Upgrade the Cortex XSOAR Server - Administrator Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.9
Creation date
2022-09-29
Last date published
2024-03-28
End_of_Life
EoL
Category
Administrator Guide
Abstract

Upgrading the Cortex XSOAR server including preparation, upgrade and post upgrade steps.

The installer automatically detects the existing configurations and applies them to the upgraded server.

When performing an upgrade, the following core content packs may automatically upgrade to a newer version:

  • AutoFocus

  • Base

  • CommonDashboards

  • CommonPlaybooks

  • CommonReports

  • CommonScripts

  • CommonTypes

  • CommonWidgets

  • DefaultPlaybook

  • DemistoLocking

  • DemistoRESTAPI

  • EDL

  • FeedMitreAttackv2

  • FeedUnit42v2

  • FiltersAndTransformers

  • HelloWorld

  • ImageOCR

  • Palo_Alto_Networks_WildFire

  • PAN-OS

  • TIM_Processing

  • TIM_SIEM

  • ThreatIntelReports

  • ThreatIntelligenceManagement

  • Unit42Intel

  • VirusTotal

  • Whois

  • rasterize

Caution

Before you begin:

  • If you are using a server with Elasticsearch for indicators only, you need to migrate all the data to Elasticsearch using the Migration Tool before upgrading.

  • Verify that your system meets the system requirements, including the required operating system.Cortex XSOAR System Requirements

Note

  • You can upgrade multi-tenant deployments, including high availability or disaster recovery.Upgrade Your Multi-Tenant Deployment

  • (High Availability) - When upgrading a high availability environment, you must stop the demisto service on all application servers prior to performing the upgrade. Rolling upgrades are not supported.

  • (Threat Intel Management) When upgrading from Cortex XSOAR v6.2 or earlier, the TIM license must be updated to enable full access to Unit 42 Intel features. Contact Customer Support to receive the updated TIM license file. In addition, the Unit 42 Intel Objects Feed and Palo Alto Networks Wildfire Reports integrations must be installed and enabled. For more information, see Unit 42 Intel Overview.Unit 42 Intel Overview

  1. Prepare the Cortex XSOAR server for upgrade.

    1. Take a snapshot of the server.

    2. Back up your content by selecting Settings > About > Troubleshooting > Export.

    3. Disable any external systems that push incidents to Cortex XSOAR, such as Splunk and Elasticsearch.

    4. Obtain a list of integrations that are in a failed state by running the !FailedInstances command in the CLI. This is useful to compare after upgrade.

    5. Download the new installer and copy it to all the servers that will be upgraded.

      wget -O demisto.sh "<downloadLink>"

      Note

      You can use the original URL that was sent to you when installing Cortex XSOAR by changing it to the following:

      • Change download.demisto.works to download.demisto.com

      • If you want a specific version (other than a general available release), add &downloadName=<version>_<latest or build number> to the end of the URL.

        For example, to upgrade to the latest v6.9 release, type https://download.demisto.com/download-params/?token=xxxxxxx&email=user@paloaltonetworks.com&downloadName=6_9_latest&eula=accept

      If you do not have the original URL, open a Customer Support ticket and select the Download Link option. The link is then sent automatically.

      Cortex XSOAR uses the /tmp folder for installation. If the folder is blocked by policy, you need to specify a new directory or use /var/tmp directory by adding the -target argument to installation before any other flag. For example, sudo ./demisto.sh -target /var/tmp --multi-tenant

  2. (Disaster Recovery and High Availability only) Stop the Cortex XSOAR server.

    sudo service demisto stop

    If you are using backup servers for Disaster Recovery, first stop the primary server and then any backup servers.

    For High Availability, stop all app servers.

  3. Run the following command to allow the .sh file to run as an executable file.

    chmod +x demisto.sh

  4. Run the installer file.

    sudo ./demisto.sh

    For Disaster Recovery, run the installer on the secondary (backup) server. Once it is up and running, run the installer on the primary server.

    For High Availability, run the installer file on one app server to trigger the database upgrade. When available, log in to the app server. You can then upgrade any additional app servers.

  5. After the upgrade completes, do the following.

    1. Confirm the Cortex XSOAR server status is active by running the systemctl status demisto command.

      If the server is not active, run the systemctl start demisto command to start the server.

    2. Confirm the Docker service status is active by running the systemctl status docker command.

    3. Check that all custom content prior to upgrade appears.

    4. Check that all incidents prior to upgrade appear.

    5. Run the !FailedInstances command to compare the results in step 1 and fix any failed instances.

    6. Ensure all integrations that were enabled prior to upgrade are available in the CLI/Playbooks.

    7. Upgrade any existing engines.

    8. Reattach out of the box Incident types (from Content Packs) to receive content updates.

      After upgrading from v6.0 and below, all installed incident types are in a Detached state, which means that updates from Content Packs do not affect the incident type configuration. If you want to receive content updates for detached incident types, reattach the incident type.

      When upgrading from v5.5, you need to migrate your content to content pack format to ensure that you receive content updates.Migrate All Content to Content Packs

    9. Enable the external systems you disabled in step 1c.