Sep 8th, 2021

Qualys Endpoint Detection and Response (EDR)

Qualys EDR / Patch Management Blog Series [Part 2]

NOTE: This is the second part of a blog series.

Part 1: Qualys Patch Management (PM)

Part 2: Qualys Endpoint Detection and Response (EDR)

Part 3: PM and EDR Remediation Demonstration

Overview

In this blog post, we will take a look at the Endpoint Detection and Response (EDR) module in Qualys. We will learn the answers to questions such as “What is Qualys Endpoint Detection and Response?”, “What is it used for?”, “How does it work?”, “How do you activate and set it up?”, “What kind of features does it have?” and “What can we do with this module?”.

In the next and final part of this blog series, we will be discussing patching by using Qualys Patch Management (PM) and remediation with Qualys Endpoint Detection and Response (EDR). In addition, the impacts of PM and EDR on target hosts will be demonstrated.

Index

Part 1: Qualys Patch Management (PM)

  1. Patch Management (PM) with Qualys: An Overview
  2. Patch Management Features
  3. Patch Sources
  4. PM Activation & Setup
    1. Cloud Agent Module
      1. Install Cloud Agent on target host.
      2. Assign target agent host to a Configuration Profile that has PM enabled.
      3. Activate PM module on target agent host (alternative to Configuration Profile).
    2. Patch Management Module
      1. Assign target agent host to an enabled PM Assessment Profile.
      2. Assign hosts to PM Jobs (activate license).
  5. Overview of the PM Application
    1. Patch Management UI
    2. Assessment Profile
    3. License Consumption
  6. PM Deployment Job / PM Uninstall Job
    1. Job Status
    2. Patching from VM and VMDR
    3. VMDR Prioritization Report
  7. PM Assets
  8. Patch Catalog (Patches)

Part 2: Qualys Endpoint Detection and Response (EDR)

  1. Qualys Endpoint Detection and Response (EDR) Overview
  2. EDR Activation and Setup
    1. Install Cloud Agent on target host.
    2. Assign target agent host to a Configuration Profile that has EDR enabled.
    3. Activate EDR module on target agent host (alternative to Configuration Profile).
  3. EDR Application Overview
    1. EDR User Interface
  4. Events and Incidents
    1. Hunting Events
    2. Using Queries for Hunting Suspicious Activity
  5. EDR Investigation and Response Actions
  6. Rule-Based Alerts
    1. Configure Rules
    2. Trigger Criteria
    3. Aggregating Alerts
    4. Activity Tab
  7. Prevention
    1. Global Asset Inventory (AI)
    2. Detect Vulnerabilities and Missing Patches
    3. Additional Context from Configuration Management

Part 3: PM and EDR Remediation Demonstration

  1. PM Patching (Virtual Machine)
  2. Remediation with EDR (Virtual Machine)
    1. Dealing with Malicious Event
    2. Response Actions

1. Qualys Endpoint Detection and Response (EDR) Overview

Endpoint Detection and Response, or EDR, is a cybersecurity solution that detects and responds to cyber threats on a continuous basis.

The Qualys multi-vector EDR application is an evolved superset of the Indication of Compromise (IOC) application.

The Cloud Agent delivers Qualys EDR, allowing for continuous monitoring and data gathering from the agent via the EDR Manifest. After enabling EDR for an asset, the agent begins collecting data in real-time about the asset's numerous objects and associated actions/events. It uploads the data to the Qualys cloud platform for analysis.

Image shows Qualys Endpoint Detection and Response EDR Overview

This information is directly correlated with Qualys Malware Labs threat intelligence and research, and you can view the incidents recognized by EDR as well as the system events and details gathered by the cloud agent in the EDR app. Events are prioritized using a proprietary scoring system, allowing for a prioritized response, and the user is informed of harmful events, infected hosts, and attacks taking place in their environment, among other things.

EDR extends the Qualys Cloud Platform's threat hunting and remedial response capabilities. EDR identifies a suspicious activity, validates the presence of known and unknown malware, and responds to your assets' remediation needs.

Finally, EDR unifies various context vectors such as asset discovery, rich normalized software inventory, end-of-life or end-of-support visibility, vulnerabilities and exploits, misconfiguration, in-depth endpoint telemetry, and network reachability in a single cloud-based app with a powerful backend to correlate it all for accurate assessment, detection, and response. Correlation with all attack vectors aids in identifying the root cause and reducing the likelihood of future attacks.

2. EDR Activation and Setup

The following configuration steps are required to use the Qualys Endpoint Detection and Response (EDR) application successfully:

2.1 On the target host, install the Cloud Agent.

Note: Cloud Agent must be installed with an activation key that is compatible with the EDR module.

Image shows install the Cloud Agent

If you're not sure how to install and configure “Qualys Cloud Agent”, check out the Qualys Cloud Agent Installation Guide with Windows and Linux Scripts.

Image shows Qualys Cloud Agent Installation Guide with Windows and Linux Scripts.

2.2 Assign the target agent host to an EDR-enabled Configuration Profile.

To create a “Configuration Profile” using assets, create a new asset tag.

Image shows create a “Configuration Profile” using assets.

Create a new "Configuration Profile" to work with.

Image shows Create a new "Configuration Profile" to work with.

PERFORMANCE: The high-performance option performs more frequent checks.

Image shows the high-performance option

ASSIGN HOSTS: Choose which assets will receive this profile. Assets can be selected using "by Asset Tag" or "by Name”.

Image shows choose which assets will receive this profile

EDR: For Configuration Profile, enable the EDR module.

Image shows enabling the EDR module for the Configuration Profile

2.3 On the target agent host, activate the EDR module.

You can manually activate the asset module instead of using the Configuration Profile to enable EDR.

Image shows you can manually activate the asset module instead of using the Configuration Profile to enable EDR

3. EDR Application Overview

On the "EDR Welcome page," use "Configure Agents for EDR" to configure agents and upgrade activation keys for the "EDR module".

Additionally, on the "EDR Welcome page," you can simply manage tags.

Image shows additionally, on the "EDR Welcome page," you can simply manage tags.

Discover and Monitor: Install lightweight agents on your IT assets in minutes. These may be installed on your on-premises systems, as well as in dynamic cloud settings and on mobile devices. Cloud Agents (CA) are self-updating and are maintained centrally by the cloud agent platform (no reboot needed).

Detect and Investigate: In one central spot, you can view and investigate all of your EDR issues and events. You'll get a list of all occurrences that have been discovered across all of your assets. In a matter of seconds, you may search through all of your incidents and events.

Image shows Detect and Investigate

Respond and Prevent: From a central location, respond to suspicious and harmful activity. For a harmful or suspicious event, a remediation action is provided.

Image shows Respond and Prevent

3.1 EDR User Interface

There are five sections to the EDR user interface:

  1. DASHBOARDS: Dashboards allow you to examine your assets, see your threat exposure, use stored searches, and quickly remediate harmful or suspicious occurrences.

Unified Dashboard (UD) and EDR have been merged. UD visualizes information from many Qualys apps in a single location.

To visualize particular information, you may utilize Qualys' EDR dashboards or create your own widgets and dashboards.

Image shows DASHBOARDS

  2. INCIDENTS: This section includes a list of all incidents that have been discovered in your environment. You may examine them by malware family name and malware category using Qualys' advanced search and filter features.
    • View and search assets that have been identified as being infected with malware.
    • Look into incidents based on Active Threats and Malware Families/Categories.

Image shows INCIDENTS

  3. HUNTING: This section includes a list of all events gathered from EDR-enabled assets by the Cloud Agent. You may use this page to filter and search for harmful File, Process, Network, and Mutex events, as well as execute remedial activities.

Image shows HUNTING

  • Examine the information gathered by EDR agents.
  • Search for events based on their characteristics, skip to events that happened within a specific time range, and organize events based on their kind, activity, and score.
  • Remedial action should be taken in the case of malicious files, processes, mutexes, and network events.
  • Results of a “Search” can be exported

Image shows results of a “Search” can be exported

  4. ASSETS: This section includes a list of agent host assets that have the EDR module enabled. You may obtain up-to-date information on a specific asset's details, events, and incidents all in one location.

When examining asset details, the user may examine the asset's inventory, vulnerability, compliance, EDR, and other data in one location.

When viewing event or incident details, the user is taken directly to the Hunting or Incidents tab.

Image shows ASSETS

  • Lists all EDR-enabled agent assets.
  • Provides up-to-date information about a certain asset's details, events, and occurrences.
  • Asset data is available in CSV format for download.
  • Show the assets that have been affected and the infections that have occurred.

Image shows the assets that have been affected and the infections that have occurred.

  5. RESPONSES: This section shows the status of requests for remedial measures taken in response to harmful occurrences.

You may also set EDR to monitor events for conditions defined in a rule and give you notifications if events fit the condition.

  • View the status of response actions.
  • Set up rule-based notifications.

Image shows RESPONSES

4. Events and Incidents

  • An “object” is an artifact on the system, without state information.
  • Object types:
    • File – a PE file on a locally attached disk (called the “image”)
    • Process – a running process, usually started from an image
    • Process Network Connection – the network state of a process
    • Mutex – a mutant handle, a shared memory resource used by processes
    • Registry – Windows registry locations used for persistence (auto-start)
  • Actions and events add state information to an object:
    • File (Created | Deleted | Renamed | Write)
    • Process (Running | Terminated)
    • Mutex (Running | Terminated)
    • Network (Connected | Disconnected | Listening)
    • Registry (Created | Deleted)

4.1 Hunting Events

Search for events using event attributes, skip to events that took place within a specific timeframe, organize events by category, and see event and asset information.

For EDR-enabled assets, the Hunting section includes a list of all event data gathered by the Cloud Agent. Using various search queries, you may filter harmful events and search for malicious files, processes, mutexes, and network events.

You may also sort events by Type (file, process, mutex, and network), Action (file created, network connection formed or listening, a process running, and so forth), and Score.

Finally, you can take steps to correct harmful events.

Image shows Hunting Events

Filter for "harmful events" to see a list of all malicious events, which you may then “delete” or “quarantine”.

Image shows harmful events

The event's details page has all of the pertinent information. Click Quick Actions > Event Details to go to the Events Details page.

The Event Details page displays information about the object (file/process/mutex/network connection) and its state (file created, process/mutex running or terminated, network listening on a port, network connection established), such as the image path, associated user, process ID, MD5/SHA256 hash value, and so on.

Image shows The Event Details

The event tree for Process, Mutex, and Network events is displayed on the Event Details page.

Image shows The event tree for Process, Mutex, and Network events is displayed on the Event Details page.

We show all the events that are linked to the selected event in the event tree.

Current View (Active State)

Only an asset's currently active events are shown:

  • File Created (existence)
  • Process Running
  • Mutex Running
  • Network Listening / Established
  • Registry Created (existence)

Image shows Current View.

Historic View (“Look Back” Investigation)

Events are stored as state changes:

  • File Created / Deleted
  • Process Running / Terminated
  • Mutex Running / Terminated
  • Network Listening / Established / Closed
  • Registry Created / Deleted

Image shows Historic View.
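The difference between the Current View and the Historic View becomes concrete when you replay state-change events yourself. The following Python is an added illustration written for this post, not Qualys code: the event shape, paths, PIDs and the outbound address are constructed, and the sets of "activating" and "ending" actions are an assumption derived from the action list above.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Event:
    ts: int          # event time in seconds (constructed)
    obj_type: str    # FILE | PROCESS | MUTEX | NETWORK | REGISTRY
    key: str         # object identity: path, "pid:image", mutex name, socket or registry value
    action: str      # the state change the agent recorded

# Assumption: these actions bring an object into an active state / end that state.
ACTIVATING = {"Created", "Running", "Listening", "Connected", "Established"}
ENDING = {"Deleted", "Terminated", "Closed", "Disconnected"}

# Constructed timeline for one host: a dropped executable runs briefly, connects out,
# terminates and is deleted, leaving only a Run key and a long-running system process.
# Paths, PIDs and the address (TEST-NET) are made up for this example.
SAMPLE_EVENTS = [
    Event(100, "FILE", r"C:\Users\Public\drop.exe", "Created"),
    Event(110, "PROCESS", r"4711:C:\Users\Public\drop.exe", "Running"),
    Event(120, "NETWORK", "4711->203.0.113.5:443", "Connected"),
    Event(130, "PROCESS", r"4711:C:\Users\Public\drop.exe", "Terminated"),
    Event(131, "NETWORK", "4711->203.0.113.5:443", "Closed"),
    Event(140, "FILE", r"C:\Users\Public\drop.exe", "Deleted"),
    Event(150, "REGISTRY", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", "Created"),
    Event(160, "PROCESS", r"4800:C:\Windows\System32\svchost.exe", "Running"),
]

def active_view(events: List[Event]) -> Dict[Tuple[str, str], Event]:
    """Current View: replay state changes in time order and keep only objects still active."""
    active: Dict[Tuple[str, str], Event] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        k = (ev.obj_type, ev.key)
        if ev.action in ACTIVATING:
            active[k] = ev
        elif ev.action in ENDING:
            active.pop(k, None)
        elif k in active:            # Write / Renamed: the file still exists, keep it active
            active[k] = ev
    return active

def historic_view(events: List[Event], start: int, end: int) -> Dict[Tuple[str, str], List[str]]:
    """Historic View ("look back"): every state change per object inside the window,
    including objects that no longer exist on the host."""
    timeline: Dict[Tuple[str, str], List[str]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if start <= ev.ts <= end:
            timeline.setdefault((ev.obj_type, ev.key), []).append(ev.action)
    return timeline

if __name__ == "__main__":
    for k, ev in active_view(SAMPLE_EVENTS).items():
        print("ACTIVE  ", k, ev.action)
    for k, actions in historic_view(SAMPLE_EVENTS, 0, 200).items():
        print("HISTORIC", k, " -> ".join(actions))
```

Run as is, the Current View reports only the Run key and svchost.exe; the dropped file, its process and the outbound connection have already been deleted, terminated and closed, so they appear only in the Historic View. That is why the look-back investigation matters for short-lived activity.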

You may check for available results/research on this threat by searching for the file hash on Google, or you can compare EDR findings to the VirusTotal database to see whether other scanning engines have recognized this file/process/mutex as dangerous.

Image shows You may check for available results/research

VirusTotal gathers information from a variety of antivirus programs and internet scan engines to look for infections that the user's own antivirus may have missed, as well as to rule out any false positives.

Image shows VirusTotal gathers information

4.2 Using Queries for Hunting Suspicious Activity

Image shows Using Queries for Hunting Suspicious Activity

What are the most interesting file properties?

  • Examine the information about the signer and the certificate.
  • Look for files running out of $RECYCLE.BIN, %temp% or %downloads%

What do you search for when you're looking for evasion methods?

  • Malware files may be renamed to seem to be native Windows files.
  • Compare filenames within %system% to files on disk.
  • Look for suspicious use of SVCHOST, WMI, and PowerShell.

Is it safe to trust your files?

  • Examine the information on the certificate.
  • Look for persistent untrustworthy files, untrusted processes, and untrusted programs that generate network traffic to add to your results.

Sample Hunting Search

“Suspicious Use of Windows Command Shell and PowerShell” is a threat actor tactic and hunting approach:

  • Threat actors aim to avoid detection by loading malicious scripts into memory via whitelisted applications
  • PowerShell or cmd.exe are not invoked using MS Office applications in normal use.
  • Hunting approach: look for cmd.exe or powershell.exe launched by winword.exe, excel.exe, or powerpnt.exe

Query: type:PROCESS and parent.name:["winword.exe", "excel.exe", "powerpnt.exe"] and process.name:[ "cmd.exe","powershell.exe" ] and process.arguments:"-e*"

Identify any MS Office processes that have used the Windows command shell or PowerShell.

Image shows Query

Threats such as fileless attacks involve the use of legitimate/whitelisted programs such as the Windows command shell or PowerShell to load malware directly into memory. Although Microsoft's PowerShell is preinstalled on nearly all Microsoft systems and is considered trusted software, seeing it launched via MS Word, PowerPoint or Excel is highly anomalous and suspicious.

Sample Hunting Search – 2

“Suspicious Use of WMI” is a threat actor tactic and hunting approach:

  • The WMI Provider Host (“wmiprvse.exe”) is the system process that executes WMI commands, including those issued from a remote host
  • Threat actors use it as a remote execution utility and to establish persistence
  • Hunting approach: powershell.exe running with wmiprvse.exe as parent process may be suspicious

Query: type:PROCESS and parent.name:"wmiprvse.exe" and process.name:"powershell.exe" and process.arguments:"-e*"

Find all WMI-invoked PowerShell processes that are currently executing.

Image shows Query

WMI was created as Microsoft's interpretation of web-based enterprise management (WBEM) for system administration and auditing; however, attackers may utilize it at any point throughout the Attack Lifecycle, from gaining a foothold on a system to stealing data from the environment, and anything in between.

Because WMI is so versatile, hackers have found a variety of methods to use it to run malicious code. Because of the large quantity of legitimate activity in today's organization, finding malicious WMI and PowerShell in memory might be difficult. Context is crucial in hunting, and looking at the parent and children of processes may frequently provide further context.
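To show what the two hunting queries above actually select, here is an added Python example (written for this post, not Qualys code) that evaluates the same field conditions over constructed process events. It is an approximation of the query semantics, not a Qualys Query Language parser: a list means "any of", `*` is a wildcard, matching is case-insensitive, and the `process.arguments` pattern is assumed to be tested against each whitespace-separated argument token. The event ids, parent/child names and arguments are constructed; the encoded payloads are placeholders.

```python
import fnmatch
from typing import Any, Dict, List, Union

Pattern = Union[str, List[str]]

# Constructed process events in the field layout the queries use.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"id": "e1", "type": "PROCESS", "parent": {"name": "WINWORD.EXE"},
     "process": {"name": "powershell.exe", "arguments": "-nop -w hidden -enc <BASE64_PLACEHOLDER>"}},
    {"id": "e2", "type": "PROCESS", "parent": {"name": "explorer.exe"},
     "process": {"name": "cmd.exe", "arguments": "/c dir"}},
    {"id": "e3", "type": "PROCESS", "parent": {"name": "wmiprvse.exe"},
     "process": {"name": "powershell.exe", "arguments": "-NoProfile -EncodedCommand <BASE64_PLACEHOLDER>"}},
    {"id": "e4", "type": "PROCESS", "parent": {"name": "excel.exe"},
     "process": {"name": "cmd.exe", "arguments": "/c calc.exe"}},     # Office child without -e*: not returned
    {"id": "e5", "type": "PROCESS", "parent": {"name": "winword.exe"},
     "process": {"name": "splwow64.exe", "arguments": ""}},           # benign Office helper process
    {"id": "e6", "type": "FILE", "parent": {"name": "powershell.exe"},
     "process": {"name": "powershell.exe", "arguments": "-enc <BASE64_PLACEHOLDER>"}},  # wrong event type
]

# The post's two hunting queries, expressed as field -> pattern(s).
OFFICE_TO_SHELL: Dict[str, Pattern] = {
    "type": "PROCESS",
    "parent.name": ["winword.exe", "excel.exe", "powerpnt.exe"],
    "process.name": ["cmd.exe", "powershell.exe"],
    "process.arguments": "-e*",
}
WMI_TO_POWERSHELL: Dict[str, Pattern] = {
    "type": "PROCESS",
    "parent.name": "wmiprvse.exe",
    "process.name": "powershell.exe",
    "process.arguments": "-e*",
}

def _field(event: Dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted field name such as 'parent.name' against a nested event dict."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur

def _matches(value: Any, pattern: Pattern) -> bool:
    """Case-insensitive wildcard match; a list of patterns matches if any pattern does.
    Multi-token values (command lines) match if any token matches."""
    if isinstance(pattern, list):
        return any(_matches(value, p) for p in pattern)
    if not isinstance(value, str):
        return False
    tokens = value.split() or [value]
    return any(fnmatch.fnmatchcase(t.lower(), pattern.lower()) for t in tokens)

def hunt(events: List[Dict[str, Any]], query: Dict[str, Pattern]) -> List[str]:
    """Return the ids of events for which every field condition in the query holds (AND)."""
    return [e["id"] for e in events
            if all(_matches(_field(e, f), p) for f, p in query.items())]

if __name__ == "__main__":
    print("Office -> shell:", hunt(SAMPLE_EVENTS, OFFICE_TO_SHELL))
    print("WMI -> PowerShell:", hunt(SAMPLE_EVENTS, WMI_TO_POWERSHELL))
```

Two tuning points follow from running it: event e4 (Excel spawning `cmd.exe /c`) is not returned because both queries also require an argument starting with `-e`, so dropping the `process.arguments` clause broadens the hunt to every Office-spawned shell; and the `-e*` wildcard matches `-ExecutionPolicy` as readily as `-enc` or `-EncodedCommand`, so results still need review before a response action.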

5. EDR Investigation and Response Actions

Use Active Threats to investigate incidents; it groups active threats by Host, Malware Name, and Malware Family.

Image shows EDR Investigation and Response Actions

  • All Hosts with threats listed under Incidents
  • Filter results by Malware Family and Category
  • The highest event score is used to calculate the asset score

Details about incidents may be viewed by clicking on their names.

Image shows Details about incidents may be viewed by clicking on their names.

Display file details from the process tree.

In addition, “remediation action” may be found under “View Mode > Process Tree”.

Image shows “remediation action” may be found under “View Mode > Process Tree”.

Delete or Quarantine files on the process tree.

Image shows Delete or Quarantine files on the process tree.

When you run a delete or quarantine action, you'll get a message and the status of the action will change to "In Progress".

Image shows you'll get a message and the status of the action will change to "In Progress".

On the “RESPONSE” page, you can see all quarantined or deleted files and their statuses.

Image shows On the “RESPONSE” page, you can see all quarantined or deleted files and their statuses.

Note: For Windows assets, response actions are only supported in Cloud Agent version 4.0.0 and higher.

Image shows For windows assets, response actions are only supported in Cloud Agent version 4.0.0 and higher.

6. Rule-Based Alerts

  1. You must first configure a rule action and indicate what action should be performed when events meeting a condition are identified in order for EDR to generate alerts.
  2. Then, in order to issue the alert, you must create a rule containing trigger criteria and rule actions. EDR will give you the notifications based on the rule action settings.

Image shows Rule-Based Alerts

Configure a rule action that will be referenced in the alert rule as the first step. In the Response section, under the Actions tab, you may configure a rule action.

Image shows Configure a rule action

Image shows Configure rules

6.1 Configure Rules

The next step is to create a rule that will send out notifications when harmful events occur. In the Response section, under the Rule Manager tab, you may configure rules. To create a new rule, fill in the needed information in the appropriate sections:

  • Give the new rule a name and a description in the Rule Name and Description fields of the Rule Information section.
  • Provide a query for the rule in the Rule Query area. This query is used by the system to look for events. To test your query, click the Test Query button.
  • To choose from a list of pre-defined queries, click the Sample Queries link.
  • Three trigger criteria are available for use in combination with the rule query: Single Match, Time-Window Count Match, and Time-Window Scheduled Match.
  • Choose the steps you want the system to take when an alert is generated in the Action Settings section.

Image shows Trigger Criteria

6.2 Trigger Criteria

  • Select Single Match if you want the system to send you an alert every time it finds an event that matches your search query.
  • Select Time-Window Count Match when you want alerts based on the number of events a search query returns over a set period of time. For example, an alert is sent if three matching events are detected within a 15-minute interval.
  • Select Time-Window Scheduled Match when you need alerts for matching events that happened during a specified time. The rule is activated only when an event matching your search criteria is detected during the time set in the Schedule.

Image shows Trigger Criteria

Fill in all of the "Rule Details" fields.

Image shows Rule Details

6.3 Aggregating Alerts

For the trigger, you can group the alerts based on:

  • Action
  • Asset Agent ID
  • Asset Hostname, etc.

Image shows Rule Details

Example: aggregating alerts to find all running svchost.exe processes that do not have “-k” as an argument.

Goal:

Find all running svchost.exe processes that do not have “-k” as an argument, and create an alert rule that notifies a Slack channel if one or more such process instances are found.

Rule Based Alert Configuration:

  1. Rule query for search logic: process.name:"svchost.exe" and not process.arguments:"-k"
  2. Rule Trigger: Single Match (one alert for one match)
  3. Action Setting: Raise alert and post to Slack

Image shows Rule Based Alert Configuration
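The three trigger criteria and the aggregation option are easiest to compare by implementing them over the same stream of events. The Python below is an added example for this post, not Qualys code: the event records, hostnames and timestamps are constructed, the rule query is the svchost.exe condition from the example above, and the Slack payload format is a constructed stand-in for whatever the real "post to Slack" action sends. The scheduled-match variant is not shown.

```python
from collections import defaultdict
from typing import Any, Callable, Dict, List

Event = Dict[str, Any]
Rule = Callable[[Event], bool]

# Constructed process events from two hosts; "ts" is seconds since an arbitrary start.
SAMPLE_EVENTS: List[Event] = [
    {"ts": 0,    "asset": {"hostname": "ws-01"}, "process": {"name": "svchost.exe", "arguments": "-k netsvcs -p"}},
    {"ts": 60,   "asset": {"hostname": "ws-01"}, "process": {"name": "svchost.exe", "arguments": ""}},
    {"ts": 300,  "asset": {"hostname": "ws-01"}, "process": {"name": "svchost.exe", "arguments": ""}},
    {"ts": 600,  "asset": {"hostname": "ws-01"}, "process": {"name": "svchost.exe", "arguments": ""}},
    {"ts": 2400, "asset": {"hostname": "ws-01"}, "process": {"name": "svchost.exe", "arguments": ""}},
    {"ts": 100,  "asset": {"hostname": "ws-02"}, "process": {"name": "SVCHOST.EXE", "arguments": ""}},
    {"ts": 120,  "asset": {"hostname": "ws-02"}, "process": {"name": "svchost.exe", "arguments": "-k LocalService"}},
]

def by_hostname(ev: Event) -> str:
    return ev["asset"]["hostname"]

def svchost_without_k(ev: Event) -> bool:
    """Rule query: process.name:"svchost.exe" and not process.arguments:"-k" """
    p = ev["process"]
    return p["name"].lower() == "svchost.exe" and "-k" not in p["arguments"].split()

def single_match(events: List[Event], rule: Rule) -> List[Event]:
    """Single Match: one alert for every event that satisfies the rule."""
    return [ev for ev in events if rule(ev)]

def time_window_count_match(events: List[Event], rule: Rule, threshold: int, window: int,
                            group_by: Callable[[Event], str] = by_hostname) -> List[Dict[str, Any]]:
    """Time-Window Count Match: one alert per group when at least `threshold` matching
    events fall inside some `window`-second interval (e.g. 3 matches in 15 minutes)."""
    buckets: Dict[str, List[int]] = defaultdict(list)
    for ev in sorted(filter(rule, events), key=lambda e: e["ts"]):
        buckets[group_by(ev)].append(ev["ts"])
    alerts = []
    for key, times in buckets.items():
        start = 0
        for end in range(len(times)):          # sliding window over sorted match times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"group": key, "matches": end - start + 1,
                               "first": times[start], "last": times[end]})
                break                          # fire once per group
    return alerts

def aggregate(matches: List[Event], group_by: Callable[[Event], str] = by_hostname) -> Dict[str, List[int]]:
    """Aggregation: collapse single-match alerts so each host gets one notification listing its matches."""
    grouped: Dict[str, List[int]] = defaultdict(list)
    for ev in matches:
        grouped[group_by(ev)].append(ev["ts"])
    return dict(grouped)

def slack_payload(rule_name: str, group: str, match_times: List[int]) -> Dict[str, str]:
    """Constructed shape of the message a 'post to Slack' action would carry."""
    return {"text": f"[{rule_name}] {group}: {len(match_times)} match(es) at {sorted(match_times)}"}

if __name__ == "__main__":
    hits = single_match(SAMPLE_EVENTS, svchost_without_k)
    print("single match alerts:", len(hits))
    for host, times in aggregate(hits).items():
        print(slack_payload("svchost without -k", host, times)["text"])
    print("count-window alerts:", time_window_count_match(SAMPLE_EVENTS, svchost_without_k, 3, 900))
```

With Single Match the rule raises five separate alerts for these events; aggregating by Asset Hostname turns them into two notifications; and Time-Window Count Match with a threshold of three in 900 seconds fires once, for ws-01 only, because its fourth match at 2400 s lies outside any 15-minute window containing three others.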

6.4 Activity Tab

The Activity tab displays all of the alert activity for the timeframe specified. The rule name, success or failure in delivering the alert message, aggregate enabled or disabled for the rule, action selected for the rule, matches discovered for the rule, and the user who authored the rule are all displayed here for each alert.

Image shows Activity Tab

7. Prevention

To correlate various attack vectors and offer a wider context for remediation and prevention, EDR integrates with other Qualys applications like AI, VMDR, PC, and PM.

Image shows Prevention

7.1 Global Asset Inventory (AI)

Visibility is the first step toward endpoint security. For your assets, Qualys Global Asset Inventory (AI) delivers a single source of truth. It's a central spot where you can see all of the data collected by the various sensors you've installed. Asset inventory is automatically updated with data obtained from your sensors. To offer a better perspective, the data is standardized and classified. You're fulfilling the first step required by security and compliance teams, which is visibility, by acquiring an inventory.

  • Gives you comprehensive visibility into your hybrid IT environment.
  • Helps in the elimination of blind spots.
  • Provides critical context for a multi-vector EDR strategy.
  • Asset Inventory is included with EDR.

Use queries to:

  • Quickly identify assets that do not have EDR.
  • Tag those assets for EDR activation.
  • Create widgets to keep track of assets without EDR.

Image shows use queries to

Use queries to:

  • Identify EOL or EOS software/browsers
  • Identify assets with EOL or EOS software
  • Enable EDR on target assets to monitor activity and prevent the threat from spreading

Image shows use queries to

7.2 Detect Vulnerabilities and Missing Patches

  1. Use VMDR to quickly find vulnerabilities linked to particular Malware types identified by EDR.
  2. Identify assets that have these vulnerabilities.

Image shows Identify assets that have these vulnerabilities.

You can eliminate the root cause of malicious attacks for exploitable vulnerabilities using a combination of VMDR, Patch Management (PM), and EDR.

You can quickly identify all missing patches for these exploitable vulnerabilities. VMDR's integrated Patch Management workflow then lets you create a patch job that remediates them across the environment; left unpatched, they could be exploited, and your team would have to spend time detecting, investigating, correlating, and responding to the resulting incidents.

Image shows You can quickly identify all missing patches for these exploitable vulnerabilities.

7.3 Additional Context from Configuration Management

  • Detect misconfigurations and ineffective security measures
  • Utilize Qualys' out-of-the-box policies for control evaluation.
  • Examine your compliance posture and take steps to limit the risk of malware and ransomware.

Image shows Additional Context from Configuration Management

In addition to software vulnerabilities, an adversary may identify and exploit weaknesses in your infrastructure's configuration. Architectural issues, misconfigurations, and insufficient security measures are all examples of such weaknesses.

Finding failed controls linked to malware/ransomware propagation or controls mapped to the MITRE method can assist with discovering misconfigurations and minimizing the attack surface.

Conclusion

In Part 2 we have learned about Qualys Endpoint Detection and Response (EDR) and discussed its features and benefits. We learned how to enable and configure EDR using Configuration Profiles. The EDR application, events, response actions, and rule-based alerts were all examined. We learned about "Hunting Events" and "Incidents," which are the most essential aspects of EDR, in detail. We also discussed how EDR interacts with other Qualys products like AI, VMDR, PC, and PM to correlate various attack vectors and give more context for remediation and prevention.

In the next and last post of this blog series, Part 3: PM and EDR Remediation Demonstration, we'll see what Qualys Patch Management (PM) and Qualys Endpoint Detection and Response (EDR) perform on target hosts. We'll demonstrate:

  • PM patching example
  • EDR deleting/quarantining malicious file example
  • EDR response action/alert example.

Stay tuned!