Question & Answer
Question
Why can I not see my QRadar EDR virtual machine endpoints, hosted on Microsoft Hyper-V, as virtual machines on the QRadar EDR Dashboard?
Cause
When installed on an endpoint, QRadar EDR lists all the endpoints in the Endpoint tab on the dashboard. It also provides other information for monitoring and identifying the existing endpoints, such as endpoint name, IP address, version, asset type, domain, client, registration date, and last seen. The asset type column shows the type of the endpoint, such as an OS logo for bare-metal, and separate icons for server, virtual machine, and domain controller.
When the endpoint is installed on a virtual machine hosted on Microsoft Hyper-V, the asset type is shown as a normal system instead of being tagged as a virtual machine. Hyper-V is a type-1 hypervisor and runs the virtual machine directly on the hardware, whereas type-2 hypervisors like VirtualBox run on top of the OS, which enables QRadar EDR to classify the type of endpoint.
Examples of Type-1 hypervisors: Hyper-V, VMware ESXi and so on
Examples of Type-2 hypervisors: VirtualBox, VMware Workstation and so on
Answer
A virtual machine hosted on Hyper-V shows on the Endpoint tab as normal hardware because Microsoft does not provide a practical way to detect a Hyper-V virtual machine as a virtual machine. Hyper-V is a type-1 hypervisor and runs on the hardware directly. Regardless of how the endpoint is categorized in this case, this is not an error but by design, and it does not affect the protection provided to the endpoint or its functions on the dashboard in any way.
Product Synonym
ReaQta
Document Information
Modified date:
15 May 2023
UID
ibm16562909