Stellar Cyber 5.0.2 Release Notes

The Stellar Cyber 5.0.2 release brings the following improvements to the Stellar Cyber Open XDR platform. For detailed information, refer to the linked articles below.

Behavior Changes

Deprecations

  • Zoom Lateral View and Zoom Chronicle View are deprecated in 5.0.2. The pages will be removed in 5.1.0.

  • Custom Receivers can no longer be created in 5.0.2 and future releases.

Critical Bug Fixes

  • Fixed: Events were collected by the Windows Server Sensor even though they were not specified in the “Include Only” filter.

Platform Enhancements

  • Introduced temporary account lockout after consecutive login failures. Refer to Account Lockouts for details.

Sensor Improvements

  • Introduced the Aggregator feature in modular sensors. Currently, only Windows Server Sensors can communicate with Stellar Cyber SaaS through a Stellar Cyber aggregator. Linux Server Sensor support will be in a future release.

Connector Enhancements

  • Reintroduced the Rapid7 and Tenable.sc connectors.

  • Added the new connectors from the 4.3.5 release to 5.0.2. Refer to the Stellar Cyber 4.3.5 Release Notes for information on these connector enhancements.

Known Issues

  • When searching the Asset Analytics tab for an IP address, make sure you set the Search Column to Friendly Name, IP, or IP History. Searches for IP addresses with the Search Column set to its default value of All do not work correctly. This will be fixed in a later release.

  • The Cylance responder is unable to perform the Contain Host action due to a limitation of the Cylance REST API. All requests return a 500 Internal Server Error response.

  • Stellar Cyber recommends that you do not use the same login credentials to configure Azure or Azure Active Directory connectors for multiple tenants in the same company.

  • Windows Server Sensor installation can trigger the installation of Microsoft Visual C++ on the host machine if it is not installed already. If the installation of Visual C++ fails, the Windows Server Sensor may be unable to decode the token used to authorize and configure its installation, leaving it unable to register with the Stellar Cyber cloud. If this happens, use the following steps to proceed:

    1. Update and restart the host Windows machine to repair the Microsoft Visual C++ installation.

    2. Either reinstall the Windows Server Sensor or use the set token command in the Sensor CLI to authorize and configure the existing installation.

  • Log Forwarder only collects statistics for up to 100 different log source IPs per Log Forwarder worker. If the total number of log source IPs exceeds 100, statistics for the additional log source IPs are aggregated into the catch-all IP address of 0.0.0.0.

  • When multiple traffic filters are defined for a tenant with the same combination of IP, port, protocol, and layer 7 rules, the filter may fail to take effect. Administrators should review the defined traffic filters and make sure there are no duplicate definitions.

  • If you change the network interface configuration of a sensor’s VM after deployment, the eth0 interface may be remapped to a new interface. If this happens, the management network is disconnected. Contact Customer Success for assistance.
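
One way to carry out the duplicate traffic filter review described in the known issue above, as an added example that is not Stellar Cyber code. The record layout, field names, and filter names are hypothetical (filters transcribed by hand into a list), and it assumes that equivalent spellings of an IP, protocol, or layer 7 rule count as the same combination.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data; the field names are hypothetical, not a Stellar Cyber export format.
SAMPLE_FILTERS = [
    {"name": "drop-backup-a", "tenant": "acme", "ip": "10.1.2.3", "port": 445, "protocol": "TCP", "l7": ["smb"]},
    {"name": "drop-backup-b", "tenant": "acme", "ip": "10.1.2.3/32", "port": "445", "protocol": "tcp", "l7": ["SMB"]},
    {"name": "drop-dns", "tenant": "acme", "ip": "10.1.2.3", "port": 53, "protocol": "udp", "l7": ["dns"]},
    {"name": "drop-backup-c", "tenant": "globex", "ip": "10.1.2.3", "port": 445, "protocol": "tcp", "l7": ["smb"]},
]


def filter_key(f):
    """Normalize one filter to a comparable (tenant, ip, port, protocol, l7) tuple."""
    # strict=False accepts hosts and networks; a bare IPv4 host becomes a /32.
    net = ipaddress.ip_network(str(f["ip"]).strip(), strict=False)
    # Layer 7 rules are compared as a set: order and letter case are ignored (assumption).
    l7 = frozenset(rule.strip().lower() for rule in f.get("l7", []))
    return (f["tenant"], str(net), int(f["port"]), f["protocol"].strip().lower(), l7)


def find_duplicate_filters(filters):
    """Return lists of filter names that share a tenant and a normalized combination."""
    groups = defaultdict(list)
    for f in filters:
        groups[filter_key(f)].append(f["name"])
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


if __name__ == "__main__":
    for names in find_duplicate_filters(SAMPLE_FILTERS):
        print("duplicate definitions:", ", ".join(names))
```

Filters that match only across different tenants are not reported, because the known issue applies to duplicates defined for the same tenant.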

Upgrading Sensors

New features, updated ML algorithms, and enhanced configurations may change ingestion and detection patterns. We recommend the following to ensure a smooth upgrade:

  • Upgrade sensors in batches instead of all at once.

  • For Server Sensors:

    • Upgrade a small set of sensors that cover non-critical assets.

    • After 24 hours, ensure that your ingestion is as expected, then upgrade a larger set.

    • After 24 hours, ensure that your ingestion is as expected, then upgrade the remaining Server Sensors.

    • If you are upgrading a Windows Server Sensor, complete any pending updates for the host Windows machine before upgrading the Server Sensor.