Upgrade Cortex XDR Agents - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-16
Category
Administrator Guide
Abstract

You can upgrade the Cortex XDR agent software by using the appropriate method for the endpoint operating system.

After you install the Cortex XDR agent and the agent registers with Cortex XSIAM, you can upgrade the Cortex XDR agent software using a method supported by the endpoint platform:

Important

The following list includes important points to take into account when upgrading the Cortex XSIAM agent:

  • You cannot upgrade the Cortex XSIAM agent on VDI endpoints or a Golden Image.

  • You must reinstall (uninstall and install again) the relevant agent version on the Golden Image,

  • Installing a Golden Image for the Citrix App Layering environment must be performed on OS layer only.

  • Every new agent version installation must be performed on OS layer's version where the agent was not previously installed. There is no possibility to reinstall agent on the Golden Image for the Citrix App Layering environment.

Warning

  • You must ensure that the System Extensions were approved on the endpoint. Otherwise, if the extensions were not approved, after the upgrade the extensions remain on the endpoint without any option to remove them which could cause the agent to display unexpected behavior. To check whether the extensions were approved, you can either verify that the endpoint is in Fully Protected state in Cortex XSIAM, or execute the following command line on the endpoint to list the extensions: systemextensionsctl list. If you need to approve the extensions, follow the workflow explained in the Cortex XDR agent administration guide for approving System Extensions.

  • Android—Upgrade the app directly from the Google Play Store or push the app to your endpoints from an endpoint management system such as AirWatch.

  • Windows, Mac, or Linux—Create new installation packages and push the Cortex XDR agent package to up to 5,000 endpoints from Cortex XSIAM.

Upgrades are supported using actions that you can initiate from the Action Center or from All Endpoints as described in this workflow.

  1. Create an Agent Installation Package for each operating system version for which you want to upgrade the Cortex XDR agent.

    Note the installation package names.

  2. Select EndpointsAll Endpoints.

    If needed, filter the list of endpoints. To reduce the number of results, use the endpoint name search and filters Filters at the top of the page.

  3. Select the endpoints you want to upgrade.

    You can also select endpoints running different operating systems to upgrade the agents at the same time.

  4. Right-click your selection and select Endpoint ControlUpgrade Agent Version.

    For each platform, select the name of the installation package you want to push to the selected endpoints.

    Starting in the Cortex XDR agent 7.1 release, you can install the Cortex XDR agent on Linux endpoints using a package manager. When you upgrade an agent on a Linux endpoint that is not using a package manager, Cortex XSIAM upgrades the installation process by default according to the endpoint Linux distribution. Alternatively, if you do not want to use the package manager, clear the option Upgrade to installation by package manager.

    Note

    The Cortex XDR agent keeps the name of the original installation package after every upgrade.

  5. Upgrade.

    Cortex XSIAM distributes the installation package to the selected endpoints at the next heartbeat communication with the agent. To monitor the status of the upgrades, go to ResponseAction Center. From the Action Center you can also view additional information about the upgrade (right-click the action and select Additional data) or cancel the upgrade (right-click the action and select Cancel Agent Upgrade).

    Note

    • Custom dashboards that include upgrade status widgets, and the All Endpoints page display upgrade status.

    • During the upgrade process, the endpoint operating system might request a reboot. However, you do not have to perform the reboot for the Cortex XDR agent upgrade process to complete it successfully.

    • After you upgrade to a Cortex XDR agent 7.2 or a later release on an endpoint with Cortex XSIAM Device Control rules, you need to reboot the endpoint for the rules to take effect.