Managing endpoints

Monitoring an endpoint

Procedure

  1. Click Endpoints.
  2. Click an endpoint in the endpoint list.
  3. Click View Endpoint.
  4. Click Live Response.
  5. Click the + icon.
  6. To show a list of active processes on the endpoint, click show processes.
  7. To show a list of active services on the endpoint, click show services.
  8. To show a list of active connections on the endpoint, click show connections.

Downloading files from an endpoint

Procedure

  1. Click Endpoints.
  2. Click an endpoint in the endpoint list.
  3. Click View Endpoint.
  4. Click Live Response.
  5. To download a file from the endpoint, type the following command.
    download file "<path_to_file>"

Results

The file is downloaded to your workstation. The file is also available to be downloaded from the QRadar EDR Brain. For more information about downloading the file from the QRadar EDR Brain to your workstation, see Downloading files from the QRadar EDR Brain to your workstation.

Deleting files from an endpoint

Procedure

  1. Click Endpoints.
  2. Click an endpoint in the endpoint list.
  3. Click View Endpoint.
  4. Click Live Response.
  5. To delete a file from the endpoint, type the following command.
    delete file "<path_to_file>"

Results

The file is deleted from the endpoint.

Downloading forensic data from an endpoint

You can download a .zip archive that contains a forensic data package for an endpoint.

About this task

You can download a basic forensic data package, or an advanced forensic data package. It takes approximately 5 minutes to collect the data for the basic package, and approximately 15 minutes to collect the data for the advanced package. The package is available to download for 1 day.

The following table shows the forensic data that is available in the basic and advanced forensic data packages.

Table 1. Forensic data

  Basic package                      Advanced package
  ---------------------------------  ---------------------------------
  Processes running                  All data from the basic package
  Services                           Missing updates
  Network connections                Environment variables
  Address Resolution Protocol cache  Prefetch files
  DNS cache                          BitLocker information
  System information                 Named pipes
  Installed programs                 Samba sessions
  Updates                            File associations
  Security event logs                Host file
  Scheduled tasks                    Extended event logs
  Users and groups                   UAC settings
  Shares                             Audit policy
  Proxy information                  Firewall rules

Procedure

  1. Click Endpoints.
  2. Click an endpoint in the endpoint list.
  3. Click View Endpoint.
  4. Click Collect Forensic Data.
  5. Enter a name for the .zip archive in the Description field.
  6. Set an Unzip Password to be used to extract the archive.
  7. Choose the Basic or Advanced package.
  8. Click Collect.
  9. When the package is ready, click the Download link in the Forensic Data section of the Endpoint Details screen.

Exporting a list of endpoints

You can export a list of endpoints that you have permission to see in QRadar EDR Dashboard.

Procedure

  1. Click Endpoints.
  2. If you want to export a subset of the endpoints that you have permission to see, click Advanced Filters and filter the endpoints as needed.
  3. Click Export as CSV.

Results

The list of endpoints is downloaded in a .csv file.

Updating policies on an endpoint

Procedure

  1. Click Endpoints.
  2. Click an endpoint in the endpoint list.
  3. Click View Endpoint.
  4. Click Live Response.
  5. If you want to see the policies that are loaded on the endpoint, type the following command.
    show pol
  6. To force the policies that are loaded on the endpoint to be deleted and refreshed, type the following command.
    clean pol

Results

The policies that are loaded on the endpoint are deleted, and policies are downloaded to the endpoint from QRadar EDR. For more information, see Managing policies.

Isolating an endpoint

About this task

Windows-only

Procedure

  1. Click Endpoints.
  2. Click an endpoint in the endpoint list.
  3. Click View Endpoint.
  4. Click Isolate.

Results

The endpoint is isolated from the network, but can still communicate with QRadar EDR Dashboard.

Uninstalling the QRadar EDR Agent from an endpoint remotely

Agents are uninstalled automatically when your license expires, or when your client is deleted. You can also uninstall an agent for a specific endpoint from the dashboard if needed.

Procedure

  1. Click Endpoints.
  2. Click an endpoint in the endpoint list.
  3. Click View Endpoint.
  4. Click Uninstall.
  5. Click Uninstall.

Results

The agent is uninstalled from the endpoint.

Uninstalling the QRadar EDR Agent on a Linux endpoint locally

Procedure

Uninstall the agent by typing one of the following commands on the endpoint.
  • Debian-based Linux® endpoints
    sudo dpkg -r keeperx
  • RPM-based Linux endpoints
    sudo rpm -e keeperx

Uninstalling the QRadar EDR Agent on a Mac endpoint locally

Procedure

  1. Go to the /Library/IBM Security ReaQta directory by typing the following command.
    cd /Library/IBM\ Security\ ReaQta
  2. Uninstall the agent by typing the following command.
    sudo ./uninstall.sh
  3. Verify that the /Library/IBM Security ReaQta directory no longer exists by typing the following command.
    ls /Library
  4. Verify that the /Applications/IBM Security ReaQta app no longer exists by typing the following command.
    ls /Applications
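The two local uninstall procedures above (Debian/RPM Linux and Mac) as one added example script, not IBM's own tooling: it picks the right command for the platform and then verifies that the agent is actually gone, which the procedures leave to the reader. The package name keeperx and the /Library path come from this page; the .app path, the argument-driven selection and the RUN_UNINSTALL switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not IBM's script: choose the local uninstall command for a
# Linux or macOS endpoint and verify afterwards that the agent really is gone.
# Assumptions: package name keeperx and /Library path are from the page; the
# .app path is assumed; OS name and package tool are passed as arguments so the
# selection logic can be exercised without touching a real endpoint.
AGENT_PKG="keeperx"
MAC_DIR="/Library/IBM Security ReaQta"
MAC_APP="/Applications/IBM Security ReaQta.app"   # assumed bundle name

# uninstall_cmd OS TOOL: print the command for OS (output of `uname -s`) and
# package tool (dpkg or rpm; ignored on Darwin); fail on unsupported input.
uninstall_cmd() {
  case "$1" in
    Darwin) printf 'sudo "%s/uninstall.sh"\n' "$MAC_DIR" ;;
    Linux)
      case "$2" in
        dpkg) echo "sudo dpkg -r $AGENT_PKG" ;;
        rpm)  echo "sudo rpm -e $AGENT_PKG" ;;
        *)    return 1 ;;
      esac ;;
    *) return 1 ;;
  esac
}

# verify_removed PATH...: succeed only when none of the paths still exist.
verify_removed() {
  for p in "$@"; do
    if [ -e "$p" ]; then echo "still present: $p" >&2; return 1; fi
  done
  return 0
}

# pkg_installed TOOL: succeed when the package is still recorded as installed
# (dpkg -r keeps config files, so check the status field, not mere presence).
pkg_installed() {
  case "$1" in
    dpkg) dpkg-query -W -f='${Status}' "$AGENT_PKG" 2>/dev/null | grep -q 'ok installed' ;;
    rpm)  rpm -q "$AGENT_PKG" >/dev/null 2>&1 ;;
    *)    return 1 ;;
  esac
}

main() {
  os="$(uname -s)"; tool=""
  if [ "$os" = Linux ]; then
    command -v dpkg >/dev/null 2>&1 && tool=dpkg || tool=rpm
  fi
  cmd="$(uninstall_cmd "$os" "$tool")" || { echo "unsupported platform" >&2; return 2; }
  echo "running: $cmd"; sh -c "$cmd" || return 1
  if [ "$os" = Darwin ]; then verify_removed "$MAC_DIR" "$MAC_APP"; else ! pkg_installed "$tool"; fi
}
[ "${RUN_UNINSTALL:-0}" = 1 ] && main
```

Run with RUN_UNINSTALL=1 on the endpoint to perform the uninstall; without it the script only defines the functions.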

Uninstalling the QRadar EDR Agent on a Windows endpoint locally when protected uninstallation is disabled

When protected uninstallation is disabled, a user can uninstall the agent from an endpoint without a token.

About this task

Windows-only

Procedure

Uninstall the agent by typing the following command on the endpoint.
"C:\Program Files\ReaQta\keeper.exe" uninstall

Results

The agent is uninstalled from the endpoint.
If protected uninstallation was previously enabled but is now disabled, an offline endpoint is not aware that protected uninstallation is disabled. In this case, follow one of these options to uninstall the agent.

Uninstalling the QRadar EDR Agent on a Windows endpoint locally when protected uninstallation is enabled

When protected uninstallation is enabled, a user can uninstall the agent from an endpoint only if you provide them a token.

About this task

Windows-only

Procedure

  1. Click Endpoints.
  2. Click an endpoint in the endpoint list.
  3. Click View Endpoint.
  4. Click Uninstall.
  5. Click Generate Uninstallation Token.
  6. Enter a reason for uninstalling the agent from the endpoint, then click Generate & Download.
    Important: The token file expires 24 hours after it is created.
  7. Copy the token to the endpoint.
  8. Uninstall the agent by typing the following command on the endpoint.
    "C:\Program Files\ReaQta\keeper.exe" uninstall <path_to_token>

Results

The agent is uninstalled from the endpoint.

If you can't generate a token because the QRadar EDR Dashboard is offline, follow the steps in Uninstalling the QRadar EDR Agent on a Windows endpoint locally in safe mode.