Stellar Cyber 5.1.1 Release Notes

Actions Required

• Stellar Cyber will stop allowing customers to create users with case insensitive user names or email duplicates starting from the 5.3.0 release. Stellar Cyber recommends that you clean up any duplicate emails within your instance now to avoid issues in later releases.

Behavior Changes

Changes that affect the way users interact with the product or interpret results are listed below.

• Global Event Status filters are now disabled in the Executive Overview dashboard, similar to the Operational Dashboard and Analyst View. The dashboard now displays all alerts, including those that are closed. You can use saved queries or the global search bar to filter by event status, if needed.

• The CLI now prevents you from entering non-printable characters as part of an HTTP proxy's URL, username, or password. This prevents the unintentional recording of the backspace or delete characters as part of these fields when setting them from a Windows-based console.

  As a best practice, it's a good idea to set the delete and backspace keys to ASCII 127 when using a Windows-based console.

• Changed the default Status filter for the XDR Kill Chain dashboard to All Open so that cases with a Status of Ignored or Closed are not shown in the Top Cases panel.

• Changed the default Status filters for the Cases page to Escalated, New, and In Progress. If at any point you deselect all Status filters, the user interface automatically restores these default filters.

Deprecations

• Note that Server Sensors installed on hosts running CentOS 6.x or Red Hat 6.x are not supported for upgrade to 5.1.1 due to a Python incompatibility.

• The set logforwarder httpjson command is hidden because there is a UI option to perform same action.

• The ZOOM feature was deprecated in 4.3.7 and is no longer in the platform in 5.1.1.

• The predefined Company Trends dashboard is no longer available in 5.1.1.

• In an upcoming release (5.2.0), the following will be changed:

  • Modification of Severity Field Handling in Raw Log: The existing severity field in the raw log will be deprecated. However, the original sophos.severity will be kept. Additionally, a new severity score will now be generated and reflected in the corresponding alert within the index aella-ser*.

  • Deprecation of sophos_malware_detection Rule in aella-sa, which is associated with the Malware on Disk alert type. Note that this alert type is also triggered by data from two sources: Sophos and Windows Defender. With the deprecation of the Sophos rule, Malware on Disk alerts can still be activated through Windows Defender.

Critical Bug Fixes

• Fixed: Resolved an issue that prevented the Force Linux Auditd to Stop option in the Sensor Profile from working on older systems with pre-3.16 kernels and a locked auditd configuration. The option works correctly in these situations in 5.1.1, ensuring that aella-audit events are generated and received, even on systems with pre-3.16 kernels and locked audit rules.

• Fixed: Missing ATH output that should have been generated with ML alert.

• Fixed: Email Correlation Alert Had a 900 alert spike in the same interval, alerts are malformed.

• Fixed: Sysmon Event ID 1 always has UserSID/User.Identifier for SYSTEM, Detections like User Process Usage Anomaly trigger without available User information.

• Fixed: Incorrect category mapping on SentinelOne detection.

• Fixed: System producing inaccurate alert score.

• Fixed: Vulnerabilities attached to multiple hosts (hostnames wrongfully aggregated into one asset).

• Fixed: Not able to Firewall Block on an alert with srcips generated from a calculation, due to field name being "key" rather than srcip.

• Fixed: CEF parser to support additional field parsing for malwarebyte.

• Fixed: Additional parsing on CEF parser for Fortinet.

• Fixed: Additional parsing on Palo Alto Firewall log parser.

• Fixed: Update on Fortinet parser to correct the application information.

• Fixed: Additional parsing on Infoblox parser.

• Fixed: IIS 10 ingest via NXLog reported different key error.

• Fixed: Additional parsing on Checkpoint Firewall parser.

• Fixed: Sophos FW - add field action separate from msgdata field.

• Fixed: Fortiweb XENserver logs parser.

• Fixed: Update to support Amazon Linux 2 audit log.

• Fixed: Ubiquiti parser.

• Fixed: Opensense parsing issue.

• Fixed: Palo Alto Data Cortex Syslog forwarding field changes.

• Fixed: Fortigate FW - add field action separate from msgdata field.

• Fixed: Fortigate firewall no fields parsing.

• Fixed: Cisco Firepower parser error: No Method Error.

• Fixed: Unexpected logs ingest to trend_micro_interescan_messaging parser.

• Fixed: Azure WAF parser issue. Failed to convert character.

• Fixed: McAfee EPO log parser update.

• Fixed: Update parser for Array LB.

• Fixed: F5 WAF parser failed.

• Fixed: Palo Alto Networks Firewall port 5515 parser error message.

• Fixed: ManageEngine CEF Windows alerts: missing information in description.

• Fixed: Zscaler ZPA log parser error 'unsupported format' (port 5551).

