Stellar Cyber 6.2.0s Release Notes

Software Release Date:
Release Note Updated:

The Stellar Cyber 6.2.0s release advances the Stellar Cyber vision of an autonomous SOC by enhancing speed, clarity, and confidence across detection, automation, and user experience.

The release notes are organized into the following sections:

Highlights

  • Resource Center: Gives you immediate, in-product access to release updates, feature guidance, documentation, training, and Stellar Cyber News, helping you stay informed and learn new capabilities directly within the Stellar Cyber Platform.

  • Adaptive Alert Filters: Expands alert filtering into dynamic, context-aware controls that let you automatically adjust severity, add business-relevant tags, or exclude low-value alerts from case scoring, turning raw detections into prioritized insights that align with real business impact.

  • New Identity-Based Detections: Expands detection logic to focus on user and entity behaviors, improving clarity and precision in detecting identity-related threats.

  • ASN Enrichment: Adds Autonomous System Number metadata for public IP addresses, enriching key fields such as src_ip and dst_ip with the associated number and organization to provide greater context and visibility into external network relationships.

  • Object-Level Access Control: Introduces fine-grained role-based permissions, ensuring users only access specific cases, detections, or assets relevant to their role, enhancing data security and confidence.

  • TCP Reset Response Action: Adds an automated response action for sensors monitoring mirrored traffic to terminate malicious network sessions in real time, improving speed and effectiveness in active threat containment.

  • Arbor Peakflow SP Parser Enhancements: Enhances parsing precision and consistency in Arbor Peakflow SP logs, improving data accuracy and maintaining compatibility with existing integrations.

  • ESET Premium Feed: Seamlessly ingests ESET threat intelligence to enrich detections and hunts in real time, ensuring indicators are instantly recognized and correlated for faster context and higher confidence.

    This feed is supported only when the Threat Intelligence Platform is enabled in your deployment. If you don’t see it in your user interface, contact your Stellar Cyber Customer Success representative to request enablement.

Actions Required

There are no actions required in this release.

Behavior Changes

Changes that affect the way users interact with the product or interpret results are listed below.

  • DATA-2964: Updated the Arbor Peakflow SP parser to extract alert_id values and normalize usage data. The field usage_pct now outputs as the numeric field usage_pct_number, removing the percent sign for easier aggregation in dashboards and queries. The msg_origin.category value changed from other to traffic for consistent classification with other network telemetry. These updates improve parsing for additional message variants and cause usage_pct to appear as numeric data and include new alert_id fields in Arbor Peakflow SP logs, which can affect saved filters or visualizations that previously used text values.

  • DATA-2957: Updated the Cynet (CEF) parser to correct field mappings and restore consistent classification. The parser no longer uses cynet_360 as the values for dev_type, dev_class, msg_origin.source, and msg_class. The dev_type and msg_origin.source fields now revert to cynet, while dev_class and msg_class values are determined dynamically by the cef.name field. This change ensures Cynet 360 logs normalize to the expected schema and that detections referencing cynet_alert match as intended. Parsed Cynet event data now displays cynet instead of cynet_360, which can affect filters, queries, or custom content based on the previous field values.

  • DATA-2936: Updated the NEC Indoor Unit parser to change how 419-character payloads are parsed. When a log payload contains 419 characters—419 characters being the fixed-width message format used by certain NEC IDU logs—the former event_detail field is no longer used. Instead, its components—event_type, slot, description, and result—are now parsed as separate fields according to their defined widths. Payloads of other lengths continue to use the previous parsing logic. This change improves field accuracy and visibility in event views, allowing queries and dashboards to filter or group by these individual values rather than a single aggregated event_detail field.

Deprecated Features

The third party alert integration for CrowdStrike based on DetectionSummaryEvent will be deprecated. Crowdstrike has deprecated DetectionSummaryEvent and replaced it with EppDetectionSummary. A new alert integration based on EppDetectionSummary will be in a future release.

Detection/ML

New Features

Improvements

Usability

New Features

  • Introduced the Resource Center to centralize walkthroughs, documentation, training, community discussions, support, and Stellar Cyber news options in one location. The Resource Center includes feature walkthroughs that highlight new or updated capabilities and provide guided, step-by-step instruction. After upgrading, an announcement banner introduces the current release and links to these walkthroughs, which can also be relaunched at any time from the Help | Resource Center menu. This enhancement makes it easier to learn new features, access guidance, and stay connected to Stellar Cyber resources directly within the product.

