What's new or changed

See what new features and improvements are available in IBM® Security QRadar® EDR.

November 2025

New in 3.12.19

This release contains updates from 3.12.17 through 3.12.19.

Updated IBM Security QRadar EDR
  • Corrected an issue where an error occurs when creating policy from behavioral anomaly incident, see DT434407.
  • Corrected an issue where MSSP license expiration notification are not sent.
  • Fixed various security vulnerabilities.
  • Support DeStra validation and editing DeStras.
  • Renamed the Has Alert header in the threat hunt results table to Triggered Alert.
  • Improved form validation in the UI.
  • External API: corrected an issue where it should not be possible to add multiple clients associated with one endpoint in an MSSP environment.
  • Corrected an issue where deleting a MSSP client was affecting the visibility of associated agent distributions.
  • Corrected an issue where the App install time on the Endpoint Activities page was incorrect under certain conditions.
  • Corrected an issue where the App install date and time was invalid in the Endpoint Export CSV.
  • Corrected an issue where searching by username in the Audit Log page was not working correctly under some conditions.
  • Upgraded libraries and fixed security issues.
  • Fixed an issue which caused a UI error when trying to create an alert form a behavioral-anomaly event. For more information, see DT434407.
Updated Windows QRadar EDR Agent 3.12.8
  • Added new functionalities to the Destra engine to calculate the SHA256 checksum of a file and adjust the agent configuration.
  • Improved event handoff to the backend for better management of event spikes and caching.
  • Fixed a condition in which the MSI overwrites vcruntime140.dll with an older version during installation, see DT390910.
  • Fixed false-positive alerts for Process Impersonation, see DT423472.
  • Improved network security for connections between QRadar EDR Agent and EDR Hive. For more information, refer to tech notes 7214611 and 7214666.
  • Fixed a parsing error in a library causing the keeper service to crash, see DT426430.
  • Fixed a condition in a library causing the keeper service not to stop active ETW traces.
  • Fixed networking issues with QRadar EDR deployments using internally signed SSL certificates.
Updated Linux® QRadar EDR Agent 0.92.0
  • Updated libraries to fix vulnerabilities.
  • Increased scope of Executable Dropped event analysis.
  • Fixed issues related to wrong local IP address reported by agent on hosts with multiple interfaces, see DT419804.
  • Improved network security for connections between QRadar EDR Agent and EDR Hive. For more information, refer to tech notes 7214611 and 7214666.
  • Updated libraries to fix vulnerabilities.
Updated macOS QRadar EDR Agent 1.2.0
  • Improved network security for connections between QRadar EDR Agent and EDR Hive. For more information, refer to tech notes 7214611 and 7214666.
  • Improved events accuracy when using xpcproxy.
  • Improved checksum computation efficiency.
  • Improved event handling and hand-off to EDR Hive.
  • Fixed incompatibility of Apple Silicon Endpoints with older versions of EDR Hive.
  • Fixed issued on registration failure.
Added new DeStra (Detection as Code) policies
The following detections are available for the Windows QRadar EDR Agent:
  • Bring Your Own Vulnerable Driver.
  • Suspicious Executable Dropped by PowerShell.
  • Windows Credential Manager Dump.
The following detections are available for the Linux QRadar EDR Agent:
  • Fileless Malware Execution.
  • System Service Discovery.
Updated DeStra (Detection as Code) policies
The following detections are updated for the Linux QRadar EDR Agent to improve their coverage and reduce false positives:
  • Indicator removal.
  • Ingress Tool Transfer.
  • Proxy Tools.

May 2025

New in 3.12.16

This release contains updates from 3.12.14 through 3.12.16.

