What's new or changed

See what new features and improvements are available in IBM® Security QRadar® EDR.

August 2024

New in 3.12.10
Updated macOS QRadar EDR Agent
Mac-only
macOS agent 1.1.0
  • Added a pre-execution block for hash-based blocklisted policies. The blocklisted process is now blocked at the kernel level before it starts running.
  • Added support for using YARA rules in DeStra policies.
  • Added support for new events for macOS Ventura and macOS Sonoma: File Created, File Read, File Written, File Renamed, and File Deleted.
  • Added support for sub-technique ID in the MITRE ATT&CK framework events.
  • Fixed a bug where the file name field was not populated for some events when event data was created.
  • Renamed the agent to IBM Security QRadar EDR from IBM Security ReaQta.
Important: If you are running agents with versions that are older than macOS agent 1.0.1, upgrade to macOS agent 1.0.1 before you upgrade to macOS agent 1.1.0 to avoid failures in subsequent macOS agent updates.
Updated Windows QRadar EDR Agent
Windows-only
Windows agent 3.11.6
  • Added new events to the DeStra engine: File Created, File Read, File Written, File Renamed, Registry Value Set, Registry Entry Deleted, and Kerberos Pre-Auth Failed.
  • Added support for sub-technique ID in the MITRE ATT&CK framework events.
  • Added Windows 11 version reports in endpoint details.
  • Migrated some MITRE ATT&CK event generation rules from the agent to the new DeStra policies.
  • Fixed potential security vulnerabilities.
  • Fixed a bug in endpoint isolation on IPv6 targets. For more information, see DT381580.
Important: To ensure continued MITRE ATT&CK coverage, enable the new DeStra policies in your environment. To enable the DeStra policies, go to the Destra page and activate them globally or per endpoint group.
Updated Linux® QRadar EDR Agent
Linux-only
Linux agent 0.81.0
  • Added support for Executable Dropped events.
  • Added support for sub-technique ID in the MITRE ATT&CK framework events.
  • Added support for using YARA rules in DeStra policies.
  • Simplified the installation for endpoints by using the kernel module. You do not need to set the KMOD_IGNORE_TAINT configuration option anymore.
  • Enhanced driver preparation and loading.
  • Enhanced event reports for user authentication and user detail resolution.
Added new DeStra (Detection as Code) policies

Added twenty-three new DeStra (Detection as Code) policies to provide new detection capabilities by creating specific MITRE ATT&CK events and by triggering alerts.

The following detections are available for the Windows QRadar EDR Agent:
  • Process Discovery
  • Account Discovery
  • Credential Harvested
  • Remote System Discovery
  • Script Proxy Execution
  • Event Triggered Execution Configured
  • Subvert Trust Controls
  • Autostart Execution Configured
  • Time Discovery
  • XSL Scripting
The following detections are available for the Linux QRadar EDR Agent:
  • Network Share Discovery
  • Application Window Discovery
  • Network Sniffing Tools
  • File and Directory Permissions Modification
  • System Time Discovery
  • Proxy Tools
  • Software Discovery
The following detections are available for the macOS QRadar EDR Agent:
  • Clipboard Data Collection
  • Credentials in Files
  • Credential Prompt via Osascript
  • System Network Connections Discovery
  • In-memory Script Execution
  • OSACompile Run-Only Execution
Important:
  • MITRE ATT&CK sub-techniques are supported when you create MITRE ATT&CK events in DeStra policies. To receive the full sub-technique details, verify that your QRadar EDR Agents are up to date. If the agents are not updated, the events display partial information.
  • The new DeStra policies are disabled by default. To enable the DeStra policies, go to the Destra page and activate them globally or per endpoint group.
Removed DeStra (Detection as Code) policies

Removed seven default DeStra policies in favor of newly added policies that cover multiple use cases.

The following detections are removed from the QRadar EDR Agent:
  • Credential Dumping via Registry
  • Suspicious Shim Database Installed
  • Sticky Key Backdoor
  • Signed Script Proxy Execution
  • Suspicious XSL script
  • WMI subscription
  • SquiblyTwo behaviour
Updated IBM Security QRadar EDR
The following updates are now available in IBM Security QRadar EDR:
  • Added support to edit blocklist and allowlist policies.
  • Added support for MITRE ATT&CK framework version 15.
  • Added support for data removal to the QRadar EDR Agent backend.
  • Added API endpoints to search and download the agent distributions and components.
  • Added new events in the list of available Binding Events for the Linux agent and the Windows agent.
  • Improved the copy and paste function in the user interface.
  • Improved agent distribution validation when you use QRadar EDR Agent API.
  • Enhanced server request handling.
  • Enhanced performance when alerts contain many events.
  • Clarified the error messages from Cyber Assistant when alerts are being processed.
  • MSSP client admins can now create Anti-Malware exceptions.
  • Removed the alert forwarding feature.
  • Fixed the Agent distribution visibility for client admins.
  • Fixed an issue with the dashboard not working when a proxy is enabled.
  • Fixed an issue in PDF reports where page breaks split charts or tables.
  • Fixed a page loading issue when no groups exist in the Cyber Assistant configuration page.
  • Fixed an issue with the endpoint-specific backend services running after an endpoint is reported as offline.
  • Fixed various security vulnerabilities.

