Stellar Cyber 6.3.0 Release Notes

Highlights

Usability and UX Enhancements

• Query Manager Import/Export: Adds import and export support to share and reuse queries easily across instances and tenants.

• “Add to Watchlist” Experience: Simplifies adding entities to watchlists directly from investigation workflows, improving speed and usability.

Detections and Machine Learning

• User Login Location Anomaly Enrichment: Enhances login anomaly detections with ASN and User Agent data for greater triage accuracy.

• Fortinet UTM Enhancements: Expands and refines Fortinet UTM detection coverage for improved visibility into network-based threats.

Integrations

• XDR Connect Webhook: Enables streamlined ingestion of third-party alerts through a flexible, webhook-based integration framework.

• Domain Service: Introduces centralized domain management for connectors to improve scalability and reliability.

Actions Required

There are no actions required in this release.

Behavior Changes

Changes that affect the way users interact with the product or interpret results are listed below.

• DATA-3110: Updated the Forcepoint Data Loss Prevention (CEF) parser to align field mappings with the normalized data model. The parser now maps duser to dstip_username and sourceHost to srcip_host, ensuring Forcepoint DLP logs conform to the standard naming convention used across normalized data sources. The existing mapping from destinationHosts to dstip_host remains available. These changes improve field consistency for correlation and reporting. Saved queries, dashboards, or detections that referenced the legacy field names now display values under the updated normalized fields. No configuration changes are required, and the new fields populate automatically when present in incoming CEF messages.

• DATA-2986: Corrected event category mapping in the Cynet 360 (CEF) parser. The msg_origin.category field now maps to endpoint instead of xdr to align with the standardized taxonomy used across Stellar Cyber parsers. This correction ensures consistent classification for filtering, dashboards, and correlation across endpoint and detection data sources. Saved searches, reports, or dashboards that reference msg_origin.category:xdr should be updated to use endpoint. Existing detections and automated workflows are unaffected.

• DATA-2966: Normalized vendor-derived identifiers in Common Event Format (CEF) parser output. The default values for msg_origin.source, msg_class, dev_type, and dev_class now apply stricter normalization rules derived from cef_device_vendor. Normalization allows only lowercase letters, digits, and underscores, removes invalid characters, and prefixes values beginning with a digit with cef. These changes ensure consistent and valid field naming across correlated data and prevent ingestion errors. Saved filters, queries, or dashboards that reference vendor-derived field values containing invalid characters may display updated normalized values.

Deprecated Features

The following feature is planned for deprecation in a future version.

Upcoming Deprecation: Netskope Connector (API V1) – The Netskope connector supports API V1 and V2, but Netskope has deprecated API V1 so Stellar Cyber will retire the V1 API in a future release. Begin planning to migrate to the V2 API.

Detection/ML

New Features

• AELDEV-61608: Added alert integration for SonicWall Endpoint Security.

  Added alert integration for SonicWall Endpoint Security alerts. See Integration of Third Party Native Alerts.

• AELDEV-58576: Added alert integration for Cyble.

  Added alert integration for Cyble alerts. The following alert types are supported: leaked_credentials, stealer_logs, darkweb_data_breaches, darkweb_marketplaces, suspicious_domains, vulnerability, new_vulnerability ip_risk_score, and ssl_expiry. See Integration of Third Party Native Alerts.

• AELDEV-58171: Introduced an API endpoint for link safety verification.

  Introduced an API endpoint (GET /verify) in the stellar-indicator-verify service for link safety verification. The endpoint evaluates Indicators of Compromise (IoCs) such as URLs or domains and returns results that include is_safe and related IoC details when a link is unsafe. The service aggregates threat intelligence from multiple sources and supports future expansion without schema changes, providing a consistent way to validate link safety through the API.

• AELDEV-58034: Added alert integration for SentinelOne Singularity Identity.

  Added alert integration for SentinelOne Singularity Identity unified alerts. See Integration of Third Party Native Alerts.

• AELDEV-56598: Added Sigma rules for Active Directory attack patterns.

  Added Sigma rules for Active Directory attack patterns to identify advanced threats such as Golden SAML, Skeleton Key, and suspected SID-History injection.These include a new certutil.exe Certificate Extraction alert type and additional rules for Suspicious Process Creation Commandline and Sensitive Windows Active Directory Attribute Modification alert types. An existing Suspicious PowerShell Script rule, powershell_scriptblock_126, was also updated. See Rule-Based Alert Types.

• AELDEV-54976: Added alert integration for Hoxhunt.

  Added alert integration for Hoxhunt threat events. See Integration of Third Party Native Alerts.

• AELDEV-54021: Added alert integration for WithSecure Elements.

  Added alert integration for WithSecure Elements detections. See Integration of Third Party Native Alerts.

• AELDEV-53159: Added alert integration for SOCRadar.

  Added alert integration for SOCRadar incidents. See Integration of Third Party Native Alerts.

• AELDEV-33299: Added alert integration for Duo Security.