Updated IBM Security QRadar EDR
  • Fixed a bug where the Latest Agent details of Linux agents is incorrect on the Endpoints page.
  • Fixed a bug in the Endpoint Details page to correctly display endpoints with long MAC addresses.
  • External API: Fixed a bug where pagination does not work correctly when the API applications are listed.
  • Updated MITRE ATT&CK definitions to version 16.1.
  • Fixed various security vulnerabilities.
  • Fixed a bug where behavioral trees do not build correctly.
  • Fixed a bug where an update license request was incorrectly applied to groups in MSSP environments.
  • Fixed a bug where enabling a global policy on a group does not result in an error.
  • Fixed a bug that prevents backup and restore from starting.
  • Added support for 20k endpoints.
  • Fixed a bug where editing a disabled or partially enabled policy incorrectly enables the policy for all groups.
  • Fixed a bug where an API request to enable or disable a policy modifies the policy details.
  • Fixed a bug where Graphy miscalculates the last seen alert.
Updated DeStra (Detection as Code) policies
Added two allowlist policies to mitigate false positives from forged digital signature events in the temporary directory and process impersonation events on Microsoft Teams, Mozilla Firefox, and Microsoft Edge. For more information, see DT423472.
Updated Windows QRadar EDR Agent 3.12.5
  • Improved network security for connections between QRadar EDR Agent and EDR Hive. For more information, refer to tech notes 7214611 and 7214666.
  • Fixed a parsing error in a library causing the keeper service to crash, see DT426430..
  • Fixed a condition in a library causing the keeper service not to stop active ETW traces.
  • Fixed an issue where the keeper service fails due to a corrupted heap. For more information, see DT270530.
  • Fixed an issue where the keeper service fails to differentiate separate processes that share the same process ID (PID). For more information, see DT270524.
  • Fixed an issue where the uninstaller fails to remove all the agent components from the endpoint after the uninstallation process. For more information, see DT214084.
  • Updated external libraries to fix multiple security vulnerabilities.
  • Updated the certificate that is used to sign the application.
  • Fixed a bug where the Keeper service in Stop Pending status causes a continuous memory increase. For more information, see DT400969.
  • Fixed a bug where allowlist policies do not trigger as expected.
Important: If you are running agents with versions older than Windows agent 3.12.0, upgrade to Windows agent 3.12.0 before you upgrade to Windows agent 3.12.2 or later to avoid failures in subsequent Windows agent updates. For more information, see tech note 7180461.
Windows Anti-Malware 1.5.12

Fixed an issue where the anti-malware service is stuck in a stop pending state during updates.

Updated Linux® QRadar EDR Agent 0.91.0
  • Improved network security for connections between QRadar EDR Agent and EDR Hive. For more information, refer to tech notes 7214611 and 7214666.
  • Updated libraries to fix vulnerabilities.
  • Updated the libraries and driver to fix vulnerabilities and extend the Linux distribution support.
  • Improved event handoff to the backend for better management of event spikes and caching.
  • Enhanced process details that are reported in events.
  • Fixed an issue where the Linux agent fails to start on the Debian 10, RHEL 8, and Oracle Linux 8 endpoints due to a driver loading failure. For more information, see DT416692.
  • Fixed an issue where the Linux agent fails when invalid UTF-8 characters are observed in the process command line or file names. For more information, see DT418556.
  • Added support for user account deletion events, including in DeStra policies.
  • Enhanced username information that is reported in authentication events.
  • Fixed an issue where the Linux agent failed to start or send events when SELinux is enabled. For more information, see DT398501.
  • Fixed minor issues with the agent execution, termination, and uninstallation.
Updated macOS QRadar EDR Agent 1.2.0
  • Improved network security for connections between QRadar EDR Agent and EDR Hive. For more information, refer to tech notes 7214611 and 7214666.
  • Improved events accuracy when using xpcproxy.
  • Improved checksum computation efficiency.
  • Improved event handling and hand-off to EDR Hive.
  • Fixed incompatibility of Apple Silicon Endpoints with older versions of EDR Hive.
  • Fixed issued on registration failure.

