What's new or changed

See what new features and improvements are available in IBM® Security QRadar® EDR.

January 2025

New in 3.12.15
Updated Windows QRadar EDR Agent 3.12.2
Windows-only
  • Updated external libraries to fix multiple security vulnerabilities.
  • Updated the certificate that is used to sign the application.
  • Fixed a bug where the Keeper service in Stop Pending status causes a continuous memory increase. For more information, see DT400969.
  • Fixed a bug where allowlist policies do not trigger as expected.
Important: If you are running agents with versions older than Windows agent 3.12.0, upgrade to Windows agent 3.12.0 before you upgrade to Windows agent 3.12.2 or later to avoid failures in subsequent Windows agent updates. For more information, see technote 7180461.
Updated IBM Security QRadar EDR
  • Fixed various security vulnerabilities.
  • Fixed a bug where behavioral trees do not build correctly.
  • Fixed a bug where an update license request was incorrectly applied to groups in MSSP environments.
  • Fixed a bug where enabling a global policy on a group does not result in an error.
  • Fixed a bug that prevents backup and restore from starting.
  • Added support for 20k endpoints.

December 2024

New in 3.12.14
Updated IBM Security QRadar EDR
  • Fixed various security vulnerabilities.
  • Fixed a bug where editing a disabled or partially enabled policy incorrectly enables the policy for all groups.
  • Fixed a bug where an API request to enable or disable a policy modifies the policy details.
  • Fixed a bug where Graphy miscalculates the last seen alert.
Updated Linux® QRadar EDR Agent
Linux-only
Linux agent 0.82.0
  • Added support for user account deletion events, including in DeStra policies.
  • Enhanced username information that is reported in authentication events.
  • Fixed an issue where the Linux agent failed to start or send events when SELinux is enabled. For more information, see DT398501.
  • Fixed minor issues with the agent execution, termination, and uninstallation.

November 2024

New in 3.12.13
Updated Windows QRadar EDR Agent
Windows-only
Windows agent 3.12.0
  • Added support for NanoOS for Windows 10 and Windows 11 kernels. For more information, see technote 7173575.
  • Added tamper protection for the QRadar EDR Agent file system.
  • Added support for new IBM certificates that are used to sign the application.
  • Fixed an issue in which the service is stuck in a Stop pending state.
  • Fixed an issue in which the QRadar EDR Agent database grows in size continuously. For more information, see DT364171.
  • Fixed an issue in which the QRadar EDR Agent causes a stop error. For more information, see DT390698.
Windows Anti-Malware 1.5.11
  • Fixed an issue in which the service is stuck in a Stop pending state.
  • Updated the certificate that is used to sign the application.
Updated IBM Security QRadar EDR
  • Added support for MITRE ATT&CK framework version 15.1.
  • Fixed various security vulnerabilities.

October 2024

New in 3.12.12
Updated IBM Security QRadar EDR
  • Added support for administrators with restricted access to view their clients' logs on the Audit page.
    Important: Administrators with restricted access cannot view audit logs with actions that are made by an administrator with unrestricted access or access to more than one client.
  • Fixed various security vulnerabilities.

August 2024

New in 3.12.11
Updated DeStra (Detection as Code) policies

Updated thirteen DeStra (Detection as Code) policies to provide MITRE ATT&CK ID information.

The following detections are updated for the Windows QRadar EDR Agent:
  • Mimikatz Behaviour
  • Nvidia Leaked Certificates
  • Proxy Tools
  • Remote Access Tools
  • Windows Code Signing Policy Modification
The following detections are updated for the Linux QRadar EDR Agent:
  • Pass the Hash
  • RC Scripts Modification
  • Indicator Removal
  • Impair Defenses
The following detections are updated for the macOS QRadar EDR Agent:
  • Hidden Account Creation
  • Login Item Persistence
  • Kerberos Cached Credentials Dumping
  • Credentials from Keychain
Updated IBM Security QRadar EDR
  • Fixed various security vulnerabilities.
New in 3.12.10
Updated macOS QRadar EDR Agent
Mac-only
macOS agent 1.1.0
  • Added a pre-execution block for hash-based blocklisted policies. The blocklisted process is now blocked at the kernel level before it starts running.
  • Added support for using YARA rules in DeStra policies.
  • Added support for new events: File Created, File Read, File Written, File Renamed, and File Deleted.
  • Added support for sub-technique ID in the MITRE ATT&CK framework events.
  • Fixed a bug where the file name field is not populated for some events when event data is created.
  • Renamed the agent to IBM Security QRadar EDR from IBM Security ReaQta.
Important: If you are running agents with versions that are older than macOS agent 1.0.1, upgrade to macOS agent 1.0.1 before you upgrade to macOS agent 1.1.0 to avoid failures in subsequent macOS agent updates.
Updated Windows QRadar EDR Agent
Windows-only
Windows agent 3.11.6
  • Added new events to the DeStra engine: File Created, File Read, File Written, File Renamed, Registry Value Set, Registry Entry Deleted, and Kerberos Pre-Auth Failed.
  • Added support for sub-technique ID in the MITRE ATT&CK framework events.
  • Added Windows 11 version reports in endpoint details.
  • Migrated some MITRE ATT&CK event generation rules from the agent to the new DeStra policies.
  • Fixed potential security vulnerabilities.
  • Fixed a bug in endpoint isolation on IPv6 targets. For more information, see DT381580.
Important: To continue MITRE ATT&CK coverage, enable the new DeStra policies in your environment. To enable the DeStra policies, go to the Destra page and activate them globally or per endpoint group.
Updated Linux QRadar EDR Agent
Linux-only
Linux agent 0.81.0
  • Added support for Executable Dropped events.
  • Added support for sub-technique ID in the MITRE ATT&CK framework events.
  • Added support for using YARA rules in DeStra policies.
  • Simplified the installation for endpoints by using the kernel module. You do not need to set the KMOD_IGNORE_TAINT configuration option anymore.
  • Enhanced driver preparation and loading.
  • Enhanced event reports for user authentication and user detail resolution.
Added new DeStra (Detection as Code) policies

Added twenty-three new DeStra (Detection as Code) policies to provide new detection capabilities by creating specific MITRE ATT&CK events and by triggering alerts.

The following detections are available for the Windows QRadar EDR Agent:
  • Process Discovery
  • Account Discovery
  • Credential Harvested
  • Remote System Discovery
  • System Time Discovery
  • Script Proxy Execution
  • Event Triggered Execution Configured
  • Subvert Trust Controls
  • Autostart Execution Configured
  • XSL Scripting
The following detections are available for the Linux QRadar EDR Agent:
  • Network Share Discovery
  • Application Window Discovery
  • Network Sniffing Tools
  • File and Directory Permissions Modification
  • System Time Discovery
  • Proxy Tools
  • Software Discovery
The following detections are available for the macOS QRadar EDR Agent:
  • Clipboard Data Collection
  • Credentials in Files
  • Credential Prompt via Osascript
  • System Network Connections Discovery
  • In-memory Script Execution
  • OSACompile Run-Only Execution
Important:
  • MITRE ATT&CK sub-techniques are supported when you create MITRE ATT&CK events in DeStra policies. To receive the full sub-technique details, verify that your QRadar EDR Agents are up to date. If the agents are not updated, the events display partial information.
  • The new DeStra policies are disabled by default. To enable the DeStra policies, go to the Destra page and activate them globally or per endpoint group.
Removed DeStra (Detection as Code) policies

Removed seven default DeStra policies in favor of newly added policies that cover multiple use cases.

The following detections are removed from the QRadar EDR Agent:
  • Credential Dumping via Registry
  • Suspicious Shim Database Installed
  • Sticky Key Backdoor
  • Signed Script Proxy Execution
  • Suspicious XSL script
  • WMI subscription
  • SquiblyTwo behaviour
Updated IBM Security QRadar EDR
The following updates are now available in IBM Security QRadar EDR:
  • Added support to edit blocklist and allowlist policies.
  • Added support for MITRE ATT&CK framework version 15.
  • Enhanced performance when alerts contain many events.
  • Enhanced server request handling.
  • Improved the copy and paste function in the user interface.
  • MSSP client admins can now create Anti-Malware exceptions.
  • Added API endpoints to search and download the agent distributions and components.
  • Fixed various security vulnerabilities.

July 2024

New in 3.12.9
Updated IBM Security QRadar EDR
  • Fixed various security vulnerabilities.
  • Clarified the error messages from Cyber Assistant when alerts are being processed.

June 2024

New in 3.12.8
Updated IBM Security QRadar EDR
  • Fixed various security vulnerabilities.
  • Fixed a page loading issue when no groups exist in the Cyber Assistant configuration page.

May 2024

New in 3.12.7
Updated Linux QRadar EDR Agent
Linux-only
Linux agent 0.80.1
  • Added support for new events: File Created, File Read, File Written, File Renamed, File Deleted, User Login, User Logout, User Login Failed, User Account Creation by using Custom Event, and Filesystem Persistence.
  • Added support for new events in DeStra policies: Network Connection Established, MITRE ATT&CK, File Created, File Read, File Written, File Renamed, File Deleted, Custom Event, and Filesystem Persistence.
  • Added support for more Linux distributions.
  • Added support for the deep monitoring mode.
  • Added support for the eBPF CO-RE driver. Prerequisite packages are no longer required for kernels 5.8 or later.
  • Improved the Linux OS recognition capability.
  • Updated the libraries to address the license violation and to fix potential vulnerabilities.
Important: The Linux agent 0.80.1 fails to start on Debian 10 due to a driver issue. For more information about the known issue and the workaround, see technote 7148175.
Added default DeStra (Detection as Code) policies for Linux and macOS QRadar EDR Agents

Added ten new default DeStra policies to provide new detection capabilities by creating specific MITRE events and by triggering alerts.

The following detections are available for the Linux QRadar EDR Agent:
  • Pass the Hash
  • RC Scripts Modification
  • Indicator Removal
  • Data Collection Tactics
  • Impair Defenses
  • Ingress Tool Transfer
The following detections are available for the macOS QRadar EDR Agent:
  • Hidden Account Creation
  • Login Item Persistence
  • Kerberos Cached Credentials Dumping
  • Credentials from Keychain
Important: The new DeStra policies are disabled by default. To enable the DeStra policies, go to the Destra page and activate them globally or per endpoint group.
Updated IBM Security QRadar EDR
  • Fixed various security vulnerabilities.
  • Fixed the Agent distribution visibility for client admins.

March 2024

New in 3.12.5
Updated Windows QRadar EDR Agent
Windows-only
Windows agent 3.11.5
  • Improved the overall anti-ransomware performance.
  • Fixed a typographical error in the is_dns_activity destra function name.
  • Fixed a case of event duplication.
  • Updated the certificate that is used to sign the application.
Windows Anti-Malware 1.5.9
  • Updated the certificate that is used to sign the application.
Updated macOS QRadar EDR Agent
Mac-only
macOS agent 1.0.1
  • Enhanced the installer to improve the user experience.
  • Introduced MITRE event support for event enrichment.
Support for 15k Endpoints

Added support for 15k Endpoints.

For more information, see Hardware requirements and Storage requirements.
Updated IBM Security QRadar EDR
  • Fixed an issue with the dashboard not working when proxy is enabled.
  • Fixed an issue in PDF reports where page breaks split charts or tables.
  • For the Linux agent and the Windows agent, new events are added in the list of available Binding Events that is used to create a DeStra from the UI.
Attention: Restores on fresh installations by using backups from previous fix-pack versions fail to restore successfully. After you upgrade to version 3.12.5, back up your IBM Security QRadar EDR data. For more information, see Backup and restore.
New in 3.12.3
Updated Windows QRadar EDR Agent
Windows-only
Windows agent 3.11.4
  • Fixed the error messages that appear when you use file event data in DeStra rules.
  • Optimized telemetry generation for Exchange server endpoints.
Windows Anti-Malware 1.5.8
  • Fixed potential security vulnerabilities.
Updated IBM Security QRadar EDR
The following updates are now available in IBM Security QRadar EDR:
  • Fixed various security vulnerabilities.
  • Fixed warnings for creating a duplicated policy.
  • Replaced in-product Changelog with a link to online documentation.

February 2024

New in 3.12.2

Updated Windows QRadar EDR Agent
Windows-only
Windows agent 3.11.0
  • Added support for both QRadar EDR and IBM digital signatures.
  • Fixed an issue with anti-malware download.
  • Fixed a potential vulnerability in some parameters that are passed to system APIs.
  • Fixed missing certificate chain validation for QRadar EDR components.
  • Fixed an issue with restart loop in edge cases of QRadar EDR Agent uninstallation.
  • Fixed a heap corruption issue.
Windows agent 3.11.1
  • The Windows distribution components are now IBM-signed.
  • The 32-bit NanoOS is deprecated.
  • Fixed an issue with certificate expiration for agents.
  • Fixed alert flags due to expired certificates in the agent.
Attention:
  • Due to the use of the new code-signing certificate in the Windows agent 3.11.1, the signature is changed. The end-of-life (EOL) versions of Windows cannot verify the new signature, which can cause agent updates to fail.
  • The following Windows versions are no longer supported:
    • Windows Server 2008 R2 (SP2) - 32 bit
    • Windows Server 2008 R2 (SP2) - 64 bit
    • Windows client 7 (SP1) - 32 bit
    • Windows client 7 (SP1) - 64 bit
    • Windows 8 - 32 bit
    • Windows 8 - 64 bit
    • Windows 8.1 - 32 bit
  • Windows agent 3.11.0 is the last QRadar EDR agent that can run on the Windows versions that are no longer supported. To phase out the unsupported endpoints and preserve the agent that is running, group the unsupported endpoints and exclude them from the automatic updates delivery. For more information, see technote 7161908.
Windows agent 3.11.3
  • NanoOS is turned off when memory integrity is enabled in Windows.
  • Fixed potential security vulnerabilities.
Important: If you are running agents with versions older than Windows agent 3.11.0, first upgrade to Windows agent 3.11.0 before you upgrade to Windows agent 3.11.1 or later to avoid failures in subsequent Windows agent updates. For more information, see QRadar EDR: Updating to the Latest Windows Agent Release (3.11.1). If you encounter a certificate chain issue after the upgrade to Windows agent 3.11.0, fix it manually before you install any later versions of the Windows agent. For more information, see QRadar EDR: Agent version 3.11.1 or higher failure on Windows Endpoint.
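The two upgrade-ordering notes on this page (older than 3.11.0 must go through 3.11.0 first; older than 3.12.0 must go through 3.12.0 before 3.12.2 or later; macOS older than 1.0.1 must go through 1.0.1 before 1.1.0), together with the rule that endpoints on the Windows versions listed above must stay on 3.11.0, are easy to get wrong when an update group mixes agent versions. The following planner is an added example, not IBM code or part of the product: the function names, the STEPPING_STONES table and the sample endpoint fleet are assumptions made here to illustrate the constraints the release notes state.

```python
"""Plan an upgrade path for a QRadar EDR agent that honours the stepping-stone
releases described in the release notes.

Example code written for this page, not part of the product. The version
constraints come from the release notes; the table layout, function names
and sample fleet are assumptions for illustration.
"""
from __future__ import annotations

# Mandatory intermediate releases, oldest first. An endpoint running
# anything older than a stone must install that stone before it can move
# to anything newer than the stone.
STEPPING_STONES: dict[str, list[tuple[int, ...]]] = {
    "windows": [(3, 11, 0), (3, 12, 0)],
    "macos": [(1, 0, 1)],
}

# Windows versions dropped with agent 3.11.1 (they cannot verify the new
# code-signing certificate). 3.11.0 is the last agent they can run, so any
# target newer than that is capped for them.
WINDOWS_EOL_OS = frozenset({
    "Windows Server 2008 R2 (SP2) - 32 bit",
    "Windows Server 2008 R2 (SP2) - 64 bit",
    "Windows client 7 (SP1) - 32 bit",
    "Windows client 7 (SP1) - 64 bit",
    "Windows 8 - 32 bit",
    "Windows 8 - 64 bit",
    "Windows 8.1 - 32 bit",
})
WINDOWS_EOL_CAP: tuple[int, ...] = (3, 11, 0)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '3.11.4' into (3, 11, 4); tuples compare numerically, so
    3.9.0 < 3.11.0 works without string tricks."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def fmt(version: tuple[int, ...]) -> str:
    return ".".join(str(p) for p in version)


def plan_upgrade(platform: str, installed: str, target: str,
                 os_name: str | None = None) -> list[str]:
    """Return the ordered list of agent versions to install, in sequence,
    to get from `installed` to `target`. Empty list means nothing to do."""
    platform = platform.lower()
    current = parse_version(installed)
    goal = parse_version(target)

    # Endpoints on an EOL Windows version are pinned to 3.11.0 (see the
    # Attention note for agent 3.11.1); the release notes recommend grouping
    # them and excluding them from automatic update delivery.
    if platform == "windows" and os_name in WINDOWS_EOL_OS:
        goal = min(goal, WINDOWS_EOL_CAP)

    path: list[tuple[int, ...]] = []
    for stone in STEPPING_STONES.get(platform, []):
        # Only stones strictly between current and goal are intermediate
        # steps; a stone equal to the goal is just the final install.
        if current < stone < goal:
            path.append(stone)
            current = stone
    if current < goal:
        path.append(goal)
    return [fmt(v) for v in path]


if __name__ == "__main__":
    # Constructed sample fleet: (name, platform, installed agent, OS label).
    fleet = [
        ("ws-01", "windows", "3.10.5", "Windows 10 - 64 bit"),
        ("ws-02", "windows", "3.11.4", "Windows 11 - 64 bit"),
        ("legacy-01", "windows", "3.10.5", "Windows client 7 (SP1) - 64 bit"),
        ("mac-01", "macos", "1.0.0", None),
    ]
    targets = {"windows": "3.12.2", "macos": "1.1.0"}
    for name, platform, installed, os_name in fleet:
        steps = plan_upgrade(platform, installed, targets[platform], os_name)
        print(f"{name}: {installed} -> {' -> '.join(steps) or '(no change)'}")
```

Feed it the agent version and OS reported in endpoint details for each update group before you push a new agent distribution; an endpoint that lands on the capped 3.11.0 path belongs in the excluded group from technote 7161908, and any endpoint whose path runs through 3.11.0 should have its certificate chain checked after that step, as the note above requires, before the next version is installed.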
Added default DeStra (Detection as Code) policies

Added fourteen new default DeStra policies to provide new detection capabilities by creating specific MITRE events and by triggering alerts. The following detections are available:

  • Known malicious tools or actors behaviors
  • Suspicious software that is used for remote access or proxy capabilities
  • Application shimming
  • System modification to weaken system security
Support for 10k Endpoints

Added support for 10k Endpoints.

For more information, see Hardware requirements and Storage requirements.
Updated IBM Security QRadar EDR
The following updates are now available in IBM Security QRadar EDR:
  • Fixed various security vulnerabilities.
  • Fixed the missing Install Path header in CSV file export.
  • Fixed an edge case that was causing backend initialization crash.
  • Fixed resources allocation for medium and large types of deployments.
  • The DLL Hijacking Protection policy is removed from default policies.

October 2023

IBM Security QRadar EDR available as an on-premises deployment option
IBM Security® QRadar Suite Software 1.10 now includes QRadar EDR as an on-premises deployment option to provide the endpoint detection and response (EDR) function.
Licensing updates

The licensing options document is updated to reflect current packaging and entitlements.

For more information, see License options.

September 2023

Updated macOS QRadar EDR Agent
Mac-only
The agent is now supported on macOS Monterey and Ventura, and on Apple silicon processors. This update also enhances the security and stability of the agent.
For more information, see Installing the QRadar EDR Agent on Mac endpoints.

June 2023

Session expiration
To enhance the security posture of QRadar EDR, the following updates are made:
  • The Remember Me checkbox was removed from the Login screen.
  • The default session length is reduced from 24 hours to 2 hours.
Anti-malware
Fixed a pagination issue on the Anti-malware configuration page.

March 2023

EULA is no longer displayed on the QRadar EDR Dashboard
View the terms of your EULA or Service Description by using one of the following methods:
Updated Linux QRadar EDR Agent
Linux-only
The agent is now supported on more Linux distributions.
For more information, see Installing the QRadar EDR Agent on Linux endpoints.

October 2022

Protected uninstallation
Windows-only
Requires Windows agent 3.10 or later
Enable protected uninstallation to prevent users from uninstalling the QRadar EDR Agent from an endpoint without authorization.
For more information, see Enabling protected uninstallation.
Updated Linux QRadar EDR Agent
Linux-only
The Linux agent is rewritten to use eBPF. For more information about eBPF, see What is eBPF?.
You can now specify the QRadar EDR Brain domain name rather than the IP address when you install the Linux agent.
The Linux agent also includes fixes for known issues: the agent now reports the correct endpoint IP address, displays process command lines in full, correctly associates processes with alerts, and operates independently of connectivity issues.
Important: Automatic updates of the Linux QRadar EDR Agent are not supported. For more information, see Installing the QRadar EDR Agent on Linux endpoints.

July 2022

Automated actions against binaries based on their threat score
Hive-Cloud is an integration between QRadar EDR and third-party threat intelligence services.
A Hive-Cloud score is the threat score that is associated with a binary the first time it is run in your organization. You can set the Hive-Cloud score ranges to allow a binary to run without an alert, run and generate an alert, or block it from running.
For more information, see Managing Hive-Cloud scores.
Enforcement of TLS 1.2
The TLS connection between the QRadar EDR Agent and the QRadar EDR Brain must now use TLS 1.2.
New API endpoints
New API endpoints were added for better integration in your workflows and environments.
Isolation improvements
When you isolate an endpoint in the QRadar EDR Brain, the isolation status is now shown. You can now isolate and deisolate endpoints by using the API.