QRadar EDR overview
IBM® Security QRadar® EDR is an Active Defense Intelligence Platform that detects and responds to threats in an automated and simplified process. QRadar EDR is an endpoint detection and response (EDR) and endpoint protection platform (EPP) solution with visibility capabilities.
QRadar EDR uses a behavioral detection approach to detect both known and unknown threats and to identify application abuse that might constitute a security risk. Unknown threats are detected based on the behavior of the running application. The events that are generated by each process in execution are monitored, and an alert is triggered when anomalies occur. When an alert is sent to the QRadar EDR Dashboard, the QRadar EDR Agent switches to deep monitoring mode.
Deep monitoring collects more events, such as file and registry operations, to enrich the alert. More information is collected only after an anomalous behavior is detected, which allows QRadar EDR to preserve storage and bandwidth.
QRadar EDR does not use signatures, which ensures that malicious payloads and behaviors can be detected regardless of the encryption that is used. QRadar EDR does not need frequent updates, can work in air-gapped environments, and can operate offline, without internet or a backend connection.
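The hand-off from normal monitoring to deep monitoring described above, as an added illustrative model (not IBM code, and not the agent's real event schema): baseline mode keeps only process and network events, an anomaly raises an alert, and only then are file and registry events retained to enrich it. The event kinds, the learned-baseline heuristic and the sample events are all constructed assumptions.

```python
from dataclasses import dataclass, field

BASELINE_TYPES = {"process", "network"}             # always collected (assumed)
DEEP_TYPES = BASELINE_TYPES | {"file", "registry"}  # collected only after an alert


@dataclass
class Event:
    process: str
    kind: str     # one of "process", "network", "file", "registry"
    detail: str


@dataclass
class Agent:
    baseline: dict = field(default_factory=dict)   # per-process details seen during learning
    deep_monitoring: bool = False
    alerts: list = field(default_factory=list)
    stored: list = field(default_factory=list)     # what would be shipped to the server

    def learn(self, events):
        """Learn normal behaviour: remember which details each process produced."""
        for e in events:
            self.baseline.setdefault(e.process, set()).add(e.detail)

    def is_anomalous(self, e):
        # Constructed heuristic: a baseline-type event never seen for this process.
        return e.kind in BASELINE_TYPES and e.detail not in self.baseline.get(e.process, set())

    def observe(self, e):
        """Return True if the event is retained in the current monitoring mode."""
        collected = DEEP_TYPES if self.deep_monitoring else BASELINE_TYPES
        if e.kind not in collected:
            return False           # dropped: saves storage and bandwidth in normal mode
        self.stored.append(e)
        if not self.deep_monitoring and self.is_anomalous(e):
            self.alerts.append(e)  # alert raised, switch this endpoint to deep monitoring
            self.deep_monitoring = True
        return True


def run_demo():
    """Constructed scenario: an office process behaves normally, then spawns a shell."""
    agent = Agent()
    agent.learn([Event("winword.exe", "process", "spawn:splwow64.exe"),
                 Event("winword.exe", "network", "dns:office.example")])
    for e in [Event("winword.exe", "file", "write:report.docx"),        # dropped (normal mode)
              Event("winword.exe", "network", "dns:office.example"),    # kept, not anomalous
              Event("winword.exe", "process", "spawn:cmd.exe"),         # kept, alert, deep mode on
              Event("winword.exe", "registry", "set:HKCU\\...\\Run"),   # kept (deep mode)
              Event("winword.exe", "file", "write:report.docx")]:       # kept (deep mode)
        agent.observe(e)
    return agent
```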
Architecture
QRadar EDR has three main components: endpoint agent, server, and dashboard. The three components work together to detect malicious behavior by tracking all the activities on the endpoints and learning the behavior of the endpoints. The collected information is presented in a readable format to allow your security team to quickly respond to incidents and protect your infrastructure.
The following diagram shows how the components are integrated.
- QRadar EDR Agent: The QRadar EDR Agent is an AI agent that uses machine learning for decision-making. The agent is installed on every endpoint and is responsible for monitoring the endpoint, collecting events, analyzing behavior locally, and enforcing policy.
- NanoOS: The NanoOS is a core component of the QRadar EDR Agent for Windows endpoints.
- Anti-Malware module: The Anti-Malware module is an on-demand module that you install on Windows 64-bit endpoints that already have the QRadar EDR Agent. When you enable the Anti-Malware module, the QRadar EDR Agent automatically downloads and installs the module.
- QRadar EDR Brain: The QRadar EDR Brain is the central server and stores all data that is collected by the QRadar EDR Agent. The QRadar EDR Brain is responsible for event correlation and behavior analysis by using artificial intelligence and pretrained machine learning algorithms.
- QRadar EDR Dashboard: The QRadar EDR Dashboard is the QRadar EDR user interface. The dashboard provides users with an optimized remediation workflow to monitor infrastructure, handle incidents, hunt for threats, and manage endpoints.
- Cyber Assistant: Cyber Assistant is an automation tool that runs on the QRadar EDR Brain and learns from users how alerts are closed. It then uses this knowledge to suggest closing open incidents as false positives or true positives, depending on how users closed similar incidents. Cyber Assistant can also automatically close false positives, create allowlist policies, and change the impact score of alerts.
Communication
- Client to server - SSL/TLS 1.2
- Dashboard to server - internal networking
- Integration type to server - depends on the integration
Integrations
- QRadar SIEM: QRadar SIEM can ingest QRadar EDR events. For more information, see IBM Security QRadar EDR.
- Other SIEM products: Other SIEM products can ingest QRadar EDR alerts by using the QRadar EDR API. For information about the API, see Calling QRadar EDR API endpoints.
- Mail server: You can integrate a mail server to provide mail notification for alerts and reports. For a complete list, check the Notification Center.
- Public Cloud: QRadar EDR connects to the public cloud to score potentially malicious executable files. Scoring these files increases the level of confidence an analyst can have when they handle an alert.
Additional EPS entitlement in QRadar SIEM
1. Contact your local sales representative and provide them with your sales order numbers to obtain the license key.
2. Upload the license key in QRadar.
3. Allocate the license key to a host.
4. Deploy the changes.