Installing QRadar EDR by using the Red Hat OpenShift Console

Install IBM® Security QRadar® EDR by using the Red Hat® OpenShift® Console.

Gather the information needed to install QRadar EDR

Make sure you know the registry key and other information to successfully install QRadar EDR.

Table 1. Information needed to install QRadar EDR

Information needed: The IBM Entitled Registry key
Description:

After you purchase a license for QRadar EDR, an entitlement for the Cloud Pak software is associated with your MyIBM account ID. You must have an entitlement key for the IBM Entitled Registry to install QRadar EDR by the online or air-gapped method that uses the IBM Entitled Registry. The value of the key is set in a parameter that is used during installation.

  1. Use the IBMid and the password that are associated with the entitled software to log in to the MyIBM Container Software Library.
  2. In the Container software library, from the menu bar, click Get entitlement key.
  3. In the Entitlement keys section, click Copy Key, and copy the key to a safe location.

You need the IBM Entitled Registry key during the installation process, and it must continue to be valid through the entire lifecycle of the platform.

Important: If the IBM Entitled Registry key becomes invalid, you must create a new key in Passport Advantage® from a valid account and replace the key on QRadar EDR. If you do not replace the key on QRadar EDR, services fail.

Information needed: The Fully Qualified Domain Name (FQDN) chosen for the QRadar EDR application
Description:

The FQDN of the Red Hat OpenShift Container Platform cluster is used with the TLS certificate for the platform FQDN. You can choose to create a unique FQDN for the QRadar EDR platform if you don't want to use the Red Hat OpenShift Container Platform cluster FQDN.

For more information about the FQDN requirements, see Domain name and TLS certificates.

Information needed: The certificate authority (CA) certificate, if required for the QRadar EDR application domain
Description: For more information about certificates, see Domain name and TLS certificates.

Information needed: The persistent storage and storage class to be used
Description: For more information about the persistent storage required for QRadar EDR, see Storage requirements.

Installing QRadar EDR by using the Red Hat OpenShift Console

Use the Red Hat OpenShift Console.

Procedure

  1. Go to Projects > Create Project and create a namespace where you want to install QRadar EDR. The namespace must meet the following criteria.
    • Contain only lowercase alphanumeric characters or -
    • Start and end with an alphanumeric character
    • Be a dedicated namespace for QRadar EDR Software.
    • Not be default, and not start with the kube- or openshift- prefix.
    Tip: For example, you might call your QRadar EDR namespace edr.
  2. Create a secret for the Docker registry.
    1. Go to Workloads > Secrets and ensure that the Project is set to the namespace that you created.
    2. Click Create, select Image pull secret, and set the following parameters for the secret.
      Table 2. IBM Entitlement Registry secret parameters
      Parameter                  Value
      Secret Name                ibm-entitlement-key
      Authentication Type        Image Registry Credentials
      Registry Server Address    cp.icr.io
      Username                   cp
      Password                   Your IBM Entitled Registry key.
    3. Click Create to create the secret.
  3. If you are using your own domain and certificates, create a TLS secret.
    1. Go to Workloads > Secrets and ensure that the Project is set to the namespace that you created.
    2. Click Create and select Key/value secret.
    3. Set the secret name to isc-ingress-default-secret.
    4. If you are using custom or self-signed certificates, add a key that is called ca.crt and upload the CA file as the value.
    5. Add a key called tls.crt and upload the TLS certificate as the value.
    6. Add a key called tls.key and upload the TLS key as the value.
    7. Click Create to create the TLS secret.
  4. Install the IBM Operator catalog source.
    1. Click the plus sign icon (+) in the Red Hat OpenShift Console.
    2. Paste the following text into the Import YAML field.
      apiVersion: operators.coreos.com/v1alpha1
      kind: CatalogSource
      metadata:
          name: ibm-operator-catalog
          namespace: openshift-marketplace
      spec:
          displayName: ibm-operator-catalog
          publisher: IBM Content
          sourceType: grpc
          image: icr.io/cpopen/ibm-operator-catalog
          updateStrategy:
              registryPoll:
                  interval: 45m
    3. Click Create.
  5. Verify that the pod is running in the openshift-marketplace namespace.
    1. Go to Workloads > Pods.
    2. Ensure that the Project is set to the openshift-marketplace namespace.
      Tip: You might need to toggle Show default projects to the on position to see the openshift-marketplace namespace.
    3. Search for ibm-operator-catalog.
    4. Verify that the pod is in the Running state.
  6. Install the IBM Security QRadar EDR operator.
    1. Go to Operators > OperatorHub.
    2. Search for QRadar EDR and click the IBM Security QRadar EDR tile in the search results.
    3. Click Install.
    4. In the Update Channel section, select the 3.12 channel.
    5. In the Installation Mode section, select the All namespaces on the cluster option to install the operator to all namespaces, or the A specific namespace on the cluster option to install the operator to a single namespace.
    6. In the Installed Namespace section, if you chose the A specific namespace option, select the namespace where you created your IBM Entitlement Registry secret. If you chose the All namespaces option, select the openshift-operators option.
    7. Select the Automatic approval strategy.
    8. Click Install to install the IBM Security QRadar EDR operator.
  7. Install QRadar EDR.
    1. Set the Project to the <qradar_edr_namespace> namespace that you created in step 1 and go to Operators > Installed Operators.
    2. In the list of installed operators, click IBM Security QRadar EDR.
    3. On the Details tab, click Create instance on the QRadar EDR card.
      Warning: Do not rename the instance.
    4. Review the license agreement and accept the license.
    5. Expand the Basic Deployment Configuration section and enter the admin user in the Admin User field.
    6. If you are using your own domain, enter your FQDN in the Domain field.
    7. Expand the Extended Deployment Configuration section and enter values for the type of QRadar EDR license you have acquired in the License Type field and set an appropriate size in the Deployment Size field. You can also configure the following parameters.
      Table 3. QRadar EDR installation parameters

      Parameter: clusterProxy
        Description: If you are installing in a cluster that is using a cluster-wide proxy, set to true. If you are not installing in a cluster that is using a cluster-wide proxy, set to false. Cluster-wide proxy is not supported in a disconnected environment.
        Do you need to update this parameter? No, unless you are installing in a cluster that is using a cluster-wide proxy. For more information, see Configuring a cluster-wide HTTPS proxy.

      Parameter: deploymentSize
        Description: The size of deployment is small, medium, large, 10k, or 15k. For more information about choosing the cluster size, see Hardware requirements.
        The event volume might not be exact when you are installing the product, so select the estimated size of the deployment based on the general number of endpoints.
        The following list shows the estimated deployment size settings that you can use depending on the number of endpoints you have.
          • small - up to 1k endpoints.
          • medium - up to 3k endpoints.
          • large - up to 5k endpoints.
          • 10k - up to 10k endpoints.
          • 15k - up to 15k endpoints.

      Parameter: licenseType
        Description: The type of QRadar EDR license you acquired. Must be one of:
          Enterprise
            Select this license type when IBM Security QRadar EDR Enterprise was purchased and the system is not being deployed in MSSP mode.
          Pro
            Select this license type when IBM Security QRadar EDR was purchased and the system is not being deployed in MSSP mode.
          MSSP-Pro
            Select this license type when IBM Security QRadar EDR was purchased and the system is being deployed in MSSP mode.
          MSSP-Enterprise
            Select this license type when IBM Security QRadar EDR Enterprise was purchased and the system is being deployed in MSSP mode.
        Note: MSSP mode is a multi-tenant instance that allows strict customer (tenant) separation. MSSP admins can granularly handle each tenant and assign user roles and policies that fit each tenant's needs.
        Do you need to update this parameter? Yes
    8. Click Create to start installation.
      Important: Installation takes approximately 30 minutes.
  8. Verify the installation.
    1. If you installed the operator in All namespaces mode, set the Project to openshift-operators and go to Operators > Installed Operators. If you installed it to A specific namespace, set the Project to that namespace and go to Operators > Installed Operators.
    2. In the list of installed operators, click IBM Security QRadar EDR.
    3. On the EDR tab, select the edr instance.
      On the Details page, the following message is displayed in the Conditions section when installation is complete.
      IBM Security QRadar EDR Deployment is successful.
  9. Log in to your QRadar EDR Dashboard as the initial admin user.
    1. To retrieve the URL for your QRadar EDR Dashboard, go to Networking > Routes and ensure that the Project is set to the namespace that you created.
    2. Go to Workloads > Secrets and ensure that the Project is set to the namespace that you created.
    3. Search for reaqta-hive-maia-users-secret.
    4. To retrieve the initial admin login credentials, click Reveal Values in the Data section.
    5. In a web browser, go to your QRadar EDR Dashboard URL and log in with your initial admin credentials.
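
The following Python sketch is an added example, not part of the IBM procedure: it checks a namespace name against the step 1 criteria and audits an image pull secret for the Table 2 values without printing the key. The function names and the placeholder key are assumptions made for illustration; the secret layout is the standard Kubernetes kubernetes.io/dockerconfigjson format.

```python
import base64
import json
import re

REGISTRY, USERNAME, SECRET_NAME = "cp.icr.io", "cp", "ibm-entitlement-key"  # Table 2
NS_RE = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?")

def namespace_problems(name):
    """Return the step 1 naming criteria that `name` violates (empty list = OK)."""
    problems = []
    if not NS_RE.fullmatch(name):
        problems.append("use lowercase alphanumerics or '-', alphanumeric at both ends")
    if name == "default" or name.startswith(("kube-", "openshift-")):
        problems.append("reserved name or prefix")
    return problems

def build_pull_secret(namespace, entitlement_key):
    """Build a kubernetes.io/dockerconfigjson Secret carrying the Table 2 values."""
    auth = base64.b64encode(f"{USERNAME}:{entitlement_key}".encode()).decode()
    config = {"auths": {REGISTRY: {"username": USERNAME,
                                   "password": entitlement_key, "auth": auth}}}
    encoded = base64.b64encode(json.dumps(config).encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret",
            "type": "kubernetes.io/dockerconfigjson",
            "metadata": {"name": SECRET_NAME, "namespace": namespace},
            "data": {".dockerconfigjson": encoded}}

def pull_secret_problems(secret):
    """Audit a Secret object (parsed JSON) without echoing the key itself."""
    problems = []
    if secret.get("metadata", {}).get("name") != SECRET_NAME:
        problems.append("secret is not named " + SECRET_NAME)
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        return problems + ["secret is not an image pull secret"]
    try:
        raw = secret["data"][".dockerconfigjson"]
        entry = json.loads(base64.b64decode(raw))["auths"].get(REGISTRY)
    except (KeyError, TypeError, ValueError, AttributeError):
        return problems + [".dockerconfigjson is missing or malformed"]
    if entry is None:
        problems.append("no credentials for " + REGISTRY)
    elif entry.get("username") != USERNAME or not entry.get("password"):
        problems.append("username must be 'cp' and the password must be set")
    return problems

# Constructed sample: the key is a placeholder, not a real entitlement key.
SAMPLE = build_pull_secret("edr", "PLACEHOLDER-ENTITLEMENT-KEY")
```

Pass pull_secret_problems the parsed JSON of the secret exported from the cluster; an empty list means the registry address, username, and password fields match what step 2 requires.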

What to do next

Sign up for IBM My Notifications to receive notifications of new patches, fix packs, or other feature updates from IBM Support by completing the instructions in technote 6579103.