What's new or changed

Edit online

See what new features and improvements are available in IBM® Security QRadar® EDR.

January 2026

New in 3.12.23

Fixed application initialization bug that prevented IBM Security QRadar EDR from starting.

For more information, see KT DT459396.

December 2025

New in 3.12.22

This update temporarily reverts the Windows agent from 3.12.8 to 3.12.7 to avoid accidental updates or rollouts which might occasionally cause a BSOD.

For more information, see Known issue and QRadar EDR: Blue screen of death (BSOD).

November 2025

New in 3.12.21
Updated IBM Security QRadar EDR
  • Support for Red Hat® OpenShift® 4.20. Red Hat OpenShift 4.16 is no longer supported.
  • Ghost alerts indication.
  • New policy edit restrictions based on user role.
  • Changes that affect sending scheduled reports by email.
  • Fixed various security vulnerabilities.
Updated Linux® QRadar EDR Agent 1.0.0
  • Introduced signing of agent packages.
  • Fixed a case of incorrect parent process detail in events.
Added new DeStra (Detection as Code) policies
The following detections are available for the Windows QRadar EDR Agent:
  • Indirect Command Execution.
  • Command Obfuscation.
  • File Deobfuscation via Certutil.
  • Tamper Attempts.
The following detections are available for the Linux QRadar EDR Agent:
  • Account Creation.
  • Process Discovery.
  • Remote System Discovery
  • Sudo Activity.
  • System Network Connections Discovery.
Updated DeStra (Detection as Code) policies
The following detections are updated for the Windows QRadar EDR Agent to improve their coverage and reduce false positives:
  • Credentials Harvested.
  • Event Triggered Execution Configured.
  • In Memory only executable detected.
  • Subvert Trust Controls.
Removed DeStra (Detection as Code) policies

Removed two default DeStra policies, replaced by newly added policies to cover similar use cases with an improved detection logic. The following detections are removed:

  • Indirect Command Execution (replaced by new rule with the same name) .
  • Suspicious file deobfuscation.

November 2025

New in 3.12.20
Middleware updates
This release includes updates to the middleware integration to maintain support for OpenSearch V2.x.

October 2025

New in 3.12.19
Updated IBM Security QRadar EDR
  • Corrected an issue where an error occurs when creating policy from behavioral anomaly incident, see DT434407.
  • Corrected an issue where behavioral anomaly alerts are not triggering on GUI, see DT449993.
  • Corrected an issue where MSSP license expiration notification are not sent.
  • Corrected several minor issues related to Policy and DeStra editing.
  • Fixed various security vulnerabilities.
Updated Windows QRadar EDR Agent 3.12.7
  • Added new functionalities to the Destra engine to calculate the SHA256 checksum of a file and adjust the agent configuration.
  • Improved event handoff to the backend for better management of event spikes and caching.
  • Fixed a condition in which the MSI overwrites vcruntime140.dll with an older version during installation, see DT390910.
Updated Linux QRadar EDR Agent 0.92.0
  • Updated libraries to fix vulnerabilities.
  • Increased scope of Executable Dropped event analysis.
  • Fixed issues related to wrong local IP address reported by agent on hosts with multiple interfaces, see DT419804.
Added new DeStra (Detection as Code) policies
The following detections are available for the Windows QRadar EDR Agent:
  • Bring Your Own Vulnerable Driver.
  • Suspicious Executable Dropped by PowerShell.
  • Windows Credential Manager Dump.
The following detections are available for the Linux QRadar EDR Agent:
  • Fileless Malware Execution.
  • System Service Discovery.
Updated DeStra (Detection as Code) policies
The following detections are updated for the QRadar EDR Agent to improve their coverage and reduce false positives:
  • Indicator removal.
  • Ingress Tool Transfer.
  • Proxy Tools.

June 2025

New in 3.12.18
Updated IBM Security QRadar EDR
  • Cassandra backups are now stored directly in the backup PVC, eliminating the need for separate Cassandra backup PVCs.
  • Added ability to vertically scale Cassandra pods to right-size them to the designated workload.
  • Support DeStra validation and editing DeStras.
  • Renamed the Has Alert header in the threat hunt results table to Triggered Alert.
  • Improved form validation in the UI.
  • External API: corrected an issue where it should not be possible to add multiple clients associated with one endpoint in an MSSP environment.
  • Corrected an issue where deleting a MSSP client was affecting the visibility of associated agent distributions.
  • Corrected an issue where the App install time on the Endpoint Activities page was incorrect under certain conditions.
  • Corrected an issue where the App install date and time was invalid in the Endpoint Export CSV.
  • Corrected an issue where searching by username in the Audit Log page was not working correctly under some conditions.
  • Fixed various security vulnerabilities.

