
Installing the QRadar EDR Agent on Windows

Introduction

The QRadar EDR (Endpoint Detection and Response) agent is software that can be installed on endpoints, such as laptops, desktops, and servers, to collect and analyze security-related data.

As a part of AXS Guard’s Observe & Protect solution, this data can be used to quickly identify, analyze and respond to cyberattacks.

This manual serves as a guide for administrators and IT professionals on the installation, configuration, and usage of the QRadar EDR agent.

Downloading the Installer

  1. Log in to the AXS Guard Cloud with the credentials provided in your order confirmation (2FA is required) and open the Endpoint Central dashboard.

  2. Go to Administration > Update Manager.

  3. Select the appropriate Hive Package.
  4. Select the Installer Download tab.
  5. Click Download.

Important

  • If the endpoint you are installing on is not the one where you downloaded the agent, copy the installer file to that endpoint first.
  • Administrator privileges are required to run the installer.
  • In an MSSP deployment, you must specify a group ID when you install the QRadar EDR agent; otherwise endpoint registration fails. Select the groups in the Parameters section to obtain the group IDs.

Running the Installer

Parameters

URL
  Hive server URL: https://reaqta.axsguard.cloud:5225.

Group IDs
  A comma-separated list of group IDs. At least one group ID is required in MSSP deployments, for example: --gids 123456789123456789. The group IDs must be retrieved from the Endpoint Central dashboard in the AXS Guard Cloud, in the same location where you downloaded the installer.

Proxy
  If you connect to the Internet through a proxy, specify the proxy URL and port, for example: --proxy http://proxy.example.com:3128. Only unauthenticated proxies are supported.

Installer
  The file name of the installer that you downloaded.

Manual Installation

  1. Log in with a user account that has administrative privileges and go to the folder where you downloaded the installer.
  2. Double-click on the installer.
  3. Enter the parameters that are required to successfully register the QRadar EDR agent (see Parameters above).

Windows Command Line

  1. Open the Windows Start menu and type cmd.exe.
  2. Right-click cmd.exe in the programs list and click Run as administrator.
  3. Go to the folder where you downloaded the installer, e.g. cd Downloads.
  4. Enter the following command, replacing xxx with your group ID(s):

    msiexec /i ReaqtaHive.msi /qbn /norestart /quiet IPFORM="https://reaqta.axsguard.cloud:5225 --gids xxx"
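
The same unattended installation as a PowerShell script, with a verbose Windows Installer log and exit-code handling. This is an added example and is not part of the AXS Guard or IBM documentation. It assumes the installer is saved as ReaqtaHive.msi in the current folder; the group ID and proxy values are placeholders that you must replace. The /qn, /norestart and /L*v switches are standard msiexec options, and the layout of the IPFORM property follows the command above.

```powershell
# Added example (not AXS Guard / IBM code): unattended install of the
# QRadar EDR agent with msiexec, logging and exit-code checks.
# Assumptions: ReaqtaHive.msi sits in the current folder; the group ID
# and proxy values below are placeholders.
$HiveUrl  = 'https://reaqta.axsguard.cloud:5225'   # from the documentation
$GroupIds = '123456789123456789'                   # placeholder: copy yours from Endpoint Central
$Proxy    = ''                                      # e.g. 'http://proxy.example.com:3128' (unauthenticated only)
$Msi      = Join-Path $PWD 'ReaqtaHive.msi'
$Log      = Join-Path $env:TEMP 'ReaqtaHive-install.log'

# Refuse to continue unless elevated: under /qn a non-elevated msiexec fails with no visible error.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}
if (-not (Test-Path $Msi)) { throw "Installer not found: $Msi" }

# Build the IPFORM property the way the manual installer expects it:
#   "<hive url> --gids <id[,id...]> [--proxy <url:port>]"
$ipform = "$HiveUrl --gids $GroupIds"
if ($Proxy) { $ipform += " --proxy $Proxy" }

$msiArgs = @(
    '/i', "`"$Msi`"",
    '/qn', '/norestart',
    '/L*v', "`"$Log`"",
    "IPFORM=`"$ipform`""
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0    { Write-Host 'Agent installed; confirm the green dot in Endpoint Central.' }
    3010 { Write-Warning 'Agent installed, but Windows Installer requests a reboot (exit code 3010).' }
    default {
        Write-Error "msiexec exited with code $($proc.ExitCode); see $Log"
        # The agent records registration failures in %TEMP%\rqt*; show the newest file.
        Get-ChildItem -Path $env:TEMP -Filter 'rqt*' -File |
            Sort-Object LastWriteTime -Descending |
            Select-Object -First 1 |
            ForEach-Object {
                Write-Host "Agent failure log: $($_.FullName)"
                Get-Content -Path $_.FullName -Tail 40
            }
    }
}
```

Exit code 0 only means the MSI completed; registration with the Hive server is confirmed by the green dot in Endpoint Central (see Verifying the Agent Status). If the endpoint stays grey, the rqt* file printed above is where the registration error is recorded.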
    

Installation Through GPO

A Group Policy Object (GPO) can be used to install the QRadar EDR agent on Windows endpoints. Refer to the official IBM Security QRadar documentation for additional information and detailed steps.

Verifying the Agent Status

You can verify the successful installation of the agent via the Endpoint Central dashboard in the AXS Guard Cloud.

  1. Select Endpoints in the top pane.
  2. Search for the endpoint by entering its name, e.g. DESKTOP-JOHNDOE.

A green dot indicates that the endpoint was successfully registered and is now being monitored.

Uninstalling the Agent

Agents are uninstalled automatically when your license expires, or when your client is deleted. You can also uninstall an agent for a specific endpoint from the dashboard if needed.

Troubleshooting

During installation, a file whose name starts with rqt is written to the %temp% folder. This file contains information about failures. If the agent is unable to reach the Hive server, verify the following:

Checking the registration URL:

Ensure the registration URL specified in the agent configuration matches the actual address of the Hive server. A mismatch in the address will prevent the agent from establishing a connection.

Verifying direct endpoint access:

Test whether the endpoint can reach the Hive server directly, without interference from third-party software such as man-in-the-middle (TLS inspection) products or authenticated proxies. These intermediaries can block or modify network traffic and prevent the agent from communicating with the Hive server.

Examining Windows firewall settings:

Check the Windows firewall configuration to ensure that the agent is not being blocked from accessing the Hive server. The firewall may have default rules that restrict certain types of connections, potentially affecting the agent's ability to communicate with the Hive server.
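
The direct-access and firewall checks above, as a PowerShell script. This is an added example and is not part of the AXS Guard or IBM documentation; only the host name and port come from the Hive URL on this page. Test-NetConnection, Get-NetFirewallRule and netsh are built-in Windows tools. The TLS probe uses .NET's SslStream to show which certificate the endpoint actually receives: a chain error, or an issuer that is your own inspection CA rather than the Hive server's, means a man-in-the-middle product sits in the path.

```powershell
# Added example (not AXS Guard / IBM code): checks whether this endpoint
# can reach the Hive server directly and whether TLS is being intercepted.
# Only the host name and port are taken from the documentation.
$HiveHost = 'reaqta.axsguard.cloud'
$HivePort = 5225

# 1. Name resolution and TCP reachability.
$tcp = Test-NetConnection -ComputerName $HiveHost -Port $HivePort -WarningAction SilentlyContinue
"Resolved: $($tcp.RemoteAddress)  TCP ${HivePort}: $($tcp.TcpTestSucceeded)"
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP ${HiveHost}:${HivePort} is unreachable; check the Windows firewall and upstream filtering."
}

# 2. System-wide WinHTTP proxy. The agent supports unauthenticated proxies only,
#    and a proxy that is forced here must also be passed with --proxy at install time.
netsh winhttp show proxy

# 3. Enabled outbound block rules in the Windows firewall that could catch the agent.
Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True |
    Select-Object DisplayName, Profile |
    Format-Table -AutoSize

# 4. TLS: complete a handshake and inspect the certificate actually received.
$script:policyErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $cert, $chain, $errors)
    $script:policyErrors = $errors
    return $true   # accept only so we can inspect; never do this in production code
}
$client = New-Object System.Net.Sockets.TcpClient
$ssl = $null
try {
    $client.Connect($HiveHost, $HivePort)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($HiveHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    [pscustomobject]@{
        Protocol    = $ssl.SslProtocol
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        ChainErrors = $script:policyErrors
    }
    if ($script:policyErrors -ne 'None') {
        Write-Warning "Certificate did not validate ($script:policyErrors): TLS interception or a wrong Hive URL."
    }
} catch {
    Write-Warning "TLS handshake with ${HiveHost}:${HivePort} failed: $($_.Exception.Message)"
} finally {
    if ($ssl) { $ssl.Dispose() }
    $client.Dispose()
}
```

Run the script on the affected endpoint as the same account the installer ran under. If the Issuer shown in step 4 is your organisation's TLS inspection CA, exempt the Hive host and port from inspection before reinstalling the agent.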

Evaluating the Hive server status:

Check the server response codes. If the Hive server is down or has network connectivity issues, it will prevent the agent from successfully registering.

409
  The endpoint is already registered. Check the endpointId field for details. This error is often associated with a cloned machine; Sysprep may be necessary in such cases.

442 invalid-license-max-endpoints
  Too many registered endpoints; the license cap is reached. Add more licenses or remove existing endpoints.

442 invalid-license-error-during-into-group-registration
  The gids parameter is missing. It is required for an MSSP installation.

503 license-not-ready-error
  Contact support for assistance.

Support

If you encounter a problem

If you encounter any issues with the QRadar EDR agent, contact our technical support department.

Contact Information

(+32) 15-504-400
support@axsguard.com