Stellar Cyber 4.3.3 Release Notes
Stellar Cyber 4.3.3 brings improvements to the Stellar Cyber Open XDR platform, including new features, improvements, enhancements, key fixes, and known issues. Upgrade instructions follow all of that great information.
For an overview, see the Stellar Cyber 4.3.3 Preview Video.
Highlights
- Introduced the Deep Instinct connector.
- Introduced new XDR alerts that are mapped from the following native third-party alert sources:
  - Azure AD Risk Detection
  - Google Workspace: Gmail Phishing
  - Deep Instinct Events
- Greatly improved data sink performance.
- Improved the incident filtering capabilities.
Behavior Changes
Changes that affect the way users interact with the product or interpret results are listed below.
- Updated the alert type Internal SMB Write Anomaly with:
  - XDR Kill Chain: Propagation
  - Tactic: Lateral Movement
  - Technique: Remote Services
- Moved the Azure Event Hub connector to the PaaS category.
- Cancelled incidents now remain in the list with their graphs, names, and scores intact, so you continue to have visibility on them.
- The Event Status global filter is intentionally ignored in reports that are based on the Operational View and Analyst View dashboards.
- To address performance issues, the vulnerabilities and vulnerabilities_srcs columns are excluded from the asset table export. However, these fields can still be exported for individual assets.
- The new incident filters available in this release replace the pre-filtered tabs previously available at the top of the Incidents display. In addition, the Incidents page now uses the tabular view as its default instead of the grid.
- If you change a cold retention time to 0, no new data of the corresponding type is moved to cold storage. However, any existing data in cold storage is left there.
- Parser changes are listed below.
Sensor Improvements
- Security Sensors can send reconstructed files to an external HTTPS server. The feature can be enabled in the sensor's CLI. Use this feature carefully: reconstructed files may still be malicious.
Parser Enhancements
- Introduced the following new parsers for ingestion:
  - ShareTech Firewall (port 5609)
  - Fortinet Fortimail (port 5616)
  - PIOLINK WEBFRONT-K (port 5617)
  - CheckPoint Harmony EP (port 5618)
  - Radware DefensePro (port 5619)
  - VMware UAG (port 5620)
  - BeyondTrust BeyondInsight (port 5621)
  - SentinelOne Singularity Mobile (port 5623)
- Normalized the log.syslog.priority field to integers in the following parsers:
  - Wins IPS ONE-1 / Wins DDX
  - Zscaler ZIA Web
  - Avaya Switch
  - Brocade Switch system and admin logs
  - Trend Micro Proxy
  - Mako Networks Firewall
  - McAfee ePolicy Orchestrator
  - MonitorApp
  - Aliyun/AliCloud
  - McAfee Network Security
- Updated the following parsers so that the parsed error-report object only has the fields dev_type, parser_raw_msg, parser_err_msg, and timestamp:
  - Wins IPS ONE-1 / Wins DDX
  - Zscaler ZIA Web
  - Brocade Switch
  - Trend Micro Proxy
  - Dell Switch
  - Hewlett Packard Unix
  - Cisco Meraki
  - MonitorApp
  - Aliyun/AliCloud
- Updated the Fortinet Fortimail parser:
  - Changed the vendor namespace to fortinet.
  - Changed the values of the dev_type and dev_class fields from forti_mail to fortinet_fortimail.
- Updated the Zscaler ZIA Web parser:
  - Moved the msg_data.appid field to the top level as appid.
  - Set msg_origin.category to firewall.
  - Normalized the proto_name field to proto. When proto_name is http or https, the proto_name field is kept.
- Updated the Trend Micro Proxy parser:
  - Set msg_origin.category to websec.
- Updated the Cisco Router Switch parser:
  - Added support for a new log format.
- Updated the Centrify parser:
  - Moved the process_id, event_id, and severity fields to the vendor namespace.
- Updated the Mako Networks Firewall parser:
  - Added support for more log formats.
- Enhanced the Avaya Switch parser:
  - Added support for a new log format.
- Enhanced the McAfee ePolicy Orchestrator parser:
  - Added support for a new log format.
  - Removed the enriched fields for mcafee.Event.Name and mcafee.UpdateEvent.Name.
- Enhanced the Dell Switch parser:
  - Added support for syslog messages in the RFC 5424 format.
- Enhanced the HP Unix parser:
  - Added support for more log types.
- Updated the Cisco Meraki parser:
  - Mapped transport_protocol to the normalized field proto.
  - Moved the fields of the vendor-specific field list into the msg_data field.
- Updated the SonicWall Firewall parser:
  - Normalized the spkt field to outpkts_total.
  - Normalized the rpkt field to inpkts_total.
- Enhanced the F5 Silverline parser:
  - Removed the event.threat_campaign_names field.
  - Mapped the f5.threat_campaign_name field to the event.threat_campaign_name field.
- Enhanced the Cisco ISE parser:
  - Added support for a new log format.
- Enhanced the Checkpoint appliance parser:
  - Moved the following fields from msg_data to the vendor namespace: service_id, encryption failure, vpn_user, src_machine, dst_machine, rule_uid, rule_name, Product Name, svc.
  - Moved the service field from the top level to the vendor namespace.
- Enhanced the Fortinet Analyzer parser:
  - Logs with 5-tuples are forwarded to the Traffic index.
- Improved the Cisco ASA parser to cover more log types.
- Enhanced the McAfee Network Security parser:
  - Normalized the time field to log.syslog.timestamp.
  - Normalized the event_description field to log.event_description.
  - Removed spaces at the start and end of the result field.
- Updated the CoreLight Sensor parser:
  - Added support for millisecond precision in the timestamp field.
- Enhanced the MonitorApp parser:
  - Set the msg_origin.category field to websec.
  - Set the dev_class field to monitor_app.
  - The event.time_str field stores the original timestamp string if the timestamp string cannot be parsed.
  - The log.event_description field stores the original message part when the message cannot be recognized.
- Updated all records from the Windows Server agent to include msg_origin.source: windows_agent.
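Two of the parser changes above, the integer log.syslog.priority field and the four-field error-report object for unparseable messages, are illustrated by the following added example. It is not Stellar Cyber's parser code: the sample lines, the dev_type value and the derived facility/severity split (a standard syslog property the release notes do not mention) are assumptions made here.

```python
import re
from datetime import datetime, timezone

# Syslog PRI header, e.g. "<134>..." (RFC 3164 / RFC 5424).
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# Constructed sample lines, not taken from the release notes.
SAMPLE_OK = "<134>Oct 11 22:14:15 proxy01 access: user=alice url=example.com"
SAMPLE_BAD = "Oct 11 22:14:15 proxy01 access: no PRI header on this line"


def parse_syslog_record(raw, dev_type, now=None):
    """Return a normalized record, or the minimal error-report object.

    On success log.syslog.priority is an int (not the string "134"), and the
    facility and severity it encodes (PRI = facility * 8 + severity) are
    derived next to it. If the PRI header is missing or out of range, only
    dev_type, parser_raw_msg, parser_err_msg, and timestamp are returned.
    """
    ts = (now or datetime.now(timezone.utc)).isoformat()
    m = PRI_RE.match(raw)
    pri = int(m.group(1)) if m else None
    if pri is None or pri > 191:  # 23 * 8 + 7 = 191 is the largest valid PRI
        return {
            "dev_type": dev_type,
            "parser_raw_msg": raw,
            "parser_err_msg": "missing or invalid syslog PRI header",
            "timestamp": ts,
        }
    return {
        "dev_type": dev_type,
        "log": {
            "syslog": {"priority": pri, "facility": pri // 8, "severity": pri % 8},
            "event_description": m.group(2),
        },
        "timestamp": ts,
    }


def at_least_warning(record):
    """True when the record's syslog severity is warning (4) or more urgent.
    The comparison only works because severity is an int: as strings,
    "134" would sort before "34" and "4" would sort after "10"."""
    sev = record.get("log", {}).get("syslog", {}).get("severity")
    return sev is not None and sev <= 4
```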
Connector Enhancements
- Introduced the Deep Instinct connector, which collects Devices, Events, and Suspicious Events and maps the events to XDR alerts.
- Enhanced the CloudTrail connector:
  - Mapped userIdentity.userName to the normalized field user.name.
  - Mapped userIdentity.accountId to the normalized field user.id.
- Updated the Azure AD connector and Google Workspace connector, moving the id field under the respective vendor namespace (azure_ad and gsuite).
- Enhanced the Windows Defender connector with more evidence attributes.
Detection/ML Improvements
- Improved the User Login Location, Login Time Anomaly, and Impossible Travel alerts to reduce false positives. As part of the improvement, adjusted the fidelity score of Login Time Anomaly.
- Alerts from the following third-party data sources are mapped to XDR alerts:
  - Azure AD Risk Detection
  - Google Workspace: Gmail Phishing alerts
  - Deep Instinct Events
- Improved the Mimikatz Credential Dump alert to lower the false positives.
Platform Enhancements
- Greatly improved the data sink performance.
- Included alert IDs in the external API /connect/api/incidents.
Usability Improvements
- Improved the incident filtering capabilities. Users can now filter incidents by name, Score, Creation or Modified dates, Assignee, Status, Priority, or Tags.
- To clean up the display, only default key fields with values are shown in the Detailed Alert view.
- Added a direct link to the Stellar Cyber Learning Portal in the dropdown menu.
- Sensor profiles can be cloned, and updates can be made in the duplicated profiles.
- Introduced multiple usability improvements in the Alerts page.
- Improved System | Exclusions | Alert Filters to support filtering on values contained in arrays embedded in JSON objects. Array fields can be referenced with "." in a JSON object.
- Improved the incident graph so that Stellar Cyber sensors are shown with a special icon.
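The alert filter change above (referencing values inside JSON arrays with a "."-separated path) is illustrated by the following added example, which also applies the contains, does not contain, and is operators named under Known Issues. This is not Stellar Cyber's filter implementation: the alert document and its field names are constructed placeholders, and the array-descent semantics are an assumption about how such a path is resolved.

```python
import json

# Constructed alert document; the field names are hypothetical placeholders,
# not Stellar Cyber's actual alert schema.
ALERT = json.loads("""
{
  "event_name": "Internal SMB Write Anomaly",
  "evidence": {
    "hosts": [
      {"ip": "10.0.0.5", "tags": ["workstation"]},
      {"ip": "10.0.0.9", "tags": ["server", "file-share"]}
    ]
  }
}
""")


def resolve_path(doc, path):
    """Collect every value reachable through a '.'-separated path.
    When an intermediate value is a list, the walk descends into each element,
    so 'evidence.hosts.ip' yields one value per host and 'evidence.hosts.tags'
    yields every tag of every host. An unknown key resolves to [].
    """
    values = [doc]
    for key in path.split("."):
        next_values = []
        for value in values:
            for item in (value if isinstance(value, list) else [value]):
                if isinstance(item, dict) and key in item:
                    next_values.append(item[key])
        values = next_values
    flat = []  # leaf arrays are flattened so operators compare element-wise
    for value in values:
        flat.extend(value if isinstance(value, list) else [value])
    return flat


def filter_matches(doc, path, operator, needle):
    """Apply the is / contains / does not contain operator to every value the
    path resolves to; the filter hits when any element satisfies it."""
    values = resolve_path(doc, path)
    strings = [v for v in values if isinstance(v, str)]
    if operator == "is":
        return any(v == needle for v in values)
    if operator == "contains":
        return any(needle in v for v in strings)
    if operator == "does not contain":  # also true when the path has no values
        return not any(needle in v for v in strings)
    raise ValueError(f"unsupported operator: {operator}")
```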
Critical Bug Fixes
- Fixed the issue where "Unknown" was shown in the Vendor column for all MAC Identified Assets.
- Fixed the failure when importing a Snapshot from external storage with the error "Empty shards" when the APIs experience temporary failures and long latency.
- Fixed the Cisco Umbrella connector to allow any S3 prefix specified in the Data Path field.
- When a Packet Forwarding receiver is configured in a sensor profile, it is now ignored by the security sensors rather than causing MAC flipping and affecting network stability.
- Fixed the issue where the GuardDuty connector failed to pull any data when encountering errors.
- Fixed the physical sensor port mapping issue after DHCP is enabled on the management interface.
- Fixed a 4.3.1 regression where only one email address could be entered in the Recipient configuration.
- Fixed the issue where disabling an application category in a Windows sensor profile did not stop the application's log collection.
- Fixed the issue where an incomplete incident report was generated when the incident description or resolution is long.
- In Snapshot Storage Configuration, import/export with scp can now be configured on ports other than the default 22.
- Addressed an erroneous disk space warning for Windows Agents ("Disk space no longer sufficient…").
- Allowed the appID field to be added in a log filter for Palo Alto FW logs.
Known Issues
- In the rare case where the Stellar Cyber menu options have been significantly reorganized, administrators may need to review the settings of their custom user RBAC profiles. For example, any changed path to User Management, Connectors, or Visualize is considered by Stellar Cyber to be a "new feature." So if you have user profiles with Behavior for New Features in Future Releases set to No Access, those users will not be able to access these features. Since the menu options were significantly changed in v4.3.0, migrations from older releases to v4.3.x and beyond warrant this review.
- If you use a Cynet connector to perform a Contain Host or Shutdown Host action on a host that is already disabled, shut down, or otherwise not reachable, Cynet returns a status that the request was successful, which is reported in the Stellar Cyber UI. If you are not certain whether an action was successful, verify it in the Cynet dashboard.
- Deleting a Data Sink Import task and then creating a new one with the same dates results in duplicate data for any pre-4.3.1 data requested by the import.
- To prevent an inconsistent database state, make sure you delete any active Data Sink import or restore tasks before using the Clear Database option in the System | Data Processor | Data Management | Advanced tab.
- Operators are enabled in pick list menus when they are supported by the selected field or rule. For this reason, use the menu-based queries rather than the Search keyword field with these operators. Examples include the contains, does not contain, and is operators. Support for additional fields and rules will be added in the future.
- During the upgrade to v4.x and later, the alert type definitions are migrated to a new internal format, but the alert name remains the same in the UI. If the data you are viewing contains alerts generated before the upgrade, be advised that those are treated as separate from the alerts generated by the new, migrated definition (even though the alert name appears to be the same). Optionally, rename your alerts to more easily distinguish alerts generated from the old definitions from those created after the upgrade.
- Use the System | Sensors | Manage | Software Upgrade feature to upgrade Windows Server Sensors running 3.7.x and later to 4.3.3. Although you can use the System | Agents | Windows page to download MSI and/or MST files for Windows Server Sensor installations, these files should only be used for fresh installations and reinstallations, not for upgrades.
- Currently, administrators need to use the Stellar Cyber UI to upgrade existing 4.2.2 Windows agent sensors to version 4.3.3. Download the GPO configuration in the UI under System | Agents | Windows only for new sensor installations or sensor reinstallations.
- You cannot delete a Data Sink that has an active import or restore in the Data Sink Import or Data Sink Restore tabs. Delete any active import/restore tasks for the data sink, wait at least ten minutes, and then delete the data sink.
- With the improvements made to table management, some saved columns may not appear, and users need to readjust their columns.
- The Log Forwarder only collects statistics for up to 100 different log source IPs per Log Forwarder worker. If the total number of log source IPs exceeds 100, the statistics for the additional log source IPs are aggregated into the catch-all IP "0.0.0.0".
- A modular sensor upgrade fails when the associated modular sensor profile has the IDS or Sandbox features enabled and the corresponding feature license is not assigned to the sensor. Workaround: authorize the sensor with an IDS and Sandbox license, or disable the IDS and Sandbox features in the modular sensor profile, and then try the upgrade again.
- Stellar Cyber recommends using the same CPU and memory specifications for DL nodes. Variations in specifications across worker nodes can cause Data Lake stability issues.
- For deployments with an HTTP proxy configured for Sensors or Data Processors, note that the vendor APIs Stellar Cyber relies on for the following connectors do not support communication through a proxy: Proofpoint, Cisco Umbrella, VMware Carbon Black, Duo Security, Tenable.io, Prisma Cloud, AWS CloudTrail, BlueCoat WSS, Proofpoint on Demand, and Azure Event Hub.
- When multiple traffic filters are defined for a tenant with the same combination of IP, port, protocol, and layer 7 rules, the filter may fail to take effect. Administrators should review the defined traffic filters and make sure there are no duplicate definitions.
- Files may not be assembled by Security Data Sensors for traffic mirrored from physical interfaces on Cisco Nexus 9K models. As a workaround, configure VLAN mirroring on the Cisco switch.
- Sensor installation on Linux servers running CentOS 6 fails because the official CentOS 6 package download link is no longer available.
- If you change the network interface configuration of a sensor's VM after deployment, the eth0 interface may be remapped to a new interface. If this happens, the management network is disconnected. Contact Technical Support for assistance.
Upgrading
You can only upgrade Stellar Cyber to 4.3.3 from 4.2.x, 4.3.1, or 4.3.2. You must:
Refer to the online documentation section Upgrading Software for more detailed instructions.
Preparing for the Upgrade
To prepare for the upgrade:
- Back up the data and configuration.
- Make sure the sensors are up and running.
- Take note of the ingestion rate.
- Take note of the number of alerts.
- Make sure the system health indicator shows a healthy system.
- Run the pre-upgrade check.
Upgrading the DP to 4.3.3
- Click Admin | Software Upgrade.
- Choose 4.3.3.
- Click Start Upgrade.
Review Alert/Machine Learning Training Time for guidance on training time of updated ML models.
Upgrading Sensors
New features, updated ML algorithms, and enhanced configurations may change ingestion and detection patterns. We recommend the following to ensure a smooth upgrade:
- Upgrade sensors with the Sandbox and IDS features enabled before sensors with only the Network Traffic feature enabled. Sensors with Network Traffic enabled send data to sensors with Sandbox and IDS enabled for additional processing.
- Upgrade sensors in batches instead of all at once.
- For server sensors (agents):
  - Upgrade a small set of sensors that cover non-critical assets.
  - After 24 hours, ensure that your ingestion is as expected, then upgrade a larger set.
  - After 24 hours, ensure that your ingestion is as expected, then upgrade the remaining server sensors.
Windows Server Sensors running 5.1.0 do not support sensor profiles that contain Unicode text, but Windows Server Sensors running 5.1.1 or later do. If you want to use Unicode in your sensor profiles, upgrade to 5.1.1 or later before downloading any profiles with Unicode to your Windows Server Sensors.
To upgrade Linux or Windows Server Sensors:
If you are upgrading a Windows Server Sensor, complete any pending updates for the host Windows machine before upgrading the Server Sensor.
- Click System | Sensors. The Data Sensor List appears.
- Click Software Upgrade in the Manage dropdown. The Data Sensor Software Upgrade page appears.
- Choose the target software version.
- Choose the target sensors.
- Click Submit.
Verifying the Upgrade
To verify that the upgrade was successful:
- Check the Current Software Version on the Admin | Software Upgrade page.
- Make sure the sensors are up and running.
- Check the ingestion rate and make sure it is as expected.
- Check the number of alerts and make sure it is as expected.
- Check the system health indicator:
  - indicates a perfectly healthy system.
  - indicates minor issues. Monitor the system for 30 minutes. If the issues remain, investigate further.
  - indicates major issues. Contact Technical Support.