Stellar Cyber 6.5.0s Release Notes

Highlights

Early Access Program Features

• Stellar Cyber MCP Server: Added an MCP server to connect AI clients to the Stellar Cyber Platform through the Model Context Protocol (MCP) to retrieve case and alert data, review investigation context, perform tenant-aware operations, and update selected case fields.

• Parser Studio: Added Parser Studio to create and manage custom log parsers for data ingestion by cloning existing parsers, testing parser behavior before deployment, and activating parsers for production log ingestion.

Detections/Machine Learning

• Successful Login After Brute Force: Added a detection for successful login activity from a new or previously unseen IP address shortly after brute-force login attempts targeting the same user account from different IP addresses, helping identify distributed or rotating-IP brute-force attacks.

• Suspicious AWS Configuration: Added built-in detection coverage for AWS Config events so configuration changes and compliance evaluation events can generate alerts and correlate with other AWS telemetry.

• Location-Based Detection Fidelity Scoring: Improved fidelity scoring for location-based detections by refining how new location, ASN, and user agent changes affect alert accuracy, helping reduce false positives and improve triage for User Login Location Anomaly and Impossible Travel Anomaly.

System

• ATH Rules Import/Export: Added ATH rule import and export functionality so you can move rules between environments, include referenced queries and lookups, validate dependencies before import, and resolve naming conflicts with skip, overwrite, or rename options.

• Query Execution Management: Enhanced ATH playbook status views with a Last Scheduled Run section that shows the most recent scheduled run attempt, including details about the input status, condition status, and action status.

Usability

• Dashboard Landing Page: Added a dashboard landing page called Dashboard Hub to centralize access to existing dashboards and charts so you can browse, open, and edit them from one place based on your current permissions.

• Alert Filters for a Fixed Period of Time: Added expiration settings for alert filters so you can apply filter actions temporarily during maintenance windows, planned changes, or other short-term events and have them deactivate automatically when the specified time period ends.

Integrations

• New Integrations: Expanded third-party integration coverage across network security, cloud and SaaS security, cyber asset and exposure monitoring, and XDR response platforms to improve data ingestion, broaden security visibility, and support more coordinated detection and response workflows.

Actions Required

There are no actions required in this release.

Behavior Changes

Changes that affect the way users interact with the product or interpret results are listed below.

• AELDEV-67120: Updated the login flow to avoid revealing whether a user exists before authentication completes. Failed login attempts now return the same result whether the username, password, or both are incorrect. All login flows also display the Continue with SSO button, and the tenant-specific logo that previously appeared after a user entered an email address now only appears after login. These changes help prevent attackers from using the login flow to identify valid accounts.

• DATA-3291: Updated the Trend Micro Interscan Messaging parser to use port 5684 instead of port 5678. Deployments that previously sent logs to port 5678 must be updated to send traffic on port 5684, including any related firewall policy changes. Logs that continue to arrive on port 5678 will no longer be ingested by the Trend Micro Interscan Messaging parser.

Deprecated Features

• Office 365 Reporting Web Service connector – Microsoft deprecated the Reporting Web Service for message trace collection on April 8, 2026. Stellar Cyber provides the Microsoft Graph Message Trace connector as the replacement for message trace collection. Migrate existing Reporting Web Service configurations to the new connector.

• Netskope Connector (API V1) – API V1 support was removed from the Netskope connector. API V2 is now the default option.

Detection/ML

New Features

• AELDEV-66509: Added alert type for Successful Login After Brute Force.

  Added a new alert type for Successful Login After Brute Force. The alert type detects when a successful login occurred from a new IP address after the user's account experienced brute force activity. You can customize the thresholds for unique IP addresses and the length of recent history in the Detection Management System. See All Alert Types by Name and Using the Detection Management System.

• AELDEV-64779: Moved alert suppression settings in the Detection Management System.

  Moved Alert Suppression in the Detection Management System from a global setting to a profile-based setting. Different profiles can now have different alert suppression settings. See Using the Detection Management System.

• AELDEV-64159: Added Sigma rules for AWS Config events.

  Added Sigma rules for Amazon Web Services (AWS) Config log data. The rule-based alert types are: AWS Default VPC Configuration, AWS IAM Policy with Wildcard Privileges, AWS S3 Bucket Missing Server-Side Encryption, AWS EC2 Security Group Deleted, AWS High-Risk Ports Exposed to Internet, and AWS S3 Bucket Policy with Public Access. Rules default to Silent and require manual enablement. See Rule-Based Alert Types.

• AELDEV-63312: Added Check Point Harmony Email alert integration.

  Added Check Point Harmony Email third-party alert integration. The integration ingests Security Events. See Integration of Third Party Native Alerts.

• AELDEV-53689: Added Group-IB alert integration.

  Added Group-IB third-party alert integration. The integration ingests Alerts. See Integration of Third Party Native Alerts.

• AELDEV-38459: Added Darktrace alert integration.

  Added Darktrace third-party alert integration. The integration ingests CEF format logs. See Integration of Third Party Native Alerts.

• AELDEV-38445: Added ExtraHop Reveal(x) 360 alert integration.

  Added ExtraHop Reveal(x) 360 third-party alert integration. The integration ingests Detections. See Integration of Third Party Native Alerts.

• AELDEV-35521: Added FortiEDR alert integration.

  Added FortiEDR third-party alert integration. The integration ingests Events. See Integration of Third Party Native Alerts.

Improvements

• AELDEV-68034: Improved SentinelOne threat event deduplication by using the alert creation time.

  Improved SentinelOne threat event deduplication by using the alert creation time (createdAt) instead of the identification time (identifiedAt). Late-reported threats from endpoints that were offline at detection time now generate alerts instead of being treated as duplicates.

• AELDEV-65821: Improved firewall and WAF detection to normalize policy rule action values.

  Improved firewall and WAF detections to treat both block and blocked as equivalent policy rule action values. Detection rules now fire consistently across vendors that use either value, which reduces missed alerts caused by variations in logged action text.

