How to Deploy Open EDR

melih · November 21, 2022, 12:38pm

Need help with EDR ?
Please post here, we’ll get our team help you as soon as possible.

saarkazm · November 21, 2022, 5:52pm

Hello,
Registering account, instaling step by step.
Information from Log details :
Xcitium Endpoint Detection and Response v. 2.5.0.40 MSI Installation failed to install. Unsupported OS version
I have MS Windows 10 Professional 22H2 (19045.2311).
What am i doing wrong ?

Best regards
Saar

ozer · November 21, 2022, 7:25pm

Hello,

We are not “officially” supporting 22H2 version yet. We are testing compatibility right now and we will officially support in December release.

asg100 · December 7, 2022, 1:18pm

Hello,

Since 22H2 is not supported yet, is there any way to get the older version of EDR client from the Xcitium Dragon Platform portal? So that I can evaluate.

Thanks
asg

ozer · December 7, 2022, 1:29pm

Yes you can change which version do you want to download from here:

Btw our tests are completed and no issues found with the compatibility. We will enable support for Win22H2 tomorrow (12/08/2022)

asg100 · December 8, 2022, 3:55am

That’s Great. Thanks for the response.

p.lio · December 12, 2022, 12:44pm

Can i deploy openEDR in my own environment, if yes, on which OS is it supported?

melih · December 12, 2022, 12:46pm

Win22H2 is the latest …

let us know how it goes please.

p.lio · December 12, 2022, 1:13pm

I didn’t mean the endpoints, but the server that will host the Xcitium platform. I have currently deployed openEDR as a Cloud Platform but now I want to store all the information
locally(without any outside interaction) and I was wondering if I can deploy this platform on my own server? I found a github repo but it was marked as old so I wanted to clarify if it is still valid?
If so, in which OS can I deploy it to (ubuntu, centos, etc)?

melih · December 12, 2022, 1:23pm

for that you need to setup ELK so that you can store it locally.

Or are you saying you want to use the Xcitium platform to manage it, but push the data to somewhere else (locally)?

p.lio · December 12, 2022, 1:38pm

yes I meant ELK setup, I looked through the repository but found it a bit confusing, while some of the instructions were done on linux and some on windows, so can i deploy it on centos or ubuntu? And also, if I deploy it like this,it can work in a closed network segment without any external connection(if network will not have access to the internet), right?

ozer · December 12, 2022, 5:48pm

yes we can setup forwarders to export EDR data we collect to any of your cloud storage. The export can be either in CSV, JSON, Avro or Parquet formats.

We do not support Linux yet but we are working on it. 2023 Q1 we will have Linux EDR too.

ozer · December 12, 2022, 8:26pm

If you want to install ELK on your environment, you can use Docker (either on Windows or Linux) to deploy it. The agents only supports Windows currently but this way will enable you to deploy EDR in a closed network segment too.

But please note that, you can not use any of the Platform capabilities. You need to deploy, update the agents and manage the logs yourself. Plus since EDR can not access our Verdict Cloud + Threat Intels, you will lose that functionality too.

p.lio · December 14, 2022, 7:44pm

Isn’t it an open source project? It turns out there is no way to deploy openEDR using your web platform for management?

ozer · December 14, 2022, 9:51pm

If you want to install it locally without web platform : here is the instructions

github.com

ComodoSecurity/openedr/blob/main/getting-started/InstallationInstructions.md

# Installation Instructions
OpenEDR is a single agent that can be installed on Windows endpoints. It generates extensible telemetry data for overall security-relevant events. It also uses file lookup, analysis, and verdict systems from Comodo, https://valkyrie.comodo.com/. You can also have your own account and free license there.

The telemetry data is stored locally on the endpoint itself. You can use any log streaming solution and analysis platform. Here we will present, how can you do remote streaming and analysis via open source tools like Elasticsearch ELK and Filebeat.

