Stellar Cyber 4.3.7 Release Notes

Software Release Date: October 2, 2023
Release Note Updated: December 13, 2023

The Stellar Cyber 4.3.7 release brings the following improvements to the Stellar Cyber Open XDR platform. For detailed information, refer to the Stellar Cyber online documentation.

Highlights

  • Introduced the new Case Management feature that replaces the Incident feature. Case Management sets a new foundation for improved collaboration on correlated detections (now called Cases instead of Incidents), improved synchronization with outside systems, improved user experience, and improved correlation and context.

  • Introduced System Action Center, which provides in-depth notifications for multiple items including Case Management, Data Storage, Data Sink, Cluster Health, and Connector Monitoring.

  • Introduced a new table UI element throughout the platform that improves usability for better filtering and data visualization.

  • Starting with 4.3.7, new device sensors (physical and virtual) are now deployed with Ubuntu 22.04.

  • Custom alerts created through Automated Threat Hunting (ATH) can now be correlated with Cases, formerly known as Incidents.

  • Added 230+ rules covering Windows, Process Creation, and AWS threats.

  • Introduced Connector Event filtering to allow for streamlined ingestion.

  • Introduced improved Sensor Windows Event Filtering for streamlined ingestion.

Partner Summary

This is summary information. For technical details, refer to later sections.

Highlights

Case Management:

  • Revolutionize your security operations with Case Management. It's not just a replacement for Incidents; it's a game-changer. Collaborate seamlessly, sync with external systems effortlessly, enjoy a superior user experience, and elevate correlation and context in your detections. Empower your security teams like never before.

System Action Center:

  • Gain unprecedented insights and control with the System Action Center. Get in-depth notifications for Case Management, Data Storage, Data Sink, Cluster Health, and Connector Monitoring. Stay ahead of issues, proactively address concerns, and ensure your security infrastructure operates at its best.

Table UI Element:

  • Transform your data into actionable insights with our new table UI element. It's all about enhancing usability, enabling smarter filtering, and presenting data in a visually compelling way. Make data-driven decisions effortlessly.

New Device Sensors:

  • Keep your security posture updated with the latest technology. Our new device sensors, deployed with Ubuntu 22.04, ensure you're equipped to tackle evolving threats and challenges. Future-proof your security infrastructure.

Custom Alerts:

  • Tailor your security alerts like never before. Now, custom alerts created through Automated Threat Hunting (ATH) can be correlated with Cases. Achieve a higher level of precision and context in your threat detection.

Rule Additions:

  • We've got your back with over 230 new rules covering Windows, Process Creation, and AWS threats. Stay one step ahead of threat actors with a broader and more comprehensive rule set.

Connector Enhancements:

  • Streamline your data ingestion process with Connector Event filtering and improved Sensor Windows Event Filtering. Make data handling smoother and more efficient, ensuring you never miss a beat.

Behavior Changes

Case Management:

  • Supercharge your event management with Case Management. It's not just a replacement; it's an upgrade. Elevate your ability to handle correlated events effectively, streamline evidence management, gain insights faster, and track metrics effortlessly.

Incidents to Cases:

  • Seamlessly transition to the future of security operations. Your existing Incidents are now Cases, offering you enhanced functionality and clarity. It's more than a change in terminology; it's an improvement in your workflow.

System Action Center:

  • Take control of your security infrastructure like never before. With the System Action Center, you're not just informed; you're empowered. Stay on top of critical notifications across multiple areas and ensure your security environment is resilient and responsive.

Built-in Windows Sensor Profile:

  • Don't miss out on the latest in Windows Detection. Update your Sensor Profiles and ensure your organization is equipped to handle new threats effectively. It's about maintaining a cutting-edge security posture.

Microsoft 365 Alert Integration:

  • Enhance your Microsoft 365 alerting strategy. Resolve alert duplication issues and gain more context with improved display names. It's about making your response more efficient and insightful.

DHCP Server Anomaly Alert:

  • Elevate your network security to the next level. The DHCP Server Anomaly alert now keys on the DHCP server address reported by the sensor rather than on the destination IP, improving detection accuracy in more complex network architectures. Upgrade all sensors to 4.3.7, since the field the alert depends on is only populated by 4.3.7 sensors.

Phishing Site Visit Alert:

  • Reduce alert noise and focus on actionable threats. With the new deduplication mechanism, you'll receive relevant alerts without the clutter, optimizing your incident response.

Asset Vulnerability Enrichment:

  • Optimize resource usage and improve performance. The increased interval for vulnerability score calculation reduces system strain while still providing essential insights.

Private IP Assignments:

  • Gain greater control over IP assignments. Now, you can assign private IP ranges per tenant, ensuring more tailored and efficient network management, bringing about customization and scalability.

Tenant Name Change:

  • Simplify your configurations with a more intuitive naming convention. The change from Root Tenant to All Tenants streamlines your setup and management processes.

Enhanced Rule Engine and Rule Alert Types

  • Stellar Cyber introduces an advanced Sigma Rule Engine that revolutionizes threat detection. Tailor your security measures with highly customizable rules for precise threat identification, putting you in control of your security strategy.

  • Over 120 Windows-related rules focused on Identity threats and 50+ Process Creation-related rules empower you to fortify your defenses against identity-based attacks and suspicious process behaviors, reinforcing your security posture.

  • Additionally, 60+ AWS-related rules provide unprecedented visibility into your cloud environment's security. Detect AWS-specific threats promptly, bolstering cloud security and compliance.

Third-Party Alert Integrations

  • Stellar Cyber introduces key third-party alert integrations such as OCI CloudGuard, AWS GuardDuty, Proofpoint Targeted Attack Protection (TAP), Varonis, and Acronis Cyber Protect Cloud. These integrations expand your threat detection capabilities, demonstrating your commitment to safeguarding critical assets across various platforms.

  • Improved Microsoft 365 alert integration enhances your ability to correlate alerts with entities, delivering more actionable information and strengthening your response to potential threats.

  • In addition, our integration with Azure Active Directory ensures you are reporting alerts effectively for customers with Azure AD Premium P2 licenses, optimizing your security efforts.

Enhanced ML Alert Types

  • Our Machine Learning (ML) alert types have been fine-tuned to provide higher detection accuracy and reduce false positives. This means you can spend more time addressing real threats and less time on investigating non-issues, improving your overall security efficiency.

  • With advanced alert types that deduplicate similar events and provide nuanced insights, you can quickly identify and respond to threats, demonstrating your agility in safeguarding your organization's assets.

  • Furthermore, improvements in alert descriptions enhance the clarity of threat information, making it easier to understand and act upon alerts. This ensures that your team can efficiently respond to threats, reducing potential risks.

Platform Enhancements

  • Stellar Cyber extends support for new regions in the OCI data sink feature, enhancing your ability to manage data efficiently and ensuring data sovereignty compliance.

  • Improvements in the format for UI-based sensor upgrades provide a smoother and more user-friendly experience. This means you can effortlessly keep your security infrastructure up-to-date, minimizing downtime and operational disruptions.

  • The refactored /connector API using a new scheme elevates performance and maintainability, ensuring that you have a responsive and resilient security system in place.

  • Introduction of timezone support rectifies scheduling logic errors in reporting, allowing for more accurate and timely data analysis. This enhancement improves the reliability of your security insights.

  • The addition of API requests to the User Activity Log (Audit Logs) in the SaaS environment enhances your visibility into user actions, promoting better monitoring and governance.

  • With the introduction of a public API feature for lookup table functionality, you gain greater flexibility in customizing threat detection, tailoring it to your unique environment.

  • Enhanced scheduling of reports through the public API (Report Config) streamlines your reporting processes, facilitating better decision-making based on real-time insights.

  • The ability to create and delete Connector Configurations using the public API empowers you to adapt your security settings swiftly and efficiently.

  • Provided pre-defined templates for HIBUN Anomaly Time Handling rules simplify rule creation and fine-tuning, saving you time and effort in rule management.

  • Implementation of server-side input validation for the /ui-settings API hardens the endpoint: malformed or out-of-range values are rejected before they are stored, so configuration integrity no longer depends on client-side checks alone.

  • The added functionality to reset a user's password using the public API simplifies user account management and enhances overall security hygiene.

  • Introduction of Global RBAC support for removing the ? (Help) menu from Partner Accounts offers improved partner management and streamlined access control.

  • The RBAC option to hide the XDR Kill Chain landing page enhances your customization capabilities, allowing you to focus on the most relevant information for your organization.

  • The addition of a boolean field to alert filters provides more granularity in filtering and customizing alerts, enabling you to focus on the most critical threats.

  • Enhanced ATH scheduling enables you to fine-tune your automated response strategies during specific time windows, improving overall security efficiency.

Sensor Improvements

  • Stellar Cyber enhances sensor capabilities by providing more information during the Windows agent upgrade process, ensuring smooth upgrades with minimal disruptions.

  • Support for darksite functionality in the Linux agent enhances your security coverage in diverse network environments, improving threat detection.

  • Resolution of an issue with the aella_winlog.yaml file eliminates manual recovery steps, reducing administrative overhead and ensuring smoother agent deployments.

  • Cleaning up source files in the Windows MSI installer results in improved performance and stability, ensuring that your security infrastructure operates seamlessly.

  • Introduction of support for sensor encryption in the AWS environment enhances data protection, safeguarding sensitive information in the cloud.

  • Improved log rotation speed for td-agent ensures efficient log management, optimizing resource utilization.

  • Updated CA certificates enhance security by ensuring that your communication channels remain secure and compliant with industry standards.

  • The addition of a Nessus debug log improves troubleshooting and diagnostics, streamlining issue resolution and minimizing downtime.

  • Implementation of a memory percentage limit for td-agent ensures efficient resource management, promoting system stability.

  • Introduction of a new dynamic mapping system for Winlogbeat ensures broader support for Windows Events across various locales, enhancing threat detection accuracy.

  • Removal of the dependency on netcat for the Linux agent improves agent performance and reliability, ensuring consistent threat detection.

  • Transitioning to using one image per OS type for upgrades and fresh installations simplifies the deployment process, saving time and effort.

  • Introduction of a binary Linux installation package tailored for Amazon Linux 2 streamlines agent installation, improving deployment efficiency.

  • Extension of Linux agent support to include AlmaLinux 9 expands your compatibility options, allowing you to cover more platforms.

  • Enhanced compatibility with Red Hat Enterprise Linux 7, 8, and 9 ensures seamless integration with your existing infrastructure.

  • Log Forwarder reporting log filter statistics improves visibility and monitoring, allowing you to assess the effectiveness of your threat detection rules.

  • Addressing findings from penetration testing of the Network Sensor reduces its attack surface and the risk of unauthorized access.

  • Introduction of a Sensor CLI feature for conversions enhances flexibility and control over your security configurations, enabling you to adapt to changing requirements.

  • Introduction of a self-contained sensor package for SUSE12 environments ensures compatibility with a wider range of setups, simplifying deployments.

  • Self-contained installation support for Linux agents on various Ubuntu versions streamlines agent deployment, saving time and effort.

  • Introduction of support for Oracle Linux 8.5 for agent installation extends Linux agent coverage to Oracle Linux hosts.

  • Introduction of FIM support for PCI audit on Linux strengthens compliance measures, ensuring data protection and adherence to industry standards.

  • Improved Windows sensor enrichment enhances your ability to correlate and analyze security events, providing more comprehensive threat insights.

  • Improved performance of the Alert page.

Connector Improvements

  • Updated connector code for improved performance and compatibility, ensuring seamless integration with a wide range of systems and reducing potential disruptions for customers.

  • Enhanced exception handling for HTTP 400 responses gives clearer error reporting, facilitating quicker issue resolution.

  • Optimized resource usage for Google Workspace, SentinelOne and Cloudflare connectors, resulting in cost savings for customers by minimizing resource consumption.

  • Active Directory connector now supports username@domain.tld format for user management, simplifying user administration and aligning with modern identity standards.

  • Resolved errors in the SentinelOne connector for smoother integration, reducing operational disruptions and enhancing threat detection capabilities.

  • Improved data ingestion from MySQL with broader data source support, enabling customers to gain more insights from their data.

  • Salesforce connector no longer requires user credentials, streamlining setup and enhancing security by reducing credential exposure.

  • Enhanced connector ID in ADE records for more accurate enrichment, ensuring customers have more context for their alerts.

  • Added new connectors like Acronis Cyber Protect Cloud, LastPass, Proofpoint TAP, Imperva Incapsula, and HIBUN, expanding integration options and offering customers more choices.

  • Streamlined alert normalization for Cybereason, improving the accuracy and consistency of threat alerts.

  • Improved handling of login failure amplification in Office365 alerts, reducing alert fatigue and ensuring more meaningful notifications.

  • Augmented raw data in Office365 alarms for more comprehensive insights, enabling customers to make more informed decisions.

  • Added response actions for Azure Active Directory, improving incident management and helping customers respond more effectively to security threats.

  • Implemented an event filter for connectors, enhancing customization and enabling customers to tailor their security operations to their specific needs.

  • Enhanced Office365 enrichment for more detailed context, enabling customers to understand the full scope of security incidents.

  • Added a field for processor information in connector records, providing more data for customers to analyze and optimize their security processes.

  • Improved timestamp handling in Google Workspace connector for precise data analysis, ensuring customers have accurate information for their investigations.

Parser Improvements

  • Introduced new built-in parsers for various log sources, such as FortiEDR, SolarWinds, IronScales, and more, expanding log source compatibility and enabling customers to consolidate their log management.

  • Supported log source limits based on sensor memory, ensuring efficient resource usage and helping customers optimize their infrastructure.

  • Added support for msg_origin.source and msg_class on the parser side, providing more data categorization options and enabling customers to organize and analyze their logs more effectively.

  • Enhanced existing parsers like Cisco ASA, Symantec DLP, and Cisco Firepower for better log parsing, improving the accuracy of threat detection and reducing false positives.

  • Introduced additional fields and enrichment for Symantec DLP events, improving data context and enabling customers to better understand security incidents.

  • Improved parsing process, moving values to more appropriate fields for clarity, making it easier for customers to work with log data.

  • Introduced a new custom log parser for FluentD and other log sources, expanding log source compatibility and allowing customers to ingest and analyze a wider range of data.

  • Added requested parsers for specific log sources such as VMware VeloCloud SD-WAN and Avanan, giving customers the flexibility to integrate with the technologies they use.

  • Streamlined parsers for network devices and security solutions like Citrix Access Gateway, Kemp Load Balancer, and Secureki, enhancing log parsing accuracy and simplifying log management.

  • Supported additional fields and normalization for various log formats like CEF/LEEF, improving log data quality and enabling customers to gain more insights from their logs.

  • Introduced a new built-in parser for Alcatel Switch, expanding compatibility with network devices and helping customers monitor their network security.

  • Enhanced endpoint category parsers to report host IP, providing better contextual data for customers to investigate security incidents.

  • Improved parser request handling for greater flexibility, allowing customers to request and customize parsers to suit their specific needs.

  • Introduced a new built-in parser for Varonis as CEF parser, expanding integration options and enabling customers to monitor Varonis logs for security insights.

Actions Required

  • Calls to the Incident APIs are forwarded to the corresponding Case APIs. Update existing and new integrations to call the Case APIs directly.

  • The schema for the incident_score_change record in the syslog index changed format as part of the move from Incidents to Cases. If you have any existing automations that rely on the old schema, you will need to reconfigure them to use the new format. A common example of this is a notification configured to trigger when an incident (now case) enters the system with a score greater than a specified threshold. In previous releases, this threshold was configured using the metadata.incident_score field in the incident_score_change record in the syslog index. That field is renamed to metadata.score in this release. You must reconfigure any automations based on this field accordingly. Refer to ATH Example: Notifications for Case Scores for an example.

    Alternatively, you can use the new Case Management rules in the System Action Center to get notifications regarding a variety of events related to cases.

  • The DHCP Server Anomaly alert type now uses metadata.response.server_ip instead of dstip to improve detection accuracy in more sophisticated network architectures. The metadata.response.server_ip field is added in the 4.3.7 sensor, and all sensors need to be upgraded to 4.3.7 for the improved DHCP Server Anomaly alert type to work.

  • Built-in Windows Sensor Profile. The template for Windows Detection Profile (Low Volume) has been updated to include new event IDs used by the 4.3.7 new alert types on Windows-related rules. If you would like to keep event ID coverage for all built-in alert types, you will need to update existing Sensor Profiles based on the old Detection Profile to the new Detection Profile.

  • The following four SA alert types are deprecated and removed in 4.3.7. They are replaced by Microsoft 365 alert integration. In addition, the alert deduplication is now based on AlertId instead of srcip_usersid. If you have exported these alert types, please update your external systems, such as your SOAR/playbooks pipeline.

    • Office 365 Access Governance Anomaly is replaced by Microsoft 365: Valid Accounts (Privilege Escalation) and Microsoft 365: Account Manipulation

    • Office 365 Blocked User is replaced by Microsoft 365: Valid Accounts (Initial Access)

    • Office 365 Data Exfiltration Attempt Anomaly is replaced by Microsoft 365: Exfiltration Over Web Service

    • Office 365 Data Loss Prevention is replaced by Microsoft 365: XDR Anomaly
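The items above change how existing automations must read the data: the score field is renamed, four alert type names are retired in favour of new ones, and deduplication moves from srcip_usersid to AlertId. The following is an added example, not Stellar Cyber code, of a downstream notification or SOAR intake handler adapted for all three. It reads the score from either schema so records written on both sides of the upgrade are handled, expands a watchlist of legacy alert type names into their 4.3.7 replacements, and deduplicates on the new key, with the old key shown for contrast. Only the field names quoted in these notes are taken from the page; the location of AlertId (assumed to be metadata.AlertId), the threshold, and the sample records are assumptions or constructed data.

```python
"""Added example (not Stellar Cyber code): adapting a SOAR/notification handler to
4.3.7. Field names quoted by the release notes are used as given
(metadata.incident_score -> metadata.score, srcip_usersid, xdr_event.name); the
AlertId location (assumed: metadata.AlertId) and the rest of the record shape are
assumptions, and every sample record below is constructed."""

SCORE_THRESHOLD = 75  # assumed notification threshold

# Deprecated alert types and their 4.3.7 replacements, as listed in the release notes.
LEGACY_M365_ALERT_TYPES = {
    "Office 365 Access Governance Anomaly": (
        "Microsoft 365: Valid Accounts (Privilege Escalation)",
        "Microsoft 365: Account Manipulation"),
    "Office 365 Blocked User": ("Microsoft 365: Valid Accounts (Initial Access)",),
    "Office 365 Data Exfiltration Attempt Anomaly": (
        "Microsoft 365: Exfiltration Over Web Service",),
    "Office 365 Data Loss Prevention": ("Microsoft 365: XDR Anomaly",),
}


def get_path(record, dotted, default=None):
    """Resolve a dotted path such as 'metadata.score' in a nested dict."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def case_score(record):
    """Score of an incident_score_change record in either schema: the 4.3.7 name
    metadata.score first, falling back to the pre-4.3.7 metadata.incident_score."""
    score = get_path(record, "metadata.score")
    return score if score is not None else get_path(record, "metadata.incident_score")


def should_notify(record, threshold=SCORE_THRESHOLD):
    """True when the case score exceeds the threshold; records without a score never fire."""
    score = case_score(record)
    return score is not None and score > threshold


def expand_legacy_names(watchlist):
    """Rewrite a watchlist of alert type names so deprecated names match their
    replacements. One legacy name may expand to several (Access Governance Anomaly
    expands to two); names that are not deprecated pass through unchanged."""
    expanded = set()
    for name in watchlist:
        expanded.update(LEGACY_M365_ALERT_TYPES.get(name, (name,)))
    return expanded


def dedupe(alerts, key_field):
    """Keep the first alert per value of key_field, preserving order. Alerts lacking
    the key are kept, so an upstream key rename shows up as extra alerts, not silence."""
    seen, kept = set(), []
    for alert in alerts:
        key = get_path(alert, key_field)
        if key is not None:
            if key in seen:
                continue
            seen.add(key)
        kept.append(alert)
    return kept


def alerts_to_forward(alerts, watchlist):
    """Alerts whose type is on the legacy-aware watchlist, deduplicated by AlertId."""
    wanted = expand_legacy_names(watchlist)
    matched = [a for a in alerts if get_path(a, "xdr_event.name") in wanted]
    return dedupe(matched, "metadata.AlertId")


# Constructed sample records.
OLD_SCORE_RECORD = {"metadata": {"incident_score": 80}}  # written before the upgrade
NEW_SCORE_RECORD = {"metadata": {"score": 80}}           # written by 4.3.7

# Two distinct Microsoft alerts for one user, the second delivered twice. Keyed on
# srcip_usersid (pre-4.3.7) they collapse to one; keyed on AlertId (4.3.7) two remain.
M365_ALERTS = [
    {"xdr_event": {"name": "Microsoft 365: Valid Accounts (Initial Access)"},
     "srcip_usersid": "alice@example.com", "metadata": {"AlertId": "a1"}},
    {"xdr_event": {"name": "Microsoft 365: Account Manipulation"},
     "srcip_usersid": "alice@example.com", "metadata": {"AlertId": "a2"}},
    {"xdr_event": {"name": "Microsoft 365: Account Manipulation"},
     "srcip_usersid": "alice@example.com", "metadata": {"AlertId": "a2"}},
]

if __name__ == "__main__":
    for rec in (OLD_SCORE_RECORD, NEW_SCORE_RECORD):
        print(rec, "->", "notify" if should_notify(rec) else "ignore")
    legacy_watchlist = ["Office 365 Access Governance Anomaly", "Office 365 Blocked User"]
    for a in alerts_to_forward(M365_ALERTS, legacy_watchlist):
        print("forward", a["metadata"]["AlertId"], a["xdr_event"]["name"])
```

Keying on srcip_usersid collapses the two distinct Microsoft alerts for alice into one; keying on AlertId keeps both and drops only the genuine repeat. Alerts that lack the key are passed through deliberately, so if a later release moves the field again the symptom is duplicate alerts rather than silently missing ones.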

Behavior Changes

Changes that affect the way users interact with the product or interpret results are listed below.

  • Case Management: The 4.3.7 release introduces Case Management as a replacement for Incidents. With Case Management, users are able to manage correlated events more effectively, add evidence to Cases, clearly understand important data faster, make comments, and track pertinent metrics for management.

  • Incidents to Cases: With Case Management’s introduction, all existing Incidents will be migrated to Cases. All mentions of Incidents within the Stellar Cyber Platform are also changed to Case or Cases.

  • System Action Center: The 4.3.7 release introduces the System Action Center, which provides in-depth notifications for multiple items including Case Management, Data Storage, Data Sink, Cluster Health, and Connector Monitoring.

  • Built-in Windows Sensor Profile: The template for Windows Detection Profile (Low Volume) has been updated to include new event IDs used by the 4.3.7 new alert types on Windows-related rules. If you would like to keep event ID coverage for all built-in alert types, you will need to update existing Sensor Profiles based on the old Detection Profile to the new Detection Profile.

  • Improved alert type display names (xdr_event.display_name) for the Microsoft 365 alert integration by appending the tactic name. For technique names that map to multiple tactics, the display name is now Microsoft 365: followed by the assigned Technique and the assigned (Tactic), for example Microsoft 365: Valid Accounts (Privilege Escalation). This resolves an issue where alert types representing different tactics appeared to be duplicates because they shared a display name. xdr_event.name is not affected by this change because it already includes the tactic.

  • The DHCP Server Anomaly alert type now uses metadata.response.server_ip instead of dstip to improve detection accuracy in more sophisticated network architectures. The metadata.response.server_ip field is added in the 4.3.7 sensor, and all sensors need to be upgraded to 4.3.7 for the improved DHCP Server Anomaly alert type to work.

  • Added a deduplication mechanism to the Possible Phishing Site Visit alert type from email alerts. Now every srcip and dstip pair will generate only one alert per 24 hours.

  • Changed asset vulnerability enrichment and vulnerability score calculation interval to every 2 hours (up from every 10 minutes) to reduce system resource usage.

  • Private IP assignments have moved from the System | Data Analyzer Profile page to the System | Enrichments page, allowing for per-tenant assignment of private IP ranges. If you are upgrading from 4.3.6, your private IP assignments are preserved and visible in the Data Analyzer Profile page. However, all new assignments must be made through the Enrichments page.

  • In System | Configurations | Recipients, the Tenant Name is changed from Root Tenant to All Tenants.

Deprecations

The following features are going to be deprecated or have been removed.

  • The following four SA alert types are deprecated and removed in 4.3.7. They are replaced by Microsoft 365 alert integration. In addition, the alert deduplication is changed from srcip_usersid based to AlertId based.

    • Office 365 Access Governance Anomaly is replaced by Microsoft 365: Valid Accounts (Privilege Escalation) and Microsoft 365: Account Manipulation

    • Office 365 Blocked User is replaced by Microsoft 365: Valid Accounts (Initial Access)

    • Office 365 Data Exfiltration Attempt Anomaly is replaced by Microsoft 365: Exfiltration Over Web Service

    • Office 365 Data Loss Prevention is replaced by Microsoft 365: XDR Anomaly

  • The Enrichments page has been simplified and streamlined and now allows for per-tenant assignment of private IP ranges. The old interface is still available in the Enrichments (deprecated) tab.

  • Stellar Cyber has paused development of the Stellar Cyber Central feature. At this time, we recommend that you do not begin using the Stellar Central feature unless you are already actively using it. As an alternative, we recommend that you use Single Sign On to pivot quickly to different Stellar Cyber systems without signing in separately.

Critical Bug Fixes

  • Fixed: Sensor status shows red but still receiving data.

  • Fixed: Log Source added in user interface, but not in port_ingestion.conf on sensor until full sensor reboot.

  • Fixed: Custom RBAC users cannot be created by any profile other than super_admin.

  • Fixed: CM-Master memory leak caused 502 error on user interface.

  • Fixed: No data received in AWS CloudTrail connector.

  • Fixed: CrowdStrike 4.3.5 API connector only pulling hosts, even after 4.3.5 patch.

  • Fixed: Windows Agent not upgrading to 4.3.6.

  • Fixed: Maltrace/Suricata keeps restarting and there are far fewer ML-IDS events.

  • Fixed: Windows Agent Sensor Logbeat service terminated unexpectedly.

  • Fixed: Stellar Cyber API Endpoint connect/api/update_ser appends HTTP status code to JSON.

  • Fixed: Azure Active Directory B2C throwing SSO exceptions in 4.3.6.

  • Fixed: Unable to upgrade Windows agent to 4.3.5.

  • Fixed: Fresh install Linux agent on centOS is not staying connected, then disconnects.

  • Fixed: Scheduling for weekly reports now works as expected.

  • Fixed: FIM not working correctly with a path that was not enabled, and the FIM disable function not working.

  • Fixed: FIM service cannot be stopped; impacts upgrade or FIM function.

  • Fixed: DHCP data cannot be filtered out.

  • Fixed: Linux sensor upgrade issue.

  • Fixed: Issue with the service-stop checking logic used for functional restart.

  • Fixed: Volume and license issue with data filter.

  • Fixed: Tenants can no longer create reports with All Tenants as a recipient (for example, by cloning).

Detection/ML Improvements

New Sigma Rule Engine and Rule Alert Types

  • For alerts from rule-based alert types, added a new Rules tab to the alert panel, showing the details of the Sigma rule triggered.

  • Added 120+ Windows-related rules focused on Identity threats through 11 new alert types.

    • These new alert types require the updated Windows Detection Profile (Low Volume) in the sensor profile settings.

  • Added 50+ Process Creation-related rules through 2 new alert types.

  • Added 60+ AWS-related rules through 11 new alert types.

  • The new rule-based alert types are:

    • Potentially Malicious AWS Activity

    • Suspicious AWS Bucket Enumeration

    • Suspicious Modification of AWS CloudTrail Logs

    • Suspicious AWS EC2 Activity

    • Suspicious AWS IAM Activity

    • Suspicious Modification of AWS Route Table

    • Suspicious Modification of S3 Bucket

    • Suspicious AWS RDS Event

    • Suspicious AWS Root Account Activity

    • Suspicious AWS Route 53 Activity

    • Suspicious AWS VPC Flow Logs Modification

    • Sensitive Windows Active Directory Attribute Modification

    • Suspicious Windows Active Directory Operation

    • Potentially Malicious Windows Event

    • Suspicious Access Attempt to Windows Object

    • Sensitive Windows Network Share File or Folder Accessed

    • Suspicious Activity Related to Security-Enabled Group

    • Suspicious Connection to Another Process

    • Suspicious Handle Request to Sensitive Object

    • Suspicious Windows Logon Event

    • Suspicious Windows Service Installation

    • Suspicious Windows Process Creation
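The alert types listed above are driven by Sigma rules, and the new Rules tab shows the rule that fired. The following added example, which is not Stellar Cyber code and does not reproduce the content of any Stellar Cyber rule, shows what such an evaluation amounts to: two rules in Sigma's detection/condition structure, modelled on public Sigma community rules for the behaviours behind two of the AWS alert types listed (CloudTrail logging changes and root account usage), run over constructed CloudTrail events by a small matcher. The matcher implements the subset of Sigma a practitioner meets most often: field-level AND within a selection, list values as OR, the contains/startswith/endswith modifiers, and and/or/not in the condition; parentheses and the 1 of / all of forms are out of scope. The rules are Python dicts rather than YAML so the example has no dependencies, and the events are constructed, not real telemetry.

```python
"""Added example (not Stellar Cyber code, and not the content of any Stellar Cyber
rule): a minimal Sigma-style matcher run over constructed AWS CloudTrail events.
The rules follow Sigma's detection/condition structure, modelled on public Sigma
community rules for the same behaviours, and are Python dicts rather than YAML so
the example has no dependencies (logsource and level metadata omitted)."""

RULES = [
    {   # behaviour behind "Suspicious Modification of AWS CloudTrail Logs"
        "title": "AWS CloudTrail Important Change",
        "detection": {
            "selection_source": {"eventSource": "cloudtrail.amazonaws.com"},
            "selection_action": {"eventName": ["StopLogging", "UpdateTrail", "DeleteTrail"]},
            "condition": "selection_source and selection_action",
        },
    },
    {   # behaviour behind "Suspicious AWS Root Account Activity"
        "title": "AWS Root Credentials",
        "detection": {
            "selection": {"userIdentity.type": "Root"},
            "filter": {"eventType": "AwsServiceEvent"},  # AWS acting on the account's behalf
            "condition": "selection and not filter",
        },
    },
]


def get_path(event, dotted):
    """Resolve a dotted Sigma field name such as 'userIdentity.type' in a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def match_value(actual, expected, modifier=""):
    """Sigma string matching: case-insensitive, with contains/startswith/endswith."""
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    return a == e


def match_selection(selection, event):
    """A selection map is an AND over its fields; a list value is an OR of alternatives."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        alternatives = expected if isinstance(expected, list) else [expected]
        if not any(match_value(get_path(event, field), alt, modifier) for alt in alternatives):
            return False
    return True


def eval_condition(condition, truth):
    """Evaluate a Sigma condition such as 'selection and not filter' over per-selection
    results, with Sigma precedence (not > and > or) and no eval(). Parentheses and the
    '1 of' / 'all of' forms are out of scope for this example."""
    def term(tok):
        if tok.startswith("not "):
            return not term(tok[4:].strip())
        return truth[tok]  # KeyError if the condition names a selection the rule lacks
    return any(all(term(t.strip()) for t in clause.split(" and "))
               for clause in condition.split(" or "))


def evaluate(rule, event):
    """True when the rule's condition holds for the event."""
    detection = rule["detection"]
    truth = {name: match_selection(sel, event)
             for name, sel in detection.items() if name != "condition"}
    return eval_condition(detection["condition"], truth)


def run_rules(rules, events):
    """(eventID, rule title) for every event/rule pair that matches."""
    return [(ev["eventID"], r["title"]) for ev in events for r in rules if evaluate(r, ev)]


# Constructed CloudTrail events (not real telemetry).
EVENTS = [
    {"eventID": "ev-1", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser", "userName": "deploy"}},
    {"eventID": "ev-2", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn", "userIdentity": {"type": "Root"}},
    {"eventID": "ev-3", "eventSource": "kms.amazonaws.com", "eventName": "RotateKey",
     "eventType": "AwsServiceEvent", "userIdentity": {"type": "Root"}},
    {"eventID": "ev-4", "eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
     "eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser", "userName": "auditor"}},
]

if __name__ == "__main__":
    for event_id, title in run_rules(RULES, EVENTS):
        print(f"{event_id}: {title}")
```

The filter on eventType AwsServiceEvent is what keeps the root-account rule quiet when AWS itself acts on the account (ev-3); without it the rule would fire on service events as well as on an actual root console login (ev-2). A read-only DescribeTrails call (ev-4) hits the CloudTrail event source but none of the listed actions, so the first rule stays silent.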

New and Improved Third-Party Alert Integrations

New and Improved ML Alert Types

  • Tuned User Login Location Anomaly to improve detection accuracy and consistency. Additionally, it will now prevent alerts in cases where Geo-IP location accuracy may have resulted in erroneous alerts before.

  • Tuned External/Internal User Login Failure Anomaly on Windows pre-auth events to reduce false positives and the number of alerts per day.

  • Tuned External User Login Failure Anomaly and External User Account Login Failure Anomaly on Office 365 / Azure AD login events to reduce false positives caused by duplicated login events that have identical login IDs reported by Microsoft. The improved detections now deduplicate such duplicated events and only trigger on unique login events.

  • Restructured the External / Internal Brute-Forced Successful User Login alert type so that two kinds of brute-forced login are no longer conflated: brute forcing from a source IP address, and brute forcing of a specific user account. Conflating them previously produced erroneous links between login failures and brute-forced successful logins. The alert type now has two subtypes. Source IP-Based indicates a source IP address (srcip) acting as the brute forcer and is linked to a User Login Anomaly alert. User ID-Based indicates an account (srcip_usersid) being brute-forced, potentially from multiple source IP addresses, and is linked to an Account Login Failure Anomaly alert. A new enrichment field, login_result_source, is set when login_result is success_brute_forced to indicate which subtype applies: srcip for Source IP-Based, srcip_usersid for User ID-Based.

  • Tuned PowerShell Remote Access alert type to reduce false positives caused by IP-like version strings.

  • Integrated Hitachi HIBUN into Internal Account Login Failure Anomaly and Login Time Anomaly. (Login Time Anomaly has timezone set to UTC+9, Japan.)

  • Added accurate success / failure counts from more than a single 5-minute interval in alerts from Account MFA Login Failure Anomaly, External/Internal Account Login Failure Anomaly, External/Internal Protocol Account Login Failure Anomaly, External/Internal User Login Failure Anomaly, and External/Internal URL Reconnaissance Anomaly to reflect the actual failure trend leading to such alerts. This new information is present in the new alert descriptions and metadata fields under the event_summary object.

  • Improved User Process Usage Anomaly on Windows process creation events to use user.identifier instead of srcip_usersid to indicate the actual user that started the alerted process.

  • Improved days_silent calculation used in alert enrichment and descriptions to reflect a more accurate per-tenant number.

  • Improved the readability of alert descriptions for Application Usage Anomaly.

  • Improved alert descriptions for Malware Sandbox alert types to emphasize that the behaviors / signatures observed happen in the Sandbox instead of the host.

  • Improved alert descriptions of External / Internal Credential Stuffing alerts on Windows Active Directory authentication events to emphasize that the alerted credential stuffing is observed in a particular Active Directory domain instead of a service.

Usability Improvements

  • Refactored Tables: The 4.3.7 release introduces brand new tables throughout the platform. With these newly refactored tables, users can interact with table data more easily, and filtering and searching for filters is simpler and more intuitive. Tables are now easier to read and to resize.

  • System Action Center: The 4.3.7 release introduces the System Action Center, which provides in-depth notifications for multiple items including Case Management, Data Storage, Data Sink, Cluster Health, and Connector Monitoring.

Platform Enhancements

  • Added support for new regions in the OCI data sink feature accessible through the user interface.

  • Added support for coarse-grained Data Sink storage in AWS and OCI with batch windows of up to 24 hours.

    Note that after upgrading to 4.3.7, existing AWS and OCI data sinks with a Batch Window greater than 60 seconds are converted to the nearest available selection expressed in minutes or hours.

  • Added support for imports of large objects from S3/OCI cloud storage.

  • Improved the format for UI-based sensor upgrades for a better user experience.

  • Refactored the /connector API using a new API scheme to enhance performance and maintainability.

  • Introduced timezone support to rectify scheduling logic errors in reporting.

  • Added API requests to the User Activity Log (Audit Logs).

  • Added a public API feature for lookup table functionality.

  • Enhanced the public API to allow the scheduling of reports (Report Config).

  • Added the ability to create and delete Connector Configurations using the public API.

  • Provided predefined templates for HIBUN Anomaly Time Handling rules.

  • Implemented server-side input validation for the /ui-settings API to enhance security.

  • Added functionality to reset a user's password using the public API.

  • Introduced Global RBAC Support for removing ? Help Settings from Partner Accounts.

  • Introduced RBAC option to hide the XDR Kill Chain landing page.

  • Added a boolean field to alert filters.

  • Enhanced ATH scheduling so that a playbook can be excluded from running during specific time windows.

Sensor Improvements

  • Introduced a self-contained sensor package specifically designed for SUSE12 environments.

  • Introduced self-contained installation support for Linux agents on Ubuntu versions 18.04, 20.04, 21.04, and 22.04.

  • New device sensors will be deployed with Ubuntu 22.04.

  • Introduced support for Oracle 8.5 for agent installation.

  • Extended Linux agent support to include Alma Linux 9.

  • Enhanced compatibility with RedHat Linux versions 7, 8, and 9.

  • Introduced FIM support for PCI audit on Linux server sensors.

  • Added more information during the Windows agent upgrade process.

  • Transitioned to using one image per OS type for both upgrades and fresh installations, streamlining the process.

  • Added support for darksite functionality in the Linux agent.

  • Introduced a binary Linux installation package tailored for Amazon Linux 2.

  • Resolved an issue where the aella_winlog.yaml file was empty and had to be manually recovered by copying from another agent.

  • Cleaned up source files in the Windows MSI installer for improved performance and stability.

  • Introduced support for sensor encryption in the AWS environment.

  • Improved log rotation speed for td-agent.

  • Updated CA certificates for enhanced security.

  • Added Nessus debug log for improved troubleshooting and diagnostics.

  • Implemented a memory percentage limit for td-agent to manage resource utilization efficiently.

  • Introduced a new dynamic mapping system that ensures Winlogbeat support for Windows Events from any locale. Verified with Korean, Persian, English (US), and Tatar on Windows Server versions back to 2008 R2.

  • Removed the dependency on netcat for the Linux agent, improving agent performance and reliability.

  • Enabled Log Forwarder to report log filter statistics for improved visibility and monitoring.

  • Addressed pentest vulnerabilities in the Network Sensor to enhance security.

  • Introduced a Sensor CLI feature to convert from NDS/SDS (Network Detection System/Security Data Server) to unauthorized MDS (Master Data Server) for Virtual and Photon Models.

  • Improved Windows server sensor enrichment.

  • Added the field msg_origin.processor to identify the sensor service that produced the record. There are multiple sensor components, such as Aella_flow, maltrace, winlogbeat, Aella_audit, and FIM.

Connector Enhancements

  • Implemented the change to the connector code to use the new framework in version 4.3.7.

  • Improved exception handling by adding HTTP code 400 when catching exceptions.

  • Optimized log-collector resource usage for the Google Workspace connector.

  • Optimized log-collector resource usage for Cloudflare.

  • Implemented the ability to block or allow the Active Directory connector to disable users in the username@domain.tld format.

  • Resolved the SentinelOne connector error 503.

  • Improved the ingestion of data from MySQL with more data sources and epoch date time column support.

  • Implemented the Salesforce connector without the need for user credentials.

  • Enhanced the connector ID in the ADE record for enrichment.

  • Implemented Acronis Cyber Protect Cloud connector.

  • Implemented LastPass connector.

  • Modified the GCP Audit Logging connector to include the Requests log name.

  • Added a field into the Interflow message to indicate which Stellar Cyber component generated the message.

  • Optimized log-collector resource usage for SentinelOne.

  • Improved the AWS CloudTrail connector to relax or remove prefix requirements.

  • Added support for AWS Cloudtrail Gov Cloud regions.

  • Implemented the Imperva Incapsula connector.

  • Implemented Proofpoint Targeted Attack Protection (TAP) connector.

  • Implemented the HIBUN connector.

  • Improved Cybereason alert normalization.

  • Enhanced the handling of login failure amplification in Office365 login failure alert types.

  • Augmented the raw data portion of Office365 alarms.

  • Implemented Confirm Compromised and Dismiss Risk response actions in Azure Active Directory connector.

  • Implemented an event filter for connectors.

  • Improved Office365 enrichment.

  • Added a field msg_origin.processor to records sent from connectors running on the data processor or sensor.

  • Implemented gsuite.id.time as the timestamp of the data sent from the Google Workspace connector.

Parser Improvements

  • Enhanced FortiEDR parser to parse extra fields.

  • Added support for a log source limit based on sensor memory.

  • Added support for the msg_origin.source and msg_class fields on the parser side.

  • Added missing fields to the VMware ESXi and Cisco router and switch parsers.

  • Improved the Cisco ASA parser, correcting the connection direction for many connections.

  • Added msg_origin.source and msg_class enrichment to non-enriched parsers.

  • Enhanced Cisco ASA Built/Teardown parsing when customized_cisco_asa is uploaded through the user interface.

  • Enhanced parsing of Symantec DLP technology events 5143. Now, msg_class and msg_origin.source are set to symantec_dlp, msg_origin.category is set to dlp, and the fields and their normalized names are:

    • blocked => symantec.blocked

    • application_name => symantec.application_name

    • attachment_filename => symantec.attachment_filename

    • dataowner_name => symantec.dataowner_name

    • dataowner_email => symantec.dataowner_email

    • endpoint_device_id => symantec.endpoint_device_id

    • endpoint_location => symantec.endpoint_location

    • endpoint_machine => symantec.endpoint_machine

    • path => symantec.path

    • parent_path => symantec.parent_path

    • incident_id => symantec.incident_id

    • incident_snapshot => symantec.incident_snapshot

    • match_count => symantec.match_count

    • occurred_on => symantec.occurred_on

    • rules => symantec.rules

    • protocol => symantec.protocol

    • recipients => symantec.recipients

    • reported_on => symantec.reported_on

    • scan => symantec.scan

    • sender => symantec.sender

    • monitor_name => symantec.monitor_name

    • severity => symantec.severity

    • status => symantec.status

    • subject => symantec.subject

    • target => symantec.target

    • user_justification => symantec.user_justification

    • destination_ip => dstip

    • machine_ip => srcip

    • endpoint_username => srcip_username

    • url => url

    • application_user => user.name

    • file_name => file.name

  • Added a field to Interflow messages to indicate which Stellar Cyber component generated the message in the Log Forwarder.

    • Added the field msg_origin.processor, which records the processor that parsed the log.

  • Enhanced the CEF/LEEF parser to correct msg_origin and msg_class.

    • In Crowd Strike CEF parser, default vendor name, msg_origin.source, and msg_class are now set to crowdstrike.

    • In Trend Micro CEF parser, the default vendor name and msg_origin.source are set to trendmicro. If the product is Apex Central, msg_origin.source and msg_class are set to trendmicro_apex_central.

    • In Fortinet Fortigate CEF parser, msg_origin.source is now set to fw_fortigate.

    • In SonicWall CEF parser, vendor is now set to sonicwall. When product is NSA, msg_origin.source is set to sonicwall_nsa.

    • In Trend Micro LEEF parser, when product is DSA, the vendor name is set to trendmicro and msg_origin.source and msg_class are set to trendmicro_dsa.

  • Added support for multi-line logs over TCP in the BeyondTrust BeyondInsight parser.

  • Updated the Linux Syslog parser to support key-value pair parsing in the payload when the appname is dockerd, and to support a new header format forwarded by SolarWinds.

  • In Fortinet CEF parser, the following fields are moved out of msg_data and put under fortinet: ad.itime, ad.msg_id, ad.main_type, ad.trigger_policy, ad.http_method, ad.http_url, ad.http_host, ad.signature_subclass, ad.signature_id, ad.signature_cve_id, and ad.user_name.

  • Enhanced the Palo Alto Networks Firewall parser as follows:

    • Improved the parser to support all types of logs on version 11.0.

    • Fixed the typo of the field name from http_ 2_connection to http_2_connection for the Threat log on version 10.1.

    • Improved the parser to support both the customized and default formats of the CONFIG logs.

    • Added a check of the values of the fields that are normalized to srcmac, dstmac, and hostip. When a value is not a valid MAC/IP address, it is moved into the vendor namespace instead.

    • Renamed the field log.syslog.structured_data to log.syslog.structured_data_str.

    • Enhanced the parsing process. Some values will be moved to more proper fields.

  • Enhanced the Imperva parser to parse additional fields.

    • In the Incapsula CEF parser, the following fields are now parsed and moved to the vendor field: siteid, suid, devicefacility, dproc, ccode, cicode, customer, request, ref, cn1, deviceexternalid, sip, xff, cpt, ver, end, cap_support, javascript_support, co_support, vid, clappsig, latitude, and longitude.

    • In CEF parser, the field end will be normalized into event.end and the value will be converted to epoch ms time. If the conversion fails, it will be put into msg_data.

    • In CEF parser, the field start will be normalized into event.start and the value will be converted to epoch ms time. If the conversion fails, it will be put into msg_data.
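
A worked example of the two validate-then-fall-back rules described above: the Palo Alto Networks parser's MAC/IP check (values that are not valid addresses go into the vendor namespace) and the CEF parser's start/end conversion to epoch milliseconds (values that fail conversion go into msg_data). This is added illustrative Python, not Stellar Cyber's parser code; the raw input keys, the accepted timestamp formats and the sample records are assumptions constructed for the example.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Normalized names come from the release notes; the raw keys are constructed.
ADDRESS_FIELDS = {"src_mac": "srcmac", "dst_mac": "dstmac", "host_ip": "hostip"}
# CEF extension keys 'start' and 'end' normalize to event.start / event.end.
TIME_FIELDS = {"start": "event.start", "end": "event.end"}

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}$")


def is_valid_mac(value):
    """True for a six-octet MAC written with ':' or '-' separators."""
    return isinstance(value, str) and _MAC_RE.match(value) is not None


def is_valid_ip(value):
    """True for a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def to_epoch_ms(value):
    """Convert a timestamp to epoch milliseconds, or return None on failure.
    Accepted inputs (an assumption for this example): an epoch-ms digit
    string, or an ISO 8601 string; naive times are treated as UTC."""
    if not isinstance(value, str):
        return None
    if value.isdigit():
        return int(value)
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return int(parsed.timestamp() * 1000)


def normalize(raw):
    """Normalize one parsed record: address fields are typed only when the
    value validates, otherwise they stay under 'vendor'; time fields are
    typed only when conversion succeeds, otherwise they stay in 'msg_data'.
    Other keys pass through unchanged (a simplification for the example)."""
    out = {"vendor": {}, "msg_data": {}}
    for key, value in raw.items():
        if key in ADDRESS_FIELDS:
            check = is_valid_mac if key.endswith("_mac") else is_valid_ip
            if check(value):
                out[ADDRESS_FIELDS[key]] = value
            else:
                out["vendor"][key] = value  # kept, but not as a typed field
        elif key in TIME_FIELDS:
            epoch_ms = to_epoch_ms(value)
            if epoch_ms is None:
                out["msg_data"][key] = value  # conversion failed
            else:
                out[TIME_FIELDS[key]] = epoch_ms
        else:
            out[key] = value
    return out
```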

  • Introduced a new HTTP JSON parser for logs from Kubernetes (via FluentD).

  • Introduced a new built-in log parser for Ruijie switch.

  • Enhanced the Cisco Firepower custom parser.

    • Extracted the built and teardown fields as action at the top level.

    • Changed cisco.connection_id to cisco.connid.

    • Swapped srcip, srcport, src_interface, src_idfw_user, outbytes_total, mapped_srcip, and mapped_srcport with dstip, dstport, dst_interface, dst_idfw_user, inbytes_total, mapped_dstip, and mapped_dstport respectively when cisco.direction is outbound.

  • Introduced a new custom log parser for BeyondTrust PasswordSafe.

  • Enhanced Cylance parser.

    • Parsed out Tenant Name into the vendor namespace.

  • Introduced a new built-in log parser for Citrix Access Gateway.

  • Introduced a new built-in log parser for Kemp Load Balancer.

  • Introduced a new built-in log parser for VMware Horizon Syslog.

  • Introduced a new built-in log parser for Secureki.

  • Introduced a new built-in log parser for Meraki switches.

    • Added support for a proto value of 6 when device_event_category is urls and request_url starts with http or https in the Cisco Meraki parser.

  • Introduced a new built-in log parser for IronScales. In the IronScales CEF parser, msg_class and msg_origin.source are set to ironscales_irontraps, msg_origin.category is set to email, and the fields and their normalized names are:

    • outcome => ironscales.outcome

    • source_user_name => ironscales.source_user_name

    • suid => ironscales.suid

    • duid => ironscales.duid

    • dpriv => ironscales.dpriv

    • report_id => ironscales.report_id

    • message-id => ironscales.message_id

    • report_state => ironscales.report_state

    • reason => ironscales.reason

  • Requested a parser for VMware VeloCloud SD-WAN (version 5.1).

  • Made a parser request for multi-tenancy support for Avanan.

  • Introduced a new built-in log parser for Dell EMC PowerStore.

  • Introduced a new built-in log parser for Forticloud - FortiClient EMS Cloud Endpoint Management Services.

  • Introduced a new built-in log parser for Aruba Clearpass NAC.

    • Moved the fields error_code, auth_source, system_posture_token, destinationservicename, dpriv, requestmethod, outcome, and reason to vendor namespace in Aruba Network CEF log ingestion.

  • Introduced a new built-in log parser for Array LB APV.

  • Introduced a new built-in log parser for Audit Plus.

  • Introduced a new built-in log parser for Thales CipherTrust.

  • Introduced a new built-in log parser for Alcatel Switch.

  • Enhanced parsers in the endpoint category to report the host IP.

  • Introduced a new built-in CEF log parser for Varonis.

Known Issues

  • The Sensor content type for Cybereason's connector requires the System Admin role and Sensor Admin L1 role (if your Cybereason environment uses sensor grouping) to collect.

  • Due to an ongoing issue with Cybereason's Query Sensors API, the Cybereason connector may not always be able to retrieve host IP addresses, resulting in missing host information in alerts and incomplete incident correlation.

  • The Cylance responder is unable to perform the Contain Host action due to a limitation from the Cylance REST API. All requests return a 500 Internal Server Error response.

  • When a new tenant is onboarded, the rare-type alerts (anomaly_tag:rare) triggered from Private/Public to Private/Public Exploit Anomaly, Scanner Reputation Anomaly, External / Internal Non-Standard Port Anomaly, Carbon Black:XDR Anomaly, and CylanceOPTICS:XDR Anomaly may have an unusually large days_silent and a higher than usual fidelity. This issue will be addressed in a future release.

  • If you use a Cynet connector to perform a Contain Host or Shutdown Host on a host that is already disabled, shutdown, or otherwise not reachable, Cynet returns a status that the request was successful which is reported in the Stellar Cyber UI. If you are not certain whether an action was successful, you may verify it in the Cynet dashboard.

  • Operators are enabled in pick list menus only when they are supported by the selected field or rule. For this reason, use the menu-based queries rather than the Search keyword field with these operators; examples include the contains, does not contain, and is operators. Support for additional fields / rules will be added in the future.

  • Log Forwarder only collects statistics for up to 100 different log source IPs per Log Forwarder worker. If the total number of log source IPs exceeds 100, the statistics for the additional log source IPs are aggregated into the catch-all IP 0.0.0.0.

  • When a modular sensor is configured as a Log Forwarder only sensor (Network Traffic and other features are not enabled), the Log Forwarder may restart periodically if there is not enough sensor memory. Stellar Cyber recommends that the sensor memory (in GB) be at least 1.5 times the CPU core number. For example, if the sensor has a total of 8 cores, the sensor should have at least 8 * 1.5 = 12 GB of memory.

  • A modular sensor upgrade will fail when the associated modular sensor profile has the IDS or Sandbox features enabled and the corresponding feature license is not assigned to the sensor. Workaround: Authorize the sensor with an IDS and Sandbox license, or in the modular sensor profile, disable the IDS and the Sandbox features and try to upgrade again.

  • When multiple traffic filters are defined for a tenant with the same combination of IP, port, protocol, and layer 7 rules, the filter may fail to take effect. Administrators should review the defined traffic filters and make sure there are no duplicate definitions.

  • Files may not be assembled by Security Data Sensors for traffic mirrored from physical interfaces on Cisco Nexus 9K models. As a workaround, configure VLAN mirroring on the Cisco switch.

  • If you change the network interface configuration of a sensor’s VM after deployment, the eth0 interface may be remapped to a new interface. If this happens, the management network is disconnected. Contact Customer Success for assistance.

  • If you configure a sensor's aggregator using its hostname instead of its IP address, you cannot see the aggregator in the Sensor List. This does not affect the sensor's ability to communicate with the DP through the aggregator.

  • Deleting the Root Tenant's ES data in the System | Data Processor | Data Management | Advanced tab unexpectedly deletes another tenant's data.