• Fixed: Zscaler ZIA parser failed.

• Fixed: Microsoft is Webserver NXLog parser error message: Log has different key numbers.

• Fixed: CEF Parser for TrendMicro: Seems to drop data when cef_device_product is Apex Central.

• Fixed: InfoCyte CEF custom parser is parsing incorrectly.

• Fixed: Netscaler 'username' is not parsed correctly.

• Fixed: Parser ubiquiti (5552), value of MAC is valid, should be stored on top level.

• Fixed: Parser ciscovpn 5156, some new samples can be parsed more detailed.

• Fixed: Parser beats (5044), beats-dhcp events do not have the field msg_origin.source.

• Fixed: Field proto_name parsed incorrectly in parser SonicWall Firewall 5152.

• Fixed: Timestamp missing millisecond data in parser lanscope_cat 5588.

• Fixed: "Hibun Print Operations" from predefined seems to need adjustment on the default query "hibun.operation:PRT".

• Fixed: AWS CloudTrail 'PutObject' is not able to be filtered.

• Fixed: Request Ticket - “PDF export results do not always match UI” to backport to 4.3.7002.

• Fixed: System Action Center: Cannot select an "All Tenants" recipient when scoped to a single tenant.

• Fixed: Fields in epoch time when added as column they are listed as long numbers.

• Fixed: When creating alert filter the filtering is lost.

• Fixed: PDF export results do not always match UI.

• Fixed: Remove checking in UI profile if channel exists, when custom channel added by customer.

• Fixed: event_summary.password_spraying.unique_user_count mapped to wrong type in metadata dictionary, needs to be a number.

• Fixed: Tenable.sc connector form "Port" sometimes does not allow submission, does not register it is a number.

• Fixed: Remove Status Filter from Executive Overview Report.

• Fixed: Field distance_deviation should have the same operators as event_score.

• Fixed: Error "Filtering by Onedrive is not supported for this chart currently" when applying filter.

• Fixed: Ability to add comments with API integration with ServiceNow.

• Fixed: Selected items were unselected after modification like adding a comment.

• Fixed: Queries in filter section not listed in alphabetical order.

• Fixed: Export 100,000 in Threat Hunting records timed out.

• Fixed: Error on send scheduled report.

• Fixed: Workflow issue on Case Management.

• Fixed: Filter in/out option is missing for many fields.

• Fixed: Missing acknowledged field in the case column selection.

• Fixed: Hide correlate with case option on ATH rule configure correlation.

• Fixed: Multiple UI bugs in 4.3.7 release.

• Fixed: Change TimeZone changes the authentication to default.

• Fixed: "IDS" and "APT" Columns only appear for some users on System | Sensors.

• Fixed: System | Sensors page: Software Upgrade, Authorization page should respond to select filters.

• Fixed: Cannot see email recipient in All Tenants when configured in the Root tenant.

• Fixed: Volume Usage Daily Average Sum appears to be incorrectly calculated.

• Fixed: Submit button is grayed out in authentication setting to admin user.

• Fixed: Created at field reset between configuration updates in other fields rather than staying static.

• Fixed: Customer cannot submit Sensor Profile in single tenant view, but can view and edit it.

• Fixed: Ingestion dashboard report ingestion higher than the overall ingestion.

• Fixed: Cluster Size jumped from 7-9 when worker node was added, leading to ES scheduling fail.

• Fixed: XDR Kill Chain - incidents resolved are still listed.

• Fixed: Change drop downs to a searchable list.

• Fixed: Problem with "" when the case is exported to PDF.

• Fixed: Incident naming issue.

• Fixed: Unable to create log filter using IP CIDR range.

• Fixed: API not pulling alert IDs from Cases.

• Fixed: Logical Partition failure after applying patch for 4.3.5 file descriptor issue.

• Fixed: Circuit Breakers cause aella-ser records to be lost due to SEF filter. Added logic for retry.

• Fixed: No response from System Action Center for connector.

• Fixed: Processor did not restart when cache was stuck, required manual recovery.

• Fixed Auto-recovery for data sink lag failed to start.

• Fixed: Generic webhook connector responder - webhooks are not being sent to Zendesk.

• Fixed: Unable to filter/search on ingestion.warning.xxxx in DP Monitoring Index.

• Fixed: m6000 appliance 4.3.4 upgrade to 4.3.6 failed only DL-master.

• Fixed: Domain recently registered missed.

• Fixed Non-standard port on VOIP protocol.

• Fixed: DP - NTP not synced.

• Fixed: Missing ap-southeast-3 when creating S3 DataSink.

• Fixed: Deleting "Records" for "Root Tenant" in Data Management deletes data for all tenants in all indices.

• Fixed: The scope of the Internal XDR Malware and External XDR Malware is reverse.

