What's new or changed
See what new features and improvements are available in IBM® Security QRadar® EDR.
January 2025
New in 3.12.15
- Updated Windows QRadar EDR Agent 3.12.2
  - Windows-only
- Updated IBM Security QRadar EDR
  - Fixed various security vulnerabilities.
  - Fixed a bug where behavioral trees did not build correctly.
  - Fixed a bug where an update license request was incorrectly applied to groups in MSSP environments.
  - Fixed a bug where enabling a global policy on a group did not result in an error.
  - Fixed a bug that prevented backup and restore from starting.
  - Added support for 20k endpoints.
December 2024
New in 3.12.14
- Updated IBM Security QRadar EDR
  - Fixed various security vulnerabilities.
  - Fixed a bug where editing a disabled or partially enabled policy incorrectly enabled the policy for all groups.
  - Fixed a bug where an API request to enable or disable a policy modified the policy details.
  - Fixed a bug where Graphy miscalculated the last seen alert.
- Updated Linux® QRadar EDR Agent
  - Linux-only
November 2024
New in 3.12.13
- Updated Windows QRadar EDR Agent
  - Windows-only
- Updated IBM Security QRadar EDR
  - Added support for MITRE ATT&CK framework version 15.1.
  - Fixed various security vulnerabilities.
October 2024
New in 3.12.12
- Updated IBM Security QRadar EDR
  - Added support for administrators with restricted access to view their clients' logs on the Audit page. Important: Administrators with restricted access cannot view audit logs for actions that were made by an administrator with unrestricted access or with access to more than one client.
  - Fixed various security vulnerabilities.
August 2024
New in 3.12.11
- Updated DeStra (Detection as Code) policies
  Updated thirteen DeStra (Detection as Code) policies to provide MITRE ATT&CK ID information.
  The following detections are updated for the Windows QRadar EDR Agent:
  - Mimikatz Behaviour
  - Nvidia Leaked Certificates
  - Proxy Tools
  - Remote Access Tools
  - Windows Code Signing Policy Modification
  The following detections are updated for the Linux QRadar EDR Agent:
  - Pass the Hash
  - RC Scripts Modification
  - Indicator Removal
  - Impair Defenses
  The following detections are updated for the macOS QRadar EDR Agent:
  - Hidden Account Creation
  - Login Item Persistence
  - Kerberos Cached Credentials Dumping
  - Credentials from Keychain
- Updated IBM Security QRadar EDR
  - Fixed various security vulnerabilities.
- Updated macOS QRadar EDR Agent
  - Mac-only
- Updated Windows QRadar EDR Agent
  - Windows-only
- Updated Linux QRadar EDR Agent
  - Linux-only
- Added new DeStra (Detection as Code) policies
  Added twenty-three new DeStra (Detection as Code) policies that provide new detection capabilities by creating specific MITRE ATT&CK events and by triggering alerts.
  The following detections are available for the Windows QRadar EDR Agent:
  - Process Discovery
  - Account Discovery
  - Credential Harvested
  - Remote System Discovery
  - System Script Proxy Execution
  - Event Triggered Execution Configured
  - Subvert Trust Controls
  - Autostart Execution Configured
  - Time Discovery
  - XSL Scripting
  The following detections are available for the Linux QRadar EDR Agent:
  - Network Share Discovery
  - Application Window Discovery
  - Network Sniffing Tools
  - File and Directory Permissions Modification
  - System Time Discovery
  - Proxy Tools
  - Software Discovery
  The following detections are available for the macOS QRadar EDR Agent:
  - Clipboard Data Collection
  - Credentials in Files
  - Credential Prompt via Osascript
  - System Network Connections Discovery
  - In-memory Script Execution
  - OSACompile Run-Only Execution
  Important:
  - MITRE ATT&CK sub-techniques are supported when you create MITRE ATT&CK events in DeStra policies. To receive the full sub-technique details, verify that your QRadar EDR Agents are up to date. If the agents are not updated, the events display partial information.
  - The new DeStra policies are disabled by default. To enable the DeStra policies, go to the DeStra page and activate them globally or per endpoint group.
- Removed DeStra (Detection as Code) policies
  Removed seven default DeStra policies in favor of the newly added policies, which cover multiple use cases.
  The following detections are removed from the QRadar EDR Agent:
  - Credential Dumping via Registry
  - Suspicious Shim Database Installed
  - Sticky Key Backdoor
  - Signed Script Proxy Execution
  - Suspicious XSL script
  - WMI subscription
  - SquiblyTwo behaviour
- Updated IBM Security QRadar EDR
  The following updates are now available in IBM Security QRadar EDR:
  - Added support to edit blocklist and allowlist policies.
  - Added support for MITRE ATT&CK framework version 15.
  - Enhanced performance when alerts contain many events.
  - Enhanced server request handling.
  - Improved the copy and paste function in the user interface.
  - MSSP client admins can now create Anti-Malware exceptions.
  - Added API endpoints to search and download the agent distributions and components.
  - Fixed various security vulnerabilities.
July 2024
New in 3.12.9
- Updated IBM Security QRadar EDR
  - Fixed various security vulnerabilities.
  - Clarified the error messages from Cyber Assistant when alerts are being processed.
