Configure EDR settings

You can enable EDR module for a profile, and configure what events are transmitted to the Qualys Cloud Platform.

(1) Toggle Enable EDR module for this profile to ON. This is required for EDR data collection to occur.

(2) Configure what EDR artifacts are transmitted to the Qualys Cloud Platform. Defaults are provided as shown, so this step is optional. You can configure values for max event log size, payload threshold time, and maximum disk usage for EDR data. Toggle a configuration setting to ON before you using it. You must set at least one configuration setting to ON if you have enabled EDR for this profile.

Sample CA configuration profile showing EDR settings

(EDR settings are available only when EDR is enabled for your subscription)

Configure settings constitute the time lapse after which the following types of EDR events are transmitted to the Qualys Cloud Platform:

Max event log size - EDR events are transmitted to the Qualys Cloud platform when the EDR event log file reaches the maximum specified size. You can specify a file size between 10 KB and 10240 KB. Default is 1024 KB. This value can be lower if the Payload threshold time is lower.

Payload threshold time - EDR events are transmitted to the Qualys Cloud platform when the EDR payload threshold time is hit, ie., the specified seconds elapse after the previous payload was sent to the Qualys cloud Platform. You can specify a threshold between 30 seconds and 1800 seconds. Default is 60 seconds. This value is lower the better to prevent data loss on busy systems.

Maximum disk usage for EDR Data - This is the maximum size on disk available to a Cloud Agent for caching EDR events to be sent to the Qualys Cloud Platform for processing . If the maximum size is reached, the oldest events are deleted in order to create space for newly generated events. You can specify a disk usage size between 100 MB and 2048 MB. Default is 1024 MB.