• Fixed: Case sensitivity 5.1.x causing duplicate Asset/User counting.

• Fixed: Severe asset count drop after 4.3.7 pre-SaaS upgrade.

• Fixed: metadata.score in incident_score_change record not in Interflow dictionary/schema anymore, needs to be a number.

• Fixed: "Asset Risk Over Time" Chart in Asset Detail View Only shows the current day.

• Fixed: Log filter not filtering data.

• Fixed: NUMA issue with Photon 400: Panic in DPDK.log.

• Fixed: aella_flow failed to come up on a Photon-160 running 4.3.7 release.

• Fixed: engid change unattended.

• Fixed: Network sensors disconnecting due to aella_conf.

• Fixed: No "commands run on a Linux host" since upgraded to 4.3.7.

• Fixed: td-agent failing to stop during upgrade to 4.3.7.

• Fixed: Wait for reply - 2 Sensors Nonfunctional with "aella_cli service restarting".

• Fixed: Windows agent upgrade failed from 5.0.2 to 5.0.4.

• Fixed: /etc/resolv.conf symbolic link broken, file becomes static before 4.3.6 upgrade.

• Fixed: Data filter name enriched to other tenant's appid_name.

• Fixed: Log Forwarder Filter updating on Sensor, but cannot filter on any fields.

• Fixed: Bug in Winlogbeat seems to cause group name not to appear for events 4732 and 4728.

• Fixed: Cases APIs call missing alert information and missing case score breakdown.

• Fixed: Unable to delete tenant group if previously an ATH rule was attached to it.

• Fixed: CM did not update Connector Status until it was restarted after 4.3.7 upgrade.

• Fixed: Alert filter configured with CIDR address block does not filter event.

• Fixed: Asset import verify on UI.

• Fixed: Clone sensor profile cannot be deleted and edited.

• Fixed: Windows Agent Profile template reset to default after 4.3.7 upgrade.

• Fixed: Medium template is set on all existing Sensor Profiles.

• Fixed: SentinelOne connector in 4.3.6 report "Conflict - Query: " message.

• Fixed: Connector Log filter not filtering data.

• Fixed: Sophos Connector errors preventing collection.

• Fixed: Ctrl - Salesforce connector should skip non-existing columns.

• Fixed: Office365 filter applied, but did not match expected data until Log-collector master was manually restarted.

• Fixed: Parse the Cato Networks log following the NDR logs parsing scheme.

• Fixed: SentinelOne connector: “Server could not process the request.“

• Fixed: SentinelOne Deep Visibility Checkpoint does not advance on time.

• Fixed: Duo Connector field mappings cause "Authentication" events to be dropped.

• Fixed: 4.3.7 upgrade causes Azure AD connector to drop checkpoint, pull 15 days of duplicates.

• Fixed: Box enterprise plus account connector failed in authentication.

• Fixed: Google Workspace missing login content type after 4.3.6 upgrade.

• Fixed: Investigate: O365 receives duplicate alerts days later, with the same ID and timestamp.

• Fixed: Cloudflare Logpull connector does not function after following documentation.

• Fixed: Sophos Central connector using client ID to report URL error.

• Fixed: Additional parsing for O365 Connector: "TRC".

• Fixed: Fix pagination bug in Office 365 Connector.

• Fixed: SentinelOne Deep Visibility time split threshold should apply.

• The Cylance responder is unable to perform the Contain Host action due to a limitation from the Cylance REST API. All requests return a 500 Internal Server Error response.

• Fixed the default Technique mapping for SentinelOne alerts, changed from XDR Adware to XDR Miscellaneous Malware.

• Fixed an alert score normalization issue where CrowdStrike alerts may have a score above 100.

• Alerts from User Login Time Anomaly now correctly display timezones whose offsets are not an integer number of hours.

• Original records for External / Internal Credential Stuffing alerts can now be retrieved correctly when there is an ingestion delay (i.e., a big difference between timestamp and write_time) on Windows events that triggers the alerts.

• Improved case update performance and now the case score will be updated right after one or more alerts are removed from a case.

• Improved performance for Sigma Rule detections especially for rules scanning a large volume of data.

• Fixed: Updated sensor profile for Windows event log names. With this fix, the Windows sensor will be able to report "Token Right Adjusted Events", "Non Sensitive Privilege Use", "User / Device Claims", and "Plug and Play Events".

