Carbon Black EDR (formerly Cb Response)Carbon Black Hosted EDR (formerly Cb Response Cloud)
Issue/Introduction
To migrate sensors from Hosted EDR (HEDR) to an On-prem EDR solution.
Environment
Hosted EDR: 7.8.0
EDR: 7.8.0
Resolution
The HEDR certificates, watchlists and sensors will migrate. The older data (cbevents, binaries, etc) do not migrate.
The overall procedure to migrate to On-prem EDR:
Contact the Account Manager or MSSP for the HEDR instance. If the Account Manager is not accessible, notify CB Support. The Account Manager is expected to: a. Set up a new record for on-prem EDR instance. b. Generate a new RPM required for installation. c. Discuss the opportunity for Professional Services to perform the migration (Quick and easy).
Open a Support Case to obtain: a. The certificates. These are essential for sensor migration. b. The watchlists & optionally a Watchlist Report. The watchlists should be exported using cbapi. The Watchlist Report contains hints to improve accuracy and performance. c. Average documents ingested per day in HEDR for this instance. This value should be used to calculate the resources needed for an On-prem EDR.
Install the RPM on the On-prem Primary EDR server. Save the RPM, it contains the license and alliance certificates which are unique for each organization.
Backup the certificates created by the EDR install.
cp -pr /etc/cb/certs /root/
The on-prem EDR requires a) carbonblack-alliance-client* key pair from step #6 and b) HEDR key pairs for cb-server, cb-client, cb-redis and cb-redis-ca. Place the HEDR bkup file from the Support Case into the /tmp/ directory on the Standalone or Primary On-prem EDR server. Restore the HEDR certificates onto the on-prem EDR server. This automatically moves the current on-prem certs to a subdirectory named /etc/cb/certs/orig.<date>.
/usr/share/cb/cbssl restore --in=/tmp/<CB alias>.certs.bkup
<enter the password provided by CB Support>
Move the correct Alliance certificate key pair (from Step 6) back to the /etc/cb/certs directory.
Confirm the certificates are correct (this is important to smoothly migrate the sensors). The hash for cb-server, cb-client, cb-redis and cb-redis-ca should match the certhash file, that came with the bkup file. The carbonblack-alliance-client md5 should NOT match the certhash file.
Check the Alliance certificates' level of security. If the Alliance certs are using SHA1 algorithm, request CB Support provide the updated SHA256 Alliance certificate pair.
Select a HEDR Sensor Group to migrate to the On-prem EDR, then create an On-prem EDR group to match.
Modify the HEDR's Sensors > Group > variable Server URL to the On-prem EDR server name. (Use HTTPS and the correct port.)
Repeat 13 & 14 until the groups have migrated.
Additional Information
Solr and Postgres data cannot be migrated to the On-prem EDR. The events, binary collection, user accounts, etc would start fresh on the new On-prem EDR.
The watchlists can alternatively be provided in a CSV file that would need to be manually added to the On-prem EDR.