• AELDEV-65757: Improved correlation when the same user is identified in different fields.

  Improved correlation when the same user appears in different fields across source data. Correlation views now identify that user consistently during case graph construction and related analysis, which reduces duplicate user entities and improves accuracy in case details, detections, timelines, and pivots.

• AELDEV-65755: Added automatic case score updates when alert filters change alert scores.

  Added automatic case score updates when an alert filter changes an alert score. Open cases now recalculate their scores to reflect the updated alert scores, and new cases use the adjusted alert scores when they are created.

• AELDEV-65754: Extended process-creation detections to include Windows event 4688.

  Extended existing Windows process-creation detections to consume event ID 4688 in addition to Sysmon event ID 1. This lets process-creation detections continue to work on hosts where Sysmon is not deployed, which reduces coverage gaps by using native Windows Security logs as an additional source.

• AELDEV-64761: Improved case score calculation and graph-building performance.

  Improved case performance by skipping redundant score and graph recomputation when pre-populated values remain valid across versions. Case views load faster and large case updates consume fewer resources, with no configuration changes required.

• AELDEV-64414: Added configurable suppression of platform alert creation for Microsoft Defender ATP alerts based on third-party status.

  Enhanced the Microsoft Defender ATP alert integration to suppress the creation of Stellar Cyber alerts for Microsoft Defender alerts already in a Resolved status. This reduces alert noise and avoids duplicate cases from third-party resolved incidents. Suppression applies only to new incoming events; existing alerts are not modified.

• AELDEV-63693: Improved User Login Location Anomaly fidelity scoring with ASN and user-agent signals.

  Improved the User Login Location Anomaly detection fidelity score by incorporating Autonomous System Number (ASN) and user-agent signals in addition to geo-IP data. Scores reflect a wider range of triage context, producing fewer false positives on benign traveler or VPN logins.

Stellar Cyber Platform

New Features

• AELDEV-67615: Improved configuration synchronization from the Stellar Cyber Platform to sensors in SaaS deployments.

  Improved configuration synchronization from the Stellar Cyber Platform to sensors in SaaS deployments. Configuration changes are now delivered more efficiently while still reaching sensors within the normal update window, reducing overhead in larger environments.

• AELDEV-66369: Added metrics and error reporting for the Snowflake data sink.

  Added visibility into Snowflake data sink performance and errors in the Snowflake data sink details view. You can navigate to the System | DATA MANAGEMENT | Data Sinks page and select the entry for a Snowflake data sink to monitor throughput, success and failure counts, export latency, queue depth, and reported errors for the sink, making it easier to identify export issues and troubleshoot failed data transfers.

• AELDEV-66233: Added alerts when detections from a data source are delayed.

  Added support for alert rules that notify you when detections from a specific data source are delayed. You can now be alerted when suspicious activity identified from ingested events takes longer than expected to appear as a detection, such as when the delay exceeds one day. This helps you identify ingestion or detection pipeline issues sooner.

• AELDEV-64816: Added alerts for decreases in licensed device and user counts in the System Action Center.

  Added a System Action Center alert policy that detects unexpected drops in licensed device and user counts for selected metrics and tenants. You can now configure a Licensing Asset Drop policy, choose the metric and tenants to monitor, set the drop threshold and evaluation interval, and receive email and in-product notifications when a drop occurs. This helps you identify licensing, reporting, or data collection issues sooner and review the resulting alert records for faster investigation.

• AELDEV-64778: Added indexing status to alert details for Automated Threat Hunting alerts.

  Added alert record indexing status to alert details for Automated Threat Hunting alerts. You can now see whether an alert was successfully indexed or if indexing failed, making it it easier to track alert processing and troubleshoot issues.

Improvements

• AELDEV-65662: Improved correlation rule reliability for Automated Threat Hunting.

  Improved correlation rule evaluation in Automated Threat Hunting so rules can complete more reliably when processing large result sets and complex chained queries. Long-running rules are now less likely to stop before finishing in high-volume environments or with longer lookback windows, which helps reduce missed matches.

• AELDEV-40606: Added support for alert filters that expire automatically.

  Added support for configuring alert filters to remain active only for a specified period of time. You can now set an expiration for an alert filter so it applies during a maintenance window, planned change, incident mitigation period, or other temporary need, and then deactivates automatically. This helps you avoid leaving temporary alert filter changes in place longer than intended.

Sensors

New Features

• AELDEV-68440:Validated and documented steps to use Modular Sensor with Azure VTAP

  Created a comprehensive Knowledge Base article detailing the step-by-step procedure for configuring Azure Virtual Network TAP to mirror network traffic to Stellar Cyber Modular Sensors, either with or without a load balancer.

• AELDEV-66767: Added SMB session IDs to deep packet inspection output.

  Added Server Message Block (SMB) session IDs (session_id) metadata to deep packet inspection output on the sensor. This update gives you more context for correlating related SMB activity within the same session across flows, improving investigations of file-sharing and lateral-movement events.

• AELDEV-63846: Added NFS file assembly for malware inspection.

  Added Network File System (NFS) file assembly on the sensor so files transferred over NFS can be reconstructed and forwarded to Sophos for malware inspection. This update supports NFSv3 and NFSv4 and lets you inspect files moving across NFS shares as part of your broader malware detection workflow.

Improvements

• AELDEV-69059: Defined the minimum Linux kernel version for large traffic filters.

  Defined Linux kernel 5.2 as the minimum version for Modular Sensor hosts that use large pre-DPI traffic filters for network traffic processing. Earlier kernels can fail to load complex filter expressions when the Modular Sensor switches from classic BPF to extended Berkeley Packet Filter (eBPF) processing, which can return an “Argument list too long” error. This requirement helps you avoid traffic filter load failures on Modular Sensors.

• AELDEV-68180: Added Linux Server Sensor support for Alma Linux 9 and Oracle Linux 7, 8, and 9.

  Added support for installing and upgrading the Linux Server Sensor on Alma Linux 9 and Oracle Linux 7, 8, and 9. You can use the standard installer and registration workflow to deploy the sensor on these Linux versions.

