Stellar Cyber 4.1.0 Release Notes

Stellar Cyber 4.1.0 brings major improvements to the Stellar Cyber Open XDR platform, including new features, enhancements, key fixes, and known issues. Upgrade instructions follow at the end of these notes.

Note that many of the new features in 4.1.0 were originally introduced in a controlled 4.0.0 release and are now making their public debut. For convenience, all new features in 4.0.0 and 4.1.0 are listed in this release note.

Highlights

  • Introduced a new XDR Kill Chain™ that replaces the Lockheed Martin Cyber Kill Chain.

  • Added support for MITRE | ATT&CK Framework under the XDR Kill Chain.

  • Replaced the home dashboard with the new XDR Kill Chain dashboard.

  • Introduced a new Incidents feature that uses machine learning to automatically group related alerts into incidents.

  • The term Detections is replaced by Alert Types in the UI and documentation.

  • Added a new Alerts interface that simplifies the search and display of available alert types.

  • Improved ATH custom security alerts to support the XDR Kill Chain.

  • Introduced connectors for integration with Box, JumpCloud, and Forescout.

  • Introduced several new log parsers and parser enhancements.

  • Allow users to change their default home page.

  • Allow users to set the GeoLocation of an IP address manually in order to override the result from the built-in IP GeoLocation database.

  • Alert descriptions are automatically enriched with context information to assist security analysts in triaging alerts and incidents.

  • Users with a User Scope of root and RBAC privileges to change user interface settings can specify the minimum incident score and number of alerts for an incident to be displayed.

Deprecated Features

  • Threat Hunting no longer supports the ability to combine a custom security event with built-in Alert Types. There are no behavior changes to existing configurations. However, we encourage users to migrate existing ATH configurations by creating custom security alerts in custom Alert Types. An automatic migration will take place in a future release in the next six months.

Data Model Terminology

As of the 4.1.0 release, the following data model terminology is standardized in Stellar Cyber products and documentation:

  • Raw Events: Raw or enriched records from traffic or log ingestion.

  • Alert Types and Alerts: Alert Types categorize security alerts generated by a set of analytics or machine learning algorithms. An alert is a triggered instance of an alert type. Alert Types can be classified by XDR Kill Chain Stage > ATT&CK Tactic > ATT&CK Technique.

  • Incidents: Multiple alerts grouped into an incident for efficient and effective SOC investigation.

New Incidents Feature

The Incidents feature replaces the legacy Case Management tool. Incidents provide the following benefits:

  • Multiple security alerts can be grouped into an incident automatically by ML or manually by analysts.

  • Users can be assigned to incidents for investigation.

  • Incidents are automatically assigned a score based on the scores and status of their underlying alerts. Incident scores represent the overall risk of the incident.

  • A graphical view assists incident investigation by illustrating the causal and timeline relationships among associated alerts.

  • Users with a User Scope of root and RBAC privileges to change user interface settings can click the Settings button at the upper right of the Incident display to specify the minimum incident score and number of alerts for an incident to be displayed.

    The settings made with these options form a system-wide policy for Stellar Cyber and affect the display of incidents in both the Home Dashboard and all incident displays.

XDR Kill Chain

This release includes a new XDR Kill Chain that better represents the stages and significance of security alerts in an enterprise environment.

  • XDR Kill Chain replaces the Lockheed Martin Cyber Kill Chain.

  • XDR Kill Chain incorporates tactics and techniques and is compatible with version 8 of the MITRE | ATT&CK framework.

  • Extended the MITRE | ATT&CK tactics and techniques with a set of additional XDR Alert Type categories.

  • Introduced Alert Type tags to organize Alert Types so they can capture current threat trends.

  • Introduced internal and external alert classifications to indicate lateral movement.

  • Added a new Home dashboard that features the XDR Kill Chain.

  • Added a new Alerts interface that simplifies the search and display of available alert types.

  • Improved ATH custom security alerts to support the XDR Kill Chain.

Parser Enhancements

  • Introduced the following new parsers:

    • Versa Network Firewall

    • Ahnlab Policy Center

    • SSR MetiEye

    • SECUI MF2

    • Graylog

    • Untangle

  • Added support for the following additional log formats:

    • Winstech IPS

    • Winstech DDX

    • Linux syslog

  • Renamed the top-level field host to log.syslog.hostname for all parsers. As an exception, if the host field does not come from the syslog header, it is renamed to hostname.

  • Improved the Fortinet FortiGate parser to recognize fields and values for devid, app, appcat, srccountry, and dstcountry.

Connector Enhancements

  • Introduced connectors for integration with Box, JumpCloud, and Forescout.

Usability Improvements

  • Allow users to change the default home page.

  • Allow users to select columns when generating a CSV report.

  • Log filters can be created directly from the Threat Hunting interface with prefilled fields from events in the Traffic, Windows Events, Syslog, and ML-IDS/Malware Sandbox Events indices.

  • The Automated Threat Hunting Playbooks table now reports Query Name as one of its default fields.

  • Added a More Info button to correlation alerts to display alert details.

