PM and EDR Remediation Demonstration

September 15, 2021



NOTE: This is the latest part of a blog series.

Part 1: Qualys Patch Management (PM)

Part 2: Qualys Endpoint Detection and Response (EDR)

Part 3: PM and EDR Remediation Demonstration

Overview

In Part 1 and Part 2 of these blog series, we learned about Qualys Patch Management (PM) and Qualys Endpoint Detection and Response (EDR).

This blog post will be about patching with Qualys Patch Management (PM) and remediation with Qualys Endpoint Detection and Response (EDR).

Index

Part 1: Qualys Patch Management (PM)

  1. Patch Management (PM) with Qualys: An Overview
  2. Patch Management Features
  3. Patch Sources
  4. PM Activation & Setup
    1. Cloud Agent Module
      1. Install Cloud Agent on target host.
      2. Assign target agent host to a Configuration Profile that has PM enabled.
      3. Activate PM module on target agent host (alternative to Configuration Profile).
    2. Patch Management Module
      1. Assign target agent host to an enabled PM Assessment Profile.
      2. Assign hosts to PM Jobs (activate license).
  5. Overview of the PM Application
    1. Patch Management UI
    2. Assessment Profile
    3. License Consumption
  6. PM Deployment Job / PM Uninstall Job
    1. Job Status
    2. Patching from VM and VMDR
    3. VMDR Prioritization Report
  7. PM Assets
  8. Patch Catalog (Patches)

Part 2: Qualys Endpoint Detection and Response (EDR)

  1. Qualys Endpoint Detection and Response (EDR) Overview
  2. EDR Activation and Setup
    1. Install Cloud Agent on target host.
    2. Assign target agent host to a Configuration Profile that has PM enabled.
    3. Activate PM module on target agent host (alternative to Configuration Profile).
  3. EDR Application Overview
    1. EDR User Interface
  4. Events and Incidents
    1. Hunting Events
    2. Using Queries for Hunting Suspicious Activity
  5. EDR Investigation and Response Actions
  6. Rule-Based Alerts
    1. Configure Rules
    2. Trigger Criteria
    3. Aggregating Alerts
    4. Activity Tab
  7. Prevention
    1. Global Asset Inventory (AI)
    2. Detect Vulnerabilities and Missing Patches
    3. Additional Context from Configuration Management

Part 3: PM and EDR Remediation Demonstration

  1. PM Patching (Virtual Machine)
  2. Remediation with EDR (Virtual Machine)
    1. Dealing with Malicious Event
    2. Response Actions

1. PM Patching (Virtual Machine)

Using the Qualys Patch Management (PM) module, we'll deploy missing patches to target hosts.

We'll look at various patch deployment strategies to see how they perform.

Check out the first part of this blog series, Part 1: Qualys Patch Management (PM), to learn how to create a new Deployment Job.

  • Once a new Deployment Job has been created (an “On demand job” for the Virtual Machine), give your job a name. “PATCHNOW - On Demand VM Test” is the name of our job.

Image shows PM Patching Virtual Machine

  • Select the assets for which you want this job to apply patches. In this example, “WinDev2104Eval” is selected. This is our virtual machine.

Image shows select the assets

  • Add the patches that are needed for the job. We selected all patches that were missing on the VM.

Image shows add patches

  • Either select “On Demand” to test immediately or schedule the job.

Also, you can configure a patch window to run the deployment job only within a particular time frame. Enabling this setting ensures that the agent starts the job within the specified patch window (e.g. start time + 6 hours). If the job does not start within this time window, it will time out.

Image shows you can configure

You can configure “Communication Options”. We enabled all “Deployment messages” and set “Deferment” to “Remind again in 10 minutes 5 times”.

Image shows communication options

We enabled the “Suppress Reboot” option so as not to receive reboot requests on the target host. We enabled “Minimize job progress window” to allow end users to minimize message windows.

“Opportunistic patch download” can’t be enabled for “On Demand” jobs.

Note: You can enable that for your scheduled jobs.

Image shows you can enable that for your scheduled jobs

As the last part of the configuration, review and confirm all options. After that, click “Saved & Enabled”.

Image shows part of the configuration

The patch status changes to Completed after saving and enabling the deployment job. (On-demand Deployment Job completes instantly after saving and enabling.)

Image shows view progress

Patch progress may be monitored by clicking View Progress.

Image shows the patching status after 10-15 minutes.

The patching status changes after 10-15 minutes. This message was sent to the target host because the Upgrade Request option was chosen and Qualys PM needed authorization to download the patch files. The notification pop-up appears for this reason, and the “OK” button should be clicked to proceed.

