Qualys Multi-Vector EDR

Lab Tutorial Supplement

1
Table of Contents
EDR ACTIVATION AND SETUP ............................................................................................................................. 3
IDENTIFY ASSETS MISSING EDR .................................................................................................................................................. 3
ACTIVATE EDR MODULE .............................................................................................................................................................. 4
CONFIGURATION PROFILE ............................................................................................................................................................ 5
VIEW EDR ASSETS ...................................................................................................................................................................... 6
UPGRADE AGENT KEYS ................................................................................................................................................................ 6
SEARCH EVENTS AND INCIDENTS ...................................................................................................................... 8
HUNTING SECTION ........................................................................................................................................................................ 8
EVENT SCORE ................................................................................................................................................................................. 9
EVENT RELATIONSHIP TREE ...................................................................................................................................................... 10
INCIDENTS SECTION ................................................................................................................................................................... 11

HUNT FOR SUSPICIOUS ACTIVITY .................................................................................................................. 12

HUNTING SECTION ...................................................................................................................................................................... 12
THREAT HUNTING QUERIES ...................................................................................................................................................... 13
TRACKING THREATS VIA DASHBOARDS .................................................................................................................................. 15
PERFORM REMEDIATION ACTION .................................................................................................................. 16
REMEDIATION ACTIONS ............................................................................................................................................................. 16
RULE BASED ALERTS .................................................................................................................................................................. 16
CORRELATE MULTIPLE VECTORS FOR PREVENTION .............................................................................. 18
ELIMINATE BLIND SPOTS ........................................................................................................................................................... 18
IDENTIFY ASSETS WITH EOL SOFTWARE ................................................................................................................................. 19
IDENTIFY VULNERABILITIES WITH MALWARE ASSOCIATIONS ............................................................................................. 19
IDENTIFY VULNERABILITIES ASSOCIATED WITH RTIS ........................................................................................................... 20
ADDRESS VULNERABILITIES WITH PM ..................................................................................................................................... 20
IDENTIFY AND ADDRESS MISCONFIGURATION ........................................................................................................................ 21

EDR CERTIFICATION EXAM ............................................................................................................................... 22

2
EDR Activation and Setup
To successfully install and use Qualys EDR in your environment, the following
configuration steps are required:
1. Install the Qualys Cloud Agent on target host
2. Activate EDR for the target agent host
3. Assign the target agent host to an EDR enabled Cloud Agent Configuration Profile

Please note, when Asset Tags are strategically used for host assignment, steps 2, and 3
(listed above) can potentially be performed prior to agent installation (step 1).

Identify Assets Missing EDR

Endpoint security starts with visibility. The EDR application automatically identifies
agent hosts that do not have EDR enabled and hosts running older version of the Cloud
Agent. You can find such assets on the EDR Welcome page under the “Discover and
Monitor” section. The “Windows hosts missing EDR” widget identifies agent hosts that
do not have EDR enabled and the “Windows hosts with older agent versions” widget
identifies hosts running Cloud Agent version lower than 4.0.0.

3
Clicking on the “Windows hosts missing EDR” widget automatically runs the following
search query in the Cloud Agent application:
operatingSystem:"Windows" and not activatedForModules:"EDR"

You can then select such assets and activate EDR on them.

Activate EDR Module

Within the “Cloud Agent” application, the EDR module must be activated for target
assets.

4
Simply use the “Quick Actions” menu of an agent host, to select the “Activate for FIM or
EDR or PM” option. Alternatively use the Cloud Agent API, to activate agents in bulk.

Configuration Profile

EDR host assets must belong to a Configuration Profile with the “EDR” module enabled.

Ensure the “Enable EDR module for this profile” switch is in the “ON” position.

Max event log size – EDR events are transmitted to the Qualys Cloud platform when the
EDR event log file reaches the maximum specified size. You can specify a file size
between 10 KB and 10240 KB. Default is 1024 KB. This value can be lower if the Payload
threshold time is lower.
Payload threshold time – EDR events are transmitted to the Qualys Cloud platform
when the EDR payload threshold time is hit, i.e., the specified seconds elapse after the

5
previous payload was sent to the Qualys Cloud Platform. You can specify a threshold
between 30 seconds and 1800 seconds. Default is 60 seconds. This value is lower the
better to prevent data loss on busy systems.
Maximum disk usage for EDR Data – This is the maximum size on disk available to a
Cloud Agent for caching EDR events to be sent to the Qualys Cloud Platform for
processing. If the maximum size is reached, the oldest events are deleted in order to
create space for newly generated events. You can specify a disk usage size between 100
MB and 2048 MB. Default is 1024 MB.

