mXDR: Stellar Cyber Agent Upgrade Process

Overview

CyFlare’s Managed XDR (mXDR) service includes proactive management and upgrading of Stellar Cyber Agents (Sensors) on behalf of our customers.

This article outlines:
  1. How and when upgrades occur
  2. What customers should expect
  3. Required customer actions
  4. Support and escalation paths

This process applies to both CyFlare environments, with slight differences for Gov Cloud customers.


CyFlare Managed Environments

For Gov Cloud customers, processes may differ slightly due to environment-specific requirements. Please contact TechOps@cyflare.com or your Customer Success Manager for details specific to your deployment.

Upgrade Scheduling & Strategy

CyFlare upgrades Stellar Agents based on a balance of stability, security, and feature availability.
  1. Agent upgrades are typically scheduled 1 to 3 weeks after a stable Data Platform release.
  2. Timing may be adjusted:
    1. Earlier for critical fixes or security improvements
    2. Later if a risk is identified in a new release

CyFlare evaluates each release to ensure minimal risk to customer environments before broad deployment.


Maintenance Windows

Customers are notified at least one week in advance of scheduled upgrade windows.

Standard Upgrade Window

  1. Days: Monday through Friday
  2. Time: 7:00 AM - 7:00 PM EST
  3. Behavior: Upgrade attempts occur intermittently throughout the window

This staggered approach ensures the widest possible coverage across all customer environments.

Customer Responsibilities

To ensure successful upgrades:

  • ✅ Keep all devices powered on and connected to the network
  • ✅ Ensure systems meet minimum hardware requirements
  • ✅ Monitor for any unusual behavior during upgrade windows

⚠️ Important Limitation:
If a device is offline at the exact time an upgrade push occurs, it will not receive the upgrade command, even if it comes online shortly afterward. This is a current limitation of the Stellar agent upgrade mechanism, so a device that misses the push will not be upgraded until a later attempt reaches it while it is online.

Upgrade Behavior & Impact

  1. Upgrades are performed in the background
  2. No reboot is required
  3. Minimal user impact under normal conditions

Expected Temporary Impact

  1. Some systems may experience a slight, temporary increase in:
    1. CPU usage
    2. Memory usage

This is normal and consistent with standard software installation behavior.


System Requirements

To ensure optimal performance during upgrades, systems should meet Stellar Cyber’s recommended hardware requirements.


Troubleshooting & Support

If an agent does not upgrade or behaves unexpectedly:
  1. Contact: TechOps@cyflare.com
  2. CyFlare Operations Engineering will:
    1. Investigate upgrade failures
    2. Provide remediation steps
    3. Coordinate advanced troubleshooting if needed

In some cases, resolution may involve:
  1. Reinstalling the agent
  2. Validating system compatibility
  3. Manual intervention

Frequently Asked Questions (FAQ)

1. Are reboots required during the upgrade?
   Answer: No. Reboots are not required during standard Stellar Sensor upgrades. Customers who wish to opt out of managed upgrades must inform CyFlare; this is not recommended and further complicates the process.

2. Can I opt out of CyFlare-managed upgrade windows?
   Answer: Yes, you can request to opt out by contacting your dedicated Customer Success Manager or reaching out to TechOps@cyflare.com.

3. Can I schedule a custom upgrade window?
   Answer: Yes, custom upgrade windows can be coordinated through Operations Engineering, though requests outside standard hours (7 AM–7 PM EST, Mon–Fri) may have limited monitoring.

4. If I choose not to upgrade, will I still receive support?
   Answer: Yes, but support may be limited if your agents are 3 or more versions behind, as these are considered End-of-Support by Stellar Cyber.

5. Am I susceptible to risk if I do not upgrade my agents?
   Answer: Yes. Outdated agents can lead to gaps in telemetry, missed detections, lack of enhancements, and potential operational issues.

6. What can I do if an older agent version is not upgrading properly?
   Answer: Contact TechOps@cyflare.com for evaluation. Reinstalling the latest agent version often resolves the issue if system requirements are met.

7. Can I manage my own upgrades?
   Answer: Yes, but CyFlare is not responsible for issues resulting from missed upgrades or outdated agents if you choose to manage them independently.

8. If I am opted out of standard CyFlare upgrades, how can I get scheduled for an upgrade window?
   Answer: Reach out to your dedicated CSM or contact Operations Engineering directly at TechOps@cyflare.com.

Best Practices

  1. Keep devices online during upgrade windows
  2. Stay on CyFlare's upgrade plan and do not opt out of upgrades
  3. Stay within 2–3 versions of the current release
  4. Communicate early if:
    1. You need a custom window
    2. You have sensitive systems
    3. You observe upgrade issues

Contact Information

For any upgrade-related questions or issues:

📧 TechOps@cyflare.com