  • Introduced a new option in case settings that lets you configure the maximum number of alerts that can be correlated into a single case. The previous limit of 5,000 alerts is now adjustable within a range of 1 to 5,000. Setting a higher maximum increases correlation scope, providing greater context for understanding how alerts relate to each other, but also raises memory use and processing time. Setting a lower maximum improves performance and efficiency but can fragment related alerts across multiple cases, increasing the risk of missing patterns that indicate coordinated attacks. This enhancement lets you balance correlation depth with system capacity and investigative visibility.

  • Added public API endpoints under custom_response_actions that let you trigger response actions such as running scripts, invoking webhooks, isolating endpoints, or containing hosts. The update also unifies identity provider queries under a single idp path for Microsoft Entra ID and Active Directory integrations. It adds the ability to revert previously executed actions through an authenticated API request, improving control and auditability of response workflows. These enhancements expand automation capabilities and simplify integration with external security platforms. To see the interactive API reference, select the Help icon (question mark in a circle) at the top of the Stellar Cyber UI and then select API Docs. Refer to Introducing the Stellar Cyber API for information on working with the API.

  • Added public API endpoints under custom_response_actions that let you list and execute webhook and endpoint response actions. The APIs include discovery endpoints for available actions and execution endpoints that trigger webhooks or supported endpoint integrations such as contain_host. Requests require authenticated access and use JSON payloads to define action parameters and targets. The run_script action is not included in this release. These additions expand automation coverage for response actions and simplify integration with external systems through a consistent API framework. To see the interactive API reference, select the Help icon (question mark in a circle) at the top of the Stellar Cyber UI and then select API Docs. Refer to Introducing the Stellar Cyber API for information on working with the API.

  • Added a new interface for the ESET Premium feed that lets you discover available TAXII collections and create or update threat intelligence feeds from selected sources. The interface communicates with the https://taxii.eset.com/taxii2/ endpoint using configured authentication credentials and supports up to ten feed selections. It also lets you adjust the polling interval for each feed to control data retrieval frequency. This enhancement streamlines integration with ESET threat intelligence and simplifies feed management through a guided, self-service workflow.

  • Added new RBAC privileges that let you control who can add, edit, or delete XDR connectors. The update also introduces the XDR Ingestion Only role, which limits users to ingestion configuration without broader connector management permissions. Connector visibility in the interface is now enforced by assigned privileges, hiding XDR connectors when access is not granted. These enhancements strengthen administrative control and support more secure delegation of connector management tasks.

  • Introduced object-level sharing and access control that let you assign granular permissions to dashboards. Dashboard owners can grant or revoke Editor and Reader access, while global settings define the default visibility for new dashboards. When a user without permission attempts to open a dashboard, the system displays an access request option and sends email notifications when access is granted. These enhancements provide a secure, flexible framework for controlling who can view and edit dashboards.

Improvements

Stellar Cyber Platform

New Features

Improvements

  • Added stage-output metrics for message type 39 sensor-monitoring events to include NetFlow/IPFIX data. The Ingestion Dashboard and the Sensor Monitoring index now display IP Flow Information Export (IPFIX) sources and classes, showing IPFIX traffic in the Top Log Sources and Top Log Source Classes panels. This enhancement improves accuracy and completeness of network-flow statistics in ingestion monitoring views.

  • Changed case closure behavior so that closing a case now automatically closes all associated alerts by default, keeping case and alert statuses synchronized. This improvement ensures greater consistency between cases and their associated alerts, simplifying post-investigation cleanup and status tracking. You can adjust this behavior in Case Settings if you prefer a different workflow.

  • AELDEV-57725: Added Autonomous System Number (ASN) metadata enrichment for public IP addresses.

    Added ASN enrichment for public IP fields, including src_ip and dst_ip. The enrichment process identifies the associated Autonomous System Number and organization for each public IP, providing fields such as src_ip_asn, src_ip_asn_org, dst_ip_asn, and dst_ip_asn_org. This enhancement enables more precise filtering, alert suppression, and anomaly detection based on network ownership or routing domain, improving context for threat analysis and correlation.

Sensors

New Features

Improvements

Connectors

New Features

Improvements

Parsers

New Features

  • Added a built-in parser for ingesting BIO-key PortalGuard logs in RFC 5424 syslog format on port 5954. The parser extracts key-value pairs, normalizes keys by replacing spaces with underscores, and maps values to standard fields. Parsed data is immediately available for search, correlation, dashboards, and detections, providing unified visibility into PortalGuard authentication activity.

  • Added a built-in parser for ingesting GTB Data Loss Prevention (DLP) logs in RFC 3164 syslog format on port 5951. The parser extracts DLP-specific and network fields and flags truncated or split messages as error events. This parser improves monitoring of data-exfiltration alerts and network policy violations.

