IBM Security QRadar

  • 1.  IBM Security EDR (ReaQta) Advice

    Posted Tue February 13, 2024 10:33 AM

    Hi,

    I am currently testing out ReaQta SaaS and I have a few questions. 

    I've noticed that when installing ReaQta, there are no attempts from ReaQta to take over as the primary EDR as I don't see any information on it in the Windows Security Settings. However, I do know the agent is installed successfully on my test machine as I can see it in the installed apps and on the ReaQta Dashboard. 

    My questions are: Is this expected behaviour or should I be seeing it as a registered EDR in Windows Security? 

    I also know that ReaQta is a behaviour-based EDR too, and the general consensus is not to run simultaneous EDRs to ensure there aren't conflicts, but I'm unsure if that's the case for behaviour-based EDRs too. In that case, should I disable Windows Defender or is it okay to put it in passive mode? 

    Any advice is appreciated.

    Kind Regards,

    Iqra



    ------------------------------
    Iqra Haq
    ------------------------------


  • 2.  RE: IBM Security EDR (ReaQta) Advice

    Posted Wed February 14, 2024 01:24 PM

    I've pinged a few people looking for advice on this post. Stay tuned. 



    ------------------------------
    Jonathan Pechta
    IBM Security - Community of Practice Lead
    jonathan.pechta1@ibm.com
    ------------------------------



  • 3.  RE: IBM Security EDR (ReaQta) Advice

    Posted Thu February 15, 2024 09:00 AM

    Hi Iqra,

    Giuseppe Bonfa here, ReaQta co-founder and tech lead for support.
    Below are my answers.


    > Is this expected behaviour or should I be seeing it as a registered EDR in Windows Security?
    Yes, this is the expected behavior. ReaQta is not yet in the Windows Security product list; this implies that in future, once Microsoft adds it, Microsoft Defender will automatically switch off.

    > I also know that ReaQta is a behavioural based EDR too and the general consensus is not to run simultaneous EDRs to ensure there aren't conflicts but I'm unsure on if that's the case for behaviour based EDRs too.

    This applies to ReaQta as well: multiple EDRs on the same endpoint might introduce instability, performance degradation and odd behaviors, since both act at a very low level.

    > In that case, should I disable Windows Defender or is it okay to put it in passive mode?

    Microsoft Defender can stay on as an added layer of detection; ReaQta is also able to receive the broadcasted AV events sent by Microsoft Defender, they are called AMSI (Anti-Malware Scan Interface).

    I hope the above replies clarify your doubts; please don't hesitate to reach out in case of further questions.

    Kind Regards,
    Giuseppe



    ------------------------------
    Giuseppe Bonfa
    ------------------------------



  • 4.  RE: IBM Security EDR (ReaQta) Advice

    Posted 4 days ago

    Giuseppe

    Are you saying Windows Defender alerts can be picked up and reported by ReaQta? Can you elaborate on this? Thank you.

    > In that case, should I disable Windows Defender or is it okay to put it in passive mode?

    > Microsoft Defender can stay on as an added layer of detection, ReaQta is also able to receive the broadcasted AV events sent by Microsoft Defender, they are called AMSI (Anti-Malware Scan Interface).

    Thank you in advance

    John



    ------------------------------
    John Northover
    ------------------------------



  • 5.  RE: IBM Security EDR (ReaQta) Advice

    Posted 4 days ago

    Hi John,

    You are welcome.
    In this case, not the alerts but more specifically the AMSI events (Antimalware Scan Interface (AMSI) - Win32 apps | Microsoft Learn). These are special events triggered by Defender when suspicious scripts are analyzed by Defender; the analysis is sent to all the registered products (basically, Microsoft Defender acts as a source of data). 

    These events are recorded by QRadar EDR and can be searched; they are not (yet) exportable as events, but they are included in the EDR alerts and can also be used to create DeStra (Detection Strategy) policies. Alerts and DeStra-related events can be retrieved via the QRadar EDR and imported into a SIEM or any other aggregator.

    My suggestion is to keep Microsoft Defender active as it is; in this way you can both leverage AMSI enrichment events and have an additional layer of security.

    Hope this helps

    Kind Regards,
    Giuseppe



    ------------------------------
    Giuseppe Bonfa
    ------------------------------
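    The following is an added example, not code from this thread, from IBM or from ReaQta: a read-only PowerShell check of the three things discussed in posts 3 and 5, namely which products are registered with Windows Security, whether Microsoft Defender is running in active or passive mode, and which AMSI providers are registered to receive Defender's scan events. It assumes an elevated session on a Windows 10/11 client where the root/SecurityCenter2 WMI namespace exists (it is absent on Windows Server) and that the productState decoding below, which is a community convention rather than a documented API, is accurate.

```powershell
# Added example (not from the thread, IBM or ReaQta). Read-only inventory of
# Windows Security registrations, Defender's mode, and AMSI providers.
# Assumes: elevated PowerShell on a Windows 10/11 client with root/SecurityCenter2.

# 1. Products registered with Windows Security (what the Windows Security UI lists).
# productState is an undocumented bit field; this decoding is the community
# convention: 0x1 in the 0xF000 nibble = enabled, non-zero low byte = stale signatures.
function Get-RegisteredAvProducts {
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            [pscustomobject]@{
                Product      = $_.displayName
                Enabled      = (($_.productState -band 0xF000) -eq 0x1000)
                SignaturesOk = (($_.productState -band 0xFF) -eq 0)
                RawState     = ('0x{0:X6}' -f $_.productState)
            }
        }
}

# 2. Defender's own view: active, passive, or off. AMRunningMode is only
# reported by recent Defender platform versions, so it is read defensively.
function Get-DefenderMode {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        AMServiceEnabled   = $s.AMServiceEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        RunningMode        = if ($s.PSObject.Properties['AMRunningMode']) { $s.AMRunningMode } else { 'n/a' }
    }
}

# 3. AMSI providers registered on the host: the consumers of the scan events
# discussed above. Each subkey is a CLSID; its friendly name lives under HKCR.
function Get-AmsiProviders {
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $clsid = $_.PSChildName
            $name  = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{ CLSID = $clsid; Provider = $name }
        }
}

'== Products registered with Windows Security =='; Get-RegisteredAvProducts | Format-Table -AutoSize
'== Microsoft Defender status ==';                  Get-DefenderMode         | Format-List
'== Registered AMSI providers ==';                  Get-AmsiProviders        | Format-Table -AutoSize
```

    If only Microsoft Defender appears in the first table while the agent is installed, that matches the behaviour described in post 3: the agent is present but not registered as a Windows Security antivirus product, so Defender stays active rather than switching itself off.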



  • 6.  RE: IBM Security EDR (ReaQta) Advice

    Posted 4 days ago

    Giuseppe

    I appreciate your prompt reply. I was told by support that a fix is in the pipeline and wonder if any ETA has been communicated.

    Thank you 

    John 



    ------------------------------
    John Northover
    ------------------------------



  • 7.  RE: IBM Security EDR (ReaQta) Advice

    Posted 3 days ago

    Hi John,

    You are welcome!
    As far as I am aware, the ETA has not been communicated yet.

    Kind Regards,
    Giuseppe



    ------------------------------
    Giuseppe Bonfa
    ------------------------------