Stellar Cyber 6.6.0 Release Notes

Software Release Date:
Release Note Updated:

The Stellar Cyber 6.6.0 release delivers the following updates to the Stellar Cyber Open XDR platform.

The release notes are organized into the following sections:

Highlights

Autonomous SOC / Auto Triage

  • Auto Triage Verdict Visibility: Auto Triage verdicts now appear as filterable columns in the Alert Table and Threat Hunting views. In addition, a response action panel was added to the Auto Triage alert page (including phishing email alerts) so analysts can see and act on triage outcomes without opening individual cases.

System / Platform

  • Platform Health Monitoring in the System Action Center (Early Access Program): Centralized platform health monitoring alerts in the System Action Center for improved visibility and faster response to platform issues.

  • License Enforcement and Usage Notifications: Added API actions for license enforcement and usage notifications.

Detections/Machine Learning

  • Improved Login Anomaly Fidelity: Alert suppression for Impossible Travel Anomaly and User Login Location Anomaly is now customizable, Impossible Travel prioritizes records with usernames, and ASN enrichment fields were added to Impossible Travel Anomaly alerts.

  • Improved User Counting Accuracy: Improved the accuracy of license user counting by integrating external data sources for Microsoft Entra ID.

Integrations

Usability

  • Watchlists for All Alert Fields: Enabled Add to Watchlistfor all alert fields.

  • Selective Parser Port Activation: Parser ingestion ports can now be enabled on-demand and parsers added after 6.5.0 are inactive by default, reducing false alerts from unused listeners.

Actions Required

There are no actions required in this release.

Behavior Changes

Changes that affect the way users interact with the product or interpret results are listed below.

  • DATA-3412: The totalbytes field in the Fortinet FortiAnalyzer parser is now calculated as the sum of inbytes_total and outbytes_total, consistent with how other parsers calculate this field. Previously, the FortiAnalyzer parser calculated totalbytes as the sum of inbytes_delta and outbytes_delta, which significantly underreported session volume when delta values differed from totals. Dashboards, detections, or queries that rely on totalbytes from FortiAnalyzer data may return different values after this change.

  • AELDEV-71104: Built-in legacy parsers added in 6.5.0 and later releases are now inactive by default for new tenants and must be explicitly activated in Parser Studio before use. Previously added legacy parsers retain their existing active status and are not affected by this change. You can activate or deactivate any individual parser at any time from Parser Studio, and the configuration is applied to sensors on the next deployment.

  • AELDEV-64683: The Google Workspace log collector no longer maps the metadata.customerId field to user.id. The customerId value is a Google account identifier for the organization, not a user identifier, so this mapping was incorrect and caused confusion in alert context. Existing events already indexed with this normalization are not affected. Newly ingested Google Workspace events no longer populate user.id from this field.

Deprecated Features

There are no deprecated features in this release.

Autonomous SOC

Improvements

Detection/ML

Improvements

Stellar Cyber Platform

New Features

Improvements

Sensors

New Features

Improvements

Connectors

New Features

Improvements

Parsers

New Features

Improvements

Usability

New Features

Improvements

Early Access Program

If you're interested in testing out new features ahead of general availability, consider joining the Early Access Program (EAP) by contacting your Stellar Cyber Customer Success representative and telling them which EAP feature you want to test. Once you've agreed to the EAP terms and signed up, the EAP feature is unlocked for you.

The purpose of this program is to boost performance and reliability through real-world customer insights, giving you a hands-on role in shaping a Stellar Cyber feature. In return, you'll receive early access to upcoming releases and the chance to guide product development.

The following EAP features are in this release:

AI Assistant

Exportable Dashboards — Report Integration

Exportable Dashboards lets you schedule dashboards created with the Dashboard Builder as recurring PDF reports. The schedule form includes a new Default PDF type that renders the dashboard as it appears in the Dashboard Builder, along with options to control table row counts, chart color palettes, and optional CSV exports. This capability lets you generate consistent, configurable reports from new dashboards while preserving the settings and PDF types used by existing scheduled reports.

