Migration to Kaspersky Next XDR Expert
This section describes the migration of data to Kaspersky Next XDR Expert from Kaspersky Security Center Windows.
About migration from Kaspersky Security Center Windows
Following this scenario, you can transfer the administration group structure, included managed devices and other group objects (policies, tasks, global tasks, tags, and device selections) from Kaspersky Security Center Windows under management of Kaspersky Next XDR Expert.
Limitations:
- Migration is only possible from Kaspersky Security Center 14.2 Windows to Kaspersky Next XDR Expert starting from version 1.0.
- You can perform this scenario only by using Kaspersky Security Center Web Console.
Stages
The migration scenario proceeds in stages:
- Choose a migration method
You migrate to Kaspersky Next XDR Expert through the Migration wizard. The Migration wizard steps depend on whether or not Administration Servers of Kaspersky Security Center Windows and Kaspersky Next XDR Expert are arranged into a hierarchy:
- Migration by using a hierarchy of Administration Servers
Choose this option if Administration Server of Kaspersky Security Center Windows acts as secondary to Administration Server of Kaspersky Next XDR Expert. You manage the migration process and switch between Servers within OSMP Console. If you prefer this option, you can arrange Administration Servers into a hierarchy to simplify the migration procedure. To do this, create the hierarchy before starting the migration.
- Migration by using an export file (ZIP archive)
Choose this option if Administration Servers of Kaspersky Security Center Windows and Kaspersky Next XDR Expert are not arranged into a hierarchy. You manage the migration process with two Consoles—an instance for Kaspersky Security Center Windows and OSMP Console. In this case, you will use the export file that you created and downloaded during the export from Kaspersky Security Center Windows and import this file to Kaspersky Next XDR Expert.
- Export data from Kaspersky Security Center Windows
Open Kaspersky Security Center Windows, and then run the Migration wizard.
- Import data to Kaspersky Next XDR Expert
Continue the Migration wizard to import the exported data to Kaspersky Next XDR Expert.
If the Servers are arranged into a hierarchy, the import starts automatically after a successful export within the same wizard. If the Servers are not arranged into a hierarchy, you continue the Migration wizard after switching to Kaspersky Next XDR Expert.
- Perform additional actions to transfer objects and settings from Kaspersky Security Center Windows to Kaspersky Next XDR Expert manually (optional step)
You might also want to transfer the objects and settings that cannot be transferred through the Migration wizard. For example, you could additionally do the following:
- Configure global tasks of Administration Server
- Configure Network Agent policy settings
- Create installation packages of applications
- Create virtual Servers
- Assign and configure distribution points
- Configure device moving rules
- Configure rules for auto-tagging devices
- Create application categories
- Move the imported managed devices under management of Kaspersky Next XDR Expert
To complete the migration, move the imported managed devices under management of Kaspersky Next XDR Expert. You can do it by one of the following methods:
- Through Kaspersky Security Center group task
Use the Change Administration Server task to change the Administration Server to a different one for specific client devices.
- Through the klmover utility
Use the klmover utility and specify the connection settings for the new Administration Server.
- Through installation or re-installation of Network Agent on the managed devices
Create a new Network Agent installation package and specify the connection settings for the new Administration Server in the installation package properties. Use the installation package to install Network Agent on the imported managed devices through a remote installation task.
You can also create and use a stand-alone installation package to install Network Agent locally.
- Update Network Agent to the latest version
We recommend that you upgrade the Network Agent to the same version as OSMP Console.
- Make sure the managed devices are visible on the new Administration Server
On Kaspersky Next XDR Expert Administration Server, open the managed devices list (Assets (Devices) → Managed devices), and check the values in the Visible, Network Agent is installed, and Last connected to Administration Server columns.
Other methods of data migration
Besides the Migration wizard, you can also transfer specific tasks and policies:
- Export the task from Kaspersky Security Center Windows, and then import the tasks to Kaspersky Next XDR Expert.
- Export the policies from Kaspersky Security Center Windows, and then import the policies to Kaspersky Next XDR Expert. The related policy profiles are exported and imported together with the selected policies.
Exporting group objects from Kaspersky Security Center Windows
Migrating the administration group structure, included managed devices, and other group objects from Kaspersky Security Center Windows to Kaspersky Next XDR Expert requires that you first select data for exporting and create an export file. The export file contains information about all group objects that you want to migrate. The export file will be used for subsequent import to Kaspersky Next XDR Expert.
You can export the following objects:
- Tasks and policies of managed applications
- Global tasks
- Custom device selections
- Administration group structure and included devices
- Tags that have been assigned to migrating devices
Before you start exporting, read general information about migration to Kaspersky Next XDR Expert. Choose the migration method—by using or not using the hierarchy of Administration Servers of Kaspersky Security Center Windows and Kaspersky Next XDR Expert.
To export managed devices and related group objects through the Migration wizard:
- Depending on whether or not the Administration Servers of Kaspersky Security Center Windows and Kaspersky Next XDR Expert are arranged into a hierarchy, do one of the following:
- If the Servers are arranged into a hierarchy, open OSMP Console, and then switch to the Server of Kaspersky Security Center Windows.
- If the Servers are not arranged into a hierarchy, open Kaspersky Security Center Web Console connected to Kaspersky Security Center Windows.
- In the main menu, go to Operations → Migration.
- Select Migrate to Kaspersky Security Center Linux or Open Single Management Platform to start the wizard and follow its steps.
- Select the administration group or subgroup to export. Please make sure that the selected administration group or subgroup contains no more than 10,000 devices.
- Select the managed applications whose tasks and policies will be exported. Select only applications that are supported by Kaspersky Next XDR Expert. The objects of unsupported applications will still be exported, but they will not be operable.
- Use the links on the left to select the global tasks, device selections, and reports to export. The Group objects link allows you to exclude custom roles, internal users and security groups, and custom application categories from the export.
The export file (ZIP archive) is created. Depending on whether or not you perform migration with Administration Server hierarchy support, the export file is saved as follows:
- If the Servers are arranged into a hierarchy, the export file is saved to the temporary folder on OSMP Console Server.
- If the Servers are not arranged into a hierarchy, the export file is downloaded to your device.
For migration with Administration Server hierarchy support, the import starts automatically after a successful export. For migration without Administration Server hierarchy support, you can import the saved export file to Kaspersky Next XDR Expert manually.
Importing the export file to Kaspersky Next XDR Expert
To transfer information about managed devices, objects, and their settings that you exported from Kaspersky Security Center Windows, you must import it to Kaspersky Next XDR Expert.
To import managed devices and related group objects through the Migration wizard:
- Depending on whether or not the Administration Servers of Kaspersky Security Center Windows and Kaspersky Next XDR Expert are arranged into a hierarchy, do one of the following:
- If the Servers are arranged into a hierarchy, proceed to the next step of the Migration wizard after the export is completed. The import starts automatically after a successful export within this wizard (see step 2 of this instruction).
- If the Servers are not arranged into a hierarchy:
- Open OSMP Console.
- In the main menu, go to Operations → Migration.
- Select the export file (ZIP archive) that you created and downloaded during the export from Kaspersky Security Center Windows. The upload of the export file starts.
- After the export file is uploaded successfully, you can continue importing. If the Servers are not arranged into a hierarchy, you can specify another export file by clicking the Change link, and then selecting the required file.
- The entire hierarchy of administration groups of Kaspersky Next XDR Expert is displayed.
Select the check box next to the target administration group to which the objects of the exported administration group (managed devices, policies, tasks, and other group objects) must be restored.
- The import of group objects starts. You cannot minimize the Migration wizard and perform any concurrent operations during the import. Wait until the refresh icons next to all items in the list of objects are replaced with green check marks and the import finishes.
- When the import completes, the exported structure of administration groups, including device details, appears under the target administration group that you selected. If the name of the object that you restore is identical to the name of an existing object, the restored object has an incremental suffix added.
If in a migrated task the details of the account under which the task is run are specified, you have to open the task and enter the password again after the import is completed.
If the import has completed with an error, you can do one of the following:
- For migration with Administration Server hierarchy support, you can start to import the export file again. In this case, you have to select the administration group as described at step 3.
- For migration without Administration Server hierarchy support, you can start the Migration wizard to select another export file, and then import it again.
You can check whether the group objects included in the export scope have been successfully imported to Kaspersky Next XDR Expert. To do this, go to the Assets (Devices) section and make sure that the imported objects appear in the corresponding subsections.
Note that the imported managed devices are displayed in the Managed devices subsection, but they are invisible in the network and Network Agent is not installed and running on them (the No value in the Visible, Network Agent is installed, and Last connected to Administration Server columns).
To complete the migration, you need to switch the managed devices to be under management of Kaspersky Next XDR Expert as described at stage 5 in Migration to Kaspersky Next XDR Expert.
Switching managed devices to be under management of Kaspersky Next XDR Expert
After a successful import of information about managed devices, objects, and their settings to Kaspersky Next XDR Expert, you need to switch the managed devices to be under management of Kaspersky Next XDR Expert to complete the migration.
You can move the managed devices to be under Kaspersky Next XDR Expert by one of the following methods:
- Using the klmover utility.
- Using the Change Administration Server task.
- Installing Network Agent on the managed devices through a remote installation task.
To switch managed devices to be under management of Kaspersky Next XDR Expert by installing Network Agent:
- Remove Network Agent on the imported managed devices that will be switched under management of Kaspersky Next XDR Expert.
- Switch to Administration Server of Kaspersky Security Center Windows.
- Go to Discovery & deployment → Deployment & assignment → Installation packages, and then open the properties of an existing installation package of Network Agent.
If the installation package of Network Agent is absent in the package list, download a new one.
You can also create and use a stand-alone installation package to install Network Agent locally.
- On the Settings tab, select the Connection section. Specify the connection settings of Administration Server of Kaspersky Next XDR Expert.
- Create a remote installation task for imported managed devices, and then specify the reconfigured Network Agent installation package.
You can install Network Agent through Administration Server of Kaspersky Security Center Windows or through a Windows-based device that acts as a distribution point. If you use Administration Server, enable the Using operating system resources through Administration Server option. If you use a distribution point, enable the Using operating system resources through distribution points option.
- Run the remote installation task.
After the remote installation task finishes successfully, go to Administration Server of Kaspersky Next XDR Expert and ensure that managed devices are visible in the network, and that Network Agent is installed and running on them (the Yes value in the Visible, Network Agent is installed, and Network Agent is running columns).
About migration from KUMA
This section covers the migration from KUMA standalone to Kaspersky Next XDR Expert. Please note that the provided scenario refers to a situation, where you perform an initial Kaspersky Next XDR Expert installation along with the migration of existing KUMA standalone. If you already have a deployed instance of Kaspersky Next XDR Expert, you will not be able to migrate KUMA standalone with the respective data by following this scenario.
You must migrate data from KUMA 3.4. If you are using an earlier version, you have to update KUMA standalone up to 3.4, and then perform the migration to Kaspersky Next XDR Expert.
You can perform the migration for the following types of KUMA standalone deployment:
- Installation on a single server.
- Distributed installation.
- Distributed installation in a high availability configuration.
Migration implies two stages:
After you complete both stages, the transferred data and services are available. All services of KUMA standalone are configured for operating as a part of Kaspersky Next XDR Expert. Also, the transferred services are restarted.
What is transferred
- The /opt/kaspersky/kuma/core/data directory.
- The encryption key file /opt/kaspersky/kuma/core/encryption/key.
- The MongoDB base backup.
- Hierarchy of Kaspersky Security Center administration servers.
The administration servers that migrate to Kaspersky Next XDR Expert become bound to its root Administration Servers.
- Tenants.
The migrated tenants are registered in Kaspersky Next XDR Expert and become a child of the Root tenant. Each tenant belongs to an administration group in Kaspersky Next XDR Expert.
To migrate Kaspersky Security Center Administration Servers, domain users, and their roles, create a configuration file, and then set necessary parameters in this file.
- Binding of tenants to Kaspersky Security Center Administration Servers.
The secondary administration server of Kaspersky Security Center is registered in the corresponding service of the tenant settings of Kaspersky Security Center.
A link between a tenant and an Administration Server remains the same as it was in KUMA.
You can bind tenants only to physical Administration Servers. Binding tenants to virtual Administration servers is unavailable.
- Domain users.
For each domain with which the KUMA integration is configured, and whose users have assigned roles in KUMA tenants, you must run domain controller polling by using Administration Server.
- Roles.
After domain controller polling is finished and the domain users are migrated, these users are assigned XDR roles in Kaspersky Next XDR Expert and the right to connect to Kaspersky Security Center.
If the migrated users had the assigned roles in secondary administration server of Kaspersky Security Center, you have to assign to these users the same roles in the administration group of its root Administration Server.
If you manually assigned XDR roles and/or Kaspersky Security Center roles to the users before running the migrator, after migration is finished, the users are assigned new XDR roles in the tenant specified in the configuration file and the manually assigned XDR roles are deleted. Kaspersky Security Center roles are not overwritten.
- Integration with Kaspersky Security Center.
- Integration with LDAP and third-party systems remains available.
- Events.
- Assets.
- Resources.
- Active services
What is not transferred
- Alerts and incidents are not available in Kaspersky Next XDR Expert after migration. If you want to have original alerts and incidents at hand, we recommend that you restore KUMA backup on an individual host. This way, you will be able to perform a retrospective scanning.
- Dashboards are not transferred and remain available only in KUMA standalone in read-only mode. You will not be able to go to the related alerts.
- Integration with Active Directory (AD) and Active Directory Federation Services (ADFS).
Migrating KUMA standalone to Kaspersky Next XDR Expert
This article covers transferring data and services from KUMA standalone to Kaspersky Next XDR Expert.
After the migration is complete, all services of KUMA standalone are reconnected to KUMA Core under Kaspersky Next XDR Expert, and then the services are automatically restarted. KUMA standalone Core is not modified during migration, but if any services were installed on the same host as the KUMA standalone Core, the KUMA standalone Core may become unavailable, since the binary files are replaced during the course of the procedure.
To perform the migration from KUMA standalone to Kaspersky Next XDR Expert, complete the following stages:
- Preparing for migration.
- Creating a backup copy.
- Preparing the inventory file for migration.
- Migration.
Preparing for migration
Before you perform the migration, follow the steps:
- In KUMA standalone, generate a new token for a user who has rights to execute the /api/v1/system/backup request, and keep the token in a safe place. Later, you specify the new token to create a backup copy for KUMA standalone.
- Prepare the hosts for installation of Kaspersky Next XDR Expert:
- Verify that you opened the required ports.
- Verify that you have SSH root access to the target hosts of KUMA standalone and access from Kaspersky Next XDR Expert worker nodes to port TCP 7223 of the deployed KUMA standalone. If necessary, run the following command to grant SSH root access to the target hosts of KUMA standalone:
ssh-copy-id -i /home/xdr/.ssh/id_rsa.pub <user>@<ip_kuma>
The preparing for migration stage is complete.
Creating a backup copy for KUMA standalone
Create a backup for KUMA standalone and keep the backup in a safe place. You will be able to restore the instance of KUMA standalone and repeat the migration all over again. Otherwise, in case of a failure, KUMA Core may be corrupted and you will not be able to perform the migration.
Before you create a backup, verify that KUMA Core in Kaspersky Next XDR Expert has network access to API ports of KUMA standalone services.
Create the backup file for KUMA standalone and upload it on the target host:
curl -sS -k "https://<KUMA_standalone_core_FQDN>:7223/api/v1/system/backup" -H "Authorization: Bearer $(cat standalone_token)" --output kuma_standalone_backup.tar.gz
Where standalone_token is the token that you previously generated in KUMA standalone. You can also specify the token itself instead of $(cat standalone_token).
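An added example, not part of the product documentation: a POSIX shell check to run on the downloaded archive before it is copied to the target host and passed to the migration. The function names are hypothetical; --fail is added to the page's curl command so that an HTTP error response is not saved under the archive name.

```shell
#!/bin/sh
# Added example, not from the product documentation. Function names are hypothetical.

# fetch_backup CORE_FQDN TOKEN_FILE OUT
# Same request as the page's curl command, with --fail added so an HTTP error
# is reported instead of being written to OUT. -k is kept from the page's
# command; it turns off TLS certificate verification for this request.
fetch_backup() {
    ( umask 077   # the archive is created readable by its owner only
      curl -sS -k --fail "https://$1:7223/api/v1/system/backup" \
           -H "Authorization: Bearer $(cat "$2")" --output "$3" )
}

# sha256_of FILE -> prints the SHA-256 digest in lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_backup FILE [EXPECTED_SHA256]
# Returns 0 only if FILE is a non-empty gzip-compressed tar archive with at
# least one entry, and matches EXPECTED_SHA256 when that argument is given.
# Return codes: 1 missing/empty, 2 not gzip, 3 not a tar archive,
# 4 chmod failed, 5 digest mismatch.
check_backup() {
    file=$1
    expected=${2:-}

    [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 1; }

    # Without --fail, curl stores an error body (for example a 401 message)
    # under the output name, so test the content rather than the extension.
    gzip -t "$file" 2>/dev/null || { echo "not gzip data: $file" >&2; return 2; }
    entries=$(tar -tzf "$file" 2>/dev/null | wc -l | tr -d ' ')
    [ "$entries" -gt 0 ] || { echo "no tar entries: $file" >&2; return 3; }

    chmod 600 "$file" || return 4

    if [ -n "$expected" ]; then
        actual=$(sha256_of "$file")
        [ "$actual" = "$expected" ] || { echo "digest mismatch: $file" >&2; return 5; }
    fi
    return 0
}
```

Run check_backup once after the download and note the output of sha256_of; on the target host, pass that digest as the second argument to confirm the copy is intact.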
Preparing the inventory file for migration
Prepare the inventory file. In the inventory file, list all hosts that you use for services in KUMA standalone. The hosts must match in both inventory files: the one you used for KUMA standalone deployment and the one you are going to use for migration. If necessary, you can get the required information regarding hosts in KUMA standalone, in Resources → Active services section.
If you want to expand the infrastructure and deploy KUMA services while performing the migration, make sure that you specify the additional hosts in the inventory file, and that the designation of hosts that you listed for migration in the inventory file remains unchanged.
The path to the inventory file that you prepared is specified in the multinode.smp_param.yaml or singlenode.smp_param.yaml file in the inventory parameter.
When preparing the inventory file, verify that you observe the following conditions:
- In the kuma_utils group of parameters, specify hosts with services. Also, in this group of parameters, if you want to expand the infrastructure along with the migration, you can specify new hosts where KUMA services will be deployed.
- For all hosts, specify both FQDN and IP address.
- Skip the kuma_core section.
- In the all group of parameters, avoid changing the ansible_connection and ansible_user variables, since the variables correspond to the user and the type of connection used for invocation image.
- In the kuma group of parameters, the ansible_connection and ansible_user variables must correspond to the user who performs the installation on the remote hosts. For details about inventory file, users, and rights, refer to KUMA help.
- If DNS resolves all names, you can specify false for the generate_etc_hosts parameter or skip the generate_etc_hosts parameter.
Sample of the inventory.yaml with KUMA standalone services installed on a single host
Sample of the inventory.yaml with KUMA standalone services installed on multiple hosts.
Migration
To perform the migration:
- Place the KUMA standalone backup copy on a target host, where you are going to install Kaspersky Next XDR Expert.
- On the administrator host, run the following command with the kuma_backup_file parameter. Specify the path to the transport archive with the Kaspersky Next XDR Expert components and the path to the prepared multinode.smp_param.yaml or singlenode.smp_param.yaml file, same as for initial installation.
./kdt apply -k <path_to_transport_archive> -i <path_to_configuration_file> --accept-eula -p --if kuma_backup_file=./<kuma_standalone_backup>.tar.gz
After migration is complete, all services connect to KUMA Core in Kaspersky Next XDR Expert and become available in KUMA Console under Resources → Active services.
If KUMA standalone Core was installed on an individual host, after you perform the migration, KUMA standalone Core maintains the option to address the services migrated to Kaspersky Next XDR Expert. In this case, service statuses are displayed and you are able to restart the services, change the services configuration, get the service log, and view the events. To avoid this, use any of the following options:
- Before you perform the migration, disable KUMA standalone Core.
- After you perform the migration, in Kaspersky Next XDR Expert, go to KUMA Console Settings → Common and click Reissue internal CA certificates, and then run the following command and wait till KUMA Core and all services are restarted in Kaspersky Next XDR Expert:
./kdt invoke kuma --action resetServicesCert
Running the migrator to transfer data
After migration from KUMA standalone is complete, you have to run the migrator to transfer data.
You can obtain the migrator through Technical Support.
To transfer Kaspersky Security Center Administration Servers, domain users, and assigned roles:
- Run the installation of KUMA migrator in the command line.
kdt apply --force -k kuma-migrator_<version>.tar --accept-eula
- Fetch the data for migration by running the following command:
kdt invoke kuma-migrator --action fetch
- Copy the result of the data fetch, and then create a configuration file in the YAML format.
- Open the configuration file and insert the result of the data fetch.
If necessary, you can delete Kaspersky Security Center Administration Servers or users that you do not want to migrate.
- For Kaspersky Security Center Administration Servers, specify information in the following fields:
- Login.
- Password.
- URL. You have to specify the full path by adding https://.
- Thumbprint_sha1_encoded. You have to specify the SHA1 thumbprint of the Kaspersky Security Center Server certificate.
You can get the Administration Server certificate in OSMP Console. To do this, in the main menu, click the settings icon next to the name of the required Administration Server, and then on the General tab click the View Administration Server certificate link to download the certificate.
- Insecure_skip_verify. The false value is selected for this parameter by default. In this case, the Administration Server certificate is verified when performing the migration. If you want to disable certificate verification, you can specify the true value in this field.
We do not recommend that you disable certificate verification.
- Run the corresponding commands to migrate data.
If you want to migrate all data, run the following command:
kdt invoke kuma-migrator --action migrate-all --param migrationConfigFilePath=<configuration file name>.yaml
If you want to migrate only Kaspersky Security Center Administration Servers, run the following command:
kdt invoke kuma-migrator --action migrate-ksc-servers --param migrationConfigFilePath=<configuration file name>.yaml
If you want to migrate only users, run the following command:
kdt invoke kuma-migrator --action migrate-users --param migrationConfigFilePath=<configuration file name>.yaml
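For the Thumbprint_sha1_encoded field described in the procedure above, an added example (not part of the product documentation) that derives the SHA1 thumbprint from the certificate file downloaded in OSMP Console and compares it with the value entered in the configuration file, so that Insecure_skip_verify can stay false. The function names are hypothetical, the openssl command-line tool is assumed to be installed, and because the page does not state which text form the field expects, the 40-digit hexadecimal form without separators is an assumption.

```shell
#!/bin/sh
# Added example, not from the product documentation. Function names are hypothetical.

# cert_sha1 FILE -> prints the SHA-1 thumbprint of an X.509 certificate as
# 40 uppercase hex digits. Accepts PEM or DER, since the download may be either.
cert_sha1() {
    fp=$(openssl x509 -in "$1" -inform PEM -noout -fingerprint -sha1 2>/dev/null) ||
    fp=$(openssl x509 -in "$1" -inform DER -noout -fingerprint -sha1 2>/dev/null) ||
        { echo "not an X.509 certificate: $1" >&2; return 1; }
    # openssl prints "<name> Fingerprint=AB:CD:..."; keep only the hex digits.
    printf '%s\n' "${fp#*=}" | tr -d ':' | tr 'a-f' 'A-F'
}

# normalize_thumbprint VALUE -> removes ':' and spaces, uppercases hex letters.
normalize_thumbprint() {
    printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# thumbprint_matches CERT_FILE CONFIGURED_VALUE
# Returns 0 when CONFIGURED_VALUE is the thumbprint of CERT_FILE,
# 1 on mismatch, 2 if CERT_FILE cannot be parsed,
# 3 if CONFIGURED_VALUE is not 40 hexadecimal digits (assumed form).
thumbprint_matches() {
    actual=$(cert_sha1 "$1") || return 2
    wanted=$(normalize_thumbprint "$2")
    case $wanted in
        ''|*[!0-9A-F]*) return 3 ;;
    esac
    [ ${#wanted} -eq 40 ] || return 3
    [ "$actual" = "$wanted" ] || return 1
}
```

A mismatch means the value in the configuration file does not belong to the downloaded certificate; correct the value rather than setting Insecure_skip_verify to true.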