Stellar Cyber 3.12.0 Release Notes
Stellar Cyber 3.12.0 includes new features, improvements, enhancements, key fixes, and known issues. Upgrade instructions follow all of that great information.
Highlights
- Introduced Stellar Cyber Central, where users can view summarized alerts from multiple regional DP deployments.
- Added Mimecast as a new Connector type under the Email category. The Mimecast connector collects logs from the Mimecast platform.
- Added support for Amazon S3 as one of the Data Sink destinations.
- For Perpetual Licenses, a valid Support License is now enforced for software updates, threat intelligence synchronization, and intrusion and malware detection.
- Removed ambiguous table components and significantly improved the table views in dashboards.
New Features, Improvements, and Enhancements
New features include:
Connector Enhancements
Following are the connector enhancements:
- Enhanced connectors to report more statistics for monitoring and troubleshooting.
- Added Mimecast as a new Connector type under the Email category. The Mimecast connector collects logs from the Mimecast platform.
- Moved the Palo Alto Prisma connector from the Endpoint Security category to the Cloud Security category.
- Stellar Cyber now performs a partial commit instead of a full commit for Palo Alto firewall responses, so only the changes made by the Stellar Cyber admin account are committed rather than every pending change on the firewall.
- Fixed a typo in the Salesforce Connector Content Type: SetupAduitTrail is now SetupAuditTrail.
Parser Enhancements
Following are the parser enhancements:
- Moved the Sophos Endpoint parser ingestion port from 5900 to 5565. Ingestion port 5900 remains available during the transition period.
- Improved the Cisco ASA parser to cover additional types of logs.
- Improved WatchGuard LEEF log ingestion to support more types of logs. Added a dev_class field set to firewall when the vendor field equals WatchGuard and the product field equals XTM.
- Moved the following fields to the kaperskylab namespace in Kaspersky Lab CEF log parsing: virusname, productname, productversion, taskname, groupname, taskoldstate, tasknewstate, and taskid.
- Improved the F5 BIG-IP parser to store the host as log.syslog.hostname.
- Improved the pfSense firewall parser to support more types of logs.
- Added a new log parser for Cisco MDS.
- Improved the CEF parser to normalize dhost as dstip_host by default.
- Improved the Palo Alto Networks parser to support more types of PAN-OS 10 logs.
- Improved the beats parser for the CrowdStrike SIEM connector to use crowdstrike.metadata.eventCreationTime as the event timestamp.
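Several of the parser changes above are field-level normalizations (dhost becomes dstip_host, Kaspersky Lab CEF fields move into their own namespace, WatchGuard XTM LEEF events get dev_class=firewall). The following is an added example, written for these notes and not Stellar Cyber's parser, that parses CEF and LEEF lines and applies those three mappings. The sample log lines are constructed, the vendor strings "KasperskyLab", "WatchGuard" and "XTM" are assumed to match what the devices emit, and the namespace string is copied from the note above.

```python
"""CEF/LEEF normalizer (example code written for these notes, not Stellar
Cyber's parser). It applies three of the mappings listed above to constructed
sample lines: CEF dhost -> dstip_host, Kaspersky Lab CEF fields moved under the
namespace named in the notes, and dev_class=firewall for WatchGuard XTM LEEF."""
import re

# Fields the notes say move into their own namespace for Kaspersky Lab CEF.
KASPERSKY_FIELDS = {"virusname", "productname", "productversion", "taskname",
                    "groupname", "taskoldstate", "tasknewstate", "taskid"}
KASPERSKY_NAMESPACE = "kaperskylab"   # spelled exactly as in the release note


def _split_header(body, nfields):
    """Split on unescaped '|' into nfields header values; what follows the
    last header pipe (the extension) is returned as the final element."""
    parts, cur, i = [], [], 0
    while i < len(body) and len(parts) < nfields:
        if body[i] == "\\" and i + 1 < len(body):   # '\|' and '\\' escapes
            cur.append(body[i + 1])
            i += 2
        elif body[i] == "|":
            parts.append("".join(cur))
            cur, i = [], i + 1
        else:
            cur.append(body[i])
            i += 1
    parts.append("".join(cur) + body[i:])
    return parts


def _unescape(value):
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """CEF:Version|Vendor|Product|DevVersion|SignatureID|Name|Severity|Extension"""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    hdr = _split_header(line[4:], 7)
    if len(hdr) != 8:
        raise ValueError("truncated CEF header")
    ver, vendor, product, dev_version, sig_id, name, severity, ext = hdr
    event = {"cef_version": ver, "vendor": vendor, "product": product,
             "dev_version": dev_version, "signature_id": sig_id,
             "name": name, "severity": severity}
    # Extension values may contain spaces, so split only at whitespace that is
    # followed by the next key=.
    for token in re.split(r"\s+(?=[\w.]+=)", ext.strip()):
        if "=" in token:
            key, value = token.split("=", 1)
            event[key] = _unescape(value)
    if "dhost" in event:                         # dhost -> dstip_host by default
        event["dstip_host"] = event.pop("dhost")
    if vendor.lower().startswith("kaspersky"):   # vendor-specific namespace
        for key in KASPERSKY_FIELDS & set(event):
            event[f"{KASPERSKY_NAMESPACE}.{key}"] = event.pop(key)
    return event


def parse_leef(line):
    """LEEF:1.0|Vendor|Product|Version|EventID|attrs (tab-separated attrs), or
    LEEF:2.0|Vendor|Product|Version|EventID|Delim|attrs"""
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF line")
    version = line[5:].split("|", 1)[0]
    is_v2 = version.startswith("2")
    hdr = _split_header(line[5:], 6 if is_v2 else 5)
    if len(hdr) != (7 if is_v2 else 6):
        raise ValueError("truncated LEEF header")
    if is_v2:
        _, vendor, product, dev_version, event_id, delim, attrs = hdr
        if delim == "":                                   # default is tab
            delim = "\t"
        elif re.fullmatch(r"x[0-9A-Fa-f]{2}", delim):     # hex form, e.g. x09
            delim = chr(int(delim[1:], 16))
    else:
        _, vendor, product, dev_version, event_id, attrs = hdr
        delim = "\t"
    event = {"leef_version": version, "vendor": vendor, "product": product,
             "dev_version": dev_version, "event_id": event_id}
    for token in attrs.split(delim):
        if "=" in token:
            key, value = token.split("=", 1)
            event[key] = value
    if vendor == "WatchGuard" and product == "XTM":   # rule from the notes
        event["dev_class"] = "firewall"
    return event


# Constructed sample lines (not captured from real devices).
CEF_FIREWALL = ("CEF:0|ExampleVendor|ExampleFW|1.0|100|Blocked outbound|5|"
                "src=10.1.2.3 dst=203.0.113.7 dhost=bad.example.net spt=51234 "
                "dpt=443 msg=denied by policy\\=egress")
CEF_KASPERSKY = ("CEF:0|KasperskyLab|SecurityCenter|13.2|GNRL_EV_VIRUS_FOUND|Virus found|4|"
                 "src=10.0.0.5 virusname=EICAR-Test-File productname=KES taskname=Full Scan")
LEEF_WATCHGUARD = ("LEEF:2.0|WatchGuard|XTM|12.5|Deny|^|"
                   "src=10.0.0.9^dst=198.51.100.4^proto=tcp^dstPort=445")
LEEF_OTHER = "LEEF:1.0|ExampleVendor|Proxy|3|Allow|src=10.0.0.9\tdst=198.51.100.4"
```

Calling parse_cef(CEF_FIREWALL) yields an event with dstip_host set and no dhost key; parse_cef(CEF_KASPERSKY) yields kaperskylab.virusname and friends; parse_leef(LEEF_WATCHGUARD) carries dev_class=firewall while parse_leef(LEEF_OTHER) does not. The header splitter honours CEF's backslash escapes, which matters because a device name containing "|" would otherwise shift every later field.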
Usability Improvements
- Removed ambiguous table components and significantly improved the table views in dashboards.
- Administrators can now configure a custom Welcome message that appears when a user logs in.
- Platform administrators can customize the Support Portal hyperlink.
- Improved ingestion visibility by displaying storage consumption per index and per tenant.
- Improved the quick filter for top events.
- Administrators can now set an ingestion target for a tenant, which can be displayed in the license consumption charts.
- Redesigned the status presentation in the Enrichment configuration to improve clarity.
Platform Improvements
- Introduced Stellar Cyber Central, where users can view summarized alerts from multiple regional DP deployments.
- Amazon S3 can be configured as a Data Sink destination.
- For Perpetual Licenses, a valid Support License is enforced for software updates, threat intelligence synchronization, and intrusion and malware detection.
- Added support for a new signal index in Elasticsearch for critical events.
- Users can now change the Docker network through the DP's CLI.
- Sensor stats are now written to the aella-ade index and can be shown on dashboards.
Critical Bug Fixes
- Resolved an issue where ML exclusions were not included in the configuration backup.
Known Issues
Known issues include:
- When multiple traffic filters are defined for a tenant with the same combination of IP, port, protocol, and layer 7 rules, the filter may fail to take effect. Administrators should review the defined traffic filters and make sure there are no duplicate definitions among filters.
- Files are not assembled by Security Data Sensors for traffic mirrored from physical interfaces on Cisco Nexus 9K models. As a workaround, configure VLAN mirroring on the Cisco switch.
- Sensor installation on Linux servers running CentOS 6 fails because the official CentOS 6 package download link is no longer available.
- If you change the network interface configuration of a sensor's VM after deployment, the eth0 interface may be remapped to a new interface. If this happens, the management network is disconnected. Contact Technical Support for assistance.
- The stellar_syswatcher service may be missing after a new installation or upgrade of a Windows agent sensor on Windows Server 2008 R2. The service depends on a patch from Microsoft that the host may not have installed. Apply the patch to target Windows Server 2008 R2 hosts before you install or upgrade the agent so that the sensor's traffic information is available.
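The first known issue above leaves the duplicate check to the administrator. The following is an added example, not a Stellar Cyber tool, that detects duplicate filter definitions for a tenant. It assumes filters are exported as records with the four fields the note names (ip, port, protocol, layer7) plus a name, and it treats ip as an address or CIDR and port as a single port or range, which is this example's assumption about the filter syntax; the sample filter list is constructed.

```python
"""Duplicate traffic-filter check (example code written for these notes, not a
Stellar Cyber tool). Two filters count as duplicates when ip, port, protocol
and layer-7 rules match after normalisation, which is the condition under
which the known issue says a filter may fail to take effect."""
import ipaddress
from collections import defaultdict

ANY = ("", "any", "*")


def _norm_ip(value):
    """Canonicalise an address or CIDR: '10.0.0.1' and '10.0.0.1/32' compare equal."""
    if value is None or str(value).strip().lower() in ANY:
        return "any"
    return str(ipaddress.ip_network(str(value).strip(), strict=False))


def _norm_port(value):
    """'443', 443 and '443-443' compare equal; ranges are ordered low-high."""
    if value is None or str(value).strip().lower() in ANY:
        return "any"
    text = str(value).strip()
    if "-" in text:
        lo, hi = sorted(int(p) for p in text.split("-", 1))
        return f"{lo}" if lo == hi else f"{lo}-{hi}"
    return str(int(text))


def _norm_l7(rules):
    """Layer-7 rules are treated as an unordered, case-insensitive set."""
    if not rules:
        return ()
    if isinstance(rules, str):
        rules = rules.split(",")
    return tuple(sorted({r.strip().lower() for r in rules if r.strip()}))


def filter_key(f):
    """The tuple that identifies a filter for duplicate purposes."""
    return (_norm_ip(f.get("ip")), _norm_port(f.get("port")),
            (f.get("protocol") or "any").strip().lower(), _norm_l7(f.get("layer7")))


def find_duplicate_filters(filters):
    """Return {key: [filter names]} for every combination defined more than once."""
    seen = defaultdict(list)
    for f in filters:
        seen[filter_key(f)].append(f.get("name", "<unnamed>"))
    return {key: names for key, names in seen.items() if len(names) > 1}


# Constructed sample export: two pairs collide despite cosmetic differences.
SAMPLE_FILTERS = [
    {"name": "drop-backup-vlan", "ip": "10.20.0.0/16", "port": "any", "protocol": "tcp", "layer7": ["smb"]},
    {"name": "drop-backup-vlan-copy", "ip": "10.20.0.0/16", "port": "", "protocol": "TCP", "layer7": "SMB"},
    {"name": "drop-ntp", "ip": "10.20.0.0/16", "port": "123", "protocol": "udp", "layer7": []},
    {"name": "drop-dns-host", "ip": "10.20.0.53", "port": "53-53", "protocol": "udp", "layer7": ["dns"]},
    {"name": "drop-dns-host-2", "ip": "10.20.0.53/32", "port": 53, "protocol": "udp", "layer7": "dns"},
]

if __name__ == "__main__":
    for key, names in find_duplicate_filters(SAMPLE_FILTERS).items():
        print(f"duplicate filter {key}: {', '.join(names)}")
```

Run against SAMPLE_FILTERS this reports two collisions (the backup-VLAN pair and the DNS-host pair) and ignores drop-ntp. Normalising before comparing is the point: a filter entered as "10.20.0.53" and another as "10.20.0.53/32" look different in the UI but are the same definition.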
Upgrading
You can upgrade Stellar Cyber from 3.11.0 (or later) to 3.12.0. The upgrade consists of preparing for the upgrade, upgrading the DP, upgrading the sensors, and verifying the result:
Preparing for the Upgrade
To prepare for the upgrade:
- Back up the data and configuration
- Make sure the sensors are up and running
- Take note of the ingestion rate
- Take note of the number of alerts
- Make sure the system health indicator shows a perfectly healthy system
- Run the pre-upgrade check
Upgrading the DP to 3.12.0
To upgrade the DP from 3.11.0 (or later) to 3.12.0:
- Click Admin | Software Upgrade.
- Choose 3.12.0.
- Click Start Upgrade.
Upgrading Sensors
New features, updated ML algorithms, and enhanced configurations may change ingestion and detection patterns. We recommend the following to ensure a smooth upgrade:
- Upgrade security sensors before network sensors, because network sensors send data to security sensors for additional processing.
- Upgrade sensors in batches instead of all at once.
- For agent sensors:
- Upgrade a small set of sensors that cover non-critical assets.
- After 24 hours, ensure that your ingestion is as expected, then upgrade a larger set.
- After 24 hours, ensure that your ingestion is as expected, then upgrade the remaining agent sensors.
To upgrade the sensors:
- Click Collect | Sensor Overview. The Data Sensor List appears.
- Click the MANAGE drop-down and choose SOFTWARE UPGRADE. The DATA SENSOR SOFTWARE UPGRADE panel appears.
- Choose the 3.12.0 image.
- Choose the sensors to upgrade.
- Click Submit.
Verifying the Upgrade
To verify that the upgrade was successful:
- Check the Current Software Version on the Admin | Software Upgrade page.
- Make sure the sensors are up and running.
- Check the ingestion rate and make sure it is as expected.
- Check the number of alerts and make sure it is as expected.
- Check the system health indicator:
- indicates a perfectly healthy system.
- indicates minor issues. Monitor the system for 30 minutes. If the issues remain, investigate further.
- indicates major issues. Contact Technical Support.
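The preparation steps record the ingestion rate, alert count and sensor state so that the verification steps can compare against them. The following is an added example, not a Stellar Cyber utility, that performs that comparison from figures noted by hand before and after the upgrade. The tolerance percentages and the "up"/"down" sensor states are this example's assumptions, and the two snapshots are constructed.

```python
"""Baseline-versus-current upgrade check (example code written for these
notes, not a Stellar Cyber utility). Inputs are the figures the preparation
steps say to note (ingestion rate, alert count, sensor status) read again after
the upgrade; the tolerance percentages are this example's assumptions."""
from dataclasses import dataclass, field


@dataclass
class Snapshot:
    software_version: str
    ingestion_rate: float        # in whatever unit the DP shows, e.g. GB/day
    alert_count: int             # alerts over the same-length window as the baseline
    sensors: dict = field(default_factory=dict)   # sensor name -> "up" or "down"


def pct_change(before, after):
    """Percentage change from before to after; a zero baseline counts as an
    infinite change unless after is also zero."""
    if before == 0:
        return 0.0 if after == 0 else float("inf")
    return (after - before) / before * 100.0


def verify_upgrade(baseline, current, target_version="3.12.0",
                   ingestion_tolerance_pct=20.0, alert_tolerance_pct=30.0):
    """Return a list of (area, detail) findings; an empty list means every
    check in the verification steps passed."""
    findings = []
    if current.software_version != target_version:
        findings.append(("version", f"DP reports {current.software_version}, expected {target_version}"))
    down = sorted(name for name, state in current.sensors.items() if state != "up")
    if down:
        findings.append(("sensors", "not running: " + ", ".join(down)))
    missing = sorted(set(baseline.sensors) - set(current.sensors))
    if missing:
        findings.append(("sensors", "no longer reporting: " + ", ".join(missing)))
    delta = pct_change(baseline.ingestion_rate, current.ingestion_rate)
    if abs(delta) > ingestion_tolerance_pct:
        findings.append(("ingestion", f"rate {baseline.ingestion_rate} -> {current.ingestion_rate} ({delta:+.1f}%)"))
    delta = pct_change(baseline.alert_count, current.alert_count)
    if abs(delta) > alert_tolerance_pct:
        findings.append(("alerts", f"count {baseline.alert_count} -> {current.alert_count} ({delta:+.1f}%)"))
    return findings


# Constructed snapshots: one network sensor stayed down and ingestion fell 40%.
BASELINE = Snapshot("3.11.0", 120.0, 85, {"sec-sensor-1": "up", "net-sensor-1": "up", "agent-7": "up"})
AFTER = Snapshot("3.12.0", 72.0, 80, {"sec-sensor-1": "up", "net-sensor-1": "down", "agent-7": "up"})

if __name__ == "__main__":
    for area, detail in verify_upgrade(BASELINE, AFTER):
        print(f"[{area}] {detail}")
```

For the constructed snapshots the check flags the down network sensor and the ingestion drop, which together point at the ordering advice above: a network sensor that is not feeding its security sensor shows up first as lost ingestion, not as a DP error. A ±20% ingestion band is loose enough for normal daily variation; tighten it if you compare windows of equal length at the same time of day.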