May 2025

New in 3.12.17
Updated IBM Security QRadar EDR
  • Support for OpenShift 4.18.
  • Improved OpenSearch configuration in OpenShift: increased the readiness probe duration and optimized requests and limits settings.
  • Upgraded libraries and fixed security issues.
  • Fixed an issue which caused a UI error when trying to create an alert form a behavioral-anomaly event. For more information, see DT434407.
  • Fixed various security vulnerabilities.
Updated Windows QRadar EDR Agent 3.12.6
  • Improved network security for connections between QRadar EDR Agent and EDR Hive. For more information, refer to tech notes 7214611 and 7214666.
  • Fixed a parsing error in a library causing the keeper service to crash, see DT426430.
  • Fixed a condition in a library causing the keeper service not to stop active ETW traces.
  • Fixed networking issues with QRadar EDR deployments using internally signed SSL certificates.
Updated Linux QRadar EDR Agent 0.91.0
  • Improved network security for connections between QRadar EDR Agent and EDR Hive. For more information, refer to tech notes 7214611 and 7214666.
  • Updated libraries to fix vulnerabilities.
Updated macOS QRadar EDR Agent 1.2.0
  • Improved network security for connections between QRadar EDR Agent and EDR Hive. For more information, refer to tech notes 7214611 and 7214666.
  • Improved events accuracy when using xpcproxy.
  • Improved checksum computation efficiency.
  • Improved event handling and hand-off to EDR Hive.
  • Fixed incompatibility of Apple Silicon Endpoints with older versions of EDR Hive.
  • Fixed issued on registration failure.

March 2025

New in 3.12.16
Updated IBM Security QRadar EDR

Fixed various security vulnerabilities.

Updated DeStra (Detection as Code) policies

Added two allowlist policies to mitigate false positives from forged digital signature events in the temporary directory and process impersonation events on Microsoft Teams, Mozilla Firefox, and Microsoft Edge. For more information, see DT423472.

Updated Windows QRadar EDR Agent 3.12.4
  • Fixed an issue where the keeper service fails due to a corrupted heap. For more information, see DT270530.
  • Fixed an issue where the keeper service fails to differentiate separate processes that share the same process ID (PID). For more information, see DT270524.
  • Fixed an issue where the uninstaller fails to remove all the agent components from the endpoint after the uninstallation process. For more information, see DT214084.
Windows Anti-Malware 1.5.12
Fixed an issue where the anti-malware service is stuck in a stop pending state during updates.
Updated Linux QRadar EDR Agent 0.90.0
  • Updated the libraries and driver to fix vulnerabilities and extend the Linux distribution support.
  • Improved event handoff to the backend for better management of event spikes and caching.
  • Enhanced process details that are reported in events.
  • Fixed an issue where the Linux agent fails to start on the Debian 10, RHEL 8, and Oracle Linux 8 endpoints due to a driver loading failure. For more information, see DT416692.
  • Fixed an issue where the Linux agent fails when invalid UTF-8 characters are observed in the process command line or file names. For more information, see DT418556
IBM Security QRadar EDR is now available with QRadar Suite Software version 1.11.
In version 1.11, QRadar Suite Software delivers essential updates to middleware, as well as performance enhancements, capability updates and enhancements, and security updates. For more information, see IBM Cloud Pak for Security 1.11.
Updated IBM Security QRadar EDR
  • Fixed a bug where the Latest Agent details of Linux agents is incorrect on the Endpoints page.
  • Fixed a bug in the Endpoint Details page to correctly display endpoints with long MAC addresses.
  • External API: Fixed a bug where pagination does not work correctly when the API applications are listed.
  • Updated MITRE ATT&CK definitions to version 16.1.