View EDR Assets

The “Assets” section in the EDR application contains list of agent host assets with the
EDR module activated. Here you can get up-to-date views on a selected asset's details,
its events and incidents in one place. You can also download asset report data in CSV
format. When viewing asset details, you can see asset inventory, vulnerability,
compliance, EDR and other data for the asset in once place.

Navigate to the following URL to view the “EDR Activation and Setup 1” tutorial:

http://ior.ad/7fE0

Upgrade Multiple Agent Keys

Within the EDR application, you can upgrade multiple Activation Keys to use EDR.

6
On the EDR welcome page, simply click “Configure Agents for EDR” and then select one
or more agent keys to upgrade. All the agents associated with the activation key/keys
will be upgraded and enabled for EDR.

Navigate to the following URL to view the “EDR Activation and Setup 2” tutorial:

http://ior.ad/7gh9

7
Search Events and Incidents
The Cloud Agent collects data about various objects (PE files, process, mutex, registry,
network connections) and associated actions\events on the object in real-time.
Objects with their state information can be traced as follows:
• File
Created | Deleted
• Process
Running | Terminated
• Mutex
Running | Terminated
• Network
Connected | Disconnected | Listening
• Registry
Created | Deleted

Hunting section
You can see information about objects along with their state in the EDR app under the
Hunting section.

You can filter and search for malicious file, process, mutex and network related events.
This way, you reduce potentially thousands of events, to the few that matter.

8
You can group events by event Type (file, process, mutex and network), Action (file
creation, network connection established or listening, process running or terminated
and so on) and Score and perform remediation actions.

Simply use the “Quick Actions” menu of an event, to select the “Event Details” option

The “Event Details” page displays details such as image path, associated user, process
ID, MD5/SHA256 hash value, etc. about the object (file/process/mutex/network
connection) and the object state (file created, process/mutex running or terminated,
network listening on a port, network connection established).

Indicator Score
The Qualys EDR detection and scoring engine natively correlates all event telemetry
data to commercial threat feed and research from Qualys Malware Labs and assigns
each event and asset, a score between 0 to 10. The scoring system is dependent on the
object type associated with the event and the threat perception.

An event with score 0 is a non-malicious event. An object\event with a score 1 indicates

that a remediation\corrective action was performed on the object\event and it is no
longer a threat. Scores between 2 to 10 indicate malicious behavior related to file,
process or network activity with varying confidence levels.

9
Scores between 2 to 4 indicate malicious events at a low confidence level, 5 to 7
indicate malicious events at a medium confidence level and scores between 8 to 10
indicate confirmed malicious events with a high confidence score.

These scores assist incident responders to prioritize their response actions.

Event Relationship Tree

On the “Event Details” page, you can see the event relationship tree which helps you
visualize how a malicious object is tied to other objects on the asset which provides
better context for understanding the attack chain. For example, an event of “Process”
type will show its parent and child processes along with the mutex and network
connection of the process. For the event of Network type, you see network connection
of a process and for the event of Mutex type, mutex connection of a process. As with all
things hunting, context is important, and we can often get more context by looking at
the parent and children of processes.

This information is useful for proactive hunting for indicators of activity or attacks and
also for analysis during a post-breach investigation.

10
Incidents Section
The Incidents section contains the list of all active incidents in your environment. Using
Qualys search and filter capabilities, you can investigate incidents by Active Threats By
Host, Active Threats by Malware name, and by Malware family name.

Asset Score
The highest event score is the asset's score during the selected time period.
The asset's score can dynamically change as new events come in, e.g. known bad file (8),
process launches from that file (9), process terminates leaving only bad file (8), etc.
The Asset score combined with the host Vulnerability and Patch status helps to prioritize
remediation along with Patching.

Navigate to the following URL to view the “Search Events and Incidents” tutorial:

http://ior.ad/7fU3

11
Hunt for Suspicious Activity
Adversaries, and cybercriminal organizations in particular, are building tools and using
techniques that are becoming so difficult to detect that organizations are having a hard
time knowing that intrusions are taking place.

Threat hunting is the proactive technique that’s focused on the pursuit of attacks and
the evidence that attackers leave behind when they’re conducting reconnaissance,
attacking with malware, or exfiltrating sensitive data.