Detection/ML Improvements

Sigma Rules

• New Rule Alert Types for Microsoft Entra ID, with 33 new rules in total:

  • Microsoft Entra Application Configuration Changes

  • Microsoft Entra Application Permission Changes

  • Microsoft Entra Bitlocker Key Retrieval

  • Microsoft Entra Changes to Conditional Access Policy

  • Microsoft Entra Changes to Device Registration Policy

  • Microsoft Entra Changes to Privileged Account

  • Microsoft Entra Changes to Privileged Role Assignment

  • Microsoft Entra Federation Modified

  • Microsoft Entra Guest User Invited By Non-Approved Inviters

  • Microsoft Entra ID Discovery Using AzureHound

  • Microsoft Entra PIM Setting Changed

  • Microsoft Entra Privileged Account Assignment or Elevation

  • Microsoft Entra Sign-in Failures

  • Microsoft Entra Suspicious Sign-in Activity

  • Microsoft Entra Unusual Account Creation

• New Rule Alert Type: Steal or Forge Kerberos Tickets, with 3 new or improved rules:

  • New rule: win_susp_rc4_kerberos: Suspicious Kerberos RC4 Ticket Encryption.

  • windows_security_16: Register new Logon Process by Rubeus, moved from Alert Type Potentially Malicious Windows Event to Steal or Forge Kerberos Tickets.

  • windows_security_116: User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess', moved from Alert Type Potentially Malicious Windows Event to Steal or Forge Kerberos Tickets.

• New Rule Alert Types for Sysmon events:

  • Suspicious Windows Registry Event: Persistence (1 new rule)

    • To enable Sysmon data collection, apply the up-to-date System reference configuration shipped with 5.1.1 Windows Agent Sensor.

  • Suspicious Windows Registry Event: Impact (1 new rule)

    • To enable Sysmon data collection, apply the up-to-date System reference configuration shipped with 5.1.1 Windows Agent Sensor.

  • Suspicious Windows Network Connection (5 rules, reorganized from Alert Type Potentially Malicious Windows Event)

    • windows_security_64: Network Activity From MSBuild was renamed to windows_network_connection_1 and reorganized to this Alert Type.

    • windows_security_75: Network Activity From mshta was renamed to windows_network_connection_2 and reorganized to this Alert Type.

    • windows_security_30: Network Activity From msxsl was renamed to windows_network_connection_3 and reorganized to this Alert Type.

    • windows_security_91: Network Activity From verclsid was renamed to windows_network_connection_4 and reorganized to this Alert Type.

    • windows_security_66: Unexpected Network Activity from Microsoft Tool was renamed to windows_network_connection_5 and reorganized to this Alert Type.

  • Suspicious LSASS Process Access (8 rules)

    • windows_security_100: Suspicious LSASS Access via MalSecLogon was renamed to windows_process_access_4 and reorganized to this Alert Type.

    • windows_security_78: Potential Credential Access via DuplicateHandle in LSASS was renamed to windows_process_access_5 and reorganized to this Alert Type.

    • windows_security_36: Potential Credential Access via LSASS Memory Dump was renamed to windows_process_access_6 and reorganized to this Alert Type.

    • windows_security_68: Potential LSASS Memory Dump via PssCaptureSnapShot was renamed to windows_process_access_7 and reorganized to this Alert Type.

• New Rule Alert Type: AWS CloudTrail Privilege Escalation:

  • aws_200: AWS Privilege Escalation via Group/Role/User Policy

• New rule windows_security_201: Windows Privilege Escalation through Security Group Modification, contributing to Alert Type Potentially Malicious Windows Event.

• Improved the following Sigma rules based on customer feedback and telemetry:

  • windows_security_167: Suspicious Outbound Kerberos Connection - Security

    • Added more relaxed whitelist filters to reduce false positives.

• Turned off the following noisy Sigma rules based on customer feedback and telemetry. In a future release, customers who want these rules will be able to turn them back on.

  • powershell_scriptblock_18: Suspicious Get Information for SMB Share

  • powershell_scriptblock_22: Active Directory Computers Enumeration with Get-AdComputer

  • powershell_scriptblock_46: Modify Group Policy Settings - ScriptBlockLogging

  • powershell_scriptblock_51: Detected Windows Software Discovery - PowerShell

  • powershell_scriptblock_87: Suspicious PowerShell Invocations - Specific

  • powershell_scriptblock_91: Execute Invoke-command on Remote Host

  • powershell_scriptblock_113: Extracting Information with PowerShell

Third-Party Alert Integration

• Trend Micro Vision One alert integration. New Alert Types from this alert integration will be in the form of Trend Micro Vision One: {Trend Micro Alert Type (Model Name)}, for example, Trend Micro Vision One: Suspicious File Creation in Uncommon Folder.

• LimaCharlie alert integration. New Alert Types from this alert integration will be in the form of LimaCharlie: {Technique Name}, for example, LimaCharlie: Data Manipulation.

• SentinelOne alert integration. Improved alert mapping to allow non-standard MITRE tactics.

Improvements

• Added normalization and detection integration for more WAF data sources. Now the following data sources can trigger WAF Rule Violation Anomaly and WAF Internal Attacker Anomaly.