January 2025

New in 3.12.13
Updated Windows QRadar EDR Agent
Windows-only
Windows agent 3.12.0
  • Added support for NanoOS for Windows 10 and Windows 11 kernels. For more information, see technote 7173575.
  • Added tamper protection for the QRadar EDR Agent file system.
  • Added support for new IBM certificates that are used to sign the application.
  • Fixed an issue in which the service is stuck in a Stop pending state.
  • Fixed an issue in which the QRadar EDR Agent database grows in size continuously. For more information, see technote DT364171.
  • Fixed an issue in which the QRadar EDR Agent causes a stop error. For more information, see technote DT390698.

Windows Anti-Malware 1.5.11

  • Fixed an issue in which the service is stuck in a Stop pending state.
  • Updated the certificate that is used to sign the application.
Updated DeStra (Detection as Code) policies
Updated thirteen DeStra (Detection as Code) policies to provide MITRE ATT&CK ID information. The following detections are updated for the Windows QRadar EDR Agent:
  • Mimikatz behaviour
  • Nvidia leaked certificates
  • Proxy tools
  • Remote access tools
  • Windows code signing policy modification
The following detections are updated for the Linux® QRadar EDR Agent:
  • Pass the hash
  • RC scripts modification
  • Indicator removal
  • Impair defenses
The following detections are updated for the macOS QRadar EDR Agent:
  • Hidden account creation
  • Login item persistence
  • Kerberos cached credentials dumping
  • Credentials from keychain
Updated IBM Security QRadar EDR
  • Dashboard users can now write Windows Agent Destras that use Registry Value Set and Registry Key Created events.
  • Dashboard users with admin privileges (and not only the global administrator) can view the audit page in MSSP mode.
  • Added support for MITRE ATT&CK framework version 15.1.
  • Fixed various security issues.

August 2024

New in 3.12.10
Updated macOS QRadar EDR Agent
Mac-only
macOS agent 1.1.0
  • Added a pre-execution block for hash-based blocklisted policies. The blocklisted process is now blocked at the kernel level before it starts running.
  • Added support for using YARA rules in DeStra policies.
  • Added support for new events for macOS Ventura and macOS Sonoma: File Created, File Read, File Written, File Renamed, and File Deleted.
  • Added support for sub-technique ID in the MITRE ATT&CK framework events.
  • Fixed a bug where the file name field is not populated for some events when event data is created.
  • Renamed the agent to IBM Security QRadar EDR from IBM Security ReaQta.
Important: If you are running agents with versions that are older than macOS agent 1.0.1, upgrade to macOS agent 1.0.1 before you upgrade to macOS agent 1.1.0 to avoid failures in subsequent macOS agent updates.
Updated Windows QRadar EDR Agent
Windows-only
Windows agent 3.11.6
  • Added new events to the DeStra engine: File Created, File Read, File Written, File Renamed, Registry Value Set, Registry Entry Deleted, and Kerberos Pre-Auth Failed.
  • Added support for sub-technique ID in the MITRE ATT&CK framework events.
  • Added Windows 11 version reports in endpoint details.
  • Migrated some MITRE ATT&CK event generation rules from the agent to the new DeStra policies.
  • Fixed potential security vulnerabilities.
  • Fixed a bug in endpoint isolation on IPv6 targets. For more information, see DT381580.
Important: To ensure continued MITRE ATT&CK coverage, enable the new DeStra policies in your environment. To enable the DeStra policies, go to the Destra page and activate them globally or per endpoint group.
Updated Linux QRadar EDR Agent
Linux-only
Linux agent 0.81.0
  • Added support for Executable Dropped events.
  • Added support for sub-technique ID in the MITRE ATT&CK framework events.
  • Added support for using YARA rules in DeStra policies.
  • Simplified the installation for endpoints by using the kernel module. You do not need to set the KMOD_IGNORE_TAINT configuration option anymore.
  • Enhanced driver preparation and loading.
  • Enhanced event reports for user authentication and user detail resolution.
Added new DeStra (Detection as Code) policies

Added twenty-three new DeStra (Detection as Code) policies to provide new detection capabilities by creating specific MITRE ATT&CK events and by triggering alerts.

