, you can now create multiple PostgreSQL authentication records by selecting the same IP and port with different databases. Earlier, you were not able to create an authentication record with the same configuration. With this enhancement, you can now launch the scan with different databases that are using the same IP and ports, which can reduce the scan complexity and setup time. We have also updated the error message that is displayed when you select the same IP, port, and database to validate an authentication record.

PostgreSQL error message.

Support for Extended Permissions for Scanner and Reader Users

With this release, we have added support for extended permissions for the Scanner and Reader user roles (Users > Users > New/Edit > Permissions > Manage PC module) by providing four permissions. These roles now have exception management capabilities and can perform the following actions:

  • Accept/Reject exceptions
  • Create/edit compliance policies
  • Create User Defined Controls
  • Update/Delete User Defined Controls

Permissions to manage PC modules.

Earlier, all these permissions were available only for the Manager and Unit Manager user roles, while the Scanner and Reader user roles had access only to the Manage PC module option. These extended permissions increase the efficiency of Scanner and Reader users by allowing them to generate exceptions without relying on the Manager or Unit Manager. 

Support for JBoss Enterprise Application Platform (EAP) Authentication

With this release, we have added support for JBoss Enterprise Application Platform (EAP) 8.x authentication for compliance scans in the Policy Compliance (PC) and Security Configuration Assessment (SCA) applications, using the JBoss Server authentication record (PC > Scans > Authentication > New > Applications > Jboss Server). You can create or edit a JBoss EAP authentication record with your credentials to authenticate to a JBoss EAP instance running on a host through the JBoss server and perform a compliance scan.

The technology is now available for use at the following places:

Policy Editor

When you create or edit a compliance policy, JBoss EAP 8.x is now available in the list of supported technologies.

Select JBoss EAP under technologies in new policy.

Search Controls

When you search controls, you see JBoss EAP 8.x in the list of technologies. Go to Policies > Controls > Search and select JBoss EAP 8.x in the list.

Select JBoss under Control search.

Authentication Report

To display all the details, including JBoss EAP 8.x, in your authentication report, select all the checkboxes under Display and Filter > Details.

Select all checkboxes under Display & Filter.

JBoss EAP 8.x is now listed under Host Technologies in the Result section of an authentication report.

Authentication report displays the Jboss technology.

Compliance Report

The following is a sample compliance report. You can view the instances of JBoss EAP 8.0 for scanned hosts in compliance reports.

Appendix section shows JBoss in compliance report.

Policy Report

When you create a compliance policy for JBoss EAP 8.x using JBoss Server and generate a report, you can view all the details in the Detailed Results section.

JBoss Policy Report.

For more information, refer to the Authentication Technologies Matrix.

Issues Addressed

The following reported and notable customer issues are fixed in this release:

Each entry lists the component/category, the application, and a description of the issue.

  • VM - Users API (Vulnerability Management): When users deactivated sub-users using the API and then needed to delete a sub-user, the API User Guide indicated that the Delete action was supported but provided no instructions. Since the API does not support the Delete action, we have now updated the API User Guide accordingly.
  • VM - Reports General (Vulnerability Management): When users generated a CVE Host Based CSV report, the Qualys Vulnerability Score (QVS) was missing in the report for the associated QIDs without a CVE ID score. Relevant code changes have been made to fix the issue.
  • VM - Distribution Group (Vulnerability Management): When users tried to create a Distribution Group list by selecting users from the list to send the scheduled report to sub-users, the list took a long time to load and remained stuck in the same status. Relevant code changes have been made to fix the issue.
  • VM - Scan API (Vulnerability Management): When users executed the scheduled scan API /api/2.0/fo/schedule/scan/?action=list to display the list of scheduled scans, an error was encountered. Relevant code changes have been made to fix the issue.
  • VM - User Management (Vulnerability Management): Users with KnowledgeBase access and VM Manager permissions were unable to view the KnowledgeBase tab (VM > KnowledgeBase). The users encountered the error "Application You Selected Is Not Available" on the landing page. Relevant code changes have been made to fix the issue.
  • VM - Authentication Records (Vulnerability Management): When users attempted to download details for an authentication record, a confirmation prompt appeared indicating that the download had started, but the process did not complete. Relevant code changes have been made to fix the issue.
  • VM - Assets (Vulnerability Management): When users in the Address Management tab applied the Check IP Tracking, Check DNS Tracking, or Check NetBIOS Tracking filters to verify the Tracking Consistency Check, assets with incorrect tracking methods were displayed. Relevant code changes have been made to fix the issue.
  • VM - Activity logs (Vulnerability Management): When users clicked Info in the Quick Actions list and navigated to the account activity, no activities were displayed despite several API calls having been performed. Because the account activity page displays only session-specific UI and API details, no activity was shown. We have now documented this in the Online Help.
  • VM - Knowledge Base (Vulnerability Management): When users viewed KnowledgeBase information shared through the KnowledgeBase API, inconsistencies were observed: certain fields appeared as null or empty for various QIDs. Relevant code changes have been made to fix the issue.
  • PC - API (Policy Compliance): When users launched the Compliance Scan API (api/2.0/fo/scan/compliance/), they received the error "Internal Error (999)". Relevant code changes have been made to fix the issue.
  • PC - Reports (Policy Compliance): When users generated a compliance report, a particular User Defined Control (UDC) was marked as Fail even though it passed manual evaluation. Relevant code changes have been made to fix the issue.
  • Documentation (Policy Compliance): When users generated a compliance report with cardinality settings applied, certain CIDs were marked as Fail. This occurred because the cardinality configurations were not set correctly, often due to a lack of understanding of how cardinality impacts evaluation. It is important to configure cardinality appropriately to ensure accurate comparisons between actual and expected results. To help with this, we have now documented what cardinality means and its uses in the Online Help.