Stellar Cyber 4.3.5 Release Notes

Updated March 9, 2023

Stellar Cyber 4.3.5 brings improvements to the Stellar Cyber Open XDR platform, including new features, improvements, enhancements, key fixes, and known issues. Upgrade instructions follow all of that great information.

Highlights

  • Introduced ten new connectors for API integrations.

  • Introduced EDR alert integrations with Cynet, Bitdefender, and FireEye HX.

  • Introduced a new Port Relay feature that lets you ingest logs from different sources on a single port. Use new sensor CLIs to configure multiple parsers running on the same TCP/UDP port (for example, UDP 514).

  • Introduced a new per connector details page to give better visibility on configured connectors.

  • Added 32 new parsers for log integrations.

Behavior Changes

Changes that affect the way users interact with the product or interpret results are listed below.

  • Improved the IDS performance by:

    • Bypassing the sensor’s own communications with the DP.

    • Bypassing encrypted traffic after initial TLS handshake.

  • Limited the bulk event update API batch size to 5000 to avoid high memory usage in the management UI service.

  • Also review the section for Parser Improvements, below.

Deprecations

  • Deprecated weak cipher suites from sensor-DP communications. Because of these deprecations, upgrades of server sensors running in Red Hat 6.7 may fail. You can resolve this issue in either of the following ways:

    • Upgrade cURL to the latest version available in Red Hat 6.7.

    • Uninstall the old version of the server sensor and then reinstall version 4.3.5.

  • Removed the configuration field Number of Workers from the Log Forwarder section in both the Standard Sensor profile and the Modular Sensor profile. For existing profiles with customized Number of Workers, after DP is upgraded to 4.3.5:

    • When a sensor is running 4.3.4 and older versions, the customized worker number still applies in that sensor.

    • When a sensor is running 4.3.5 and later versions, the customized worker number is ignored. The worker number is automatically set in sensors.

  • The SentinelOne connector no longer supports credential authentication using a username/password; only API keys are supported. This keeps the connector consistent with SentinelOne, which does not support username/password authentication unless 2FA is enabled. An existing connector configured with a username/password must be updated with an API key to continue to work.

  • Renamed the Netskope WSG connector to Netskope connector and started to use the v2 APIs. Existing Netskope connectors still use the v1 APIs, but customers are strongly encouraged to create v2 API credentials and switch to the v2 APIs. We recommend that customers:

    1. Create a new Netskope connector with v2 API credentials.

    2. Verify that its data ingestion matches the existing Netskope WSG connector using the v1 APIs.

    3. Delete the existing Netskope WSG connector using the v1 APIs.

Critical Bug Fixes

  • Fixed: Addressed vulnerabilities discovered by pen testing in APIs used by the UI. We encourage all users to upgrade to 4.3.5.

  • Fixed: Improved the model to address the false Outbound Destination Country Anomaly alert raised when the source and destination of a communication are within the same country.

  • Fixed: Data Lake performance degradation experienced at customer sites.

  • Fixed: Illegal characters in filter names caused the sensor configuration to go out of sync.

  • Fixed: Some events from Deep Instinct were not promoted to XDR alerts due to deduplication.

  • Fixed: Webhook path in ATH did not accept standard URL special characters “?=&”.

  • Fixed: Inconsistent time in charts in the asset and volume license pages. UTC is now used in both charts.

  • Fixed: Event ID filter did not work in Windows Server Sensors but would work after configuration changes.

  • Fixed: Image files could not be purged when the disk is full on DP.

  • Fixed: SentinelOne connector experienced authentication failure with API keys created in a service account.

  • Fixed: Language files were not being loaded when exporting incident PDFs. Chinese and Japanese are now supported for incident PDFs following the same behavior as dashboard PDFs.

  • Fixed: Traffic monitoring in Linux server sensors could fail due to a memory allocation failure.

  • Fixed: Exported incident PDFs showed unknown tenant.

Usability Improvements

  • Introduced a connector details page for details on configuration and ingestion, available by clicking a connector name.

  • Introduced a new Status field in the Connector Overview table. This field reports N/A for legacy connectors that do not yet support this feature.

  • Introduced new connector status fields Last Activity and Last Data Received in the Connector Overview table. However, those fields are not reported by connectors, such as AD and vulnerability scanner connectors, running in sensors of 4.3.4 or earlier versions.

  • When creating an alert filter from an existing alert, appid, srcport and dstport fields are now pre-populated if they exist.

  • Enhanced Certificate Management by allowing admins to upload chained certificates.

  • Enhanced the tag search in the Incident view to show all tags when typing.

  • Tightened the management scope of custom alerts created by ATH. Users can create, edit, and delete custom alert types from the Alerts page.

  • Simplified the tenant deletion process.

Detection/ML Improvements

  • Improved the User Login Failure Anomaly and the Account Login Failure Anomaly alerts to work better with Windows event ID 4776. Added a new "Source Realm" Key Field to the User Login Failure Anomaly alerts, populated as follows:

    • Shows a Source Workstation in absence of Source IP if event ID 4776 is detected

    • Shows a Domain name if event ID 4625 / 4768 is detected

    • Shows a Kerberos Realm if event ID 4771 is detected

    • Shows a Service ID / Organization ID if other cloud-based login failures are detected.

  • Improved the Account Login Failure Anomaly alerts with higher detection coverage on Windows Logon events as follows:

    • Extended the coverage for Windows Logon events 4624/4625 to all Logon types.

    • Changed the detected field for all Windows Logon events from srcip_usersid to srcip_username to improve coverage with unknown usernames and alert presentation.

    As a result of these improvements, you should expect to see more alerts from this Alert Type after upgrading to 4.3.5.

  • Introduced new alert types for:

    • Password Cracking with Hashcat

    • Password Spraying Attempts Using Dsacls

    • Hydra Password Guessing Hack Tool

  • The following third party alerts are now integrated and promoted as XDR alerts:

    • Cynet alerts (ingested through our CEF parser)

    • Bitdefender (ingested through parser) alerts

    • Trellix (FireEye) Endpoint Security HX alerts

  • Improved the Impossible Travel Anomaly alert:

    • Tuned the fidelity score to boost the scores for intercontinental impossible travels.

    • Implemented history tracking of frequent impossible travel locations to reduce false positives.

    After replaying recent data through the updated model, we observed 70% fewer alerts compared to the previous model. Our study of the surviving alerts showed a far lower rate of potential false positives. Additionally, the alerts that were dropped do not appear likely to have included any true positives.

  • Improved and reduced false positives of the Long App Session Anomaly alert.

  • Improved the SMB Impacket Lateralization alert to cover the psexec command.

  • Improved the User Login Location Anomaly alert to show past or typical login locations.

  • Created logs in the Syslog index when an incident’s score changes. Notification can be built using ATH rules.

  • Improved the Login Time Anomaly alerts to show the timezone in actual / typical login times. The timezone is first calculated from engid_gateway's location, and if it does not exist, DP timezone will be used.

  • Introduced more accurate alert descriptions for all IDS related alerts.

  • Added payload details for DNS and HTTP IDS events.
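The two login-failure improvements above (the new Source Realm key field and the switch from srcip_usersid to srcip_username) describe a small enrichment and grouping step. The following is an added example, not Stellar Cyber code, that implements that step over constructed Windows and cloud login-failure records. The field names used (event_id, srcip, workstation, domain, realm, service_id, org_id, username) are assumptions for illustration; the real Interflow field names are not given in the release notes.

```python
"""Added example (not Stellar Cyber code): derive the "Source Realm" key field
for login-failure events and the srcip_username grouping key described in the
release notes. Field names are assumed for illustration."""
from collections import Counter

# Sample login-failure records, constructed for this example.
SAMPLE_EVENTS = [
    # 4776: NTLM credential validation; carries a workstation name, no source IP
    {"event_id": 4776, "workstation": "WS-FINANCE-07", "username": "jdoe"},
    # 4776 that also carries a source IP: srcip is usable, no realm substitute needed
    {"event_id": 4776, "srcip": "10.1.2.3", "workstation": "WS-FINANCE-07", "username": "jdoe"},
    {"event_id": 4625, "srcip": "10.1.2.3", "domain": "CORP", "username": "jdoe"},
    {"event_id": 4768, "srcip": "10.1.2.9", "domain": "CORP", "username": "svc-backup"},
    {"event_id": 4771, "srcip": "10.1.2.9", "realm": "CORP.EXAMPLE.COM", "username": "svc-backup"},
    # cloud login failure: no Windows event ID, identified by a service/org ID
    {"srcip": "203.0.113.5", "service_id": "o365-tenant-42", "username": "jdoe"},
    # 4625 with the username missing: still counted, keyed as "unknown"
    {"event_id": 4625, "srcip": "10.1.2.3", "domain": "CORP"},
]

DOMAIN_EVENTS = {4625, 4768}      # failed logon / Kerberos TGT request
KERBEROS_PREAUTH_FAILED = 4771
NTLM_VALIDATION = 4776

def source_realm(event):
    """Return the Source Realm value for one login-failure event, or None.

    Event ID 4776 identifies the client by workstation name rather than IP, so
    the workstation stands in when srcip is absent; 4625/4768 yield the domain,
    4771 the Kerberos realm, and anything else is treated as a cloud login
    failure keyed by its service or organization ID.
    """
    eid = event.get("event_id")
    if eid == NTLM_VALIDATION:
        return None if event.get("srcip") else event.get("workstation")
    if eid in DOMAIN_EVENTS:
        return event.get("domain")
    if eid == KERBEROS_PREAUTH_FAILED:
        return event.get("realm")
    return event.get("service_id") or event.get("org_id")

def detected_key(event):
    """srcip_username grouping key. Unknown usernames are kept as 'unknown'
    rather than dropped, which is what widens coverage over keying on the SID."""
    source = event.get("srcip") or event.get("workstation") or "unknown"
    return f"{source}_{event.get('username') or 'unknown'}"

def enrich(events):
    """Attach source_realm and detected (the grouping key) to each record."""
    return [dict(e, source_realm=source_realm(e), detected=detected_key(e)) for e in events]

def failure_counts(events):
    """Login failures per srcip_username key, the quantity an anomaly model scores."""
    return Counter(detected_key(e) for e in events)

if __name__ == "__main__":
    for rec in enrich(SAMPLE_EVENTS):
        print(rec["detected"], "->", rec["source_realm"])
    print(failure_counts(SAMPLE_EVENTS))
```

Because the key falls back to the workstation name or "unknown" instead of discarding the record, the same source produces more grouped failures than before, which is the reason the notes say to expect more alerts of this type after upgrading.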

Platform Enhancements

  • Introduced temporary account lockout when consecutive login failures are seen.

  • Added configuration, data backup status, and external test status to the DP monitoring index so customers can create custom alerts.

  • Introduced a new cold storage management mode so that while data is being backed up in a data sink, the cold data retention is still managed in the legacy cold storage.

Sensor Improvements

  • Introduced a process to reset a lost CLI password for a device sensor, including network, security, and modular sensors. Refer to Resetting a Device Sensor's Password for details.

  • Enriched the IDS events generated by a security sensor with evidence in payload_dtails.

  • Introduced a configuration option in the sensor profile to save raw logs in Interflow records by log parsers.

  • Enhanced the Windows log collection by allowing users to add Windows event channels in the sensor profile.

  • Introduced support for GCP traffic monitoring in security sensors.

Connector Enhancements

  • Introduced the Trellix (FireEye) Endpoint Security HX connector that collects endpoint alerts from the platform.

  • Introduced the Jamf Protect connector to collect alerts.

  • Introduced the Google Cloud Audit Logging connector that collects Admin Activity, Data Access, System Event, and Policy logs.

  • Introduced the Broadcom Symantec Endpoint Security (SES) connector that collects Device and Eventlogs.

  • Introduced the Cato Networks connector that collects the Cato Networks Security, Connectivity, Socket Management, Routing, System, and Audit logs.

  • Introduced the VMware Workspace ONE connector that collects Launch and Login logs.

  • Introduced the response capability in the Sophos Central connector. Also enhanced the Sophos Central connector to support Client ID/Client Secret authentication.

  • Introduced the response (blocking an IP) capability in the Cisco Firepower connector.

  • Introduced the Webroot connector that collects Endpoint, Threat History, Blocked Traffic, Traffic Summary, Phishing, and Block URL logs.

  • Introduced the Bitdefender response connector.

  • More connector operational stats are collected in the Sensor Monitoring Index.

  • The SentinelOne connector no longer supports credential authentication using username/passwords; only API keys can be provided. This is to remain consistent with SentinelOne which does not support username/password unless 2FA is enabled.

  • Updated the Netskope WSG connector name to Netskope and started to use the v2 APIs. Existing connectors still use the v1 APIs, but customers are strongly encouraged to create v2 API credentials and switch to the v2 APIs.

  • Enhanced the Tenable.io connector to support scan imports.

  • Improved the Tenable.sc connector’s performance by optimizing the number of API requests.

  • Enhanced the AWS CloudWatch and GuardDuty connectors with new AWS regions.

  • Enhanced the AWS CloudTrail connector to

    • support region-specific buckets.

    • collect cloudtrails from organizational buckets.

  • Enhanced the Azure Event Hub connector with new data types:

    • Azure Bastion

    • Azure Keyvault

    • Azure Security Group logs

  • Enhanced the CrowdStrike connector to collect logs with the Falcon event streaming API. Log types include Detection Summary and Audit Event, which are currently supported by the parser, and all other data types supported by the Falcon streaming API.

  • Enhanced the SentinelOne connector to collect more data types.

Parser Improvements

(For port details, refer to Log Parser Ports.)

  • Validated the following for CEF, LEEF, and HTTPJSON parsers:

    • Citrix Netscaler (CEF)

    • Comodo CIS CCS (CEF)

    • eDictionary (CEF)

    • Forcepoint DLP (CEF)

    • Forcepoint Firewall (CEF)

    • Fortinet FortiGate (CEF)

    • Imperva SecureSphere (CEF)

    • NetIQ Identity Manager (CEF)

    • Palo Alto Networks Traps Agent (CEF)

    • RazLee Security Audit (CEF)

    • SonicWall NSA 2400 (CEF)

    • Avanan (HTTPJSON)

    • VMware Carbon Black (LEEF)

    • Trend Micro Deep Security Agent (LEEF)

    • WatchGuard XTM (LEEF)

    • Lancope StealthWatch (LEEF)

    • Palo Alto Networks Next Generation Firewall (LEEF)

  • Introduced the following new built-in parsers:

    • Ahnlab EMS

    • AhnLab AIPS logs

    • Ahnlab EPP logs

    • Absolute NetMotion logs

    • Aqua Security CNAPP (Aqua Cloud Native Application Protection Platform) logs

    • AQTRONiX WebKnight

    • Cerberus FTP logs

    • CoSoSys Endpoint Protection

    • DNSVault RPZdb logs

    • ESET Protect logs

    • Future Systems WeGuardia SSL Plus (SSL VPN)

    • Fortinet FortiWeb (v6.3.19, v6.3.7)

    • FortiSandbox logs

    • FireEye HX logs

    • General purpose Unix logs

    • IBM AS/400 logs

    • Keycloak logs

    • Logstash Suricata

    • Medigate logs

    • Menlo MS-XL50M logs

    • Microsoft IIS

    • Microsoft Windows Event from LogRhythm

    • MicroWorld eScan logs

    • Netman Smart NAC logs

    • NetMotion

    • OpenCanary logs

    • OpenVPN logs

    • Sangfor NGAF

    • Secuwiz Secuway SSL VPN logs

    • Unix

    • Wazuh

    • WINS Sniper NGFW logs


  • Made the following parser enhancements:

    • Enhanced the Avanan parser with multi-tenant support

    • Updated the VMware vCenter parser:

      • Moved any field with a name longer than 64 bytes into the msg_data

      • Added support for space character as the delimiter between key-value pairs for some logs

    • Updated the Open LDAP parser:

      • Field syslog_priority is normalized to log.syslog.priority

      • Changed the field event_time to log.syslog.timestamp

    • Updated the Sophos Firewall parser:

      • Normalized the action field so that alerts can be triggered

    • Updated the NXLog parser:

      • Supported logs from input module im_mseventlog

    • Updated the WatchGuard Firewall parser:

      • Normalized proto_name to proto; if proto_name is invalid, it is normalized into watchguard.proto_name

      • Set the dev_type field to watchguard_fw

    • Updated the Draytek Firewall Parser:

      • Normalized syslog_appname to log.syslog.appname

      • Moved log.event_description to draytek.custom_value_4; syslog_message is now normalized into log.event_description

    • Updated the Barracuda Firewall parser:

      • Fixed the vendor name barracuda

      • Improved the parser to support new log formats

      • Normalized field host_ip to log.syslog.hostname

    • Updated the Pulse Secure parser:

      • Supported more logs

      • Moved field msg to the vendor namespace when it cannot be parsed into deeper fields

    • Improved the IBM AIX parser:

      • Supported new log formats

      • Changed the vendor name from aix to ibm

      • Normalized the field event_time to log.syslog.timestamp as an epoch

      • Moved fields user, client, host, event_id, severity, and ibm into the vendor namespace

      • Changed the data type of field process_id from string to integer

    • Updated the Azure MFA parser:

      • Normalized field event_description to log.event_description

      • Normalized field hostname to log.syslog.hostname

      • Normalized field syslog_time to log.syslog.timestamp

    • Updated the Palo Alto Firewall parser:

      • Moved field palo_alto_networks.receive_time to palo_alto_networks.receive_time_str

      • Normalized field protocol to proto

      • Supported parsing “hip match” logs

    • Updated the Windows DNS server parser:

      • Supported European time format

      • Moved field client_ip to the vendor namespace if it is not a valid IPv4/v6 address

      • Enriched windows.protocol to proto when its value is http or https

    • Updated the Cisco Router and Switch parser:

      • Supported new log formats

      • Logs whose message contains a full tuple are now sent to the Traffic index

      • Moved field custom_value_2 to cisco.custom_value_2

      • Moved field facility to cisco.facility

    • Updated the Snare Agent parser:

      • Supported new log formats

      • Normalized field protocol to proto

    • Updated the BlueCoatProxySG parser:

      • Supported new log formats

      • Normalized field protocol to proto

    • Updated the Cisco ISE parser:

      • Normalized field UserName to cisco.UserName

      • Normalized field User-Name to cisco.User-Name

    • Updated the Aliyun parser:

      • Supported more log formats

      • Moved field srcip to vendor namespace if it does not have a valid IP address

    • Updated the following parsers with bug fixes and new log format support:

      • CEF

      • Dell iDrac

      • Bitdefender

      • F5 BigIP

      • Automax

      • Brocade Switch

      • Cylance

      • Cisco Firepower

      • Fatpipe SD WAN

      • Juniper Switch

      • LEEF

      • SentinelOne

      • Proofpoint

      • Avaya Switch

      • VMware vCenter

      • Checkpoint Firewall

      • Linux NIS logs

      • McAfee Network Security

      • Netwrix

      • Juniper SSG

      • Oracle

      • VMware NSX-T

      • Windows IIS

      • Windows DNS
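Several of the parser enhancements above follow one pattern: a raw field is promoted to its normalized name only when its value is valid, and otherwise moved into the vendor namespace so the raw value survives without polluting the normalized field (WatchGuard proto_name, Windows DNS client_ip, Aliyun srcip), alongside the vCenter rule for over-long keys and the AIX rule for timestamps as epoch. The following is an added example, not Stellar Cyber parser code, that implements that pattern generically over constructed records; the protocol list, the timestamp format, and the vendor namespace prefixes are assumptions for this example.

```python
"""Added example (not Stellar Cyber parser code): vendor-agnostic field
normalization with validation fallback, modelled on the parser notes.
  proto_name / protocol -> proto          (WatchGuard, Palo Alto, Snare, BlueCoat)
  client_ip / srcip kept only if valid IP  (Windows DNS, Aliyun)
  keys longer than 64 bytes -> msg_data    (VMware vCenter)
  event_time -> log.syslog.timestamp epoch (IBM AIX)
The timestamp format and the protocol list are assumptions for this example."""
import ipaddress
from datetime import datetime, timezone

MAX_KEY_BYTES = 64
IP_FIELDS = ("client_ip", "srcip")
PROTO_FIELDS = ("proto_name", "protocol")
KNOWN_PROTOS = {"tcp", "udp", "icmp", "http", "https", "dns", "gre", "esp"}  # assumed list

def is_ip(value):
    """True for a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(str(value))
        return True
    except ValueError:
        return False

def to_epoch(value):
    """Convert an ISO 8601 UTC timestamp (format assumed here) to epoch seconds."""
    dt = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())

def normalize(record, vendor):
    """Normalize one parsed key-value record into the given vendor namespace."""
    out, msg_data = {}, {}
    for key, value in record.items():
        if len(key.encode("utf-8")) > MAX_KEY_BYTES:
            msg_data[key] = value                 # vCenter rule: oversized keys
        elif key in PROTO_FIELDS:
            proto = str(value).lower()
            if proto in KNOWN_PROTOS:
                out["proto"] = proto              # normalized protocol field
            else:
                out[f"{vendor}.{key}"] = value    # unknown value: vendor namespace
        elif key in IP_FIELDS:
            if is_ip(value):
                out[key] = value
            else:
                out[f"{vendor}.{key}"] = value    # not an address: vendor namespace
        elif key == "event_time":
            out["log.syslog.timestamp"] = to_epoch(value)
        else:
            out[key] = value
    if msg_data:
        out["msg_data"] = msg_data
    return out

# Parsed records, constructed for this example (not real device output).
SAMPLE_WATCHGUARD = {"proto_name": "TCP", "srcip": "192.0.2.10", "msg": "Allow"}
SAMPLE_WINDOWS_DNS = {"client_ip": "not-an-ip", "protocol": "UDP",
                      "event_time": "2023-03-09T00:00:00Z"}
SAMPLE_VCENTER = {"x" * 70: "value", "srcip": "2001:db8::1", "proto_name": "vmotion"}

if __name__ == "__main__":
    print(normalize(SAMPLE_WATCHGUARD, "watchguard"))
    print(normalize(SAMPLE_WINDOWS_DNS, "windows"))
    print(normalize(SAMPLE_VCENTER, "vmware"))
```

Keeping invalid values under a vendor-prefixed key rather than dropping them matters for detection: a rule or alert filter on proto or srcip only ever sees well-formed values, while the original string remains searchable for investigation.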

         

Known Issues

  • In the rare case when the Stellar Cyber menu options have been significantly reorganized, it is possible that administrators will need to review settings for their custom user RBAC profiles. For example, any changed path to User Management, Connectors, or Visualize is considered by Stellar Cyber to be a "new feature." So if you have user profiles with Behavior for New Features in Future Releases set to No Access, they will not be able to access these features. Since the menu options were significantly changed in v4.3.0, migrations from older releases to v4.3.x and beyond warrant this review.

  • If you use a Cynet connector to perform a Contain Host or Shutdown Host on a host that is already disabled, shutdown, or otherwise not reachable, Cynet returns a status that the request was successful which is reported in the Stellar Cyber UI. If you are not certain whether an action was successful, you may verify it in the Cynet dashboard.

  • Deleting a Data Sink Import task and then creating a new one with the same dates results in duplicate data for any pre-4.3.1 data requested by the import.

  • To prevent an inconsistent database state, make sure you delete any active Data Sink import or restore tasks before using the Clear Database option in the System | Data Processor | Data Management | Advanced tab.

  • Operators such as contains, does not contain, and is are enabled in the pick list menus only when the selected field or rule supports them. For this reason, use the menu-based queries rather than the Search keyword field with these operators. Support for additional fields and rules will be added in the future.

  • During upgrade to v4.x and later, the alert type definitions are migrated to a new internal format, but the alert name remains the same in the UI. If the data you are viewing contains alerts generated from prior to the upgrade, be advised that those will be treated as separate from the alerts generated by the new, migrated definition (even though the alert name appears to be the same). Optionally, rename your alerts to more easily identify alerts generated from the old definitions from those created post upgrade.

  • Use the System | Sensors | Manage | Software Upgrade feature to upgrade Windows Server Sensors running 3.7.x and later to 4.3.5. Although you can use the System | Agents | Windows page to download MSI and/or MST files for Windows Server Sensor installations, these files should only be used for fresh installations and reinstallations and not for upgrades.

  • Currently, administrators need to use the Stellar Cyber UI to upgrade existing 4.2.2 Windows agent sensors to version 4.3.5. Download the GPO configuration in UI System | Agents | Windows only for new sensor installation or sensor re-installation.

  • You cannot delete a Data Sink that has an active import or restore in the Data Sink Import or Data Sink Restore tabs. Delete any active import/restore tasks for the data sink, wait at least ten minutes, and then delete the data sink.

  • Log Forwarder only collects statistics for up to 100 different log source IPs per Log Forwarder worker. If the total number of log source IPs exceeds 100, the statistics for the additional log source IPs are aggregated into the catch-all IP “0.0.0.0”.

  • A modular sensor upgrade will fail when the associated modular sensor profile has the IDS or Sandbox features enabled and the corresponding feature license is not assigned to the sensor. Workaround: Authorize the sensor with an IDS and Sandbox license, or in the modular sensor profile, disable the IDS and the Sandbox features and try to upgrade again.

  • Stellar Cyber recommends using the same CPU and Memory specifications for DL nodes. Variations in specifications across worker nodes can cause Data Lake stability issues.

  • When multiple traffic filters are defined for a tenant with the same combination of IP, port, protocol, and layer 7 rules, the filter may fail to take effect. Administrators should review the defined traffic filters and make sure there are no duplicate definitions.

  • Files may not be assembled by Security Data Sensors for traffic mirrored from physical interfaces on Cisco Nexus 9K models. As a workaround, configure VLAN mirroring on the Cisco switch.

  • If you change the network interface configuration of a sensor’s VM after deployment, the eth0 interface may be remapped to a new interface. If this happens, the management network is disconnected. Contact Technical Support for assistance.
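The Log Forwarder statistics limit in the known issues above is easy to misread when a large number of sources sit behind one worker. The following is an added example, not Stellar Cyber code, that models a per-worker statistics table with the same behaviour (at most 100 tracked source IPs, the rest folded into "0.0.0.0") and adds a saturation check an operator can use to decide whether the per-source numbers are trustworthy. The class, method names and the constructed syslog lines are assumptions for this example.

```python
"""Added example (not Stellar Cyber code): a per-worker log-source statistics
table that tracks at most 100 distinct source IPs and attributes lines from any
further source to the catch-all "0.0.0.0", as in the known issue."""
from collections import defaultdict

MAX_TRACKED_SOURCES = 100
CATCH_ALL = "0.0.0.0"

class WorkerSourceStats:
    """Statistics for one Log Forwarder worker (the limit is per worker)."""

    def __init__(self, limit=MAX_TRACKED_SOURCES):
        self.limit = limit
        self.lines = defaultdict(int)   # source IP -> log lines received
        self.bytes = defaultdict(int)   # source IP -> bytes received

    def record(self, srcip, line):
        """Account one received log line to its source, or to the catch-all."""
        if srcip not in self.lines and len(self.lines) >= self.limit:
            srcip = CATCH_ALL             # table full: this source is not tracked
        self.lines[srcip] += 1
        self.bytes[srcip] += len(line.encode("utf-8"))

    def tracked_sources(self):
        """Source IPs with their own counters (the catch-all excluded)."""
        return sorted(ip for ip in self.lines if ip != CATCH_ALL)

    def saturated(self):
        """True once at least one source has been folded into the catch-all,
        i.e. the per-source statistics no longer cover every sender."""
        return CATCH_ALL in self.lines

    def unattributed_lines(self):
        return self.lines.get(CATCH_ALL, 0)

def simulate(num_sources, lines_per_source=1):
    """Feed constructed syslog lines from num_sources distinct 10.0.0.0/8 hosts
    through a single worker and return its statistics."""
    stats = WorkerSourceStats()
    for n in range(num_sources):
        srcip = f"10.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}"
        for i in range(lines_per_source):
            stats.record(srcip, f"<134>Mar  9 00:00:{i:02d} host{n} app: constructed line")
    return stats

if __name__ == "__main__":
    s = simulate(120, lines_per_source=3)
    print("tracked:", len(s.tracked_sources()), "saturated:", s.saturated(),
          "unattributed lines:", s.unattributed_lines())
```

When saturated() is true, a drop in one tracked source's count cannot be distinguished from traffic that was simply attributed to 0.0.0.0, so a per-source ingestion alert built on these statistics should also watch the catch-all counter.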

Upgrading

You can only upgrade to Stellar Cyber 4.3.5 from 4.2.x or 4.3.x. You must:

Please refer to the online documentation section Upgrading Software for more detailed instructions.

Preparing for the Upgrade

To prepare for the upgrade:

  • Back up the data and configuration
  • Make sure the sensors are up and running
  • Take note of the ingestion rate
  • Take note of the number of alerts
  • Make sure the system health indicator shows a healthy system
  • Run the pre-upgrade check

Upgrading the DP to 4.3.5

To upgrade the DP to 4.3.5, first upgrade it to 4.2.x, 4.3.1, 4.3.2, 4.3.3, or 4.3.4, then:

  • Click Admin | Software Upgrade.

  • Choose 4.3.5.

  • Click Start Upgrade.

Review Alert/Machine Learning Training Time for guidance on training time of updated ML models.

Upgrading Sensors

New features, updated ML algorithms, and enhanced configurations may change ingestion and detection patterns. We recommend the following to ensure a smooth upgrade:

  • Upgrade security sensors before network sensors, because network sensors send data to security sensors for additional processing.
  • Upgrade sensors in batches instead of all at once.
  • For agent sensors:
    • Upgrade a small set of sensors that cover non-critical assets.
    • After 24 hours, ensure that your ingestion is as expected, then upgrade a larger set.
    • After 24 hours, ensure that your ingestion is as expected, then upgrade the remaining agent sensors.

To upgrade Linux or Windows Server Sensors:

If you are upgrading a Windows Server Sensor, complete any pending updates for the host Windows machine before upgrading the Server Sensor.

  1. Click System | Sensors. The Data Sensor List appears.

  2. Click Software Upgrade in the Manage dropdown. The Data Sensor Software Upgrade page appears.

  3. Choose the target software version.

  4. Choose the target sensors.

  5. Click Submit.

Verifying the Upgrade

To verify that the upgrade was successful:

  • Check the Current Software Version on the Admin | Software Upgrade page.
  • Make sure the sensors are up and running.
  • Check the ingestion rate and make sure it is as expected.
  • Check the number of alerts and make sure it is as expected.
  • Check the system health indicator:
    • indicates a perfectly healthy system.
    • indicates minor issues. Monitor the system for 30 minutes. If the issues remain, investigate further.
    • indicates major issues. Contact Technical Support.