May 2024

New in 3.12.4
Updated Windows QRadar EDR Agent
Windows-only
Windows agent 3.11.5
  • Improved the overall anti-ransomware performance.
  • Fixed a typographical error in the is_dns_activity destra function name.
  • Fixed a case of event duplication.
  • Updated the certificate that is used to sign the application.
Windows agent 3.11.4
  • Fixed the error messages that appear when you use file event data in DeStra rules.
  • Optimized telemetry generation for Exchange server endpoints.
Windows Anti-Malware 1.5.9
  • Updated the certificate that is used to sign the application.
Windows Anti-Malware 1.5.8
  • Fixed potential security vulnerabilities.
Updated macOS QRadar EDR Agent
Mac-only
macOS agent 1.0.1
  • Enhanced the installer to improve the user experience.
  • Introduced MITRE event support for event enrichment.
Updated Linux QRadar EDR Agent
Linux-only
Linux agent 0.80.1
  • Added support for new events: File Created, File Read, File Written, File Renamed, File Deleted, User Login, User Logout, User Login Failed, User Account Creation by using Custom Event, and Filesystem Persistence.
  • Added support for new events in DeStra policies: Network Connection Established, MITRE ATT&CK, File Created, File Read, File Written, File Renamed, File Deleted, Custom Event, and Filesystem Persistence.
  • Added support for more Linux distributions.
  • Added support for the deep monitoring mode.
  • Added support for eBPF CO-RE driver. Prerequisite packages are no longer required for kernels 5.8 or later.
  • Improved Linux OS recognition.
  • Updated libraries to address the license violation and fix potential vulnerabilities.
Important: The Linux agent 0.80.1 fails to start on Debian 10 due to a driver issue. For more information about the known issue and the workaround, see technote 7148175.
Added default DeStra (Detection as Code) policies for Linux and macOS QRadar EDR Agents

Added ten new default DeStra (Detection as Code) policies to provide new detection capabilities by creating specific MITRE events and by triggering alerts.

The following detections are available for the Linux QRadar EDR Agent:
  • Pass the Hash
  • RC Scripts Modification
  • Indicator Removal
  • Data Collection Tactics
  • Impair Defenses
  • Ingress Tool Transfer
The following detections are available for the macOS QRadar EDR Agent:
  • Hidden Account Creation
  • Login Item Persistence
  • Kerberos Cached Credentials Dumping
  • Credentials from Keychain
Important: The new DeStra policies are disabled by default. To enable the DeStra policies, go to the Destra page and activate them globally or per endpoint group.
Updated IBM Security QRadar EDR
  • Fixed the missing Install Path header in CSV file export.
  • The DLL Hijacking Protection policy is removed from default policies.
  • Replaced in-product Changelog with a link to online documentation.
  • For the Linux agent and the Windows agent, new events are added in the list of available Binding Events that is used to create a DeStra from the dashboard.
  • Improved access for client administrators in endpoint groups that are created by using the public API.
  • Fixed an issue with the buttons on the Alert Details widget that obscures data. For more information, see technote DT222093.
  • Fixed an issue in PDF reports where page breaks split charts or tables. For more information, see technote DT258491.