January 2025

New in 3.12.15
Updated Windows QRadar EDR Agent 3.12.2
Windows-only
  • Updated external libraries to fix multiple security vulnerabilities.
  • Updated the certificate that is used to sign the application.
  • Fixed a bug where the Keeper service in Stop Pending status causes a continuous memory increase. For more information, see DT400969.
  • Fixed a bug where allowlist policies do not trigger as expected.
Important: If you are running agents with versions older than Windows agent 3.12.0, upgrade to Windows agent 3.12.0 before you upgrade to Windows agent 3.12.2 or later to avoid failures in subsequent Windows agent updates. For more information, see technote 7180461.
Updated IBM Security QRadar EDR
  • Fixed various security vulnerabilities.
  • Fixed a bug where behavioral trees do not build correctly.
  • Fixed a bug where an update license request was incorrectly applied to groups in MSSP environments.
  • Fixed a bug where enabling a global policy on a group does not result in an error.
  • Fixed a bug that prevents backup and restore from starting.
  • Added support for 20k endpoints.

December 2024

New in 3.12.14
Updated IBM Security QRadar EDR
  • Fixed various security vulnerabilities.
  • Fixed a bug where editing a disabled or partially enabled policy incorrectly enables the policy for all groups.
  • Fixed a bug where an API request to enable or disable a policy modifies the policy details.
  • Fixed a bug where Graphy miscalculates the last seen alert.
Updated Linux QRadar EDR Agent
Linux-only
Linux agent 0.82.0
  • Added support for user account deletion events, including in DeStra policies.
  • Enhanced username information that is reported in authentication events.
  • Fixed an issue where the Linux agent failed to start or send events when SELinux is enabled. For more information, see DT398501.
  • Fixed minor issues with the agent execution, termination, and uninstallation.

November 2024

New in 3.12.13
Updated Windows QRadar EDR Agent
Windows-only
Windows agent 3.12.0
  • Added support for NanoOS for Windows 10 and Windows 11 kernels. For more information, see technote 7173575.
  • Added tamper protection for the QRadar EDR Agent file system.
  • Added support for new IBM certificates that are used to sign the application.
  • Fixed an issue in which the service is stuck in a Stop pending state.
  • Fixed an issue in which the QRadar EDR Agent database grows in size continuously. For more information, see DT364171.
  • Fixed an issue in which the QRadar EDR Agent causes a stop error. For more information, see DT390698.
Windows Anti-Malware 1.5.11
  • Fixed an issue in which the service is stuck in a Stop pending state.
  • Updated the certificate that is used to sign the application.
Updated IBM Security QRadar EDR
  • Added support for MITRE ATT&CK framework version 15.1.
  • Fixed various security vulnerabilities.

October 2024

New in 3.12.12
Updated IBM Security QRadar EDR
  • Added support for administrators with restricted access to view their clients' logs on the Audit page.
    Important: Administrators with restricted access cannot view audit logs with actions that are made by an administrator with unrestricted access or access to more than one client.
  • Fixed various security vulnerabilities.

August 2024

New in 3.12.11
Updated DeStra (Detection as Code) policies

Updated thirteen DeStra (Detection as Code) policies to provide MITRE ATT&CK ID information.

The following detections are updated for the Windows QRadar EDR Agent:
  • Mimikatz Behaviour
  • Nvidia Leaked Certificates
  • Proxy Tools
  • Remote Access Tools
  • Windows Code Signing Policy Modification
The following detections are updated for the Linux QRadar EDR Agent:
  • Pass the Hash
  • RC Scripts Modification
  • Indicator Removal
  • Impair Defenses
The following detections are updated for the macOS QRadar EDR Agent:
  • Hidden Account Creation
  • Login Item Persistence
  • Kerberos Cached Credentials Dumping
  • Credentials from Keychain
Updated IBM Security QRadar EDR
  • Fixed various security vulnerabilities.
New in 3.12.10
Updated macOS QRadar EDR Agent
Mac-only
macOS agent 1.1.0
  • Added a pre-execution block for hash-based blocklisted policies. The blocklisted process is now blocked at the kernel level before it starts running.
  • Added support for using YARA rules in DeStra policies.
  • Added support for new events: File Created, File Read, File Written, File Renamed, and File Deleted.
  • Added support for sub-technique ID in the MITRE ATT&CK framework events.
  • Fixed a bug where the file name field is not populated for some events when event data is created.
  • Renamed the agent to IBM Security QRadar EDR from IBM Security ReaQta. For more information, see DT7230306.
Important: If you are running agents with versions that are older than macOS agent 1.0.1, upgrade to macOS agent 1.0.1 before you upgrade to macOS agent 1.1.0 to avoid failures in subsequent macOS agent updates.
Updated Windows QRadar EDR Agent
Windows-only
Windows agent 3.11.6
  • Added new events to the DeStra engine: File Created, File Read, File Written, File Renamed, Registry Value Set, Registry Entry Deleted, and Kerberos Pre-Auth Failed.
  • Added support for sub-technique ID in the MITRE ATT&CK framework events.
  • Added Windows 11 version reports in endpoint details.
  • Migrated some MITRE ATT&CK event generation rules from the agent to the new DeStra policies.
  • Fixed potential security vulnerabilities.
  • Fixed a bug in endpoint isolation on IPv6 targets. For more information, see DT381580.
Important: To continue MITRE ATT&CK coverage, enable the new DeStra policies in your environment. To enable the DeStra policies, go to the Destra page and activate them globally or per endpoint group.
Updated Linux QRadar EDR Agent
Linux-only
Linux agent 0.81.0
  • Added support for Executable Dropped events.
  • Added support for sub-technique ID in the MITRE ATT&CK framework events.
  • Added support for using YARA rules in DeStra policies.
  • Simplified the installation for endpoints by using the kernel module. You do not need to set the KMOD_IGNORE_TAINT configuration option anymore.
  • Enhanced driver preparation and loading.
  • Enhanced event reports for user authentication and user detail resolution.
Added new DeStra (Detection as Code) policies

