Stellar Cyber 4.2.2 Release Notes

The Stellar Cyber 4.2.2 release consists solely of updates for the Windows Server Sensor. All other sensor and DP software remains at the 4.2.1 release. See below for new features, improvements, enhancements, key fixes, and known issues. Upgrade instructions follow all of that great information.

Refer to the Stellar Cyber 4.2.1 Release Notes and Stellar Cyber 4.2.0 Release Notes for information on the parent 4.2.1 and 4.2.0 releases, including a video highlighting new features.

Windows Server Sensor Deprecations

  • Starting from 4.2.2, Windows Server Sensor installation does not automatically install the Windows Sysmon utility. Customers are encouraged to install the software separately using the instructions in Installing a Windows Server Sensor. The Windows Server Sensor is still able to collect Sysmon logs.

Windows Server Sensor Enhancements

  • Allow data filtering based on Windows event IDs.

  • Redesigned the Windows Server Sensor installation process.

  • Improved Windows Server Sensor stability.

Critical Bug Fixes

  • Windows event ID 4616 is now ingested.

Known Issues

  • Use the System | Sensors | Manage | Software Upgrade feature to upgrade Windows Server Sensors running 3.7.x and later to 4.2.2. Although you can use the System | Agents | Windows page to download MSI and/or MST files for Windows Server Sensor installations, these files should only be used for fresh installations and reinstallations and not for upgrades.

  • A modular sensor upgrade fails when the associated modular sensor profile has the IDS or Sandbox features enabled and the corresponding feature license is not assigned to the sensor. Workaround: Authorize the sensor with an IDS and Sandbox license, or in the modular sensor profile, disable the IDS and the Sandbox features and try to upgrade again.

  • Stellar Cyber recommends using the same CPU and Memory specifications for DL nodes. Variations in specifications across worker nodes can cause Data Lake stability issues.

  • The proxy settings do not work in the following connectors: Cisco Umbrella, VMware Carbon Black, Duo Security, Tenable.io, Prisma Cloud, AWS Cloudtrail, BlueCoat WSS, and Azure Event Hub.

  • When multiple traffic filters are defined for a tenant with the same combination of ip, port, protocol, and layer 7 rules, the filter may fail to take effect. Administrators should review the defined traffic filters and make sure there are no duplicate definitions among filters.

  • Files may not be assembled by Security Data Sensors for traffic mirrored from physical interfaces on Cisco Nexus 9K models. As a workaround, configure VLAN mirroring on the Cisco switch.

  • Sensor installation on Linux servers running CentOS 6 fails because the official CentOS 6 package download link is no longer available.

  • If you change the network interface configuration of a sensor’s VM after deployment, the eth0 interface may be remapped to a new interface. If this happens, the management network is disconnected. Contact Technical Support for assistance.

Upgrading

Only the Windows Server Sensor is updated in the 4.2.2 release; all other Stellar Cyber software remains at 4.2.1.

You can upgrade the Windows Server Sensor from the 3.11.x release and later. The procedure is described in the sections that follow.

Refer to the online documentation section Upgrading Software for more detailed instructions.

Preparing for the Upgrade

To prepare for the upgrade:

  • Back up the data and configuration
  • Make sure the sensors are up and running
  • Take note of the ingestion rate
  • Take note of the number of alerts
  • Make sure the system health indicator shows a healthy system
  • Run the pre-upgrade check

Upgrading the DP to 4.2.1

The 4.2.2 Windows Server Sensor requires a DP running a minimum release of 4.2.1. If you have not already upgraded your DP to 4.2.1, use the following instructions to do so.

Note: DP upgrades to 4.2.1 are supported from 4.1.5 or 4.2.0.

  1. Click Admin | Software Upgrade.

  2. If your DP is not already running 4.1.5 or 4.2.0, choose one of those releases for the first upgrade.

  3. Click Start Upgrade.

  4. After this base upgrade is completed, repeat the upgrade process and select 4.2.1.

Review Alert/Machine Learning Training Time for guidance on training time of updated ML models.

Upgrading Sensors

Only the Windows Server Sensors are updated in 4.2.2. The Data Processor, Network Sensors, Security Sensors and Linux Server Sensors do not need to be updated.

To upgrade Windows Server Sensors:

  1. Click Collect | Sensor Overview. The Data Sensor List appears.

  2. Click Software Upgrade in the Manage dropdown. The Data Sensor Software Upgrade page appears.

  3. Choose the target software version.

  4. Choose the target sensors.

  5. Click Submit.

New features, updated ML algorithms, and enhanced configurations may change ingestion and detection patterns. We recommend the following to ensure a smooth upgrade:

  • For Windows Server sensors:
    • Upgrade a small set of sensors that cover non-critical assets.
    • After 24 hours, ensure that your ingestion is as expected, then upgrade a larger set.
    • After 24 hours, ensure that your ingestion is as expected, then upgrade the remaining agent sensors.

For fresh installation, the software can be downloaded from the production server directly by using the URLs below. Contact Stellar Cyber Customer Success for access credentials.

Windows Server Sensor Upgrades and Sysmon

Releases from 4.2.2 onwards do not download and install the stellar_syswatcher (Microsoft Sysmon64) service due to potential system crashes in certain older operating systems (Windows 2008R2 and 2012, although possibly others).

Note the following:

  • Upgrades of Windows Server Sensors leave the existing version of stellar_syswatcher intact and do not upgrade it. You can continue to use the existing Sysmon service safely.

  • You can install the latest version of Sysmon (v15.14 at this writing) manually if you want the Windows Server Sensor to report Sysmon events to the DP. This is recommended for improving visibility on Windows systems. However, Stellar Cyber strongly recommends that you test your installation in a non-production environment to verify operations before moving to production.
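The following PowerShell snippet is an added example, not part of the Stellar Cyber release notes or sensor software. It checks, on an upgraded Windows server, whether the legacy stellar_syswatcher service is still present (upgrades leave it intact), which Sysmon binary version is running, and whether the Security log holds any event ID 4616 records that the sensor can now ingest. The service name stellar_syswatcher and event ID 4616 come from the notes above; the 4616 lookback window of 7 days is an assumption.

```powershell
# Added example: post-upgrade host-side checks for the Windows Server Sensor.
# Run in an elevated PowerShell session on the sensor host.

# 1. Legacy Sysmon service installed by pre-4.2.2 sensors. Upgrades do not
#    touch it, so its presence (or absence) is expected and informational.
$svc = Get-CimInstance Win32_Service -Filter "Name='stellar_syswatcher'"
if ($svc) {
    # PathName holds the service binary; read its file version to see which
    # Sysmon build is actually running.
    $exe = ($svc.PathName -replace '"', '') -split '\s+' | Select-Object -First 1
    $ver = (Get-Item $exe -ErrorAction SilentlyContinue).VersionInfo.FileVersion
    Write-Host "stellar_syswatcher: $($svc.State), binary=$exe, version=$ver"
} else {
    Write-Host "stellar_syswatcher not present (fresh 4.2.2 install or manual Sysmon)"
}

# 2. Any Sysmon operational log at all? Present if Sysmon (legacy or manual)
#    is installed and has written events; the sensor collects from this log.
$sysmonLog = Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' -ErrorAction SilentlyContinue
if ($sysmonLog) {
    Write-Host "Sysmon log present: $($sysmonLog.RecordCount) records"
} else {
    Write-Host "No Sysmon operational log; install Sysmon manually if Sysmon visibility is wanted"
}

# 3. Event ID 4616 (system time changed) is newly ingested in 4.2.2. Confirm the
#    host actually audits it; if zero records appear over the lookback window
#    the DP will not show any, which is an audit-policy gap rather than a sensor bug.
$lookbackDays = 7   # assumption: adjust to your audit retention
$since = (Get-Date).AddDays(-$lookbackDays)
$timeChanges = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4616; StartTime = $since } -ErrorAction SilentlyContinue
Write-Host "Event ID 4616 records in last $lookbackDays days: $(@($timeChanges).Count)"
```

Compare the 4616 count reported here with what the DP shows for the same host after the upgrade; a host-side count with no DP-side records points at sensor connectivity or filtering rather than the audit policy.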

Verifying the Upgrade

To verify that the upgrade was successful:

  • Check the Current Software Version on the System | ORGANIZATION MANAGEMENT | Software Upgrade page.
  • Make sure the sensors are up and running.
  • Check the ingestion rate and make sure it is as expected.
  • Check the number of alerts and make sure it is as expected.
  • Check the system health indicator:
    • Healthy indicator: a perfectly healthy system.
    • Minor-issues indicator: monitor the system for 30 minutes. If the issues remain, investigate further.
    • Major-issues indicator: contact Technical Support.