Stellar Cyber 4.3.0 Release Notes

Stellar Cyber 4.3.0 brings improvements to the Stellar Cyber Open XDR platform, including new features, improvements, enhancements, key fixes, and known issues. Upgrade instructions follow all of that great information.

For an overview, see the Stellar Cyber 4.3.0 Preview Video.

Highlights

  • Redesigned Stellar Cyber UI navigation to simplify security analysis workflows.

  • Revamped the data sink feature with improved performance and flexibility.

  • Enhanced the system performance by introducing query coordinating nodes into the architecture.

  • Allow users to clone ATH playbook configurations.

  • Introduced Query Management to manage saved queries.

  • Introduced Lookup Lists for conditional matching in queries.

Deprecations

  • Deprecated SNMP index has been removed from the Threat Hunting page.

  • Deprecated the Proofpoint parser on port 5160. Please use port 5596 instead.

  • Starting from 4.2.2, Windows server sensor installation will not automatically install the Windows Sysmon utility. Customers are encouraged to install the software separately using the instructions in the Knowledge Base. The Windows server sensor is still able to collect Sysmon logs.

Platform Security Enhancements

Addressed the Log4j2 vulnerability (CVE-2021-44228) by disabling format message lookups in all applications that include Log4j2.

Sensor Enhancements

  • Introduced a new show userapp all command in the sensor CLI that shows the complete list of user-defined apps configured on a sensor.

  • Enhanced the show version command in the Linux agent sensor CLI to include CPU, memory, and disk space information.

  • Added support for collection of AppLocker events.

Parser Enhancements

  • Introduced new parsers for the following:

    • RFC5424 Syslog on ingestion port 5589

    • Synology Directory Service on ingestion port 5597

    • Nasuni on ingestion port 5592

    • HPE switches on ingestion port 5595

    • Infoblox NIOS on ingestion port 5587

    • Juniper switches on ingestion port 5591

    • Arbor Peakflow SP on ingestion port 5598

    • DrayTek Firewall on ingestion port 5593

    • LanScope Cat on ingestion port 5588

    • Zyxel Firewall on ingestion port 5594

    • NXLog on ingestion port 5601

    • Snare Agent on ingestion port 5590

    • Proofpoint on ingestion port 5596

    • Windows DNS Server on ingestion port 5599

  • Added TCP ingestion support for Indusface WAF logs.

  • Improved the Barracuda Firewall parser to:

    • Parse the Syslog timestamp. It is stored as an epoch in "log.syslog.timestamp".

    • Parse the event time. It is stored as an epoch in "event.timestamp".

    • Move the "event_description" field to "log.event_description".

  • Moved the “product”, “device_type”, and “permission” fields to vendor-specific in Trend Micro CEF log ingestion.

  • Improved the DLink parser to recognize more log messages correctly.

  • Improved Guardicore CEF log ingestion by moving the “incidentuuid”, “incidenturi”, “incidenttags”, “start”, “dproc”, “connection_type”, “connection_verdict”, “cnt”, “policy_rule”, and “id” fields to vendor-specific.

  • Improved the Cisco FirePower parser on ingestion port 5168:

    • Support the new timestamp format in the header.

    • Support detailed message parsing for msgid '%FTD-6-430002' and '%FTD-6-430003'.

    • Recognize the "fw_policyid" and "prefilter_policy" fields.

  • Improved the MCAS (Microsoft Cloud App Security) CEF log parser:

    • Moved the "device_ipv6_address", "portalurl", "uniqueserviceappids", "targetobjects", "policyids", "externalid", "start", "end", "destinationservicename", and "requestclientapplication" fields to vendor-specific namespace.

    • Logs are stored in the "wineventlog" index when the "cef_device_vendor" field is "MCAS".

  • Set dev_type to fw_checkpoint and dev_class to firewall when the log is a Check Point firewall log in Check Point CEF log ingestion.

  • Moved the 'channel' and 'incident_source_(ad_account)' fields to vendor-specific in Trend Micro CEF log ingestion.

  • Improved the Cisco ASA parser to parse the "duration" and "bytes" fields.

  • Improved the Netscaler parser:

    • Split the "event_description" field into "citrix.custom_value_1", "citrix.custom_value_2", "citrix.executed_action", "citrix.custom_value_3", and "citrix.custom_value_4" for the Netscaler parser on ingestion port 5166.

    • Normalized event_description_detail to log.event_description.

    • Added support for a new log format.

  • Moved the “block_reason”, “virus_name”, “protocol/version”, “url_categories”, “policy”, “reputation”, “requestmethod”, “filetype”, and “requestclientapplication” fields to vendor-specific in McAfee CEF log ingestion.

  • Improved the F5 VPN parser to cover more log types.

  • Improved the Check Point firewall parser as follows:

    • Added coverage for more log types.

    • Added the msg_origin.category field.

  • Extracted the PolicyName field from the XML part and stored it under the vendor namespace for the McAfee ePO parser on ingestion port 5533.

  • Added the "dev_class" field with value "firewall" to the Interflow JSON record produced by the SECUI firewall parser.

  • Improved the SECUI MF2 parser to support more types of headers. Changed the data type of the "secui.fw_rule_id" field from string to integer.

  • Moved the "ruleid", "deviceexternalid", "destinationservicename", "deviceinboundinterface", and "devicefacility" fields to vendor-specific in Forcepoint CEF log ingestion.

  • Set the "dev_type" and "msg_class" fields to "mcafee_web_gateway" for McAfee Web Gateway logs in the CEF parser.

  • Improved LEEF parser as follows:

    • Only send logs with a full tuple to the traffic index.

    • The “process_id” field is now stored under vendor namespace if it is not an integer.

    • Store the “event_id” field on the top level only when it's an integer and the vendor is Microsoft or Windows; otherwise it is stored as “event.id”.

Connector Enhancements

  • Renamed the “VMware Carbon Black” connector to “VMware Carbon Black Cloud”.

  • The Azure Event Hub Connector now supports more than one event source specified in a single connector.

  • The “More Info” option in the connector test function is now supported for all connectors. This option shows detailed log information, when available.

Detection/ML Improvements

Improved handling of EDR alerts ingested from log parsers or collectors configured for Blackberry Cylance as follows:

  • BlackBerry CylanceOptics events are processed directly through Stellar Cyber Machine Learning to generate Stellar Cyber ML-based alerts.

Platform Enhancements

  • Restructured the data sink framework with:

    • Improved performance of the data sink process

    • Simplified configuration

    • New data sink types: Azure Blob Storage and NFS

  • Enhanced the system performance by introducing query coordinating nodes into the architecture.

  • Introduced an incidents API that returns a list of incidents with search parameters.

  • Introduced multiple ML framework improvements for better performance and troubleshooting capabilities.

Usability Improvements

  • Redesigned Stellar Cyber UI navigation to simplify security analysis workflows. For example, all administrative activities are accessed from a single System menu.

  • Introduced Query Management to manage saved queries.

  • Users can configure Lookup lists, which can be used in queries, in dashboards, and in ATH playbooks.

  • Users can now clone Automated Threat Hunting playbook configurations.

  • The XDR company trend dashboard has been updated with more usable charts and now maps to the current XDR Kill Chain.

  • IP address and domain name summarization has been applied to Incident graphs to reduce graph size when there are more than 20 alerts from a host node to other nodes that have IP addresses in the same or neighborhood subnet or have domain names sharing the same parent hierarchy. The summarized IP addresses are shown in a single node with CIDR notation, and summarized domain names with an asterisk (*) followed by their shared parent hierarchy. Clicking on a summarized node will show all its original nodes in the "Group Details" panel.

  • From the incident overview page, users can now export a CSV with up to 100K records.
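The Incident graph summarization described above, as an added illustration that is not Stellar Cyber's own code: it groups a host's alert targets by neighborhood (IPv4 /24 for addresses and the parent hierarchy for domain names, both assumptions here), and once a group carries more than 20 alerts it collapses the targets into a single CIDR node or a "*.parent" node while keeping the originals for a "Group Details" view.

```python
import ipaddress
from collections import defaultdict

SUMMARIZE_ABOVE = 20  # the release notes' threshold: more than 20 alerts from one host node


def covering_cidr(ips):
    """Smallest single CIDR block that contains every address (same IP version assumed)."""
    nets = [ipaddress.ip_network(ip) for ip in ips]
    net = nets[0]
    for other in nets[1:]:
        while not other.subnet_of(net):
            net = net.supernet()
    return str(net)


def neighbourhood_key(target):
    """Grouping key: /24 for IP addresses (assumption) or the parent hierarchy for domains."""
    try:
        addr = ipaddress.ip_address(target)
        return ("ip", str(ipaddress.ip_network(f"{addr}/24", strict=False)))
    except ValueError:
        labels = target.lower().strip(".").split(".")
        return ("domain", ".".join(labels[1:]))  # empty parent for a single-label name


def summarize_targets(alerts, threshold=SUMMARIZE_ABOVE):
    """alerts: (host, target) pairs, one per alert. Returns {host: {node_label: [originals]}}."""
    per_host = defaultdict(lambda: defaultdict(list))
    for host, target in alerts:
        per_host[host][neighbourhood_key(target)].append(target)
    graph = {}
    for host, groups in per_host.items():
        nodes = {}
        for (kind, parent), targets in groups.items():
            if len(targets) > threshold and parent:
                label = covering_cidr(targets) if kind == "ip" else "*." + parent
                nodes[label] = sorted(set(targets))  # what "Group Details" would list
            else:
                for t in targets:
                    nodes[t] = [t]
        graph[host] = nodes
    return graph


if __name__ == "__main__":
    # Constructed sample: 25 alerts to one /24, 21 to one domain parent, 1 to a lone domain.
    sample = [("10.0.0.5", f"10.1.2.{i}") for i in range(1, 26)]
    sample += [("10.0.0.5", f"h{i}.cdn.example.net") for i in range(1, 22)]
    sample += [("10.0.0.5", "mail.example.com")]
    for label, originals in summarize_targets(sample)["10.0.0.5"].items():
        print(f"{label}: {len(originals)} original node(s)")
```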

Critical Bug Fixes

  • Resolved an issue where the asset count in the Asset Usage page could show zero.

  • Fixed an issue where data in cold storage was not properly purged.

  • Resolved the regex match query failure. As part of this fix, backslashes in query string queries must now be properly escaped.

  • Fixed a regression in 4.1.x and 4.2.x where customized GEOLocation enrichment did not take effect until the next configuration change after a system restart.

  • Fixed a bug in the MySQL/Klassify connector that caused the integration to fail with the following error message: “Failed to send http data: 401”.

  • Fixed a regression in 4.2.1 where alerts could not be added to any existing incident.

  • Addressed a performance issue in GuardDuty log ingestion to keep up with data generation.

  • Resolved an issue where modular sensor upgrades could fail with error message “dpkg: error processing package maltrace”.

  • System health status is now updated correctly when the system recovers from an overload condition.

  • Enabled auto timeout for the Stellar Cyber Central UI, same as with the Stellar Cyber UI.

  • Resolved an issue where the receiver IP was not synced to the aggregator module in a modular sensor.

  • Resolved an issue where the local disk filled up because external storage was disconnected.

Known Issues

  • In certain rare situations, the UI may not be accessible after upgrading to 4.3.0. If this happens, contact the Customer Success team for assistance in restarting the user interface service.

  • Use the System | Sensors | Manage | Software Upgrade feature to upgrade Windows Server Sensors running 3.7.x and later to 4.3.0. Although you can use the System | Agents | Windows page to download MSI and/or MST files for Windows Server Sensor installations, these files should only be used for fresh installations and reinstallations and not for upgrades.

  • Since 4.0.0, custom alert identifiers were updated to be prefixed with “custom_”, but the display names are still the same.

  • Currently, administrators need to use the Stellar Cyber UI to upgrade existing 4.2.2 Windows agent sensors to version 4.3.0. Download the GPO configuration in UI System | Agents | Windows only for new sensor installation or sensor re-installation.

  • Although data sink performance is improved, adding a data sink can still reduce DA performance by 30% to 40%, and data sink performance depends heavily on the I/O bandwidth between DA nodes and data sink storage.

  • With improvements made to the table management, some saved columns may not appear and users need to readjust columns.

  • Log Forwarder only collects statistics for up to 100 different log source IPs per Log Forwarder worker. If the total number of log source IPs exceeds 100, the statistics of the additional log source IPs are aggregated into the catch-all IP "0.0.0.0".

  • A modular sensor upgrade will fail when the associated modular sensor profile has the IDS or Sandbox features enabled and the corresponding feature license is not assigned to the sensor. Workaround: Authorize the sensor with an IDS and Sandbox license, or in the modular sensor profile, disable the IDS and the Sandbox features and try to upgrade again.

  • Stellar Cyber recommends using the same CPU and Memory specifications for DL nodes. Variations in specifications across worker nodes can cause Data Lake stability issues.

  • The proxy settings do not work in the following connectors: Cisco Umbrella, VMware Carbon Black, Duo Security, Tenable.io, Prisma Cloud, AWS Cloudtrail, BlueCoat WSS, and Azure Event Hub.

  • When multiple traffic filters are defined for a tenant with the same combination of IP, port, protocol, and layer 7 rules, the filter may fail to take effect. Administrators should review the defined traffic filters and make sure there are no duplicate definitions.

  • Files may not be assembled by Security Data Sensors for traffic mirrored from physical interfaces on Cisco Nexus 9K models. As a workaround, configure VLAN mirroring on the Cisco switch.

  • Sensor installation on Linux servers running CentOS 6 fails because the official CentOS 6 package download link is no longer available.

  • If you change the network interface configuration of a sensor’s VM after deployment, the eth0 interface may be remapped to a new interface. If this happens, the management network is disconnected. Contact Technical Support for assistance.

Upgrading

You can only upgrade Stellar Cyber from 4.2.x to 4.3.0. You must:

Please refer to the online documentation section Upgrading Software for more detailed instructions.

Preparing for the Upgrade

To prepare for the upgrade:

  • Back up the data and configuration
  • Make sure the sensors are up and running
  • Take note of the ingestion rate
  • Take note of the number of alerts
  • Make sure the system health indicator shows
  • Run the pre-upgrade check

Upgrading the DP to 4.3.0

To upgrade the DP to 4.3.0, first upgrade to 4.2.x, then:

  1. Click Admin | Software Upgrade.

  2. Choose 4.3.0.

  3. Click Start Upgrade.

Review Alert/Machine Learning Training Time for guidance on the training time of updated ML models.

Upgrading Sensors

New features, updated ML algorithms, and enhanced configurations may change ingestion and detection patterns. We recommend the following to ensure a smooth upgrade:

  • Upgrade security sensors before network sensors, because network sensors send data to security sensors for additional processing.
  • Upgrade sensors in batches instead of all at once.
  • For agent sensors:
    • Upgrade a small set of sensors that cover non-critical assets.
    • After 24 hours, ensure that your ingestion is as expected, then upgrade a larger set.
    • After 24 hours, ensure that your ingestion is as expected, then upgrade the remaining agent sensors.

To upgrade Linux-based or Windows-server sensors:

  1. Click System | Sensors. The Data Sensor List appears.

  2. Click Software Upgrade in the Manage dropdown. The Data Sensor Software Upgrade page appears.

  3. Choose the target software version.

  4. Choose the target sensors.

  5. Click Submit.

Verifying the Upgrade

To verify that the upgrade was successful:

  • Check the Current Software Version on the Admin | Software Upgrade page.
  • Make sure the sensors are up and running.
  • Check the ingestion rate and make sure it is as expected.
  • Check the number of alerts and make sure it is as expected.
  • Check the system health indicator:
    • indicates a perfectly healthy system.
    • indicates minor issues. Monitor the system for 30 minutes. If the issues remain, investigate further.
    • indicates major issues. Contact Technical Support.