
Installing the QRadar® EDR Agent on Windows

Introduction

The QRadar® EDR (Endpoint Detection and Response) agent is software that can be installed on endpoints, such as laptops, desktops, and servers, to collect and analyze security-related data.

As a part of AXS Guard’s Observe & Protect solution, this data can be used to quickly identify, analyze and respond to cyberattacks.

This manual serves as a guide for administrators and IT professionals on the installation, configuration, and usage of the QRadar EDR agent.

Downloading the Installer

To download the installer, you must log in to the AXS Guard Cloud and proceed to the Endpoint Central dashboard. Use the credentials provided in your order confirmation. 2FA is required.

Running the Installer

Requirements

Important

  • Administrator privileges are required when running the installer.
  • If you are installing the QRadar EDR Agent on an endpoint that is not the same endpoint where you downloaded the agent, copy the installer file to the other endpoint.
  • In an MSSP deployment, you must specify a group ID when you install the QRadar EDR agent, otherwise the endpoint registration will fail. Select the groups in the Parameters section to get the group IDs.

Parameters

Parameter             Description
URL                   Hive server URL: https://reaqta.axsguard.cloud:5225.
Group IDs             A comma-separated list of group IDs. At least one group ID is required in MSSP deployments, for example: --gids 123456789123456789. The group IDs must be retrieved from the Endpoint Central dashboard in the AXS Guard Cloud, specifically from the same location where you downloaded the installer.
Proxy                 If you are connecting to the Internet through a proxy, specify the proxy URL and port, for example: --proxy http://proxy.example.com:3128. Support is limited to unauthenticated proxies only.
Server installation   Use the --server parameter to install the agent on a Windows server.
VDI                   QRadar EDR supports Citrix virtual desktop infrastructures. The agent must be installed on the master image by adding the --vdi parameter. Make sure to have enough licenses available before the provisioning. Then, switch off the master image endpoint and provision the infrastructure.
Installer             The file name of the installer that you downloaded.

Manual Installation

  1. Log in with a user account that has administrative privileges and go to the folder where you downloaded the installer.
  2. Double-click on the installer.
  3. Enter the parameters that are required to successfully register the QRadar EDR agent.

Windows Command Line

  1. Open the Windows Start menu and type cmd.exe.
  2. Next, right-click on cmd.exe in the programs list, then click on "Run as administrator".
  3. Go to the folder where you downloaded the installer, e.g. cd Downloads.
  4. Enter the following command, using the provided group ID.

    msiexec /i ReaqtaHive.msi /qbn /norestart /quiet IPFORM="https://reaqta.axsguard.cloud:5225 --gids xxx"
    
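The command above is easy to get wrong by hand (a stray quote or space in the IPFORM value, a missing group ID, or a non-elevated prompt). The following PowerShell script is an added example, not AXS Guard or IBM code: it builds the IPFORM value from the parameters listed in the Parameters section and runs the same msiexec command with a verbose MSI log. It assumes that the --gids, --proxy, --server and --vdi switches are all passed inside the IPFORM string and that the installer is named ReaqtaHive.msi; the log path and the numeric-only check on group IDs are the script's own choices.

```powershell
# Added example (not AXS Guard or IBM code): wrap the msiexec installation
# command so the IPFORM value is built consistently from the documented parameters.
# Assumptions: --gids/--proxy/--server/--vdi all go inside IPFORM; installer is ReaqtaHive.msi.
[CmdletBinding()]
param(
    [string]   $Installer = 'ReaqtaHive.msi',
    [string]   $HiveUrl   = 'https://reaqta.axsguard.cloud:5225',
    [string[]] $GroupIds  = @(),      # required in MSSP deployments
    [string]   $Proxy,                # e.g. http://proxy.example.com:3128 (unauthenticated proxies only)
    [switch]   $Server,               # installing on a Windows server
    [switch]   $Vdi,                  # installing on a Citrix master image
    [string]   $LogPath = (Join-Path $env:TEMP 'ReaqtaHive-install.log')   # assumed log location
)

# The installer requires administrative privileges; fail early rather than half-way through.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Run as administrator) PowerShell session.'
}

if (-not (Test-Path -LiteralPath $Installer)) {
    throw "Installer not found: $Installer (copy it to this endpoint first)."
}

# Group IDs are long numbers; a stray space or quote in the command line is a
# common reason why registration fails in MSSP deployments.
foreach ($gid in $GroupIds) {
    if ($gid -notmatch '^\d+$') { throw "Group ID '$gid' is not numeric." }
}

# Build the IPFORM value: Hive URL first, then the optional switches.
$ipform = $HiveUrl
if ($GroupIds.Count -gt 0) { $ipform += " --gids $($GroupIds -join ',')" }
if ($Proxy)  { $ipform += " --proxy $Proxy" }
if ($Server) { $ipform += ' --server' }
if ($Vdi)    { $ipform += ' --vdi' }

# Same switches as the documented command line, plus a verbose MSI log (/l*v).
$arguments = @(
    '/i', "`"$((Resolve-Path -LiteralPath $Installer).Path)`"",
    '/qbn', '/norestart', '/quiet',
    '/l*v', "`"$LogPath`"",
    "IPFORM=`"$ipform`""
)

Write-Host "msiexec $($arguments -join ' ')"
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $arguments -Wait -PassThru

# Standard Windows Installer exit codes: 0 = success, 3010 = success, reboot required.
switch ($proc.ExitCode) {
    0       { Write-Host 'Installation finished. Check the Endpoint Central dashboard for a green dot.' }
    3010    { Write-Host 'Installation finished; a reboot is required.' }
    default { throw "msiexec exited with code $($proc.ExitCode); see the MSI log at $LogPath" }
}
```

Typical use from an elevated PowerShell prompt in the download folder: `.\Install-QRadarEdrAgent.ps1 -GroupIds 123456789123456789 -Proxy http://proxy.example.com:3128`. The MSI log complements the rqt file described under Troubleshooting when registration fails.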

Installation Through GPO

A Group Policy Object (GPO) can be used to install the QRadar EDR agent on Windows endpoints. Refer to the official IBM Security QRadar documentation for additional information and detailed steps.

Verifying the Agent Status

You can verify the successful installation of the agent via the Endpoint Central dashboard in the AXS Guard Cloud. A green dot indicates that the endpoint was successfully registered and is being monitored.

Uninstalling the Agent

Agents are uninstalled automatically when your license expires, or when your client is deleted. You can also uninstall an agent for a specific endpoint from the dashboard if needed.

Troubleshooting

During installation, an rqt file is generated in the Windows %temp% folder. This file contains valuable troubleshooting information. If the agent is unable to reach the Hive server, verify the following:

Checking the registration URL:

Ensure the Hive server URL specified in the agent configuration matches the actual address of the Hive server. A mismatch in the address will prevent the agent from establishing a connection.

Verifying direct endpoint access:

Test whether the endpoint computer can directly reach the Hive server without any interference from third-party software, such as Man-in-The-Middle products or authenticated proxies. These intermediaries can sometimes block or modify network traffic, hindering communication between the agent and the Hive server.

Examining Windows firewall settings:

Check the Windows firewall configuration to ensure that the agent is not being blocked from accessing the Hive server. The firewall may have default rules that restrict certain types of connections, potentially affecting the agent's ability to communicate with the Hive server.

Evaluating the Hive server status:

Check the server response codes. If the Hive server is down or has network connectivity issues, it will prevent the agent from successfully registering.

Response code                                              Description
409                                                        The endpoint is already registered. Check the endpointId field for details. This error is often associated with a cloned machine. Sysprep may be necessary in such cases.
442 invalid-license-max-endpoints                          Too many registered endpoints; the license cap is reached. Add more licenses or remove existing endpoints.
442 invalid-license-error-during-into-group-registration   The gids parameter is missing, which is required with an MSSP installation.
503 license-not-ready-error                                Contact support for assistance.
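The four checks above can be run from one PowerShell script on the affected endpoint. The script below is an added example, not AXS Guard or IBM code: it confirms the registration URL, tests direct reachability and inspects the TLS certificate the endpoint actually receives (an intercepting product terminates TLS itself, so the issuer it shows is the interceptor's CA rather than the Hive server's), lists enabled outbound Windows Firewall block rules that could affect the Hive port, probes the server for an HTTP status and maps it to the response codes in the table, and locates the newest rqt file. It assumes the Hive URL from the Parameters section, that the rqt file matches the name pattern *.rqt in %temp%, and that a probe of the server's root URL is enough to show whether the server answers at all.

```powershell
# Added example (not AXS Guard or IBM code): run the troubleshooting checks for an
# endpoint that cannot reach the Hive server. Assumptions: Hive URL from the
# Parameters table; rqt file matched as *.rqt in %temp%; root URL probe shows reachability.
[CmdletBinding()]
param([string]$HiveUrl = 'https://reaqta.axsguard.cloud:5225')

$uri = [System.Uri]$HiveUrl

# Check 1: registration URL. Print what the agent would use so a typo is obvious.
Write-Host "Registration URL : $($uri.Scheme)://$($uri.Host):$($uri.Port)"
if ($uri.Scheme -ne 'https') { Write-Warning 'The Hive URL should use https.' }

# Check 2: direct access. First, can the endpoint open a TCP connection to the Hive port?
$tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
Write-Host "TCP connect      : $($tcp.TcpTestSucceeded)"

# Then look at the TLS certificate actually presented. A Man-in-the-Middle product
# returns its own certificate, so the issuer is the corporate CA, not the public CA.
function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback accepts every certificate: we only read it here, we do not trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Dispose()
    }
}
if ($tcp.TcpTestSucceeded) {
    $cert = Get-PresentedCertificate -HostName $uri.Host -Port $uri.Port
    Write-Host "TLS subject      : $($cert.Subject)"
    Write-Host "TLS issuer       : $($cert.Issuer)"
    Write-Host "Chain trusted    : $($cert.Verify())"   # False when an interceptor's CA is not in the store
}

# Check 3: enabled outbound Windows Firewall rules that block traffic to the Hive port (or any port).
$blocks = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue
foreach ($rule in $blocks) {
    $ports = ($rule | Get-NetFirewallPortFilter).RemotePort
    if (($ports -contains 'Any') -or ($ports -contains "$($uri.Port)")) {
        Write-Warning "Outbound block rule may affect the agent: $($rule.DisplayName) (RemotePort=$ports)"
    }
}

# Check 4: Hive server status. Map the HTTP status to the response codes documented above.
$codeMeaning = @{
    409 = 'Endpoint already registered (often a cloned machine; Sysprep may be needed).'
    442 = 'License problem: endpoint cap reached, or --gids missing in an MSSP installation.'
    503 = 'license-not-ready-error: contact support.'
}
try {
    $resp   = Invoke-WebRequest -Uri $HiveUrl -UseBasicParsing -TimeoutSec 10
    $status = [int]$resp.StatusCode
} catch {
    # A non-2xx answer still proves the server responded; no Response means no connection.
    $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 }
}
$meaning = if ($codeMeaning.ContainsKey($status)) { $codeMeaning[$status] } else { 'see the rqt file for details' }
Write-Host "HTTP status      : $status ($meaning)"

# Finally, locate the newest rqt file so it can be attached to a support request.
$rqt = Get-ChildItem -Path $env:TEMP -Filter '*.rqt' -ErrorAction SilentlyContinue |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($rqt) { Write-Host "rqt log          : $($rqt.FullName)" }
else      { Write-Host 'rqt log          : not found in %temp%' }
```

Run it in an elevated PowerShell session on the endpoint (the firewall cmdlets need it). A status of -1 with a failed TCP connect points at network or firewall issues; a successful TCP connect with an unexpected TLS issuer points at an intercepting proxy; a 409, 442 or 503 from the server is explained by the table above.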

Support

If you encounter a problem

If you encounter any issues with the QRadar EDR agent, don't hesitate to reach out to our technical support department.

Contact Information

(+32) 15-504-400
support@axsguard.com