  Added alert integration for Duo Security's Trust Monitor events. See Integration of Third Party Native Alerts.

Improvements

• AELDEV-61942: Display all user accounts in Golden Certificate alerts.

  Updated Golden Certificate alerts to display all user accounts involved in suspicious Kerberos authentication events, instead of only one, to provide a complete view of affected users during investigations.

• AELDEV-61553: Expanded login-related detections to include VPN events.

  Updated the login-related detections to include Virtual Private Network (VPN) login events, specifically for the User Login Location Anomaly, Impossible Travel Anomaly, and Login Time Anomaly alert types.

• AELDEV-61488: Introduced evidence tracking for detections suppressed by silent mode.

  Implemented evidence storage for detections suppressed by silent mode across Stellar Cyber AI (SCAI) Machine Learning, SCAI Rule Engine, and Alert Integration. When a detection is suppressed, the corresponding signal includes the stellar.suppressed_reason field set to SILENT_MODE. This enhancement preserves visibility into detections that were triggered but silenced, allowing you to investigate them through the Threat Hunting view by filtering on stellar.suppressed_reason:SILENT_MODE. Guardrails control evidence volume to prevent ingestion spikes from high-frequency detections, ensuring efficient indexing and consistent system performance.

• AELDEV-61031: Improved Fortinet log normalization for failed-login detection.

  Enhanced normalization for Fortinet SSL VPN and administrative login events to populate the login_result field consistently. Stellar Cyber now maps success and failure outcomes from vendor fields such as status, logdesc, and action, enabling reliable failed-login detection across Fortinet log formats. You can query login_result: fail with username and source context from srcip or remote_ip to identify failed logins or unknown-user attempts. This improvement standardizes Fortinet authentication data for use in rule-based detections and correlation.

• AELDEV-60643: Enhanced severity mapping in the Bitdefender (Syslog JSON) parser.

  Enhanced severity derivation for Bitdefender (Syslog JSON) events to ensure consistent normalization when no native severity is provided. Stellar Cyber now derives severity from the event category, detection, and action fields using a prioritized fallback sequence. This improvement provides more reliable severity classification for correlation, dashboards, and reporting.

• AELDEV-59017: Prioritized user-based correlation for Microsoft identity alerts and normalized email addresses.

  Prioritized correlation by user identity for alerts with msg_class values office365_audit_azureactivedirectory and azure_ad_risk_detection for consistent case grouping. Correlation continues to evaluate the same user identifiers, including email address and user ID, but now normalizes email addresses to lowercase for consistent matching across data sources. When a user node already appears in a graph and the related host node has no incoming edges, the user node connects to the host even if the event is not User Behavior Analytics (UBA). By default, user nodes are not displayed in graphs; they appear only when required for correlation. These changes apply only to newly ingested alerts.

• AELDEV-57657: Improved destination IP aggregation for OCI SSH scanner alerts.

  Improved destination IP aggregation for Oracle Cloud Infrastructure (OCI) Secure Shell (SSH) scanner alerts. When multiple private destinations receive rejected SSH traffic from the same source, the alert now lists all unique destination IP addresses in a single view. This improvement helps you identify the full scope of targeted destinations without navigating between separate alerts. No configuration change is required.

• AELDEV-55998: User Login Location and Impossible Travel alert types using ASNs and user agents.

  Enhanced User Login Location Anomaly and Impossible Travel Anomaly to use Autonomous System Number (ASN) and user agents. To improve triage of location-based alerts, Stellar Cyber will begin collecting user history for ASN, ASN org, and user agents (if available from Microsoft 365), and then use this history to enrich alerts.

• AELDEV-55990: Adjusted ESET alert severity scoring.

  Adjusted ESET alert severity scoring to account for remediation status. When a threat is successfully handled, the alert severity is automatically reduced, helping you focus attention on unresolved or active threats without additional configuration.

• AELDEV-53909: Prioritized Sysmon Event ID 1 over Event ID 4688 for Suspicious Windows Process Creation alerts.

  Prioritized System Monitor (Sysmon) Event ID 1 when both Sysmon Event ID 1 and Windows Security event ID 4688 are detected in a Suspicious Windows Process Creation alert. This update ensures that alert details display richer Sysmon data, such as file hash and process path, letting you analyze process creation events with more complete forensic context. If Sysmon Event ID 1 is unavailable, Event ID 4688 continues to populate alert details.

Stellar Cyber Platform

New Features

• AELDEV-57780, AELDEV-57624: Added support for defining a range of values in query conditions.

  Added support for defining value ranges in rule conditions, letting you define both minimum and maximum limits of a range. This enhancement improves precision when building queries for detections, dashboards, and analytics.

Improvements

• AELDEV-64265: Fixed inaccurate heartbeat security detection counts.

  Fixed inaccuracies in heartbeat security detection reporting to ensure consistent per-tenant metrics. Aggregation now correctly captures all detection types, and retries no longer produce inconsistent totals. This improvement provides more reliable visibility into detection volume and trend changes by tenant.