Added twenty-three new DeStra (Detection as Code) policies to provide new detection capabilities by creating specific MITRE ATT&CK events and by triggering alerts.

The following detections are available for the Windows QRadar EDR Agent:
  • Process Discovery
  • Account Discovery
  • Credential Harvested
  • Remote System
  • Discovery System
  • Script Proxy Execution Event Triggered Execution Configured Subvert Trust Controls Autostart Execution Configured Time Discovery XSL Scripting
The following detections are available for the Linux QRadar EDR Agent:
  • Network Share Discovery
  • Application Window Discovery
  • Network Sniffing Tools
  • File and Directory Permissions Modification
  • System Time Discovery
  • Proxy Tools
  • Software Discovery
The following detections are available for the macOS QRadar EDR Agent:
  • Clipboard Data Collection
  • Credentials in Files
  • Credential Prompt via Osascript
  • System Network Connections Discovery
  • In-memory Script Execution
  • OSACompile Run-Only Execution
Important:
  • MITRE ATT&CK sub-techniques are supported when you create MITRE ATT&CK events in DeStra policies. To receive the full sub-technique details, verify that your QRadar EDR Agents are up to date. If the agents are not updated, the events display partial information.
  • The new DeStra policies are disabled by default. To enable the DeStra policies, go to the Destra page and activate them globally or per endpoint group.
Removed DeStra (Detection as Code) policies

Removed seven default DeStra policies in favor of newly added policies that cover multiple use cases.

The following detections are removed QRadar EDR Agent:
  • Credential Dumping via Registry
  • Suspicious Shim Database Installed
  • Sticky Key Backdoor
  • Signed Script Proxy Execution
  • Suspicious XSL script
  • WMI subscription
  • SquiblyTwo behaviour
Updated IBM Security QRadar EDR
The following updates are now available in IBM Security QRadar EDR:
  • Added support to edit blocklist and allowlist policies.
  • Added support for MITRE ATT&CK framework version 15.
  • Enhanced performance when alerts contain many events.
  • Enhanced server request handling.
  • Improved the copy and paste function in the user interface.
  • MSSP client admins can now create Anti-Malware exceptions.
  • Added API endpoints to search and download the agent distributions and components.
  • Fixed various security vulnerabilities.

July 2024

New in 3.12.9
Updated IBM Security QRadar EDR
  • Fixed various security vulnerabilities.
  • Clarified the error messages from Cyber Assistant when alerts are being processed.

June 2024

New in 3.12.8
Updated IBM Security QRadar EDR
  • Fixed various security vulnerabilities.
  • Fixed a page loading issue when no groups exist in the Cyber Assistant configuration page.

May 2024

New in 3.12.7
Updated Linux QRadar EDR Agent
Linux-only
Linux agent 0.80.1
  • Added support for new events: File Created, File Read, File Written, File Renamed, File Deleted, User Login, User Logout, User Login Failed, User Account Creation by using Custom Event, and Filesystem Persistence.
  • Added support for new events in DeStra policies: Network Connection Established, MITRE ATT&CK, File Created, File Read, File Written, File Renamed, File Deleted, Custom Event, and Filesystem Persistence.
  • Increased support for Linux Distribution.
  • Added support for the deep monitoring mode.
  • Added support for the eBPF CO-RE driver. Prerequisite packages are no longer required for kernels 5.8 or later.
  • Improved the Linux OS recognition capability.
  • Updated the libraries to address the license violation and to fix potential vulnerabilities.
Important: The Linux agent 0.80.1 fails to start on Debian 10 due to a driver issue. For more information about the known issue and the workaround, see technote 7148175.
Added default DeStra (Detection as Code) policies for Linux and macOS QRadar EDR Agents

Added ten new default DeStra policies to provide new detection capabilities by creating specific MITRE events and by triggering alerts.

