Stellar Cyber 3.12.1 Release Notes
Stellar Cyber 3.12.1 includes new features, improvements, enhancements, key fixes, and known issues. Upgrade instructions follow all of that great information.
Highlights
- Added Linux Server sensor support for Ubuntu 20.04.
- Introduced a new BlackBerry Cylance connector that can Contain a host as a response action.
- Introduced a new Sophos connector that collects events and alerts with Sophos Central APIs.
- Added support in the G Suite connector to collect alerts from Google's G Suite Alert Center.
- Added improvements to log ingestion.
- Resolved an issue where assets displayed in Stellar Cyber’s Admin > Licensing > Asset Usage page could be undercounted. As part of this fix, note that after upgrading to 3.12.1, the first day asset count may be zero.
New Features, Improvements, and Enhancements
New features include:
Sensor Enhancement
- The Linux Server Sensor now supports Ubuntu 20.04 environments.
Connector Enhancements
- Introduced a new BlackBerry Cylance connector that can Contain a host with an expiration time as a response action.
- Introduced a new Sophos connector that collects events and alerts with Sophos Central APIs.
- Added support in the G Suite connector to collect alerts from Google's G Suite Alert Center. Use the new scope (https://www.googleapis.com/auth/apps.alert) and App (alert) when you create your connector.
Log Ingestion Enhancements
- Introduced a log parser for Dell iDRAC.
- Introduced a log parser for Symantec Messaging Gateway.
- Enhanced the Pfsense parser to use the Traffic index when logs contain 5-tuples.
- Renamed the top-level field host to log.syslog.hostname for all parsers. If the host field is not from the syslog header, it is renamed to hostname.
- Moved the following fields in Forcepoint CEF log ingestion to be vendor-specific: dvchost, from, to, and cc.
- Forcepoint CEF log ingestion now parses the truesrc field as srcip on the top level.
- Moved AWS vpcflow logs from the AWS Events index to the Traffic index when srcip and dstip exist. In addition, the bytes, packets, and protocol fields were renamed to totalbytes, totalpackets, and proto, respectively.
- Enhanced the Pulse Secure parser to support additional log types.
- Enhanced the Ubiquiti parser to support additional log types.
- Enhanced the LEEF parser to support additional VMware Carbon Black log types.
- Moved the field f5 to vendor-specific in Oracle logs.
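As an added example (not Stellar Cyber's code), the following Python models the field renames and index routing described in the log ingestion items above, so you can check which field names and index a saved search or detection rule must reference after the upgrade. The index names, the host_from_syslog_header flag, retention of the original truesrc field, and the sample records are assumptions.

```python
# Illustrative model of the 3.12.1 log-ingestion changes; not Stellar Cyber code.
AWS_EVENTS_INDEX = "aws_events"   # assumed placeholder index names
TRAFFIC_INDEX = "traffic"

# vpcflow renames applied only when the record is routed to the Traffic index
VPCFLOW_RENAMES = {"bytes": "totalbytes", "packets": "totalpackets", "protocol": "proto"}


def normalize_host(record: dict, host_from_syslog_header: bool) -> dict:
    """Top-level 'host' becomes log.syslog.hostname when it came from the syslog
    header; otherwise it is renamed to 'hostname'. The flag is an assumption about
    how the parser knows the field's origin."""
    out = dict(record)  # shallow copy; sample input has no nested 'log' to share
    if "host" in out:
        host = out.pop("host")
        if host_from_syslog_header:
            out.setdefault("log", {}).setdefault("syslog", {})["hostname"] = host
        else:
            out["hostname"] = host
    return out


def route_vpcflow(record: dict) -> tuple:
    """Return (index, record). vpcflow logs land in the Traffic index only when
    both srcip and dstip exist; the traffic field names are renamed there."""
    out = dict(record)
    if "srcip" in out and "dstip" in out:
        for old, new in VPCFLOW_RENAMES.items():
            if old in out:
                out[new] = out.pop(old)
        return TRAFFIC_INDEX, out
    return AWS_EVENTS_INDEX, out


def forcepoint_truesrc(record: dict) -> dict:
    """Forcepoint CEF: truesrc is surfaced as top-level srcip.
    Keeping the original truesrc field is an assumption."""
    out = dict(record)
    if "truesrc" in out:
        out["srcip"] = out["truesrc"]
    return out


# Constructed sample vpcflow record, not a real capture.
SAMPLE_VPCFLOW = {"srcip": "10.0.0.5", "dstip": "10.0.1.9",
                  "bytes": 840, "packets": 6, "protocol": 6}

if __name__ == "__main__":
    print(route_vpcflow(SAMPLE_VPCFLOW))
    print(normalize_host({"host": "fw1", "msg": "link up"}, host_from_syslog_header=True))
```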
Response Integration Enhancement
- Improved the performance of Palo Alto Firewall responses by grouping multiple actions into one Palo Alto Firewall commit. This also improves the reliability of the response.
Usability Improvements
- Scheduled reports and manual export allow up to 100,000 records in a table.
Critical Bug Fixes
- Resolved an issue where assets displayed in Stellar Cyber’s Admin > Licensing > Asset Usage page could be undercounted. As part of this fix, note that after upgrading to 3.12.1, the first day asset count may be zero.
Known Issues
Known issues include:
- If the DP time is set to a future time (e.g., 1 min ahead), the BlackBerry Cylance connector may fail. Workaround: Make sure to use the correct NTP server or set the time manually in UTC.
- When multiple traffic filters are defined for a tenant with the same combination of ip, port, protocol, and layer 7 rules, the filter may fail to take effect. Administrators should review the defined traffic filters and make sure there are no duplicate definitions among filters.
- Files may not be assembled by Security Data Sensors for traffic mirrored from physical interfaces on Cisco Nexus 9K models. As a workaround, configure VLAN mirroring on the Cisco switch.
- Sensor installation on Linux servers running CentOS 6 fails because the official CentOS 6 package download link is no longer available.
- If you change the network interface configuration of a sensor’s VM after deployment, the eth0 interface may be remapped to a new interface. If this happens, the management network is disconnected. Contact Technical Support for assistance.
- The stellar_syswatcher service may be missing after a new installation or upgrade of a Windows agent sensor on Windows Server 2008 R2. This is due to a required patch from Microsoft. Patch target Windows Server 2008 R2 hosts before you install or upgrade the sensor so you can leverage traffic information from the Windows agent sensor.
Upgrading
You can upgrade Stellar Cyber from 3.12.0 (or later) to 3.12.1. You must complete the following steps:
Preparing for the Upgrade
To prepare for the upgrade:
- Back up the data and configuration
- Make sure the sensors are up and running
- Take note of the ingestion rate
- Take note of the number of alerts
- Make sure the system health indicator shows
- Run the pre-upgrade check
Upgrading the DP to 3.12.1
To upgrade the DP from 3.11.0 (or later) to 3.12.1:
- Click Admin | Software Upgrade.
- Choose 3.12.1.
- Click Start Upgrade.
Upgrading Sensors
New features, updated ML algorithms, and enhanced configurations may change ingestion and detection patterns. We recommend the following to ensure a smooth upgrade:
- Upgrade security sensors before network sensors, because network sensors send data to security sensors for additional processing.
- Upgrade sensors in batches instead of all at once.
- For agent sensors:
  - Upgrade a small set of sensors that cover non-critical assets.
  - After 24 hours, ensure that your ingestion is as expected, then upgrade a larger set.
  - After 24 hours, ensure that your ingestion is as expected, then upgrade the remaining agent sensors.
To upgrade the sensors:
- Click Collect | Sensor Overview. The Data Sensor List appears.
- Click the MANAGE drop-down and choose SOFTWARE UPGRADE. The DATA SENSOR SOFTWARE UPGRADE panel appears.
- Choose the 3.12.1 image.
- Choose the sensors to upgrade.
- Click Submit.
Verifying the Upgrade
To verify that the upgrade was successful:
- Check the Current Software Version on the Admin | Software Upgrade page.
- Make sure the sensors are up and running.
- Check the ingestion rate and make sure it is as expected.
- Check the number of alerts and make sure it is as expected.
- Check the system health indicator:
  - indicates a perfectly healthy system.
  - indicates minor issues. Monitor the system for 30 minutes. If the issues remain, investigate further.
  - indicates major issues. Contact Technical Support.