• AELDEV-55420: Enforced the automatic deletion of tenant-associated sensors on tenant removal.

  Implemented the automatic removal of sensors when a tenant is removed from Stellar Cyber. Previously, sensors that later reconnected using the deleted tenant identifier (for example, cust_id) were set to root tenant. From this release, they will be rejected and deleted at connection. To retain a sensor, re-enroll it under another tenant before deletion or re-register it after removing the original tenant.

• AELDEV-55207: Expanded the tenant name field to 256 characters.

  Expanded the tenant name field to support names up to 256 characters and full UTF-8 encoding across Stellar Cyber. The update ensures that long or non-ASCII tenant names display and function correctly in both the API and user interface. In mixed-version environments, components on older releases might reject or truncate values longer than 50 characters, so align names to the lowest supported limit in these cases.

Sensors

New Features

• AELDEV-61968: Introduced parsing for Netskope user and site identifiers in GENEVE tunnels.

  Introduced parsing of the Netskope-defined GENEVE options that carry per-packet user or site identifiers. The Modular Sensor now extracts the USER_ID or SITE_ID TLV added by the Netskope Cloud TAP stitcher from the outer GENEVE header and associates each identifier with its corresponding flow inside the tunnel. Because parsing occurs at the packet level, multiple users sharing the same tunnel are correctly recognized. Normalization maps the Netskope user identifier to srcip_username and the Netskope site identifier to srcip_siteid. No UI configuration is required, as the option identifier is fixed. Traffic from Netskope Cloud TAP is automatically parsed, and normalized fields are forwarded to the Data Processor for correlation and analytics.

Improvements

• AELDEV-61369: Introduced a CLI command to reapply custom parsers for the Sensor log forwarder.

  Introduced a new set logforwarder apply-custom-parser CLI command that forces the Sensor log forwarder to redownload and apply custom parsers. The enhancement lets you refresh parser and configuration files without manual intervention, ensuring that updated or corrected parsers are immediately applied. If no custom parser exists or a parser is invalid, the command reports the condition and skips changes. This capability helps maintain parser consistency across tenants and is supported on sensors in both SaaS and on-premises deployments.

• AELDEV-58444: Added SSL connectivity status to the show receiver debug command in the Sensor CLI.

  Added SSL connectivity status to the show receiver debug command in the Sensor CLI. Run show receiver for a quick status check, or show receiver debug to view certificate details and identify SSL inspection or certificate mismatches.

• AELDEV-57663: Added list of available Sensor CLI commands to the local CLI.

  Added a help command to the local CLI to display all available commands for a sensor. In a local CLI session, run help to view the complete command list, or help <command> to see syntax and parameters. The output reflects commands currently supported by the connected sensor, including module-specific commands when available. The help all option is supported in direct CLI sessions but not in remote CLI sessions.

  This feature complements the existing CLI support for the ? and help suffixes when used with a top-level show, set, unset, copy, or exec command (for example, set ? or set help). These techniques are available in a remote CLI session.

• AELDEV-56974: Introduced configuration change logging in a dedicated log for settings received from Configuration Manager.

  Introduced configuration change logging for device configurations received from Configuration Manager. During initialization, each sensor writes a baseline configuration snapshot to config_change.log. Subsequent updates record ADDED, DELETED, and MODIFIED entries with paths and values, including previous and new values. Logs reside at /var/log/aella/config_change.log on Linux and C:\ProgramData\StellarCyber\Windows Agent Sensor\log\config_change.log on Windows. The file is included in phonehome logs for remote diagnostics. If Filebeat is enabled, modified Filebeat settings also appear in configuration_conf.log.

• AELDEV-55789: Added timestamped logging for CLI commands that execute actions.

  Added timestamped logging for CLI commands that execute actions rather than displaying information. Each log entry records the executed command and parameters in JSON format with a timestamp, letting you review administrative activity for auditing and troubleshooting. Logs can be viewed through the CLI with the show history command or accessed in the aella_cli_set.log file for offline analysis.

• AELDEV-55739: Added Windows Server Sensor support for Microsoft Windows Server 2025.

  Added support for deploying the Windows Server Sensor on Microsoft Windows Server 2025. The enhancement extends compatibility for event collection from Windows Event Log and File Integrity Monitoring (FIM), letting you maintain continuous monitoring and detection coverage when upgrading to the 2025 operating system. All existing detection and correlation rules apply without reconfiguration.

• AELDEV-49775: Added Oracle Linux 9 support to the Linux Server Sensor.

  Added compatibility with Oracle Linux 9.x to the Linux Server Sensor using the standard installation procedure. You can deploy a 6.3.0 Linux Server Sensor on hosts that report Oracle Linux 9.x in /etc/os-release with no installer edits required.

Connectors

New Features

• AELDEV-61070: Introduced the Wiz connector.

  Added the Wiz connector to ingest Issues and Vulnerabilities through the Wiz API. See Configuring Wiz Connectors.

• AELDEV-60305: Introduced the SonicWall Endpoint Security connector.