Organizations need tools that not only detect and respond to threats, but can
proactively hunt them as well. Such tools can accelerate threat discovery to identify a
potential compromise before it’s too late.

Hunting Section
The Hunting section provides search and filter capabilities to quickly find all about your
incidents, events and assets in one place. You can search for incidents and assets in the
respective tabs in the similar way. You'll notice the Search box while viewing dynamic
lists of events, incidents, and assets. This is where you'll enter your search query. Enter
the value you want to match. As you start typing in the search box, you will see a
predefined list of query tokens that you can choose from.

Use query tokens to

search for specific events
or assets

12
EDR online help provides details on the search language and sample queries.

Once you have your search results you may want to organize them further into logical
groupings. Choose a group by option on the left side. You’ll see the number of events or
assets per grouping. Click on any grouping to update the search query and view the
matching events.

Tip - Use your queries to create dashboard widgets on the Dashboards tab.

You can download event search results to your local system you can easily manage
incidents or events outside of the Qualys platform and share them with other users. You
can export results in multiple formats (CSV, XML, PDF, DOC, PPT, HTML-ZIP, HTML-Web
Archive).

Threat Hunting Queries

Threat hunting is a combination of tools and techniques. Tools can provide information
across endpoints; how these tools are used constitute the techniques. Needless to say
that any technique you use is only effective with a proper understanding of your own IT
environment.

The following examples can be used to identify suspicious activity in your environment.

Suspicious use of system processes

Service Host (“svchost.exe”) is a system process that hosts multiple Windows services.
Normal usage is to use the “-k” argument to define the service (via DLL) to instantiate,
e.g. “svchost.exe -k imgsvc”. This will display the service name that is loaded by svchost.
Threat actors try to evade detection by injecting malware directly into svchost.exe
instead of calling their code directly, thus there is no “-k” argument. The following query
will easily identify such suspicious instances:
type: PROCESS and process.name: svchost.exe and action:
RUNNING and not process.arguments: “-k”

System process not running from windows directory

If a file named similar to a system process such as svchost.exe or csrss.exe
but is located in a directory other than "C:\Windows\System32\", this indicates that it
is not a system file and is malicious. You can identify instances of such system processes
not running from their expected locations by using the following query:
process.name:svchost.exe and type:process and not
process.fullPath:"C:\Windows\System32\svchost.exe"

13
PowerShell Execution Bypass
The PowerShell execution policy is the setting that determines which type of PowerShell
scripts (if any) can be run on the system. By default it is set to “Restricted“, which
basically means none. When PowerShell is invoked with the execution bypass argument
nothing is blocked and there are no warnings or prompts. Attackers can use this method
to launch PowerShell scripts and evade detection. The following query identifies such
PowerShell invocations:
type:PROCESS and process.name:powershell.exe and
process.arguments:"ExecutionPolicy Bypass"

PowerShell Obfuscation encoded command

The attacker could use PowerShell encoded commands in Base64 to obfuscate the
malicious activity to evade legacy antivirus and other traditional means of detection.
Executing PowerShell scripts with encoded commands could be an indicator of a
malicious attack. The following query can be easily used to identify such instances.
type:PROCESS and process.name:powershell.exe and
(process.arguments:"-encodedCommand" or
process.arguments:"-enc")

Process running from Recycle bin or TEMP location

The $RECYCLE.BIN has a special purpose in Windows Explorer so items inside of it
cannot be interacted with. This does not prevent the executables from being listed as a
service, start-up entry, or used from command line. So malware in such locations could
be dangerous as well. You can easily identify if any process was launched by a malicious
file in the recycle bin as illustrated by this query:
process.image.path:Recycle.bin

Process with network connection

Some attackers are writing their malware in Java, a language antivirus software doesn't
typically scan for. Java is a common platform in enterprises, and many data centres have
it on their white lists, allowing these applications to bypass security controls. Just
blocking the Java language isn't typically an option. So tracking suspicious activity
involving Java may come in handy to uncover such attacks. The following query
identifies any java processes making network connections where the environment may
not be configured to allow such an activity:
network.process.name:java or network.process.name:jre

14
Tracking Threats via Dashboards

Dashboards help you visualize your assets, see your threat exposure, leverage saved
searches, and remediate priority of malicious/suspicious events quickly. You can use the
default EDR dashboard provided by Qualys or easily configure widgets to pull
information from other modules/applications and add them to your dashboard. You can
also configure widgets to track remediations and to find if a host is getting re-infected
over time. You can add as many dashboards as you like to customize your vulnerability
posture view.