Another option is to select the “Defer” option. The number of deferral rights can be selected in the configuration options. In this example, a total of five deferral rights were set.

Image shows Download in Progress.

The job status changed to Download in Progress when we clicked “OK”.

Image shows another option is to select the “Defer” option.

After that, the target host receives an Upgrade in Progress notification. As you can see in the Task Manager, Qualys Cloud Agent UI is in charge of patching.

Image shows Upgrade in Progress.

After a short amount of time, the job status changed to “Patching”.

Image shows Patching

When the patching finished, the message “Upgrade completed” appeared and the job status changed to “Completed”.

Image shows Upgrade completed

We can list all the installed patches by clicking the INSTALLED count in the PATCHES column of the STATUS view.

Image shows INSTALLED

Skipped patches, and the reasons they were skipped, can be displayed by clicking the “SKIPPED” count.

Image shows “SKIPPED”

2. Remediation with EDR (Virtual Machine)

For testing the EDR module, our virtual machine host contains a number of harmful files (a trojan, an infostealer, etc.).

To remediate, we will use the EDR module. The EDR module will show all malicious files/events and will assist you in deleting or quarantining them. This section will begin with a remediation example.

You can also use the EDR module to send alerts (send an email, post to Slack, send to PagerDuty) as response actions.

Please see the second part of this blog series for additional information on EDR: Part 2: Qualys Endpoint Detection and Response (EDR).

2.1 Dealing with Malicious Event

These are the malware samples we tested on the virtual machine host (client-side).

Image shows dealing with malicious event

These can be found under the EDR HUNTING tab.

Image shows the EDR HUNTING tab.

By clicking on the names of malicious events, you may see more details about them. In View Mode, you can also quarantine or delete files.

Image shows View Mode

The event's Process Tree can be viewed.

Image shows Process Tree

Delete all malicious files from the Hunting or View Mode > Process Tree sections.

Image shows Hunting

The status “in progress” is displayed.

Image shows in progress status

Deleted files are no longer visible in the current hunting view, nor on the target host itself.

Image shows deleted files status

The status of deleted files can be viewed on the RESPONSE page.

Image shows RESPONSE

The files that were deleted were also removed from the VM host (client-side).

Image shows The files that were deleted were also deleted from the VM host

2.2 Response Action

For response actions in the EDR module, you can send alerts to people (send an email, post to Slack, send to PagerDuty).

To generate a response alert, you must first create an action. Click Actions in RESPONSES and click New Action.

Image shows response action

We provided all of the required information. If you're unfamiliar with these steps, read the second part of this blog series: Part 2: Qualys Endpoint Detection and Response (EDR).

Image shows provided all of the required information

You can choose from the following options:

Image shows choose from the following options

The action has been created.

Image shows The action has been created.

Now we must use the action we created previously in a rule. Click “Create a New Rule”.

Image shows Creating a New Rule

We provided all of the required information. If you're unfamiliar with these steps, read the second part of this blog series: Part 2: Qualys Endpoint Detection and Response (EDR).

Image shows we provided all of the required information

We added the action that we created previously. In this configuration step, we can adjust the action's settings.

Image shows we added the action that we created previously

A response action rule has been created. Now it's time to wait for the process, file, or event that will trigger the rule.

Image shows response action rule has been created

When the rule we created is triggered, an email is sent to the recipient.

We received the response alert email after triggering the rule with a malicious file.

Image shows received that response alert email

Conclusion

In Part 1 of our blog series, we learned about Qualys Patch Management (PM) capabilities, benefits, and sources. In addition, we learned how to activate and configure PM using configurations. We gave an overview of the PM application, assets, and patches. We also learned about the Deployment Job, the most critical part of PM, in great detail.

In Part 2 of our blog series, we learned about the features and benefits of Qualys Endpoint Detection and Response (EDR). We learned how to enable and configure EDR using configurations. We went over the EDR application, events, response actions, and rule-based alerts in detail. We also learned about Hunting Events and Incidents, two of the most significant aspects of EDR.

In Part 3 of our blog series, we used PM and EDR modules to remediate the target host. We demonstrated how to patch using PM and delete/quarantine harmful files/events with EDR. We also sent an email with EDR for a response action alert.

If you’ve followed this blog post to the end, you should have a detailed understanding of:

  • PM and EDR modules.
  • When to use PM and EDR.
  • How to use PM and EDR for remediation on hosts.

If you want to improve the security of your hosts' endpoints, consider deploying PM and EDR applications. As you can see from this blog series, they provide a wide range of endpoint security solutions.