• AELDEV-67641: Added Linux Server Sensor support for SUSE Linux Enterprise Server 16.

  Added support for installing and running the Linux Server Sensor on SUSE Linux Enterprise Server 16. You can use the existing installer and registration procedure to deploy the sensor on this Linux version without additional configuration.

• AELDEV-67371:Added eBPF fallback for large packet filter expressions on Modular Sensors.

  Added automatic fallback to the extended Berkeley Packet Filter (eBPF) when the classic Berkeley Packet Filter (cBPF) cannot compile large packet filter expressions. These packet filters define which network traffic a Modular Sensor captures and processes. This update lets complex filter sets continue to load instead of preventing the sensor service from starting, which improves reliability in more complex deployments.

• AELDEV-67050: Added the ability to reset the UUID of Tenable Nessus scanners installed on Modular Sensors.

  Added the exec tenable reset uuid command to the Sensor CLI so you can regenerate the Tenable Nessus product UUID on the Modular Sensor. You can install a Tenable Nessus vulnerability scanner on a Modular Sensor and link it to your tenable.io account through the Modular Sensor profile to allow the tenable.io platform to initiate and monitor scans. This update helps prevent cloned Modular Sensor images from reusing the same UUID as the original sensor, reducing registration conflicts and simplifying redeployment from a golden image.

• AELDEV-65742: Improved sensor uninstallation status and error handling.

  Added a Deleting status for sensors pending uninstallation and updated the workflow to wait for the uninstall result before removing the sensor record. If an uninstallation fails, the sensor now remains visible with a message that says Sensor uninstallation failed plus options to Retry or Delete Anyway, allowing you to respond to failed uninstallation attempts.

Connectors

New Features

• AELDEV-68345: Introduced the Microsoft Graph Message Trace connector due to deprecation of Office 365 Reporting Web Service.

  Added the Microsoft Graph Message Trace connector to replace the Office 365 Reporting Web Service connector. The Microsoft Graph Message Trace connector integrates with the messageTraces API to query email flow data (Message Trace). The legacy Message Trace support using the Office 365 Reporting Web Service is deprecated by Microsoft.

  It is recommended that you migrate any existing Office 365 Reporting Web Service connectors in Stellar Cyber to Microsoft Graph Message Trace connectors. See Configuring Microsoft Graph Message Trace Connectors.

• AELDEV-65334: Introduced the NordStellar connector.

  Added the NordStellar connector to pull events for a specific project through the NordStellar Platform Integrations API. See Configuring NordStellar Connectors.

• AELDEV-63122: Introduced the Manage Engine Endpoint Central connector.

  Added the Manage Engine Endpoint Central connector to ingest Audit Logs through the Audit Logs API. See Configuring Manage Engine Endpoint Central Connectors.

• AELDEV-62839: Introduced the Firewalla Managed Security Portal connector.

  Added the Firewalla Managed Security Portal connector to ingest device and network flow data through the Firewalla API. See Configuring Firewalla Managed Security Portal Connectors.

Improvements

• AELDEV-66439: Improved Trend Micro Cloud App Security ingestion to populate observables with the filename.

  Improved Trend Micro Cloud App Security ingestion so file observables now show the file name instead of the full file path in graph and detection views. File paths are also normalized to include the full path and filename, which makes file-related alerts easier to review and search.

• AELDEV-66284: Enhanced the Generic S3 connector to support AWS Config (JSON).

  Added a new msg_class for AWS Config (JSON) to the Generic S3 connector to support AWS Config as a log source. See Configuring Generic S3 Connectors.

• AELDEV-65427: Removed the V1 API option from Netskope due to deprecation.

  Netskope deprecated the V1 API support. The Netskope connector configuration is updated to remove the V1 API option and select the V2 API option by default. See Configuring Netskope Connectors.

• AELDEV-64883: Added Oracle Cloud Infrastructure SIP record normalization.

  Added normalization for Session Initiation Protocol (SIP) records from Oracle Cloud Infrastructure (OCI) custom logs.

• AELDEV-64813: Enhanced the Netskope connector with responders that use webhook templates.

  Enhanced the Netskope connector with responders that use webhook templates that support actions. The webhook actions can be triggered manually or can enhance Automated Threat Hunting (ATH) actions. The actions are: Netskope Add Destination To Block List, Netskope Quarantine User From Private Application, Netskope Quarantine User From Web Application, Netskope Release Quarantine For User From Private Application, Netskope Release Quarantine For User From Web Application, and Netskope Remove Destination From Block List. See Configuring Netskope Connectors.

• AELDEV-64495: Added the Incident content type to the Netskope connector.

  Added the Incident content type to the Netskope connector to ingest incident records. The endpoint is /api/v2/events/datasearch/incident. See Configuring Netskope Connectors.

• AELDEV-64156: Enhanced the Trend Micro Vision One connector with responders that use webhook templates.

  Enhanced the Trend Micro Vision One connector with responders that use webhook templates that support actions. The webhook actions can be triggered manually or can enhance Automated Threat Hunting (ATH) actions. The actions are: Trend Vision One Add To Block List, Trend Vision One Isolate Endpoint, Trend Vision One Quarantine Email Message, Trend Vision One Remove From Block List, and Trend Vision One Restore Endpoint Connection. See Configuring Trend Micro Vision One Connectors.

• AELDEV-63690: Added normalization for the Mimecast recipient field.

  Added normalization for the Mimecast mimecast.recipient field alongside the existing mimecast.recipients field. Recipient data from Mimecast alerts populates the expected Stellar Cyber fields regardless of which field name the Mimecast tenant emits.

• AELDEV-61660: Improved normalization for Microsoft Defender for Endpoint.

  Improved IP normalization for Microsoft Defender for Endpoint logs in asset tracking.

• AELDEV-57413: Added multi-tenant management for generic webhook ingestion.