The following detections are available for the Windows QRadar EDR Agent:
  • Process Discovery
  • Account Discovery
  • Credential Harvested
  • Remote System
  • Discovery System
  • Script Proxy Execution
  • Event Triggered Execution Configured
  • Subvert Trust Controls
  • Autostart Execution Configured
  • Time Discovery
  • XSL Scripting
The following detections are available for the Linux QRadar EDR Agent:
  • Network Share Discovery
  • Application Window Discovery
  • Network Sniffing Tools
  • File and Directory Permissions Modification
  • System Time Discovery
  • Proxy Tools
  • Software Discovery
The following detections are available for the macOS QRadar EDR Agent:
  • Clipboard Data Collection
  • Credentials in Files
  • Credential Prompt via Osascript
  • System Network Connections Discovery
  • In-memory Script Execution
  • OSACompile Run-Only Execution
Important:
  • MITRE ATT&CK sub-techniques are supported when you create MITRE ATT&CK events in DeStra policies. To receive the full sub-technique details, verify that your QRadar EDR Agents are up to date. If the agents are not updated, the events display partial information.
  • The new DeStra policies are disabled by default. To enable the DeStra policies, go to the Destra page and activate them globally or per endpoint group.
Removed DeStra (Detection as Code) policies

Removed seven default DeStra policies in favor of newly added policies that cover multiple use cases.

The following detections are removed QRadar EDR Agent:
  • Credential Dumping via Registry
  • Suspicious Shim Database Installed
  • Sticky Key Backdoor
  • Signed Script Proxy Execution
  • Suspicious XSL script
  • WMI subscription
  • SquiblyTwo behaviour
Updated IBM Security QRadar EDR
The following updates are now available in IBM Security QRadar EDR:
  • Added support to edit blocklist and allowlist policies.
  • Added support for MITRE ATT&CK framework version 15.
  • Added support for data removal to the QRadar EDR Agent backend.
  • Added API endpoints to search and download the agent distributions and components.
  • Added new events in the list of available Binding Events for the Linux agent and the Windows agent.
  • Improved the copy and paste function in the user interface.
  • Improved agent distribution validation when you use QRadar EDR Agent API.
  • Enhanced server request handling.
  • Enhanced performance when alerts contain many events.
  • Clarified the error messages from Cyber Assistant when alerts are being processed.
  • MSSP client admins can now create Anti-Malware exceptions.
  • Removed the alert forwarding feature.
  • Fixed the Agent distribution visibility for client admins.
  • Fixed an issue with the dashboard not working when proxy is enabled.
  • Fixed an issue in PDF reports where page breaks split charts or tables.
  • Fixed a page loading issue when no groups exist in the Cyber Assistant configuration page.
  • Fixed an issue with the endpoint-specific backend services running after an endpoint is reported as offline.
  • Fixed various security vulnerabilities.