  • F5 WAF

  • Barracuda WAF

  • AWS CloudWatch WAF

• Add support of Windows Security event 4688 for the following Alert Types. Before this support, they all require Sysmon event 1.

  • Password Spraying Attempts Using Dsacls

  • Backup Catalogs Deleted by Ransomware

  • Volume Shadow Copy Deletion via VssAdmin

  • Volume Shadow Copy Deletion via WMIC

  • Hydra Password Guessing Hack Tool

  • Password Cracking With Hashcat

• Split alert description for Command Anomaly based on whether it is triggered by a threshold learned from an individual host or multiple hosts to reduce customer confusion about the typical value presented in alerts.

• URL Reconnaissance Anomaly now displays up to 5 most frequent HTTP error codes in the alert description, instead of a generic description of “HTTP 4xx errors.“

• Updated the reference configuration for Sysmon to collect more Pipe and Registry events for detections. Customers who want to collect these events can update their Sysmon configuration using the updated reference configuration.

Usability Improvements

• Added a new search capability to many Stellar Cyber dropdowns, including the Tenants dropdown at the upper right of the user interface.

• Enhanced logging for email notifications sent from ATH Playbooks. The Last Status view available from the Respond | Automation page now includes details on the addresses to which email notifications were actually sent, along with their corresponding status codes.

• Added a new /cases/{id}/comments endpoint to the public API that supports both GET and POST methods for retrieving and adding comments in the Case Activity log for a case

  You can also use PUT and DELETE methods for specific comment IDs:

  • PUT /cases/{id}/comments/{commentID}

  • DELETE /cases/{id}/comments/{commentID}

• Increased the maximum size of log messages sent to an external server with the Forward to External Server option in the sensor profile from 1024 to 2048 bytes, including metadata, if you have enabled it (metadata adds roughly 100 bytes to each log).

• Improved the responsiveness of updates to case scores when alerts are removed from a case.

• Updated the way to register UserTrack/UserActivity for Public APIs.

• Collapsed Pie Charts on Cases tab.

• Removed legacy aggregator page on System | Sensor Profiles.

• Made Event IDs numeric on the Export CSV page and in the UI.

• Removed comma separators in CSV exports for fields such as Source Port and Total Bytes.

Platform Enhancements

• To improve the accuracy of asset counting for licensing purposes, destination IP addresses that have not sent packets are no longer counted as assets. This prevents the counting of, for example, IP addresses that were sent SNMP or ICMP requests but did not respond as assets.

• Added vulnerability sources and asset identifiers used during vulnerability enrichment to asset vulnerability information. Now each asset with vulnerabilities has two new fields: vulnerabilities.sources and vulnerabilities.find_by to indicate from which source(s) and through which asset identifier(s) a vulnerability is linked to the current asset.

• Added a Public API endpoint for Storage Usage.

• Added a Public API endpoint for Ingestion Statistics.

• Added ATH email to recipient information in watch_status.

• Added General S3-compatible data sink to support AWS S3-compatible storage solutions such as Wasabi S3.

• Added support for the new document server and chatbot on the Knowledge Base.

• Added support for the new Alert Filter schema change.

Sensor Features and Improvements

• Improved supportability of sensors by adding additional hardware-related information (CPU, RAM, and NUMA) to diagnostic commands used with Customer Support to troubleshoot issues.

• When a Windows token is enabled or disabled or, starting from Windows 10, its privilege or "right" is dynamically adjusted, Windows logs a "token right adjusted event" with event ID 4703. However, Stellar Cyber was using the incorrect key and not ingesting these events until the 5.1.1 release.

• Improved ability to identify UDP-related logforwarder package drops, including the ability to use the netstat command from the command line.

  Running netstat without proper restrictions can expose sensitive information about network connections. Always follow best practices for security, restrict access to sensitive information, and keep your system and utilities up to date to mitigate potential risks.

• Added support for the following Linux distributions to the Linux Server Sensor:

  • Linux Oracle 7 Server Sensor

  • Linux Mint Server Sensor

  • Linux Rocky Server Sensor

  • SUSE 15 Linux Server Sensor support for GA, SP1, and SP2

• You can now upload your own TLS server certificate in the System | Administration | Certificates page and assign it to a specific sensor's log forwarder in the Sensors list. .

• Added self-contained installation for Linux Server Sensor on Debian distributions.

• Added Linux Server all-in-one installation script. There is no need to download packages from the ACPS server during installation.

• Removed auditd rate limit and increased backlog limit from 256 to 8192.

• Increased the log size on syslog forward to external server.

• Improvement to reduce noise on destination IP asset reporting on aella_flow.

• The limit of Log source IPs with stats was increased from 100 to 200 on sensors with more than 8GB memory.

