Stellar Cyber 4.1.2 Release Notes
Stellar Cyber 4.1.2 brings major improvements to the Stellar Cyber Open XDR platform, including new features, improvements, enhancements, key fixes, and known issues. Upgrade instructions follow all of that great information.
Note: As of the 4.1.0 release, the following data model terminology is standardized in Stellar Cyber products and documentation:
- Raw Events: Raw or enriched records from traffic or log ingestion.
- Alert Types and Alerts: Alert Types categorize security alerts generated by a set of analytics or machine learning algorithms. An alert is a triggered instance of an alert type. Alert Types can be classified by XDR Kill Chain Stage > ATT&CK Tactic > ATT&CK Technique.
- Incidents: Multiple alerts grouped into an incident for efficient and effective SOC investigation.
Parser Enhancements
- Enhanced Sensor statistics collection to give better insight into the contribution of different log source types to ingestion volume.
Connector Enhancements
- Introduced an Akamai connector that runs on the Data Processor and collects logs from a configured Akamai account.
- Introduced a Microsoft SQL Server connector that collects Klassify logs stored in the database. The connector can run on a network/security/modular data sensor of version 4.1.2 and later.
Threat Intelligence
- Allow admins to configure a customer-defined local data source for a managed Threat Intelligence source. Refer to the Stellar Cyber Knowledge Base for the supported data format and configuration details.
Known Issues
- Stellar Cyber Data Processor services could be interrupted once the DP has been deployed and running for one year, because an internal certificate expires. If you installed version 3.5.x/3.6.x of the DP in 2020, contact Technical Support to reset the condition manually before service is interrupted. A new release addressing this issue is expected at the end of Q3 2021.
- When multiple traffic filters are defined for a tenant with the same combination of IP, port, protocol, and layer 7 rules, the filter may fail to take effect. Administrators should review the defined traffic filters and make sure there are no duplicate definitions among filters.
- Files may not be assembled by Security Data Sensors for traffic mirrored from physical interfaces on Cisco Nexus 9K models. As a workaround, configure VLAN mirroring on the Cisco switch.
- Sensor installation on Linux servers running CentOS 6 fails because the official CentOS 6 package download link is no longer available.
- If you change the network interface configuration of a sensor's VM after deployment, the eth0 interface may be remapped to a new interface. If this happens, the management network is disconnected. Contact Technical Support for assistance.
- The stellar_syswatcher service may be missing after a new installation or upgrade of a Windows agent sensor on Windows Server 2008 R2. This is due to a required patch from Microsoft. Patch target Windows Server 2008 R2 hosts before you install or upgrade so you can leverage traffic information from the Windows agent sensor.
- The Category setting for Box Connectors has been changed from SaaS to PaaS, but the upgrade does not automatically migrate existing connectors. You must manually open any existing Box connector and change it to PaaS.
Upgrading
You can upgrade Stellar Cyber from 3.12.0 (or later) to 4.1.2. You must:
Preparing for the Upgrade
To prepare for the upgrade:
- Back up the data and configuration
- Make sure the sensors are up and running
- Take note of the ingestion rate
- Take note of the number of alerts
- Make sure the system health indicator shows
- Run the pre-upgrade check
Upgrading the DP to 4.1.2
To upgrade the DP from 3.12.1 (or later) to 4.1.2:
- Click Admin | Software Upgrade.
- Choose 4.1.2.
- Click Start Upgrade.
Review Alert/Machine Learning Training Time for guidance on training time of updated ML models.
Upgrading Sensors
New features, updated ML algorithms, and enhanced configurations may change ingestion and detection patterns. We recommend the following to ensure a smooth upgrade:
- Upgrade sensors with the Sandbox and IDS features enabled before sensors with only the Network Traffic feature enabled. Sensors with Network Traffic enabled send data to sensors with Sandbox and IDS enabled for additional processing.
- Upgrade sensors in batches instead of all at once.
- For server sensors (agents):
- Upgrade a small set of sensors that cover non-critical assets.
- After 24 hours, ensure that your ingestion is as expected, then upgrade a larger set.
- After 24 hours, ensure that your ingestion is as expected, then upgrade the remaining server sensors.
Windows Server Sensors running 5.1.0 do not support sensor profiles that contain Unicode text; Windows Server Sensors running 5.1.1 or later do. If you want to use Unicode in your sensor profiles, upgrade to 5.1.1 or later before downloading any profiles containing Unicode to your Windows Server Sensors.
To upgrade Windows-based sensors:
If your deployment is already running v3.12.1 or later, you do not need to upgrade your Windows-based sensors. For deployments running older versions, manually download and upgrade using the 3.12.1 Windows installers below.
The software can be downloaded from the production server directly by using one of the following URLs.
- For 64-bit Windows:
https://acps.stellarcyber.ai/release/3.12.1/datasensor/windows-x64.msi
https://acps.stellarcyber.ai/release/3.12.1/datasensor/windows-x64.msi.sha1
- For 32-bit Windows:
https://acps.stellarcyber.ai/release/3.12.1/datasensor/windows-x86.msi
https://acps.stellarcyber.ai/release/3.12.1/datasensor/windows-x86.msi.sha1
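The .sha1 files published next to each installer are there so you can confirm the MSI you downloaded is the one the vendor published before you run it. The following PowerShell script is an added example and is not Stellar Cyber tooling: it fetches the installer and digest for the current architecture from the URLs above, verifies the SHA-1 locally, and only then hands the MSI to msiexec. It assumes the .sha1 file carries the hex digest as its first whitespace-separated token (the usual sha1sum layout); adjust the parsing if the vendor's file is laid out differently. The msiexec flags are generic Windows Installer options, not options documented for this installer.

```powershell
# Added example, not Stellar Cyber's own tooling.
# Download the 3.12.1 Windows sensor MSI plus its SHA-1 digest, verify, then install.
$ErrorActionPreference = 'Stop'

$base = 'https://acps.stellarcyber.ai/release/3.12.1/datasensor'
$msi  = if ([Environment]::Is64BitOperatingSystem) { 'windows-x64.msi' } else { 'windows-x86.msi' }
$dir  = Join-Path $env:TEMP 'stellar-sensor'
New-Item -ItemType Directory -Force -Path $dir | Out-Null

$msiPath  = Join-Path $dir $msi
$sha1Path = "$msiPath.sha1"

Invoke-WebRequest -Uri "$base/$msi"      -OutFile $msiPath
Invoke-WebRequest -Uri "$base/$msi.sha1" -OutFile $sha1Path

# Assumption: the digest is the first token of the .sha1 file (sha1sum-style layout).
$expected = ((Get-Content -Path $sha1Path -Raw).Trim() -split '\s+')[0].ToLowerInvariant()
if ($expected -notmatch '^[0-9a-f]{40}$') {
    throw "Unexpected content in $sha1Path : '$expected'"
}

$actual = (Get-FileHash -Path $msiPath -Algorithm SHA1).Hash.ToLowerInvariant()
if ($actual -ne $expected) {
    # Do not leave an unverified installer lying around for someone to double-click.
    Remove-Item -Path $msiPath -Force
    throw "SHA-1 mismatch for $msi (expected $expected, got $actual); installer discarded."
}
Write-Host "SHA-1 verified for $msi ($actual)"

# Silent install/upgrade with a verbose log; the log is what Technical Support will ask for.
$log  = Join-Path $dir "$msi.install.log"
$args = "/i `"$msiPath`" /qn /l*v `"$log`""
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $args -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "msiexec exited with code $($proc.ExitCode); see $log"
}
Write-Host "Sensor installer completed; log at $log"
```

Because the digest is fetched over the same HTTPS channel as the installer, this check catches truncated or corrupted downloads and a wrong file served from a cache, but not a compromised download server. If the MSI carries an Authenticode signature, checking it with Get-AuthenticodeSignature before installing gives you a stronger, vendor-bound guarantee.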
To upgrade Linux-based sensors:
- Click Collect | Sensor Overview. The Data Sensor List appears.
- Click the MANAGE drop-down and choose SOFTWARE UPGRADE. The DATA SENSOR SOFTWARE UPGRADE panel appears.
- Choose the 4.1.2 image.
- Choose the sensors to upgrade.
- Click Submit.
Verifying the Upgrade
To verify that the upgrade was successful:
- Check the Current Software Version on the Admin | Software Upgrade page.
- Make sure the sensors are up and running.
- Check the ingestion rate and make sure it is as expected.
- Check the number of alerts and make sure it is as expected.
- Check the system health indicator:
- indicates a perfectly healthy system.
- indicates minor issues. Monitor the system for 30 minutes. If the issues remain, investigate further.
- indicates major issues. Contact Technical Support.