May 2024

New in 3.12.4
Updated Windows QRadar EDR Agent
Windows-only
Windows agent 3.11.5
  • Improved the overall anti-ransomware performance.
  • Fixed a typographical error in the is_dns_activity destra function name.
  • Fixed a case of event duplication.
  • Updated the certificate that is used to sign the application.
Windows agent 3.11.4
  • Fixed the error messages that appear when you use file event data in DeStra rules.
  • Optimized telemetry generation for Exchange server endpoints.
Windows Anti-Malware 1.5.9
  • Updated the certificate that is used to sign the application.
Windows Anti-Malware 1.5.8
  • Fixed potential security vulnerabilities.
Updated macOS QRadar EDR Agent
Mac-only
macOS agent 1.0.1
  • Enhanced the installer to improve the user experience.
  • Introduced MITRE event support for event enrichment.
Updated Linux QRadar EDR Agent
Linux-only
Linux agent 0.80.1
  • Added support for new events: File Created, File Read, File Written, File Renamed, File Deleted, User Login, User Logout, User Login Failed, User Account Creation by using Custom Event, and Filesystem Persistence.
  • Added support for new events in DeStra policies: Network Connection Established, MITRE ATT&CK, File Created, File Read, File Written, File Renamed, File Deleted, Custom Event, and Filesystem Persistence.
  • Increased support for Linux Distribution.
  • Added support for the deep monitoring mode.
  • Added support for eBPF CO-RE driver. Prerequisite packages are no longer required for kernels 5.8 or later.
  • Improved Linux OS recognition.
  • Updated libraries to address the license violation and fix potential vulnerabilities.
Important: The Linux agent 0.80.1 fails to start on Debian 10 due to a driver issue. For more information about the known issue and the workaround, see technote 7148175.
Added default DeStra (Detection as Code) policies for Linux and macOS QRadar EDR Agents

Added ten new default DeStra (Detection as Code) were added to provide new detection capabilities by creating specific MITRE events and by triggering alerts.

The following detections are available for the Linux QRadar EDR Agent:
  • Pass the Hash
  • RC Scripts Modification
  • Indicator Removal
  • Data Collection Tactics
  • Impair Defenses
  • Ingress Tool Transfer
The following detections are available for the macOS QRadar EDR Agent:
  • Hidden Account Creation
  • Login Item Persistence
  • Kerberos Cached Credentials Dumping
  • Credentials from Keychain
Important: The new DeStra policies are disabled by default. To enable the DeStra policies, go to the Destra page and activate them globally or per endpoint group.
Updated IBM Security QRadar EDR
  • Fixed the missing Install Path header in CSV file export.
  • The DLL Hijacking Protection policy is removed from default policies.
  • Replaced in-product Changelog with a link to online documentation.
  • For the Linux agent and the Windows agent, new events are added in the list of available Binding Events that is used to create a DeStra from the dashboard.
  • Improved access for client administrators in endpoint groups that are created by using the public API.
  • Fixed an issue with the buttons on the Alert Details widget that obscures data. For more information, see technote DT222093.
  • Fixed an issue in PDF reports where page breaks split charts or tables. For more information, see technote DT258491.

January 2024

Updated Windows QRadar EDR Agent
Windows-only
Windows agent 3.11.0
  • Added support for both QRadar EDR and IBM digital signatures.
  • Fixed an issue with anti-malware download.
  • Fixed a potential vulnerability in some parameters that are passed to system APIs.
  • Fixed missing certificate chain validation for QRadar EDR components.
  • Fixed an issue with restart loop in edge cases of QRadar EDR Agent uninstallation.
  • Fixed a heap corruption issue.
Windows agent 3.11.1
  • The Windows distribution components are now IBM-signed.
  • The 32-bit NanoOS is deprecated.
  • Fixed an issue with certificate expiration for agents.
  • Fixed alert flags due to expired certificates in the agent.
Attention:
  • Due to the use of the new code-signing certificate in the Windows agent 3.11.1, the signature is changed. The end-of-life (EOL) versions of Windows do not support the new signature verification and can lead to failure during agent updates.
  • The following Windows versions are no longer supported:
    • Windows Server 2008 R2 (SP2) - 32 bit
    • Windows Server 2008 R2 (SP2) - 64 bit
    • Windows client 7 (SP1) - 32 bit
    • Windows client 7 (SP1) - 64 bit
    • Windows 8 - 32 bit
    • Windows 8 - 64 bit
    • Windows 8.1 - 32 bit
  • Windows agent 3.11.0 is the last QRadar EDR agent that can run on the Windows versions that are no longer supported. To phase out the unsupported endpoints and preserve the agent that is running, group the unsupported endpoints and exclude them from the automatic updates delivery. For more information, see technote 7161908.
Windows agent 3.11.3
  • NanoOS is turned off when memory integrity is enabled in Windows.
  • Fixed potential security vulnerabilities.
Important: If you are running agents with versions older than Windows agent 3.11.0, first upgrade to Windows agent 3.11.0 before you upgrade to Windows agent 3.11.1 or later to avoid failures in subsequent Windows agent updates. For more information, see QRadar EDR: Updating to the Latest Windows Agent Release (3.11.1). If you encounter a certificate chain issue after the upgrade to Windows agent 3.11.0, fix it manually before you install any later versions of the Windows agent. For more information, see QRadar EDR: Agent version 3.11.1 or higher failure on Windows Endpoint.
Added default DeStra (Detection as Code) policies