  • Added a built-in parser for ingesting IronWhale Eguard logs in RFC 3164 syslog format on port 5953. The parser extracts session fields including source and destination IP addresses, ports, and protocols, enabling accurate identification of traffic patterns and connection details. This parser enhances session-level visibility for IronWhale Eguard telemetry.

  • Added a built-in parser for ingesting Sangfor NDR logs in CEF format with embedded JSON on port 5952. The parser correctly handles complex base64-like values containing = within event evidence fields to ensure accurate field extraction. This parser improves reliability and completeness in Sangfor NDR event normalization and enhances visibility into network detection telemetry.

  • Added a built-in parser for ingesting Hillstone Network Intrusion Prevention System (NIPS) logs in custom StoneOS remote syslog format on port 5949. The parser extracts core session details including source and destination IP addresses, ports, and protocols, enabling precise mapping of intrusion prevention traffic flows. This enhancement strengthens visibility into network intrusion activity and policy enforcement events.

  • Added a built-in parser for ingesting Elastic Stack logs in RFC 3164 syslog or JSON format on port 5950. The parser supports either RFC 3164 headers followed by JSON payloads or pure JSON inputs, providing flexibility across deployment configurations. This addition enables direct ingestion of Elastic Stack event data for centralized monitoring and correlation within Stellar Cyber.

  • Added a built-in parser for ingesting Wallix Bastion logs in RFC 5424 syslog format on port 5948. The parser focuses on Bastion event logs and normalizes session-related data for privileged-access activities. This addition improves monitoring of administrative sessions and enhances audit visibility for Privileged Access Management (PAM) environments.

  • Added a built-in parser for ingesting ManageEngine Site24x7 logs in JSON format on port 5946. The parser extracts service and performance data to support IT infrastructure monitoring. This parser enables comprehensive visibility into Site24x7 events, simplifying correlation between infrastructure alerts and related operational metrics.

  • Added a built-in parser for ingesting Segura logs in Common Event Format (CEF) on port 5143. The parser extracts session, access-control, and governance details from Senhasegura events to normalize user and system interactions. This addition improves visibility into privileged-access operations and strengthens correlation between identity management and session activity.

  • Added a built-in parser for ingesting Cloudflare Audit Logs v2 in syslog format with JSON payloads on port 5945. The parser extracts audit and DNS record change data, enabling monitoring and alerting on create, update, and delete actions for DNS resources. This parser enhances visibility into Cloudflare configuration changes and strengthens oversight of DNS integrity.

  • Added a built-in parser for ingesting GHX Vendormate logs in RFC 3164 syslog format on port 5947. The parser extracts identity-related activity details to support monitoring of vendor access and compliance events. This addition improves visibility into authentication and onboarding actions within GHX Vendormate environments.

Improvements

  • Refined the enrichment logic for authentication events from Check Point Connectra to ensure accurate population of login fields. Logs with an action value of Log In now populate login_result=success and login_type=vpn, while logs with an action value of Failed Log In populate login_result=fail and login_type=vpn. The event.outcome field now aligns with the action value for consistent parsing, correlation, and search. These corrections apply automatically to existing deployments using the CheckPoint firewall parser and require no configuration changes on the Stellar Cyber Platform.

  • Enhanced the Seqrite Endpoint Security parser to support the version 8.3 log format, which uses a CEF header variant with one omitted field and additional extension keys. The parser now maps msg_data_name and msg_data_strvalue elements to normalized antivirus fields representing alerts, actions, and outcomes. This improvement ensures accurate parsing and complete normalization of Seqrite Endpoint Security 8.3 logs for correlation across detections, dashboards, and reports.

  • Added support for RFC 5424 syslog and expanded the OPNsense parser to include additional event types such as audit, configd.py, lighttpd, Unbound, and Zenarmor logs. The parser now recognizes structured data elements and high-precision timestamps and normalizes shared fields across event types. Filterlog events—that is, events from the firewall packet logging component in OPNsense—remain unsupported. This enhancement improves parsing consistency and visibility across a broader range of OPNsense components.

  • Improved handling of Cisco Firepower Management Center headers that include a four-digit year in the syslog_timestamp. The parser now accepts headers with or without a year and correctly extracts hostname, priority, timestamp, and message_id. Both formats normalize the syslog_timestamp field for consistent correlation. This update ensures reliable timestamp parsing across Firepower deployments without requiring any changes to Stellar Cyber configurations.

  • Updated the NGINX parser to recognize request lines that include quoted method and URL fields. Parsing now extracts method, url, status, bytes, and timestamp values, and classifies error events with dev_class set to nginx_err_msg when present. Unmatched lines populate parser_err_msg to aid troubleshooting. This improvement enhances accuracy and diagnostic visibility for both access and error logs in NGINX environments.

