HEDR: Migrating Hosted EDR to On-prem EDR
Article ID: 287627

Products

Carbon Black EDR (formerly Cb Response) Carbon Black Hosted EDR (formerly Cb Response Cloud)

Issue/Introduction

To migrate sensors from Hosted EDR (HEDR) to an On-prem EDR solution.

Environment

  • Hosted EDR: 7.8.0
  • EDR: 7.8.0

Resolution

The HEDR certificates, watchlists and sensors will migrate. The older data (cbevents, binaries, etc.) does not migrate.

The overall procedure to migrate to On-prem EDR:

1.  Contact the Account Manager or MSSP for the HEDR instance. Please let Support know if you need the Account Manager's contact information.
     The Account Manager is expected to:
     a. Set up a new record for the on-prem EDR instance.
     b. Generate the new RPM required for installation.
     c. Discuss the option of having Professional Services perform the migration (the quickest and simplest route).

2.  Open a Support Case to obtain:
     a. The certificates. These are essential for sensor migration.
     b. The watchlists and, optionally, a Watchlist Report. The watchlists should be exported using cbapi. The Watchlist Report contains hints to improve accuracy and performance.
     c. The average number of documents ingested per day in HEDR for this instance. This value should be used to calculate the resources needed for the On-prem EDR.

3.  Determine the correct sizing for the On-prem EDR.  This is based on the average documents ingested per day and the Operational Environment Requirements (OER).

4.  Install the RPM on the On-prem Primary EDR server.

5.  Back up the certificates that the RPM created.
     tar -cvf /root/certificates-orig.tar /etc/cb/certs

6.  Place the HEDR certificates from the Support Case in /etc/cb/certs/ on the Standalone or Primary On-prem EDR server.
     rm -f /etc/cb/certs/*   (removes the certificate files that came with the RPM; the directory itself stays)
     tar -xvf <instance-name>.certs.tar   (places the HEDR certs in /etc/cb/certs/)

7.  Fix the ownership and permissions on the /etc/cb/certs directory.
     chown -R root:cb /etc/cb/certs
     chmod 755 /etc/cb/certs
     chmod 644 /etc/cb/certs/*.crt
     chmod 640 /etc/cb/certs/*.key
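Steps 5 to 7 combined into one function, followed by a permission check worth running before step 8. This is an added example, not part of the article or the Carbon Black product; the paths, the archive layout (certificate files at the top level of the tar) and the owner parameter are assumptions, and the demo uses constructed files in a scratch directory.

```sh
#!/bin/sh
# Added example: stage the HEDR certificates and fix permissions (article steps 5-7).
# Defaults follow the article; all paths are parameters so it can be dry-run safely.
stage_hedr_certs() {
    cert_dir="$1"    # normally /etc/cb/certs
    archive="$2"     # <instance-name>.certs.tar from the Support Case
    backup="$3"      # normally /root/certificates-orig.tar
    owner="${4:-root:cb}"   # overridable only so the dry run works as a normal user

    # Step 5: keep a copy of the RPM-generated certificates before replacing them.
    tar -cf "$backup" -C "$(dirname "$cert_dir")" "$(basename "$cert_dir")" || return 1

    # Step 6: remove the RPM cert files (not the directory), then unpack the HEDR certs.
    # Assumption: the archive stores the files at its top level.
    rm -f "$cert_dir"/*
    tar -xf "$archive" -C "$cert_dir" || return 1

    # Step 7: ownership and modes exactly as the article gives them.
    chown -R "$owner" "$cert_dir" || return 1
    chmod 755 "$cert_dir"
    chmod 644 "$cert_dir"/*.crt
    chmod 640 "$cert_dir"/*.key
}

# Returns 0 only if the directory is 0755, every .crt is 0644 and every .key is 0640.
check_cert_perms() {
    cert_dir="$1"
    [ -d "$cert_dir" ] || return 1
    bad=$( { find "$cert_dir" -prune ! -perm 755
             find "$cert_dir" -name '*.crt' ! -perm 644
             find "$cert_dir" -name '*.key' ! -perm 640; } | wc -l )
    [ "$bad" -eq 0 ]
}

# Constructed dry run: fake "RPM" and "HEDR" certs in a temp dir, no real material.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/certs" "$work/hedr"
    printf 'rpm cert\n' > "$work/certs/sample.crt";  printf 'rpm key\n'  > "$work/certs/sample.key"
    printf 'hedr cert\n' > "$work/hedr/sample.crt";  printf 'hedr key\n' > "$work/hedr/sample.key"
    chmod 666 "$work/hedr/sample.key"          # deliberately too open; step 7 must fix it
    tar -cf "$work/instance.certs.tar" -C "$work/hedr" .
    stage_hedr_certs "$work/certs" "$work/instance.certs.tar" "$work/certs-orig.tar" \
        "$(id -un):$(id -gn)" || return 1
    grep -q hedr "$work/certs/sample.crt" || return 1   # HEDR certs replaced the RPM ones
    tar -tf "$work/certs-orig.tar" | grep -q 'certs/sample.crt' || return 1   # backup exists
    check_cert_perms "$work/certs"
}
```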

8.  Install EDR (cb-enterprise) using the new certificates.

9. Initialize the EDR server.

10.  Add minions as needed to meet OER.

11. Import the watchlists using cbapi.

12. Start the On-prem EDR.
Standalone:
     systemctl start cb-enterprise
Cluster:
     /usr/share/cb/cbcluster start

13. Select a HEDR Sensor Group to migrate to the On-prem EDR, then create an On-prem EDR group to match.

14. In HEDR, go to Sensors > Group and change the group's Server URL to the On-prem EDR server name. (Use HTTPS and the correct port.)

15. Repeat steps 13 and 14 until all groups have migrated.

Additional Information

  • Solr and Postgres data cannot be migrated to the On-prem EDR. The events, binary collection, user accounts, etc. start fresh on the new On-prem EDR.
  • The watchlists can alternatively be provided in a CSV file, which would then need to be added to the On-prem EDR manually.