  Added multi-tenant management for generic webhook ingestion with tenant-specific webhook configuration, visibility, and access controls. This lets you manage webhooks separately for each tenant and reduces the risk of cross-tenant misconfiguration.

• AELDEV-56379: Added an optional timestamp to the XDR Connector.

  Added an optional timestamp to the XDR Connector configuration. If you specify an optional timestamp, the event timestamp is extracted and set using the Timestamp Path and Timestamp Format fields. If you do not specify an optional timestamp, the time event of ingestion is used as the event's timestamp. The Timestamp Path is a dot-notation path to the timestamp field in your JSON data. Several timestamp formats are supported including epoch time in seconds or milliseconds, ISO 8601, and Syslog. See Configuring XDR Connector.

• AELDEV-55710: Improved Generic S3 connector handling of missing objects.

  Improved the Generic S3 connector to remove an Amazon Simple Queue Service (SQS) message when the referenced Amazon Simple Storage Service (Amazon S3) object cannot be retrieved or another exception occurs. This prevents a single bad message from blocking subsequent ingestion and helps the connector continue processing normally.

• AELDEV-53408: Improved AWS GuardDuty connector testing for empty Findings.

  Improved the AWS GuardDuty connector test so an empty Findings response is treated as a successful connection instead of a failure. Accounts with no current Findings can now validate successfully, while authentication, permission, and parameter errors still return failure details.

• AELDEV-52318: Improved Active Directory connector testing.

  Improved the Active Directory connector testing. The test success criteria was revised for the connector when the Computers content type is selected. The connection test for the Active Directory (AD) connector was updated to validate multiple computer hostnames and report success when any hostname validates.

Parsers

New Features

• AELDEV-63567: Introduced a modular built-in parser for ingesting NetScout Omnis logs in Parser Studio.

  Early Access Program participation is required to use this parser with Parser Studio. Contact your Stellar Cyber representative for information.

  Added a modular built-in NetScout Omnis parser for Parser Studio. This parser handles priority-prefixed messages with Common Event Format (CEF) headers and extracts CEF header fields and extension key-value pairs. You can clone this parser and customize it in Parser Studio. Normalization closely matches the existing NetScout Omnis parser to preserve compatibility for detections and dashboards while providing the performance benefits of the modular parser framework.

• AELDEV-33182: Added Parser Studio for creating and managing custom parsers.

  Early Access Program participation is required to use Parser Studio. Contact your Stellar Cyber representative for information.

  Added Parser Studio as a management workspace for creating and managing custom parsers for data ingestion. With Parser Studio, you can view built-in and custom parsers, create new custom parsers by cloning modular built-in parsers (Fortinet Fortigate and NetScout Omnis in this release) and previously created custom parsers, test parser behavior before deployment, and activate parsers for production use.

• DATA-3380: Expanded field coverage for the Zscaler ZIA Firewall parser.

  Expanded the Zscaler Internet Access (ZIA) Firewall parser to support the 38-field CSV log format used by default in some Nanolog Streaming Service (NSS) server configurations. The parser now extracts and normalizes additional fields from this format, including user, network, session, byte-count, threat, and device metadata. This improvement lets you ingest and search these Zscaler ZIA Firewall logs without requiring an alternative export format when the 38-field layout is used.

• DATA-3363: Introduced a parser for ingesting Cato Networks Cato Security logs.

  Added a built-in parser for ingesting Cato Networks Cato Security logs in custom JSON format over HTTP POST on port 6094. This parser normalizes Cato security events received through a Splunk HEC-compatible log stream. It expands visibility into Cato-delivered security telemetry and improves correlation of cloud security events in Stellar Cyber.

• DATA-3358: Introduced a parser for ingesting Citrix ADC logs.

  Added a built-in parser for ingesting Citrix ADC (Application Delivery Controller) logs in RFC 5424 syslog format on port 6095. This parser extracts syslog header fields and Citrix ADC event data for administrative actions, VPN sessions, and network connection activity, providing information about users, IP addresses, ports, protocols, and traffic volume. This parser improves visibility into Citrix ADC administrative and VPN activity and supports more consistent traffic analysis and investigation.

• DATA-3349: Introduced a parser for ingesting Palo Alto Networks Prisma Access logs.

  Added a built-in parser for ingesting Palo Alto Networks Prisma Access logs in Log Event Extended Format (LEEF) on port 5522. This parser normalizes Prisma Access traffic and threat events, maps key network, user, file, email, and severity fields, and routes threat-category events to the IDPS/Malware Sandbox Events data domain while routing qualifying network events to Traffic. This parser improves visibility into Prisma Access activity and supports more accurate analysis of firewall traffic and threat detections.

• DATA-3325: Introduced a parser for ingesting WordPress logs.

  Added a built-in parser for ingesting WordPress logs in key-value pair format on port 6093 over UDP. This parser classifies WordPress web application events under the weblogs category. It improves visibility into WordPress web activity and supports broader analysis of web application security events.

• DATA-3318: Introduced a modular built-in parser for ingesting Fortinet Fortigate logs in Parser Studio.

  Early Access Program participation is required to use this parser with Parser Studio. Contact your Stellar Cyber representative for information.

  Added a modular built-in Fortinet Fortigate parser for Parser Studio on port 8517. his parser handles priority-prefixed messages with Common Event Format (CEF) headers, extracts CEF header fields and extension key-value pairs. You can clone this parser and customize it in Parser Studio. Normalization closely matches the existing Fortinet FortiGate parser to preserve compatibility for detections and dashboards while providing the performance benefits of the modular parser framework.

• DATA-3316: Introduced a parser for ingesting Salt Security logs.

  Added a built-in parser for ingesting Salt Security logs in RFC 5424 syslog and Common Event Format (CEF) on port 6088. This parser normalizes source and destination IP addresses into top-level network fields. It improves visibility into API security activity and enables more reliable correlation, search, and firewall response actions for Salt Security events.

• DATA-3314: Introduced a parser for ingesting DefensX logs.