  • Expanded the Ubiquiti UDM Pro parser to support netfilter logs that include RFC 3164 syslog headers. The parser extracts standard connection attributes such as src, dst, spt, dpt, and proto to improve session classification. Logs must include properly formatted RFC 3164 headers for successful parsing. UniFi Network CEF logs remain unsupported in this parser and should be routed to the corresponding CEF parser.

  • Enhanced the FortiGate CEF parser to ensure consistent normalization across IPS, antivirus, and VPN events. Logs using the ad. prefix now populate threat fields, apply IPS enrichment, and are classified correctly into the IPS or Malware indices, while standard flow logs remain in the Traffic index. VPN events now normalize connect, disconnect, authentication success or failure, and tunnel state changes, populating event_type, category, src_ip, dst_ip, user, action, result, and session_id. These updates improve log classification accuracy and visibility of FortiGate threat and VPN activity across the platform and apply automatically without requiring any changes to Stellar Cyber configurations.

  • Enhanced the Palo Alto Networks Firewall parser to improve normalization of VPN events in GlobalProtect and SYSTEM authentication logs. The parser now enriches the login_result field and sets login_type to vpn for VPN-related records. Parsing also correctly processes GlobalProtect logs that omit tunnel_type. These updates improve rule matching and search accuracy for VPN authentication events.

  • Improved the Check Point Firewall parser to normalize and enrich VPN events. The parser now sets login_type to vpn when VPN data includes a login_result. SSL VPN events populate event.vpn.type as SSLVPN, and IPsec VPN events populate it as IPsec. These mappings standardize search, correlation, and rule logic across VPN variants, improving consistency in VPN-related analytics.

  • Enhanced the Fortinet FortiGate parser to improve field mapping and normalization for VPN and user-related events. These updates ensure that key values in FortiGate logs map to the correct fields in Interflow records for consistent analysis and correlation. The updated mappings include:

    • The VPN type in FortiGate logs maps to the event.vpn.type field in Interflow records (SSLVPN for SSL VPN and IPsec for IPsec VPNs).

    • The source IP (srcip) in FortiGate logs maps to the remip field in Interflow records.

    • The eapuser and xauthuser fields in FortiGate logs map to the srcip_username field in Interflow records, replacing the previous mapping from user.name.

    • The logid field in FortiGate logs maps to the logid field in Interflow records after extracting the last five digits for uniform indexing.

    These improvements strengthen event correlation, user attribution, and session visibility across FortiGate telemetry.

  • Expanded the Fortinet Fortimail parser to ingest logs in CEF format in addition to its existing regex + KVP parsing. The parser recognizes FortiMail CEF headers and vendor extensions and maps their values to normalized fields for consistent correlation and search. This addition improves visibility into FortiMail security and message-delivery events within the unified analysis environment.

  • Extended the Check Point parser to support structured logs introduced in version R81.20. The parser now accepts RFC 5424-formatted syslog events containing key-value arrays in brackets and correctly parses fields such as alert, attack, log_sys_message, and __policy_id_tag. It also handles repeated fields in Check Point logs such as layer_name, match_id, and rule_action, which can appear multiple times in a single event when several security layers or rules are applied. The parser processes concatenated events within a single payload, ensuring complete extraction and normalization. These updates provide full compatibility with Check Point R81.20 gateways and management servers.

  • Improved the F5 BIG-IP Local Traffic Manager (LTM) parser to recognize additional message variants and normalize key fields for consistent extraction. These updates extend support across a broader range of F5 LTM log types and ensure accurate field mapping and normalization for both existing and new deployments.

  • DATA-2964: Improved Arbor Peakflow SP parser.

    Enhanced the Arbor Peakflow SP parser to extract and normalize additional fields. The parser now outputs the usage_pct value as a numeric field (percent sign removed) and extracts alert_id from message text patterns such as alert #123456. It also recognizes additional message variants for improved field mapping and normalization of dynamic event content. These updates ensure more accurate data representation and consistency across Arbor Peakflow SP telemetry.

  • Expanded the Sangfor Internet Access Gateway (IAG) parser to include Sangfor Identity and Access Management (IAM) log formats. The parser recognizes opr_log and flux, normalizes log_type variants, and extracts record_time, opr_type, obj_type, user_name, ip_addr, user, group, host_ip, dst_ip, serv, app, site, tm_type, up_flux, and down_flux. Parsing handles mixed key-value tokens and spacing differences to ensure consistent field capture across messages. Previously supported formats continue to parse as before.

