Installing QRadar EDR by using CASE

Install IBM® Security QRadar® EDR in an environment with internet connectivity by using the Container Application Software for Enterprises (CASE).

There are several prerequisite steps you must take before you install QRadar EDR by using CASE.

Install Windows Subsystem for Linux (WSL)

If you are using a Windows computer, you must install Windows Subsystem for Linux® (WSL).

For more information about installing WSL, see Install WSL.

Install Red Hat OpenShift CLI 4.14 or later

The Red Hat OpenShift CLI client helps you develop, build, deploy, and run your applications on any Red Hat OpenShift or Kubernetes cluster. It also includes the administrative commands for managing a cluster under the adm subcommand.

Procedure

  1. Download Red Hat OpenShift CLI 4.14 or later from https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/stable-4.14/. The file to download is called openshift-client-<platform>-<version>.tar.gz.
  2. Extract the binary file that you downloaded by typing the following command, where <oc_cli_archive_file> is the name of the archive file that you downloaded.
    tar -xf <oc_cli_archive_file>
  3. Modify the permissions of the binary file by typing the following command, where <oc_cli_binary> is the name of the Red Hat OpenShift binary that you extracted from the archive.
  4. Move the binary file to the /usr/local/bin directory by typing the following command.
    mv <oc_cli_binary> /usr/local/bin/oc
    Tip: If this command returns a No such file or directory or Not a directory error message, create the /usr/local/bin directory by typing the following command.
    sudo mkdir /usr/local/bin
  5. Ensure that the Red Hat OpenShift CLI client is working by typing the following command.
    oc version
    Tip: MacOS users might see a message that this tool cannot be opened because it is from an unidentified developer. Close this message and go to System Preferences > Security & Privacy. On the General tab, click Open Anyway or Allow Anyway. Repeat the oc version command.

Install Docker CLI 18.0.0 or later

If Docker is not available for your OS, install Podman CLI 1.4 or later instead.

Procedure

Install Docker.

  1. Download and set up the Docker or Podman CLI tool for your computer operating system (OS).
    1. CentOS
    2. Debian
    3. Fedora
    4. MacOS
    5. Ubuntu
  2. Ensure that the Docker or Podman CLI tool is working by typing the following command.
     docker version

If you can't install Docker, install Podman.

  1. Download and set up the Podman CLI tool for your computer OS.
    1. Linux distributions
    2. MacOS
      Important: To install Podman on MacOS, you must first install Homebrew.
  2. Ensure that the Podman CLI tool is working by typing the following command.
     podman version

Install the IBM Catalog Management plug-in for Red Hat OpenShift CLI

The IBM Catalog Management plug-in simplifies the process for discovering required IBM product images and uses standard tooling for registry and cluster access.

Procedure

  1. Download the latest version of the plug-in.
    1. To download the latest release version from the public GitHub repo on MacOS, type the following command.
      curl -L https://github.com/IBM/ibm-pak-plugin/releases/latest/download/oc-ibm_pak-darwin-amd64.tar.gz -o oc-ibm_pak-plugin.tar.gz
    2. To download the latest release version from the public GitHub repo on Linux, type the following command.
      curl -L https://github.com/IBM/ibm-pak-plugin/releases/latest/download/oc-ibm_pak-linux-amd64.tar.gz -o oc-ibm_pak-plugin.tar.gz
  2. Extract the plug-in from the archive file by typing the following command.
    tar -xvf oc-ibm_pak-plugin.tar.gz
  3. Move the extracted plug-in to your /usr/local/bin directory by typing the following command.
    mv oc-ibm_pak-*-amd64 /usr/local/bin/oc-ibm_pak
  4. Verify that the plug-in is installed successfully by typing the following command.
    oc ibm-pak --version

Gather the information needed to install QRadar EDR

Make sure you know the registry key and other information to successfully install QRadar EDR.

Table 1. Information needed to install QRadar EDR

Information needed: The IBM Entitled Registry key
Description:
After you purchase a license for QRadar EDR, an entitlement for the Cloud Pak software is associated with your MyIBM account ID. You must have an entitlement key for the IBM Entitled Registry to install QRadar EDR by the online or air-gapped method that uses the IBM Entitled Registry. The value of the key is set in a parameter that is used during installation.

  1. Use the IBMid and the password that are associated with the entitled software to log in to the MyIBM Container Software Library.
  2. In the Container software library, from the menu bar, click Get entitlement key.
  3. In the Entitlement keys section, click Copy Key, and copy the key to a safe location.

You need the IBM Entitled Registry key during the installation process and it must continue to be valid through the entire lifecycle of the platform.

Important: If the IBM Entitled Registry key becomes invalid, you must create a new key in Passport Advantage® from a valid account and replace the key on QRadar EDR. If you do not replace the key on QRadar EDR, services fail.

Information needed: The Fully Qualified Domain Name (FQDN) chosen for the QRadar EDR application
Description:
The FQDN of the Red Hat OpenShift Container Platform cluster is used with the TLS certificate for the platform FQDN. You can choose to create a unique FQDN for the QRadar EDR platform if you don't want to use the Red Hat OpenShift Container Platform cluster FQDN.

For more information about the FQDN requirements, see Domain name and TLS certificates.

Information needed: Certificate of Authority (CA), if required for the QRadar EDR application domain
Description: For more information about certificates, see Domain name and TLS certificates.

Information needed: The persistent storage and storage class to be used
Description: For more information about the persistent storage required for QRadar EDR, see Storage requirements.

Installing QRadar EDR by using CASE

A CASE provides a package to configure multiple user roles to install, manage, and upgrade the software.

Procedure

  1. Create and go to the edr_install working directory by typing the following command.
    export QRADAR_EDR_DIR=$HOME/edr_install && mkdir $QRADAR_EDR_DIR && cd $QRADAR_EDR_DIR
    Set the following environment variables with CASE details.
    export CASE_NAME=ibm-security-edr 
    export CASE_VERSION=1.0.15 
    export QRADAR_EDR_DIR=$HOME/edr_install 
    export IBMPAK_HOME=$QRADAR_EDR_DIR
  2. Download and extract the QRadar EDR archive file by typing the following command.
    oc ibm-pak get $CASE_NAME --version $CASE_VERSION --disable-top-level-images-mode \
    && tar -xf $QRADAR_EDR_DIR/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION/ibm-security-*.tgz \
    -C $QRADAR_EDR_DIR/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION
  3. Log in to the cluster by using either of the following commands, where <openshift_url> is the URL for your Red Hat OpenShift Container Platform environment.
    • Using a username and password.
      oc login <openshift_url> -u <username> -p <password>
    • Using a token.
      oc login --token=<token> --server=<openshift_url>
  4. Set the QRadar EDR namespace variable and create a namespace in the cluster by typing the following commands.
    export QRADAR_EDR_NAMESPACE=edr
    oc new-project $QRADAR_EDR_NAMESPACE
  5. Update the parameters in the $QRADAR_EDR_DIR/.ibm-pak/data/cases/ibm-security-edr/1.0.15/ibm-security-edr/inventory/ibmSecurityEdrOperatorSetup/files/values.conf file.

    The following table lists the configurable parameters for the QRadar EDR installation and their descriptions.

    Table 2. QRadar EDR installation parameters

    airgapInstall
      Description: This parameter is set to false when you are not installing in an airgap environment.
      Do you need to update this parameter? No
    clusterProxy
      Description: If you are installing in a cluster that is using a cluster-wide proxy, set to true. If you are not installing in a cluster that is using a cluster-wide proxy, set to false. Cluster-wide proxy is not supported in a disconnected environment.
      Do you need to update this parameter? No, unless you are installing in a cluster that is using a cluster-wide proxy. For more information, see Configuring a cluster-wide HTTPS proxy.
    domain
      Description: The fully qualified domain name (FQDN) created for QRadar EDR.
      Do you need to update this parameter? No, unless you want to specify your own FQDN.
    domainCertificatePath
      Description: The path of the TLS certificate that is associated with the QRadar Suite Software domain. If the domain is not specified, the Red Hat OpenShift cluster certificates are used. For more information, see Domain name and TLS certificates.
      Do you need to update this parameter? No, unless you updated the domain parameter.
    domainCertificateKeyPath
      Description: The path of the TLS key that is associated with the QRadar Suite Software domain. If the domain is not specified, the Red Hat OpenShift cluster certificates are used. For more information, see Domain name and TLS certificates.
      Do you need to update this parameter? No, unless you updated the domain parameter.
    customCaFilePath
      Description: The path of the custom TLS certificate associated with the QRadar Suite Software domain. For more information, see Domain name and TLS certificates.
      Do you need to update this parameter? No, unless you are using a custom or self-signed certificate.
    storageClass
      Description: The provisioned block storage class for all the PVCs that are used by QRadar EDR. For more information, see Storage requirements.
      Do you need to update this parameter? No.
    backupStorageClass
      Description: Storage class for the backup and restore pod. If this value is not set, QRadar EDR takes the value from the storageClass parameter.
      Do you need to update this parameter? No, unless you are using a different storage class for the backup and restore pod than you set for the storageClass parameter. For more information about using a CSI storage class with volume expansion to create the backup and restore PVC, see Creating the backup and restore PVC.
    backupStorageSize
      Description: The storage size for the backup and restore PVC. Must be 500 GB or larger.
      Do you need to update this parameter? No, unless you need the storage size for the backup and restore pod to be greater than 500 GB. For more information, see Creating the backup and restore PVC.
    imagePullPolicy
      Description: The pull policy for the images. When Red Hat OpenShift creates containers, it uses the imagePullPolicy to determine whether to pull the container image from the registry before it starts the container. Options are Always, IfNotPresent, or Never.
      Do you need to update this parameter? No
    repository
      Description: The IBM Entitled Registry from which the images are pulled. Must be set to cp.icr.io/cp/cp4s.
      Do you need to update this parameter? No
    repositoryUsername
      Description: The username for the IBM Entitled Registry that images are pulled from. Must be set to cp.
      Do you need to update this parameter? No
    repositoryPassword
      Description: The password to access the IBM Entitled Registry.
      Do you need to update this parameter? Yes
    deploymentSize
      Description: The size of the deployment: small, medium, large, 10k, or 15k. For more information about choosing the cluster size, see Hardware requirements.
      The event volume might not be known exactly when you are installing the product, so select the estimated size of the deployment based on the general number of endpoints.
      The following list shows the estimated deployment size settings that you can use depending on the number of endpoints you have.
        small - up to 1k endpoints.
        medium - up to 3k endpoints.
        large - up to 5k endpoints.
        10k - up to 10k endpoints.
        15k - up to 15k endpoints.
    licenseType
      Description: The type of QRadar EDR license you acquired. Must be one of:
        Enterprise - Select this license type when IBM Security QRadar EDR Enterprise was purchased and the system is not being deployed in MSSP mode.
        Pro - Select this license type when IBM Security QRadar EDR was purchased and the system is not being deployed in MSSP mode.
        MSSP-Pro - Select this license type when IBM Security QRadar EDR was purchased and the system is being deployed in MSSP mode.
        MSSP-Enterprise - Select this license type when IBM Security QRadar EDR Enterprise was purchased and the system is being deployed in MSSP mode.
      Note: MSSP mode is a multi-tenant instance that enforces strict separation between customers (tenants). MSSP admins can manage each tenant individually and assign user roles and policies that fit each tenant's needs.
      Do you need to update this parameter? Yes
  6. Install QRadar EDR.
    Table 3. QRadar EDR installation command arguments

    --namespace
      Description: The namespace where QRadar EDR will be installed. The namespace must meet the following criteria:
        • Contain only lowercase alphanumeric characters or -
        • Start and end with an alphanumeric character
        • Be a dedicated namespace for QRadar EDR
        • Not be default, kube-*, or openshift-
      The namespace is created automatically if it does not exist.
    --acceptLicense
      Description: Read the QRadar EDR license that is in the $QRADAR_EDR_DIR/.ibm-pak/data/cases/ibm-security-edr/1.0.15/ibm-security-edr/LICENSE directory. By accepting the license, you confirm that you read the license and accept the terms. For the QRadar EDR installation to proceed, the acceptLicense true parameter is added to the installation action.
      For more information, see Managing licensing and usage.

    1. Install QRadar EDR by typing the following command.
      oc ibm-pak launch -t 1 \
      $CASE_NAME \
      --version $CASE_VERSION --inventory ibmSecurityEdrOperatorSetup \
      --namespace $QRADAR_EDR_NAMESPACE  \
      --action install --args "--acceptLicense true"
      Important: Installation takes approximately 30 minutes.
  7. Verify QRadar EDR installation by typing the following command.
    oc ibm-pak launch -t 1 $CASE_NAME --version $CASE_VERSION  --inventory ibmSecurityEdrOperatorSetup  --namespace $QRADAR_EDR_NAMESPACE  --action validate
    When the installation is complete, the following message displays:
    [INFO] IBM Security EDR deployment is complete.
  8. Log in to your QRadar EDR Dashboard as the initial admin user.
    1. Retrieve the URL for your QRadar EDR Dashboard by typing the following command.
      oc get route -n $QRADAR_EDR_NAMESPACE
      In the following example output, the QRadar EDR Dashboard URL is cp4s.example.eu-de.containers.appdomain.cloud.
        NAME                 HOST/PORT
        isc-route-default    cp4s.example.eu-de.containers.appdomain.cloud
    2. Retrieve your initial QRadar EDR Dashboard login credentials by typing the following command.
      oc get secret reaqta-hive-maia-users-secret -o json -n $QRADAR_EDR_NAMESPACE | jq '.data | map_values(@base64d)'
      The following example output shows that the login username is admin@example.com, and the login password is <initial_admin_password>.
      {
      "admin.password": "<initial_admin_password>",
      "admin.username": "admin@example.com",
      "keeper.password": "<initial_keeper_password>",
      "keeper.username": "keeper@example.com"
      }
    3. In a web browser, go to your QRadar EDR Dashboard URL and log in with your initial admin credentials.
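A pre-flight check for steps 5 and 6, added here as an example and not part of IBM's CASE tooling: it validates the constrained values.conf parameters from Table 2 (fixed registry values, allowed deploymentSize, licenseType and imagePullPolicy values, the 500 GB backup minimum) and the namespace rules from Table 3 before oc ibm-pak launch is run. It assumes values.conf uses unquoted key=value lines; the sample file it writes is constructed and uses placeholders.

```shell
#!/bin/sh
# Added pre-flight checker, not part of IBM's CASE tooling. Assumes values.conf
# uses unquoted key=value lines; adjust conf_get if the real layout differs.

# Table 3: lowercase alphanumeric or '-', starts and ends alphanumeric,
# and not default, kube-* or openshift-*.
check_namespace() {
  case "$1" in default|kube-*|openshift-*) return 1 ;; esac
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# Return the value of key $2 from file $1 (first match, '#' lines ignored).
conf_get() {
  grep -v '^[[:space:]]*#' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Table 2: fixed values, allowed enumerations, and the 500 GB backup minimum.
check_values_conf() {
  f=$1
  [ "$(conf_get "$f" repository)" = "cp.icr.io/cp/cp4s" ] || { echo "repository must be cp.icr.io/cp/cp4s"; return 1; }
  [ "$(conf_get "$f" repositoryUsername)" = "cp" ] || { echo "repositoryUsername must be cp"; return 1; }
  [ -n "$(conf_get "$f" repositoryPassword)" ] || { echo "repositoryPassword (entitlement key) is empty"; return 1; }
  case "$(conf_get "$f" deploymentSize)" in
    small|medium|large|10k|15k) ;; *) echo "deploymentSize must be small, medium, large, 10k or 15k"; return 1 ;;
  esac
  case "$(conf_get "$f" licenseType)" in
    Enterprise|Pro|MSSP-Pro|MSSP-Enterprise) ;; *) echo "licenseType is not one of the four allowed values"; return 1 ;;
  esac
  case "$(conf_get "$f" imagePullPolicy)" in
    Always|IfNotPresent|Never) ;; *) echo "imagePullPolicy must be Always, IfNotPresent or Never"; return 1 ;;
  esac
  # Keep the leading digits of values such as 500Gi, then enforce the minimum.
  size=$(conf_get "$f" backupStorageSize | sed 's/[^0-9].*$//')
  [ -n "$size" ] && [ "$size" -ge 500 ] || { echo "backupStorageSize must be 500 GB or larger"; return 1; }
}

# Constructed sample values.conf written to $1 (placeholders, not real values).
write_sample_conf() {
  cat > "$1" <<'EOF'
airgapInstall=false
clusterProxy=false
storageClass=<storage_class_placeholder>
backupStorageSize=500Gi
imagePullPolicy=IfNotPresent
repository=cp.icr.io/cp/cp4s
repositoryUsername=cp
repositoryPassword=<entitlement_key_placeholder>
deploymentSize=small
licenseType=Enterprise
EOF
}
```

Run check_values_conf against the real values.conf path from step 5 and check_namespace against $QRADAR_EDR_NAMESPACE before step 6; each function prints the first failing rule and returns non-zero.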

What to do next

Sign up for IBM My Notifications to receive notifications of new patches, fix packs, or other feature updates from IBM Support by completing the instructions in technote 6579103.