Stellar Cyber 4.1.1 Release Notes
Stellar Cyber 4.1.1 brings new features, enhancements, and key fixes to the Stellar Cyber Open XDR platform. These release notes describe them, list known issues, and close with upgrade instructions.
Note: As of the 4.1.0 release, the following data model terminology is standardized in Stellar Cyber products and documentation:
- Raw Events: Raw or enriched records from traffic or log ingestion.
- Alert Types and Alerts: Alert Types categorize security alerts generated by a set of analytics or machine learning algorithms. An alert is a triggered instance of an alert type. Alert Types can be classified by XDR Kill Chain Stage > ATT&CK Tactic > ATT&CK Technique.
- Incidents: Multiple alerts grouped into an incident for efficient and effective SOC investigation.
Highlights
- Introduced new integration with Trend Micro Apex Central, Trend Micro Cloud One Workload Security, and Trend Micro Vision One.
- Introduced new parsers for log ingestion.
- Introduced an API that returns detailed information on all sensors.
Parser Enhancements
- Introduced new parsers for:
  - Aruba Switch syslogs
  - Dell Switch syslogs
  - VMware NSX-T Data Center syslogs
  - Blue Coat ProxySG logs
  - Corelight sensor logs
  - OpenShift logs
  - Cisco UCS logs
- Enhanced the CEF parser to support Trend Micro Apex Central and Apex One logs.
- Improved the Ubiquiti UAP-ACPro parser to cover more log types.
- Improved the Linux syslog parser to cover more log types.
- Normalized the SonicWall sid log field to ids.signature_id and the msg field to ids.signature so that these events can be stored in the Maltrace index.
Connector Enhancements
- Introduced a Trend Micro Apex Central connector that retrieves endpoint and server assets into Stellar Cyber.
- Introduced a Trend Micro Cloud One Workload Security connector that retrieves computer assets into Stellar Cyber.
- Introduced a Trend Micro Vision One connector that ingests Alerts and Observed Attack Techniques into Stellar Cyber.
- Admins can now configure the refresh frequency of different Azure AD data types to minimize latency.
- Moved the Box connector from the SaaS category to the PaaS category.
Usability Improvements
- Replaced the filter button in the Interflow Event Details display with separate buttons for Add an Alert Filter and Add a Log Filter.
- Removed the Thumbs Up and Thumbs Down buttons in the Interflow Event Details display.
- Added a G Suite dashboard to the Threat Hunting Library (Investigate | Threat Hunting | Threat Hunting Library) to provide visibility on G Suite Security Center alerts.
Platform Enhancements
Introduced an API that returns a list of all sensors, including Network Sensors, Security Sensors, and Server Sensors. The API can return all managed sensors, all sensors belonging to a particular tenant, or a specific sensor.
Known Issues
Known issues include:
- Stellar Cyber Data Processor services could be interrupted if the DP has been deployed and running for one year due to expiration of an internal certificate. If you installed version 3.5.x/3.6.x of the DP in 2020, contact Technical Support to reset the condition manually before service is interrupted. A new release addressing this issue is expected at the end of Q3 2021.
- Files may not be assembled by Security Data Sensors for traffic mirrored from physical interfaces on Cisco Nexus 9K models. As a workaround, configure VLAN mirroring on the Cisco switch.
- Sensor installation on Linux servers running CentOS 6 fails because the official CentOS 6 package download link is no longer available.
- If you change the network interface configuration of a sensor's VM after deployment, the eth0 interface may be remapped to a new interface. If this happens, the management network is disconnected. Contact Technical Support for assistance.
- The stellar_syswatcher service may be missing after a new installation or upgrade of a Windows agent sensor on Windows Server 2008 R2. This is due to a required patch from Microsoft. Patch target Windows Server 2008 R2 hosts before you install or upgrade so you can leverage traffic information from the Windows agent sensor.
Upgrading
You can upgrade Stellar Cyber from 3.12.0 (or later) to 4.1.1. The procedure has four parts: preparing for the upgrade, upgrading the DP, upgrading the sensors, and verifying the upgrade.
Preparing for the Upgrade
To prepare for the upgrade:
- Back up the data and configuration
- Make sure the sensors are up and running
- Take note of the ingestion rate
- Take note of the number of alerts
- Make sure the system health indicator shows a healthy system
- Run the pre-upgrade check
Upgrading the DP to 4.1.1
To upgrade the DP from 3.12.1 (or later) to 4.1.1:
- Click Admin | Software Upgrade.
- Choose 4.1.1.
- Click Start Upgrade.
Upgrading Sensors
New features, updated ML algorithms, and enhanced configurations may change ingestion and detection patterns. We recommend the following to ensure a smooth upgrade:
- Upgrade security sensors before network sensors, because network sensors send data to security sensors for additional processing.
- Upgrade sensors in batches instead of all at once.
- For agent sensors:
  - Upgrade a small set of sensors that cover non-critical assets.
  - After 24 hours, ensure that your ingestion is as expected, then upgrade a larger set.
  - After 24 hours, ensure that your ingestion is as expected, then upgrade the remaining agent sensors.
To upgrade Windows-based sensors:
If your deployment is already running v3.12.1 or 4.1.0, you do not need to upgrade your Windows-based sensors. For deployments running older versions, manually download and upgrade using the 3.12.1 Windows installers below.
The software can be downloaded directly from the production server by using one of the following URLs (each installer has a companion .sha1 file with its published digest):
- For 64-bit Windows:
  https://acps.stellarcyber.ai/release/3.12.1/datasensor/windows-x64.msi
  https://acps.stellarcyber.ai/release/3.12.1/datasensor/windows-x64.msi.sha1
- For 32-bit Windows:
  https://acps.stellarcyber.ai/release/3.12.1/datasensor/windows-x86.msi
  https://acps.stellarcyber.ai/release/3.12.1/datasensor/windows-x86.msi.sha1
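Since the page publishes a .sha1 digest next to each installer, the natural check before a manual upgrade is to compare it against the downloaded MSI. The following PowerShell is an added example, not Stellar Cyber's own tooling; it assumes the .sha1 file contains the hex digest as its first 40-hex-character token (the file's exact layout is not documented on this page).

```powershell
function Get-VerifiedSensorInstaller {
    # Downloads the 3.12.1 Windows sensor MSI and its published .sha1 digest,
    # and returns the MSI path only if the locally computed SHA-1 matches.
    [CmdletBinding()]
    param(
        [ValidateSet('x64', 'x86')] [string]$Arch = 'x64',
        [string]$OutDir = (Join-Path $env:TEMP 'stellar-sensor')
    )

    $base    = 'https://acps.stellarcyber.ai/release/3.12.1/datasensor'
    $msiUrl  = "$base/windows-$Arch.msi"
    $sha1Url = "$msiUrl.sha1"
    $msiPath = Join-Path $OutDir "windows-$Arch.msi"

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # Fetch both artefacts over HTTPS; Invoke-WebRequest throws on HTTP errors.
    Invoke-WebRequest -Uri $msiUrl -OutFile $msiPath -UseBasicParsing
    $published = (Invoke-WebRequest -Uri $sha1Url -UseBasicParsing).Content

    # Assumption: the digest is the first run of exactly 40 hex characters.
    if ($published -notmatch '(?i)\b([0-9a-f]{40})\b') {
        throw "No SHA-1 digest found in $sha1Url"
    }
    $expected = $Matches[1].ToLowerInvariant()

    # Hash what actually landed on disk and compare case-insensitively.
    $actual = (Get-FileHash -Path $msiPath -Algorithm SHA1).Hash.ToLowerInvariant()
    if ($actual -ne $expected) {
        # Remove the file so a later step cannot install it by mistake.
        Remove-Item -Path $msiPath -Force
        throw "SHA-1 mismatch for $msiPath (expected $expected, got $actual)"
    }

    Write-Verbose "SHA-1 verified for $msiPath"
    return $msiPath
}

# Usage (constructed): obtain the verified 64-bit installer, then run it.
# $msi = Get-VerifiedSensorInstaller -Arch x64 -Verbose
```

Because the digest is served from the same host over the same channel as the installer, this check catches truncated or corrupted downloads and stale cached copies; it does not protect against a compromised download server.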
To upgrade Linux-based sensors:
- Click Collect | Sensor Overview. The Data Sensor List appears.
- Click the MANAGE drop-down and choose SOFTWARE UPGRADE. The DATA SENSOR SOFTWARE UPGRADE panel appears.
- Choose the 4.1.1 image.
- Choose the sensors to upgrade.
- Click Submit.
Verifying the Upgrade
To verify that the upgrade was successful:
- Check the Current Software Version on the Admin | Software Upgrade page.
- Make sure the sensors are up and running.
- Check the ingestion rate and make sure it is as expected.
- Check the number of alerts and make sure it is as expected.
- Check the system health indicator, which has three states:
  - Healthy: a perfectly healthy system.
  - Minor issues: monitor the system for 30 minutes. If the issues remain, investigate further.
  - Major issues: contact Technical Support.