How to Deploy Open EDR

Need help with EDR ?
Please post here, we’ll get our team help you as soon as possible.

EDR Security

1 Like

Registering account, instaling step by step.
Information from Log details :
Xcitium Endpoint Detection and Response v. MSI Installation failed to install. Unsupported OS version
I have MS Windows 10 Professional 22H2 (19045.2311).
What am i doing wrong ?

Best regards


We are not “officially” supporting 22H2 version yet. We are testing compatibility right now and we will officially support in December release.

1 Like


Since 22H2 is not supported yet, is there any way to get the older version of EDR client from the Xcitium Dragon Platform portal? So that I can evaluate.


Yes you can change which version do you want to download from here:

Btw our tests are completed and no issues found with the compatibility. We will enable support for Win22H2 tomorrow (12/08/2022)

1 Like

That’s Great. Thanks for the response.

1 Like

Can i deploy openEDR in my own environment, if yes, on which OS is it supported?

Win22H2 is the latest …

let us know how it goes please.

I didn’t mean the endpoints, but the server that will host the Xcitium platform. I have currently deployed openEDR as a Cloud Platform but now I want to store all the information
locally(without any outside interaction) and I was wondering if I can deploy this platform on my own server? I found a github repo but it was marked as old so I wanted to clarify if it is still valid?
If so, in which OS can I deploy it to (ubuntu, centos, etc)?

for that you need to setup ELK so that you can store it locally.

Or are you saying you want to use the Xcitium platform to manage it, but push the data to somewhere else (locally)?

yes I meant ELK setup, I looked through the repository but found it a bit confusing, while some of the instructions were done on linux and some on windows, so can i deploy it on centos or ubuntu? And also, if I deploy it like this,it can work in a closed network segment without any external connection(if network will not have access to the internet), right?

yes we can setup forwarders to export EDR data we collect to any of your cloud storage. The export can be either in CSV, JSON, Avro or Parquet formats.

We do not support Linux yet but we are working on it. 2023 Q1 we will have Linux EDR too.

If you want to install ELK on your environment, you can use Docker (either on Windows or Linux) to deploy it. The agents only supports Windows currently but this way will enable you to deploy EDR in a closed network segment too.

But please note that, you can not use any of the Platform capabilities. You need to deploy, update the agents and manage the logs yourself. Plus since EDR can not access our Verdict Cloud + Threat Intels, you will lose that functionality too.

Isn’t it an open source project? It turns out there is no way to deploy openEDR using your web platform for management?

If you want to install it locally without web platform : here is the instructions

Hi @ozer

My company is looking to implement this solution for a SOC for our clients and I’m starting to test it locally following the instructions. Are there any limitations as to the amount of machines that send their data to the Elastic Search installations?

I’d really appreciate your take. Thank you.

For production deployments , I would suggest to install Elastic on 3 machines as cluster (1 master , 2 data) and 2 for Kibana , 2 for logstash. Of course for initial deployment you can start with 3 only.

I would suggest 64 GB of RAM on Elastic nodes where 16/32 will be enough for Kibana and Logstash
8 vCPU is good , 16 vCPU is better of course. Total disk size will depend on how much log retention you want. Please note that it also depends on replicas and sharding too.

The telemetry data volume will depend on your policy but on average 1 agent will generate 1000-5000 events per day. Each raw event is app. 1 KB (uncompressed) , so 1 day of collection will be 2MB (2000 event per day) per endpoint. You can calculate your disk requirements based on the data retention you want.

1 Like

You can also use OpenEDR within Xcitium platform as another option.

I’m a bit confused by this platform. Is OpenEDR hosted in the Xcitium web platform a completely free solution, or is it just the OpenEDR client the free solution that you have to attempt to roll your own hosting platform and create your own dashboards and drill downs, etc?

This feels very much similar to Wazuh, but that provides both the client and the server for you to host yourself as a complete package.

Wazuh is a package that combines OSSEC and OSQuery on agent and ELK on Server. They don’t have an EDR agent or similar capability to what we call as an EDR. Instead they just install ossec and osquery agents and communicate back to management portal. They do not have any rules other than OSSEC rules, which are not EDR but HIDS. You also need to deploy all those server components separately and manage them yourself. OSSEC does its monitoring functionality using sysmon only. You need to install that too on top. It has no protection against detection and unloading sysmon drivers. Many malware families can evade sysmon only monitoring in our experience.

OpenEDR is a full blown EDR agent, like you would find in commercial products like Crowdstrike and Sentinelone, and we believe OpenEDR is even better than what you pay for commercial ones in our view. It has its own hooking and low level I/O filter drivers. It can construct full process execution tree and combines those with process/registry/file monitoring events. You can manage the telemetry collection by Adaptive Event policies and also can extend it with alerting rules. While with Wazuh you are limited to filter by Sysmon Event IDs by Ossec Rules, OpenEDR gives you extensive filter and collection rules. These rules can be managed dynamically with our Platform. OpenEDR also uses Xcitium Valkyrie to get verdicts to any unknown files using Cloud Sandboxing and Verdict Engine, which is priceless, because you no longer have to analyze files, it gets done for you, for free (there is no such capability in Wazuh either). OpenEDR will also introduce Blocking Rules so that you can have auto-response capability in next 3 months.

How you can manage this agent comes in two flavors:
1)Setup your own ELK stack: This is very similar with Wazuh deployment scenario, you need to manage full cluster as well as deal with endpoint management distribution etc.
2)Use Free Xcitium Platform: SaaS based fully managed for you. It comes with full capability Endpoint Manager to deploy & distribute our agents, update them, manage other packages, remote desktop etc. (pretty powerful)…