  Added a built-in parser for ingesting DefensX logs in Common Event Format (CEF) on port 5143. This parser extracts DefensX event attributes from name and value pairs in the message data, including risk score, category key, source, request context, device identifier, and external device identifier, and maps them to searchable fields. This parser improves visibility into DefensX activity and supports more effective filtering, correlation, and investigation.

• DATA-3305: Introduced a parser for ingesting Fortra GoAnywhere MFT logs.

  Added a built-in parser for ingesting Fortra GoAnywhere MFT logs in vendor custom format with RFC 5424 syslog on port 6091. This parser classifies managed file transfer activity. It improves visibility into managed file transfer operations and supports analysis of file movement activity across the environment.

• DATA-3304: Introduced a parser for ingesting Zecurion - DLP (CEF) logs.

  Added a built-in parser for ingesting Zecurion - DLP (CEF) logs in Common Event Format (CEF) on port 5143. This parser captures additional Zecurion DLP extension fields and populates normalized event attributes for search, correlation, and reporting. This parser improves visibility into data loss prevention events and makes Zecurion DLP activity easier to analyze and report on.

• DATA-3303: Introduced a parser for ingesting OpenText - Open Enterprise Server logs.

  Added a built-in parser for ingesting OpenText -Open Enterprise Server logs in Common Event Format (CEF) on ports 5143 or 5870 over TCP. This parser normalizes file access activity from Open Enterprise Server, including user identity, file path, process, outcome, and connection information, to make these events easier to search and analyze. This parser improves visibility into file access operations and supports more effective investigation of file activity on OpenText - Open Enterprise Server systems.

• DATA-3300: Introduced a parser for ingesting ManageEngine OpManager Plus logs.

  Added a built-in parser for ingesting ManageEngine OpManager Plus logs in RFC 5424 syslog format on port 6090. This parser extracts ManageEngine OpManager Plus events and preserves unmapped message elements in searchable custom value fields for correlation and investigation. This parser improves visibility into infrastructure monitoring activity and makes OpManager Plus events more useful for search and analysis.

• DATA-3299: Introduced a parser for ingesting SoftEther VPN Server logs.

  Added a built-in parser for ingesting SoftEther VPN Server logs in SoftEther custom format on port 6089. This parser covers SECURITY_LOG and SERVER_LOG messages and normalizes authentication, connection, and management events into standard fields for correlation and detection. This parser improves visibility into VPN activity and supports more effective analysis of remote access and administrative events.

• DATA-3296: Introduced a parser for ingesting Devolutions Remote Desktop Manager logs.

  Added a built-in parser for ingesting Devolutions Remote Desktop Manager logs in vendor custom JSON format on port 6087. This parser normalizes remote session lifecycle data, including Remote Desktop Protocol and Secure Shell connections, credential viewing activity, usernames, remote hosts, machine names, connection types, and session identifiers into searchable attributes. This parser improves visibility into privileged remote access activity and strengthens investigation of administrative sessions and identity-based events.

• DATA-3295: Introduced a parser for ingesting Spica Access Control logs.

  Added a built-in parser for ingesting Spica Access Control logs in vendor custom format with JSON on port 6092. This parser extracts physical access control events, normalizes access results and user identity attributes, and classifies access-granted, access-denied, and badge-registration activity for consistent analysis. This parser improves visibility into physical access events and supports stronger correlation with identity, VPN, and directory activity.

• DATA-3293: Introduced a parser for ingesting IIJ SWG logs.

  Added a built-in parser for ingesting IIJ SWG (Internet Initiative Japan Secure Web Gateway) logs in Internet Initiative Japan custom format on port 6086. This parser extracts client address, timestamp with timezone offset, request method, protocol version, target host and port, response status, bytes sent and received, and request duration when present, with full support for CONNECT requests. This parser improves visibility into secure web gateway activity and supports more consistent analysis of proxy traffic.

Improvements

• AELDEV-67025: Improved parser configuration redeployment when tenant assignment changes.

  Improved parser configuration propagation so modular parser settings are automatically redeployed to the data sensor when the Configuration Manager reassigns the sensor to a different tenant. Parsing remains aligned with the new tenant context without requiring a manual sensor restart or user action.

• AELDEV-66370: Added support for mapping a single raw field to multiple Stellar Cyber schema fields.

  Added support in Parser Studio for mapping the value in a single raw field to multiple Stellar Cyber schema fields when you configure a custom parser. This improvement gives you more flexibility during normalization and reduces the need for workarounds when one parsed value needs to populate more than one top-level field.

• DATA-3357: Updated the Fortinet FortiAnalyzer parser to populate additional Fortinet virus and file fields.

  Updated the Fortinet FortiAnalyzer parser to normalize additional Fortinet antivirus and file-related fields, including virus, file hash, file name, destination user, and ICMP type fields. The update also corrected normalization of rcvddelta and sentdelta to inbytes_delta and outbytes_delta. This improvement expands FortiAnalyzer field coverage and keeps detections and investigations more consistent.

• DATA-3356: Expanded log format support for the BlueCoat Proxy SG parser.

  Enhanced the BlueCoat Proxy SG parser to support RFC 3164 syslog messages and additional message_id patterns for newer log content. This improvement expands log format coverage for BlueCoat Proxy SG events and improves parsing reliability for updated message variants.

• DATA-3347: Added JSON-format support to the Zscaler ZIA firewall parser.

  Added JSON-format support to the Zscaler Internet Access (ZIA) firewall parser on port 5549. The parser now auto-detects and processes both JSON and CSV firewall logs concurrently, including mixed-format streams. This improvement expands Zscaler ZIA firewall log format coverage and lets customers ingest JSON and CSV logs through the same listener.

• DATA-3336: Expanded field coverage for the F5 BIG-IP ASM parser.

  Expanded the F5 BIG-IP Application Security Manager (ASM) parser to capture additional Bot Defense-specific fields from F5 BIG-IP ASM events. The update adds support for fields such as bot name and related Bot Defense attributes. This improvement gives you better visibility into bot classifications and mitigation outcomes in F5 BIG-IP ASM events, making it easier to identify suspicious automated traffic and investigate how Bot Defense handled each request.