  Added the SonicWall Endpoint Security connector to ingest Alerts and Endpoints through the SonicWall 3rd Party API. See Configuring SonicWall Endpoint Security Connectors.

• AELDEV-59374: Introduced the Halcyon connector.

  Added the Halcyon connector to ingest Alerts and Events through the Halcyon API. See Configuring Halcyon Connectors.

• AELDEV-58704: Introduced the iManage Threat Manager connector.

  Added the iManage Threat Manager connector to ingest Behavioral Analytics Alerts and Detect and Protect Alerts through the iManage Threat Manager API. See Configuring iManage Threat Manager Connectors.

• AELDEV-58698: Introduced the Memcyco connector.

  Added the Memcyco connector to ingest Admin Activities, Devices, and Events through the Memcyco API. See Configuring Memcyco Connectors.

• AELDEV-41995: Introduced the ConnectSecure V4 connector.

  Added the ConnectSecure V4 connector to support the V4 CyberCNS API. The new connector also reflects the ConnectSecure name. The existing CyberCNS connector (see Configuring CyberCNS Connectors) remains the same. The ConnectSecure V4 connector ingests Asset, Remediation Plan, and Vulnerability Suppression data. See Configuring ConnectSecure V4 Connectors.

Improvements

• AELDEV-63506: Fixed an issue in the CODA Footprint connector that occurred when processing records without the last-seen timestamp.

  Fixed an issue in the CODA Footprint connector that caused crashes when API responses omitted the lastSeen timestamp field. The connector now handles records that lack timestamp data without interruption. No configuration changes are required.

• AELDEV-61348: Added new content types to the Trend Micro Cloud App Security connector.

  Updated the Trend Micro Cloud App Security connector add content types for Exchange, OneDrive, and Teams. See Configuring Trend Micro Cloud App Security Connectors.

• AELDEV-60191: Added a response action configuration schema for the Palo Alto Networks CORTEX XDR connector.

  Added a response action configuration schema for the Palo Alto Networks CORTEX XDR connector for Automated Threat Hunting (ATH).

• AELDEV-60188: Added Microsoft Entra ID response actions to UI.

  Added the UI elements for Microsoft Entra ID response actions: Revoke Existing Sign-In Sessions and Remove User from Group. These actions can be manually triggered or run through Automated Threat Hunting (ATH). See Configuring Microsoft Entra ID (formerly Azure Active Directory) Connectors.

• AELDEV-59981: Improved normalization for Microsoft Defender for Endpoint alerts.

  Improved normalization for Microsoft Defender for Endpoint alerts, msg_class: microsoft_defender_alerts.

• AELDEV-59870: Added a new content type to the Azure Event Hub connector.

  Updated the Azure Event Hub connector to add the Microsoft Graph Activity Log content type. See Configuring Azure Event Hub Connectors.

• AELDEV-59862: Added Base URL to the Cisco Meraki Firewall configuration.

  Added a configurable Base URL field to the configuration of the Cisco Meraki Firewall to specify regions. The default Base URL supports most regions such as US and Europe. For Canada, China, India, or US Government, you can enter different Base URLs. See Configuring Cisco Meraki Firewall Connectors.

• AELDEV-59685: Added Last Updated Comment field to InSyncs ServiceNow.

  Updated the Field Mapping tables for alerts and cases to add the Last Updated Comment field to InSyncs ServiceNow. See Using InSyncs.

• AELDEV-55063: Added support for Service Principal Sign-in Logs in the Microsoft Entra ID connector.

  Updated the Microsoft Entra ID connector to add the Service Principal Sign-in Logs content type. See Configuring Microsoft Entra ID (formerly Azure Active Directory) Connectors.

Parsers

New Features

• DATA-3096: Introduced a parser for ingesting ManageEngine PAM360 logs.

  Added a built-in parser for ingesting ManageEngine PAM360 logs in RFC 3164 syslog format on port 6062. Parsed events populate standard fields such as event_type, action, user, resource, result, src_ip, and dst_ip to enable search, correlation, and reporting. This parser improves visibility into privileged-access activity, enabling accurate correlation and reporting for PAM360 security events.

• DATA-3095: Introduced a parser for ingesting NetScout Omnis Cyber Intelligence logs.

  Added a built-in parser for ingesting NetScout Omnis Cyber Intelligence logs in CEF on port 6063. The parser supports NetScout-specific variations of CEF messages, including those that deviate from standard formatting, to ensure accurate field extraction. Parsed fields include event, network, and MITRE ATT&CK attributes such as technique, tactic, device, and initiator or responder details. This parser improves detection context and enriches network threat visibility for NetScout Omnis data.

• DATA-3092: Introduced a parser for ingesting SonicWall NSa logs.

  Added a built-in parser for ingesting SonicWall NSa logs in Common Event Format (CEF) on port 6064. The parser accounts for SonicWall-specific formatting variations, such as unescaped equal signs in request values, to prevent key-value parsing errors and ensure complete field extraction. This parser improves normalization accuracy and reliability for SonicWall NSa firewall telemetry.

