Qualys TotalCloud 2.20.0 Release Updates
Qualys TotalCloud 2.20.0 introduces new capabilities, features, and updates. The release is expected to be available by mid-December 2025.
QQL Search Token Standardization
We have implemented Qualys Query Language (QQL) token standardization across all Qualys applications. This update introduces a unified naming convention for both common and TotalCloud-specific tokens, improving consistency and usability.
Key Benefits
- Standardized Token Names: Tokens now follow the structured format provider.entity.attribute (e.g., aws.account.status), where the provider identifies the cloud platform, the entity specifies the object, and the attribute defines the property.
- Backward Compatibility: Existing Dashboard widgets and Saved Search Queries continue to support old tokens in edit mode, ensuring no disruption to current workflows.
- Improved Interoperability: This update streamlines QQL queries, enhances interoperability across all Qualys products, and ensures a smoother user experience while maintaining backward compatibility for existing configurations.
CSPM Enhancements
To ensure your environment remains protected, Qualys CSPM is continuously updated with the latest controls and changes introduced by cloud providers. These updates keep your security checks current and aligned with evolving cloud configurations, so you always have the most relevant and effective protections in place.
Event-Driven Connector Processing (Beta)
We are excited to introduce Event-Driven Connector Processing (beta), a major advancement in how Qualys TotalCloud interacts with your AWS environment. This intelligent processing model shifts connectors from scheduled full scans to a responsive, event-aware approach.
How does it work?
- Connectors continue to run on their defined schedules; however, instead of performing comprehensive inventory sweeps each time, they now leverage AWS EventBridge to detect changes and limit API calls exclusively to resource types with detected modifications.
- When a change occurs, such as an S3 bucket update in us-east-1, the connector fetches inventory only for that specific resource type within the affected region, dramatically reducing redundant processing while maintaining complete visibility.
- To maintain data integrity, a full inventory sweep is automatically executed every 48 hours regardless of event activity.
- Additionally, users gain visibility into deleted resources using the deletedFromCloud:true/false QQL token in the Inventory and Posture pages, with this field also included in CSV Assessment reports.
This feature is currently available for AWS Commercial Cloud connectors and can be enabled by contacting Qualys Support, who will provide a CloudFormation Template (CFT) for deployment in your AWS environment.
Updates to CIS Version
We have updated our CSPM policy library for the CIS Foundations Benchmarks to ensure your compliance assessments align with the latest industry standards and security best practices.
The updated support now includes:
- CIS Microsoft Azure Foundations Benchmark v4.0.0
- CIS Google Cloud Platform Foundation Benchmark v4.0.0
- CIS Oracle Cloud Infrastructure Foundations Benchmark v3.0.0
Key Benefits:
- Latest Security Standards: Incorporates updated recommendations to address evolving threats and compliance requirements.
- Improved Accuracy & Coverage: Reflects recent cloud provider changes for more precise risk assessments and fewer false positives.
Deprecated Controls
When cloud providers deprecate specific services or features, the corresponding Qualys CSPM controls are also deprecated to maintain alignment.
This ensures your compliance posture accurately reflects the current state of your cloud environments, eliminating outdated or irrelevant findings.
For detailed information on impacted controls, refer to the control metadata for:
Key Benefits:
- Enhanced Accuracy: Eliminates false positives and reduces noise in reports by removing checks for cloud features or configurations that are no longer supported or relevant.
- Streamlined Policy Management: Reduces the operational overhead of maintaining obsolete rules, allowing teams to focus their remediation efforts on active and valid security risks.
| Reason for Deprecation | Deprecated Controls (identifiers) |
|---|---|
| Azure no longer supports MariaDB as of September 19, 2025; it was migrated to Azure Database for MySQL – Flexible Server | 50109, 50110, 50111, 50112, 50113 |
| Azure Database for PostgreSQL – Single Server was retired on March 28, 2025, and migrated to Flexible Server | 50040, 50041, 50042, 50043, 50044, 50045, 50074, 50096, 50115, 50116, 50117, 50118, 50119, 50120, 50132, 50177, 50240, 50349 |
| Azure Database for MySQL – Single Server service has been retired on September 16, 2024. | 50039, 50103, 50104, 50105, 50106, 50107, 50131, 50263, 50268, 50445, 50446 |
| Amazon Web Services (AWS) has announced the discontinuation of its Amazon Quantum Ledger Database (QLDB) by July 31, 2025. | 180, 251, 384 |
For more updates on the control changes, please refer to TotalCloud Release Notes for TotalCloud 2.20, which will be published soon.
IaC Security: SARIF Format Enhancements
Qualys is addressing inconsistencies in the SARIF output for IaC Scan to ensure seamless integration with GitHub Actions Code Scanning Alerts.
The SARIF file will now populate the level field under Results with the appropriate criticality (High, Medium, or Low) instead of defaulting to “Error” for all findings. Additionally, URIs in the SARIF response will be updated to comply with SARIF v2.0 standards, removing the leading slash (/) to align with the specification.
These fixes ensure accurate severity reporting and broader interoperability with GitHub and other SARIF-compliant tools.
Key Benefits:
- Accurate Severity Mapping: Findings in GitHub Actions will reflect the true criticality (High/Medium/Low) instead of a generic “Error,” enabling better prioritization of risks.
- Standards-Compliant Output: SARIF v2.0-compliant URI formatting ensures reliable parsing by GitHub and other tools, reducing integration errors and improving workflow consistency.
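A pre-upload check for the two issues described in this section, added here as an illustration and not Qualys code: it counts `level` values, flags the case where every finding is reported as `error`, and lists artifact URIs that start with `/`. The sample document, rule IDs and paths are constructed; the field paths (`runs[].results[].level`, `locations[].physicalLocation.artifactLocation.uri`) are the standard SARIF ones.

```python
import json
from collections import Counter

# Constructed sample, trimmed to the fields this check reads. Rule IDs and
# paths are placeholders, not real scanner output.
SAMPLE_SARIF = json.loads("""
{"runs": [{"results": [
  {"ruleId": "EXAMPLE-IAC-001", "level": "error",
   "locations": [{"physicalLocation": {"artifactLocation": {"uri": "/terraform/main.tf"}}}]},
  {"ruleId": "EXAMPLE-IAC-002", "level": "error",
   "locations": [{"physicalLocation": {"artifactLocation": {"uri": "terraform/s3.tf"}}}]}
]}]}
""")

def _artifact_locations(sarif):
    """Yield (result, artifactLocation dict) for every result location."""
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                art = loc.get("physicalLocation", {}).get("artifactLocation")
                if art is not None:
                    yield result, art

def audit_sarif(sarif):
    """Return (level counts, [(ruleId, uri)] with a leading slash, uniform-error flag)."""
    levels = Counter(
        str(result.get("level", "<missing>")).lower()
        for run in sarif.get("runs", [])
        for result in run.get("results", [])
    )
    bad_uris = [(r.get("ruleId"), a["uri"]) for r, a in _artifact_locations(sarif)
                if a.get("uri", "").startswith("/")]
    # Every finding reported as "error" is the symptom the release note describes.
    uniform_error = sum(levels.values()) > 1 and set(levels) == {"error"}
    return levels, bad_uris, uniform_error

def strip_leading_slashes(sarif):
    """Make artifact URIs relative in place; return how many were changed."""
    changed = 0
    for _, art in _artifact_locations(sarif):
        uri = art.get("uri", "")
        if uri.startswith("/"):
            art["uri"] = uri.lstrip("/")
            changed += 1
    return changed

if __name__ == "__main__":
    levels, bad_uris, uniform = audit_sarif(SAMPLE_SARIF)
    print(dict(levels), bad_uris, "all findings are 'error':", uniform)
    print("URIs rewritten:", strip_leading_slashes(SAMPLE_SARIF))
```

Running the audit in the pipeline step before the SARIF upload makes a regression in either field visible as a failed check rather than as mis-prioritized or unlinked alerts.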
CDR Enhancements
Enhanced CSV Reports: MITRE Information Added
We have enhanced the CSV reports for CDR threats generated through the UI to include comprehensive MITRE ATT&CK framework data. The reports now contain two additional fields: MITRE TACTICS and MITRE TECHNIQUES, with the techniques column also listing the corresponding MITRE rule IDs.
This update provides deeper context for security findings and improves alignment with established threat-classification standards.
Key Benefits:
- Improved Threat Context: Quickly identify which adversary tactics and techniques are associated with each finding, enabling faster and more informed incident analysis.
- Streamlined Compliance & Reporting: Easily map detections to the MITRE ATT&CK framework for security audits, executive reporting, and integration with existing threat intelligence workflows.
Resources
Find out how TotalCloud™ brings the power of a risk-minded CNAPP to your cloud environment: Learn more about TotalCloud CNAPP.
Additional Resources
- Get online Help for TotalCloud, Connectors, and TotalCloud API User Guide
- Explore How-to Training Videos
If you have questions, please contact your Technical Account Manager (TAM) or Qualys Technical Support.