• DATA-3330: Added TCP multi-line support to the Fortinet FortiAnalyzer parser.

  Added TCP multi-line support to the Fortinet FortiAnalyzer parser on TCP port 5542. The parser now recognizes a leading priority marker followed by a key-value string as a new event and preserves event boundaries across TCP segments. This improvement expands FortiAnalyzer ingestion support for TCP forwarding and helps maintain reliable parsing when FortiAnalyzer logs are sent over TCP instead of UDP.

• DATA-3328: Extended the ESET parser to interpret the event timezone.

  Extended the ESET parser to derive event.timestamp from log.syslog.timestamp, honoring the Z designator and numeric offsets in the syslog header. The occured payload field no longer overrides event.timestamp when it omits a timezone, and its original string remains available for reference. This improvement prevents offset errors on sensors configured with non-UTC time zones and preserves more accurate event timing.

• DATA-3322: Extended the ThreatER Enforce parser for syslog timestamps without a timezone.

  Extended the ThreatER Enforce parser to normalize syslog timestamps that omit a timezone indicator. Parsing now accepts ISO 8601 timestamps with or without a trailing Z or numeric offset, and when no indicator is present, the parser assumes the sensor time zone. This improvement prevents future-dated events and preserves event ordering during ingestion.

• DATA-3317: Extended the BIG-IP i2600 parser to handle XML-formatted requests.

  Extended the F5 BIG-IP i2600 parser to parse XML-formatted payloads in f5-full_request in addition to JSON. The parser automatically detects JSON or XML and normalizes elements, attributes, and text into fields, with nested structures mapped to dotted field names and repeated elements represented as arrays. This improvement makes extracted request data available for queries, dashboards, and detection policies across both payload formats.

• DATA-3315: Improved the Fortinet Fortigate (CEF) parser to extract the username from IPSec VPN events.

  Improved the FortiGate CEF parser to expand extraction for event:vpn logs and populate additional Fortinet fields from msg_data, including the authenticated user, VPN tunnel name, tunnel type, tunnel identifier, tunnel IP address, assigned IP address, authentication group, alternate user value, and request cookies. This improvement expands field coverage for IPsec VPN tunnel events and makes user and tunnel details easier to search and analyze.

• DATA-3309: Improved parsing for Tait Communications RFSS Controller audit logs.

  Improved the Tait Communications Radio Frequency Subsystem (RFSS) Controller parser to handle audit syslog messages that append a dot-delimited port number to the source IP address. The parser now separates the source IP address and source port, and extracts fields such as username, authentication method, access level, and login result from TaitNet-audit login events. This improvement makes Tait RFSS Controller login activity easier to search and investigate, especially when reviewing how users authenticated and whether access attempts succeeded.

• DATA-3306: Extended FortiAnalyzer parsing for forwarded FortiMail, FortiGuard, and FortiWeb logs.

  Extended the FortiAnalyzer parser to extract additional fields from FortiMail, FortiGuard, and FortiWeb logs forwarded through syslog on port 5542. The parser now captures more values from msg_data and normalizes common attributes for search and correlation. This improvement makes forwarded Fortinet product logs more useful for investigation and helps preserve visibility when these events are sent through FortiAnalyzer instead of directly from the original device.

• DATA-3302: Improved FortiADC and FortiWeb parser field coverage.

  Improved the FortiADC parser to support whitespace-delimited key-value logs while continuing to support comma-delimited records. The update also expands extraction for device details, severity, virtual domain, service, source and destination addresses and ports, policy, action, and additional Web Application Firewall (WAF) request fields. This improvement increases FortiADC log coverage and makes FortiADC and WAF events easier to search and analyze.

• DATA-3301: Added RFC 5424 syslog header support for the Citrix NetScaler parser.

  Added RFC 5424 syslog header parsing to the Citrix NetScaler parser so SSL handshake events such as SSL_HANDSHAKE_SUCCESS can be parsed alongside previously supported formats. The update parses fields such as SPCBId, ClientIP, ClientPort, VserverServiceIP, VserverServicePort, ClientVersion, and CipherSuite. This improvement expands Citrix NetScaler log format coverage while preserving compatibility with existing sources.

• DATA-3291: Reassigned the Trend Micro Interscan Messaging parser to port 5684.

  Reassigned the Trend Micro Interscan Messaging parser to port 5684 and disabled ingestion on port 5678. Trend Micro events are now accepted only on port 5684, which prevents unrelated syslog traffic such as MikroTik logs from being misclassified as Trend Micro data. If your deployment previously sent Trend Micro logs to port 5678, update sender and firewall configurations to allow traffic on port 5684.

• DATA-3289: Expanded log format support for the Zscaler ZIA Web parser.

  Expanded the Zscaler Internet Access (ZIA) Web parser to support RFC 5424 syslog headers wrapped around vendor JSON payloads and the 34-field comma-separated values (CSV) export format. The update also corrected field extraction and key-to-value alignment so important ZIA web log attributes are mapped consistently to normalized fields. This improvement broadens ZIA Web log format coverage and makes parsed events more reliable for search and investigation.

• DATA-3283: Added source and destination IP address normalization for Sysmon Event ID 3.

  Added normalization for Microsoft Sysmon Event ID 3 network connection events to populate the normalized source and destination IP address fields from the raw event values. The update applies to events ingested through both the Windows Server Sensor and NXLog while preserving the original raw fields. This improvement makes endpoint network connection events easier to investigate with IP-based watchlists, subnet filters, and correlation.

• DATA-3282: Expanded log coverage for the Ubiquiti UDM Pro parser.

  Expanded the Ubiquiti UDM (UniFi Dream Machine) Pro parser to support intrusion detection and intrusion prevention logs from UniFi OS 5.0.12 and UniFi Network Application 10.1.85, including messages with or without a syslog timestamp and with bracketed zone tags. The update extracts additional network and interface fields and normalizes source and destination addresses, ports, and protocol values. This improvement expands coverage for newer Ubiquiti IDS and IPS log formats and makes these events more useful for search, dashboards, and detections.

