Installing the QRadar EDR Agent on Windows
The QRadar EDR (Endpoint Detection and Response) agent is software that can be installed on endpoints, such as laptops, desktops, and servers, to collect and analyze security-related data.
As a part of AXS Guard’s Observe & Protect solution, this data can be used to quickly identify, analyze and respond to cyberattacks.
This manual serves as a guide for administrators and IT professionals on the installation, configuration, and usage of the QRadar EDR agent.
Downloading the Installer
Log in to the AXS Guard Cloud and proceed to the Endpoint Central dashboard by logging in with the credentials provided in your order confirmation. 2FA is required.
Go to Administration > Update Manager.
- Select the appropriate Hive Package.
- Select the Installer Download tab.
- Click Download.
- If you are installing the QRadar EDR Agent on an endpoint that is not the same endpoint where you downloaded the agent, copy the installer file to the other endpoint.
- Administrator privileges are required when running the installer.
In an MSSP deployment, you must specify a group ID when you install the QRadar EDR agent; otherwise, the endpoint registration will fail. Select the groups in the Parameters section to get the group IDs.
Running the Installer
|Hive server URL:
|A comma-separated list of group IDs. At least one group ID is required in MSSP deployments, for example: --gids 123456789123456789. The group IDs must be retrieved from the Endpoint Central dashboard in the AXS Guard Cloud, specifically from the same location where you downloaded the installer.
|If you are connecting to the Internet through a proxy, specify the proxy URL and port, for example: --proxy http://proxy.example.com:3128. Support is limited to unauthenticated proxies only.
|The file name of the installer that you downloaded.
- Log in with a user account that has administrative privileges and go to the folder where you downloaded the installer.
- Double-click on the installer.
Enter the parameters that are required to successfully register the QRadar EDR agent.
Windows Command Line
- Open the Windows Start menu and type
- Next, right-click on cmd.exe from the programs list, then click on Run as administrator.
- Go to the folder where you downloaded the installer, e.g.
Enter the following command, using the provided group ID.
msiexec /i ReaqtaHive.msi /qbn /norestart /quiet IPFORM="https://reaqta.axsguard.cloud:5225 --gids xxx"
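The same command wrapped in pre-flight checks, as an added PowerShell example that is not part of the original manual or vendor code. It assumes group IDs are digits only (as in the example above), that --proxy is passed inside IPFORM the same way as --gids, and that an installer without a valid Authenticode signature should not be run; the script name in the usage note is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not vendor code): pre-flight checks around the manual's msiexec command.
param(
    [string]$Installer = '.\ReaqtaHive.msi',                     # file name used in the manual's command
    [string]$HiveUrl   = 'https://reaqta.axsguard.cloud:5225',   # Hive URL used in the manual's command
    [Parameter(Mandatory)][string[]]$GroupIds,                   # from the Endpoint Central dashboard
    [string]$Proxy                                               # optional; unauthenticated proxies only
)
$ErrorActionPreference = 'Stop'

# The Hive URL must be an absolute https URL (https-only is this example's assumption).
$hive = [uri]$HiveUrl
if (-not $hive.IsAbsoluteUri -or $hive.Scheme -ne 'https') { throw "Hive URL must be https: $HiveUrl" }

# Group IDs: digits only, matching the format of the manual's example (assumption).
$bad = @($GroupIds | Where-Object { $_ -notmatch '^\d+$' })
if ($bad.Count) { throw "Malformed group ID(s): $($bad -join ', ')" }

$ipForm = "$HiveUrl --gids $($GroupIds -join ',')"
if ($Proxy) {
    # Credentials in the proxy URL would mean an authenticated proxy, which is not supported.
    $p = [uri]$Proxy
    if (-not $p.IsAbsoluteUri -or $p.UserInfo) { throw 'Proxy must be an absolute URL without credentials.' }
    $ipForm += " --proxy $Proxy"   # assumption: passed inside IPFORM like --gids
}

# The installer may have been copied between endpoints and runs elevated: check it first.
$msi = (Resolve-Path -LiteralPath $Installer).Path
$sig = Get-AuthenticodeSignature -FilePath $msi
if ($sig.Status -ne 'Valid') { throw "Installer signature status is $($sig.Status); not running it." }
Write-Host "Signed by: $($sig.SignerCertificate.Subject)"   # compare with the publisher you expect
Write-Host "SHA-256:   $((Get-FileHash -LiteralPath $msi -Algorithm SHA256).Hash)"

# Same switches as the manual's command line.
$msiArgs = "/i `"$msi`" /qbn /norestart /quiet IPFORM=`"$ipForm`""
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {   # 3010 = success, restart required
    throw "msiexec exited with code $($proc.ExitCode); check the rqt* file in $env:TEMP"
}
Write-Host 'Installer finished; confirm the green dot in the Endpoint Central dashboard.'
```

Saved as, for example, Install-EdrAgent.ps1, it is run from an elevated PowerShell prompt with -GroupIds '123456789123456789' (quote the IDs so they are passed as strings).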
Installation Through GPO
A Group Policy Object (GPO) can be used to install the QRadar EDR agent on Windows endpoints. Refer to the official IBM Security QRadar documentation for additional information and detailed steps.
Verifying the Agent Status
You can verify the successful installation of the agent via the Endpoint Central dashboard in the AXS Guard Cloud.
- Select Endpoints in the top pane.
- Search the endpoint by entering its name, e.g.
A green dot indicates that the endpoint was successfully registered and is now being monitored.
Uninstalling the Agent
Agents are uninstalled automatically when your license expires, or when your client is deleted. You can also uninstall an agent for a specific endpoint from the dashboard if needed.
Windows generates a file in the %temp% folder that starts with rqt. This file contains information about failures. If the agent is unable to reach the Hive server, verify the following:
Checking the registration URL:
Ensure the registration URL specified in the agent configuration matches the actual address of the Hive server. A mismatch in the address will prevent the agent from establishing a connection.
Verifying direct endpoint access:
Test whether the endpoint computer can directly reach the Hive server without any interference from third-party software, such as Man-in-the-Middle products or authenticated proxies. These intermediaries can sometimes block or modify network traffic, hindering communication between the agent and the Hive server.
Examining Windows firewall settings:
Check the Windows firewall configuration to ensure that the agent is not being blocked from accessing the Hive server. The firewall may have default rules that restrict certain types of connections, potentially affecting the agent's ability to communicate with the Hive server.
Evaluating the Hive server status:
Check the server response codes. If the Hive server is down or has network connectivity issues, it will prevent the agent from successfully registering.
|The endpoint is already registered. Check the endpointId field for details. This error is often associated with a cloned machine. Sysprep may be necessary in such cases.
|Too many registered endpoints; the license cap is reached. Add more licenses or remove existing endpoints.
|The gids parameter, which is required with an MSSP installation, is missing.
|Contact support for assistance.
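The connectivity checks listed above can be gathered in one pass on the affected endpoint. This is an added PowerShell example, not part of the original manual or vendor tooling; the default Hive URL is the one from the command-line section, and the certificate issuer it prints is what reveals a TLS-inspecting product sitting between the endpoint and the Hive server.

```powershell
# Added example: evidence for the troubleshooting checks above. Run on the affected endpoint.
param([string]$HiveUrl = 'https://reaqta.axsguard.cloud:5225')   # Hive URL from the manual's command
$hive = [uri]$HiveUrl

# Failure file: the manual says Windows writes a file starting with "rqt" to %temp%.
Get-ChildItem -Path $env:TEMP -Filter 'rqt*' -File -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 3 FullName, Length, LastWriteTime | Out-Host

# Registration URL: does the host resolve, and does a direct TCP connection succeed?
$dns = Resolve-DnsName -Name $hive.Host -ErrorAction SilentlyContinue
$tcp = Test-NetConnection -ComputerName $hive.Host -Port $hive.Port -WarningAction SilentlyContinue

# Interception: read the certificate this endpoint is actually served. The callback accepts
# any certificate because the goal is only to display it, not to trust the connection.
$subject = $issuer = $null
if ($tcp.TcpTestSucceeded) {
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $client = [System.Net.Sockets.TcpClient]::new($hive.Host, $hive.Port)
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAny)
    try {
        $ssl.AuthenticateAsClient($hive.Host)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $subject = $cert.Subject
        $issuer  = $cert.Issuer   # an internal or appliance CA here points to TLS inspection
    } catch {
        Write-Warning "TLS handshake failed: $($_.Exception.Message)"
    } finally {
        $ssl.Dispose(); $client.Dispose()
    }
}

# Windows firewall: profile defaults plus the number of enabled outbound block rules.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction | Out-Host
$blocks = @(Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue)

[pscustomobject]@{
    HiveHost           = $hive.Host
    Port               = $hive.Port
    DnsResolved        = [bool]$dns
    TcpReachable       = $tcp.TcpTestSucceeded
    CertSubject        = $subject
    CertIssuer         = $issuer
    OutboundBlockRules = $blocks.Count
} | Format-List
```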
If you encounter a problem
If you encounter any issues with the QRadar EDR agent, don't hesitate to reach out to our technical support department.