Question & Answer
Agent
Windows
Can the QRadar EDR agent be deployed automatically?
Yes, it can. The installer supports unattended installation through GPO/SCCM/RMM.
Is VDI supported for QRadar EDR solution and how can I install it?
Yes, it is. ReaQta-Hive supports Citrix VDI infrastructures. The agent must be installed on the master image by adding the --vdi parameter. Also make sure that enough licenses are available before provisioning. Then switch off the master image endpoint and provision the infrastructure.
How can I install the Windows agent from the command line?
* In case gids are provided (on a multi-tenanted server):
* For more detailed information, see ReaQta: Installing and uninstalling Windows agents
How do I install the Linux agent?
What are the hardware requirements for ReaQta Hive Agent?
Processor: Intel/AMD, 32-bit and 64-bit.
Hard disk: 90MB
Minimal memory usage: Approx. 60MB
What is the network bandwidth requirement for ReaQta Hive Agent?
10MB+
Does the endpoint need to reach the backend to be installed?
Yes, it does. A connection is mandatory at installation time. ReaQta supports direct connections and simple non-authenticated proxies. Any solution that performs man-in-the-middle interception of the traffic disrupts the agent's connection.
Which CPU architectures are supported?
Intel and AMD.
Which OS are supported?
- Windows:
Workstation: Windows 7 (fully updated) to Windows 10.
Server: Windows Server 2008 R2 (fully updated) and Windows Server 2012 R2 (fully updated) up to the most recent releases.
- Linux (64-bit): Ubuntu (18.04 and higher), CentOS 7, Debian 8, Red Hat Enterprise Linux, and CentOS 8.
- macOS: from High Sierra onwards.
- Android: from 4.2 onwards.
Does the agent require a reboot?
No, it does not. Occasionally a message box may appear offering the option to reboot; it can be safely ignored.
Why don't I see the UI of the QRadar EDR agent?
ReaQta’s agent does not implement a UI. The solution is centrally handled from the dashboard.
Anti-malware
Do I need an internet connection to have the Antimalware module?
Yes, you do. You need a connection in order to download the signatures.
How can I install the Antimalware module (non-MSSP)?
Once the ReaQta license is enabled for Antimalware, you need to:
- Install ReaQta-Hive.
- Enable the Antimalware package from Administration -> Update Manager
- Enable the Anti-Malware Protected Endpoints module delivery (upper-right corner slider) from Administration -> Antimalware settings.
Backend
What happens when the license expires?
For how long is data kept within the QRadar EDR system?
I moved/migrated my ReaQta Hive server and it is no longer working, what should I do?
The license might no longer be valid; contact QRadar EDR support.
How do I switch off the QRadar EDR server?
systemctl stop reaqta.service
systemctl start reaqta.service
"Server Error" message from the hive dashboard in a closed environment, what should I do?
- Collect from the server the following logs:
sudo journalctl CONTAINER_NAME=event-hive > event-hive.log
sudo journalctl CONTAINER_NAME=elasticsearch > elasticsearch.log
sudo journalctl CONTAINER_NAME=cassandra > cassandra.log
- Install the following:
sudo apt install fio ioping
- Follow the procedure mentioned below:
sudo systemctl stop reaqta
sudo fio --randrepeat=1 --ioengine=libaio --direct=1 --gtod_reduce=1 --name=test --filename=/data/fio-test --bs=4k --iodepth=64 --size=4G --readwrite=randrw
- Collect the file: /data/fio-test
sudo rm -f /data/fio-test
sudo ioping -c 10 /data
sudo systemctl start reaqta
Storage is full; I extended the disk but the server is still not working, what should I do?
* If the server is not publicly reachable, issue the following command after the storage space is added:
Frontend
Dashboard Management
When I close an alert as Malicious, will it be blocked?
No, it will not. Benign/Malicious are labels only.
How do I know whether I am protected by QRadar EDR?
Check with the ReaQta Dashboard administrator if the protection policies are enabled.
Which 2FA Authenticator is supported?
- Google Authenticator.
- Authy
- MS Authenticator
Generic email error, unable to receive the messages, what should I do?
If you are using our Postfix configuration, the issue is typically that mail providers reject those emails by default, since our Postfix container has no sender reputation and looks suspicious.
Not receiving the alerts on my Gmail email, what should I do?
Check the security settings on the account through.
ReaQta email configuration issue: email sender and account are the same, what should I do?
This occurs if the sender and the account entered in the ReaQta email configuration are the same. Many mail providers do not allow you to authenticate with one address and then send as another.
General Information
What is QRadar EDR?
QRadar EDR is a next-generation Endpoint Threat Response Platform that supercharges legacy security through behavior-based monitoring at the OS/kernel level, which prevents attackers from shutting it down.
How does QRadar EDR work?
It uses machine learning to detect when application behavior deviates from a normalized baseline and allows an analyst to analyze, assess, and remediate an attack from within the same platform.
Can QRadar EDR coexist with any Anti-Virus?
Yes, it can. ReaQta-Hive coexists with any antivirus solution to provide an additional layer of security, visibility, and control. However, it is not recommended to have more than one antivirus solution installed on the endpoint, as this can cause conflicts and degrade the security posture of the environment.
Is QRadar EDR Hive a high resource utilization tool?
No, it is not. ReaQta is a lightweight system with low RAM consumption (average 20MB) and it is designed to use no more than 1% of CPU.
Can I integrate QRadar EDR with other systems?
Yes, you can. You can push configuration or integrate ReaQta with other systems through the ReaQta API.
How to send alerts from QRadar EDR Hive to a third-party SIEM?
Use the Forward Alerts configuration in the ReaQta Hive Dashboard UI to configure your Hive server to send alert data to 3rd party solutions.
For more detailed information, see: ReaQta: Sending alerts from ReaQta Hive to a 3rd party SIEM
I have malicious samples on my desktop, why are they not detected?
ReaQta-Hive detects threats based on behavior only. You can therefore copy malware onto a machine (PC) without any incident being raised: as long as the sample is not executed, is inactive, or shows no malicious behavior, ReaQta-Hive does not trigger an incident, and there is no business impact to the user in such a scenario. If the malware is executed, its activity is recorded as events (regardless of whether it is flagged as suspicious), so threat hunting allows you to find information about the application.
Troubleshooting
Windows
How can I verify the Windows agent status?
sc query keeper
sc query rqtsentry
sc query rqtnetsentry
sc query i00
Getting a "Registration Failed" message box at installation time, what should I do?
Collect the log created in %TEMP% (C:\Users\<Username>\AppData\Local\Temp) whose name begins with rqt (rqt_installer), and provide the file to ReaQta support.
For more detailed information about 'Registration Failed' error messages, see: ReaQta: Troubleshooting registration errors that occur during client installation
What do the various NanoOS error codes mean?
17 = Hypervisor disabled.
-7 = VT-x not enabled, or Avast or Hyper-V present.
-5 = CPU does not meet hypervisor requirements.
-3 = No consecutive memory segment.
11 = Other hypervisor present.
12 = Allocation failed.
13 = NanoOS Startup failed.
14 = DeviceIO failed.
15 = Internal error.
16 = Unknown error.
18/19 = Version not supported.
900/999 = Driver communication error (outdated machine).
9999 = Hypervisor not started.
I got a BSOD, what can I do?
- Note the name of an affected endpoint and the timestamp of the crash, verify whether it can be reproduced, and record the steps.
- Collect the following files:
C:\Windows\Minidump
C:\Windows\MEMORY.DMP (not always available).
- Send the data to ReaQta Support.
The Agent is offline from the dashboard, what should I do?
- Check connectivity and determine whether the endpoint is able to reach the backend server.
- If the keeper service is stopped, attempt a service restart.
- If it shows "stop pending", kill the process and restart it.
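A PowerShell health check that covers both the status commands above and this offline-agent procedure, added here as an example and not part of the IBM/ReaQta documentation: it queries the four agent services the FAQ names and applies the FAQ's keeper remediation. The function names are assumptions; run it from an elevated prompt, since stopping a service process requires administrator rights.

```powershell
# Added example, not ReaQta's own code. Service names are taken from the FAQ.
$ReaQtaServices = @('keeper', 'rqtsentry', 'rqtnetsentry', 'i00')

function Get-ReaQtaAgentStatus {
    # One object per service with its current state ("Missing" if not installed).
    foreach ($name in $ReaQtaServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service = $name
            Status  = if ($svc) { $svc.Status.ToString() } else { 'Missing' }
        }
    }
}

function Repair-ReaQtaKeeper {
    # FAQ remediation for an agent shown offline: restart keeper if it is stopped;
    # if it is stuck in "StopPending", terminate its process and start it again.
    $svc = Get-Service -Name keeper -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning 'keeper service is not installed'; return }
    switch ($svc.Status) {
        'Running'     { Write-Output 'keeper is running; check endpoint-to-backend connectivity next' }
        'Stopped'     { Start-Service -Name keeper; Write-Output 'keeper was stopped; started it' }
        'StopPending' {
            $procId = (Get-CimInstance -ClassName Win32_Service -Filter "Name='keeper'").ProcessId
            if ($procId) { Stop-Process -Id $procId -Force }
            Start-Service -Name keeper
            Write-Output 'keeper was stuck in StopPending; killed and restarted it'
        }
        default       { Write-Output "keeper is in state $($svc.Status); no automatic action taken" }
    }
}

# Report all four services, flag anything not running, then attempt the keeper fix.
$status = Get-ReaQtaAgentStatus
$status | Format-Table -AutoSize
$notRunning = $status | Where-Object Status -ne 'Running'
if ($notRunning) {
    Write-Warning ('Not running: ' + ($notRunning.Service -join ', '))
    Repair-ReaQtaKeeper
}
```

If keeper is already running and the dashboard still shows the agent offline, the FAQ's first step applies: verify that the endpoint can reach the backend server.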
Unable to uninstall the Windows agent locally, what should I do?
- Check whether Keeper is running during the uninstallation; if so, terminate the Keeper process.
- If the corresponding endpoint entry is still present in the dashboard, uninstall it from there.
How can I verify the Linux agent status?
From console:
systemctl status keeperx
Product Synonym
ReaQta
Document Information
Modified date:
15 May 2023
UID
ibm16590983