  • Improved parsing for IRONSCALES IronTraps events to populate email-related data. The parser now populates email.from.address, email.to.addresses, email.subject, and email.message_id from existing CEF fields (suser, duser, cs1 labeled "Email Subject", and cs2 labeled "Message-ID"). Parsing now applies to Phishing Email Attack, Phishing Email Attack Attachment, and Phishing Email Attack Link events. This enhancement increases visibility into email session context and supports better correlation for phishing-related detections without changing existing fields or mappings.

  • DATA-2957: Corrected field mapping in the Cynet (CEF) parser on port 5143.

    Corrected the msg_class produced by the Cynet (CEF) parser to output cynet_alert. The update removed overrides for dev_type and dev_class that previously overwrote this field. Normalization and enrichment now align with the expected schema, ensuring detections that reference cynet_alert function as intended. Custom detection content such as custom rules, correlation logic, and dashboards built on the now-obsolete cynet_360 field name must be updated to use the new cynet or cynet_alert field values, depending on the referenced field.

  • Expanded the Check Point Firewall (FW1) parser to support Unified Threat Management (UTM) and VPN event normalization. Parsing now covers Application Control, URL Filtering, Anti-Virus, Intrusion Prevention, and VPN negotiation logs. The parser populates standardized fields including category, application, action, disposition, signature, user, rule_name, and tunnel_id. These enhancements improve consistency in correlation, reporting, and dashboard visibility without requiring any changes to existing Check Point data sources or the Stellar Cyber Platform.

  • Enhanced the Palo Alto Networks Firewall parser to support Unified Threat Management (UTM) and Intrusion Prevention System (IPS) detections. Parsing now recognizes UTM and IPS threat events and maps attributes to standard fields such as file.name, event.utm.feature, action, fw_policy_id,and proto. Normalized records support consistent analytics, correlation, and alerting across sources. Existing Palo Alto Networks integrations on the Stellar Cyber Platform automatically ingest these events without additional configuration.

  • Enhanced the Fortinet FortiGate parser to improve normalization for Unified Threat Management (UTM) and VPN events. The parser now standardizes mappings for fields including event_type, category, threat_type, threat_name, severity, action, policy_id, session_id, src_ip, src_port, dst_ip, dst_port, username, app, tunnel, and vpn_type. Antivirus events parse consistently whether or not a virus identifier is present, and Voice over IP (VoIP) port handling now uses the correct field source. Subtypes for Intrusion Prevention System (IPS), Web Filter, antivirus, and VPN events align to a unified schema. These updates ensure uniform normalization across on-premises and SaaS deployments for improved correlation and reporting.

  • Extended the Barracuda Web Application Firewall (WAF) parser to support Common Event Format (CEF) logs and expanded normalization coverage. The parser now recognizes CEF headers and extracts fields including attackId, attack_type, attackDescription, actionTaken, rt, src, spt, dst, dpt, userAgent, request, requestMethod, and referer. The attackId field maps to event.sig_id, and the attack_type field maps to event.reason. When rt is present, the parser uses it for the event time; otherwise, the syslog header supplies the timestamp. These updates improve normalization accuracy and visibility into Barracuda WAF attack and response activity. Existing Barracuda WAF sources require no changes on either the source device or the Stellar Cyber Platform

  • Expanded the Apache HTTPD parser to recognize multiple Apache HTTP Server error log formats, including ModSecurity-style custom variants. The parser now handles variations in field order and separators and extracts timestamp, severity, module, pid, tid, client_ip, vhost, and message when available. These improvements increase parsing reliability for both standard and customized Apache error logs and maintain backward compatibility with existing log formats. Existing Apache HTTP Server sources and Stellar Cyber parser settings continue to operate without needing modification.

  • Improved how the SAP Security Audit parser handles timezones in the event.timestamp field. When logs include timezone data, the parser now preserves it. When logs omit a timezone, the parser applies the timezone configured on the receiving sensor before converting the value to Coordinated Universal Time (UTC) during ingestion. This update ensures consistent time normalization across SAP Security Audit events for accurate correlation and reporting.

  • Extended the Apache HTTP Server (HTTPD) parser to recognize new log_type values and process MySQL error logs. Parsing now tolerates headers without a colon delimiter and improves pattern matching for message variants. These enhancements expand compatibility across Apache deployments that forward application and database logs together, ensuring consistent normalization without changes to existing Stellar Cyber configurations.