MCP Server

The Stellar Cyber MCP Server connects supported AI clients to the Stellar Cyber Platform through the Model Context Protocol (MCP). The MCP server lets AI clients retrieve case and alert data, review investigation context, perform tenant-aware operations, and update selected case fields. This capability helps teams extend AI-assisted investigations by giving approved clients structured access to operational security data and workflows.

Parser Studio

Parser Studio lets you create and manage custom log parsers for data ingestion by cloning existing parsers, testing parser behavior before deployment, and activating parsers for production use. This capability helps you accelerate onboarding of custom log sources while reducing parser development effort and improving validation before live ingestion.

XDR Connector Webhook Ingestion

This is a simple webhook framework that lets you post JSON data directly from any external system into Stellar Cyber, accelerating custom integrations and expanding your visibility across the entire security stack. The XDR Connector is in Public Preview in this release.

Customizable Case Correlation Strategies

This EAP feature introduces support for multiple case correlation strategies, allowing teams to evaluate and experiment with different approaches to grouping alerts into cases. Each strategy provides a distinct investigative perspective:

  • Attacker-Centric Correlation groups alerts by the source (attacker) host, making it easier to track adversary behavior across multiple targets.

  • Victim-Centric Correlation organizes alerts by the destination (victim) host, enabling focused protection and visibility on high-value assets.

  • Multi-Entity Correlation links alerts across interconnected hosts and actions to form a single case, offering a holistic view of extended or lateral attack campaigns.

This flexibility enables security teams to tailor investigations based on their operational priorities—whether that’s identifying persistently targeted endpoints, tracing threat actor movements, or capturing full-scale intrusion campaigns.

Alert for Suspicious OCI Tenant-to-Tenant Communication

This EAP feature introduces a new alert type that detects cross-tenancy communications in the Oracle Cloud Infrastructure (OCI). By analyzing tenantId fields in audit logs, the feature identifies requests that target resources in a different tenancy. This provides accurate visibility into potentially unauthorized cross-tenancy activity and strengthens oversight in OCI environments.

To join the Early Access Program and begin testing these features, contact your Stellar Cyber Customer Success representative.

Resolved Issues

The following issues have been resolved in this release.

Known Issues

Stellar Cyber Platform System Requirements

You must install the Stellar Cyber Platform in an environment that meets or exceeds minimum system requirements. Refer to the following sections for the minimum system requirements for different target environments:

System Requirements for Cluster Installation in VMware ESXi

You can install the Stellar Cyber platform on a dedicated ESXi server running VMware ESXi 8.0, 7.0 or 6.7. The target ESXi server must have sufficient resources to support separate virtual machines for the cluster nodes required by your expected daily ingestion volume.

Refer to Stellar Cyber Platform (DP) System Requirements and Capacity Planning for details on the quantities of cluster nodes required for different daily ingestion volumes, as well as the system resources you must provision for their virtual machines.

Keep in mind the following:

  • Each VM  must be thick-provisioned.

  • You can install all of the VMs in the same datastore if there is sufficient space for both the VMs and the disk space required for the Data Lake's ElasticSearch data. However, Stellar Cyber recommends that the Data Lake uses a dedicated datastore.

Stellar Cyber supports SSD disks for both the OS and Data Lake drives (SATA, SAS, or NVMe). HDD disks introduce latency and are not supported.

Scaling Up Performance with a DP Cluster

You can configure up to ten DP servers to operate in a cluster to achieve improved Stellar Cyber performance. Stellar Cyber cluster testing indicates the following performance guidelines when adding additional DPs to a cluster:

  • With data replication disabled, the aggregated ingestion throughput grows linearly with the number of DP servers.

  • With data replication enabled (the default), the aggregated ingestion throughput is about 30% lower than the throughput without data replication.

Upgrading the Stellar Cyber Platform

You can upgrade the Stellar Cyber Platform from 6.4.0 or later to 6.6.0. You must:

  • Prepare for the upgrade

  • Upgrade the Stellar Cyber Platform to 6.6.0

  • Upgrade the sensors

  • Verify the upgrade

For more detailed instructions, refer to Upgrading Software.

Due to additional functionality and features, resource utilization (CPU and memory) might increase depending on your usage patterns. You can keep tabs on the platform's CPU and disk usage by clicking the Node List button in the System | Data Management | Data Analyzer page. If necessary, you can scale up your platform by adding DA and DL worker nodes, as described here for AWS, GCP, and OCI.

