Stellar Cyber 5.1.0 Release Notes

Software Release Date: January 5, 2024
Release Note Updated: July 1, 2024

The Stellar Cyber 5.1.0 release brings the following improvements to the Stellar Cyber Open XDR platform. For detailed information, refer to the Stellar Cyber online documentation.

Highlights

Partner Summary

This is summary information. For technical details, refer to later sections.

Highlights

  • Individual Tenant Support and Device Sensor Monitoring: The System Action Center now supports individual tenants and monitors device sensors.

  • Universal Webhook Responder: A Universal Webhook Responder provides templated responses and lets users create custom responders for their own response targets.

  • Generic S3 Connector: A Generic S3 connector ingests data from S3 buckets with flexible, customizable ingestion settings.

Behavior Changes

  • Custom Alerts: Custom alerts created through Automated Threat Hunting (ATH) can now be correlated into Cases, so ATH detections carry the same case context as built-in alert types.

New and Improved ML Alert Types

  • External / Internal Brute-Forced Successful User Login is split into two subtypes, Source IP-Based and User ID-Based, so that a source IP brute-forcing many accounts is no longer conflated with a single account being brute-forced from many addresses; that conflation previously produced erroneous links between login failures and brute-forced successful logins. A new enrichment field, login_result_source, records which subtype applies. See New and Improved ML Alert Types below for the field values.

  • User Asset Access Anomaly has been tuned with an improved model of user and asset relationships, substantially reducing false positives.

  • Hitachi HIBUN data is now integrated into Internal Account Login Failure Anomaly and Login Time Anomaly. Login Time Anomaly evaluates HIBUN events in the Japan timezone (UTC+9).

  • New third-party alert integrations for Mimecast, Acronis Cyber Protect Cloud, Proofpoint Targeted Attack Protection (TAP), and Varonis broaden the sources of alerts the platform can ingest. General alert type descriptions for third-party alert integrations have also been added.

  • The Microsoft 365 alert integration now correlates alerts with their alert entities whenever entity information is available, so alerts carry details such as malicious URLs and the users involved.

  • For licensing reasons, the Azure Active Directory risk detection alert integration now reports alerts only for customers with an Azure AD Premium P2 license.

  • The Windows Defender Antivirus alert integration now includes threat information in its Key Fields.

Usability Improvements

  • The Case Summary page can now send email, so analysts can share a case directly from the page.

  • Log filtering statistics are now visualized, improving visibility into what log filters are passing and dropping.

  • Sensor phone home logs can now be downloaded directly from the user interface, simplifying access to them for troubleshooting and forensic analysis.

  • Administrators can set a unique home page for end-customer users.

  • The Sensor Detail page has improved visualizations for monitoring and analysis.

  • The licensing page now shows the Organization ID, which simplifies license management and support interactions with the customer success team.

Platform Enhancements

  • Stellar Cyber has introduced public API endpoints for creating and editing connector configurations, along with managing tenants, providing users enhanced flexibility in configuration control.

  • The Role-Based Access Control (RBAC) now allows Partner users to view and create other Partner users within the same Tenant group, fostering collaborative efforts within the platform.

  • Support for new regions in the OCI data sink feature and the addition of coarse-grained Data Sink storage in AWS and OCI with extended batch windows of up to 24 hours offer users expanded options for efficient data storage.

  • The UI-based sensor upgrade process has been streamlined, and the /connector API has been refactored onto a new API scheme.

  • Additional features include timezone support in report scheduling (fixing scheduling logic errors), API requests recorded in the User Activity Log, and public API support for lookup tables.

  • The public API can now schedule reports and create and delete Connector Configurations, and predefined templates are provided for HIBUN Anomaly Time Handling rules.

  • Security-related changes include server-side input validation for the /ui-settings API, a public API call for resetting user passwords, and Global RBAC support for account settings.

  • Alert filters gain a boolean field, ATH scheduling can exclude playbooks from running during specific time windows, and an RBAC option can hide the XDR Kill Chain landing page.

Sensor Improvements

  • Self-contained installation packages are now available for Debian, SUSE 15, and CentOS 7/8.

  • Records generated by aella_flow now carry msg_origin.category set to traffic.

  • On Windows, all files under the configuration directory are now included in phone home logs.

  • A self-contained sensor package has been added for SUSE 12, Linux agent installation is supported on Ubuntu 18.04, 20.04, 21.04, and 22.04, and new device sensors are deployed on Ubuntu 22.04.

  • Agent installation is now supported on Oracle Linux 8.5 and AlmaLinux 9, with improved compatibility on Red Hat Enterprise Linux 7, 8, and 9.

  • Functionalities like File Integrity Monitoring (FIM) support for PCI audit on Linux server sensors and support for sensor encryption in the AWS environment have been introduced to enhance security measures.

  • User experience improvements include additional information during the Windows agent upgrade process, streamlined image use for upgrades and fresh installations, and darksite functionality support in the Linux agent.

  • Technical enhancements involve resolving issues like an empty aella_winlog.yaml file and cleaning up source files in the Windows MSI installer for improved performance and stability.

  • Advanced features include introducing support for Nessus debug log, implementing a memory percentage limit for td-agent, and a new dynamic mapping system ensuring Winlogbeat support for Windows Events from various locales.

  • In the Linux agent, the dependency on netcat has been removed to improve performance and reliability, and Log Forwarder now reports log filter statistics for enhanced visibility and monitoring.

  • Vulnerabilities identified in a penetration test of the Network Sensor have been addressed, and a Sensor CLI feature can convert an NDS/SDS to an unauthorized MDS on Virtual and Photon models.

  • To improve Windows server sensor enrichment, the msg_origin.processor field has been added, identifying the sensor service that produces the record, such as Aella_flow, maltrace, winlogbeat, Aella_audit, and FIM.

Connector Enhancements

  • A Universal Webhook Responder has been implemented, with templated responses and support for custom responders, for responding to security events.

  • A Generic S3 Connector allows ingestion from S3 buckets to be customized to specific requirements.

  • Support for the Netskope V2 APIs has been implemented, so Netskope data can be ingested through the current API version.

  • A connector for the CyberCNS Vulnerability Scanner has been added, bringing its vulnerability findings into the platform.

  • A connector for LimaCharlie has been added.

  • In a naming update, Azure AD is now referred to as Microsoft Entra ID, ensuring clarity and alignment with the latest nomenclature.

  • Improving flexibility in event querying, the LastPass connector now includes Query Delay (min), allowing users to configure a delay to account for latency associated with querying events. This feature is particularly useful for scenarios where some data may not be available for querying from LastPass for up to 60 minutes.

  • To further enrich AWS content integration, support for AWS WAF content has been implemented in the AWS CloudWatch connector, ensuring a comprehensive approach to monitoring and managing AWS resources.

  • Simplifying configuration processes, an asterisk (*) has been added to denote all required connector configuration fields, providing users with clear guidance on essential setup parameters.

Parser Improvements

  • The FortiEDR parser now handles extra fields, log source limits can be based on sensor memory, and msg_origin.source and msg_class fields are now supported on the parser side.

  • Missing fields have been added to the VMware ESXi and Cisco router and switch parsers, and the Cisco ASA parser now reports the correct connection direction for many connections.

  • The parsing capabilities have been extended with msg_origin.source and msg_class enrichment for non-enriched parsers and enhanced parsing of Symantec DLP technology events 5143. This includes the introduction of normalized fields such as symantec.blocked, symantec.application_name, and others.

  • Updates to various parsers include improved handling of TCP multi-lined logs for BeyondTrust BeyondInsight Parser, support for additional fields in Interflow messages, and the addition of msg_origin.processor to store information on the processor parsing the log.

  • The CEF/LEEF parser has been enhanced, and various parsers have been updated to align with vendor-specific naming conventions, such as Fortinet Fortigate, SonicWall, Trend Micro, and Palo Alto Networks Firewall.

  • New built-in log parsers have been introduced for Ruijie switch, Kubernetes (via FluentD), Citrix Access Gateway, Kemp Load Balancer, VMware Horizon, Secureki, Meraki switch, IronScales, VMware VeloCloud SD-WAN, Avanan (pending multi-tenancy support), Dell EMC PowerStore, Forticloud - FortiClient EMS Cloud Endpoint Management Services, Aruba Clearpass NAC, Array LB APV, Audit Plus, Thales Group Ciphertrust, Alcatel Lucent Switch, Varonis, and more.

  • Requests for parsers have been submitted for VMware VeloCloud SD-WAN (version 5.1) and multi-tenancy support for Avanan. Additionally, new parsers have been introduced for CyberCNS Vulnerability Scanner, LimaCharlie connector, and Cisco Firepower custom parser.

Actions Required

  • The Incident APIs now forward to the Case APIs. Update existing and new integrations to use the Case APIs directly.

  • The schema for the incident_score_change record in the syslog index changed format as part of the move from Incidents to Cases. If you have any existing automations that rely on the old schema, you will need to reconfigure them to use the new format. A common example of this is a notification configured to trigger when an incident (now case) enters the system with a score greater than a specified threshold. In previous releases, this threshold was configured using the metadata.incident_score field in the incident_score_change record in the syslog index. That field is renamed to metadata.score in this release. You must reconfigure any automations based on this field accordingly. Refer to ATH Example: Notifications for Case Scores for an example.

    Alternatively, you can use the new Case Management rules in the System Action Center to get notifications regarding a variety of events related to cases.

  • The DHCP Server Anomaly alert type now uses metadata.response.server_ip instead of dstip to improve detection accuracy in more sophisticated network architectures. The metadata.response.server_ip field is added in the 4.3.7 sensor, and all sensors need to be upgraded to 4.3.7 for the improved DHCP Server Anomaly alert type to work. For older sensors prior to 4.3.6, the detection will still use dstip.

  • Built-in Windows Sensor Profile. The template for Windows Detect Profile (Low Volume) has been updated to include new event IDs used by the new 4.3.7 alert types on Windows-related rules. If you would like to keep event ID coverage for all built-in alert types, you will need to update existing Sensor Profiles based on the old Windows Detect Profile to the new Windows Detect Profile.

  • The following four SA alert types are deprecated and removed in 4.3.7. They are replaced by Microsoft 365 alert integration. In addition, the alert deduplication is now based on AlertId instead of srcip_usersid. If you have exported these alert types, please update your external systems, such as your SOAR/playbooks pipeline.

    • Office 365 Access Governance Anomaly is replaced by Microsoft 365: Valid Accounts (Privilege Escalation) and Microsoft 365: Account Manipulation

    • Office 365 Blocked User is replaced by Microsoft 365: Valid Accounts (Initial Access)

    • Office 365 Data Exfiltration Attempt Anomaly is replaced by Microsoft 365: Exfiltration Over Web Service

    • Office 365 Data Loss Prevention is replaced by Microsoft 365: Exfiltration Over Web Service

  • The Mimecast connector was updated. Change msg_class: mimecast_email to msg_origin.source: mimecast_email in existing queries.
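The following Python helper, added here as an example and not part of Stellar Cyber's product or documentation, shows one way to keep a score-threshold automation and a saved Mimecast query working across the two field renames above (metadata.incident_score to metadata.score, and msg_class: mimecast_email to msg_origin.source: mimecast_email). The record layout, the Lucene-style query syntax and the sample records are assumptions constructed for the example; only the field names come from this release note.

```python
"""Added example, not Stellar Cyber code: handle two field renames from the
Actions Required list while records written before and after the upgrade coexist.

  incident_score_change records:  metadata.incident_score  ->  metadata.score
  Mimecast connector queries:     msg_class:mimecast_email  ->  msg_origin.source:mimecast_email

The record layout (a dict with a "metadata" object) and the Lucene-style query
string are assumptions made for this example; the field names come from the
release note.
"""
import re

# Constructed sample records (not real telemetry). The first is the pre-5.1.0
# shape, the second the 5.1.0 shape.
OLD_STYLE_RECORD = {"metadata": {"incident_score": 72}}
NEW_STYLE_RECORD = {"metadata": {"score": 81}}


def case_score(record):
    """Return the case score from an incident_score_change record, or None.

    Prefers metadata.score (5.1.0) and falls back to metadata.incident_score for
    records indexed before the upgrade, so a notification rule built on this
    helper keeps firing across the cut-over instead of silently going quiet.
    """
    metadata = record.get("metadata") or {}
    for name in ("score", "incident_score"):
        if name in metadata:
            return float(metadata[name])
    return None


def should_notify(record, threshold):
    """True when the record's case score is strictly above `threshold`.

    The record is assumed to already be an incident_score_change record; how the
    record type is filtered is outside this example.
    """
    score = case_score(record)
    return score is not None and score > threshold


# Matches msg_class:mimecast_email with optional spaces and optional quotes.
# Group 1 captures the quote (or nothing) so it can be preserved on output; the
# trailing lookahead keeps mimecast_email_other from matching.
_MIMECAST_TERM = re.compile(r'\bmsg_class\s*:\s*("?)mimecast_email\1(?!\w)')


def migrate_mimecast_query(query):
    """Rewrite msg_class:mimecast_email to msg_origin.source:mimecast_email.

    Other msg_class terms are left alone: only the Mimecast connector changed
    which field carries the value.
    """
    return _MIMECAST_TERM.sub(r'msg_origin.source:\g<1>mimecast_email\g<1>', query)


if __name__ == "__main__":
    for rec in (OLD_STYLE_RECORD, NEW_STYLE_RECORD):
        print(rec, "->", case_score(rec), "notify@75:", should_notify(rec, 75))
    print(migrate_mimecast_query('msg_class:mimecast_email AND msg_class:"crowdstrike"'))
```

Reading both field names is deliberate: the syslog index still holds pre-upgrade records for as long as the retention window, so an automation that only knows the new name would miss them, and one that only knows the old name would stop firing the moment 5.1.0 starts writing.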

Behavior Changes

Changes that affect the way users interact with the product or interpret results are listed below.

  • Enhanced the CEF/LEEF parser to correct msg_origin and msg_class.

    • In CrowdStrike CEF parser, default vendor name, msg_origin.source, and msg_class are now set to crowdstrike.

    • In Trend Micro CEF parser, default vendor name and msg_origin.source are set to trendmicro. If product is Apex Central, msg_origin.source and msg_class are set to trendmicro_apex_central.

    • In Fortinet Fortigate CEF parser, msg_origin.source is now set to fw_fortigate.

    • In SonicWall CEF parser, vendor is now set to sonicwall. When product is NSA, msg_origin.source is set to sonicwall_nsa.

    • In Trend Micro LEEF parser, when product is DSA, the vendor name is set to trendmicro and msg_origin.source and msg_class are set to trendmicro_dsa.

  • The Status LEDs in the Sensor Details page are now synchronized with those in the parent Sensor List, preventing situations where the same Sensor could appear with a warning LED in the Sensor List and a green LED in its detail page. This could happen in previous releases because the two LEDs monitored different conditions.

  • You can no longer edit a Recipient's Message Type in the System | Recipients page. Create a new recipient of the desired type instead.
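As an added illustration of the CEF/LEEF behavior change above (example code, not Stellar Cyber's parser), the Python below reads the vendor and product fields from a CEF or LEEF header and applies the 5.1.0 rules for vendor, msg_origin.source and msg_class. Where the release note does not state a value, the field is left as None rather than guessed; vendor matching by substring, product matching by word token, and the sample lines are assumptions made for the example.

```python
"""Added example, not Stellar Cyber's parser: derive the vendor, msg_origin.source and
msg_class that the 5.1.0 CEF/LEEF behavior change assigns, from the header of a
CEF or LEEF message.

Only values the release note states are set; where it is silent (for example
msg_class for Fortinet or SonicWall CEF) the field stays None rather than being
guessed. Matching vendors by substring and products by word token is an
assumption made here. The sample lines are constructed, not captured traffic.
"""
import re

# CEF and LEEF headers are pipe-delimited; a literal pipe inside a header field is
# escaped as \| so only unescaped pipes delimit fields.
_HEADER_START = re.compile(r"\b(CEF|LEEF):")
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")


def split_header(line):
    """Return (format, vendor, product) from a CEF/LEEF payload, or None.

    CEF:  CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
    LEEF: LEEF:Version|Vendor|Product|Version|EventID|...
    The line may carry a syslog prefix before the CEF:/LEEF: marker.
    """
    m = _HEADER_START.search(line)
    if m is None:
        return None
    fields = _UNESCAPED_PIPE.split(line[m.start():])
    if len(fields) < 3:
        return None
    unescape = lambda s: s.replace("\\|", "|").strip()
    return m.group(1), unescape(fields[1]), unescape(fields[2])


def _has_token(text, token):
    return re.search(r"\b" + re.escape(token) + r"\b", text) is not None


def classify(line):
    """Apply the 5.1.0 vendor/msg_origin.source/msg_class rules to one CEF or LEEF line."""
    result = {"header_vendor": None, "header_product": None,
              "vendor": None, "msg_origin.source": None, "msg_class": None}
    header = split_header(line)
    if header is None:
        return result
    fmt, vendor, product = header
    result["header_vendor"], result["header_product"] = vendor, product
    v, p = vendor.lower(), product.lower()

    if fmt == "CEF":
        if "crowdstrike" in v:
            result["vendor"] = "crowdstrike"
            result["msg_origin.source"] = result["msg_class"] = "crowdstrike"
        elif "trend" in v:
            result["vendor"] = result["msg_origin.source"] = "trendmicro"
            if "apex central" in p:
                result["msg_origin.source"] = result["msg_class"] = "trendmicro_apex_central"
        elif "fortinet" in v and "fortigate" in p:
            result["msg_origin.source"] = "fw_fortigate"
        elif "sonicwall" in v:
            result["vendor"] = "sonicwall"
            if _has_token(p, "nsa"):
                result["msg_origin.source"] = "sonicwall_nsa"
    elif fmt == "LEEF":
        if "trend" in v and _has_token(p, "dsa"):
            result["vendor"] = "trendmicro"
            result["msg_origin.source"] = result["msg_class"] = "trendmicro_dsa"
    return result


# Constructed sample lines for the example; extensions are abbreviated.
SAMPLE_LINES = {
    "crowdstrike": "<134>Jan  5 10:00:00 falcon CEF:0|CrowdStrike|FalconHost|1.0|DetectionSummaryEvent|Detection Summary|7|cs1=example",
    "trend_apex_central": "CEF:0|Trend Micro|Apex Central|2019|700211|Attack Discovery Detections|3|src=192.0.2.10",
    "trend_other": "CEF:0|Trend Micro|Deep Discovery Inspector|5.0|100|Suspicious Activity|5|src=192.0.2.11",
    "fortigate": "CEF:0|Fortinet|Fortigate|v7.0.12|0000000013|forward traffic|3|src=192.0.2.30",
    "sonicwall_nsa": "CEF:0|SonicWall|NSA|7.0.1|1154|Application Control Detection Alert|4|src=192.0.2.20",
    "trend_dsa_leef": "LEEF:2.0|Trend Micro|DSA|20.0|1001|cat=Anti-Malware\tname=Eicar_test_file",
}

if __name__ == "__main__":
    for name, line in SAMPLE_LINES.items():
        r = classify(line)
        print(f"{name:18} vendor={r['vendor']} msg_origin.source={r['msg_origin.source']} msg_class={r['msg_class']}")
```

The practical use is checking saved queries and ATH rules: run the messages a rule is meant to match through classify and confirm the msg_origin.source and msg_class values the rule filters on are the ones 5.1.0 will now assign.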

Deprecations

  • The predefined Company Trends dashboard is no longer available.

  • The following four SA alert types are deprecated and removed in 4.3.7. They are replaced by Microsoft 365 alert integration. In addition, the alert deduplication is now based on AlertId instead of srcip_usersid.

    • Office 365 Access Governance Anomaly is replaced by Microsoft 365: Valid Accounts (Privilege Escalation) and Microsoft 365: Account Manipulation

    • Office 365 Blocked User is replaced by Microsoft 365: Valid Accounts (Initial Access)

    • Office 365 Data Exfiltration Attempt Anomaly is replaced by Microsoft 365: Exfiltration Over Web Service

    • Office 365 Data Loss Prevention is replaced by Microsoft 365: Exfiltration Over Web Service

Critical Bug Fixes

  • Fixed: Uncommon Process Anomaly display issue.

  • Fixed: User Process Usage Anomaly alert type preferring 4688 instead of 1.

  • Fixed: Case management service hung.

  • Fixed: SentinelOne Asset displays less than customer sees in S1 console.

  • Fixed: Manually created case is missing some detail compared to auto case.

  • Fixed: Design consistency for connector configuration required fields.

  • Fixed: Connector Azure EventHub not pulling data.

  • Fixed: Fortigate Respond connector: ccsrtoken parsing issue.

  • Fixed: LastPass connector configuration change.

  • Fixed: Missing logs from 2023-10-18 (no "file Deletion" events).

  • Fixed: JumpCloud connector Test UI button.

  • Fixed: Tenable.sc connector checkpoint issue.

  • Fixed: Netskope connector V2 API selector defaulting to V1 API.

  • Fixed: Mitigated CVE-2023-38545 (curl/libcurl SOCKS5 heap buffer overflow) on DPs running 4.3.7.

  • Fixed: VM unable to get online during OCI restart migration.

  • Fixed: AIO System Action Center failed to communicate to cluster manager.

  • Fixed: Cisco Meraki Log Filter not working.

  • Fixed: Windows agent upgrade failed from 5.0.2 to 5.0.4.

  • Fixed: Windows GPO package missing MSI installer.

  • Fixed: Ubuntu 20.04 Linux agent for NG-SaaS.

  • Fixed: Linux agent created excessive files and folders under /tmp.

  • Fixed: Tenable agent continuously relinking.

  • Fixed: Updated Fortinet parser to correct the application information.

  • Fixed: VMware SDWAN Parser error.

  • Fixed: CiscoVPN parser: srcport added as top field.

  • Fixed: Upgrading to amazonlinux-2.

  • Fixed: Incident Alert user enrichment error.

  • Fixed: The event score of an alert could be incorrect if the raw data already has a severity field.

  • Fixed: Specific asset hostnames were rejected by MongoDB.

  • Fixed: Validation error on scheduled report configuration.

  • Fixed: In order to add an email recipient to a report, user RBAC must have Recipients permission enabled (changed behavior).

  • Fixed: 5.0.4: Scheduled report failed.

  • Fixed: A custom Role created by any user other than Super Admin risked granting RBAC options to that user.

  • Fixed: The Filter by status option does not ignore global filter.

  • Fixed: Alert filter throws out validation error.

  • Fixed: Bulk sensor profile assignment missing in NG-SaaS.

  • Fixed: Critical alert not listed when using the filter from the Kill Chain propagation.

  • Fixed: Workflow issue on case management.

  • Fixed: RBAC bug, can't create Sensor token even if allowed in RBAC.

  • Fixed: "All Tenants" queries viewable from single tenant view if Configuration > Queries RBAC enabled.

  • Fixed: Missing acknowledged field in the case column selection.

  • Fixed: SSO on NG-SaaS not working.

  • Fixed: Critical flow in the login page.

  • Fixed: Search incident ticket ID does not return the result.

  • Fixed: Consistent alignment of inline buttons in the Alert table under Incident page.

  • Fixed: Missing username on Chart.

  • Fixed: Alert page - Refresh button above the table missing animation.

Detection/ML Improvements

Case Management

  • Custom alerts created through Automated Threat Hunting (ATH) now have the ability to be correlated with Cases.

  • Alerts from Exploited Vulnerability and Exploited C&C Connection are now correlated into Cases.

New and Improved ML Alert Types

  • Restructured the External / Internal Brute-Forced Successful User Login alert type so that the two kinds of brute-forced login, one driven by a source IP address and the other aimed at a specific user account, are no longer conflated; the conflation previously produced erroneous links between login failures and brute-forced successful logins. External / Internal Brute-Forced Successful User Login now has two subtypes. Source IP-Based indicates that a source IP address (srcip) is the brute forcer and is linked to a User Login Anomaly alert; User ID-Based indicates that an account (srcip_usersid) is being brute-forced, potentially from multiple source IP addresses, and is linked to an Account Login Failure Anomaly alert. A new enrichment field, login_result_source, is set when login_result is success_brute_forced to indicate whether the enriched brute-forced login is Source IP-Based (login_result_source is srcip) or User ID-Based (login_result_source is srcip_usersid).

  • Tuned User Asset Access Anomaly to reduce false positives by an improved modeling of user and asset relationships.

  • Integrated Hitachi HIBUN into Internal Account Login Failure Anomaly and Login Time Anomaly. (Login Time Anomaly has timezone set to UTC+9, Japan.)
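To make the Source IP-Based and User ID-Based distinction concrete, here is an added example (not Stellar Cyber's detection code) that enriches successful logins from a constructed event stream: failures are counted separately per srcip and per srcip_usersid, so a single IP spraying many accounts and a single account attacked from many IPs each produce success_brute_forced with the matching login_result_source, while an ordinary login that follows one mistyped password stays a plain success. The threshold, window, flat event shape, and the precedence when both conditions hold are assumptions; the field names are the ones this section uses.

```python
"""Added example, not Stellar Cyber code: enrich a successful login that follows a
burst of failures and tell the two 5.1.0 Brute-Forced Successful User Login subtypes
apart instead of conflating them.

  Source IP-Based : one srcip fails against many accounts, then succeeds
                    -> login_result = success_brute_forced, login_result_source = srcip
  User ID-Based   : one account (srcip_usersid) fails from many IPs, then succeeds
                    -> login_result = success_brute_forced, login_result_source = srcip_usersid

The failure threshold, the look-back window, the flat event shape and the
precedence when both views match are assumptions made for this example; the field
names are the ones the release note uses.
"""
from collections import defaultdict, deque

FAIL_THRESHOLD = 5    # assumed: failures in the window before a success counts as brute-forced
WINDOW_SECONDS = 600  # assumed: look-back window for counting failures


def enrich_logins(events, threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Return copies of `events`, time-ordered, with brute-force enrichment applied.

    Each event is a dict with ts (epoch seconds), srcip, srcip_usersid and
    login_result in {"success", "failure"}. Failures are kept in two separate
    ledgers, per source IP and per account, so a spraying IP does not mark every
    account it touched as brute-forced and a targeted account does not taint every
    IP that failed against it once.
    """
    fails_by_ip = defaultdict(deque)    # srcip -> timestamps of recent failures
    fails_by_user = defaultdict(deque)  # srcip_usersid -> timestamps of recent failures
    enriched = []
    for event in sorted(events, key=lambda e: e["ts"]):
        event = dict(event)
        now = event["ts"]
        ip_fails = fails_by_ip[event["srcip"]]
        user_fails = fails_by_user[event["srcip_usersid"]]
        for ledger in (ip_fails, user_fails):       # drop failures outside the window
            while ledger and now - ledger[0] > window:
                ledger.popleft()

        if event["login_result"] == "failure":
            ip_fails.append(now)
            user_fails.append(now)
        elif event["login_result"] == "success":
            ip_brute = len(ip_fails) >= threshold
            user_brute = len(user_fails) >= threshold
            if ip_brute or user_brute:
                event["login_result"] = "success_brute_forced"
                # Assumption: when both views match, report the source-IP view; the
                # release note does not state a precedence.
                event["login_result_source"] = "srcip" if ip_brute else "srcip_usersid"
                # Assumption: a brute-forced success closes the streak that produced it.
                if ip_brute:
                    ip_fails.clear()
                if user_brute:
                    user_fails.clear()
        enriched.append(event)
    return enriched


def brute_forced_logins(events, **kwargs):
    """Convenience view: (srcip_usersid, srcip, login_result_source) for each enriched success."""
    return [(e["srcip_usersid"], e["srcip"], e["login_result_source"])
            for e in enrich_logins(events, **kwargs)
            if e["login_result"] == "success_brute_forced"]


# Constructed sample events (not real telemetry); T0 is an arbitrary epoch base.
T0 = 1_704_412_800
SAMPLE_LOGINS = (
    # A: 203.0.113.7 sprays five different accounts, then gets into "frank".
    [{"ts": T0 + i, "srcip": "203.0.113.7", "srcip_usersid": user, "login_result": "failure"}
     for i, user in enumerate(["alice", "bob", "carol", "dave", "eve"])]
    + [{"ts": T0 + 10, "srcip": "203.0.113.7", "srcip_usersid": "frank", "login_result": "success"}]
    # B: "admin" is hammered from five different IPs, then a sixth IP succeeds.
    + [{"ts": T0 + 100 + i, "srcip": f"198.51.100.{i}", "srcip_usersid": "admin", "login_result": "failure"}
       for i in range(5)]
    + [{"ts": T0 + 120, "srcip": "198.51.100.99", "srcip_usersid": "admin", "login_result": "success"}]
    # C: one typo, then a normal login; must stay a plain success.
    + [{"ts": T0 + 200, "srcip": "192.0.2.5", "srcip_usersid": "grace", "login_result": "failure"},
       {"ts": T0 + 205, "srcip": "192.0.2.5", "srcip_usersid": "grace", "login_result": "success"}]
)

if __name__ == "__main__":
    for user, ip, source in brute_forced_logins(SAMPLE_LOGINS):
        print(f"{user} from {ip}: success_brute_forced ({source})")
```

The two ledgers are the whole point: in scenario B the successful IP has no failures of its own, so an IP-only counter would never flag it, while in scenario A the compromised account "frank" has no failures of its own, so a user-only counter would miss that one. Keeping the views separate is what lets the enriched login say which kind of brute force it was.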

New Sigma Rule Engine and Rule Alert Types

  • 5.1.0 Sigma Rule Release has the following new rule-based alert types:

    • Suspicious AWS EBS Activity

    • Suspicious AWS ELB Activity

    • Suspicious AWS SSL Certificate Activity

    • Suspicious AWS VPC Mirror Session

    • Account MFA Login Failure Anomaly (with AWS-related Alert Subtype)

  • For alerts from rule-based alert types, added a new Rules tab to the alert panel, showing the details of the Sigma rule triggered.

New and Improved Third-Party Alert Integrations

General Improvements

  • Improved integration of the built-in Exploited Vulnerability and Exploited C&C Connection ATH correlation detections. Cases can now use these alerts and correlate them based on the assets involved. Similarly, asset tracking can now identify the assets involved in the alerts.

Usability Improvements

Platform Enhancements

  • Added a Public API endpoint for creating connector configurations.

  • Added a Public API endpoint for editing connector configurations.

  • Added Public API endpoints for managing tenants.

  • RBAC updated to allow Partner users to see and create other Partner users in the same Tenant group.

  • Added support for new regions in the OCI data sink feature accessible through the user interface.

  • Added support for coarse-grained Data Sink storage in AWS and OCI with batch windows of up to 24 hours.

    Note that after upgrading to 4.3.7, existing AWS and OCI data sinks with a Batch Window greater than 60 seconds are converted to the nearest available selection expressed in minutes or hours.

  • Added support for imports of large objects from S3/OCI cloud storage.

  • Improved the format for UI-based sensor upgrades for a better user experience.

  • Refactored the /connector API using a new API scheme to enhance performance and maintainability.

  • Introduced timezone support to rectify scheduling logic errors in reporting.

  • Added API requests to the User Activity Log (Audit Logs).

  • Added a public API feature for lookup table functionality.

  • Enhanced the public API to allow the scheduling of reports (Report Config).

  • Added the ability to create and delete Connector Configurations using the public API.

  • Provided predefined templates for HIBUN Anomaly Time Handling rules.

  • Implemented server-side input validation for the /ui-settings API to enhance security.

  • Added functionality to reset a user's password using the public API.

  • Introduced Global RBAC support for removing the "?" Help settings from Partner Accounts.

  • Introduced RBAC option to hide the XDR Kill Chain landing page.

  • Added a boolean field to alert filters.

  • Enhanced ATH scheduling so that a playbook can be excluded from running during specific time windows.

  • To improve the platform, Stellar Cyber now collects heartbeat data for third-party-integration alerts.

Sensor Improvements

  • Introduced self-contained installation for Debian.

  • Introduced self-contained installation for SUSE 15.

  • Introduced self-contained installation for CentOS 7 and 8.

  • Records generated by aella_flow now carry msg_origin.category set to traffic.

  • Added all files under configuration to phone home logs on Windows.

  • Introduced a self-contained sensor package specifically designed for SUSE 12 environments.

  • Introduced self-contained installation support for Linux agents on Ubuntu versions 18.04, 20.04, 21.04, and 22.04.

  • New device sensors will be deployed with Ubuntu 22.04.

  • Introduced support for Oracle Linux 8.5 for agent installation.

  • Extended Linux agent support to include AlmaLinux 9.

  • Enhanced compatibility with Red Hat Enterprise Linux versions 7, 8, and 9.

  • Introduced FIM support for PCI audit on Linux server sensors.

  • Added more information during the Windows agent upgrade process.

  • Transitioned to using one image per OS type for both upgrades and fresh installations, streamlining the process.

  • Added support for darksite functionality in the Linux agent.

  • Introduced a binary Linux installation package tailored for Amazon Linux 2.

  • Resolved an issue where the aella_winlog.yaml file was empty and had to be manually recovered by copying from another agent.

  • Cleaned up source files in the Windows MSI installer for improved performance and stability.

  • Introduced support for sensor encryption in the AWS environment.

  • Improved log rotation speed for td-agent.

  • Updated CA certificates for enhanced security.

  • Added Nessus debug log for improved troubleshooting and diagnostics.

  • Implemented a memory percentage limit for td-agent to manage resource utilization efficiently.

  • Introduced a new dynamic mapping system that ensures Winlogbeat support for Windows Events from any locale. Verified with Korean, Persian, English (US), and Tatar on Windows Server versions back to 2008 R2.

  • Removed the dependency on netcat for the Linux agent, improving agent performance and reliability.

  • Enabled Log Forwarder to report log filter statistics for improved visibility and monitoring.

  • Addressed pentest vulnerabilities in the Network Sensor to enhance security.

  • Introduced a Sensor CLI feature to convert from NDS/SDS (Network Detection System/Security Data Server) to unauthorized MDS (Master Data Server) for Virtual and Photon Models.

  • Improved Windows server sensor enrichment.

  • Added field msg_origin.processor to identify the sensor service that produces the record. There are multiple sensor components, such as: Aella_flow, maltrace, winlogbeat, Aella_audit, and FIM.

  • The show metalist command has been improved to include a Tenant column, as well as protocols white-listed as part of the sensor profile but not taking effect. This can happen when a custom application is defined both for a specific tenant and All Tenants.

Connector Enhancements

The following enhancements were introduced in 5.1.0:

The following enhancements were introduced in 4.3.7 and are now available in 5.1.0:

  • Implemented the change to the connector code to use the new framework in version 4.3.7.

  • Improved exception handling by adding HTTP code 400 when catching exceptions.

  • Implemented the optimization of log-collector resources usage for Google Workspace connector.

  • Implemented the optimization of log-collector resources usage for Cloudflare.

  • Implemented the ability to block or allow the Active Directory connector to disable users in the username@domain.tld format.

  • Resolved the SentinelOne connector error 503.

  • Improved the ingestion of data from MySQL with more data sources and epoch date time column support.

  • Enhanced the connector ID in the ADE record for enrichment.

  • Implemented Acronis Cyber Protect Cloud connector.

  • Implemented LastPass connector.

  • Modified the GCP Audit Logging connector to include the Requests log name.

  • Added a field into the Interflow message to indicate which Stellar Cyber component generated the message.

  • Implemented the optimization of log-collector resources usage for SentinelOne.

  • Improved the AWS CloudTrail connector to relax or remove prefix requirements.

  • Added support for AWS Cloudtrail Gov Cloud regions.

  • Implemented the Imperva Incapsula connector.

  • Implemented Proofpoint Targeted Attack Protection (TAP) connector.

  • Implemented the HIBUN connector.

  • Improved Cybereason alert normalization.

  • Enhanced the handling of login failure amplification in Office365 login failure alert types.

  • Augmented the raw data portion of Office365 alarms.

  • Implemented Confirm Compromised and Dismiss Risk response actions in Azure Active Directory connector.

  • Implemented an event filter for connectors.

  • Improved Office365 enrichment.

  • Added a field msg_origin.processor to records sent from connectors running on the data processor or sensor.

  • Implemented gsuite.id.time as the timestamp of the data sent from the Google Workspace connector.

Parser Improvements

The following enhancements were introduced in 4.3.7 and are now available in 5.1.0.

  • Enhanced FortiEDR parser to parse extra fields.

  • Added support for a log source limit based on sensor memory.

  • Supported fields for msg_origin.source and msg_class on the parser side.

  • Added the missing fields to the VMware ESXi and Cisco router and switch parsers.

  • Improved the Cisco ASA parser, in particular correcting the direction reported for many connections.

  • Added msg_origin.source and msg_class enrichment to non-enriched parsers.

  • Enhanced Cisco ASA Built Teardown when uploading customized_cisco_asa using the user interface.

  • Enhanced parsing of Symantec DLP technology events 5143. Now, msg_class and msg_origin.source are set to symantec_dlp, msg_origin.category is set to dlp, and the fields and their normalized names are:

    • blocked => symantec.blocked

    • application_name => symantec.application_name

    • attachment_filename => symantec.attachment_filename

    • dataowner_name => symantec.dataowner_name

    • dataowner_email => symantec.dataowner_email

    • endpoint_device_id => symantec.endpoint_device_id

    • endpoint_location => symantec.endpoint_location

    • endpoint_machine => symantec.endpoint_machine

    • path => symantec.path

    • parent_path => symantec.parent_path

    • incident_id => symantec.incident_id

    • incident_snapshot => symantec.incident_snapshot

    • match_count => symantec.match_count

    • occurred_on => symantec.occurred_on

    • rules => symantec.rules

    • protocol => symantec.protocol

    • recipients => symantec.recipients

    • reported_on => symantec.reported_on

    • scan => symantec.scan

    • sender => symantec.sender

    • monitor_name => symantec.monitor_name

    • severity => symantec.severity

    • status => symantec.status

    • subject => symantec.subject

    • target => symantec.target

    • user_justification => symantec.user_justification

    • destination_ip => dstip

    • machine_ip => srcip

    • endpoint_username => srcip_username

    • url => url

    • application_user => user.name

    • file_name => file.name

  • Added a field to Interflow messages to indicate the Stellar Cyber component that generated the message in the Log Forwarder.

    • Added the field msg_origin.processor to store the identity of the processor that parsed the log.

  • Enhanced the CEF/LEEF parser to correct msg_origin and msg_class.

    • In Crowd Strike CEF parser, default vendor name, msg_origin.source, and msg_class are now set to crowdstrike.

    • In Trend Micro CEF parser, default vendor name and msg_origin.source are set to trendmicro. If product is Apex Central, msg_origin.source and msg_class are set to trendmicro_apex_central.

    • In Fortinet Fortigate CEF parser, msg_origin.source is now set to fw_fortigate.

    • In SonicWall CEF parser, vendor is now set to sonicwall. When product is NSA, msg_origin.source is set to sonicwall_nsa.

    • In Trend Micro LEEF parser, when product is DSA, the vendor name is set to trendmicro and msg_origin.source and msg_class are set to trendmicro_dsa.

  • Added support for multi-line TCP logs in the BeyondTrust BeyondInsight parser.

  • Updated the Linux Syslog parser to support key-value pair parsing in the payload when the appname is dockerd, and to support a new header format forwarded by SolarWinds.

  • In Fortinet CEF parser, the following fields are moved out of msg_data and put under fortinet: ad.itime, ad.msg_id, ad.main_type, ad.trigger_policy, ad.http_method, ad.http_url, ad.http_host, ad.signature_subclass, ad.signature_id, ad.signature_cve_id, and ad.user_name.

  • Enhanced the Palo Alto Networks Firewall parser as follows:

    • Improved the parser to support all types of logs on version 11.0.

    • Fixed the typo of the field name from http_ 2_connection to http_2_connection for the Threat log on version 10.1.

    • Improved the parser to support both the customized and default formats of the CONFIG logs.

    • Added check of the value of the fields that will be normalized to srcmac, dstmac, and hostip. When they are not valid MAC/IP addresses, they will be moved into the vendor namespace instead.

    • Renamed the field log.syslog.structured_data to log.syslog.structured_data_str.

    • Enhanced the parsing process so that some values are moved to more appropriate fields.

  • Enhanced the Imperva parser to parse additional fields.

    • In Incapsula CEF parser, the following fields are now parsed and moved to the vendor namespace: siteid, suid, devicefacility, dproc, ccode, cicode, customer, request, ref, cn1, deviceexternalid, sip, xff, cpt, ver, end, cap_support, javascript_support, co_support, vid, clappsig, latitude, and longitude.

    • In CEF parser, the field end will be normalized into event.end and the value will be converted to epoch ms time. If the conversion fails, it will be put into msg_data.

    • In CEF parser, the field start will be normalized into event.start and the value will be converted to epoch ms time. If the conversion fails, it will be put into msg_data.
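Two of the parser changes above share one pattern: a value is normalized only if it validates (srcmac/dstmac/hostip in the Palo Alto Networks parser), or converts (start/end to epoch ms in the CEF parser), and is otherwise kept in a fallback location rather than dropped. The following is an added illustration of that pattern, not Stellar Cyber's parser code; the vendor key name, the accepted timestamp formats, and the sample record are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Assumed MAC format: six hex octets separated by ':' or '-'.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def is_valid_mac(value):
    return isinstance(value, str) and MAC_RE.match(value) is not None


def is_valid_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def to_epoch_ms(value):
    """Convert a timestamp string to epoch milliseconds, or None if it cannot be parsed."""
    if isinstance(value, str) and value.isdigit():      # already epoch ms
        return int(value)
    # Assumed formats; a real CEF parser would accept more.
    for fmt in ("%b %d %Y %H:%M:%S", "%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d %H:%M:%S"):
        try:
            dt = datetime.strptime(value, fmt)
        except (ValueError, TypeError):
            continue
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=timezone.utc)   # treat naive times as UTC
        return int(dt.timestamp() * 1000)
    return None


def normalize(raw, vendor="paloalto"):
    """Normalize a raw record: invalid MAC/IP values go to the vendor namespace,
    unconvertible timestamps go to msg_data, valid values get normalized names."""
    out = {vendor: {}, "msg_data": {}}
    checks = {"srcmac": is_valid_mac, "dstmac": is_valid_mac, "hostip": is_valid_ip}
    for field, ok in checks.items():
        if field in raw:
            (out if ok(raw[field]) else out[vendor])[field] = raw[field]
    for field, target in (("start", "event.start"), ("end", "event.end")):
        if field in raw:
            ms = to_epoch_ms(raw[field])
            if ms is None:
                out["msg_data"][field] = raw[field]   # conversion failed: keep raw value
            else:
                out[target] = ms
    return out
```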

  • Introduced a new HTTP JSON parser for logs from Kubernetes (via FluentD).

  • Introduced a new built-in log parser for Ruijie switch.

  • Enhanced the Cisco Firepower custom parser.

    • Extracted fields built and teardown as action on the top level.

    • Changed cisco.connection_id to cisco.connid.

    • Swapped srcip, srcport, src_interface, src_idfw_user, outbytes_total, mapped_srcip, and mapped_srcport with dstip, dstport, dst_interface, dst_idfw_user, inbytes_total, mapped_dstip, and mapped_dstport respectively when cisco.direction is outbound.

  • Introduced a new custom log parser for BeyondTrust PasswordSafe.

  • Enhanced Cylance parser.

    • Parsed out Tenant Name to vendor namespace for Cylance parser.

  • Introduced a new built-in log parser for Citrix Access Gateway.

  • Introduced a new built-in log parser for Kemp Load Balancer.

  • Introduced a new built-in log parser for VMware Horizon Syslog.

  • Introduced a new built-in log parser for Secureki.

  • Introduced a new built-in log parser for Meraki switch.

    • In the Cisco Meraki parser, proto is set to 6 when device_event_category is urls and request_url starts with http or https.

  • Introduced a new built-in log parser for IronScales. In IronScales CEF parser, msg_class and msg_origin.source are set to ironscales_irontraps, msg_origin.category is set to email, and the fields and their normalized names are:

    • outcome => ironscales.outcome

    • source_user_name => ironscales.source_user_name

    • suid => ironscales.suid

    • duid => ironscales.duid

    • dpriv => ironscales.dpriv

    • report_id => ironscales.report_id

    • message-id => ironscales.message_id

    • report_state => ironscales.report_state

    • reason => ironscales.reason

  • Requested a parser for VMware VeloCloud SD-WAN (version 5.1).

  • Made a parser request for multi-tenancy support for Avanan.

  • Introduced a new built-in log parser for Dell EMC PowerStore.

  • Introduced a new built-in log parser for Forticloud - FortiClient EMS Cloud Endpoint Management Services.

  • Introduced a new built-in log parser for Aruba Clearpass NAC.

    • Moved the fields error_code, auth_source, system_posture_token, destinationservicename, dpriv, requestmethod, outcome, and reason to vendor namespace in Aruba Network CEF log ingestion.

  • Introduced a new built-in log parser for Array LB APV.

  • Introduced a new built-in log parser for Audit Plus.

  • Introduced a new built-in log parser for Thales CipherTrust.

  • Introduced a new built-in log parser for Alcatel Switch.

  • Enhanced parsers in the endpoint category to report the host IP.

  • Introduced a new built-in log parser for Varonis as CEF parser.

Operational Notes

  • Keep in mind that the global Status filters available at the left of most Stellar Cyber tables (All Open, New, In Progress, Ignored, and Closed) apply only to security events (alerts). They do not apply to cases. You can apply Status filters to cases, too, but only from the Cases interface itself. The names of the Status filters for cases are also slightly different than those available for alerts.

Known Issues

  • When searching the Asset Analytics tab for an IP address, make sure you set the Search Column to Friendly Name, IP, or IP History. Searches for IP addresses with the Search Column set to its default value of All do not work correctly. This will be fixed in a later release.

  • The Cylance responder is unable to perform the Contain Host action due to a limitation from the Cylance REST API. All requests return a 500 Internal Server Error response.

  • Stellar Cyber recommends that you do not use the same login credentials to configure Azure or Azure Active Directory connectors for multiple tenants in the same company.

  • Windows Server Sensor installation can trigger the installation of Microsoft Visual C++ on the host machine if it is not installed already. If the installation of Visual C++ fails, the Windows Server Sensor may be unable to decode the token used to authorize and configure its installation, leaving it unable to register with the Stellar Cyber cloud. If this happens, use the following steps to proceed:

    1. Update and restart the host Windows machine to repair the Microsoft Visual C++ installation.

    2. Either reinstall the Windows Server Sensor or use the set token command in the Sensor CLI to authorize and configure the existing installation.

  • Log Forwarder only collects statistics for up to 100 different log source IPs per Log Forwarder worker. If the total number of log source IPs exceeds 100, statistics for the additional log source IPs are aggregated into the catch-all IP address of 0.0.0.0.

  • When multiple traffic filters are defined for a tenant with the same combination of IP, port, protocol, and layer 7 rules, the filter may fail to take effect. Administrators should review the defined traffic filters and make sure there are no duplicate definitions.

  • If you change the network interface configuration of a sensor’s VM after deployment, the eth0 interface may be remapped to a new interface. If this happens, the management network is disconnected. Contact Customer Success for assistance.

Upgrading Sensors

New features, updated ML algorithms, and enhanced configurations may change ingestion and detection patterns. We recommend the following to ensure a smooth upgrade:

  • Upgrade sensors in batches instead of all at once.

  • For Server Sensors:

    • Upgrade a small set of sensors that cover non-critical assets.

    • After 24 hours, ensure that your ingestion is as expected, then upgrade a larger set.

    • After 24 hours, ensure that your ingestion is as expected, then upgrade the remaining agent sensors.

    • If you are upgrading a Windows Server Sensor, complete any pending updates for the host Windows machine before upgrading the Server Sensor.