Note: Some of the queries mentioned in this lab activity are used at different places in
the lab tutorial. You may copy and paste the queries from this guide so as to avoid typing
the query in the lab tutorial.

Navigate to the following URL to view the “Hunt for Suspicious Activity” tutorial:

http://ior.ad/7gnT

15
Perform Remediation Action
After data that describes the threat has been collected, the business and technical
impact has been identified, and context data has been gathered — remediation can get
underway.

Remediation Actions
You can remediate malicious file events, using the following options:
• Quarantine File: Using this option, the file is encrypted and then moved to the
Quarantine folder (C:\ProgramData\Qualys\QualysAgent\Quarantine\) on your
asset. The Quarantine folder is automatically created once you upgrade to agent
4.0 and above. You can undo this action and restore the file to its original
position using the UnQuarantine option from the User Activity tab. For more
information, see UnQuarantine File.
• Delete File: Using this option, the file is permanently deleted from your asset.
You cannot undo this action.

For process, mutex, and network events, we provide Kill Process remediation action.
When you perform the Kill Process action for mutex or network events, it kills the
corresponding parent process.

Remediation actions can be performed for File, Process, Network, and Mutex events
from the Hunting section and from the Event Details page. The remediation options are
available only for:
- Events in Active\Current View
- Events that score between 1 to 10

Rule Based Alerts

Rule Based alerts provide ongoing detection even after you’ve completed your hunt,
automatically triggering alerts for similar malicious behaviour based on both historical
and real-time activity. This eliminates the need to manually search the same security
holes over and over by leveraging time-saving automation.

Under the “Responses” section, ”Actions” tab you need to first configure a rule Action
that will be used with the rule configured in the subsequent step.

16
Currently, EDR supports three actions: Send Email (Via Qualys), Post to Stack and Send
to Pager Duty for alerts.

Next, under “Rule Manager”, you need to create a rule with trigger conditions and rule
actions for sending the alert. EDR will use the rule action settings to send you the alerts.
You can monitor alerts under the “Activity” tab.

You can also create rules directly from custom queries used for searching events or
threat hunting as illustrated above.

Navigate to the following URL to view the “Perform Remediation Action” tutorial:

http://ior.ad/7fLG

17
Correlate Multiple Vectors for Prevention
Multi-vector attacks take advantage of common vulnerabilities, combining elements like
social engineering and ‘spear phishing’ e-mail messages with malicious attachments that
contains code that exploits known or unknown (zero-day) vulnerabilities on the target
system. While these attacks might rely on commodity malware, they are often
tailored to bypass most antivirus engines.

Qualys EDR creates a Single View of the Asset, showing threat hunting details unified
with other Qualys Cloud Apps for hardware and software inventory, vulnerability
posture, policy compliance controls, and file integrity monitoring change alerts for on-
premise servers, cloud instances, and off-net remote endpoints.

A single user interface significantly reduces the time required for incident responders
and security analysts to hunt, investigate, detect, and respond to threats before breach
or compromise can occur.

With combination of AI, VMDR, Patch Management (PM) and EDR you can eliminate the
root-cause of most malicious attacks by addressing exploitable vulnerabilities and
misconfigurations.

Eliminate Blind Spots

Endpoint security starts with visibility. Qualys Global Asset Inventory (AI) provides you a
single source of truth for your assets. It’s a central location where you can view your
data collected from your different sensors you’ve deployed. Data collected from your
sensors automatically populate into asset inventory. That data is then normalized and
categorized so you can better make sense of it and group it in many ways. Because
you’re getting an inventory, you are completing the first step of the security and
compliance teams which is visibility.

Qualys EDR comes with AI to gain visibility across the infrastructure. AI tells what
endpoints, servers, technologies you have in your environment. This provides vital
context needed for endpoint security and lets you know exactly where EDR can be
deployed for eliminating blind spots.
AI supports use of elastic queries which helps you quickly identify assets from your
infrastructure missing EDR capability. You can run search queries from the Assets or
Software tab from under the Inventory section in AI. The following query identifies
18
Windows assets with Cloud Agents that are not activated for EDR:
operatingSystem:"Windows" and not
sensors.activatedForModules:"IOC”

You can then create dynamic widgets to track if any endpoint with above conditions
does not have EDR. And you can tag such assets and assign them to a configuration
profile enabled for EDR.

