QRadar EDR overview

IBM® Security QRadar® EDR is an Active Defense Intelligence Platform that detects and responds to threats in an automated and simplified process. QRadar EDR is an endpoint detection and response (EDR) and endpoint protection platform (EPP) solution with visibility capabilities.

QRadar EDR uses a behavioral detection approach to detect both known and unknown threats and to identify application abuse that might constitute a security risk. Unknown threats are detected from the behavior of the running application: the events that each running process generates are monitored, and an alert is triggered when anomalies occur. When an alert is sent to the QRadar EDR Dashboard, the QRadar EDR Agent switches to deep monitoring mode.

Deep monitoring collects additional event types, such as file and registry operations, to enrich the alert. Because this extra detail is collected only after anomalous behavior is detected, QRadar EDR conserves storage and bandwidth during normal operation.

The behavioral engine does not use signatures, so malicious payloads and behaviors are detected by what they do at run time, regardless of the encryption that is used to hide them. (Signature-based scanning is available separately through the optional Anti-Malware module described below.) Because it does not depend on signature updates, QRadar EDR does not need frequent updates, can work in air-gapped environments, and can operate offline, without internet or a backend connection.

Important: QRadar EDR monitors running applications to detect potential threats, and bases its detection on the actions that the application takes rather than on the contents of its files.
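The following toy model illustrates the two ideas above: behavior-based alerting on what a process does (here, an unseen parent-to-child spawn) and escalation to deep monitoring, where file and registry events are retained only for the alerted process tree. It is an added example written for this page, not QRadar EDR code; the event format, the learning phase and all sample events are constructed for illustration.

```python
"""Toy model of behavioral detection with tiered telemetry, written for this
page as an illustration (it is not QRadar EDR code). The agent learns a baseline
of parent->child process pairs, alerts on an unseen pair, and keeps file and
registry events only for process trees that are under deep monitoring. All
events below are constructed."""
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "process", "file" or "registry"
    pid: int
    ppid: int
    image: str = ""      # process events: image name of the new process
    parent: str = ""     # process events: image name of its parent
    detail: str = ""     # file/registry events: path or key touched


class Agent:
    def __init__(self):
        self.baseline = set()   # (parent_image, child_image) pairs seen while learning
        self.watched = {}       # pid -> alert, for process trees in deep monitoring
        self.alerts = []
        self.forwarded = []     # events that would be stored and sent to the Brain

    def learn(self, events):
        """Learning phase: record which parent->child spawns are normal on this host."""
        for e in events:
            if e.kind == "process":
                self.baseline.add((e.parent, e.image))

    def observe(self, e):
        if e.kind == "process":
            self.forwarded.append(e)                     # process events are always kept
            if e.ppid in self.watched:                   # child of an alerted tree inherits deep mode
                self.watched[e.pid] = self.watched[e.ppid]
            elif (e.parent, e.image) not in self.baseline:
                alert = {"pid": e.pid,
                         "reason": f"{e.parent} spawned {e.image}",
                         "enrichment": []}
                self.alerts.append(alert)
                self.watched[e.pid] = alert              # switch this tree to deep monitoring
        elif e.pid in self.watched:                      # file/registry kept only in deep mode
            self.forwarded.append(e)
            self.watched[e.pid]["enrichment"].append(f"{e.kind}:{e.detail}")
        # anything else is dropped on the endpoint, which is where the bandwidth saving comes from


# Constructed learning traffic: the spawn pairs an ordinary desktop produces.
LEARNING = [
    Event("process", 100, 1, image="explorer.exe", parent="userinit.exe"),
    Event("process", 200, 100, image="winword.exe", parent="explorer.exe"),
    Event("process", 201, 100, image="outlook.exe", parent="explorer.exe"),
    Event("process", 202, 100, image="chrome.exe", parent="explorer.exe"),
]

# Constructed live traffic: Word spawning PowerShell is the unseen pair.
LIVE = [
    Event("process", 300, 100, image="winword.exe", parent="explorer.exe"),
    Event("file", 300, 100, detail=r"C:\Users\a\Documents\q3.docx"),           # normal mode: dropped
    Event("process", 301, 300, image="powershell.exe", parent="winword.exe"),  # unseen pair: alert
    Event("registry", 301, 300, detail=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    Event("process", 302, 301, image="cmd.exe", parent="powershell.exe"),      # descendant: inherits
    Event("file", 302, 301, detail=r"C:\Users\a\AppData\Roaming\x.exe"),
    Event("file", 202, 100, detail=r"C:\Users\a\Downloads\page.html"),         # unrelated: dropped
]


def run(learning=LEARNING, live=LIVE) -> Agent:
    agent = Agent()
    agent.learn(learning)
    for e in live:
        agent.observe(e)
    return agent


if __name__ == "__main__":
    a = run()
    for alert in a.alerts:
        print(alert["reason"], alert["enrichment"])
    print(f"{len(a.forwarded)} of {len(LIVE)} live events forwarded")
```

Running it yields one alert, "winword.exe spawned powershell.exe", enriched with the Run-key write and the dropped executable, while the benign document open and the unrelated browser download never leave the endpoint: five of the seven live events are forwarded. A real agent uses far richer features than a spawn-pair baseline, but the retention decision (collect everything only after something looks wrong) is the same shape.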

Architecture

QRadar EDR has three main components: endpoint agent, server, and dashboard. The three components work together to detect malicious behavior by tracking all the activities on the endpoints and learning the behavior of the endpoints. The collected information is presented in a readable format to allow your security team to quickly respond to incidents and protect your infrastructure.

The following diagram shows how the components are integrated.

Architecture graphic showing the integration of QRadar EDR components.
QRadar EDR Agent
The QRadar EDR Agent is an AI agent that uses machine learning for decision-making. The agent is installed on every endpoint and is responsible for monitoring the endpoint, collecting events, performing local behavior analysis, and enforcing policies.
The agent can work in online mode or offline mode. In online mode, the agent sends events and alerts in real time to the QRadar EDR Brain.
In offline mode, the agent continues to collect events and alerts and to apply policies, so an endpoint stays protected even when it is roaming and cannot reach the QRadar EDR Brain. Telemetry is stored locally until the agent can reach the QRadar EDR Brain again and offloads the data.
NanoOS
The NanoOS is a core component of QRadar EDR Agent for Windows endpoints.
NanoOS is a hybrid-type hypervisor that virtualizes the entire CPU and offers memory inspection. It acts as a telemetry source, gathering syscalls and generating process information, and in protection mode it can block or inhibit a specific syscall from succeeding.
NanoOS requires Intel VT-x or AMD-V to function, and is deployed as a driver.
NanoOS communicates with the QRadar EDR Agent driver through a custom callback mechanism: the driver controls the state of NanoOS and receives the syscall data feed. The detection algorithms themselves live in the QRadar EDR Agent driver and the user-mode service, not in NanoOS.
Anti-Malware module
The Anti-Malware module is an on-demand module that you install on the Windows 64-bit endpoints that already have the QRadar EDR Agent. When you enable the Anti-Malware module, the QRadar EDR Agent automatically downloads and installs the module.
The Anti-Malware module works as a pre-execution detection and protection system: it scans any local file for malware signatures before the file is opened or run.
Important:
  • The endpoints must have an internet connection at installation time, and you must keep the signature database up to date. Unlike the behavioral engine, this module therefore depends on connectivity and regular updates.
  • You must enable the module on the license side. To activate it, contact your QRadar EDR representative.
Anti-Malware SDK © Bitdefender 1997-2024
QRadar EDR Brain
The QRadar EDR Brain is the central server and stores all data that is collected by the QRadar EDR Agent. The QRadar EDR Brain is responsible for event correlation and behavior analysis by using artificial intelligence and pretrained machine learning algorithms.
The server can run in two modes: single and MSSP (managed security service provider).
QRadar EDR Dashboard
The QRadar EDR Dashboard is the QRadar EDR user interface. The dashboard provides users with an optimized remediation workflow to monitor infrastructure, handle incidents, hunt for threats, and manage endpoints.
Cyber Assistant
Cyber Assistant is an automation tool that runs on the QRadar EDR Brain and learns from users how alerts are closed. It uses this knowledge to suggest closing open incidents as false positives or true positives, depending on how users closed similar incidents. Cyber Assistant can also automatically close false positives, create allowlist policies, and change the impact score of alerts.

Communication

The following standards and protocols are used for communication.
  • Agent (client) to server - TLS 1.2
  • Dashboard to server - internal networking
  • Integration type to server - depends on the integration

Integrations

The following integrations are supported.
QRadar SIEM
QRadar SIEM can ingest QRadar EDR events. For more information, see IBM Security QRadar EDR.
Other SIEM products
Other SIEM products can ingest QRadar EDR alerts by using the QRadar EDR API. For information about the API, see Calling QRadar EDR API endpoints.
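The following is an added example of the integration pattern described here, pulling alerts from the API and normalizing them into CEF for a third-party SIEM; it also enforces the TLS 1.2 minimum listed under Communication on the client side. It is not IBM code: the API path, the bearer-token header, the response envelope and the alert field names are assumptions for illustration, and the real ones must be taken from the QRadar EDR API documentation. The sample alert is constructed.

```python
"""Forward QRadar EDR alerts to a third-party SIEM as CEF over syslog, enforcing
TLS 1.2 on the API connection. Added example, not IBM code. The API path, the
bearer-token header, the response envelope and the alert field names are
ASSUMPTIONS for illustration; take the real values from the QRadar EDR API
documentation. The sample alert is constructed."""
import json
import socket
import ssl
import urllib.request


def tls12_context() -> ssl.SSLContext:
    """Client TLS context: refuse anything below TLS 1.2, verify the server certificate."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def min_tls_version_name() -> str:
    """Name of the lowest protocol version the context will negotiate."""
    return tls12_context().minimum_version.name


def fetch_alerts(base_url: str, token: str, since: str) -> list:
    """Pull alerts newer than `since` (ISO-8601). Path, header and envelope are hypothetical."""
    req = urllib.request.Request(
        f"{base_url}/api/alerts?since={since}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, context=tls12_context(), timeout=30) as resp:
        return json.load(resp)["alerts"]


# CEF escaping: header fields escape '|' and '\'; extension values escape '=', '\' and newlines.
def _esc_header(value) -> str:
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value) -> str:
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def alert_to_cef(alert: dict) -> str:
    """Render one alert as a CEF:0 line. The keys read from `alert` are assumed names."""
    severity = max(0, min(10, int(alert.get("impact", 0)) // 10))   # 0-100 impact -> CEF 0-10
    header = "|".join(_esc_header(x) for x in (
        "CEF:0", "IBM", "QRadar EDR", "1",
        alert.get("type", "alert"), alert.get("title", ""), severity))
    extension = {
        "rt": alert.get("timestamp"),
        "dvchost": alert.get("endpoint"),
        "suser": alert.get("user"),
        "sproc": alert.get("process"),
        "fileHash": alert.get("sha256"),
        "cs1Label": "alertId",
        "cs1": alert.get("id"),
    }
    return header + "|" + " ".join(
        f"{k}={_esc_ext(v)}" for k, v in extension.items() if v is not None)


def send_syslog(line: str, host: str, port: int = 514) -> None:
    """Ship one CEF line as a UDP syslog message (PRI 14 = user.info). Plain UDP is only
    acceptable on a trusted collector network; prefer the SIEM's TLS syslog listener."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(f"<14>edr-forwarder {line}".encode(), (host, port))


# Constructed alert in the assumed shape; '|' in the title and '\' in the user exercise escaping.
SAMPLE_ALERT = {
    "id": "a-1001", "type": "behavioral", "impact": 85,
    "title": "Office app spawned shell|suspicious",
    "timestamp": "2024-05-01T10:00:00Z", "endpoint": "ws01",
    "user": "CORP\\alice", "process": "powershell.exe -enc SQBFAFgA",
    "sha256": "00" * 32,   # placeholder hash, not a real sample
}

if __name__ == "__main__":
    print(alert_to_cef(SAMPLE_ALERT))
    # Live run (needs connectivity and a valid token):
    # for a in fetch_alerts("https://brain.example.com", "TOKEN", "2024-05-01T00:00:00Z"):
    #     send_syslog(alert_to_cef(a), "siem.example.com")
```

The escaping helpers are the part worth keeping even if your SIEM wants a different format: an alert title or command line containing `|`, `=` or a backslash will otherwise shift fields in the collector's parser. Keep `since` as a persisted cursor so that restarts neither replay nor skip alerts.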
Mail
You can integrate a mail server to provide mail notification for alerts and reports. For a complete list, check the Notification Center.
Public Cloud
QRadar EDR connects to the public cloud to score potentially malicious executable files. Scoring increases the confidence an analyst can have when handling an alert. This is an outbound internet connection, so cloud scoring is not available in air-gapped or otherwise offline deployments.

Additional EPS entitlement in QRadar SIEM

When you have entitlements to both QRadar EDR and IBM Security QRadar SIEM, you are entitled to an extra 100 EPS (events per second) to use in QRadar SIEM. To add this additional EPS in QRadar SIEM, follow these steps:
  1. Contact your local sales representative and provide them with your sales order numbers to obtain the license key.
  2. Upload the license key in QRadar.
  3. Allocate the license key to a host.
  4. Deploy the changes.