Managing MSSP clients

On an MSSP server, you can have multiple clients in a multi-tenant environment. The data for each client is segregated from the data for other clients.

MSSP servers can have three types of administrators.

Global Administrator
A global administrator has full access to all the information available on the server and can manage all users and clients.
Multi-Client Administrator
A multi-client administrator manages two or more clients, groups, users, and endpoints. They can also create new clients and update licenses for clients they manage.
Single-Client Administrator
A single-client administrator can view and manage a single client.

Creating a client

Procedure

  1. Click Administration > Manage Clients.
  2. Click Create Client.
  3. Enter a Company Name and select an Expiration Date for the client. You can also add a description and an image for the client.
  4. Click Create.

Creating a group for a client

Procedure

  1. Click Administration > Manage Clients.
  2. Click View Details on a client card.
  3. On the Groups tab, click Create group.
  4. Give the group a name and a description.
  5. Click the group in the group list.
  6. On the Users tab, click Edit Users and add users to the group.
  7. On the Endpoints tab, click Edit Endpoints and add endpoints to the group.

Deleting a group from a client

Procedure

  1. Click Administration > Manage Clients.
  2. Click the group in the group list.
  3. Click the edit settings icon.
  4. Click Delete.

Enabling the Anti-Malware module for a client

About this task

Windows-only

Procedure

  1. Click Administration > Manage Clients.
  2. Click View Details on a client card.
  3. Click the edit settings icon.
  4. Click Configure Anti-Malware.
    The Anti-Malware module is automatically downloaded and installed by the QRadar EDR Agent.
  5. Select the protection level for endpoints with the Anti-Malware module.
    Protection level | Description
    ---------------- | -----------
    Detection | Identify threats in new files and all installed applications, and create alerts without removing artifacts from the disk.
    Standard Protection | Identify and remove threats in a user's Documents and Downloads folders, and in running applications.
    Advanced Protection | Extend protection and scanning to all installed software applications.
    Aggressive Protection | Run in-depth scans of every application and file, including system folders.
  6. If you need to exclude any paths from Anti-Malware module protection, click Create antimalware exceptions.
    1. Provide an exception policy name and description.
    2. Provide the path to be excluded.
      The following are examples of paths that might be excluded.
      • *
      • %SystemDrive%
      • %SystemRoot%
      • %PROGRAMDATA%
      • %PROGRAMFILES%
      • %PROGRAMFILES(X86)%

      You can also exclude specific executable files by using the following notation.

      <process>C:\<path_to>\<file_name>.exe

  7. Click Administration > Update Manager, and enable the Anti-Malware distribution.
  8. Edit the Targets field.
    • To deliver the updated package to specific endpoints, add a list of clients or groups.
    • To deliver the updated package to all eligible endpoints, set the field to Global.
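
As an added example (not IBM's code and not part of the original page), the following Python script reviews a proposed exception list from step 6 before it is entered in the console, and ranks entries by how much of the disk they remove from Anti-Malware module protection. It assumes that `*` matches every path, that `<process>` is a literal prefix, and that the variables expand to stock Windows defaults; `exclusion_scope` and `review` are hypothetical helper names.

```python
import ntpath
import re

# Assumed values on a stock Windows install (constructed, not taken from the product).
DEFAULT_ENV = {
    "SYSTEMDRIVE": "C:",
    "SYSTEMROOT": r"C:\Windows",
    "PROGRAMDATA": r"C:\ProgramData",
    "PROGRAMFILES": r"C:\Program Files",
    "PROGRAMFILES(X86)": r"C:\Program Files (x86)",
}
PROCESS_PREFIX = "<process>"  # assumed to be a literal prefix, as written in step 6

def expand(path, env=DEFAULT_ENV):
    """Expand %VAR% case-insensitively; unknown variables are left untouched."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)

def exclusion_scope(entry, env=DEFAULT_ENV):
    """Classify one exception entry by how much it removes from coverage."""
    entry = entry.strip()
    if entry.lower().startswith(PROCESS_PREFIX):
        exe = expand(entry[len(PROCESS_PREFIX):], env)
        single = ntpath.isabs(exe) and "*" not in exe and exe.lower().endswith(".exe")
        return "process" if single else "process-ambiguous"
    path = expand(entry, env)
    if "%" in path:
        return "unresolved"  # variable unknown here, so the scope cannot be judged
    norm = ntpath.normpath(path).rstrip("\\").lower()
    if norm == "*":
        return "everything"
    if re.fullmatch(r"[a-z]:(\\\*)?", norm):
        return "drive"
    system_trees = {v.lower() for v in env.values()}
    if norm.removesuffix("\\*") in system_trees:
        return "system-tree"
    return "wildcard" if "*" in norm else "specific"

def review(entries, env=DEFAULT_ENV):
    """Return the entries that need a second reviewer, broadest scope first."""
    order = ["everything", "drive", "system-tree", "unresolved", "process-ambiguous", "wildcard"]
    flagged = [(exclusion_scope(e, env), e) for e in entries]
    return sorted((f for f in flagged if f[0] in order), key=lambda f: order.index(f[0]))

if __name__ == "__main__":
    # Constructed sample policy: the page's example paths mixed with narrow entries.
    sample = ["*", "%SystemDrive%", "%PROGRAMFILES(X86)%", r"D:\Builds\out",
              r"<process>C:\Tools\backup.exe", r"%APPDIR%\cache"]
    for scope, entry in review(sample):
        print(f"{scope:18} {entry}")
```

Entries classified as `specific` or `process` are not returned by `review`; everything else is listed for sign-off, with the widest exclusions at the top.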

Enabling protected uninstallation for a client

Enable protected uninstallation to prevent users from uninstalling the QRadar EDR Agent from an endpoint without authorization.

About this task

Windows-only

Requires Windows agent 3.10 or later

Procedure

  1. Click Administration > Manage Clients.
  2. Click View Details on a client card.
  3. Set Protected Uninstallation to On.

Results

Protected uninstallation is enabled for all Windows endpoints for this client that have agent 3.10 or later installed. If a compatible endpoint is offline when you enable protected uninstallation, the protected uninstallation status for that endpoint shows as Enablement pending until the endpoint is online and receives the update.

Deleting a client

Procedure

  1. Click Administration > Manage Clients.
  2. Click View Details on a client card.
  3. Click the edit settings icon.
  4. Click Delete Client.
  5. On the Remove Client window, enter the name of the client.
  6. If you want to delete users who are associated with this client and aren't associated with any other clients, select the Also delete any users who *only* belong to this client checkbox.
  7. Click Confirm.

Results

The client is deleted. The QRadar EDR Agent is uninstalled from all of the endpoints that were associated with the client. Any data that is associated with the client's endpoints is deleted at the end of the data retention period. If the client is re-created and the QRadar EDR Agent is reinstalled on an endpoint before the end of the retention period, any historical data for that endpoint is visible in the QRadar EDR Dashboard.