  • Introduced new chart management capabilities under Investigate | Visualizer | Charts. Charts can be created or cloned and then included in a dashboard.

Alert/Machine Learning Improvements

  • Alert descriptions are automatically enriched with context information to assist security analysts with triage of alerts and incidents.

  • There is a major improvement and upgrade of the Machine Learning framework to separate internal and external attacks. As a result, ML models that depend on historical data will retrain as part of the upgrade from 3.12 to 4.1.0, requiring as much as 14 days of raw data to complete. During this time, the DP may use more CPU/memory and occasionally seem busier than usual.

Automated Threat Hunting Improvements

  • Introduced a Mute feature in ATH that lets users specify a period of time during which Stellar Cyber will not create a new alert based on the same conditions. You can mute either a rule as a whole or individual actions associated with a playbook.

Platform Enhancements

  • Allow users to set the GeoLocation of an IP address manually in order to override the result from the built-in IP GeoLocation database and improve accuracy.

  • Stellar Cyber now guides the admin user through changing their default email address at the first login.

  • Improved the reporting in Admin | System Status | Data Lake Health of conditions that may lead to Data Lake malfunctions.

Known Issues

Known issues include:

  • Stellar Cyber Data Processor services could be interrupted if the DP has been deployed and running for one year, due to expiration of an internal certificate. If you installed version 3.5.x/3.6.x of the DP in 2020, contact Technical Support to reset the condition manually before service is interrupted. A new release addressing this issue is expected at the end of Q3 2021.

  • The upgrade package for Windows Server Sensors is not included in the 4.1.0 release and cannot be downloaded from Configure | Deployment | Agents. An upgrade package will be available in a future release; in the meantime, Windows Server Sensors cannot be upgraded to 4.1.0. Use the 3.12.1 installer for Windows sensor agents in the interim.

  • The Incidents table in Incidents does not currently support searching in a specific column. As a workaround, you can search the table as a whole.

  • Files are not assembled by Security Data Sensors for traffic mirrored from physical interfaces on Cisco Nexus 9K models. As a workaround, configure VLAN mirroring on the Cisco switch.

  • Sensor installation on Linux servers running CentOS 6 fails because the official CentOS 6 package download link is no longer available.

  • If you change the network interface configuration of a sensor's VM after deployment, the eth0 interface may be remapped to a new interface. If this happens, the management network is disconnected. Contact Technical Support for assistance.

  • The stellar_syswatcher service may be missing after a new installation or upgrade of a Windows agent sensor on Windows Server 2008 R2. This is due to a required patch from Microsoft. Patch target Windows Server 2008 R2 hosts before you install or upgrade so that you can leverage traffic information from the Windows agent sensor.

Upgrading

You can upgrade Stellar Cyber from 3.12.0 (or later) to 4.1.0. You must prepare for the upgrade, upgrade the DP, upgrade the sensors, and then verify the upgrade, as described in the following sections.

Preparing for the Upgrade

To prepare for the upgrade:

  • Back up the data and configuration.
  • Make sure the sensors are up and running.
  • Take note of the ingestion rate.
  • Take note of the number of alerts.
  • Make sure the system health indicator shows a healthy system.
  • Run the pre-upgrade check.

Upgrading the DP to 4.1.0

To upgrade the DP from 3.12.0 (or later) to 4.1.0:

  1. Click Admin | Software Upgrade.
  2. Choose 4.1.0.
  3. Click Start Upgrade.

Upgrading Sensors

New features, updated ML algorithms, and enhanced configurations may change ingestion and detection patterns. We recommend the following to ensure a smooth upgrade:

  • Upgrade security sensors before network sensors, because network sensors send data to security sensors for additional processing.
  • Upgrade sensors in batches instead of all at once.
  • For agent sensors:
    • Upgrade a small set of sensors that cover non-critical assets.
    • After 24 hours, ensure that your ingestion is as expected, then upgrade a larger set.
    • After 24 hours, ensure that your ingestion is as expected, then upgrade the remaining agent sensors.

To upgrade Windows-based sensors:

If your deployment is already running v3.12.1, you do not need to upgrade your Windows-based sensors. For deployments running older versions, manually download and upgrade using the 3.12.1 Windows installers below.

The software can be downloaded from the production server directly by using one of the following URLs.

To upgrade Linux-based sensors:

  1. Click Collect | Sensor Overview. The Data Sensor List appears.
  2. Click the MANAGE drop-down and choose SOFTWARE UPGRADE. The DATA SENSOR SOFTWARE UPGRADE panel appears.
  3. Choose the 4.1.0 image.
  4. Choose the sensors to upgrade.
  5. Click Submit.

Verifying the Upgrade

To verify that the upgrade was successful:

  • Check the Current Software Version on the Admin | Software Upgrade page.
  • Make sure the sensors are up and running.
  • Check the ingestion rate and make sure it is as expected.
  • Check the number of alerts and make sure it is as expected.
  • Check the system health indicator. It shows one of three states:
    • Healthy: the system is operating normally.
    • Minor issues: monitor the system for 30 minutes. If the issues remain, investigate further.
    • Major issues: contact Technical Support.