June 2024
New in 3.12.8
- Updated IBM Security QRadar EDR
  - Fixed various security vulnerabilities.
  - Fixed a page loading issue when no groups exist on the Cyber Assistant configuration page.
May 2024
New in 3.12.7
- Updated Linux QRadar EDR Agent
  - Linux-only
- Added default DeStra (Detection as Code) policies for Linux and macOS QRadar EDR Agents
  Added ten new default DeStra policies that provide new detection capabilities by creating specific MITRE events and by triggering alerts.
  The following detections are available for the Linux QRadar EDR Agent:
  - Pass the Hash
  - RC Scripts Modification
  - Indicator Removal
  - Data Collection Tactics
  - Impair Defenses
  - Ingress Tool Transfer
  The following detections are available for the macOS QRadar EDR Agent:
  - Hidden Account Creation
  - Login Item Persistence
  - Kerberos Cached Credentials Dumping
  - Credentials from Keychain
  Important: The new DeStra policies are disabled by default. To enable the DeStra policies, go to the DeStra page and activate them globally or per endpoint group.
- Updated IBM Security QRadar EDR
  - Fixed various security vulnerabilities.
  - Fixed the Agent distribution visibility for client admins.
March 2024
New in 3.12.5
- Updated Windows QRadar EDR Agent
  - Windows-only
- Updated macOS QRadar EDR Agent
  - Mac-only
- Support for 15k Endpoints
  Added support for 15k Endpoints.
- Updated IBM Security QRadar EDR
  - Fixed an issue with the dashboard not working when a proxy is enabled.
  - Fixed an issue in PDF reports where page breaks split charts or tables.
  - For the Linux agent and the Windows agent, new events were added to the list of available Binding Events that is used to create a DeStra policy from the UI.
  Attention: Restoring a fresh installation from a backup that was taken on a previous fix-pack version fails. After you upgrade to version 3.12.5, back up your IBM Security QRadar EDR data. For more information, see Backup and restore.
- Updated Windows QRadar EDR Agent
  - Windows-only
- Updated IBM Security QRadar EDR
  The following updates are now available in IBM Security QRadar EDR:
  - Fixed various security vulnerabilities.
  - Fixed warnings for creating a duplicated policy.
  - Replaced the in-product Changelog with a link to the online documentation.
February 2024
New in 3.12.2
- Updated Windows QRadar EDR Agent
  - Windows-only
- Added default DeStra (Detection as Code) policies
  Added fourteen new default DeStra policies that provide new detection capabilities by creating specific MITRE events and by triggering alerts. The following detections are available:
  - Known malicious tools or actor behaviors
  - Suspicious software that is used for remote access or proxy capabilities
  - Application shimming
  - System modification to weaken system security
- Support for 10k Endpoints
  Added support for 10k Endpoints.
- Updated IBM Security QRadar EDR
  The following updates are now available in IBM Security QRadar EDR:
  - Fixed various security vulnerabilities.
  - Fixed the missing Install Path header in the CSV file export.
  - Fixed an edge case that caused the backend initialization to crash.
  - Fixed resource allocation for medium and large types of deployments.
  - The DLL Hijacking Protection policy is removed from the default policies.
October 2023
- IBM Security QRadar EDR available as an on-premises deployment option
  IBM Security® QRadar Suite Software 1.10 now includes QRadar EDR as an on-premises deployment option to provide the endpoint detection and response (EDR) function.
- Licensing updates
  The licensing options document is updated to reflect current packaging and entitlements.
September 2023
- Updated macOS QRadar EDR Agent
  - Mac-only
June 2023
- Session expiration
  To enhance the security posture of QRadar EDR, the following changes were made:
  - The Remember Me checkbox was removed from the Login screen.
  - The default session length is reduced from 24 hours to 2 hours.
- Anti-malware
  - Fixed a pagination issue on the Anti-malware configuration page.
March 2023
- EULA is no longer displayed on the QRadar EDR Dashboard
  View the terms of your EULA or Service Description by using one of the following methods:
  - If you purchased IBM Security QRadar EDR, see https://www.ibm.com/support/customer/csol/terms/?ref=i126-9330-05-10-2022-zz-en.
  - If you purchased QRadar EDR Hive and you expanded or extended your contract with IBM after 1 September 2022, see https://www.ibm.com/downloads/cas/K5EWNP7Q and https://www.ibm.com/support/customer/csol/terms/?ref=i126-9495-01-09-2022-zz-en.
  - If you purchased QRadar EDR Hive and did not expand or extend your contract with IBM, see https://www.ibm.com/downloads/cas/K5EWNP7Q.
- Updated Linux QRadar EDR Agent
  - Linux-only
October 2022
- Protected uninstallation
  - Windows-only
- Updated Linux QRadar EDR Agent
  - Linux-only
July 2022
- Automated actions against binaries based on their threat score
  Hive-Cloud is an integration between QRadar EDR and third-party threat intelligence services.
- Enforcement of TLS 1.2
  The TLS connection between the QRadar EDR Agent and the QRadar EDR Brain must now use TLS 1.2.
- New API endpoints
  New API endpoints were added for better integration in your workflows and environments.
- Isolation improvements
  When you isolate an endpoint in the QRadar EDR Brain, the isolation status is now shown. You can now isolate and de-isolate endpoints by using the API.