The following detections are available for the Linux QRadar EDR Agent:
  • Pass the Hash
  • RC Scripts Modification
  • Indicator Removal
  • Data Collection Tactics
  • Impair Defenses
  • Ingress Tool Transfer
The following detections are available for the macOS QRadar EDR Agent:
  • Hidden Account Creation
  • Login Item Persistence
  • Kerberos Cached Credentials Dumping
  • Credentials from Keychain
Important: The new DeStra policies are disabled by default. To enable the DeStra policies, go to the Destra page and activate them globally or per endpoint group.
Updated IBM Security QRadar EDR
  • Fixed various security vulnerabilities.
  • Fixed the Agent distribution visibility for client admins.

March 2024

New in 3.12.5
Updated Windows QRadar EDR Agent
Windows-only
Windows agent 3.11.5
  • Improved the overall anti-ransomware performance.
  • Fixed a typographical error in the is_dns_activity destra function name.
  • Fixed a case of event duplication.
  • Updated the certificate that is used to sign the application.
Windows Anti-Malware 1.5.9
  • Updated the certificate that is used to sign the application.
Updated macOS QRadar EDR Agent
Mac-only
macOS agent 1.0.1
  • Enhanced the installer to improve the user experience.
  • Introduced MITRE event support for event enrichment.
Support for 15k Endpoints

Added support for 15k Endpoints.

New information For more information, see Hardware requirements and Storage requirements.
Updated IBM Security QRadar EDR
  • Fixed an issue with the dashboard not working when proxy is enabled.
  • Fixed an issue in PDF reports where page breaks split charts or tables.
  • For the Linux agent and the Windows agent, new events are added in the list of available Binding Events that is used to create a DeStra from the UI.
Attention: Restores on fresh installations by using backups from previous fix-pack versions fail to restore successfully. After you upgrade to version 3.12.5, back up your IBM Security QRadar EDR data. For more information, see Backup and restore.
New in 3.12.3
Updated Windows QRadar EDR Agent
Windows-only
Windows agent 3.11.4
  • Fixed the error messages that appear when you use file event data in DeStra rules.
  • Optimized telemetry generation for Exchange server endpoints.
Windows Anti-Malware 1.5.8
  • Fixed potential security vulnerabilities.
Updated IBM Security QRadar EDR
The following updates are now available in IBM Security QRadar EDR:
  • Fixed various security vulnerabilities.
  • Fixed warnings for creating a duplicated policy.
  • Replaced in-product Changelog with a link to online documentation.

February 2024

New in 3.12.2

Updated Windows QRadar EDR Agent
Windows-only
Windows agent 3.11.0
  • Added support for both QRadar EDR and IBM digital signatures.
  • Fixed an issue with anti-malware download.
  • Fixed a potential vulnerability in some parameters that are passed to system APIs.
  • Fixed missing certificate chain validation for QRadar EDR components.
  • Fixed an issue with restart loop in edge cases of QRadar EDR Agent uninstallation.
  • Fixed a heap corruption issue.
Windows agent 3.11.1
  • The Windows distribution components are now IBM-signed.
  • The 32-bit NanoOS is deprecated.
  • Fixed an issue with certificate expiration for agents.
  • Fixed alert flags due to expired certificates in the agent.
Attention:
  • Due to the use of the new code-signing certificate in the Windows agent 3.11.1, the signature is changed. The end-of-life (EOL) versions of Windows do not support the new signature verification and can lead to failure during agent updates.
  • The following Windows versions are no longer supported:
    • Windows Server 2008 R2 (SP2) - 32 bit
    • Windows Server 2008 R2 (SP2) - 64 bit
    • Windows client 7 (SP1) - 32 bit
    • Windows client 7 (SP1) - 64 bit
    • Windows 8 - 32 bit
    • Windows 8 - 64 bit
    • Windows 8.1 - 32 bit
  • Windows agent 3.11.0 is the last QRadar EDR agent that can run on the Windows versions that are no longer supported. To phase out the unsupported endpoints and preserve the agent that is running, group the unsupported endpoints and exclude them from the automatic updates delivery. For more information, see technote 7161908.
Windows agent 3.11.3
  • NanoOS is turned off when memory integrity is enabled in Windows.
  • Fixed potential security vulnerabilities.
Important: If you are running agents with versions older than Windows agent 3.11.0, first upgrade to Windows agent 3.11.0 before you upgrade to Windows agent 3.11.1 or later to avoid failures in subsequent Windows agent updates. For more information, see QRadar EDR: Updating to the Latest Windows Agent Release (3.11.1). If you encounter a certificate chain issue after the upgrade to Windows agent 3.11.0, fix it manually before you install any later versions of the Windows agent. For more information, see QRadar EDR: Agent version 3.11.1 or higher failure on Windows Endpoint.
Added default DeStra (Detection as Code) policies

