Stellar Cyber 5.0.4 Release Notes

Updated August 29, 2023

The Stellar Cyber SaaS 5.0.4 release brings the following improvements to the Stellar Cyber Open XDR platform. For detailed information, refer to the Stellar Cyber online documentation.

Highlights

  • Introduced the new Case Management feature that replaces the Incident feature. Case Management sets a new foundation for improved collaboration on correlated detections (now called Cases instead of Incidents), improved synchronization with outside systems, improved user experience, and improved correlation and context.

  • Introduced a new table UI element throughout the platform that improves usability for better filtering and data visualization.

  • Custom alerts created through Automated Threat Hunting (ATH) can now be correlated with Cases, formerly known as Incidents.

  • Added 230+ rules covering Windows, Process Creation, and AWS threats.

Behavior Changes

  • Case Management: The 5.0.4 release introduces Case Management as a replacement for Incidents. With Case Management, users are able to manage correlated events more effectively, add evidence to Cases, clearly understand important data faster, make comments, and track pertinent metrics for management.

  • Incidents to Cases: With Case Management’s introduction, all existing Incidents will be migrated to Cases. All mentions of Incidents within the Stellar Cyber Platform are also changed to Case or Cases.

  • Built-in Windows Sensor Profile: The template for Windows Detection Profile (Low Volume) has been updated to include the new event IDs used by the 5.0.4 Windows-related rule alert types. If you want to keep event ID coverage for all built-in Alert Types, update existing Sensor Profiles that are based on the old Detection Profile to the new Detection Profile.

Actions Required

Before upgrading modular sensors from 5.0.2 to 5.0.4, verify whether the sensors have the Port Relay feature enabled in the CLI. The following sensor CLI commands for Port Relay no longer work in 5.0.4 device sensors. Migrate the sensor CLI configuration to the Log Source configuration in the user interface. Refer to Ingesting Logs for details.

  • set logforwarder device-ip

  • unset logforwarder device-ip

Critical Bug Fixes

  • Fixed: Fortigate connector test failure.

  • Fixed: Crowdstrike connector not pulling assets.

  • Fixed: Security Sensor in AWS not upgrading to 4.3.6.

  • Fixed: Bar Charts without x-labels in 4.3.6.

Detection/ML Improvements

  • Custom alerts created through Automated Threat Hunting (ATH) now have the ability to be correlated with Cases, formerly known as Incidents.

New Sigma Rule Engine and Rule Alert Types

  • Added 120+ Windows-related rules focused on Identity threats through 11 new Alert Types.

    • These new Alert Types require the updated Windows Detection Profile (Low Volume) in the sensor profile settings.

  • Added 50+ Process Creation-related rules through 2 new Alert Types.

  • Added 60+ AWS-related rules through 11 new Alert Types.

New and Improved Third-Party Alert Integrations

  • Introduced OCI CloudGuard Alert integration.

  • Introduced AWS GuardDuty Alert integration.

New and Improved ML Alert Types

  • Tuned User Login Location Anomaly to improve detection accuracy and consistency. It also now suppresses alerts in cases where Geo-IP location inaccuracy previously produced erroneous alerts.

  • Tuned External/Internal User Login Failure Anomaly on Windows pre-auth events to reduce false positives and the number of alerts per day.

  • Added accurate success/failure counts spanning more than a single 5-minute interval to alerts from Account MFA Login Failure Anomaly, External/Internal Account Login Failure Anomaly, External/Internal Protocol Account Login Failure Anomaly, External/Internal User Login Failure Anomaly, and External/Internal URL Reconnaissance Anomaly, so that each alert reflects the actual failure trend leading up to it. This information is present in the new alert descriptions and in the metadata fields under the event_summary object.

Usability Improvements

  • Refactored Tables: The 5.0.4 release introduces brand new tables throughout the platform. With these refactored tables, users can interact with table data more easily, and filtering and searching for filters is more intuitive. Tables are now easier to read and to resize.

  • Added port relay configuration to the System | Collection | Log Sources page in the user interface so that logs from multiple products can be received and parsed on a single TCP/UDP port in a Stellar Cyber device sensor.

Platform Enhancements

Sensor Improvements

The following enhancements were introduced in 4.3.6 and are now available in 5.0.4.

  • Introduced File Integrity Monitoring by Windows server sensors.

  • Increased data fidelity and visibility in SMB traffic metadata by adding the ability to collect additional metadata filename and path information for SMB traffic. You may notice a small increase in ingestion as part of this enhancement.

  • Added Windows event channels PortalGuard and DNS-Server/Analytical in Other Channels in the Windows server sensor profile configuration.

  • Enhanced the modular sensors to support Packet Mirroring in AWS, GCP, and OCI.

  • Introduced Linux server sensor support for the following:

    • Oracle Linux 8.5

    • SUSE Linux 15 SP4

  • Enhanced the Linux server sensor to monitor bonded interfaces.

Connector Enhancements

  • Added more memory to connector resource storage for users with a high quantity of connectors.

  • Added the ability to filter on DeviceProperties for Office365.

  • Added additional parsing for the requestParameters object in AWS CloudTrail.

  • Added host.name normalization to the SonicWall Capture Client connector.

  • Added Content Type to the statistic summary for most collectors except MySQL, Broadcom (Blue Coat / Symantec) Web Security Services (WSS), and Azure Event Hub. In the Crowdstrike collector it is added, but may not always be accurate.

  • Added new message classes for the Oracle Cloud Infrastructure (OCI) connector: oracle_cloud_guard, oracle_cloud_audit, and oracle_cloud_log.

Parser Improvements

The following enhancements were introduced in 4.3.6 and are now available in 5.0.4.

  • Introduced a new built-in log parser for Extreme Controller NX 7500.

  • Introduced a new built-in log parser for ServiceNow NowPlatform.

  • Introduced a new built-in log parser for Ruckus ZoneDirector 1200.

  • Introduced a new built-in log parser for Peplink.

  • Introduced a new built-in log parser for Centos Audit Log.

  • Introduced a new built-in log parser for Perception Point X-Ray.

  • Introduced a new built-in log parser for Apache HTTP Server.

  • Introduced a new built-in log parser for Oracle Solaris Syslog.

  • Introduced a new built-in log parser for Impero Software Solutions ContentKeeper.

  • Introduced a new built-in log parser for OPNsense.

  • Introduced a new built-in log parser for Array Networks ASF.

  • Introduced a new built-in parser for Fortinet FortiEDR 5.2.0.

  • Introduced a new built-in parser for Trend Micro Tipping Point.

  • Introduced a new built-in log parser for Fortinet FortiAuthenticator.

  • Introduced a new built-in log parser for HanDreamnet VIPM.

  • Introduced a new built-in log parser for Trend Micro Interscan Messaging. Currently the parser supports the following log formats, among others: msgtra.imss.xxxx, Polevt.imss.xxxx, and sysevt.imss.xxxx.

  • Enhanced the CEF parser as follows:

    • Moved fields clapp, sourceservicename, requestclientapplication, requestmethod, and postbody to vendor-specific in Incapsula CEF log parsing.

    • In the Imperva/Incapsula CEF log parsing, when the Vendor and Product fields of the CEF header are Incapsula and SIEMintegration, the fields dev_type and msg_origin.source are changed from incapsula to imperva, and dev_class and msg_class are changed from incapsula to imperva_security_logs. When cef_name is Normal and cef_severity is 0, dev_class and msg_class are instead set to imperva_access_logs.
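The two CEF changes above (moving the listed extension keys into a vendor-specific namespace, and relabelling dev_type, msg_origin.source, dev_class and msg_class from the header) can be checked against sample records with the small parser below. This is an added example, not Stellar Cyber's parser code. It assumes the `incapsula.` prefix for the vendor-specific namespace, lower-cased extension keys, the output field names as spelled in the release note, and that non-matching headers keep the earlier `incapsula` labels; the sample lines are constructed, not real Imperva output.

```python
import re

# CEF header layout: CEF:Version|Device Vendor|Device Product|Device Version|
# Signature ID|Name|Severity|Extension. Output names follow the release note.
HEADER_KEYS = ("cef_version", "vendor", "product", "dev_version",
               "signature_id", "cef_name", "cef_severity")

# Extension keys the release note moves into the vendor-specific namespace.
VENDOR_SPECIFIC = {"clapp", "sourceservicename", "requestclientapplication",
                   "requestmethod", "postbody"}
VENDOR_PREFIX = "incapsula."   # prefix for that namespace (assumption)

_PIPE = re.compile(r"(?<!\\)\|")                 # a '|' not escaped as '\|'
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")    # key=value; values may contain spaces


def parse_cef(line):
    """Return (header dict, extension dict) for one CEF line."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = _PIPE.split(line[len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(HEADER_KEYS, (p.replace("\\|", "|") for p in parts[:7])))
    # Keys are lower-cased so the note's spellings (requestmethod, ...) also
    # match camel-cased keys such as requestMethod; '\=' in values is unescaped.
    ext = {k.lower(): v.replace("\\=", "=") for k, v in _KV.findall(parts[7])}
    return header, ext


def normalize_incapsula(line):
    """Apply the 5.0.4 Imperva/Incapsula CEF rules to one line."""
    header, ext = parse_cef(line)
    rec = dict(header)
    for key, value in ext.items():
        rec[(VENDOR_PREFIX + key) if key in VENDOR_SPECIFIC else key] = value
    if header["vendor"] == "Incapsula" and header["product"] == "SIEMintegration":
        rec["dev_type"] = rec["msg_origin.source"] = "imperva"
        if header["cef_name"] == "Normal" and header["cef_severity"] == "0":
            cls = "imperva_access_logs"     # plain access-log entry
        else:
            cls = "imperva_security_logs"   # any other event is a security log
    else:
        # Headers that do not match keep the pre-5.0.4 labels (assumption).
        rec["dev_type"] = rec["msg_origin.source"] = "incapsula"
        cls = "incapsula"
    rec["dev_class"] = rec["msg_class"] = cls
    return rec


# Constructed sample lines (not real Imperva output).
SAMPLE_ACCESS = ("CEF:0|Incapsula|SIEMintegration|1|1|Normal|0|"
                 "src=203.0.113.10 requestmethod=GET sourceservicename=www.example.test "
                 "requestclientapplication=Mozilla/5.0 act=REQ_PASSED")
SAMPLE_SECURITY = ("CEF:0|Incapsula|SIEMintegration|1|1|Illegal Resource Access|3|"
                   "src=198.51.100.7 requestmethod=POST postbody=a\\=1 act=REQ_BLOCKED_SECURITY")
SAMPLE_OTHER = "CEF:0|ExampleVendor|ExampleProduct|1|1|Normal|0|src=192.0.2.4"

if __name__ == "__main__":
    for sample in (SAMPLE_ACCESS, SAMPLE_SECURITY, SAMPLE_OTHER):
        rec = normalize_incapsula(sample)
        print(rec["dev_class"], sorted(k for k in rec if k.startswith(VENDOR_PREFIX)))
```

The severity comparison is done on the header string (`"0"`), which is how CEF carries it; if a parser converts severity to an integer first, compare against `0` instead.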

  • Enhanced the Aqtronix Webknight parser to support new log formats.

  • Enhanced the Cisco Meraki parser with IDS event detection enrichment.

  • Enhanced the Hillstone parser to support new log formats.

  • Updated the Wazuh parser as follows:

    • Normalized wazuh.agent.ip to hostip.

    • Normalized wazuh.agent.name to hostip_host.

    • Normalized event_data.parentImage to parent_proc_name when event_id is 1.

    • Normalized event_data.user to srcip_username and hostip_username when event_id is 1.

    • Normalized data.win.IpAddress to srcip.

    • Normalized agent.ip to srcip if data.win.IpAddress does not exist.

    • Normalized agent.ip to dstip.

  • Enhanced the Fortinet Fortigate parser to support new log formats.

  • Enhanced the Barracuda Web firewall parser to support new log formats.

  • Enhanced the NXLog parser to support new log formats for Apache Tomcat Server logs.

  • Updated the Cisco Firepower parser as follows:

    • Added new log format support.

    • Normalized the protocol and proto_name fields to proto.

    • Removed the multi-line log support through TCP.

  • Updated the Cisco ASA parser by normalizing the severity field to cisco.severity.

  • Updated the Mikrotik parser as follows:

    • Added support for new log formats.

    • Normalized protocol to proto.

    • Normalized log.syslog.event_description to log.event_description.

  • Updated the Hillstone parser as follows:

    • Normalized the field data_time to log.syslog.timestamp.

    • Moved vsys, log_msg_id, src_interface, dst_interface, whole_flag, and custom_value_1 to the Hillstone namespace.

  • Updated the Zscaler ZIA normalization for more accurate alerts as follows:

    • Normalized the field nwapp to appid_name.

    • Normalized the field rule_label to fw_policy_id.

  • Updated the Cylance parser as follows:

    • Normalized the field Event Id to cylance.event_id.

    • Normalized the field Instigating Process ImageFileSha256 to instigating_process_imagefilesha256.

    • Normalized the field Event Timestamp to event.timestamp.

    • Normalized the field Target Process Command Line to process.command_line.

  • Updated the Cisco CUCM parser as follows:

    • Normalized the field pri to log.syslog.priority.

    • Normalized the field syslog_time to log.syslog.timestamp.

    • Normalized the field event_description to log.event_description.

    • Normalized the field event_time to event.timestamp.

    • Normalized the field username to user.name.

    • Normalized the field protocol to proto.

    • Moved the field hostname to msg_data instead of being dropped when log_hostname exists.

  • Updated the Fortinet Fortigate parser as follows:

    • Added support for new log formats.

    • Normalized the field ad.utmaction to fortinet.ad.utmaction.

  • Enhanced the Syslogjson parser to support winlogbeat logs.

  • Enhanced regex in the Barracuda Firewall parser to support new log formats.

  • Improved the Juniper Switch parser to support new log formats.

  • Updated the pfSense firewall parser as follows:

    • Supported Snort logs.

    • Normalized the field proto_name to proto when its value is icmp, igmp, tcp, udp, or their corresponding Protocol Numbers. Invalid proto_name values are moved into the vendor namespace.

    • Added validity checks for the fields srcip, dstip, srcport, and dstport. They are moved into the vendor namespace when their value is invalid.

    • Renamed vendor fields tos, ttl, and offset to tos_str, ttl_str, and offset_str.
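The pfSense rules above (proto_name to proto for the four named protocols or their IANA numbers, invalid IP and port values moved to the vendor namespace, and tos/ttl/offset renamed with a _str suffix) are shown end to end below on a filterlog record. This is an added example, not Stellar Cyber's parser. It assumes `pfsense.` as the vendor-namespace prefix, the IPv4 column layout of pfSense filterlog CSV records (verify against your own logs), that a protocol number is mapped to its name when normalized, and that "invalid" means not parseable as an IP address or not an integer in 0..65535; the sample records are constructed.

```python
import ipaddress

# IANA protocol numbers for the four protocols the release note lists.
PROTO_BY_NUMBER = {"1": "icmp", "2": "igmp", "6": "tcp", "17": "udp"}
PROTO_NAMES = set(PROTO_BY_NUMBER.values())
VENDOR_NS = "pfsense"   # vendor-namespace prefix (assumption)

# Assumed pfSense filterlog IPv4 layout: common columns, then IPv4 columns,
# then source/destination ports for TCP and UDP.
IPV4_FIELDS = ("rule", "subrule", "anchor", "tracker", "interface", "reason",
               "action", "dir", "ipver", "tos", "ecn", "ttl", "id", "offset",
               "flags", "proto_num", "proto_name", "length", "srcip", "dstip")
TCP_UDP_FIELDS = ("srcport", "dstport", "datalen")


def parse_filterlog_ipv4(line):
    """Split one IPv4 pfSense filterlog CSV record into named fields."""
    parts = line.split(",")
    if len(parts) < len(IPV4_FIELDS) or parts[8] != "4":
        raise ValueError("not an IPv4 filterlog record")
    fields = dict(zip(IPV4_FIELDS, parts))
    if fields["proto_name"].lower() in ("tcp", "udp"):
        fields.update(zip(TCP_UDP_FIELDS, parts[len(IPV4_FIELDS):]))
    return fields


def valid_ip(value):
    try:
        ipaddress.ip_address(str(value))
        return True
    except ValueError:
        return False


def valid_port(value):
    s = str(value)
    return s.isdigit() and int(s) <= 65535


def normalize_pfsense(fields):
    """Apply the 5.0.4 pfSense rules to a dict of parsed fields."""
    out, vendor = {}, {}
    for key, value in fields.items():
        if key == "proto_name":
            name = str(value).lower()
            if name in PROTO_NAMES:
                out["proto"] = name
            elif name in PROTO_BY_NUMBER:
                out["proto"] = PROTO_BY_NUMBER[name]
            else:
                vendor["proto_name"] = value     # unknown protocol: vendor namespace
        elif key in ("srcip", "dstip"):
            (out if valid_ip(value) else vendor)[key] = value
        elif key in ("srcport", "dstport"):
            (out if valid_port(value) else vendor)[key] = value
        elif key in ("tos", "ttl", "offset"):
            vendor[key + "_str"] = value         # renamed vendor fields
        else:
            out[key] = value
    for key, value in vendor.items():
        out[VENDOR_NS + "." + key] = value
    return out


# Constructed sample: blocked inbound TCP SYN to port 22 (IPv4).
SAMPLE_TCP = ("5,,,1000000103,igb0,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,"
              "198.51.100.7,203.0.113.10,51234,22,0")

if __name__ == "__main__":
    print(normalize_pfsense(parse_filterlog_ipv4(SAMPLE_TCP)))
```

Fields that fail validation are kept rather than dropped, so the raw value is still searchable under the vendor namespace while normalized fields such as srcip only ever hold values that downstream alert logic can trust.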

Known Issues

  • When searching the Asset Analytics tab for an IP address, make sure you set the Search Column to Friendly Name, IP, or IP History. Searches for IP addresses with the Search Column set to its default value of All do not work correctly. This will be fixed in a later release.

  • The Cylance responder is unable to perform the Contain Host action due to a limitation from the Cylance REST API. All requests return a 500 Internal Server Error response.

  • Stellar Cyber recommends that you do not use the same login credentials to configure Azure or Azure Active Directory connectors for multiple tenants in the same company.

  • Windows Server Sensor installation can trigger the installation of Microsoft Visual C++ on the host machine if it is not installed already. If the installation of Visual C++ fails, the Windows Server Sensor may be unable to decode the token used to authorize and configure its installation, leaving it unable to register with the Stellar Cyber cloud. If this happens, use the following steps to proceed:

    1. Update and restart the host Windows machine to repair the Microsoft Visual C++ installation.

    2. Either reinstall the Windows Server Sensor or use the set token command in the Sensor CLI to authorize and configure the existing installation.

  • Log Forwarder only collects statistics for up to 100 different log source IPs per Log Forwarder worker. If the total number of log source IPs exceeds 100, statistics for the additional log source IPs are aggregated into the catch-all IP address of 0.0.0.0.

  • When multiple traffic filters are defined for a tenant with the same combination of IP, port, protocol, and layer 7 rules, the filter may fail to take effect. Administrators should review the defined traffic filters and make sure there are no duplicate definitions.

  • If you change the network interface configuration of a sensor’s VM after deployment, the eth0 interface may be remapped to a new interface. If this happens, the management network is disconnected. Contact Customer Success for assistance.

Upgrading Sensors

New features, updated ML algorithms, and enhanced configurations may change ingestion and detection patterns. We recommend the following to ensure a smooth upgrade:

  • Upgrade sensors in batches instead of all at once.

  • For Server Sensors:

    • Upgrade a small set of sensors that cover non-critical assets.

    • After 24 hours, ensure that your ingestion is as expected, then upgrade a larger set.

    • After 24 hours, ensure that your ingestion is as expected, then upgrade the remaining agent sensors.

    • If you are upgrading a Windows Server Sensor, complete any pending updates for the host Windows machine before upgrading the Server Sensor.