  • Enhanced the Prisma Cloud Compute Edition parser to support additional fields and JSON extraction in audit logs. The parser now correctly parses fields such as collections, image_id, image_name, labels, description, and severity from raw logs and embedded JSON structures. Duplicate key entries are ignored, and the misspelled escription now maps to description. Parsing covers event types including image_scan, container_scan, compliance, and vulnerability, ensuring consistent extraction even when payloads contain malformed JSON segments. These improvements enhance reliability and completeness of Prisma Cloud Compute audit event normalization. These improvements apply automatically to existing Prisma Cloud Compute connectors on the Stellar Cyber Platform.

  • DATA-2936: Improved the parsing of NEC Indoor Unit (IDU) logs.

    Refined the NEC Indoor Unit (IDU) parser to use fixed-width column alignment for consistent field extraction. The parser now correctly identifies fields such as Hostname, Username, Event Type, Source IP, and Category when present, and treats the Result field as optional and skips it if absent. It also ignores variable padding and enforces consistent spacing for accurate field detection. These updates increase parsing precision for NEC Indoor Unit telemetry and ensure automatic matching for events ingested through standard syslog pipelines on the Stellar Cyber Platform.

  • Updated the IRONSCALES IronTraps CEF parser to parse new elements in the msg_data section of the log. The parser now maps sender_name and employee_name into the ironscales namespace and normalizes email_subject to email.subject. These enhancements improve field completeness and event correlation for phishing-related logs. Newly ingested events automatically parse the additional fields; reparse historical data if you need backfilled values.

  • Refined the Ubiquiti parser to stabilize field counts and types by implementing a key allowlist and normalizing key casing. Unknown or invalid keys now route to msg_data instead of the vendor namespace, and embedded JSON content parses as structured data. The parser also ensures correct typing for MAC address fields. These improvements apply automatically to existing Ubiquiti syslog ingestion on the Stellar Cyber platform and require no configuration changes.

  • Enhanced the Check Point Appliance parser to improve syslog header handling and field mapping. The parser now accepts the updated key-value header format, correctly separates the hostname, and maps Action to the normalized action field. These updates prevent hostname text from prefixing field keys and ensure consistent extraction of action values. No changes are required to existing Stellar Cyber configurations using the Check Point Appliance parser. If a custom parser override exists for this source, it must be removed or updated to inherit the new header logic.

  • Expanded the Fortinet FortiADC parser to support space-delimited log formats in addition to the existing comma-delimited format. Parsing now correctly extracts the date and time fields and retrieves key-value pairs embedded in the msg, pkt_hdr, and matched_part fields for search and analytics. The parser also supports configuration of key lists to extract only specific elements when required. These updates automatically apply to existing FortiADC data sources on the Stellar Cyber Platform and require no configuration changes.

  • Expanded the Tait Communications Linux Syslog (custom) parser to extract user identifiers (UID) and usernames from pam_unix session messages generated by sudo and su commands. Parsed values now populate the user.id field with the initiating account UID and the user.name field with the target account name. Session state remains available in linux_syslog.action and related fields. These updates improve visibility into privilege escalation and account-switching activity in Linux environments.

  • Enhanced the NXLog parser to extract tenant identifiers into the top-level tenantid field. When NXLog events contain a TenantID key in the event_data or nxlog field, the parser now populates tenantid and removes the nested key to prevent duplication. The match is case-insensitive, and both Windows and Linux JSON payloads are supported. These updates enable tenant-level separation and visibility without requiring changes to existing Stellar Cyber configurations.

  • Extended the Arista Data Center Switch Router parser to support RFC 5424 syslog headers in addition to RFC 3164. The parser now detects both header formats and extracts fields including timestamp, hostname, appname, procid, msgid, structured-data, and message. Configuring Arista devices to emit syslog in RFC 5424 format enables full field extraction on the Stellar Cyber Platform. Existing RFC 3164 log behavior on the Stellar Cyber Platform remains unchanged.

Early Access Program

If you're interested in testing out new features ahead of general availability, consider joining the Early Access Program (EAP) by contacting your Stellar Cyber Customer Success representative and telling them which EAP feature you want to test. Once you've agreed to the EAP terms and signed up, the EAP feature is unlocked for you.

The purpose of this program is to boost performance and reliability through real-world customer insights, giving you a hands-on role in shaping a Stellar Cyber feature. In return, you'll receive early access to upcoming releases and the chance to guide product development.

The following are the EAP features available in this release:

Automated Triage of Phishing Email

The automated triage of suspected phishing email is available for SaaS deployments only. It classifies user-reported email messages through built-in threat intelligence, optional external threat intelligence, and AI-powered analysis. This feature provides an automated triage agent that analyzes reported emails, offering detailed analysis and AI-generated insights. As a result of automated processing, Stellar Cyber reduces manual workloads, enables faster response times, and ensures consistent, transparent alerting in the UI.