Added fourteen new default DeStra policies to provide new detection capabilities by creating specific MITRE events and by triggering alerts. The following detections are available:

  • Known malicious tools or actors behaviors
  • Suspicious software that is used for remote access or proxy capabilities
  • Application shimming
  • System modification to weaken system security
Support for 10k Endpoints

Added support for 10k Endpoints.

New information For more information, see Hardware requirements and Storage requirements.
Updated IBM Security QRadar EDR
The following updates are now available in IBM Security QRadar EDR:
  • Fixed various security vulnerabilities.
  • Fixed the missing Install Path header in CSV file export.
  • Fixed an edge case that was causing backend initialization crash.
  • Fixed resources allocation for medium and large types of deployments.
  • The DLL Hijacking Protection policy is removed from default policies.

October 2023

IBM Security QRadar EDR available as an on-premises deployment option
IBM Security® QRadar Suite Software 1.10 now includes QRadar EDR as an on-premises deployment option to provide the endpoint detection and response (EDR) function.
Licensing updates

The licensing options document is updated to reflect current packaging and entitlements.

New information For more information, see License options.

September 2023

Updated macOS QRadar EDR Agent
Mac-only
The agent is now supported on macOS Monterey and Ventura, and on Apple silicon processors. This update also enhances the security and stability of the agent.
New information For more information, see Installing the QRadar EDR Agent on Mac endpoints.

June 2023

Session expiration
To enhance the security posture of QRadar EDR, the following updates are added:
  • The Remember Me checkbox was removed from the Login screen.
  • The default session length is reduced from 24 hours to 2 hours.
Anti-malware
Fixed a pagination issue on the Anti-malware configuration page.

March 2023

EULA is no longer displayed on the QRadar EDR Dashboard
View the terms of your EULA or Service Description by using one of the following methods:
Updated Linux QRadar EDR Agent
Linux-only
The agent is now supported on more Linux distributions.
New information For more information, see Installing the QRadar EDR Agent on Linux endpoints.

October 2022

Protected uninstallation
Windows-only
Requires Windows agent 3.10 or later
Enable protected uninstallation to prevent users from uninstalling the QRadar EDR Agent from an endpoint without authorization.
New information For more information, see Enabling protected uninstallation.
Updated Linux QRadar EDR Agent
Linux-only
The Linux agent is rewritten to use eBPF. For more information about eBPF, see What is eBPF?.
You can now specify the QRadar EDR Brain domain name rather than the IP address when you install the Linux agent.
The Linux agent also includes fixes to known issues. The agent now reports the correct endpoint IP address, displays process commands in full, correctly associated processes to alerts, and works independently from connectivity issues.
Important: Automatic updates of the Linux QRadar EDR Agent are not supported. For more information, see Installing the QRadar EDR Agent on Linux endpoints.

July 2022

Automated actions against binaries based on their threat score
Hive-Cloud is an integration between QRadar EDR and third-party threat intelligence services.
A Hive-Cloud score is the threat score that is associated with a binary the first time it is run in your organization. You can set the Hive-Cloud score ranges to allow a binary to run without an alert, run and generate an alert, or block it from running.
New information For more information, see Managing Hive-Cloud scores.
Enforcement of TLS 1.2
The TLS connection between the QRadar EDR Agent and the QRadar EDR Brain must now use TLS 1.2.
New API endpoints
New API endpoints were added for better integration in your workflows and environments.
Isolation improvements
When you isolate an endpoint in the QRadar EDR Brain, the isolation status is now shown. You can now isolate and deisolate endpoints by using the API.