January 2024

Updated Windows QRadar EDR Agent
Windows-only
Windows agent 3.11.0
  • Added support for both QRadar EDR and IBM digital signatures.
  • Fixed an issue with anti-malware download.
  • Fixed a potential vulnerability in some parameters that are passed to system APIs.
  • Fixed missing certificate chain validation for QRadar EDR components.
  • Fixed an issue with restart loop in edge cases of QRadar EDR Agent uninstallation.
  • Fixed a heap corruption issue.
Windows agent 3.11.1
  • The Windows distribution components are now IBM-signed.
  • The 32-bit NanoOS is deprecated.
  • Fixed an issue with certificate expiration for agents.
  • Fixed alert flags due to expired certificates in the agent.
Attention:
  • Due to the use of the new code-signing certificate in the Windows agent 3.11.1, the signature is changed. The end-of-life (EOL) versions of Windows do not support the new signature verification, which can lead to failures during agent updates.
  • The following Windows versions are no longer supported:
    • Windows Server 2008 R2 (SP2) - 32 bit
    • Windows Server 2008 R2 (SP2) - 64 bit
    • Windows client 7 (SP1) - 32 bit
    • Windows client 7 (SP1) - 64 bit
    • Windows 8 - 32 bit
    • Windows 8 - 64 bit
    • Windows 8.1 - 32 bit
  • Windows agent 3.11.0 is the last QRadar EDR agent that can run on the Windows versions that are no longer supported. To phase out the unsupported endpoints and preserve the agent that is running, group the unsupported endpoints and exclude them from automatic update delivery. For more information, see technote 7161908.
Windows agent 3.11.3
  • NanoOS is turned off when memory integrity is enabled in Windows.
  • Fixed potential security vulnerabilities.
Important: If you are running agents with versions older than Windows agent 3.11.0, first upgrade to Windows agent 3.11.0 before you upgrade to Windows agent 3.11.1 or later to avoid failures in subsequent Windows agent updates. For more information, see QRadar EDR: Updating to the Latest Windows Agent Release (3.11.1). If you encounter a certificate chain issue after the upgrade to Windows agent 3.11.0, fix it manually before you install any later versions of the Windows agent. For more information, see QRadar EDR: Agent version 3.11.1 or higher failure on Windows Endpoint.
Added default DeStra (Detection as Code) policies

Added fourteen new default DeStra (Detection as Code) policies to provide new detection capabilities by creating specific MITRE events and by triggering alerts. The following detections are available:

  • Known malicious tools or actor behaviors
  • Suspicious software that is used for remote access or proxy capabilities
  • Application shimming
  • System modification to weaken system security

October 2023

IBM Security QRadar EDR available as an on-premises deployment option
IBM Security QRadar Suite Software 1.10 now includes QRadar EDR as an on-premises deployment option to provide the endpoint detection and response (EDR) function.
Licensing updates

The licensing options document is updated to reflect current packaging and entitlements. For more information, see License options.

September 2023

Updated macOS QRadar EDR Agent
Mac-only
The agent is now supported on macOS Monterey and Ventura, and on Apple silicon processors. This update also enhances the security and stability of the agent.
For more information, see Installing the QRadar EDR Agent on Mac endpoints.

June 2023

Session expiration
To enhance the security posture of QRadar EDR:
  • The Remember Me checkbox was removed from the Login screen.
  • The default session length is reduced from 24 hours to 2 hours.
Anti-malware
Fixed a pagination issue on the Anti-malware configuration page.

March 2023

EULA is no longer displayed on the QRadar EDR Dashboard
To view the terms of your EULA or Service Description:
Updated Linux QRadar EDR Agent
Linux-only
The agent is now supported on more Linux distributions.
For more information, see Installing the QRadar EDR Agent on Linux endpoints.

October 2022

Protected uninstallation
Windows-only
Requires Windows agent 3.10 or later
Enable protected uninstallation to prevent users from uninstalling the QRadar EDR Agent from an endpoint without authorization.
For more information, see Enabling protected uninstallation.
Updated Linux QRadar EDR Agent
Linux-only
The Linux agent now uses eBPF. For more information about eBPF, see What is eBPF?.
You can now specify the QRadar EDR Brain domain name rather than the IP address when you install the Linux agent.
The Linux agent also includes fixes for known issues. The agent now reports the correct endpoint IP address, displays process commands in full, correctly associates processes with alerts, and operates independently of connectivity issues.
Important: Automatic updates to version 0.60.0 of the agent are not supported.
For more information, see Installing the QRadar EDR Agent on Linux endpoints.

July 2022

Automated actions against binaries based on their threat score
Hive-Cloud is an integration between QRadar EDR and third-party threat intelligence services.
A Hive-Cloud score is the threat score that is associated with a binary the first time it is run in your organization. You can set the Hive-Cloud score ranges to allow a binary to run without an alert, run and generate an alert, or block it from running.
For more information, see Managing Hive-Cloud scores.
Enforcement of TLS 1.2
The TLS connection between the QRadar EDR Agent and the QRadar EDR Brain must now use TLS 1.2.
New API endpoints
New API endpoints were added for better integration in your workflows and environments.
Isolation improvements
When you isolate an endpoint in the QRadar EDR Brain, the isolation status is now shown. You can now isolate and deisolate endpoints by using the API.