AI Case Analysis & Summary

This release includes AI-generated narratives within the Case Detail view to accelerate investigations. New AI-generated sections automatically summarize alerts into a case-level story, reconstruct timelines, explain relationships between entities, and provide tailored response recommendations. Analysts gain faster context and clearer next steps without manually stitching alerts together.

XDR Connect Webhook Ingestion

This is a simple webhook framework that lets you post JSON data directly from any external system into Stellar Cyber, accelerating custom integrations and expanding your visibility across the entire security stack.

Resolved Issues

  • Corrected query generation for scheduled reports so that the data returned in emailed or exported reports now matches the results shown in the on-screen report preview. While dashboards continue to apply default and global filters as designed, global filters are no longer applied to scheduled report queries. This change ensures consistency between previewed and delivered results, providing predictable report output without affecting dashboard filtering behavior.

  • Corrected synchronization logic so that both status and status_num values now update consistently when cases are imported or modified through ServiceNow integration. Previously, filtering and queries could mismatch status values—for example, returning resolved Cases when filtering for New. The fix ensures accurate filtering on the Cases page and through the /api/cases endpoint. This improvement takes effect automatically in Stellar Cyber without requiring any changes to the ServiceNow configuration.

  • Corrected tenant context handling so that lookup lists now appear correctly in the Value drop-down list when the operator is in lookup or is not in lookup is selected in the Add Alert Filter dialog box (renamed as Add Alert Customization in 6.2.0). In previous releases, users navigating to Detections | Alerts | View | More Info | Add Alert Filter could see lookup lists from other tenants or fail to see their own. This fix restores accurate tenant-based lookup visibility and ensures reliable alert customization in multi-tenant environments.

  • Eliminated the 300-second execution limit for Windows Sensor upgrades and disabled the automatic reinstallation that occurred when the process was incorrectly marked as failed after a version change. Longer upgrade tasks now complete normally without forced termination or unintended uninstall. The improvement increases upgrade reliability and stability for Windows Server Sensors.

  • Resolved an issue in Cases | <case-name> | Analysis | Timeline where the timeline did not refresh after selecting a different path in the interactive graph. The timeline now updates correctly to reflect the chosen path and associated alerts, providing accurate temporal context and improving investigative efficiency.

  • Updated the SSH server configuration on Modular Sensors to disable the obsolete ssh-rsa host key algorithm, which uses SHA-1. Servers now support only the stronger SHA-2–based algorithms rsa-sha2-256, rsa-sha2-512, and ssh-ed25519. Legacy SSH clients that still rely on ssh-rsa must be upgraded or reconfigured because connections using the deprecated algorithm will now fail. This update strengthens encryption security and aligns Modular Sensor SSH services with current cryptographic standards.

  • Upgraded the OpenSSH package in the Modular Sensor base image to version 8.9p1-3ubuntu0.13 to enhance security and resilience against remote exploits. This update includes security fixes for the regreSSHion remote code execution, authentication bypass, and CVE-2025-26465 vulnerabilities. The reported sensitive information disclosure issue does not apply to the Ubuntu OpenSSH package, which Stellar Cyber has included in Modular Sensors since version 6.0.0. No user action is required.

  • Corrected the sensor upgrade process so that the TLS certificate verification option for log forwarding remains intact after upgrades to 6.2.0s. In earlier versions, this setting could reset to its default value, requiring administrators to reapply the preferred configuration manually. The fix applies to Modular Sensors, which forward normalized data and third-party device logs to the Stellar Cyber Data Processor, and to Windows Server Sensors, which forward host telemetry to the Data Processor. This improvement ensures consistent log forwarding behavior and reduces post-upgrade maintenance effort.

  • Added logic to the Windows Server Sensor to apply a safe default value when the memory_monitor_enabled parameter is missing from the aos.yaml configuration file. Previously, the absence of this parameter caused the sensor to stop reporting status, leading sensors to be purged automatically and later reappear as unauthorized after reconnection. The update ensures the sensor continues communicating with the Stellar Cyber Platform without requiring manual intervention, maintaining uninterrupted sensor reporting and operational stability.

  • Corrected a startup failure that could occur on Debian 12 systems, where Linux Server Sensors sometimes stopped reporting to the Stellar Cyber Platform after upgrade. The update ensures that sensors on Debian 12 start normally and maintain continuous connectivity after upgrading to 6.2.0. This fix improves operational stability for environments deploying Linux Server Sensors on Debian 12.