• DATA-3091: Introduced a parser for ingesting Akamai WAF logs.

  Added a built-in parser for ingesting Akamai Web Application Firewall (WAF) logs in Common Event Format (CEF) on port 6060. The parser extracts traffic-related fields, including source and destination information, action, and severity, to improve normalization and visibility into web traffic security events. This parser enhances correlation and detection for application-layer threats originating from Akamai WAF sources.

• DATA-3085: Introduced a parser for ingesting KVH CommBox Edge Gateway logs.

  Added a built-in parser for ingesting KVH CommBox Edge Gateway logs in key-value pair (KVP) format on port 6059. The parser normalizes gateway telemetry fields to support accurate investigation and correlation of network data. This parser enhances visibility into satellite and maritime network traffic managed by KVH CommBox Edge Gateway systems.

• DATA-3080: Introduced a parser for ingesting PCI MVApp logs.

  Added a built-in parser for ingesting PCI MVApp (Postal Center International Mail Verification Application) logs in RFC 5424 syslog format on port 6061. The parser extracts structured-data elements into standard key-value pairs and normalizes core fields for search and detection. It supports multiple structured-data sections within a single event to ensure complete field extraction. This parser improves normalization accuracy and visibility for Postal Center International MVApp system activity.

• DATA-3045: Introduced a parser for ingesting Hisun Global Core Banking logs.

  Added a built-in parser for ingesting Hisun Global Core Banking logs on port 6058. The parser supports financial transaction and audit events in product-specific message and JSON formats, including DCP_payment operations. It normalizes inconsistent field names and handles duplicate or nested data structures to ensure consistent field mapping. This parser improves the accuracy and reliability of transaction log ingestion from banking systems, enabling more complete visibility into core-banking activity.

• DATA-3002: Introduced a parser for ingesting Tenable AD logs.

  Added a built-in parser for ingesting Tenable AD logs in RFC 3164 format on port 5955. The parser converts visual indicators such as checkbox and list symbols to standardized boolean or empty values and parses complex fields like DangerousAceList as structured data. This parser improves the accuracy and readability of Active Directory audit data, ensuring consistent normalization for security analytics and reporting.

• DATA-2881: Introduced a parser for ingesting Trend Micro Deep Security logs.

  Added a built-in parser for ingesting Trend Micro Deep Security logs in Log Event Extended Format (LEEF) on port 5956. The parser supports both Deep Security Manager and Deep Security Agent and uses the product header to populate key attributes, including dev_type, dev_class, msg_origin.source, and msg_class. Event categories derive from defined event ID ranges for intrusion prevention, firewall, integrity monitoring, log inspection, anti-malware, web reputation, application control, and device control.

• DATA-2548, DATA-3018: Introduced a parser for ingesting Fortinet FortiGate Firewall (Windows Agent Filebeats) logs.

  Added a built-in parser for ingesting Fortinet FortiGate Firewall (Windows Agent Filebeats) logs in Beats format on ports 5957–6057. The parser extracts key firewall fields including logid, subtype, sessionid, policyid, and action, and maps them to standard attributes. The update also adds normalization for login events, extracting and standardizing fields such as user, src_ip, dst_ip, src_port, dst_port, result, event_type, and reason from authentication records. This parser improves processing efficiency and accuracy for FortiGate logs forwarded through Windows Filebeat agents, ensuring consistent field normalization and visibility in firewall traffic analysis.

Improvements

• DATA-3110: Improved field normalization in the Forcepoint Data Loss Prevention (CEF) parser.

  Updated field normalization in Forcepoint Data Loss Prevention (DLP) Common Event Format (CEF) parser. The parser maps duser to dstip_username and sourceHost to srcip_host so that they align with the normalized data model. The existing mapping from destinationHosts to dstip_host remains available. Queries, dashboards, and detection rules now use dstip_username and srcip_host in place of legacy field names. No configuration changes are required, and these fields populate automatically when present in incoming CEF messages.

• DATA-3097: Improved parsing for Infoblox Data Connector (CEF) logs.

  Enhanced the Infoblox Data Connector parser for CEF logs on ports 5143 and 5870. The update supports long extension keys and Infoblox-specific field names, improving KVP regex handling to correctly parse quoted values and escaped characters. These changes eliminate key-length errors that previously caused dropped fields. Parsed fields such as InfobloxAnCount, InfobloxB1Network, and InfobloxB1DHCPFingerprint now populate reliably for search and analytics. Existing syslog integrations require no configuration changes.

• DATA-3090, DATA-3089: Added CSV format support for Zscaler Internet Access Firewall and Web logs.

  Added support for ingesting Zscaler Internet Access (ZIA) Firewall and Web logs in CSV format. The ZIA Firewall parser accepts quoted, comma-delimited records with up to 39 fields, and the ZIA Web parser supports up to 34 fields. Field values map to standardized network, application, and policy attributes for analytics and correlation. Headerless records parse when the field order matches the ZIA CSV export. This enhancement expands log format coverage for ZIA data while maintaining compatibility with existing JSON ingestion.

