mEDR: SentinelOne Agent Upgrade Process

Overview

CyFlare’s mEDR service includes the ongoing management and upgrading of SentinelOne agents across customer environments. This ensures endpoints are consistently protected with the latest detection capabilities, performance improvements, and security enhancements.

This article outlines how CyFlare manages SentinelOne agent upgrades, what customers can expect, and recommended best practices.

Scope

This process applies only to:

  1. CyFlare Managed SentinelOne Instances

Upgrade Strategy & Versioning

CyFlare adopts General Availability (GA) versions of SentinelOne agents after completing internal validation to ensure stability and compatibility across customer environments.

  1. GA versions include, but are not limited to:
    1. Detection enhancements
    2. Engine updates
    3. Bug fixes
    4. Performance and operability improvements
In addition:
  1. CyFlare has access to Early Access (EA) versions
  2. Customers or partners interested in participating in pre-release testing may opt in
    1. This can be coordinated through the Operations Engineering team or your dedicated CSM.

Upgrade Deployment Process

  1. Upgrades are deployed via centrally managed CyFlare policies
  2. Rollouts occur incrementally over a defined maintenance window
  3. CyFlare:
    1. Uploads required agent packages per OS
    2. Enables auto-upgrade policies
    3. Monitors upgrade progress through the SentinelOne console

Key Behaviors

  1. Endpoints must be online to receive the upgrade
  2. If offline:
    1. The upgrade command is queued
    2. It will execute when the device reconnects
  3. Agents on older versions will:
    1. Upgrade directly to the latest version, skipping intermediate versions if necessary

Supported Operating Systems & Requirements

For optimal performance and upgrade success:
  1. Endpoints should be running supported operating systems
  2. Systems should be fully patched and up to date
  3. Hardware should meet SentinelOne minimum requirements
Note: Systems outside of these requirements are more likely to experience disruption.

What to Expect During Upgrades

  1. Minimal to no disruption expected for supported environments
  2. No reboot required
  3. Temporary increase in CPU or Memory utilization may occur during the upgrade
    1. CPU and Memory usage returns to normal after completion
  4. No loss of protection or visibility during the upgrade process
In rare cases:
  1. New agent versions may identify previously undetected threats
  2. These will be handled through standard SOC escalation procedures

Performance & Risk Considerations

While most environments will experience seamless upgrades, the following may introduce risk:
  1. Outdated or unsupported operating systems
  2. Resource-constrained endpoints
  3. Unique or highly sensitive environments
If you believe your environment may be impacted:
  1. Contact CyFlare (or your assigned CSM) prior to the upgrade window

Opt-Out & Upgrade Control

Partners have flexibility in how upgrades are applied:
  1. Opt-out is available at:
    1. Account level
    2. Site level
CyFlare can assist in tailoring upgrade policies to meet operational requirements.

Failure Handling & Remediation

  1. Upgrade failures are:
    1. Monitored within the SentinelOne console
    2. Remediated by CyFlare when identified
  2. If necessary:
    1. Agent rollback may be used as a resolution
In rare cases where failures are not visible in the console, customers should notify CyFlare to investigate.

Customer Responsibilities

To ensure successful upgrades, customers should:
  1. Keep endpoints online during maintenance windows
  2. Maintain supported and fully patched operating systems
  3. Notify CyFlare of:
    1. Sensitive systems
    2. Known performance constraints
    3. Any concerns prior to scheduled upgrades
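A pre-upgrade readiness check over an agent inventory, written as an added example (not CyFlare's or SentinelOne's code). It applies the behaviors described above: agents below the target GA version upgrade directly, offline endpoints have the upgrade queued until they reconnect, and unsupported OS or sensitive systems are flagged for CyFlare. The inventory rows, target version and supported-OS list are constructed placeholders, not values from the page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Placeholder target GA version for this rollout (constructed, not a real release).
TARGET_VERSION = "23.4.2.14"
# Assumed supported OS names; confirm against SentinelOne's own support matrix.
SUPPORTED_OS = {"Windows Server 2019", "Windows Server 2022", "Windows 11", "Ubuntu 22.04"}


@dataclass
class Agent:
    hostname: str
    os_name: str
    agent_version: str
    last_active: datetime          # UTC timestamp of last console check-in
    sensitive: bool = False        # customer-declared sensitive system


def parse_version(v: str) -> tuple:
    """Numeric tuple so '23.4' sorts after '9.10' (string compare would not)."""
    return tuple(int(p) for p in v.split("."))


def classify(agent: Agent, now: datetime, offline_after=timedelta(hours=24)) -> dict:
    needs_upgrade = parse_version(agent.agent_version) < parse_version(TARGET_VERSION)
    offline = now - agent.last_active > offline_after
    if not needs_upgrade:
        status = "current"                      # already on target, nothing queued
    elif offline:
        status = "queued-until-reconnect"       # upgrade command waits for check-in
    else:
        status = "upgrade-pending"              # will move straight to TARGET_VERSION
    flags = []
    if agent.os_name not in SUPPORTED_OS:
        flags.append("unsupported-os")          # higher disruption risk per the article
    if agent.sensitive:
        flags.append("notify-cyflare")          # customer should raise before the window
    return {"hostname": agent.hostname, "status": status, "flags": flags}


def readiness_report(agents, now: datetime) -> list:
    return [classify(a, now) for a in agents]


# Constructed sample inventory, not real endpoints.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_AGENTS = [
    Agent("fs01", "Windows Server 2019", "22.1.3.5", NOW - timedelta(hours=1)),
    Agent("lt-042", "Windows 11", "22.3.1.8", NOW - timedelta(days=3)),
    Agent("db01", "Windows Server 2012 R2", "23.4.2.14", NOW - timedelta(minutes=5), sensitive=True),
    Agent("web01", "Ubuntu 22.04", "23.4.2.14", NOW - timedelta(hours=2)),
]
```

Run `readiness_report(SAMPLE_AGENTS, NOW)` before a maintenance window to see which hosts need to be brought online and which should be reported to CyFlare ahead of time.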

Frequently Asked Questions (FAQs)

1. Do SentinelOne agent upgrades require a reboot?
            Answer: No, reboots are not required.

2. What happens if an endpoint is offline during the upgrade?
            Answer: The upgrade command is queued and will execute when the endpoint reconnects.

3. Will there be any performance impact?
            Answer: A temporary CPU or Memory increase may occur during installation. This returns to normal after completion.

4. Can agents skip versions during upgrades?
            Answer: Yes, agents can upgrade directly to the latest version without installing intermediate versions.

5. What happens if an upgrade fails?
            Answer: CyFlare monitors and remediates failures when identified. Rollback is available if needed. If not visible in the console, customers should notify CyFlare.

6. Will upgrades impact detection or visibility?
            Answer: No. There is no expected loss of protection or visibility.

7. Can we participate in testing new versions?
            Answer: Yes. Customers may opt into Early Access (EA) versions to assist in testing.

8. Where can I review SentinelOne release notes?
            Answer: You must be an active user within our SentinelOne instance; once signed in, navigate to the following link: https://usea1-cyflare.sentinelone.net/docs/en/agent-release-notes.html (OneBox Instance)

If you have any questions or would like to coordinate upgrade preferences, please contact:

📧 TechOps@cyflare.com