• DATA-3281: Expanded the ESET parser to handle recent heartbeat and status messages.

  Expanded the ESET PROTECT parser to support additional non-JSON message formats, including RFC 5424 heartbeat events. The parser now extracts standard syslog headers and ESET event content while continuing to support existing JSON-based events. This improvement prevents parse errors on newer ESET heartbeat and status messages and preserves consistent ingestion across supported formats.

• DATA-3276: Broadened field coverage for the Trend Micro Deep Discovery Email Inspector CEF parser.

  Broadened the Trend Micro Deep Discovery Email Inspector Common Event Format (CEF) parser to extract additional email and threat-related fields, including device MAC address, message UUID, recipient email address, message ID, latest status, translated device address, rule criteria, rule name, threat type, file type, file size, and message size. This improvement increases visibility into email inspection activity and makes these events more useful for search, dashboards, and detections.

• DATA-3258: Added normalization for the CrowdStrike (CEF) alert integration.

  Added normalization and enrichment for the CrowdStrike Common Event Format (CEF) parser in Alert Integration. Events now map process, file, host, user, and network attributes to Stellar Cyber canonical fields for consistent correlation and analytics. This improvement makes CrowdStrike alerts more useful in correlation, analytics, and case workflows without requiring configuration changes.

• DATA-3225: Expanded structured field extraction for the Fortinet FortiEDR parser.

  Expanded the Fortinet FortiEDR parser to extract structured fields from supported audit log patterns instead of leaving key details only in the Fortinet description field. The update adds parsing for events such as login, logout, failed login, two-factor authentication, classification changes, exceptions, archived events, resolved applications, and events marked as read. This improvement makes FortiEDR audit events easier to filter, sort, dashboard, and automate.

• DATA-3041: Added parsing for the Deciso OPNsense filterlog parser.

  Added parsing for Deciso OPNsense filterlog messages. The parser extracts source and destination addresses and ports, protocol, action, interface, rule number, tracker, and related protocol attributes, and classifies the events as firewall activity. This improvement makes OPNsense filterlog events available for firewall analytics, detections, and investigation.

Usability

New Features

• AELDEV-67008: Added a Cortex XDR endpoint isolation action in Cases.

  Added a Palo Alto Networks Cortex XDR endpoint isolation action to the Response tab in Cases. This lets you isolate an endpoint directly from a case so you can take containment action faster without leaving your investigation workflow.

• AELDEV-66793: Added the ability to import and export ATH playbooks.

  Added options to import and export Automated Threat Hunting (ATH) playbooks so you can move them between environments more easily. This helps you reuse playbooks across deployments, simplify backup and migration workflows, and bring related components into the target environment with less manual rework.

• AELDEV-66353: Extended the System Action Center public API with tenant exclusions.

  Added support for tenant exclusions in the System Action Center public API so you can define monitoring rules more precisely through automation. This helps you apply rules across broad environments while excluding specific tenants that should not be included.

• AELDEV-65817: Expanded the System Action Center public API with full rule management support.

  Expanded the System Action Center public API to support the full lifecycle of monitoring rules. You can now create, view, update, and delete supported rules programmatically, which makes it easier to automate rule management and keep configurations consistent across environments.

• AELDEV-65541: Added a Sensor Profile option to retain raw Windows Event Log messages.

  Added a Sensor Profile option to retain the original Windows Event Log message with ingested events. This helps you preserve the raw event content for investigations, validation, and other workflows that require the original log text.

• AELDEV-64392: Added Early Access support for the Stellar Cyber MCP Server.

  Added Early Access support for the Stellar Cyber Model Context Protocol (MCP) Server so you can connect an AI client to the Stellar Cyber Platform and work with security operations data through an MCP-compatible interface. In this release, the MCP server lets you retrieve case and alert data, review investigation context, perform tenant-aware operations, and update selected case fields.

  Early Access Program participation is required to use the Stellar Cyber MCP Server. Contact your Stellar Cyber representative for information.

• AELDEV-64220: Added the ability to insert watchlist entries from Key Fields in Alert Details.

  Added an Add to Watchlist option in the Key Fields section of Alert Details for IP addresses, file hashes, URLs, and domains. You can append values to an existing watchlist or create a new one without leaving the investigation workflow.

• AELDEV-63296: Added API token management to the User Profile panel.

  Added API token generation and management controls to the User Profile panel for users with API access. Display the User Profile panel by selecting your user icon in the upper right of the UI and then selecting Profile. This lets you generate a token directly from your own profile, making API access easier to manage without switching to User Management.

• AELDEV-61809: Added the Dashboard Hub as a central landing page for dashboards.

  Added the Dashboard Hub as a central place to browse, open, and manage dashboards and charts. This helps you find dashboard content more easily and work from a single starting point instead of navigating through separate dashboard views.

• AELDEV-60428: Added quick filters to the Sensor Management page.

  Added quick filters to the Sensor Management page so you can narrow sensor lists faster using common attributes such as mode, status, version, and site. This helps you find agent (server) and non-agent sensors more easily and refine large sensor inventories without building filters from scratch.

• AELDEV-54199: Added the ability to build a query from active filters.

  Added the ability to build a query from active search or alert filters. This helps you turn investigation work into a reusable query more quickly instead of rebuilding the same logic manually in Query Builder.

Improvements

• AELDEV-69094: Updated Cases bulk action messaging for asynchronous status changes.

  Updated the Cases bulk action message to clarify that case status changes are processed asynchronously and can take several minutes to appear. The Task List in the top navigation bar now lets you track progress for bulk status update tasks, which makes it easier to understand when the update is still running and when you should refresh the Cases table or reapply filters to see the latest status.

• AELDEV-68718: Expanded date range options and queue behavior for case queues.

  Added support for custom date ranges in case queues. Custom queues now default to this past week and provide expanded date range options from last 15 minutes through this past month. Predefined queues are now read-only and use a fixed date range of the past year. When viewing queue contents, you can also define a custom display range by using Fixed, Since, or Last.