• DATA-3086: Added normalization for Sophos firewall connection events.

  Added normalization for Sophos firewall logs so that the parser takes log entries where the msg_data.name field equals connevent and maps the associated string value into the normalized sophos.connevent field. This enables consistent representation of connection lifecycle values such as Start and End. These normalized values can be used in searches, correlation rules, and dashboards to analyze firewall session activity. No configuration changes are required.

• DATA-3074: Expanded field extraction in the Infoblox CEF parser.

  Enhanced the Infoblox Common Event Format (CEF) parser to extract additional fields from msg_data. The parser now parses and normalizes infobloxb1dnstags (event categories), dvchost (source hostname), infobloxb1policyname (policy name), infobloxb1threatindicator (indicator of compromise), and infobloxthreatlevel (threat severity). Parsed values populate the infoblox.* namespace, while dvchost remains available at the top level. The infobloxthreatlevel field parses as an integer (0–100) to support threshold-based detection and filtering. These improvements enhance search accuracy, correlation, and dashboard analytics for Infoblox events.

• DATA-3073: Improved the Fortinet FortiClient EMS Cloud log parser to support additional formats.

  Improved the parser for Fortinet FortiClient Endpoint Management Server (EMS) Cloud logs to support additional log formats. The parser now recognizes more message variants and timestamp patterns and maps fields to the standard schema for analytics and detection. No action is required for existing log sources.

• DATA-3047: Enhanced parsing for Ubiquiti UniFi Dream Machine Pro logs.

  Improved parsing for Ubiquiti UniFi Dream Machine Pro (UDM Pro) logs to support additional message types and Common Event Format (CEF) events. The update enables parsing of Netfilter entries even when IN or OUT fields are empty, with extraction of fields such as PROTO, SPT, DPT, UID, GID, and MARK. It also adds normalization for UniFi-specific CEF attributes including UNIFIclientIp, UNIFIclientMac, UNIFIwifiName, UNIFIlastConnectedToDeviceName, UNIFIwifiChannel, UNIFInetworkVlan, and UNIFIduration. These improvements ensure accurate field extraction and consistent correlation for both Netfilter and CEF-based events.

• DATA-3040: Standardized sequence field normalization across network and firewall parsers.

  Unified normalization of the seq (sequence) field across multiple parsers to ensure consistent event representation and prevent TCP misclassification in ICMP and vendor-specific logs. Sequence values now normalize to vendor-specific namespaces, as shown below:

  • Airgap Ransomware Kill Switch: airgap_ransomware_kill_switch.seq

  • Aviatrix Firewall: aviatrix_firewall.seq

  • Ericsson Cradlepoint Router: ericsson_cradlepoint_router.seq

  • Mako Firewall: mako_fw.seq

  • Netfilter: netfilter.seq

  • Ubiquiti: ubiquiti.seq

  • Ubiquiti USG: ubiquiti_usg.seq

  • VMware NSX Edge Firewall: vmware_nsx_edge_firewall.seq

  This update improves event consistency, parsing accuracy, and correlation reliability for ICMP and other non-TCP network activity across these devices.

• DATA-3029: Expanded normalization for Forcepoint DLP events.

  Expanded normalization in the Forcepoint Data Loss Prevention (DLP) Common Event Format (CEF) parser. The parser now maps fields such as sourceservicename, analyzedby, severitytype, productversion, maxmatches, and eventid to the forcepoint namespace, and promotes sourceip and destinationhosts to the top-level fields srcip and dstip_host. These improvements ensure consistent field naming and allow Forcepoint DLP data to be searched, visualized, and correlated alongside other security event types.

• DATA-2986: Corrected event category mapping in the Cynet 360 (CEF) parser.

  Corrected the msg_origin.category mapping in the Cynet 360 parser for Common Event Format (CEF). The parser assigns endpoint rather than xdr to align with the Stellar Cyber taxonomy and ensure consistent filtering, dashboards, and correlation. Saved searches, reports, dashboards, and custom content that reference msg_origin.category:xdr need to be updated to use endpoint. Existing detections remain unaffected.

• DATA-2966: Normalized vendor-derived identifiers in Common Event Format (CEF) parser output.

  Implemented strict normalization for vendor-derived identifiers generated by the CEF parser. Normalization now permits only lowercase letters, digits, and underscores, requiring a starting letter or underscore. Values beginning with a digit are prefixed with cef, and invalid characters such as periods are removed. This ensures valid field naming for msg_origin.source, msg_class, dev_type, and dev_class, preventing ingestion errors and maintaining consistent source naming across correlated data.

Usability

New Features

• AELDEV-57302: Added a Show All control in the Tasks widget.

  Added a Show All control to the Tasks widget that opens the Task Management page in list view. The control lets you view all tasks in one place, improving navigation efficiency when managing multiple tasks. You can also display the same page by selecting System | Task Management from the main menu.

