Stellar Cyber 4.3.4 Release Notes

Stellar Cyber 4.3.4 brings improvements to the Stellar Cyber Open XDR platform, including new features, improvements, enhancements, key fixes, and known issues. Upgrade instructions follow all of that great information.

For an overview, see the Stellar Cyber 4.3.4 Preview Video.


Highlights

  • Introduced per-tenant authentication configuration (SSO or Local).

  • Introduced the CYRISMA connector.

  • MalOps (alerts) ingested from Cybereason connectors are deduplicated and mapped to XDR alerts.

  • Introduced a public API to update properties of a Stellar Cyber Incident.

  • Enhanced the public API for incident search with a time range.

Behavior Changes / Deprecations

Changes that affect the way users interact with the product or interpret results are listed below.

  • With the introduction of per-tenant authentication override (Local or SSO), the user login flow is changed. Users need to enter just their username or email address before completing the authentication. For more details, refer to the online help topic on Logging In.

  • Parser changes are listed below.

  • Deprecated and removed the Session Deduplication option in the Data Analyzer Profile. The behavior now is always Off.

Critical Bug Fixes

  • Addressed a race condition during sensor software upgrade that can block sensors from sending data to Data Processors.

  • Fixed the issue where the Public and Private addresses were reversed in the tooltip in the Visualize | ML-IDS dashboard.

  • Fixed a regression where correlated alerts did not have links to the underlying Interflow records.

  • Fixed the issue where only the top ten items were listed in each table of the Ingestion Dashboard.

  • Fixed a bug where a user could not submit a newly created dashboard after changing the type from Per Record to Grouping.

  • Fixed an exception error in the Tenable Nessus connector running in a sensor.

  • Fixed a Log Forwarder parser error where the log delimiter was not found when received in TCP sessions.

Usability Improvements

  • Enhanced incident management so that the assignee is based on the access scope of the assigner.

  • Added alert updates and score changes to the incident history.

  • Added a link to the original Interflow records for each alert in an incident’s alert table.

  • Enhanced the Windows Server Sensor profile to allow both inclusion and exclusion filters.

  • Introduced per-tenant authentication configuration. Each tenant can be configured to override the Global authentication model. A tenant can be set to use the strategy configured at the Global level, to use Local authentication, or to use a separate IdP provider for single sign-on (SSO). (The Root Tenant must be configured to the Default (same method as the Global authentication) or Local. It is not supported for configuration with an independent SSO.)

  • The help menu now links to the Stellar Cyber Support Community page instead of the FAQs.

Detection/ML Improvements

  • Alerts ingested from Cybereason connectors are deduplicated and mapped to XDR alerts.

  • The Process Anomaly, Abnormal Parent/Child Process, Uncommon Process Anomaly, and User Process Usage Anomaly alerts now use log source Sysmon event ID 1, whenever available, instead of Windows event ID 4688. This provides more information, including the binary hash value of the process.

  • Improved the Abnormal Parent / Child Process and Uncommon Process Anomaly alerts by removing processes belonging to the Stellar Cyber agent to reduce false alarms.

  • Improved the low-volume alert for Data Ingestion Volume Anomaly so that fewer alerts are reported.

  • Improved the Login Time Anomaly alert with tuned hyperparameters to reduce false positives. Changed the fidelity calculation to produce higher quality output.

  • The previous Google Workspace User Suspended alert is split into separate Google Workspace User Suspended and Google Workspace Account Manipulation alerts to reflect different types of user suspensions in Google Workspace.

  • Improved the External & Internal Brute-Forced Successful User Login alerts to reduce the total number of alerts per day. We now report only one alert per day for each srcip identified as a brute forcer.

  • Introduced the DCSync Attack alert. This attack uses a legitimate Windows Domain Controller's API to simulate the process that replicates domain credential data from a remote host using a domain account with sufficient replication permissions. This alert identifies rarely seen domain replication events on the Domain Controller as the sign of potential compromise.

  • Enhanced Stellar Cyber alerts by always trying to find and merge an Interflow record with traffic metadata.

  • Improved the SMB Suspicious Copy alert to detect more types of SMB file copy behaviors.
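The DCSync Attack alert above is described as flagging rarely seen domain replication events on a Domain Controller. The following is an added example of that rarity-based detection pattern; it is not Stellar Cyber's detection code. It runs over constructed Windows Security event 4662 (Directory Service Access) records, builds a per-account baseline of replication requests, and flags requests from accounts that have not replicated before. The record layout, field names, sample accounts, the baseline threshold and the machine-account allowlist are assumptions; the control access right GUIDs are the well-known Windows values for the DS-Replication-Get-Changes rights.

```python
from collections import Counter

# Well-known control access right GUIDs a replication request must reference.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}


def replication_rights(event):
    """Names of the replication rights referenced in a 4662 record's
    Properties field; an empty list for any other event."""
    if event.get("EventID") != 4662:
        return []
    props = str(event.get("Properties", "")).lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def replication_baseline(events):
    """Per-account count of replication requests seen in the baseline window."""
    return Counter(
        e["SubjectUserName"].lower() for e in events if replication_rights(e)
    )


def detect_rare_replication(baseline, new_events, max_baseline_count=0):
    """Flag replication requests by accounts seen at most max_baseline_count
    times in the baseline. Machine accounts (trailing '$') are skipped as an
    assumed allowlist for ordinary DC-to-DC replication."""
    alerts = []
    for e in new_events:
        rights = replication_rights(e)
        if not rights:
            continue
        account = e["SubjectUserName"].lower()
        if account.endswith("$"):
            continue
        if baseline.get(account, 0) <= max_baseline_count:
            alerts.append({"account": account, "host": e["Computer"],
                           "rights": rights})
    return alerts


def _evt(user, props, computer="dc01.example.test", event_id=4662):
    """Build a minimal, constructed 4662-style record (not real log output)."""
    return {"EventID": event_id, "SubjectUserName": user,
            "Computer": computer, "Properties": props}


GET_CHANGES = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
GET_CHANGES_ALL = "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
BOTH_RIGHTS = GET_CHANGES + " " + GET_CHANGES_ALL
NON_REPLICATION = "{00000000-0000-0000-0000-000000000000}"  # constructed placeholder

# Constructed baseline: a DC machine account and a sync service account replicate routinely.
BASELINE_EVENTS = (
    [_evt("DC02$", BOTH_RIGHTS) for _ in range(40)]
    + [_evt("svc_aadsync", BOTH_RIGHTS) for _ in range(12)]
)

# Constructed new events: only the never-before-seen user account should alert.
NEW_EVENTS = [
    _evt("DC02$", BOTH_RIGHTS),
    _evt("svc_aadsync", BOTH_RIGHTS),
    _evt("jdoe", NON_REPLICATION),
    _evt("jdoe", BOTH_RIGHTS),
]

if __name__ == "__main__":
    base = replication_baseline(BASELINE_EVENTS)
    for a in detect_rare_replication(base, NEW_EVENTS):
        print(f"rare replication by {a['account']} on {a['host']}: {a['rights']}")
```

The baseline window and the threshold are the tuning knobs: a longer window captures every legitimate sync account, and raising max_baseline_count above zero trades a little sensitivity for fewer alerts on accounts that replicate only occasionally.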

Platform Enhancements

  • Introduced a public API to update properties of a Stellar Cyber incident, including the priority, status, assignee, tags, or description.

  • Enhanced the public API for incident search with a time range.

Sensor Improvements

  • Introduced built-in Sensor Profile templates for different levels of Windows Server Sensor log collection:

    • Windows Detect Profile (Low Volume). The selection covers the minimal events required for native detections in Stellar Cyber.

    • Windows Context Profile (Medium Volume). Adds events commonly used by third-party detection rules.

    • Windows Compliance Profile (High Volume). Covers all Windows events.

  • Added the Windows PowerShell option under Other Channels in the Windows sensor profile.

  • A Tenable Nessus vulnerability scanner is integrated in the Stellar Cyber modular sensor and can be enabled with a license and Link Key from Tenable. You configure this option in a Modular Sensor profile before applying that profile to a sensor that has been upgraded to 4.3.4.

  • Improved the sensor CLI to allow an unreachable domain in set cm <domain>. This lets you configure the sensor in an offline setup environment.

  • Removed the PowerShell dependency for Windows Server Sensor installation.

Connector Enhancements

  • Introduced the CYRISMA connector. When configured in the Root tenant, vulnerability data from multiple CYRISMA tenants can be collected and mapped to the matching tenants.

  • Introduced the Isolate an Endpoint response action for the Deep Instinct connector.

  • Enhanced the Azure EventHub connector to support Bastion and Key Vault as content types.

  • Enhanced the Tenable.sc connector with an added option for ingesting Severity 0 logs.

  • For the Cybereason connector, the primaryRootCauseName in the cybereason_malops_all_types content type is mapped differently depending on the value of cybereason.rootCauseElementType:

    • If the value is process, primaryRootCauseName is set to process.name.

    • For all other values, including file, primaryRootCauseName is set to file.name.

Parser Enhancements

  • Introduced the following new built-in parsers:

    • Ordr Connected Device Security

    • Stormshield Network Security Firewall

    • Microsoft Office 365 logs

    • Sophos Web Appliance

    • Deep Instinct

  • Made the following parser enhancements:

    • Enhanced the HTTP JSON parser to accept Bitdefender log push when HTTPS is enabled.

    • Enhanced the VMware ESXi and the VMware vCenter parser:

      • Added support for new log format.

    • Enhanced the pfSense Firewall log parser:

      • Field type of log.syslog.priority is set to integer.

      • Field msg_origin.category is set to firewall.

      • Field msg_class is set to firewall.

    • Enhanced SentinelOne CEF parser:

      • Logs containing full 5 tuples go to the traffic index.

    • Enhanced the Privacy-i log parser:

      • Field msg_class is set to privacy and field msg_origin.category is set to dlp.

      • Original field priority is normalized to log.syslog.priority.

      • Original field syslog_time is normalized to log.syslog.timestamp.

      • Logs are sent to the Traffic index when they contain a full 5-tuple.

    • Enhanced Wins IPS ONE-1 / Wins DDX Parser:

      • Original field proto_name is normalized to proto. When proto_name cannot be parsed, the original string value is stored in winstech.protocol.

      • Field winstech.msg_data is merged into msg_data.

    • Enhanced the Palo Alto Networks firewall log parser:

      • Added support for logs from version 10.2.

      • Addressed the parsing error "Can’t find matched key list."

    • Enhanced the Netflow parser:

      • Original field IN_PKTS is normalized into field inpkts_delta instead of inpkts_total.

      • IN_BYTES is normalized into field inbytes_delta instead of inbytes_total.

    • Enhanced the Pulse Secure log parser:

      • Added support for new log formats.

      • Original field log.syslog.app_name is now normalized to log.syslog.appname.

    • Enhanced the Barracuda Email parser:

      • Recognizes the new log format.

      • Original field score is normalized to score_str.

    • Enhanced the NetIQ Access Manager Parser:

      • Original field netiq.timestamp is normalized to event.timestamp. When parsing fails, the original string is stored in the event.time_str field.

    • Enhanced Cynet CEF log parser:

      • Moved fields remedstat, gpfilehash, gppruser, gpparams, gpssdeep, gpsign, psrule, and pscmd to vendor specific.

      • Field dev_type is set to cynet.

      • Field msg_origin.category is set to endpoint.

      • Field msg_class is set to cynet_audit when field cef_name is Audit; otherwise set to cynet_alert.

      • Original field filepath is normalized to file.path, and the original field fname is normalized to file.name.

      • Moved the following fields from msg_data to vendor namespace: reqip, clientid, externalid, scangroupid, scangroupname, sev, rtutc, dtutc, hostls, over, epsver, confver, etwalertid, pruser, pparams, sign, pct.

    • Enhanced the Infoblox Network Identity OS parser:

      • Added support for a wider range of log messages.

      • Original field dst_ip is normalized into dstip.

      • Addressed parsing errors when encountering ("", "n/a", "-", "null", "/") in logs.

      • When the dstip field is an invalid IP address, it is moved into the vendor namespace as infoblox.dst_ip.

    • Enhanced the Sophos Firewall log parser:

      • Added support for more log messages.

      • Original field sophos.protocol is normalized to sophos.proto_name, and its value is converted to lower case when its lower-cased value is http or https.

    • Enhanced the Netfilter parser:

      • Field type of log.syslog.priority is now integer.

      • Field msg_origin.category is set to netlogs.

      • Field msg_class is set to netfilter.

      • Removed the deprecated field syslog_time.

      • Use field log.event_description to store the original message part when the message cannot be recognized.

    • Enhanced the Array Network Secure Access Gateway parser:

      • Field type log.syslog.priority is set to integer.

      • Field msg_origin.category is set to vpn.

      • Field msg_class added with its value set to array_sag.

      • Removed the deprecated syslog_time field.

      • Field log.event_description stores the original message part when the message cannot be recognized.

    • Enhanced the Guardicore CEF parser:

      • Moved the msg_data.destination_process_path field to destination_process_path.

      • Fields cs15, cs15Label, cs16, and cs16Label are extracted to field msg_data as customized key-value pairs.

    • Enhanced the Cisco ESA parser:

      • Field msg_class is set to cisco_esa.

      • Field msg_origin.category is set to email.

    • Enhanced the Sophos Endpoint parser:

      • Field msg_origin.category is set to endpoint.

    • Enhanced the Ericom ZTEdge parser:

      • Recognizes more log messages.

      • When the field ericom.tags is not an array, the value is cast to a string and stored in field ericom.tags_str.

      • When the field ericom.Local_Browser is not an array, the value is cast to a string and stored in the field ericom.Local_Browser_str.

      • When the field ericom.Profile is not a number, the value is cast to a string and stored in field ericom.Profile_str.

    • Enhanced the SonicWall VPN parser:

      • Field msg_class is set to sonicwall_vpn.

      • Field msg_origin.category is set to vpn.

      • Field syslog_time is removed.

    • Enhanced the WatchGuard Firewall Security Appliance parser:

      • Field msg_class is set to sonicwall_vpn.

      • Field msg_origin.category is set to vpn.

      • Field syslog_time is removed.

    • Enhanced the Penta Security WAPPLES WAF parser:

      • Field msg_class is set to firewall.

      • Field msg_origin.category is set to firewall.

      • Field syslog_time is removed.

    • Enhanced the AhnLab TrusGuard parser:

      • Field msg_class is set to firewall.

      • Field msg_origin.category is set to firewall.

      • Field syslog_time is removed.

    • Enhanced the Checkpoint Firewall syslog parser:

      • Added support for new types of logs.

    • Enhanced the NetIQ Access Manager Parser:

      • When the netiq.username field does not exist, set it to the value of username.

    • Enhanced the Hewlett Packard Unix parser:

      • Moved the log.syslog.app_name field to log.syslog.appname.

    • Enhanced the Radware DefensePro parser:

      • Added support for more log messages.

    • Enhanced the Redhat OpenShift parser:

      • Field msg_class is set to “redhat_openshift”.

      • Moved the log.syslog.app_name field to log.syslog.appname.

    • Enhanced the VMWare NSX T Data Center parser:

      • Moved the log.syslog.app_name field to log.syslog.appname.

      • Moved the log.syslogstructured_data field to log.syslogstructured_data_str.

    • Enhanced the Symantec Messaging Gateway parser:

      • Field msg_class is set to symantec_messaging_gateway.

    • Enhanced the Automox parser:

      • Logs containing a full 5-tuple go to the traffic index.

      • Field msg_class is set to automox.

    • Enhanced the RSA Auth parser:

      • Logs containing full 5 tuples go to the traffic index.

      • Field msg_class is set to rsa_auth.

      • Field msg_origin.category is set to iam.

    • Enhanced the Tripwire parser:

      • Logs containing full 5 tuples go to the traffic index.

      • Field msg_class is set to tripwire.

      • Field msg_origin.category is set to endpoint.

    • Enhanced the Zixmail parser:

      • Logs containing full 5 tuples go to the traffic index.

      • Field msg_class is set to zix_mail.

      • Field msg_origin.category is set to email.

    • Enhanced the Dell iDRAC parser:

      • Field msg_class is set to dell_idrac.

      • Field msg_origin.category is set to saas.

    • Enhanced the Dragos CEF parser:

      • Field msg_class is set to cef.

    • Enhanced the Zscaler ZPA parser:

      • Field msg_class is set to zscaler_zpa.

      • Field msg_origin.category is set to vpn.

    • Enhanced the Zscaler Web parser:

      • Field msg_class is set to zscaler_zia_web.

      • Field msg_origin.category is set to weblogs.

    • Enhanced the DHCPD parser:

      • Field msg_class is set to dhcpd.

      • Field msg_origin.category is set to netmgmt.

      • Field syslog_time is removed.

    • Enhanced the MikroTik firewall and router parser:

      • Field msg_class is set to mikrotik.

      • Field msg_origin.category is set to netlogs.

      • Field syslog_time is removed.

    • Enhanced the Ubiquiti UAP-AC-Pro parser:

      • Field msg_class is set to ubiquiti.

      • Field msg_origin.category is set to netlogs.

      • Field syslog_time is removed.

    • Enhanced MONITORAPP parser:

      • Logs containing a full 5-tuple are sent to the traffic index.

    • Enhanced the Aliyun / AliCloud parser:

      • Field msg_class is set to aliyun.

    • Enhanced the Splunk Heavy Forwarder parser:

      • Field msg_class is set to splunk_forwarder.

      • Field msg_origin.category is set to netmgmt.

    • Enhanced the Juniper SSG parser:

      • Field msg_class is set to firewall.

      • Field msg_origin.category is set to firewall.

    • Enhanced the Hillstone parser:

      • Field msg_class is set to firewall.

      • Field msg_origin.category is set to firewall.

    • Enhanced the Nxlog parser:

      • Field Message is parsed into field event_data.Message_obj instead of log.event_description when the field syslog_appname contains Netwrix_Auditor_Integration_API.

    • Enhanced the AIX parser:

      • Field msg_class is set to aix.

      • Field msg_origin.category is set to unixlogs.

    • Enhanced the Cisco ASA parser:

      • Field rep_device_rule_id is mapped to cisco.message_id.

      • Added enriched field action based on rep_device_rule_id.

    • Updated the following parsers so that the error-report object will only have the following fields: dev_type, parser_raw_msg, parser_err_msg, and timestamp:

      • AhnLab TrusGuard

      • Ahnlab Policy Center

      • AIX

      • Array Network Secure Access Gateway

      • Aruba Switch

      • Automox

      • BlueCoat ProxySG

      • Checkpoint Firewall

      • Cisco ASA

      • Cisco ESA

      • Cisco MDS

      • Cisco UCS parser

      • Cisco VPN parser

      • DHCPD

      • Dragos CEF

      • Fatpipe Networks SD-WAN

      • Graylog

      • Hillstone

      • Indesface Web Application Firewall

      • Jsonar Database Security Tool

      • Juniper SSG

      • Linux syslog

      • MikroTik firewall and router

      • Mailboarder Agent

      • McAfee Advanced Threat Defense

      • Netfilter

      • OngLogin

      • Penta Security WAPPLES WAF

      • pfSense Firewall

      • Privacy-i

      • Red Hat OpenShift

      • RSA Auth

      • Sophos Endpoint

      • SonicWall VPN

      • Splunk Heavy Forwarder

      • Security Strategy Research (SSR) Metieye

      • Symantec Messaging Gateway

      • Ubiquiti UAP-AC-Pro

      • WatchGuard Firewall Security Appliance

      • VMWare NSX-T Data Center

      • Zixmail

      • Zscaler ZPA
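Several of the parser notes above describe the same normalization pattern: a field is moved to its normalized name only when its value parses as the expected type, and otherwise the original value is kept under a fallback key (the NetIQ netiq.timestamp to event.timestamp / event.time_str rule, the Infoblox dst_ip to dstip / infoblox.dst_ip rule, the Ericom ericom.tags, ericom.Local_Browser and ericom.Profile rules with their *_str fields), while records that carry a full 5-tuple are routed to the traffic index. The following is an added example of that pattern, not Stellar Cyber's parser code. The field names come from the notes; the flat dotted-key record layout, the function names, the epoch-millisecond timestamp format, the name of the fallback index and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime, timezone

FIVE_TUPLE = ("srcip", "dstip", "srcport", "dstport", "proto")


def coerce_type(rec, field, expected):
    """Ericom-style rule: if rec[field] is present but not of the expected
    type, drop it and keep str(value) under field + '_str' so the index
    mapping never sees a conflicting type for the normalized field."""
    if field in rec and not isinstance(rec[field], expected):
        rec[field + "_str"] = str(rec.pop(field))
    return rec


def normalize_ip(rec, src, dst, vendor_key):
    """Infoblox-style rule: rename src to dst when it holds a valid IP
    address; otherwise move the raw value into the vendor namespace key."""
    if src not in rec:
        return rec
    raw = rec.pop(src)
    try:
        rec[dst] = str(ipaddress.ip_address(str(raw).strip()))
    except ValueError:
        rec[vendor_key] = raw
    return rec


def normalize_timestamp(rec, src, dst, str_key):
    """NetIQ-style rule: parse src as ISO 8601 into dst (epoch milliseconds,
    an assumed target format); on failure keep the original string in str_key."""
    if src not in rec:
        return rec
    raw = str(rec[src])
    try:
        ts = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    except ValueError:
        rec[str_key] = raw
        return rec
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    rec[dst] = int(ts.timestamp() * 1000)
    return rec


def target_index(rec):
    """Records carrying a full 5-tuple go to the traffic index; the name of
    the fallback index ('syslog') is assumed."""
    return "traffic" if all(f in rec for f in FIVE_TUPLE) else "syslog"


def normalize(rec):
    """Apply the rules above to a copy of rec and choose its index. A real
    parser applies only its own vendor's rules; all three vendors' rules are
    combined here to show the pattern."""
    rec = dict(rec)
    coerce_type(rec, "ericom.tags", list)
    coerce_type(rec, "ericom.Local_Browser", list)
    coerce_type(rec, "ericom.Profile", (int, float))
    normalize_ip(rec, "dst_ip", "dstip", "infoblox.dst_ip")
    normalize_timestamp(rec, "netiq.timestamp", "event.timestamp", "event.time_str")
    return rec, target_index(rec)


# Constructed sample records, not real product output.
SAMPLE_RECORDS = [
    {"ericom.tags": "prod,web", "ericom.Profile": "17", "srcip": "10.1.2.3",
     "dstip": "10.9.8.7", "srcport": 51234, "dstport": 443, "proto": "tcp"},
    {"dst_ip": "n/a", "netiq.timestamp": "not-a-date"},
    {"dst_ip": "192.0.2.10", "netiq.timestamp": "2023-05-01T12:00:00Z"},
]

if __name__ == "__main__":
    for sample in SAMPLE_RECORDS:
        out, index = normalize(sample)
        print(index, out)
```

The point of the fallback keys is that a typed index field (an IP, a date, an array) is only ever written with a value of that type; anything that does not parse is still retained, in a separately named string field, so no record is dropped and no mapping conflict is introduced.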

Known Issues

  • In the rare case when the Stellar Cyber menu options have been significantly reorganized, it is possible that administrators will need to review settings for their custom user RBAC profiles. For example, any changed path to User Management, Connectors, or Visualize is considered by Stellar Cyber to be a "new feature." So if you have user profiles with Behavior for New Features in Future Releases set to No Access, they will not be able to access these features. Since the menu options were significantly changed in v4.3.0, migrations from older releases to v4.3.x and beyond warrant this review.

  • If you use a Cynet connector to perform a Contain Host or Shutdown Host on a host that is already disabled, shutdown, or otherwise not reachable, Cynet returns a status that the request was successful which is reported in the Stellar Cyber UI. If you are not certain whether an action was successful, you may verify it in the Cynet dashboard.

  • Deleting a Data Sink Import task and then creating a new one with the same dates results in duplicate data for any pre-4.3.1 data requested by the import.

  • To prevent an inconsistent database state, make sure you delete any active Data Sink import or restore tasks before using the Clear Database option in the System | Data Processor | Data Management | Advanced tab.

  • Operators are enabled in pick list menus when they are supported with the selected field or rule. For this reason, use the menu-based queries rather than the Search keyword field with these operators. Examples include contains, does not contain, and is operators. Additional fields / rule support will be added in the future.

  • During upgrade to v4.x and later, the alert type definitions are migrated to a new internal format, but the alert name remains the same in the UI. If the data you are viewing contains alerts generated from prior to the upgrade, be advised that those will be treated as separate from the alerts generated by the new, migrated definition (even though the alert name appears to be the same). Optionally, rename your alerts to more easily identify alerts generated from the old definitions from those created post upgrade.

  • Use the System | Sensors | Manage | Software Upgrade feature to upgrade Windows Server Sensors running 3.7.x and later to 4.3.4. Although you can use the System | Agents | Windows page to download MSI and/or MST files for Windows Server Sensor installations, these files should only be used for fresh installations and reinstallations and not for upgrades.

  • Currently, administrators need to use the Stellar Cyber UI to upgrade existing 4.2.2 Windows agent sensors to version 4.3.4. Download the GPO configuration in UI System | Agents | Windows only for new sensor installation or sensor re-installation.

  • You cannot delete a Data Sink that has an active import or restore in the Data Sink Import or Data Sink Restore tabs. Delete any active import/restore tasks for the data sink, wait at least ten minutes, and then delete the data sink.

  • With improvements made to the table management, some saved columns may not appear and users need to readjust columns.

  • Log Forwarder only collects statistics for up to 100 different log source IPs per Log Forwarder worker. If the total number of log source IPs exceeds 100, the additional log source IPs' statistics are aggregated into a catch-all IP “0.0.0.0”.

  • A modular sensor upgrade will fail when the associated modular sensor profile has the IDS or Sandbox features enabled and the corresponding feature license is not assigned to the sensor. Workaround: Authorize the sensor with an IDS and Sandbox license, or in the modular sensor profile, disable the IDS and the Sandbox features and try to upgrade again.

  • Stellar Cyber recommends using the same CPU and Memory specifications for DL nodes. Variations in specifications across worker nodes can cause Data Lake stability issues.

  • For deployments with HTTP proxy configured for Sensors or Data Processors, note that the vendor APIs Stellar Cyber relies on for the following connectors do not support communication through a proxy: Proofpoint, Cisco Umbrella, VMware Carbon Black, Duo Security, Tenable.io, Prisma Cloud, AWS Cloudtrail, BlueCoat WSS, Proofpoint on Demand and Azure Event Hub.

  • When multiple traffic filters are defined for a tenant with the same combination of IP, port, protocol, and layer 7 rules, the filter may fail to take effect. Administrators should review the defined traffic filters and make sure there are no duplicate definitions.

  • Files may not be assembled by Security Data Sensors for traffic mirrored from physical interfaces on Cisco Nexus 9K models. As a workaround, configure VLAN mirroring on the Cisco switch.

  • If you change the network interface configuration of a sensor’s VM after deployment, the eth0 interface may be remapped to a new interface. If this happens, the management network is disconnected. Contact Technical Support for assistance.

Upgrading

You can only upgrade to Stellar Cyber 4.3.4 from 4.2.x or 4.3.x. You must:

Please refer to the online documentation section Upgrading Software for more detailed instructions.

Preparing for the Upgrade

To prepare for the upgrade:

  • Back up the data and configuration
  • Make sure the sensors are up and running
  • Take note of the ingestion rate
  • Take note of the number of alerts
  • Make sure the system health indicator shows
  • Run the pre-upgrade check

Upgrading the DP to 4.3.4

To upgrade the DP to 4.3.4, first upgrade to 4.2.x or 4.3.x.

  • Click Admin | Software Upgrade.

  • Choose 4.3.4.

  • Click Start Upgrade.

Review Alert/Machine Learning Training Time for guidance on training time of updated ML models.

Upgrading Sensors

New features, updated ML algorithms, and enhanced configurations may change ingestion and detection patterns. We recommend the following to ensure a smooth upgrade:

  • Upgrade sensors with the Sandbox and IDS features enabled before sensors with only the Network Traffic feature enabled. Sensors with Network Traffic enabled send data to sensors with Sandbox and IDS enabled for additional processing.
  • Upgrade sensors in batches instead of all at once.
  • For server sensors (agents):
    • Upgrade a small set of sensors that cover non-critical assets.
    • After 24 hours, ensure that your ingestion is as expected, then upgrade a larger set.
    • After 24 hours, ensure that your ingestion is as expected, then upgrade the remaining server sensors.
    • Because Windows Server Sensors running 5.1.0 do not support sensor profiles that contain text in Unicode but Windows Server Sensors running 5.1.1 or later do, if you want to use Unicode in your sensor profiles, be sure to upgrade to 5.1.1 or later before downloading any profiles with Unicode to your Windows Server Sensors.

To upgrade Linux or Windows Server Sensors:

If you are upgrading a Windows Server Sensor, complete any pending updates for the host Windows machine before upgrading the Server Sensor.

  1. Click System | Sensors. The Data Sensor List appears.

  2. Click Software Upgrade in the Manage dropdown. The Data Sensor Software Upgrade page appears.

  3. Choose the target software version.

  4. Choose the target sensors.

  5. Click Submit.

Verifying the Upgrade

To verify that the upgrade was successful:

  • Check the Current Software Version on the Admin | Software Upgrade page.
  • Make sure the sensors are up and running.
  • Check the ingestion rate and make sure it is as expected.
  • Check the number of alerts and make sure it is as expected.
  • Check the system health indicator:
    • indicates a perfectly healthy system.
    • indicates minor issues. Monitor the system for 30 minutes. If the issues remain, investigate further.
    • indicates major issues. Contact Technical Support.