• Improved ability to identify UDP-related logforwarder packet drops, including the ability to use the netstat command from the Sensor CLI.

• Updated stellar_syswatcher.xml contents to a new version with PipeEvent.

• Added Sensor CLI show system command to show Service uptime.

• Added Sensor CLI show userapp and show metalist commands to support filtering.

• Added Sensor CLI show logforwarder filter command to display invalid filter IDs at the beginning.

Connector Features and Improvements

• Implemented CyberCNS connector for vulnerability scans.

• Implemented Netskope connector v2 endpoints.

• Implemented Trellix MVISION connector.

• Implemented Amazon Security Lake connector.

• Implemented Carbon Black response action.

• Implemented Gov Cloud support in Microsoft Entra ID (formerly Azure Active Directory connector).

• Added support for AWS Control Tower in AWS CloudTrail connector.

• Added LDAP authentication over Kerberos in Active Directory connector.

• Added support for Gov Cloud region in AWS CloudTrail connector.

• Added JumpCloud> Multi-Tenant API support.

• Added support for Salesforce Cert Authentication.

• Added AWS CloudWatch Assumed Role Authentication.

• Added support for Web Application Firewall (WAF) logs to AWS CloudWatch connector.

Parser Improvements

• Introduced new built-in parsers for various log sources:

  • AXGATE Next Generation Firewall

  • Cisco ACI Data Center

  • Cisco Catalyst Firewall

  • Cisco Secure Network Analytics (Stealthwatch)

  • Cygna Labs Cygna Auditor

  • ECS Suricata

  • ECS Windows

  • Exium SASE

  • Extreme Networks X690

  • HAProxy

  • Ivanti Pulse Secure

  • Kaspersky Security Center

  • Keeper Security Enterprise

  • Linux Audit

  • Melapress WordPress

  • Palo Alto Networks Prisma Cloud (Compute Edition)

  • PNPSECURE NODESAFER

  • Qumulo Core

  • Radware Alteon

  • Sangfor EDR

  • Sectona PAM

  • Splashtop

  • Syslog4Net

  • ThreatLocker Zero Trust EPP

• In Sophos Firewall parser, device is normalized into sophos.device now.

• In Cisco Meraki parser, device is normalized into cisco.device now.

• Added Microsoft IIS log format support for NXlog parser.

• Added new log format support for VMWare NSX T parser.

• Introduced the new CEF log ingestion for Malwarebytes Endpoint Protection on port 5143.

• In Fortinet CEF parser, the fields ad.dstcity, ad.dstregion, ad.dstreputation, ad.scertcname, ad.scertissuer, ad.srcfamily, ad.srchwversion, ad.srcswversion, ad.unauthuser, and ad.unauthusersource are moved into fortinet.

• Added new log format support for Radiflow CEF parser.

• Improved the Palo Alto Networks Firewall parser to support more kinds of logs.

• Added new log format support for Access Manager SaaS parser.

• Improved the Beats SAAS parser, the DHCP (beats) SAAS parser, and the Sophos Endpoint (beats) SAAS parser to move the unsupported top-level fields into the vendor namespace, instead of the field msg_data.

• Introduced the new Acalvio ShadowPlex CEF log ingestion on port 5143.

• In Fortinet Fortigate parser:

  • hostname is now moved from the top-level to fortinet.hostname.

  • Field app is normalized into appid_name now. Also, appid and appid_name will be matched with each other.

• Improved the Cisco Firepower parser to:

  • parse more kinds of messages in detail. These are the new message IDs: ["104001", "104002", "105003", "105004", "106021", "109201", "110002", "110003", "113004", "199016", "199017", "199018", "210022", "302010", "305006", "305011", "305012", "305013", "313005", "317012", "317077", "317078", "419002", "716058", "716059", "720027", "720028", "720032", "720037", "720039", "720040", "721002", "721003", "721016", "722022", "722023", "722033", "722034", "722037", "722051", "722055", "725001", "725002", "725003", "725007", "725016", "733100"]

  • support IPv6 address for Cisco Firepower 110002 message.

• Moved fields ad.appact, ad.applist, ad.apprisk, ad.devtype, ad.dstdevtype, ad.dsthwvendor, ad.dstmac, ad.dstuuid, ad.filesize, ad.filetype, ad.filtername, ad.masterdstmac, ad.mastersrcmac, ad.matchfilename, ad.matchfiletype, ad.osname, ad.policyname, ad.poluuid, ad.srchwvendor, ad.srcmac, ad.srcserver, ad.srcuuid, ad.tlsver, requestcontext, sourcetranslatedaddress, and sourcetranslatedport to the vendor namespace in Fortinet FortiGate (CEF) log ingestion.

• Added new log format support for Pulse Secure parser.

