What's new or changed
See what new features and improvements are available in IBM® Security QRadar® EDR.
August 2024
New in 3.12.10
- Updated macOS QRadar EDR Agent
  - Mac-only
- Updated Windows QRadar EDR Agent
  - Windows-only
- Updated Linux® QRadar EDR Agent
  - Linux-only
- Added new DeStra (Detection as Code) policies
  - Added twenty-three new DeStra (Detection as Code) policies to provide new detection capabilities by creating specific MITRE ATT&CK events and by triggering alerts.
  The following detections are available for the Windows QRadar EDR Agent:
  - Process Discovery
  - Account Discovery
  - Credential Harvested
  - Remote System Discovery
  - Script Proxy Execution
  - Event Triggered Execution Configured
  - Subvert Trust Controls
  - Autostart Execution Configured
  - Time Discovery
  - XSL Scripting
  The following detections are available for the Linux QRadar EDR Agent:
  - Network Share Discovery
  - Application Window Discovery
  - Network Sniffing Tools
  - File and Directory Permissions Modification
  - System Time Discovery
  - Proxy Tools
  - Software Discovery
  The following detections are available for the macOS QRadar EDR Agent:
  - Clipboard Data Collection
  - Credentials in Files
  - Credential Prompt via Osascript
  - System Network Connections Discovery
  - In-memory Script Execution
  - OSACompile Run-Only Execution
  Important:
  - MITRE ATT&CK sub-techniques are supported when you create MITRE ATT&CK events in DeStra policies. To receive the full sub-technique details, verify that your QRadar EDR Agents are up to date. If the agents are not updated, the events display partial information.
  - The new DeStra policies are disabled by default. To enable the DeStra policies, go to the DeStra page and activate them globally or per endpoint group.
- Removed DeStra (Detection as Code) policies
  - Removed seven default DeStra policies in favor of newly added policies that cover multiple use cases.
  The following detections are removed from the QRadar EDR Agent:
  - Credential Dumping via Registry
  - Suspicious Shim Database Installed
  - Sticky Key Backdoor
  - Signed Script Proxy Execution
  - Suspicious XSL script
  - WMI subscription
  - SquiblyTwo behaviour
- Updated IBM Security QRadar EDR
  - The following updates are now available in IBM Security QRadar EDR:
- Added support to edit blocklist and allowlist policies.
- Added support for MITRE ATT&CK framework version 15.
- Added support for data removal to the QRadar EDR Agent backend.
- Added API endpoints to search and download the agent distributions and components.
- Added new events in the list of available Binding Events for the Linux agent and the Windows agent.
- Improved the copy and paste function in the user interface.
- Improved agent distribution validation when you use QRadar EDR Agent API.
- Enhanced server request handling.
- Enhanced performance when alerts contain many events.
- Clarified the error messages from Cyber Assistant when alerts are being processed.
- MSSP client admins can now create Anti-Malware exceptions.
- Removed the alert forwarding feature.
- Fixed the Agent distribution visibility for client admins.
- Fixed an issue with the dashboard not working when proxy is enabled.
- Fixed an issue in PDF reports where page breaks split charts or tables.
- Fixed a page loading issue when no groups exist in the Cyber Assistant configuration page.
- Fixed an issue with the endpoint-specific backend services running after an endpoint is reported as offline.
- Fixed various security vulnerabilities.
May 2024
New in 3.12.4
- Updated Windows QRadar EDR Agent
  - Windows-only
- Updated macOS QRadar EDR Agent
  - Mac-only
- Updated Linux QRadar EDR Agent
  - Linux-only
- Added default DeStra (Detection as Code) policies for Linux and macOS QRadar EDR Agents
  - Added ten new default DeStra (Detection as Code) policies to provide new detection capabilities by creating specific MITRE events and by triggering alerts.
  The following detections are available for the Linux QRadar EDR Agent:
  - Pass the Hash
  - RC Scripts Modification
  - Indicator Removal
  - Data Collection Tactics
  - Impair Defenses
  - Ingress Tool Transfer
  The following detections are available for the macOS QRadar EDR Agent:
  - Hidden Account Creation
  - Login Item Persistence
  - Kerberos Cached Credentials Dumping
  - Credentials from Keychain
  Important: The new DeStra policies are disabled by default. To enable the DeStra policies, go to the DeStra page and activate them globally or per endpoint group.
- Updated IBM Security QRadar EDR
- Fixed the missing Install Path header in CSV file export.
- The DLL Hijacking Protection policy is removed from default policies.
- Replaced in-product Changelog with a link to online documentation.
- For the Linux agent and the Windows agent, new events are added in the list of available Binding Events that is used to create a DeStra from the dashboard.
- Improved access for client administrators in endpoint groups that are created by using the public API.
- Fixed an issue with the buttons on the Alert Details widget that obscured data. For more information, see technote DT222093.
- Fixed an issue in PDF reports where page breaks split charts or tables. For more information, see technote DT258491.
January 2024
- Updated Windows QRadar EDR Agent
  - Windows-only
- Added default DeStra (Detection as Code) policies
  - Added fourteen new default DeStra (Detection as Code) policies to provide new detection capabilities by creating specific MITRE events and by triggering alerts. The following detections are available:
- Known malicious tools or actors behaviors
- Suspicious software that is used for remote access or proxy capabilities
- Application shimming
- System modification to weaken system security
October 2023
- IBM Security QRadar EDR available as an on-premises deployment option
  - IBM Security QRadar Suite Software 1.10 now includes QRadar EDR as an on-premises deployment option to provide the endpoint detection and response (EDR) function.
- Licensing updates
  - The licensing options document is updated to reflect current packaging and entitlements. For more information, see License options.
September 2023
- Updated macOS QRadar EDR Agent
  - Mac-only
June 2023
- Session expiration
  - To enhance the security posture of QRadar EDR:
    - The Remember Me checkbox was removed from the Login screen.
    - The default session length is reduced from 24 hours to 2 hours.
- Anti-malware
  - Fixed a pagination issue on the Anti-malware configuration page.
March 2023
- EULA is no longer displayed on the QRadar EDR Dashboard
  - To view the terms of your EULA or Service Description:
    - If you purchased IBM Security QRadar EDR, see https://www.ibm.com/support/customer/csol/terms/?ref=i126-9330-05-10-2022-zz-en.
    - If you purchased QRadar EDR Hive and you expanded or extended your contract with IBM after 1 September 2022, see https://www.ibm.com/downloads/cas/K5EWNP7Q and https://www.ibm.com/support/customer/csol/terms/?ref=i126-9495-01-09-2022-zz-en.
    - If you purchased QRadar EDR Hive and you did not expand or extend your contract with IBM, see https://www.ibm.com/downloads/cas/K5EWNP7Q.
- Updated Linux QRadar EDR Agent
  - Linux-only
October 2022
- Protected uninstallation
  - Windows-only
- Updated Linux QRadar EDR Agent
  - Linux-only
July 2022
- Automated actions against binaries based on their threat score
  - Hive-Cloud is an integration between QRadar EDR and third-party threat intelligence services.
- Enforcement of TLS 1.2
  - The TLS connection between the QRadar EDR Agent and the QRadar EDR Brain must now use TLS 1.2.
- New API endpoints
  - New API endpoints were added for better integration in your workflows and environments.
- Isolation improvements
  - When you isolate an endpoint in the QRadar EDR Brain, the isolation status is now shown. You can now isolate and deisolate endpoints by using the API.