  • Enhanced event processing in the Mimecast connector to eliminate duplicate entries for mimecast_email_attachment_protect_log events when using API version 2.0. Previously, repeated entries could generate redundant alerts for Mimecast Attachment Protect and Mimecast Antivirus detections. Deduplication now uses the processingId field to identify and suppress duplicates, ensuring accurate alert correlation and reducing unnecessary alert volume.

  • Fixed stability issues in single-node Data Lake environments that included a standby node. Previously, users might have experienced temporary unavailability or UI readiness warnings during system joins or synchronization. This update eliminates these interruptions, allowing standby systems to synchronize smoothly and remain stable throughout operation. In doing so, this fix improves reliability and ensures consistent Data Lake accessibility during normal and standby transitions.

  • Updated report logic to ensure an accurate calculation of Average Daily Data Volume and consistent use of data units. Previously, the Executive Summary Report and Case Report displayed inflated values and differed from results returned by the /daily_average API endpoint. Metrics now show true daily averages using standardized byte-based values. The fix ensures that data volume information is accurate and consistent between reports and APIs, improving reporting reliability and alignment with integrated tools.

  • Resolved an issue where switching the MFA policy from mandatory to optional could disable MFA for users who were already enrolled. Under the corrected behavior, accounts with an existing MFA factor continue to authenticate using MFA, while unenrolled accounts can sign in without it and enroll later if desired. Enrolled users retain their existing factors when the policy is toggled between optional and mandatory. This change ensures consistent enforcement of MFA policies and preserves user enrollments across configuration updates.

Upgrading Sensors

You can upgrade Stellar Cyber Sensors from 6.0.0 or later to 6.2.0. You must:

  • Prepare for the upgrade

  • Upgrade the sensors

  • Verify the upgrade

Prepare for the Upgrade

To prepare for the upgrade:

  • Make sure the sensors are up and running
  • Take note of the ingestion rate for the sensors to be upgraded in the Sensor Details page
  • Make sure the system health indicators in the Sensor Details page all show green.

Upgrade the Sensors

New features, updated ML algorithms, and enhanced configurations may change ingestion and detection patterns. We recommend the following to ensure a smooth upgrade:

  • Upgrade sensors with the Sandbox and IDS features enabled before sensors with the only the Network Traffic feature enabled. Sensors with Network Traffic enabled send data to sensors with Sandbox and IDS enabled for additional processing.
  • Upgrade sensors in batches instead of all at once.
  • For server sensors (agents):
    • Upgrade a small set of sensors that cover non-critical assets.
    • After 24 hours, ensure that your ingestion is as expected, then upgrade a larger set.
    • After 24 hours, ensure that your ingestion is as expected, then upgrade the remaining server sensors.

CentOS 7.1 Prerequisite – Update curl to 7.29.0-59.el7_9.2 or Higher

Before upgrading any Linux Server Sensors running in CentOS 7.1, you must check your curl version and update it to 7.29.0-59.el7_9.2 or higher to use the strong encryption required by the Stellar Cyber Platform.

  1. Check your curl version as shown below:

    yum list installed curl

    \* Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile Installed Packages curl.x86_64 7.29.0-19.el7

  2. If the listed version is lower than 7.29.0-59.el7_9.2 (as it is in the example above), use the following commands to update the curl package:

    yum makecache

    yum install curl

  3. If installation of the curl package fails, it is most likely because CentOS is trying to use a repo that has reached its end of life. Try updating the base URL and then reinstall curl. The following sed command makes the necessary changes for most environments to ensure that the updated curl package can be installed:

    sudo sed -i.bak -e 's|^mirrorlist=|#mirrorlist=|' -e 's|^#baseurl=http://mirror.centos.org/centos/\$releasever|baseurl=http://archive.kernel.org/centos-vault/7.9.2009|' /etc/yum.repos.d/CentOS-Base.repo

To upgrade sensors:

You can upgrade a sensor to the most recent release from the two previous releases. This means that you can upgrade a sensor to the 6.2.0 release from any 6.0.x or 6.1.x release.

If you are upgrading a Windows Server Sensor, complete any pending updates for the host Windows machine before upgrading the Server Sensor.

  1. Select System | DATA SOURCE MANAGEMENT | Sensors | Sensors.

    The Sensor List appears.

  2. Select Manage | Software Upgrade.

    The Sensor Software Upgrade page appears.

  3. Choose the target software version.

  4. Choose the target sensors.

  5. Select Submit.

Verify the Upgrade

To verify that the upgrade was successful:

  • Check the Software Version in the Sensor List.
  • Check the Sensor Status LED in the Sensor List.
  • Check the ingestion rate in the Sensor Details page for upgraded sensors and make sure it is as expected.