NOTE: This is the second part of a blog series.
In this blog post, we will take a look at the Endpoint Detection and Response (EDR) module in Qualys. We will learn the answers to questions such as “What is Qualys Endpoint Detection and Response?”, “What is it used for?”, “How does it work?”, “How do you activate and set it up?”, “What kind of features does it have?” and “What can we do with this module?”.
In the next and final part of this blog series, we will be discussing patching by using Qualys Patch Management (PM) and remediation with Qualys Endpoint Detection and Response (EDR). In addition, the impacts of PM and EDR on target hosts will be demonstrated.
Endpoint Detection and Response, or EDR, is a cybersecurity solution that detects and responds to cyber threats on a continuous basis.
The Qualys multi-vector EDR application is an evolved superset of the Indication of Compromise (IOC) application.
The Cloud Agent delivers Qualys EDR, allowing for continuous monitoring and data gathering from the agent via the EDR Manifest. After enabling EDR for an asset, the agent begins collecting data in real-time about the asset's numerous objects and associated actions/events. It uploads the data to the Qualys cloud platform for analysis.
This information is directly correlated with Qualys Malware Labs threat intelligence and research, and you can view the incidents recognized by EDR as well as the system events and details gathered by the cloud agent in the EDR app. Events are prioritized using a proprietary scoring system, allowing for a prioritized response, and the user is informed of harmful events, infected hosts, and attacks taking place in their environment, among other things.
EDR extends the Qualys Cloud Platform's threat hunting and remedial response capabilities. EDR identifies a suspicious activity, validates the presence of known and unknown malware, and responds to your assets' remediation needs.
Finally, EDR unifies various context vectors such as asset discovery, rich normalized software inventory, end-of-life or end-of-support visibility, vulnerabilities and exploits, misconfiguration, in-depth endpoint telemetry, and network reachability in a single cloud-based app with a powerful backend to correlate it all for accurate assessment, detection, and response. Correlation with all attack vectors aids in identifying the root cause and reducing the likelihood of future attacks.
The following configuration steps are required to use the Qualys EDR application successfully:
Note: Cloud Agent must be installed with an activation key that is compatible with the EDR module.
If you're not sure how to install and configure “Qualys Cloud Agent”, check out the Qualys Cloud Agent Installation Guide with Windows and Linux Scripts.
To assign assets to a “Configuration Profile” by tag, first create a new asset tag.
Create a new Configuration Profile to work with.
PERFORMANCE: The high-performance option performs more frequent checks.
ASSIGN HOSTS: Choose which assets will receive this profile. Assets can be selected by Asset Tag or by Name.
EDR: For Configuration Profile, enable the EDR module.
You can manually activate the asset module instead of using the Configuration Profile to enable EDR.
On the EDR Welcome page, use Configure Agents for EDR to configure agents and upgrade activation keys for the EDR module.
Additionally, on the EDR Welcome page, you can manage tags.
Discover and Monitor: Install lightweight agents on your IT assets in minutes. These may be installed on your on-premises systems, as well as in dynamic cloud settings and on mobile devices. Cloud Agents (CA) are self-updating and are maintained centrally by the cloud agent platform (no reboot needed).
Detect and Investigate: In one central spot, you can view and investigate all of your EDR issues and events. You'll get a list of all occurrences that have been discovered across all of your assets. In a matter of seconds, you may search through all of your incidents and events.
Respond and Prevent: From a central location, respond to suspicious and harmful activity. For a harmful or suspicious occurrence, remediation actions are provided.
There are five sections to the EDR user interface:
- **DASHBOARDS:** Dashboards allow you to examine your assets, see your threat exposure, use stored searches, and quickly remediate harmful or suspicious occurrences.
Unified Dashboard (UD) and EDR have been merged. UD visualizes information from many Qualys apps in a single location.
To visualize particular information, you may utilize Qualys' EDR dashboards or create your own widgets and dashboards.
- **INCIDENTS:** This section includes a list of all occurrences that have been discovered in your environment. You may examine events by Malware family name and Malware category using Qualys advanced search and filter features.
- View and search assets that have been identified as being infected with malware.
- Look into events based on Active Threats and Malware Families/Categories.
- **HUNTING:** This section includes a list of all events gathered from EDR-enabled assets by the Cloud Agent. You may use this page to filter and search for harmful File, Process, Network, and Mutex events, as well as execute remedial activities.
- Examine the information gathered by EDR agents.
- Search for events based on their characteristics, skip to events that happened within a specific time range, and organize events based on their kind, activity, and score.
- Remedial action should be taken in the case of malicious files, processes, mutexes, and network events.
- Results of a “Search” can be exported
- **ASSETS:** This section includes a list of agent host assets that have the EDR module enabled. You may obtain up-to-date information on a specific asset's details, events, and occurrences all in one location.
When examining asset details, the user may examine the asset's inventory, vulnerability, compliance, EDR, and other data in one location.
When viewing event or incident details, the user is taken directly to the Hunting or Incidents tab.
- Lists all EDR-enabled agent assets.
- Provides up-to-date information about a certain asset's details, events, and occurrences.
- Asset data is available in CSV format for download.
- Show the assets that have been affected and the infections that have occurred.
- **RESPONSES:** This section shows the status of requests for remedial measures taken in response to harmful occurrences.
You may also set EDR to monitor events for conditions defined in a rule and give you notifications if events fit the condition.
- View the status of response actions.
- Set up rule-based notifications.
- An “object” is an artifact on the system, without state information.
- Object types:
  - File – a PE file on a locally attached disk (called an “image”)
  - Process – a running process, usually started from an image
  - Process Network Connection – the network state of a process
  - Mutex – a mutant handle, a shared memory resource used by processes
  - Registry – on Windows, locations used for persistence (auto-start)
- Actions and events include state information:
  - File (Created | Deleted | Renamed | Write)
  - Process (Running | Terminated)
  - Mutex (Running | Terminated)
  - Network (Connected | Disconnected | Listening)
  - Registry (Created | Deleted)
Search for events using event attributes, jump to events that took place within a specific timeframe, organize events by category, and see event and asset information.
For EDR-enabled assets, the Hunting section includes a list of all event data gathered by the Cloud Agent. Using various search queries, you may filter harmful events and search for malicious files, processes, mutexes, and network events.
You may also sort events by Type (file, process, mutex, and network), Action (file created, network connection formed or listening, a process running, and so forth), and Score.
Finally, you can take steps to correct harmful events.
Filter for harmful events to see a list of all malicious events, which you may then “delete” or “quarantine”.
The event's details page has all of the pertinent information. Click Quick Actions > Event Details to go to the Events Details page.
The Event Details page displays information about the object (file/process/mutex/network connection) and its state (file created, process/mutex running or terminated, network listening on a port, network connection established), such as the image path, associated user, process ID, MD5/SHA256 hash value, and so on.
The event tree for Process, Mutex, and Network events is displayed on the Event Details page.
We show all the events that are linked to the selected event in the event tree.
Only active asset events are shown:
- File Created (existence)
- Process Running
- Mutex Running
- Network Listening / Established
- Registry Created (existence)
“Look Back” Investigation
Stored as state change events:
- File Created / Deleted
- Process Running / Terminated
- Mutex Running / Terminated
- Network Listening / Established / Closed
- Registry Created / Deleted
You may check for available results/research on this threat by searching for the file hash on Google, or you can compare EDR findings to the VirusTotal database to see whether other scanning engines have recognized this file/process/mutex as dangerous.
VirusTotal gathers information from a variety of antivirus programs and internet scan engines to look for infections that the user's own antivirus may have missed, as well as to rule out any false positives.
What are the most interesting file properties?
- Examine the information about the signer and the certificate.
- Look for files running out of $RECYCLE.BIN, %temp% or %downloads%
What do you search for when you're looking for evasion methods?
- Malware files may be renamed to seem to be native Windows files.
- Compare filenames within %system% to files on disk.
- Look for suspicious use of SVCHOST, WMI, and PowerShell.
Is it safe to trust your files?
- Examine the information on the certificate.
- Look for persistent untrustworthy files, untrusted processes, and untrusted programs that generate network traffic to add to your results.
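The checks in the three lists above (execution out of $RECYCLE.BIN, %temp% or Downloads, a native Windows filename living outside %system%, and missing or untrusted signer information) can be turned into a triage pass over the image paths an EDR agent reports. The following is an added example and not Qualys code; the event field names, the list of impersonated system binaries and the `signer_trusted` flag are assumptions for the example, and the sample events are constructed.

```python
"""Added example (not Qualys code): heuristic triage of image paths reported by
an endpoint agent, applying the file-property checks described in the text."""
from pathlib import PureWindowsPath
from typing import Optional

# Native Windows binaries that malware commonly impersonates (assumed list for this example).
NATIVE_SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}
# Where those binaries legitimately live: %system% and its 32-bit counterpart.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Folder names that, anywhere in the path, mark a suspicious execution location.
SUSPICIOUS_FOLDERS = {"$recycle.bin", "temp", "downloads"}


def flags_for_image(path: str, signer: Optional[str], signer_trusted: bool) -> list:
    """Return the list of triage flags raised for one image path."""
    p = PureWindowsPath(path)
    folders = {part.lower() for part in p.parts[:-1]}   # every directory component, case-folded
    full = str(p).lower()
    flags = []
    if folders & SUSPICIOUS_FOLDERS:
        flags.append("runs-from-suspicious-dir")
    if p.name.lower() in NATIVE_SYSTEM_BINARIES and not full.startswith(SYSTEM_DIRS):
        flags.append("native-name-outside-system-dir")
    if signer is None:
        flags.append("unsigned")
    elif not signer_trusted:
        # signer_trusted is an assumed field: whether the signing certificate chains to a trusted root
        flags.append("untrusted-signer")
    return flags


# Constructed sample events (field layout is an assumption, not the Qualys schema).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe", "signer": "Microsoft Windows", "signer_trusted": True},
    {"id": 2, "image": r"C:\Users\bob\AppData\Local\Temp\invoice.exe", "signer": None},
    {"id": 3, "image": r"C:\Users\bob\Downloads\svchost.exe", "signer": "Contoso Ltd", "signer_trusted": False},
    {"id": 4, "image": r"C:\$Recycle.Bin\S-1-5-21-1234\update.exe", "signer": None},
    {"id": 5, "image": r"C:\ProgramData\lsass.exe", "signer": None},
]


def triage(events):
    """Return {event id: flags} for every event that raised at least one flag."""
    out = {}
    for e in events:
        flags = flags_for_image(e["image"], e.get("signer"), e.get("signer_trusted", False))
        if flags:
            out[e["id"]] = flags
    return out


if __name__ == "__main__":
    for event_id, flags in triage(SAMPLE_EVENTS).items():
        print(event_id, flags)
```

The legitimate `svchost.exe` in `System32` raises nothing, while the same filename in a Downloads folder raises three flags at once; that combination is what the text means by a persistent untrusted file worth adding to your results.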
“Suspicious Use of Windows Command Shell and PowerShell” is a threat actor tactic and hunting approach:
- Threat actors aim to avoid detection by loading malicious scripts into memory via whitelisted applications
- PowerShell or cmd.exe are not invoked using MS Office applications in normal use.
- Hunting approach: cmd.exe or powershell.exe started as a child of an MS Office process (winword.exe, excel.exe, or powerpnt.exe)
Query: `type:PROCESS and parent.name:[winword.exe, excel.exe, powerpnt.exe] and process.name:[cmd.exe, powershell.exe] and process.arguments:-e*`
Identify any MS Office processes that have used the Windows command shell or PowerShell.
Threats such as fileless attacks involve the use of legitimate/whitelisted programs such as the Windows command shell or PowerShell to load malware directly into memory. Although Microsoft's PowerShell is preinstalled on nearly all Microsoft systems and is considered trusted software, seeing it launched via MS Word, PowerPoint or Excel is highly anomalous and suspicious.
“Suspicious Use of WMI” is a threat actor tactic and hunting approach:
- WMI (“wmiprvse.exe”) is a system process that runs WMI commands on a remote host
- Threat actors use it as a remote execution utility and to establish persistence
- Hunting approach: powershell.exe running with wmiprvse.exe as parent process may be suspicious
Query: `type:PROCESS and parent.name:wmiprvse.exe and process.name:powershell.exe and process.arguments:-e*`
Find all WMI-invoked PowerShell processes that are currently executing.
WMI was created as Microsoft's interpretation of web-based enterprise management (WBEM) for system administration and auditing; however, attackers may utilize it at any point throughout the Attack Lifecycle, from gaining a foothold on a system to stealing data from the environment, and anything in between.
Because WMI is so versatile, attackers have found a variety of methods to use it to run malicious code. Because of the large quantity of legitimate activity in today's organizations, finding malicious WMI and PowerShell in memory might be difficult. Context is crucial in hunting, and looking at the parent and children of processes may frequently provide further context.
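To make the two hunting queries above concrete, here is a small evaluator that runs queries of that shape over process events and returns the matching event ids. This is an added example, not Qualys code: the grammar it accepts (`field:value`, `field:[v1, v2]`, a trailing `*` wildcard, terms joined by `and`, an optional `not`) is an assumption based only on the queries shown on this page, the nested event layout is assumed, and the sample events are constructed.

```python
"""Added example (not Qualys code): evaluate hunting queries of the form shown
in the text over constructed process events."""
import fnmatch
import re

# The two hunting queries from the text, verbatim (including the odd spacing inside the brackets).
OFFICE_SHELL_QUERY = ("type:PROCESS and parent.name:[winword.exe, excel.exe, powerpnt.exe] "
                      "and process.name:[ cmd.exe,powershell.exe ] and process.arguments:-e*")
WMI_POWERSHELL_QUERY = ("type:PROCESS and parent.name:wmiprvse.exe "
                        "and process.name:powershell.exe and process.arguments:-e*")

# One term: optional "not", a dotted field name, a colon, then a value or a [list].
TERM_RE = re.compile(r"^(not\s+)?([\w.]+):(.+)$", re.IGNORECASE)


def parse_query(query):
    """Split a query on 'and' and return a list of (negated, field, patterns) terms."""
    terms = []
    for raw in re.split(r"\s+and\s+", query.strip(), flags=re.IGNORECASE):
        m = TERM_RE.match(raw.strip())
        if not m:
            raise ValueError(f"cannot parse term: {raw!r}")
        negated, field, value = m.groups()
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            patterns = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        else:
            patterns = [value]
        terms.append((bool(negated), field, patterns))
    return terms


def get_field(event, dotted):
    """Resolve a dotted name such as 'parent.name' against nested dicts; None when absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def term_matches(event, field, patterns):
    """Case-insensitive glob match; list-valued fields (arguments) match if any element does."""
    value = get_field(event, field)
    if value is None:
        return False
    values = value if isinstance(value, list) else [value]
    return any(fnmatch.fnmatchcase(str(v).lower(), p.lower()) for v in values for p in patterns)


def matches(event, terms):
    return all(term_matches(event, field, patterns) != negated for negated, field, patterns in terms)


# Constructed sample events; "arguments" is assumed to be the tokenized command line.
SAMPLE_EVENTS = [
    {"id": 1, "type": "PROCESS", "host": "ws-01", "parent": {"name": "winword.exe"},
     "process": {"name": "powershell.exe", "arguments": ["-nop", "-w", "hidden", "-enc", "<base64-placeholder>"]}},
    {"id": 2, "type": "PROCESS", "host": "ws-02", "parent": {"name": "explorer.exe"},
     "process": {"name": "powershell.exe", "arguments": ["-File", "backup.ps1"]}},
    {"id": 3, "type": "PROCESS", "host": "srv-01", "parent": {"name": "wmiprvse.exe"},
     "process": {"name": "powershell.exe", "arguments": ["-e", "<base64-placeholder>"]}},
    {"id": 4, "type": "PROCESS", "host": "ws-01", "parent": {"name": "excel.exe"},
     "process": {"name": "cmd.exe", "arguments": ["/c", "dir"]}},
    {"id": 5, "type": "FILE", "host": "ws-01", "file": {"name": "report.docx"}},
]


def run_query(query, events):
    """Return the ids of the events the query selects, in input order."""
    terms = parse_query(query)
    return [e["id"] for e in events if matches(e, terms)]


if __name__ == "__main__":
    print("office -> shell:", run_query(OFFICE_SHELL_QUERY, SAMPLE_EVENTS))
    print("wmi -> powershell:", run_query(WMI_POWERSHELL_QUERY, SAMPLE_EVENTS))
```

Note that event 4 (Excel launching cmd.exe) is not returned by the Office query as written, because the `process.arguments:-e*` term only keeps children started with an `-e…` argument; when hunting you may want to run the query with and without that last term and compare the two result sets.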
Use Active Threats to investigate incidents; Active Threats can be viewed by Host, Malware Name, and Malware Family.
- All Hosts with threats listed under Incidents
- Filter results by Malware Family and Category
- The highest event score is used to calculate the asset score
Details about incidents may be viewed by clicking on their names.
Display file details from the process tree.
In addition, “remediation action” may be found under “View Mode > Process Tree”.
When you run a delete or quarantine action, you'll get a message and the status of the action will change to In Progress.
On the “RESPONSE” page, you can see all quarantined or deleted files and their statuses.
Note: For Windows assets, response actions are only supported in Cloud Agent version 4.0.0 and higher.
- You must first configure a rule action and indicate what action should be performed when events meeting a condition are identified in order for EDR to generate alerts.
- Then, in order to issue the alert, you must create a rule containing trigger criteria and rule actions. EDR will give you the notifications based on the rule action settings.
Configure a rule action that will be referenced in the alert rule as the first step. In the Response section, under the Actions tab, you may configure a rule action.
The next step is to create a rule that will send out notifications when harmful events occur. In the Response section, under the Rule Manager tab, you may configure rules. To create a new rule, fill in the needed information in the appropriate sections:
- Give the new rule a name and a description in the Rule Name and Description section of the Rule Information section.
- Provide a query for the rule in the Rule Query area. This query is used by the system to look for events. To test your query, click the Test Query button.
- To choose from a list of pre-defined queries, click the Sample Queries link.
- Three trigger criteria are available in combination with the rule query: Single Match, Time-Window Count Match, and Time-Window Scheduled Match.
- Choose the steps you want the system to take when an alert is generated in the Action Settings section.
- Select Single Match if you want the system to send you an alert every time it finds an event that matches your search query.
- Select Time-Window Count Match when you want alerts based on the number of events returned by a search query over a set period of time. For example, an alert is sent if three similar occurrences are detected within a 15-minute interval.
- Select Time-Window Scheduled Match when you need alerts for matching events that happened during a specified time. The rule fires only when an event matching your search criteria is detected during the time specified in the Schedule.
Fill in all of the Rule Details fields.
For the trigger, you can group the alerts based on:
- Asset Agent ID
- Asset Hostname, etc.
Example of alert aggregation: find all running svchost.exe processes that do not have “-k” as an argument, and create an alert rule that notifies a Slack channel if one or more such process instances are found.
Rule Based Alert Configuration:
- Rule query for search logic: `process.name:svchost.exe and not process.arguments:-k`
- Rule Trigger: Single Match (one alert for one match)
- Action Setting: Raise alert and post to Slack
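The three trigger criteria described above, applied to the svchost.exe rule of this example, can be illustrated with a small evaluator that groups alerts by asset hostname. This is an added example, not Qualys code: the rule is expressed as a Python predicate rather than the product's query language, the event layout and timestamps are constructed, the sliding-window and daily-schedule semantics are my reading of the descriptions above, and the Slack message is only formatted, not sent (the `{"text": ...}` shape is that of a Slack incoming webhook).

```python
"""Added example (not Qualys code): Single Match, Time-Window Count Match and
Time-Window Scheduled Match triggers for the svchost.exe rule, aggregated by host."""
from collections import defaultdict, deque
from datetime import datetime, time, timedelta


def svchost_without_k(event):
    """Rule query from the text: process.name:svchost.exe and not process.arguments:-k"""
    proc = event["process"]
    return (event["type"] == "PROCESS" and proc["name"].lower() == "svchost.exe"
            and not any(arg.lower().startswith("-k") for arg in proc["arguments"]))


def single_match(events, predicate, group_by="host"):
    """One alert per matching event (no aggregation across events)."""
    return [{"trigger": "single", "host": e[group_by], "matches": [e["id"]]}
            for e in events if predicate(e)]


def time_window_count_match(events, predicate, threshold, window, group_by="host"):
    """Alert when `threshold` matches for the same group fall within a sliding `window`."""
    alerts = []
    recent = defaultdict(deque)                      # per-group queue of recent matches
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if not predicate(e):
            continue
        q = recent[e[group_by]]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > window:   # drop matches older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"trigger": "count", "host": e[group_by], "matches": [m["id"] for m in q]})
            q.clear()                                # start counting afresh after alerting
    return alerts


def time_window_scheduled_match(events, predicate, start, end, group_by="host"):
    """Alert only for matches whose time of day falls inside the daily schedule [start, end)."""
    grouped = defaultdict(list)
    for e in events:
        if predicate(e) and start <= e["ts"].time() < end:
            grouped[e[group_by]].append(e["id"])
    return [{"trigger": "scheduled", "host": h, "matches": ids} for h, ids in grouped.items()]


def slack_payload(alert, rule_name="svchost-without-k"):
    """Body for the Slack notification action (assumed webhook shape; nothing is posted here)."""
    return {"text": f"[{rule_name}] {alert['trigger']} trigger on {alert['host']}: event ids {alert['matches']}"}


# Constructed sample events: two legitimate svchost launches on ws-01, three suspicious
# ones on ws-02 within twelve minutes, and one suspicious launch on ws-01 late at night.
T0 = datetime(2022, 3, 1, 9, 0)


def _ev(i, minutes, host, args):
    return {"id": i, "ts": T0 + timedelta(minutes=minutes), "type": "PROCESS", "host": host,
            "process": {"name": "svchost.exe", "arguments": args}}


SAMPLE_EVENTS = [
    _ev(1, 0, "ws-01", ["-k", "netsvcs"]),
    _ev(2, 2, "ws-01", ["-k", "LocalService"]),
    _ev(3, 5, "ws-02", []),
    _ev(4, 10, "ws-02", ["/run"]),
    _ev(5, 12, "ws-02", []),
    _ev(6, 13 * 60, "ws-01", []),
]


def run_rule_demo():
    """Run the same rule under all three trigger criteria and return the alerts."""
    return {
        "single": single_match(SAMPLE_EVENTS, svchost_without_k),
        "count": time_window_count_match(SAMPLE_EVENTS, svchost_without_k,
                                         threshold=3, window=timedelta(minutes=15)),
        "scheduled": time_window_scheduled_match(SAMPLE_EVENTS, svchost_without_k,
                                                 time(8, 0), time(18, 0)),
    }


if __name__ == "__main__":
    for trigger, alerts in run_rule_demo().items():
        for alert in alerts:
            print(trigger, slack_payload(alert)["text"])
```

Single Match raises four alerts (one per suspicious launch), Time-Window Count Match collapses the three ws-02 launches into one alert and stays silent for the lone ws-01 event, and the 08:00-18:00 schedule drops the 22:00 event entirely; choosing the trigger is therefore a choice about how much noise the Slack channel receives.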
The Activity tab displays all of the alert activity for the timeframe specified. The rule name, success or failure in delivering the alert message, aggregate enabled or disabled for the rule, action selected for the rule, matches discovered for the rule, and the user who authored the rule are all displayed here for each alert.
To correlate various attack vectors and offer a wider context for remediation and prevention, EDR integrates with other Qualys applications like AI, VMDR, PC, and PM.
Visibility is the first step toward endpoint security. For your assets, Qualys Global Asset Inventory (AI) delivers a single source of truth. It's a central spot where you can see all of the data collected by the various sensors you've installed. Asset inventory is automatically updated with data obtained from your sensors. To offer a better perspective, the data is standardized and classified. You're fulfilling the first step required by security and compliance teams, which is visibility, by acquiring an inventory.
- Gives you comprehensive visibility into your hybrid IT environment.
- Helps in the elimination of blind spots.
- Provides critical context for a multi-vector EDR strategy.
- Asset Inventory is included with EDR.
Use queries to:
- Quickly identify assets that are missing EDR.
- Tag assets for EDR activation.
- Create widgets to keep track of assets that are not using EDR.
Use queries to:
- Identify EOL or EOS software/browsers
- Identify assets with EOL or EOS software
- Enable EDR on target assets to monitor activity and prevent the threat from spreading
- Use VMDR to quickly find vulnerabilities linked to particular Malware types identified by EDR.
- Identify assets that have these vulnerabilities.
You can eliminate the root cause of malicious attacks for exploitable vulnerabilities using a combination of VMDR, Patch Management (PM), and EDR.
You can quickly identify all missing patches for these exploitable vulnerabilities. Then you can use VMDR's integrated Patch Management workflows to create a patch job that patches all such vulnerabilities across the environment; otherwise they could have been exploited, and your team would have had to spend time detecting, investigating, correlating, and responding to the resulting incidents.
- Detect misconfigurations and ineffective security measures
- Utilize Qualys' out-of-the-box policies for control evaluation.
- Examine your compliance posture and take steps to limit the risk of malware and ransomware.
In addition to vulnerabilities, an adversary may identify and exploit weaknesses in your infrastructure's configuration. Architectural issues, misconfigurations, and insufficient security measures are all examples of such weaknesses.
Finding failed controls linked to malware/ransomware propagation or controls mapped to the MITRE method can assist with discovering misconfigurations and minimizing the attack surface.
In Part 2, we learned about Qualys Endpoint Detection and Response (EDR) and discussed its features and benefits. We learned how to enable and configure EDR using Configuration Profiles. The EDR application, events, response actions, and rule-based alerts were all examined. We learned in detail about Hunting Events and Incidents, which are the most essential aspects of EDR. We also discussed how EDR interacts with other Qualys products like AI, VMDR, PC, and PM to correlate various attack vectors and give more context for remediation and prevention.
In the next and last post of this blog series, Part 3: PM and EDR Remediation Demonstration, we'll see what Qualys Patch Management (PM) and Qualys Endpoint Detection and Response (EDR) perform on target hosts. We'll demonstrate:
- PM patching example
- EDR deleting/quarantining malicious file example
- EDR response action/alert example.
Read the Part 3: PM and EDR Remediation Demonstration here.
Check out our Endpoint Security services to stay secure!