Installing the QRadar EDR Agent on Windows endpoints

Install the QRadar® EDR Agent on your Windows endpoints to monitor the endpoints, collect events, analyze behavior, and enforce policies.

The QRadar EDR Agent is supported on the following Windows versions.
  • Windows client 7 (SP1), 8, 8.1, 10, 10-POS, 11 (Fully updated)
  • Windows server 2008 R2 (SP2), 2012 R2, 2016, 2019 (Fully updated)

In an MSSP deployment, you must specify a GID when you install the QRadar EDR Agent, otherwise the endpoint registration fails.

Installing the QRadar EDR Agent on Windows endpoints by using the command prompt

Before you begin

In an MSSP deployment, you must specify a GID when you install the QRadar EDR Agent, otherwise the endpoint registration fails.

Procedure

  1. Click Administration > Update Manager.
  2. Select a Hive Package.
    • For a 64-bit Windows endpoint, click Windows Hive Package.
    • For a 32-bit Windows endpoint, click Windows Hive Package (32).
  3. Click Installer Download.
  4. Click Download.
    Tip: Select groups in the Parameters section to get the group IDs that you need when you run the installer.
  5. If you are installing the QRadar EDR Agent on an endpoint that is not the same endpoint where you downloaded the agent, copy the installer file to the other endpoint.
  6. Run the installer.
    Table 1. QRadar EDR Dashboard parameters

    | Parameter | Description |
    | --- | --- |
    | URL | Your QRadar EDR Dashboard server URL, including the port. Note: If your QRadar EDR Dashboard server uses port 443, you don't need to include the port. |
    | Group IDs | A comma-separated list of group IDs. At least one group ID is required in MSSP deployments. |
    | Proxy | If you are using a proxy to access QRadar EDR Dashboard, enter the proxy URL and port. It must be a nonauthenticated proxy. |
    | Installer | The file name of the installer that you downloaded. |

    msiexec /I <installer>.msi IPFORM="<URL> --gids <group_IDs>" /qb

Results

The agent is installed on the endpoint, and it automatically registers the endpoint in QRadar EDR Dashboard if it has an internet connection.
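
The command-prompt installation in step 6 can be wrapped in a script that checks the URL and group IDs before they reach the msiexec command line. The following PowerShell is an added example, not IBM's own script or part of the original page. Assumptions: Windows PowerShell 5.1 or later, hypothetical parameter names and log file name, an https-only dashboard URL, numeric group IDs, and an Authenticode-signed package.

```powershell
# Added example (not IBM's script). Parameter names and the log file name are assumptions.
param(
    [Parameter(Mandatory)] [string] $InstallerPath,  # downloaded .msi
    [Parameter(Mandatory)] [string] $DashboardUrl,   # e.g. https://edr.example.test:4443 (constructed)
    [string[]] $GroupIds = @(),                      # group IDs from the Parameters section
    [switch] $Mssp                                   # set for MSSP deployments
)
$ErrorActionPreference = 'Stop'

# The installer must exist and be an .msi package.
$msi = Get-Item -LiteralPath $InstallerPath
if ($msi.Extension -ne '.msi') { throw "Not an .msi file: $($msi.FullName)" }

# Assumption: the package is Authenticode-signed. A copy that fails the check
# may have been altered in transit (step 5), so flag it before running it.
$sig = Get-AuthenticodeSignature -LiteralPath $msi.FullName
if ($sig.Status -ne 'Valid') { Write-Warning "Installer signature status: $($sig.Status)" }

# Accept only an absolute https URL (https is this example's own restriction).
$uri = [uri]$DashboardUrl
if (-not $uri.IsAbsoluteUri -or $uri.Scheme -ne 'https') {
    throw "Dashboard URL must be an absolute https URL: $DashboardUrl"
}
# Port 443 does not need to be included; any other port does.
$target = if ($uri.IsDefaultPort) { "https://$($uri.Host)" } else { "https://$($uri.Host):$($uri.Port)" }

# MSSP deployments need at least one group ID, or registration fails.
if ($Mssp -and $GroupIds.Count -eq 0) { throw 'MSSP deployment: at least one group ID is required.' }
# Assumption: group IDs are numeric, like the sample value in IBM's batch file.
# Rejecting anything else also keeps quotes and spaces out of the command line.
foreach ($gid in $GroupIds) {
    if ($gid -notmatch '^\d+$') { throw "Unexpected group ID format: $gid" }
}

$ipform = $target
if ($GroupIds.Count -gt 0) { $ipform += ' --gids ' + ($GroupIds -join ',') }

# Same command as in step 6, plus verbose MSI logging (/L*v).
$log = Join-Path $env:TEMP 'qradar-edr-agent-install.log'
$msiArgs = @('/I', "`"$($msi.FullName)`"", "IPFORM=`"$ipform`"", '/qb', '/L*v', "`"$log`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# 0 = success, 3010 = success but a restart is required.
if ($proc.ExitCode -notin 0, 3010) { throw "msiexec failed with exit code $($proc.ExitCode); see $log" }
Write-Output "Agent installed (exit code $($proc.ExitCode)). Log: $log"
```

Run the script from an elevated PowerShell session; the verbose MSI log is the first place to look when the endpoint does not appear in QRadar EDR Dashboard.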

Installing the QRadar EDR Agent on Windows endpoints through a scheduled task GPO

Before you begin

In an MSSP deployment, you must specify a GID when you install the QRadar EDR Agent, otherwise the endpoint registration fails.

About this task

When you install the QRadar EDR Agent through a Group Policy Object (GPO), the QRadar EDR Agent is deployed to each endpoint that is connected to the domain controller (DC) and receives the GPO.

Procedure

  1. Click Administration > Update Manager.
  2. Select a Hive Package.
    • For a 64-bit Windows endpoint, click Windows Hive Package.
    • For a 32-bit Windows endpoint, click Windows Hive Package (32).
  3. Click Installer Download.
  4. Click Download.
    Tip: Select groups in the Parameters section to get the group IDs that you need when you run the installer.
  5. Download the installation batch file from the How to install the ReaQta agent on a Windows endpoint? > Push Installation Using Group Policy Objects (GPO) - Scheduled Task section of https://www.ibm.com/support/pages/reaqta-installing-and-uninstalling-windows-agents.
  6. Type reaqta when you are prompted for an extract password.
  7. Edit the batch file and replace https://hive-server:4443 --gids 123456789012345678 with your QRadar EDR Dashboard server URL. Do not include :4443 --gids 123456789012345678.
  8. Upload the QRadar EDR Agent installation package and the installation batch file on a network-shared drive.
    The installation package is a .msi file and the installation batch file is a .bat file.
    The network-shared drive must grant the local SYSTEM and Authenticated User accounts at least read-only and run privileges.
  9. In the Domain Controller folder, start the Group Policy Editor GPMC.msc.
  10. Create a policy under the domain.
  11. Right-click the policy and click Create a GPO in this domain, and Link it here... to edit the policy.
  12. Click Control Panel Settings > Scheduled Tasks.
  13. Right-click and select New > Immediate Task (At least Windows 7).
  14. In the install_reaqta Properties window, on the General tab, enter a name for the policy.
  15. In the When running the task, use the following user account: field, select the SYSTEM account.
  16. In the Configure for field, select Windows 7, Windows Server 2008R2.
  17. On the Actions tab, create a new action to start the installation batch file from the network share.
  18. Click OK.

Results

The policy is pushed to the endpoints that are connected to the DC and the installation starts immediately. On the QRadar EDR Dashboard, new endpoints are registered to the QRadar EDR server.