• Improved the pfSense Firewall parser to support OpenVPN logs from the pfSense Firewall.

• Introduced new Nozomi Networks CEF parser on ingestion port 5143.

• In the Ubiquiti UAP-AC-Pro parser:

  • the fields srcmac and dstmac will be moved into the vendor namespace when their value is not a valid MAC address.

  • the field log.syslog.app_name is renamed to log.syslog.appname.

  • the field proto_name will be moved into the vendor namespace as proto_str when its value is not in this case-insensitive list: ["1", "2", "6", "17", "tcp", "udp", "icmp", "igmp", "http", "https"].

• In the Ubiquiti UAP-AC-Pro on-prem parser, the field mac is now an array when the original value is a valid MAC address. Otherwise, it will be moved into the vendor namespace and named mac_str.

• In the Ubiquiti UAP-AC-Pro SAAS parser, the field ubiquiti.mac_str is changed to be an element of the top-level field mac when its value is a valid MAC address.

• In CEF2 parser, dev_type is enriched from the cef_device_vendor instead of using cef2.

• In Wazuh SIEM parser, data.HttpHost is now normalized into domain_list.

• Added new log format support for Access Manager SaaS parser.

• Added new log format support for Wazuh SIEM parser.

• Add new log format support for Infoblox NIOS parser. Also updated the normalization of DNS queries, DNS response, DNS update, and DNS notify logs using more accurate field names instead of custom_value_N.

• Introduced the new CEF ingestion for logs from Sky SKYSEA on ingestion port 5143.

• Added new log format support for Cisco VPN parser.

• In the Sophos Firewall parser:

  • Improved the parser to support the new format.

  • Parsed field action out from the key-value pair as sophos.action.

  • Parsed fields dst_ip, dstip out from the key-value pair as dstip when it is a valid IP address, otherwise, it will be moved to the vendor namespace.

  • Parsed field srcip out from the key-value pair as srcip when it is a valid IP address, otherwise, it will be moved to the vendor namespace.

  • Fields srcmac, src_mac, dstmac, and dst_mac will be moved to the vendor namespace when their value is not a valid MAC address.

  • For duplicated key-value pairs, except for the first pair, the rest will be moved into msg_data.

  • Fields proto and protocol will be moved into the vendor namespace when their value is unsupported. The field proto will be renamed as proto_str for this situation.

• Renamed fields log.syslog.app_name and log.syslog.structured_data to log.syslog.appname and log.syslog.structured_data_str for the LanScope Cat parser and the RFC5424 Syslog parser.

Operational Notes

• Keep in mind the following tips when working with the new Alert Filters interface:

  • When creating alert filters by copying and pasting values from an alert's Event Details display, Stellar Cyber recommends that you use the Details tab instead of the JSON tab, as illustrated below. Values in the JSON tab may contain extra escape characters that are not handled correctly by the current implementation.

    

  • Alert filters do not currently support manual entry of multiline values. If you need to create a filter with a multiline value or other complex values, create it from an existing alert that contains the value. The value should also not be manually modified at any point.

• Keep in mind that the global Status filters available at the left of most Stellar Cyber tables (All Open, New, In Progress, Ignored, and Closed) apply only to security events (alerts). They do not apply to cases. You can apply Status filters to cases, too, but only from the Cases interface itself. The names of the Status filters for cases are also slightly different than those available for alerts.

• The following message can appear in logs on the Linux Server Sensor host when the number of generated audit events exceeds the performance capabilities of the audit process:

  audit: audit_backlog=8193 > audit_backlog_limit=8192

  If you encounter this entry in your logs, you can either provision additional resources for the host operating system or configure the system to generate fewer audit events.

• If you encounter a situation where the IP address for an aggregator configured for a sensor from the CLI unexpectedly resets to 0.0.0.0, it is possible that the aggregator configuration for the sensor is mismatched between the local CLI configuration and the DP. You can resolve this issue by specifying the correct IP address for the sensor's Primary Aggregator in the System | Collection | Sensors | Edit Sensor Parameters dialog box on the DP.

• Linux uses the Out of Memory Killer (OOM Killer) to terminate a service that has reached the maximum memory limit specified in its service file. When this happens, you will see oom-killer messages in syslog. As a workaround for this situation, try increasing the memory provisioned for the sensor.

Known Issues

• The Sensor content type for Cybereason's connector requires the System Admin role and Sensor Admin L1 role (if your Cybereason environment uses sensor grouping) to collect.

• Due to an ongoing issue with Cybereason's Query Sensors API, the Cybereason connector may not always be able to retrieve host IP addresses, resulting in missing host information in alerts and incomplete incident correlation.

