Managing endpoints

You can monitor the processes, services, and connections that are active on endpoints in your environment. You can also download files from an endpoint, enable anti-ransomware detection, update policies on an endpoint, and isolate an endpoint from the network.

Monitoring an endpoint

You can monitor a specific endpoint to view its active processes, services, and connections. This supports an investigation by providing up-to-date information and context on what is happening on the endpoint in real time.

Procedure

  1. Click Endpoints.
  2. Click an endpoint in the endpoint list.
  3. Click View Endpoint > Live Response.
  4. Click the + icon.
  5. To view a list of active processes on the endpoint, click show processes.
  6. To view a list of active services on the endpoint, click show services.
  7. To view a list of active connections on the endpoint, click show connections.

Downloading files from an endpoint

You can download files to help evaluate security incidents. You can use these files to collect malicious samples, for further manual analysis, or for working with other tools.

Before you begin

Downloading a file from a Microsoft Windows network share can result in credential leakage due to the NT LAN Manager (NTLM) authentication protocol. To minimize this risk, restrict NTLM traffic to local servers or within trusted domains when possible. Set the QRadar® EDR user role to follow the least privilege principle and allow file downloads only to a restricted set of users. For more information, see Managing users.

About this task

You can download a specific file from an endpoint as described here.

Procedure

  1. Click Endpoints.
  2. Click an endpoint in the endpoint list.
  3. Click View Endpoint > Live Response.
  4. To download a file from the endpoint, type the following command.
    download file "<path_to_file>"
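The NTLM caveat under Before you begin applies whenever the path handed to download file points at a Windows network share. The following is an added example, not part of the QRadar EDR documentation or product, that pre-checks the path argument before an analyst runs the command: it flags UNC paths whose server is outside an assumed trusted-domain allowlist. The command syntax it parses and the allowlist are assumptions.

```python
# Added example, not part of the QRadar EDR documentation or product: pre-check
# the path given to the Live Response command  download file "<path_to_file>"
# so that a download from a Windows network share (a UNC path, for which the
# endpoint authenticates to the file server with NTLM) is flagged unless the
# server is in an assumed trusted-domain allowlist.
import re

# Assumed allowlist for this example: servers in these DNS suffixes are trusted.
TRUSTED_DOMAIN_SUFFIXES = (".corp.example",)

# The command as typed in Live Response; straight or curly quotes, closing quote optional.
_CMD_RE = re.compile(r'^\s*download\s+file\s+["“”]?(?P<path>[^"“”]+?)["“”]?\s*$')
# UNC form \\server\share\... (forward slashes are normalized before matching).
_UNC_RE = re.compile(r'^\\\\(?P<server>[^\\/]+)\\(?P<share>[^\\/]+)')


def parse_download_command(cmd: str) -> str:
    """Return the path argument of a 'download file' command; raise ValueError otherwise."""
    m = _CMD_RE.match(cmd)
    if not m:
        raise ValueError(f"not a download file command: {cmd!r}")
    return m.group("path").strip()


def classify_path(path: str) -> dict:
    """Classify a Windows path as local or as a share on a trusted/untrusted server."""
    m = _UNC_RE.match(path.replace("/", "\\"))
    if not m:
        # Drive-letter paths are local. A mapped drive letter that points at a
        # share cannot be recognized from the path alone and is reported as local.
        return {"kind": "local", "server": None, "allowed": True}
    server = m.group("server").lower()
    return {"kind": "share", "server": server,
            "allowed": server.endswith(TRUSTED_DOMAIN_SUFFIXES)}


def check_download(cmd: str) -> dict:
    """Parse the command and return its classification with a one-line reason."""
    result = classify_path(parse_download_command(cmd))
    if result["kind"] == "local":
        result["reason"] = "path is local to the endpoint"
    elif result["allowed"]:
        result["reason"] = f"path is on a share of trusted server {result['server']}"
    else:
        result["reason"] = (f"path is on a share of server {result['server']}, which is "
                            "not trusted; the endpoint would send it NTLM authentication")
    return result
```

A mapped drive letter that resolves to a share is reported as local, so the check complements, rather than replaces, restricting outbound NTLM on the endpoint.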

Results

The file is downloaded to your workstation. The file is also available for download from the QRadar EDR Brain. For more information, see Downloading files from the QRadar EDR Brain to your workstation.

Deleting files from an endpoint

You can delete files from an endpoint as part of your response to a security incident. You can delete files from an endpoint to remove malicious artifacts such as code executables, configuration files, or service files.

About this task

You can delete a specific file from an endpoint as described here.

Procedure

  1. Click Endpoints.
  2. Click an endpoint in the endpoint list.
  3. Click View Endpoint > Live Response.
  4. To delete a file from the endpoint, type the following command.
    delete file "<path_to_file>"

Results

The file is deleted from the endpoint.

Downloading forensic data from an endpoint

You can download a .zip archive that contains a forensic data package for an endpoint to help identify anomalous or malicious behavior on the endpoint across processes, services, and connections. The forensic data package provides a snapshot of key information of an endpoint's state, configuration, and past security events, helping you to collect all the relevant information to assess the state of an endpoint.

About this task

You can download a basic forensic data package, or an advanced forensic data package. It takes approximately 5 minutes to collect the data for the basic package, and approximately 15 minutes to collect the data for the advanced package. The package is available to download for 1 day.

The following table shows the forensic data that is available in the basic and advanced forensic data packages.

Table 1. Forensic data packages
Basic                                     Advanced
----------------------------------------  -------------------------------
Processes running                         All data from the basic package
Services                                  Missing updates
Network connections                       Environment variables
Address Resolution Protocol (ARP) cache   Prefetch files
DNS cache                                 BitLocker information
System information                        Named pipes
Installed programs                        Samba sessions
Updates                                   File associations
Security event logs                       Hosts file
Scheduled tasks                           Extended event logs
Users and groups                          UAC settings
Shares                                    Audit policy
Proxy information                         Firewall rules

Procedure

  1. Click Endpoints.
  2. Click an endpoint in the endpoint list.
  3. Click View Endpoint > Collect Forensic Data.
  4. Enter a name for the .zip archive in the Description field.
  5. Set an Unzip Password to be used to extract the archive.
  6. Choose the Basic or Advanced package and click Collect.
  7. When the package is ready, click the Download link in the Forensic Data section of the Endpoint Details screen.

Exporting a list of endpoints

You can export a list of endpoints that you have permission to see in QRadar EDR Dashboard to get an overview of all of the endpoints on which QRadar EDR is installed.

Procedure

  1. Click Endpoints.
  2. If you want to export a subset of the endpoints that you have permission to see, click Advanced Filters and filter the endpoints as needed.
  3. Click Export as CSV.

Results

The list of endpoints is downloaded in a .csv file.

Updating policies on an endpoint

Policies define which malicious behaviors are detected, which of them generate alerts, and which are also blocked. You can view and manage the policies that are loaded on any specific endpoint.

Procedure

  1. Click Endpoints.
  2. Click an endpoint in the endpoint list.
  3. Click View Endpoint > Live Response.
  4. If you want to see the policies that are loaded on the endpoint, type the following command.
    show pol
  5. To force the policies that are loaded on the endpoint to be deleted and refreshed, type the following command.
    clean pol

Results

The policies that are loaded on the endpoint are deleted, and policies are downloaded to the endpoint from QRadar EDR. For more information, see Managing policies.

Isolating an endpoint

Windows only: You can isolate a specific endpoint to stop all network access on that endpoint, as part of your response, so that the infected endpoint cannot communicate with other endpoints.

Procedure

  1. Click Endpoints.
  2. Click an endpoint in the endpoint list.
  3. Click View Endpoint > Isolate.

Results

The endpoint is isolated from the network, but can still communicate with QRadar EDR Dashboard.

Uninstalling the QRadar EDR Agent from an endpoint remotely

Agents are uninstalled automatically if your license expires, or when your client is deleted. If necessary, you can also uninstall an agent for a specific endpoint from the dashboard.

Procedure

  1. Click Endpoints.
  2. Click an endpoint in the endpoint list.
  3. Click View Endpoint > Uninstall.

Results

The agent is uninstalled from the endpoint.

Uninstalling the QRadar EDR Agent on a Linux endpoint locally

You might want to decommission an endpoint from QRadar EDR, or in some cases remove QRadar EDR as part of support procedures to help resolve issues.

About this task

You can uninstall QRadar EDR Agent on a Debian-based or RPM-based Linux® endpoint locally.

Procedure

Uninstall the agent by typing one of the following commands on the endpoint.
  • Debian-based Linux endpoints.
    sudo dpkg -r keeperx
  • RPM-based Linux endpoints.
    sudo rpm -e keeperx

Uninstalling the QRadar EDR Agent on a Mac endpoint locally

You might want to decommission an endpoint from QRadar EDR, or in some cases remove QRadar EDR as part of support procedures to help resolve issues.

About this task

You can uninstall the QRadar EDR Agent on a Mac endpoint locally.

Procedure

  1. Go to the /Library/IBM Security ReaQta directory by typing the following command.
    cd /Library/IBM\ Security\ ReaQta
  2. Uninstall the agent by typing the following command.
    sudo ./uninstall.sh
  3. Verify that the /Library/IBM Security ReaQta directory no longer exists by typing the following command.
    ls /Library
  4. Verify that the /Applications/IBM Security ReaQta app no longer exists by typing the following command.
    ls /Applications

Uninstalling the QRadar EDR Agent on a Windows endpoint locally when protected uninstallation is disabled

Windows only: You might want to decommission an endpoint from QRadar EDR, or in some cases remove QRadar EDR as part of support procedures to help resolve issues.

About this task

When protected uninstallation is disabled, you can uninstall the agent from an endpoint without a token.

Procedure

Uninstall the agent by typing the following command on the endpoint.
"C:\Program Files\ReaQta\keeper.exe" uninstall

Results

The agent is uninstalled from the endpoint.
If protected uninstallation was previously enabled but is now disabled, the change is not reflected on an endpoint that is offline. In this case, use one of the following procedures to uninstall the agent.

Uninstalling the QRadar EDR Agent on a Windows endpoint locally when protected uninstallation is enabled

Windows only: You might want to decommission an endpoint from QRadar EDR, or in some cases remove QRadar EDR as part of support procedures to help resolve issues.

About this task

When protected uninstallation is enabled, you can uninstall the agent from an endpoint only if you provide a token.

Procedure

  1. Click Endpoints.
  2. Click an endpoint in the endpoint list.
  3. Click View Endpoint > Uninstall > Generate Uninstallation Token.
  4. Enter a reason for uninstalling the agent from the endpoint, then click Generate & Download.
    Important: The token file expires 24 hours after it is created.
  5. Copy the token to the endpoint.
  6. Uninstall the agent by typing the following command on the endpoint.
    "C:\Program Files\ReaQta\keeper.exe" uninstall <path_to_token>

Results

The agent is uninstalled from the endpoint.

If you can't generate a token because the QRadar EDR Dashboard is offline, follow the steps in Uninstalling the QRadar EDR Agent on a Windows endpoint locally in safe mode.

Uninstalling the QRadar EDR Agent on a Windows endpoint locally in safe mode

Windows only: If the standard QRadar EDR Agent uninstallation fails, you can uninstall the agent in safe mode.

Procedure

  1. Enter safe mode, then open the command prompt as an administrator.
  2. Stop and delete keeper by typing the following command.
    sc stop keeper & sc delete keeper
  3. Stop and delete rqtsentry by typing the following command.
    sc stop rqtsentry & sc delete rqtsentry
  4. Stop and delete rqtnetsentry by typing the following command.
    sc stop rqtnetsentry & sc delete rqtnetsentry
  5. Stop and delete i00 by typing the following command.
    sc stop i00 & sc delete i00
  6. Remove the ReaQta folder by typing the following command.
    rmdir /s /q "c:\Program Files\ReaQta"
  7. Remove the rqtsentry, rqtnetsentry, and i00 system files by typing the following commands.
    del c:\windows\system32\drivers\rqtsentry.sys
    del c:\windows\system32\drivers\rqtnetsentry.sys
    del c:\windows\system32\drivers\i00.sys
  8. Open the registry editor by typing the following command.
    regedit
  9. Search the registry for reaqta and remove any entries that are found.