Identify Assets with EOL Software

Every product has a lifecycle. The lifecycle begins when a product is released and ends
when it’s no longer supported. When software hits the end of its lifecycle, it no longer
receives updates from the vendor. If cybercriminals discover a vulnerability in such EOL
software, there is no guarantee that this vulnerability will be patched by the vendor.
Cybercriminals often tend to weaponize such a vulnerability and use it to their
advantage.

Timely response to security critical events becomes increasingly important if

EOL\obsolete and vulnerable software is present within the enterprise environment.

AI provides the necessary visibility into the asset and software inventory and EDR can
monitor activity on such assets and allow timely response to contain or eradicate
threats and prevent any breach\compromise from spreading across the enterprise
infrastructure.

The following query identifies Windows assets with EOL software:

operatingSystem: windows and software:
(lifecycle.stage:EOL)

Going further, you can identify Windows assets that are not enabled for EDR and which
have EOL software of the category “Network Application/ Internet Browser” using the
following query:
operatingSystem: windows and software:
((lifecycle.stage:EOL) and category:`Network Application /
Internet Browser`) and not sensors.activatedForModules:IOC

Identify Vulnerabilities with Malware Associations

In the hunting tab you can see Incidents related to different malware categories such as
trojans, backdoors, exploits and so on. You can then run queries under the

19
Vulnerabilities tab in the VMDR app to easily find out all vulnerabilities linked to the
specific malware categories. The following is a sample query to find vulnerabilities
linked to the malware category:
vulnerabilities: threatintel.malware = true and
vulnerabilities: threatintel.malware.malwarename=TROJ

From there, you can identify the assets with these vulnerabilities by simply switching the
search result to display asset information.

Identify Vulnerabilities associated with RTIs

Qualys Threat Protection allows you focus on vulnerabilities that have threats
associated with them. These RTI’s correlate asset vulnerabilities to external threat
vectors such as actively attacked vulnerabilities, wormable threat, zero-days, denial of
service attacks, high lateral movement, etc.

By correlating vulnerability information with threat intelligence and asset context, you
can quickly “zero in” on your highest risk vulnerabilities and quickly patch them.

The following is a sample query to look for assets with at least one vulnerability that is
considered wormable and is known to cause high data loss:
vulnerabilities.vulnerability.threatIntel:(wormable:"TRUE"a
nd highDataLoss:"true")

Address Vulnerabilities with PM

After identifying assets with exploitable vulnerabilities, you can quickly find out all
missing patches for these exploitable vulnerabilities. Then using VMDR’s integrated
workflows for Patch Management (PM), you can create a patch job to patch all such
vulnerabilities across the environment, which otherwise could have been exploited and
your team would need to put in time to detect, investigate, again correlate and respond
to such incidents.
20
Identify and Address Misconfiguration
An adversary may identify and exploit weaknesses in the configuration of your
infrastructure. These weaknesses could include architectural flaws, misconfigurations,
or improper security controls. Searching for failing controls mapped to spread of
malware or ransomware or controls mapped to MITRE technique may help identify such
misconfigurations and reduce the attack surface.

Combining this context with EDR provides for better threat investigation and assists in
fixing misconfiguration that may otherwise lead to malware infections in your
environment.

Note: Some of the queries mentioned in this lab activity are used at different places in
the lab tutorial. You may copy and paste the queries from this guide so as to avoid typing
the query in the lab tutorial.

Navigate to the following URL to view the “Correlate Multiple Vectors for Prevention”
tutorial:

http://ior.ad/7fUF

21
EDR Certification Exam
Participants in this training course have the option to take the EDR
Certification Exam. This exam is provided through our Learning Management
System (qualys.com/learning).
To take the exam, candidates will need a “learner” account.

If you would like to take the exam, but do not already have a “learner” account, click the
“Request a new account” link, from the “Qualys Training & Certification” login page
(qualys.com/learning).

Once you have created a “learner” account (and for those who already have an
account), click the following link to access the “Qualys Multi-Vector Endpoint Detection
and Response - QSC 2020” course page:

https://gm1.geolearning.com/geonext/qualys/scheduledclassdetails4enroll.geo?id=2251106565
3

22
From the “Qualys Multi-Vector EDR – QSC 2020” course page, click the “Enroll” button
(lower-right corner).

After successfully completing the course enrollment, click the “Launch” button, for
the Qualys EDR certification Exam.

Each candidate is provided five attempts to pass the exam.

23
With a passing score of 75% (or greater), click the “Print Certificate” button to
download and print your course exam certificate.

24