• AELDEV-49273: Introduced an option to add IP addresses, file hashes, URLs, and domain names to watchlists from the Alert Details page.

  Introduced an Add to Watchlist option on the Alert Details page so you can add values to a watchlist without having to navigate away from Alert Details to the Watchlists page in the UI. Simply select Add to Watchlist for a value and choose an existing watchlist filtered by compatible type or create a new list. Supported inputs include IP addresses, file hashes (MD5, SHA-1, SHA-256), URLs, and domain names.

• AELDEV-36890: Added cross-instance exports and imports of saved queries.

  Introduced the ability to export and import saved queries in Query Builder for use across instances and tenants. The enhancement lets you export queries, including associated watchlists, as JSON files that can be imported into another Stellar Cyber instance or tenant. During import, you can choose how to handle matching watchlists by overwriting, merging, or retaining existing ones. This capability streamlines collaboration across environments and ensures consistency of queries without requiring manual recreation.

Improvements

• AELDEV-62269: Improved reliability and performance of CSV exports for reports and dashboards.

  Optimized CSV report exports to include only the fields required for each dataset. The improvement reduces memory usage and prevents export failures when processing large reports. Scheduled reports and exportable dashboards now complete more consistently, improving performance and reliability for CSV downloads and emailed report outputs.

• AELDEV-61668: Enabled user-scoped API token support for data retrieval API endpoints.

  Implemented user-scoped API token support for the /connect/api/data/{index}/_search and /connect/api/data/{index}/_count endpoints. User-scoped tokens enforce Role-Based Access Control and tenant scope to ensure that users can retrieve only data permitted by their assigned roles. Queries support time-range filters and Lucene syntax for flexible search. Access applies to indices such as traffic, assets, syslog, and alerts. Direct document reads via /connect/api/data/{index}/_doc remain restricted when using user-scoped tokens, while legacy API key methods continue to function for backward compatibility.

• AELDEV-60765: Improved report generation accuracy for time range handling.

  Enhanced report generation to use absolute timestamps for time range calculations, ensuring that retriggered reports reproduce the same dataset as the original run. When a report runs, Stellar Cyber now records both the selected relative range and the resolved absolute start and end times. Templates that specify relative ranges continue to convert automatically at generation time.

• AELDEV-59550, AELDEV-57666: Introduced a historical listing of previously run reports per-tenant with the option to rerun them.

  Added a historical listing of reports that lets you view details for each time a report was run, including configuration, start time, duration, status, request ID, and retention information. Report history tracks jobs per tenant, letting you view and rerun reports for individual tenants without regenerating all tenant reports. You can filter the history by report ID or status, view entries, and rerun selected reports. Failed reports now retry automatically after interruptions such as process restarts or memory errors, and queued jobs resume in order once earlier tasks finish. This enhancement lets you track past report activity and rerun reports directly from one place.

Early Access Program

If you're interested in testing out new features ahead of general availability, consider joining the Early Access Program (EAP) by contacting your Stellar Cyber Customer Success representative and telling them which EAP feature you want to test. Once you've agreed to the EAP terms and signed up, the EAP feature is unlocked for you.

The purpose of this program is to boost performance and reliability through real-world customer insights, giving you a hands-on role in shaping a Stellar Cyber feature. In return, you'll receive early access to upcoming releases and the chance to guide product development.

The following are the EAP features in this release:

XDR Connect Webhook Ingestion

This is a simple webhook framework that lets you post JSON data directly from any external system into Stellar Cyber, accelerating custom integrations and expanding your visibility across the entire security stack. The XDR Connector is in Public Preview in this release.

Operational Notes

There are no operational notes in this release.

Resolved Issues

• AELDEV-65612: Fixed the numeric threshold in the Condition Configuration section of an ATH playbook.

  Fixed the rejection of numeric values greater than 10 in the Comparison settings in the Condition Configuration section of a Automated Threat Hunting (ATH) playbook. The field now supports the full valid range of numeric thresholds, enabling more flexible condition logic in automation rules. Existing configurations were preserved and require no update.
• AELDEV-65320: Resolved inability to remove Saved query in Threat Hunting filters.

  Fixed removal of Saved query from Threat Hunting filters. Changing or deselecting the Saved query now updates the filter state immediately. Users can clear the applied Saved query without using Clear all. Navigate to Threat Hunting | Filters and adjust Saved query as needed; results refresh to reflect the current selection.

• AELDEV-65319: Fixed query testing and save behavior for specific filter conditions.

  Resolved an issue in Threat Hunting where certain filter conditions returned incorrect results when using the is, starts with, or ends with operators. The fix corrects how condition values are parsed so that query testing and the Save as function now preserve complete values and produce accurate results. Queries that were previously saved with truncated values should be reviewed and updated to restore the full conditions.

• AELDEV-65293: Corrected button text in confirmation dialog boxes for unsaved changes .

  Fixed an issue that caused incorrect button labels to appear in unsaved changes confirmation dialog boxes after performing other actions, such as tenant deletion. Each confirmation now displays the correct label for its context, ensuring that prompts for unsaved changes show accurate options and operate independently across pages.