Added fourteen new default DeStra (Detection as Code) to provide new detection capabilities by creating specific MITRE events and by triggering alerts. The following detections are available:

  • Known malicious tools or actors behaviors
  • Suspicious software that is used for remote access or proxy capabilities
  • Application shimming
  • System modification to weaken system security

October 2023

IBM Security QRadar EDR available as an on-premises deployment option
IBM Security® QRadar Suite Software 1.10 now includes QRadar EDR as an on-premises deployment option to provide the endpoint detection and response (EDR) function.
Licensing updates

The licensing options document is updated to reflect current packaging and entitlements. For more information, see License options.

September 2023

Updated macOS QRadar EDR Agent
Mac-only
The agent is now supported on macOS Monterey and Ventura, and on Apple silicon processors. This update also enhances the security and stability of the agent.
New information For more information, see Installing the QRadar EDR Agent on Mac endpoints.

June 2023

Session expiration
To enhance the security posture of QRadar EDR:
  • The Remember Me checkbox was removed from the Login screen.
  • The default session length is reduced from 24 hours to 2 hours.
Anti-malware
Fixed a pagination issue on the Anti-malware configuration page.

March 2023

EULA is no longer displayed on the QRadar EDR Dashboard
To view the terms of your EULA or Service Description:
Updated Linux QRadar EDR Agent
Linux-only
The agent is now supported on more Linux distributions.
New information For more information, see Installing the QRadar EDR Agent on Linux endpoints.

October 2022

Protected uninstallation
Windows-only
Requires Windows agent 3.10 or later
Enable protected uninstallation to prevent users from uninstalling the QRadar EDR Agent from an endpoint without authorization.
New information For more information, see Enabling protected uninstallation.
Updated Linux QRadar EDR Agent
Linux-only
The Linux agent now uses eBPF. For more information about eBPF, see What is eBPF?.
You can now specify the QRadar EDR Brain domain name rather than the IP address when you install the Linux agent.
The Linux agent also includes fixes to known issues. The agent now reports the correct endpoint IP address, displays process commands in full, correctly associated processes to alerts, and works independently from connectivity issues.
Important: Automatic updates to version 0.60.0 of the agent are not supported.
New information For more information, see Installing the QRadar EDR Agent on Linux endpoints.

July 2022

Automated actions against binaries based on their threat score
Hive-Cloud is an integration between QRadar EDR and third-party threat intelligence services.
A Hive-Cloud score is the threat score that is associated with a binary the first time it is run in your organization. You can set the Hive-Cloud score ranges to allow a binary to run without an alert, run and generate an alert, or block it from running.
New information For more information, see Managing Hive-Cloud scores.
Enforcement of TLS 1.2
The TLS connection between the QRadar EDR Agent and the QRadar EDR Brain must now use TLS 1.2.
New API endpoints
New API endpoints were added for better integration in your workflows and environments.
Isolation improvements
When you isolate an endpoint in the QRadar EDR Brain, the isolation status is now shown. You can now isolate and deisolate endpoints by using the API.