## OpenEDR:
OpenEDR project will release installer MSI’s signed by Comodo Security Solutions, The default installation folder is C:\Program Files\OpenEdr\EdrAgentV2

The agent outputs to C:\ProgramData\edrsvc\log\output_events by default, there you will see the EDR telemetry data where you should point this to Filebeat or other log streaming solutions you want. Please check following sections for details

## Docker and Docker Compose:
Docker is widely known virtualizon method for almost all environments you can use use docker for installing Elasticsearch and Log-stash to parse and more visibiltiy we used Docker to virtualize and make an easy setup process for monitoring our openedr agent. You can visit and look for more details and configure from https://github.com/docker


## Logstash:
Logstash is an open-source data ingestion tool that allows you to collect data from a variety of sources, transform it, and send it to your desired destination. With pre-built filters and support for over 200 plugins, Logstash allows users to easily ingest data regardless of the data source or type. We used Logstash to simplify our output to elasticsearch for more understandable logs and easily accessible by everyone who uses openedr and this example. You may visit and configure your own system as well https://github.com/elastic/logstash

## Elasticsearch:
There are multiple options to run Elasticsearch, you can either install and run it on your own machine, on your data center, or use Elasticsearch service on public cloud providers like AWS and GCP. If you want to run Elasticsearch by yourself. You can refer to here for installation instructions on various platforms https://www.elastic.co/guide/en/elasticsearch/reference/current/install-elasticsearch.html

This file has been truncated. show original

Teo · January 16, 2023, 9:31pm

Hi @ozer

My company is looking to implement this solution for a SOC for our clients and I’m starting to test it locally following the instructions. Are there any limitations as to the amount of machines that send their data to the Elastic Search installations?

I’d really appreciate your take. Thank you.

ozer · January 16, 2023, 10:57pm

For production deployments , I would suggest to install Elastic on 3 machines as cluster (1 master , 2 data) and 2 for Kibana , 2 for logstash. Of course for initial deployment you can start with 3 only.

I would suggest 64 GB of RAM on Elastic nodes where 16/32 will be enough for Kibana and Logstash
8 vCPU is good , 16 vCPU is better of course. Total disk size will depend on how much log retention you want. Please note that it also depends on replicas and sharding too.

The telemetry data volume will depend on your policy but on average 1 agent will generate 1000-5000 events per day. Each raw event is app. 1 KB (uncompressed) , so 1 day of collection will be 2MB (2000 event per day) per endpoint. You can calculate your disk requirements based on the data retention you want.

melih · January 16, 2023, 11:00pm

You can also use OpenEDR within Xcitium platform as another option.

mdiorio · January 18, 2023, 6:41pm

I’m a bit confused by this platform. Is OpenEDR hosted in the Xcitium web platform a completely free solution, or is it just the OpenEDR client the free solution that you have to attempt to roll your own hosting platform and create your own dashboards and drill downs, etc?

This feels very much similar to Wazuh, but that provides both the client and the server for you to host yourself as a complete package.

ozer · January 18, 2023, 11:59pm

Wazuh is a package that combines OSSEC and OSQuery on agent and ELK on Server. They don’t have an EDR agent or similar capability to what we call as an EDR. Instead they just install ossec and osquery agents and communicate back to management portal. They do not have any rules other than OSSEC rules, which are not EDR but HIDS. You also need to deploy all those server components separately and manage them yourself. OSSEC does its monitoring functionality using sysmon only. You need to install that too on top. It has no protection against detection and unloading sysmon drivers. Many malware families can evade sysmon only monitoring in our experience.

OpenEDR is a full blown EDR agent, like you would find in commercial products like Crowdstrike and Sentinelone, and we believe OpenEDR is even better than what you pay for commercial ones in our view. It has its own hooking and low level I/O filter drivers. It can construct full process execution tree and combines those with process/registry/file monitoring events. You can manage the telemetry collection by Adaptive Event policies and also can extend it with alerting rules. While with Wazuh you are limited to filter by Sysmon Event IDs by Ossec Rules, OpenEDR gives you extensive filter and collection rules. These rules can be managed dynamically with our Platform. OpenEDR also uses Xcitium Valkyrie to get verdicts to any unknown files using Cloud Sandboxing and Verdict Engine, which is priceless, because you no longer have to analyze files, it gets done for you, for free (there is no such capability in Wazuh either). OpenEDR will also introduce Blocking Rules so that you can have auto-response capability in next 3 months.

How you can manage this agent comes in two flavors:
1)Setup your own ELK stack: This is very similar with Wazuh deployment scenario, you need to manage full cluster as well as deal with endpoint management distribution etc.
2)Use Free Xcitium Platform: SaaS based fully managed for you. It comes with full capability Endpoint Manager to deploy & distribute our agents, update them, manage other packages, remote desktop etc. (pretty powerful)…