• AELDEV-65160: Resolved upgrade failures on low-memory Modular Sensor nodes.

  Improved the upgrade process for Modular Sensors deployed on resource-constrained hosts. The upgrade now manages memory usage more efficiently and prevents Out-of-Memory (OOM) terminations during package installation. Sensors configured for log forwarding proceed without restarting packet inspection components, allowing upgrades to complete successfully on low-memory virtual machines. For environments with one vCPU or limited memory, Stellar Cyber recommends enabling only log forwarding before upgrade or allocating additional memory to avoid service disruption. The upgrade status and running services can be verified on the Sensor Details page. This improvement applies to current and future upgrades and does not change existing configuration defaults.
• AELDEV-65155: Improved the Alert Filters page responsiveness for large datasets.

  Added virtual scrolling for the Name column filter list to prevent rendering thousands of options in large environments. The Alert Filters page now responds promptly when listing, searching, and editing filters. No configuration changes are required. Performance scales with high filter counts and remains consistent during pagination and column filter interactions.

• AELDEV-64594: Fixed incorrect distance values in Login Location Anomaly alerts.

  Resolved an issue where some Login Location Anomaly alerts displayed a distance value of “–1” or referenced an invalid prior login location. The fix ensures that distance is calculated only when a valid previous login exists within the configured reset window. If no recent location is available, the login initializes a new baseline instead of generating an inaccurate alert. This change improves the accuracy of distance-based anomaly detection and reduces false positives for accounts with infrequent logins.

• AELDEV-64346: Added the per-organization retention of user records in the Activity Log.

  Added the per-organization storage for user records in the Activity Log (System | ORGANIZATION MANAGEMENT | Users | Activity Log). Stellar Cyber automatically retains the latest two million entries for each organization, pruning older records on a weekly schedule at 02:00 UTC on Sunday. In multi-tenant deployments,Stellar Cyber now isolates records by organization to avoid cross-tenant volume constraints..
• AELDEV-63841: Fixed asset counting in multi-tenant environments.

  Fixed underreporting of assets in multi-tenant inventories. Asset inventory now shows accurate totals per tenant and across tenants. Dashboards and reports reflect consistent counts, ensuring accurate visibility of asset distribution.

• AELDEV-63745: Fixed asset ID enrichment for alerts.

  Improved resilience of asset-to-alert synchronization for consistent enrichment and risk scoring. The enrichment pipeline now auto-recovers after cache disconnects and exposes a synchronization health check. Alerts populate asset_id when an IP address, MAC address, or hostname matches known assets, enabling accurate risk calculations.

• AELDEV-59772: Resolved an intermittent display failure on the Stellar Cyber API Reference page.

  Resolved an intermittent display failure that prevented the API documentation from loading correctly on the Stellar Cyber API Reference page (Help | API Docs), causing an Unable to render this definition message to appear. The API Reference page now loads consistently on first access.
• AELDEV-57408: Fixed an issue where ATH rules failed to generate alerts when conditions were met.

  Fixed an issue that prevented ATH rules from generating alerts when conditions were met, including when hit counts fell within specific ranges such as zero. The correction ensures alerts now trigger reliably according to configured thresholds.

Stellar Cyber Platform System Requirements

You must install the Stellar Cyber Platform in an environment that meets or exceeds minimum system requirements. Refer to the following sections for the minimum system requirements for different target environments:

• Amazon Web Services

• Google Cloud Platform

• Oracle Cloud Infrastructure

• Dedicated VMware ESXi (see below)

System Requirements for Cluster Installation in VMware ESXi

You can install the Stellar Cyber platform on a dedicated ESXi server running VMware ESXi 8.0, 7.0 or 6.7. The target ESXi server must have sufficient resources to support separate virtual machines for the Data Analyzer, Data Lake, and, if installing as an Integrated Data Processor, the Modular Sensor. The specifications in the table below are sufficient to support a Stellar Cyber deployment with up to 300GB of daily ingestion.

Keep in mind the following:

• Each VM (DA, DL, and MDS) must be thick-provisioned and requires 500 GB of SSD disk space.

• You can install all three of the VMs in the same datastore if there is sufficient space for both the VMs and the 12+ TB required for the Data Lake's ElasticSearch data. However, Stellar Cyber recommends that the Data Lake uses a dedicated datastore.

Stellar Cyber supports SSD disks for both the OS and Data Lake drives (SATA, SAS, or NVMe). HDD disks introduce latency and are not supported.

Scaling Up Performance with a DP Cluster

You can configure up to ten DP servers to operate in a cluster to achieve improved Stellar Cyber performance. Stellar Cyber cluster testing indicates the following performance guidelines when adding additional DPs to a cluster:

• With data replication disabled, the aggregated ingestion throughput grows linearly with the number of DP servers.

• With data replication enabled (the default), the aggregated ingestion throughput is about 30% lower than the throughput without data replication.