• AELDEV-68496: Extended the default Case Queue evaluation range to one year.

  Added support for custom date ranges in case queues. Custom queues now default to this past week and provide expanded date range options from last 15 minutes through this past month. Predefined queues are now read-only and use a fixed date range of the past year. When viewing queue contents, you can also define a custom display range by using Fixed, Since, or Last.

• AELDEV-67540: Improved the identification of ASN enrichment fields in the UI.

  Extended the default Case Queue evaluation range to one year. Default queues now evaluate cases from the past 12 months and cannot be modified, which lets you view and work with older cases in the user interface instead of being limited to the most recent month. Custom queues can use configurable evaluation ranges to support different investigation needs.

• AELDEV-67120: Updated the login flow to avoid revealing if a user account exists.

  Updated the login flow to return the same result whether the username, password, or both are incorrect. All login flows now also display the Continue with SSO button, and the tenant logo no longer appears after a user enters an email address. All tenant-specific branding now appears only after login. These changes help prevent attackers from using login behavior to identify valid user accounts.

• AELDEV-66899: Enabled the configuration of alert filter actions in Alert Details.

  Added support for configuring actions when you create an alert filter from the Alert Details panel. This brings the panel workflow in line with the Filters page and lets you define filter conditions and actions in one place without leaving the alert context.

• AELDEV-65797: Added real-time triage status updates in Cases.

  Added real-time triage status updates on the Case Details page so you can track analysis progress without refreshing the page. This helps you follow case analysis more easily and see when the AI-generated summary is ready.

• AELDEV-64013: Added the option to disable automatic query execution in Threat Hunting.

  Added an option to disable automatic query execution in Threat Hunting. This lets you adjust indexes, filters, and time settings before running a search, which helps you avoid unnecessary long-running queries and gives you more control over the hunting workflow.

• AELDEV-63617: Added last run details to ATH playbook status views.

  Added status details about when an Automated Threat Hunting (ATH) playbook last ran. This lets you see the most recent playbook execution separately from the last time the playbook triggered an action and helps you understand whether a playbook ran successfully, even when no action was triggered.

• AELDEV-63604: Replaced sensor platform lists in downloads with a Knowledge Base link.

  Improved the Download Image tab on the Sensor Installation page (System | DATA SOURCE MANAGEMENT | Sensors | Sensor Installation) by replacing the hard-coded list of supported versions, distributions, and hypervisors with a link to the Knowledge Base. Supported platforms are now maintained in a single location, which reduces drift between the Stellar Cyber UI and published documentation.

• AELDEV-62723: Added support for sending separate ATH email notifications for each matching record.

  Added a Run for each record option for Automated Threat Hunting (ATH) email actions so you can send a separate email for each matching record. This helps you deliver more targeted notifications for individual events, while warning you when this option could increase processing time and message volume.

• AELDEV-62339: Improved tenant selection in InSyncs.

  Improved tenant selection in InSyncs configuration to distinguish tenants from tenant groups in the list of tenants. In the Tenant field, Tenant Groups are now prefixed with Group.

• AELDEV-58895: Improved homepage selection based on role-based access checks.

  Improved the user home-page settings to perform role-based access control (RBAC) validation when users select a landing page. Configuration now relies on backend-validated role mappings instead of client-side lists, which keeps the selected home page consistent with the user role.

Early Access Program

If you're interested in testing out new features ahead of general availability, consider joining the Early Access Program (EAP) by contacting your Stellar Cyber Customer Success representative and telling them which EAP feature you want to test. Once you've agreed to the EAP terms and signed up, the EAP feature is unlocked for you.

The purpose of this program is to boost performance and reliability through real-world customer insights, giving you a hands-on role in shaping a Stellar Cyber feature. In return, you'll receive early access to upcoming releases and the chance to guide product development.

The following EAP features are in this release:

MCP Server

The Stellar Cyber MCP Server connects supported AI clients to the Stellar Cyber Platform through the Model Context Protocol (MCP). The MCP server lets AI clients retrieve case and alert data, review investigation context, perform tenant-aware operations, and update selected case fields. This capability helps teams extend AI-assisted investigations by giving approved clients structured access to operational security data and workflows.

Parser Studio

Parser Studio lets you create and manage custom log parsers for data ingestion by cloning existing parsers, testing parser behavior before deployment, and activating parsers for production use. This capability helps you accelerate onboarding of custom log sources while reducing parser development effort and improving validation before live ingestion.

XDR Connector Webhook Ingestion

This is a simple webhook framework that lets you post JSON data directly from any external system into Stellar Cyber, accelerating custom integrations and expanding your visibility across the entire security stack. The XDR Connector is in Public Preview in this release.

Customizable Case Correlation Strategies

This EAP feature introduces support for multiple case correlation strategies, allowing teams to evaluate and experiment with different approaches to grouping alerts into cases. Each strategy provides a distinct investigative perspective:

• Attacker-Centric Correlation groups alerts by the source (attacker) host, making it easier to track adversary behavior across multiple targets.

• Victim-Centric Correlation organizes alerts by the destination (victim) host, enabling focused protection and visibility on high-value assets.

• Multi-Entity Correlation links alerts across interconnected hosts and actions to form a single case, offering a holistic view of extended or lateral attack campaigns.

This flexibility enables security teams to tailor investigations based on their operational priorities—whether that’s identifying persistently targeted endpoints, tracing threat actor movements, or capturing full-scale intrusion campaigns.

Alert for Suspicious OCI Tenant-to-Tenant Communication

This EAP feature introduces a new alert type that detects cross-tenancy communications in the Oracle Cloud Infrastructure (OCI). By analyzing tenantId fields in audit logs, the feature identifies requests that target resources in a different tenancy. This provides accurate visibility into potentially unauthorized cross-tenancy activity and strengthens oversight in OCI environments.

To join the Early Access Program and begin testing these features, contact your Stellar Cyber Customer Success representative.