• When a new tenant is onboarded, the rare-type alerts (anomaly_tag:rare) triggered from Private/Public to Private/Public Exploit Anomaly, Scanner Reputation Anomaly, External / Internal Non-Standard Port Anomaly, Carbon Black:XDR Anomaly, and CylanceOPTICS:XDR Anomaly may have an unusually large days_silent and a higher than usual fidelity. This issue will be addressed in a future release.

• In the rare cases when the Stellar Cyber menu options have been significantly reorganized, such as in v4.3.0, it is possible that administrators will need to review settings for their custom user RBAC profiles. For example, any changed path to User Management, Connectors, or Visualize is considered by Stellar Cyber to be a "new feature". So if you have user profiles with Behavior for New Features in Future Releases set to No Access, they will not be able to access these features. Since the menu options were significantly changed in v4.3.0, migrations from older releases to v4.3.x and beyond warrant this review.

• If you use a Cynet connector to perform a Contain Host or Shutdown Host on a host that is already disabled, shutdown, or otherwise not reachable, Cynet returns a status that the request was successful which is reported in the Stellar Cyber UI. If you are not certain whether an action was successful, you may verify it in the Cynet dashboard.

• Deleting a Data Sink Import or Restore task and then creating a new one with the same dates results in duplicate data for any pre-4.3.1 data requested by the task.

• To prevent an inconsistent database state, make sure you delete any active Data Sink import or restore tasks before using the Clear Database option in the System | Data Processor | Data Management | Advanced tab.

• Operators are enabled in pick list menus when they are supported with the selected field or rule. For this reason, use the menu-based queries rather than the Search keyword field with these operators. Examples include contains, does not contain, and is operators. Additional fields / rule support will be added in the future.

• During upgrade to v4.x and later, the alert type definitions are migrated to a new internal format, but the alert name remains the same in the UI. If the data you are viewing contains alerts generated from prior to the upgrade, be advised that those will be treated as separate from the alerts generated by the new, migrated definition (even though the alert name appears to be the same). Optionally, rename your alerts to more easily identify alerts generated from the old definitions from those created post upgrade.

• Use the System | Sensors | Manage | Software Upgrade feature to upgrade Windows Server Sensors. Although you can use the System | Agents | Windows page to download MSI and/or MST files for Windows Server Sensor installations, these files should only be used for fresh installations and re-installations and not for upgrades.

• Currently, administrators need to use the Stellar Cyber UI to upgrade existing 4.2.2 Windows agent sensors. Download the GPO configuration in UI System | Agents | Windows only for new sensor installation or sensor re-installation.

• You cannot delete a Data Sink that has an active import or restore in the Data Sink Import or Data Sink Restore tabs. Delete any active import/restore tasks for the data sink, wait at least ten minutes, and then delete the data sink.

• Log Forwarder only collects statistics for limited different log source IPs per Log Forwarder worker. If the total number of log source IPs exceed the limit, the additional log source IPs' statistics will be aggregated into a catch-all IP 0.0.0.0. Note: The limit was 100, and is increased to 200 sensors with more than 8GB of memory in the 5.1.1 release.

• When a modular sensor is configured as a Log Forwarder only sensor (Network Traffic and other features are not enabled), the Log Forwarder may restart periodically if there is not enough sensor memory. recommends that the sensor memory (in GB) be at least 1.5 times the CPU core number. For example, if the sensor has a total of 8 cores, the sensor should have at least 8 * 1.5 = 12 GB of memory.

• A modular sensor upgrade will fail when the associated modular sensor profile has the IDS or Sandbox features enabled and the corresponding feature license is not assigned to the sensor. Workaround: Authorize the sensor with an IDS and Sandbox license, or in the modular sensor profile, disable the IDS and the Sandbox features and try to upgrade again.

• Stellar Cyber recommends using the same CPU and Memory specifications for DL nodes. Variations in specifications across worker nodes can cause Data Lake stability issues.

• When multiple traffic filters in different tenants are defined with the same combination of IP, port, protocol, and layer 7 rules, the sensor only takes the filter belonging to the same tenant with the sensor and ignores the others. Administrators should review the defined traffic filters and avoid creating duplicate definitions.

• Files may not be assembled by Security Data Sensors for traffic mirrored from physical interfaces on Cisco Nexus 9K models. As a workaround, configure VLAN mirroring on the Cisco switch.

• If you change the network interface configuration of a sensor’s VM after deployment, the eth0 interface may be remapped to a new interface. If this happens, the management network is disconnected. Contact Customer Success for assistance.

• If you configure a sensor's aggregator using its hostname instead of its IP address, you can not see the aggregator in the Sensor List. This does not affect the sensor's ability to communicate with the DP through the aggregator.

• Deleting the Root Tenant's ES data in the System | Data Processor | Data Management | Advanced tab, deletes unexpected tenant's data.