Important Note for Air-Gapped Environments: The 6.6.0 release requires connectivity to specific external URLs to enable components included in the installation image, such as Early Access Program functionality and various features and fixes. In air-gapped or dark site environments, where externasl network access is restricted, these components cannot be enabled after installation. Before upgrading to 6.6.0, confirm that the required connectivity to these URLs is available.

Prepare for the Upgrade

To prepare for the upgrade:

  • Back up the data and configuration
  • Make sure the sensors are up and running
  • Take note of the ingestion rate
  • Take note of the number of alerts
  • Make sure the system health indicator shows
  • Run the pre-upgrade check

Upgrade the Stellar Cyber Platform to 6.6.0

To upgrade the Stellar Cyber Platform to 6.6.0 from a version earlier than 6.4.0, first upgrade to 6.4.0.
  1. Select Settings | ORGANIZATION MANAGEMENT | Software Upgrade.

  2. Choose 6.6.0.

  3. Select START UPGRADE.

Upgrade the Sensors

New features, updated ML algorithms, and enhanced configurations may change ingestion and detection patterns. We recommend the following to ensure a smooth upgrade:

  • Upgrade sensors with the Sandbox and IDS features enabled before sensors with the only the Network Traffic feature enabled. Sensors with Network Traffic enabled send data to sensors with Sandbox and IDS enabled for additional processing.
  • Upgrade sensors in batches instead of all at once.
  • For server sensors (agents):
    • Upgrade a small set of sensors that cover non-critical assets.
    • After 24 hours, ensure that your ingestion is as expected, then upgrade a larger set.
    • After 24 hours, ensure that your ingestion is as expected, then upgrade the remaining server sensors.

CentOS 7.1 Prerequisite – Update curl to 7.29.0-59.el7_9.2 or Higher

Before upgrading any Linux Server Sensors running in CentOS 7.1, you must check your curl version and update it to 7.29.0-59.el7_9.2 or higher to use the strong encryption required by the Stellar Cyber Platform.

  1. Check your curl version as shown below:

    yum list installed curl

    \* Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile Installed Packages curl.x86_64 7.29.0-19.el7

  2. If the listed version is lower than 7.29.0-59.el7_9.2 (as it is in the example above), use the following commands to update the curl package:

    yum makecache

    yum install curl

  3. If installation of the curl package fails, it is most likely because CentOS is trying to use a repo that has reached its end of life. Try updating the base URL and then reinstall curl. The following sed command makes the necessary changes for most environments to ensure that the updated curl package can be installed:

    sudo sed -i.bak -e 's|^mirrorlist=|#mirrorlist=|' -e 's|^#baseurl=http://mirror.centos.org/centos/\$releasever|baseurl=http://archive.kernel.org/centos-vault/7.9.2009|' /etc/yum.repos.d/CentOS-Base.repo

To upgrade sensors:

Depending on the type of server sensor, upgrade your sensors to version 6.6.0 as follows:

  • Linux Server Sensors: Upgrade directly to 6.6.0 from either of the two previous releases: 6.4.0 or 6.5.0.

  • Windows Server Sensors: Upgrade directly to 6.6.0 from an extended range of previous releases: 5.1.0 through 6.5.0.

    If you are upgrading a Windows Server Sensor, complete any pending updates for the host Windows machine before upgrading the sensor.

  1. Select System | DATA SOURCE MANAGEMENT | Sensors | Sensors.

    The Sensor List appears.

  2. Select Manage | Software Upgrade.

    The Sensor Software Upgrade page appears.

  3. Choose the target software version.

  4. Choose the target sensors.

  5. Select Submit.

Verify the Upgrade

To verify that the upgrade was successful:

  • Check the Current Software Version on the System | ORGANIZATION MANAGEMENT | Software Upgrade page.
  • Make sure the sensors are up and running.
  • Check the ingestion rate and make sure it is as expected.
  • Check the number of alerts and make sure it is as expected.
  • Check the system health indicator:
    • indicates a perfectly healthy system.
    • indicates minor issues. Monitor the system for 30 minutes. If the issues remain, investigate further.
    • indicates major issues. Contact Technical Support.