Stellar Cyber 5.2.0 Release Notes
Software Release Date:
Release Note Updated:
This release note lists and describes all the exciting improvements in the Stellar Cyber Open XDR platform in the 5.2.0 release.
The release notes are organized into the following sections:
Highlights
The 5.2.0 release introduces several key features and improvements that enhance the Stellar Cyber Open XDR platform:
Alert Enrichment and Detection
- Enhanced alert enrichment for SMB traffic: Provides deeper insights into SMB Read/Write Anomalies.
- Detailed IDS rule enrichment: Adds comprehensive threat intelligence for various exploit anomalies.
- New ML alert type for abnormal Windows account password resets: Enables proactive security measures.
- Customizable time ranges for correlation: Provides customization of the correlation window in which new events are associated with an existing case, allowing more granular tuning of alerts and notifications and improved detection of slow-rate attacks and short-term user accounts.
- File Hash Enrichment: Provides more details on file hashes for Threat Intelligence.
Reporting and Visualization
- Faster alert reporting: Improves response times for Impossible Travel Anomaly and User Login Location Anomaly.
- Enhanced case analysis graphs: Offers clearer visualization of complex attack scenarios.
- Refined correlation strategy: Ensures every alert is assigned to a case.
Integrations and Standards
- Third-party alert integrations: Expands capabilities with Netskope, Sophos, Defender for Cloud, and Huntress.
- InSync Integrations: Introduces bi-directional integration between ServiceNow® and the Stellar Cyber case management system, enabling customers to collaborate across platforms and integrate seamlessly with existing workflows.
- MITRE framework update: Aligns threat intelligence with the latest industry standards.
Usability Enhancements
- Usability enhancements: Includes new case management dashboards, bulk actions, visibility into enriched fields, and enhanced observable insights, enabling faster triage and investigation of alerts as part of a case.
- Data visibility improvements: Features human-readable JSON timestamps and automatic log parser sync.
- Field Customization: Introduces key field customization for alerts created from Automated Threat Hunting (ATH) rules, giving analysts easier access to critical context information.
Platform and Infrastructure
- Product Roadmap Portal: Introduces a new product roadmap portal where you can request features and bug fixes, view and comment on others' requests, and vote for features you want to prioritize.
- Platform enhancements: Adds new API endpoints and single sign-on with Rippling to automate tasks and simplify user management.
- Sensor and connector enhancements: Introduces new ingestion ports and expanded connector support.
- System Action Center: Enhances the System Action Center with Slack responses and many new rule types.
Data Processing and Parsers
- Data processor improvements: Offers tailored threat detection and increased context accuracy.
- New and improved parsers: Broadens the range of log sources monitored for more accurate threat detection and comprehensive security coverage.
Actions Required
- If you're using the Duo Security connector, update any custom Automated Threat Hunting (ATH) rules that use Duo Security fields to instead use the "duosecurity" namespace. For more information, see AELDEV-45957 in Improvements: Connectors.
- Update any egress firewall rules to allow Network Time Protocol (NTP) traffic on UDP port 123 to the updated list of NTP servers.
- Update any configurations with field changes noted in the Behavior Changes section.
Behavior Changes
Changes that affect the way users interact with the product or interpret results are listed below.
- If any uses of the public API rely on the API layer to add parameters automatically (for example, global case settings), they must be updated to pass those parameters explicitly.
- The srcip_type and dstip_type fields in documents might change value based on the srcip and dstip MAC address values.
- The alert types with Azure AD have been renamed to Microsoft Entra ID. This change applies only to the display name of the affected alert types (xdr_event.display_name); the internal event name (xdr_event.name) is unchanged, so queries and rules that match on xdr_event.name continue to work, while anything that matches on the display string must be updated. The following alert types have this name change: Azure AD Apps Modified To Allow Multi-Tenant Access → Microsoft Entra Apps Modified To Allow Multi-Tenant Access, Azure AD Custom Domains Changed → Microsoft Entra Custom Domains Changed, and AzureADRiskDetection → Microsoft Entra RiskDetection (third-party alert integration). The name change also applies to alert descriptions and other display strings in alerts and rules.
- Trend Micro Apex Central CEF parser: deviceprocessname is moved from msg_data to the vendor field.
- McAfee Firewall parser: Unsupported values in the protocol field are moved into the vendor namespace, while supported values are still normalized as proto.
- Netflow parser: This parser no longer puts all fields into msg_data. Except for the srcip, dstip, srcport, dstport, proto, inbytes_delta, and inpkts_delta fields, all other fields are now under netflow.
- Barracuda Firewall parser: proto_name is normalized into proto when possible.
- Mako Networks Firewall parser: A proto: <proto-name> key-value pair is kept as proto: <proto-name> when the value is icmp, igmp, tcp, or udp. Any other value is stored under the vendor namespace.
- Mako Networks Firewall parser: The action field moved from msg_data to the top level.
- Ubiquiti UAP-AC-Pro parser: The whole message part is kept in the log.event_description field for wcad logs.
- Ubiquiti UAP-AC-Pro parser: The ubiquiti.wevent_type field is renamed to ubiquiti.event_type.
- ProofPoint parser: The following key list was added:
  ["process_name", "process_id", "s", "m", "x", "mod", "cmd", "rule", "dkimresult", "spfresult", "duration", "value", "routes", "rcpt_routes", "rcpt_notroutes", "data_routes", "data_notroutes", "to", "delay", "xdelay", "mailer", "tls_verify", "tls_version", "cipher", "pri", "relay", "dsn", "stat", "from", "size", "class", "nrcpts", "msgid", "proto", "daemon", "auth", "version", "verify", "bits", "reply", "ctladdr", "STARTTLS", "msg"]
  Any fields that come from key-value pairs whose keys aren't in the list are stored in msg_data.
- Sophos Firewall parser: device is normalized into sophos.device.
- Cisco Meraki parser: device is normalized into cisco.device.
- The schema for the PUT /connect/api/v1/users/{id} API endpoint no longer requires the name field as of the 5.2.0 release. Existing API requests that include the name field will not break in 5.2.0; the name field is simply ignored if included in a PUT or PATCH request to the users API endpoint.
- Users should no longer be configured with duplicate email addresses. Currently, the username and email address are discrete fields, with the username being the unique identifier. In an upcoming release, these fields will be consolidated, with the email address becoming the unique identifier for a user. Administrators should begin updating their user accounts to ensure no two users have the same email address.
- In previous releases, the names of applications and protocols appeared in the user interface in uppercase, mixed case, and lowercase formats, sometimes resulting in multiple similar entries differing only by case (for example, syslog, SYSLOG, Syslog, and SysLog). To reduce the number of entries, Stellar Cyber now combines them into one entry with a lowercase name: syslog, SYSLOG, Syslog, SysLog → syslog. A possible exception to the use of lowercase application names is user-configured custom applications (System | Traffic Filters | Custom Applications). For custom applications, Stellar Cyber displays the name in whatever case the user defined it.
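The parser changes above share one routing rule: a value goes to a top-level normalized field when the parser recognizes it, to the vendor namespace when it is vendor-specific or carries an unsupported value, and to msg_data otherwise. The following Python is an added illustration of that rule written for this page; it is not Stellar Cyber's parser code. The key/value syntax, the shortened ProofPoint key list, and the Mako key iface are assumptions made for the example.

```python
import re
from typing import Any, Dict

# Core fields kept at the top level of a normalized record: the seven fields
# the Netflow change lists, plus `action`, which the Mako change moves to the top.
TOP_LEVEL_FIELDS = {"srcip", "dstip", "srcport", "dstport", "proto",
                    "inbytes_delta", "inpkts_delta", "action"}

# Protocol names that are normalized into `proto` (Mako, McAfee, Barracuda);
# any other value stays in the vendor namespace with its original spelling.
SUPPORTED_PROTO = {"icmp", "igmp", "tcp", "udp"}

# Per-vendor key lists. Keys in the list land under the vendor namespace; keys
# outside it fall through to msg_data (the ProofPoint rule). The ProofPoint
# entries are a subset of the page's list; the Mako key `iface` is assumed.
KNOWN_KEYS = {
    "proofpoint": {"relay", "stat", "dsn", "from", "to", "msgid", "tls_version"},
    "mako": {"iface"},
}

# Accepts both `key=value` and `key: value`; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)[=:]\s*("[^"]*"|\S+)')


def parse_kv(msg: str) -> Dict[str, str]:
    """Split a key/value message into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in KV_RE.findall(msg)}


def normalize(vendor: str, msg: str) -> Dict[str, Any]:
    """Route each pair to the top level, the vendor namespace, or msg_data."""
    record: Dict[str, Any] = {}
    vendor_ns: Dict[str, str] = {}
    msg_data: Dict[str, str] = {}
    for key, value in parse_kv(msg).items():
        if key == "proto":
            if value.lower() in SUPPORTED_PROTO:
                record["proto"] = value.lower()
            else:
                vendor_ns["proto"] = value          # unsupported protocol name
        elif key in TOP_LEVEL_FIELDS:
            # ports and counters are numeric; addresses and action stay strings
            record[key] = int(value) if key.endswith(("port", "_delta")) else value
        elif key in KNOWN_KEYS.get(vendor, set()):
            vendor_ns[key] = value
        else:
            msg_data[key] = value
    if vendor_ns:
        record[vendor] = vendor_ns
    if msg_data:
        record["msg_data"] = msg_data
    return record


if __name__ == "__main__":
    # Constructed sample lines, not captured logs.
    print(normalize("mako", "action=block proto: gre srcip=10.0.0.5 dstip=203.0.113.9 iface=wan1"))
    print(normalize("proofpoint", "relay=mail.example.net stat=Sent dsn=2.0.0 xforward=bar"))
```

With the Mako line, gre is not a supported protocol name, so it lands under mako.proto while srcip, dstip and action stay at the top level; in the ProofPoint line, xforward is outside the key list and is parked in msg_data. Saved searches and ATH rules that referenced msg_data.<key> or a top-level key that has moved are what to check after the upgrade.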
Deprecations
- The Company Trends page is no longer available.
- Azure Security Center was renamed, and this content type is deprecated from the Azure Event Hub connector.
- The Sophos alert type for Malware on Disk, which also has a detection for Windows Defender for Endpoint, is deprecated. The new Sophos alert integration covers the same alerts.
- The normalization fields sha256, group, and threat are deprecated and will be changed in a future release.
Critical Bug Fixes
- AELDEV-46016: Updated the OpenSSH package to mitigate CVE-2024-6387.
  The OpenSSH version previously packaged with several software components for Stellar Cyber sensors was vulnerable to CVE-2024-6387 (the OpenSSH server signal-handler race known as regreSSHion). The packaged version has been updated to one that is not susceptible to this vulnerability.
- AELDEV-45953: Resolved an issue where duplicate cases were created for the same alert.
  Fixed an issue where, in certain scenarios, duplicate cases were created for the same alert. The case management system now handles alerts correctly to avoid duplication, providing more accurate and streamlined case tracking.
- AELDEV-45924: Fixed a data parsing issue so that sensor notifications are sent correctly.
  Resolved sensor notification failures caused by a data parser error.
- AELDEV-45880: Fixed the enrichment logic for the username and Security Identifier (SID) used in Windows logon events.
  Fixed the logic for enriching srcip_username and srcip_usersid in Windows Server Sensors for events with event ID 4624 and Logon Types 2 and 7. The enrichment now uses TargetUserSid and TargetUserName unconditionally, ensuring accurate data matching for those fields.
- AELDEV-45703: Enhanced Sigma rule detection for Windows events by implementing case-insensitive matching on critical fields.
  Improved case-insensitive matching for multiple critical fields in the Windows event Sigma rule processing pipeline, covering process names, target identifiers, application details, user information, computer names, and service-related fields. This improves Sigma rule detection without requiring changes to existing rules or additional user configuration.
- AELDEV-45444: Resolved errors with Syslog index string searches in the Stellar Cyber UI and Kibana.
  Resolved an issue that caused errors when performing basic string searches in the Stellar Cyber UI and Kibana by increasing the search limit to accommodate larger queries.
- AELDEV-45146: Addressed an issue that resulted in false positives during Mimikatz Credential Dump detection.
  Resolved an issue with detection filter matching so that legitimate software operations are not misidentified as malicious activity.
- AELDEV-45126: Addressed an issue where enabling Rule Detection entered an "in progress" state and failed to complete.
  The Stellar Cyber Platform now supports hosts that do not have the SSSE3 instruction set extension, so rule-based detection can operate across a wider range of hardware environments.
- AELDEV-45043: Enabled an ingestion target limit in the ngSaaS portal.
  The ingestion limit line on the license page was enabled in the ngSaaS portal.
- AELDEV-44987: Fixed false positives in the Internal Password Spraying alert.
  The Internal Password Spraying alert detection was updated to consider the number of unique usernames experiencing login failures rather than the total count of failures. This change addresses the false positives caused by machine (computer) accounts, whose names end with $, and improves detection accuracy by focusing on distinct user login attempts.
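To see why counting raw failures misfires, here is an added Python illustration (not Stellar Cyber's detection code) that replays constructed failed-logon records through both heuristics: total failures per source versus distinct non-machine accounts per source within a sliding window. The threshold, window length, and record layout are assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

# Constructed failed-logon records (timestamp, source IP, account); not real
# telemetry. 10.1.1.7 is a workstation repeatedly failing with its own machine
# account, 10.1.1.9 tries one password against five different users, and
# 10.1.1.20 hammers a single user (brute force, not a spray).
FAILED_LOGONS: List[Tuple[str, str, str]] = [
    ("2024-08-01T09:00:00", "10.1.1.7", "WS-0421$"),
    ("2024-08-01T09:00:30", "10.1.1.7", "WS-0421$"),
    ("2024-08-01T09:01:00", "10.1.1.7", "WS-0421$"),
    ("2024-08-01T09:01:30", "10.1.1.7", "WS-0421$"),
    ("2024-08-01T09:02:00", "10.1.1.7", "WS-0421$"),
    ("2024-08-01T09:02:30", "10.1.1.7", "WS-0421$"),
    ("2024-08-01T09:01:00", "10.1.1.9", "Bob"),
    ("2024-08-01T09:02:00", "10.1.1.9", "carol"),
    ("2024-08-01T09:03:00", "10.1.1.9", "dave"),
    ("2024-08-01T09:04:00", "10.1.1.9", "erin"),
    ("2024-08-01T09:05:00", "10.1.1.9", "frank"),
    ("2024-08-01T09:00:00", "10.1.1.20", "alice"),
    ("2024-08-01T09:00:10", "10.1.1.20", "alice"),
    ("2024-08-01T09:00:20", "10.1.1.20", "alice"),
    ("2024-08-01T09:00:30", "10.1.1.20", "alice"),
    ("2024-08-01T09:00:40", "10.1.1.20", "alice"),
]


def is_machine_account(account: str) -> bool:
    """Windows computer accounts are named with a trailing '$'."""
    return account.endswith("$")


def noisy_sources(events: Iterable[Tuple[str, str, str]], threshold: int = 5) -> Set[str]:
    """The pre-fix heuristic: total failures per source, no account filtering."""
    counts = Counter(srcip for _, srcip, _ in events)
    return {srcip for srcip, n in counts.items() if n >= threshold}


def spraying_sources(events: Iterable[Tuple[str, str, str]], threshold: int = 5,
                     window: timedelta = timedelta(minutes=10)) -> Dict[str, List[str]]:
    """The corrected heuristic: distinct non-machine accounts per source inside a
    sliding window. Returns srcip -> sorted accounts for sources at the threshold."""
    by_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, srcip, account in events:
        if is_machine_account(account):
            continue                      # computer accounts never count toward a spray
        by_src[srcip].append((datetime.fromisoformat(ts), account.lower()))

    hits: Dict[str, List[str]] = {}
    for srcip, items in by_src.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1            # slide the window forward
            distinct = {acct for _, acct in items[start:end + 1]}
            if len(distinct) >= threshold:
                hits[srcip] = sorted(distinct)
                break
    return hits


if __name__ == "__main__":
    print("old heuristic:", sorted(noisy_sources(FAILED_LOGONS)))
    print("new heuristic:", spraying_sources(FAILED_LOGONS))
```

The old heuristic flags all three sources, including the workstation failing with its own machine account and the single-user brute force; the distinct-account version flags only 10.1.1.9. Lower-casing the account before counting matters because Bob and bob would otherwise be counted as two users.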
- AELDEV-44808: Resolved an issue with CPU spikes on Windows Server Sensors.
  This update addresses a CPU usage spike on Windows Server Sensors and mitigates server freezes experienced in high memory usage scenarios. The new setting is applied automatically; no user intervention is required unless manual monitoring is needed.
- AELDEV-44659: Resolved an issue with the UI running out of memory when viewing Generic S3 logs.
  Addressed an issue where the UI consumed excessive memory when View Events was selected for Generic S3 logs. Improvements were made to ensure a smoother user experience while viewing logs.
- AELDEV-44530: Resolved an issue with the rule parent_child_55 causing false positives for legitimate system operations.
  Corrected the rule parent_child_55, "Unusual Parent-Child Relationship", to prevent false positive alerts when the Windows system process smss.exe is legitimately started by the system. Normal Windows operations involving smss.exe no longer trigger security alerts, improving the accuracy of Stellar Cyber threat detection.
- AELDEV-44506: Fixed an issue with assignee filter queries.
  Resolved an issue where the assignee filter did not behave correctly when the assignee's name contained special characters. Filter results now accurately reflect the selected assignee.
- AELDEV-44504: Adjusted the Port Scan Anomaly alert type to reduce false positives.
  Fixed a bug that sometimes caused firewall data to incorrectly trigger Port Scan Anomaly alerts with the subtype "Connection Failure Anomaly (Sensor Traffic)".
- AELDEV-44478: Resolved an issue in which the query builder didn't save pasted content.
  Addressed a bug where the query builder remained empty after content was pasted from the right-click context menu. Content pasted this way is now correctly recognized and saved.
- AELDEV-44356: Resolved a Windows Server sensor connection issue, ensuring that processes use the correct Stellar Cyber Platform port.
  Corrected the behavior of the Windows Server sensor processes download_image.exe and post_file.exe so that only post_file.exe initiates connections to the Stellar Cyber Platform on TCP port 443. This prevents other processes from unnecessarily attempting connections, enhancing system efficiency and security compliance.
- AELDEV-44270: Reduced false positives for two security rules.
  Two security rules, windows_security_169 and process_creation_commandline_15, were updated to minimize false positives. The windows_security_169 rule now uses the latest SigmaHQ version with additional process name filters. The process_creation_commandline_15 rule now detects based solely on hostip, addressing the high variability in command lines.
- AELDEV-44198: Resolved an issue that prevented global settings adjustments due to a session timeout validation error.
  Fixed a regression where the system enforced an invalid session timeout setting, preventing modifications to global settings. Session timeouts configured to 0 are now automatically updated to 60 to comply with the new validation rules, so configurations can be updated without errors.
- AELDEV-43990: Resolved an issue where the expiration date shown on the System | License page did not update.
  Addressed an issue where the license expiration date shown on the System | License page did not update when a new license was applied.
- AELDEV-43985: Resolved an issue with reverting isolation actions in Defender for Endpoint integrations.
  Fixed the revert action for Defender for Endpoint by ensuring the action_type parameter is included in revert requests. This rectifies the inability to revert isolation actions on endpoints, ensuring operational consistency and reliability.
- AELDEV-43922: Corrected an error with Office 365 connectors where start and end times were not properly specified.
  Resolved an issue that caused Office 365 connectors to fail when fetching data due to incorrect handling of start and end times. Time intervals are now kept less than 24 hours apart and the time-split logic was modified to prevent overlaps, eliminating "Start time and End time must both be specified" errors.
- AELDEV-43913: Resolved an issue where the min_score parameter in the Cases API wasn't returning expected results.
  Addressed an issue in the Cases API where the min_score argument returned at most one case despite a higher limit setting, or failed to return any results. The min_score argument now functions as intended, filtering cases by minimum score.
- AELDEV-43889: Resolved a decode issue with the generic S3 connector that prevented correct data parsing.
  Addressed a decoding error in the generic S3 connector that prevented it from properly downloading and parsing S3 object data due to a UTF-8 codec incompatibility. Error handling and decoding were modified to ensure compatibility with diverse data formats, resulting in successful data retrieval and display in the Threat Hunting module.
- AELDEV-43871: Correctly enriched IPv6 addresses as public or private.
  The enrichment process for IPv6 addresses has been updated. Previously, certain IPv6 addresses were mistakenly enriched as multicast. The process now correctly identifies and enriches IPv6 addresses as either public or private. Specifically, IPv6 multicast addresses are identified by the ff00::/8 prefix, and private (unique local) IPv6 addresses fall within the fc00::/7 range. This change ensures accurate classification in the srcip_type field.
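An added Python example, not Stellar Cyber's enrichment code, that applies the prefixes named above (ff00::/8 for multicast, fc00::/7 for private) together with the usual IPv4 private and multicast ranges. It goes slightly beyond the note by labelling loopback and link-local addresses as reserved rather than public, and by returning invalid for values that are not addresses at all; both are choices made for this example, and the label strings are assumptions rather than the platform's own srcip_type values.

```python
import ipaddress
from typing import Dict

# Prefixes spelled out rather than hidden behind library properties so the
# classification rule is visible. Label strings are assumptions for the example.
IPV6_MULTICAST = ipaddress.ip_network("ff00::/8")
IPV6_PRIVATE = ipaddress.ip_network("fc00::/7")        # unique local addresses
IPV4_MULTICAST = ipaddress.ip_network("224.0.0.0/4")
IPV4_PRIVATE = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ip_type(addr: str) -> str:
    """Classify an address as multicast, private, reserved, public or invalid."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return "invalid"          # never guess a type for a malformed value
    if ip.version == 6:
        if ip in IPV6_MULTICAST:
            return "multicast"    # checked first: this is the range that was misapplied
        if ip in IPV6_PRIVATE:
            return "private"
    else:
        if ip in IPV4_MULTICAST:
            return "multicast"
        if any(ip in net for net in IPV4_PRIVATE):
            return "private"
    # Loopback and link-local are neither routable nor private in the fc00::/7
    # sense; giving them their own label is this example's choice.
    if ip.is_loopback or ip.is_link_local:
        return "reserved"
    return "public"


def enrich(record: Dict[str, str]) -> Dict[str, str]:
    """Add srcip_type / dstip_type beside srcip / dstip in a copy of the record."""
    out = dict(record)
    for field in ("srcip", "dstip"):
        if field in record:
            out[field + "_type"] = ip_type(record[field])
    return out


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    for sample in ("ff02::1", "fd12:3456:789a::1", "2001:db8::1", "fe80::1", "10.2.3.4"):
        print(sample, "->", ip_type(sample))
```

Checking multicast before the private range matters only for ordering clarity here, since ff00::/8 and fc00::/7 do not overlap; the point of the fix was that unicast addresses were being placed in the multicast bucket at all.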
- AELDEV-43794: Resolved an issue where modifications to the Log Source configuration required manual restarts to take effect.
  Addressed an issue where the Log Source configuration would not update after new rules were added or existing ones were modified until aella_conf was manually restarted. Safeguards were added and log output was improved for better troubleshooting, so configurations now update as expected without manual service restarts.
- AELDEV-43793: Corrected key usage for Event ID 4703, enabling Token Right Adjusted Event reporting after upgrading to 5.1.1.
  Previously, Windows Server sensors failed to report Event ID 4703 (Token Right Adjusted Events / Non Sensitive Privilege Use / User / Device Claims) due to incorrect key configurations. These keys were fixed as part of the 5.1.1 upgrade, restoring accurate event reporting and closing the reporting gap experienced before the upgrade.
- AELDEV-43732: Fixed an issue preventing proper loading of dashboards and charts with certain RBAC settings.
  Resolved a problem where dashboards, charts, queries, and correlations failed to load correctly for users with specific RBAC settings, particularly when any of these components were disabled. All components now load correctly regardless of RBAC configuration.
- AELDEV-43602: The Revert User Action is now visible for all successful Disable User actions.
  On the Respond | Actions | User Actions page, the Revert option was not shown in the Actions column for all successful Disable User actions. The Revert option is now consistently visible for all applicable actions.
- AELDEV-43451: Resolved an issue preventing case creation from pre-upgrade alerts.
  Fixed a bug where cases could not be created from alerts generated before the 5.1.1 upgrade due to incorrect stellar_index_id values. A check now ensures the correct index value is used, allowing case creation from any alert after the upgrade.
- AELDEV-43409: The SentinelOne connector now uses updated credentials after configuration adjustments.
  Resolved an issue where the SentinelOne connector failed to use the most recently updated credentials, resulting in 401 Unauthorized errors during data pulls. Credentials are now refreshed when the connector configuration is updated.
- AELDEV-43407: Corrected the threat intelligence feed name from abuse.sh to abuse.ch.
  A typographical error in the threat intelligence feed name was corrected from abuse.sh to abuse.ch, ensuring malicious URLs are corroborated against the correct threat intelligence source.
- AELDEV-43403: Restored the Operation field to the Interflow Dictionary.
  From 5.1.1, this field was replaced by office365.Operation and event_data.Operation, which contained different information. Additionally, Windows Operation appeared under documents in user searches but wasn't included in the Interflow Dictionary. These on-premises fields have been added back in 5.2.0.
- AELDEV-43402: Resolved a traceback in aella_cli on Amazon Linux 2023 that led to repeated cron emails.
  Addressed an exception in aella_cli where sorting processes by CPU usage could crash on NoneType comparisons with floats, causing cron to send repeated error emails. None values are now handled appropriately without disrupting cron.
- AELDEV-43398: Adjusted the GET /cases API call to return results based on client-specified parameters.
  The GET /cases API was modified to return results based solely on the parameters passed by the client, ensuring transparency in API interactions and consistency with client settings. All automatic parameter settings in the API layer have been removed, so clients must explicitly pass the parameters their queries need.
- AELDEV-43396: Disabled remote access to Nessus management port 8834.
  Nessus management port 8834 on modular sensors is no longer remotely accessible, which removes an externally reachable path to the Nessus web server. If you used this port for direct Nessus web server access, note that this functionality is deprecated.
- AELDEV-43395: Resolved an issue with Windows Server sensor 4.3.7 being incorrectly flagged as malicious by Google and Ikarus.
  4.3.7 Windows Server sensors were mistakenly identified as malicious by Google and Ikarus because of an outdated installer version. Upgrading to the latest installer version addressed the false positives, so the sensor is no longer flagged, and maintains the integrity of Stellar Cyber software.
- AELDEV-43296: Addressed incidents and alerts triggered by old events due to Office 365 API delays.
  Resolved an issue where incidents and alerts were erroneously triggered by events dated a few weeks prior. The root cause was delayed data retrieval from the Office 365 API.
- AELDEV-43251: Resolved an issue with unsorted volume usage.
  Addressed an issue where the volume usage rollover display in the System | Licensing | Volume Usage section was not sorted in descending order by ingestion volume.
- AELDEV-43244: Updated alert suppression logic for emerging threats to include both source and destination IPs.
  Emerging threat alerts now use a suppression mechanism keyed on the source IP (srcip) and destination IP (dstip) pair. Alerts are triggered once per distinct srcip-dstip pair within a 24-hour period, improving detection accuracy and alert specificity for emerging threats.
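An added Python illustration of the (srcip, dstip) suppression described above; this is not Stellar Cyber's implementation. It replays constructed hits through a suppressor keyed on the pair and, for comparison, one keyed on srcip alone, which is the behaviour that would hide a second destination. Measuring the 24-hour window from the last emitted alert for the key is an assumption of the example.

```python
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Sequence, Tuple

# Constructed emerging-threat hits (not real data): one source talks to two
# destinations on day one and to the first destination again a day later.
HITS: List[dict] = [
    {"id": 1, "timestamp": "2024-08-01T00:00:00", "srcip": "198.51.100.4", "dstip": "10.0.0.8"},
    {"id": 2, "timestamp": "2024-08-01T00:05:00", "srcip": "198.51.100.4", "dstip": "10.0.0.8"},
    {"id": 3, "timestamp": "2024-08-01T00:10:00", "srcip": "198.51.100.4", "dstip": "10.0.0.9"},
    {"id": 4, "timestamp": "2024-08-02T00:30:00", "srcip": "198.51.100.4", "dstip": "10.0.0.8"},
]


class AlertSuppressor:
    """Emit at most one alert per key within `window`, measured from the alert
    last emitted for that key (an assumption of this example)."""

    def __init__(self, key_fields: Sequence[str] = ("srcip", "dstip"),
                 window: timedelta = timedelta(hours=24)) -> None:
        self.key_fields = tuple(key_fields)
        self.window = window
        self._last_emitted: Dict[Tuple[str, ...], datetime] = {}

    def should_emit(self, event: dict) -> bool:
        key = tuple(event[f] for f in self.key_fields)
        ts = datetime.fromisoformat(event["timestamp"])
        last = self._last_emitted.get(key)
        if last is not None and ts - last < self.window:
            return False              # same key inside the window: suppress
        self._last_emitted[key] = ts
        return True


def emitted_ids(events: Iterable[dict],
                key_fields: Sequence[str] = ("srcip", "dstip")) -> List[int]:
    """Replay events in time order and return the ids that survive suppression."""
    suppressor = AlertSuppressor(key_fields)
    ordered = sorted(events, key=lambda e: e["timestamp"])
    return [e["id"] for e in ordered if suppressor.should_emit(e)]


if __name__ == "__main__":
    print("pair key:  ", emitted_ids(HITS))
    print("srcip only:", emitted_ids(HITS, key_fields=("srcip",)))
```

Keyed on the pair, hit 3 (a new destination) is emitted and hit 4 is emitted again once the 24 hours have elapsed; keyed on srcip alone, hit 3 would have been silently dropped, which is exactly the gap the change closes.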
AELDEV-43223: Enhanced Office 365 normalization for Azure Active Directory (AD) and Office 365 events correlation.
Implemented two enhancements to improve incident correlation between Azure AD and Office 365 events. First, when a valid
UserKey
value exists, it is now utilized forsrcip_usersid
. Second, normalization rules were updated to ensuresrcip_username
values are consistently lowercase, enhancing the accuracy of event correlation. -
AELDEV-43221: System Action Center now respects global alert threshold settings for case creation notifications.
Adjusted System Action Center behavior to adhere to the global setting for the number of alerts required to trigger case creation notifications. Previously, it would default to 2 regardless of global settings, causing inconsistency. This issue is now resolved to ensure uniformity in alert management.
-
AELDEV-43197: Resolved an issue with a missing member name in Windows Event 4732.
The missing member name in Windows Event 4732 records was due to missing data being in the original event. Records now accurately reflect the source data.
-
AELDEV-43176: Fixed an error encountered with the filter case time range selection.
Resolved an issue where selecting an invalid time range in the Cases page filter resulted in persistent errors, even after correction. Custom validation logic now ensures accurate error handling, improving user experience.
-
AELDEV-43077: Optimized memory usage on the volume usage tab.
Enhanced the performance of the volume usage page by limiting the display to the top 100 tenant volumes per day and refining data processing to reduce memory consumption significantly. Further optimizations targeted at UI settings were also initiated.
-
AELDEV-43049: Enhanced User Process Usage Anomaly alert type by improving event record handling and user consistency.
Implemented logic to enhance User Process Usage Anomaly alert type to ensure accurate and consistent user attribution.
-
AELDEV-43033: Improved the interflow dictionary filter functionality.
Enhanced the functionality of the interflow dictionary by ensuring the packing chartf accurately reflects the initial query filters set for the view. This update critically aligns displayed match fields with user expectations and specified filtering criteria.
-
AELDEV-42899: Fixed the Proofpoint TAP alerts integration to generate alerts for clicksPermitted events.
Improved the integration with Proofpoint Targeted Attack Protection (TAP) alerts. The alerts include
clicksPermitted
events,messageBlocked
events, andmessageDelivered
events. This ensures high fidelity alerting for incidents detected through the Proofpoint TAP connector. -
AELDEV-42814: Resolved an issue where Windows Server sensor updates via the user interface were failing without clear error feedback.
Addressed a problem where attempts to update the Windows Server sensor via the user interface were unsuccessful, without providing users with any indication of what went wrong. This issue was caused by failures in creating or executing the scheduled task for the update process and has been resolved so that updates now proceed as expected.
-
AELDEV-42805: Refactored the Cato Networks connector to use generators, reducing memory usage.
Implemented the use of generators in the Cato Networks connector to optimize memory utilization. This enhancement ensured efficient memory usage without altering the connector's functionality.
-
AELDEV-42784: Enhanced debugging for Connector(s) Silent notifications to address false positives.
Implemented additional debugging information for
Connector(s) Silent
notifications to better identify and mitigate false positives. The update aims to enhance diagnostic capabilities by capturing more detailed activity logs, enabling more efficient issue resolution and verification of connector health. -
AELDEV-41642: Normalized Cloudflare IP addresses for geolocation and reputation enrichment.
The
ClientIP
field in Cloudflare logs was normalized tosrcip
for enhanced geolocation and reputation enrichment. This update allows for more effective analysis of geolocation data and reputation scores based on collected IP addresses from Cloudflare logs, improving overall data processing and threat detection capabilities. -
AELDEV-41181: Resolved an issue where device sensors with either IDS or local file assembly enabled in their sensor profiles did not detect 802.1q VLAN tags correctly.
Addressed a defect where 802.1q VLAN tags were not recognized by sensors using the AF_PACKET driver. This correction ensures VLAN tags are detected accurately, enhancing network traffic analysis and sensor functionality across varying configurations.
-
AELDEV-40945: Resolved an issue where xdr_event.description was not displayed in Dashboard Custom Charts.
Addressed the problem causing
xdr_event.description
to be absent in Dashboard Custom Charts by updating configurations that ensure descriptions are included for built-in rules, specifically forExploited C&C Connection
events. This enhanced visibility and data comprehension in dashboard visualizations. -
AELDEV-40813: Fixed an issue with DNS resolution that required aggregators to be manually restarted after changing the Stellar Cyber Platform IP address or hostname.
Addressed an issue where changing the IP address for the Stellar Cyber Platform or its domain required the proxy service on the aggregator to be manually restarted. Updates are now automatically detected and no manual restart of services is required.
-
AELDEV-39509: Enhanced the calculation of memory usage by adding available memory statistics.
Addressed a discrepancy with memory usage by including available memory statistics in the system's memory calculation. This enhancement corrects the display of memory usage to reflect the system's available memory, leading to more accurate system monitoring and diagnostics.
-
AELDEV-39408: Fixed an issue when cases associated with an alert weren't displayed on the Alert Details page.
Fixed an issue when an associated case wasn't displayed on the Alert Details page if the alert was the only one associated with the case or if some score calculations were missing. Note: The minimum number of alerts and minimum case score specified in Global Case Settings (Cases |
) don't affect whether an associated case appears on the Alert Details page.
-
AELDEV-39265: Enhanced detection of non-deletion account modifications in Office 365.
Implemented a change to accurately detect account modifications versus deletions. This enhancement allows for more precise filtering of alerts related to account status changes without misclassifying modified accounts as deleted.
-
AELDEV-38390: Fixed an issue with click-and-drag operations in Firefox.
Resolved an issue where click-and-drag operations did not work correctly in some pages when using Firefox.
-
AELDEV-38215: Resolved an issue with alert filters not functioning as configured.
Addressed a problem where specific alert filters failed to catch alerts as intended. This involved correcting the functionality of filters to ensure they operate as configured and catch the correct events. The resolution ensures that filters now accurately exclude or include alerts based on specified parameters.
-
AELDEV-38019: Resolved an SSO configuration loss when upgrading from 4.3.5 to 4.3.7.
Addressed an issue where the SSO, timezone, and logo settings were lost when upgrading the Stellar Cyber Platform from 4.3.5 to 4.3.7. Upgrading to 4.3.7002 or later retains these settings during the upgrade process.
-
AELDEV-35961: Resolved the failure of the DNS query test button for the Active Directory (AD) connector.
Improved the ability of the AD connector to process DNS queries by ensuring a correct DNS server configuration. This addressed the issue where the test button previously failed due to an inability to perform DNS queries, even when the IP address was correctly specified as the server name. The adjustment ensures more reliable DNS resolution for AD connectors.
-
AELDEV-22614: Resolved an issue with the Windows agent services display.
Resolved an issue affecting a newly added Windows agent where the status of services were not displayed correctly and activity appeared stagnant for an extended period. The agent now correctly reports activity status and displays running services properly in the UI.
-
DATA-1991: Improved the Versa Network Firewall parser to support more formats.
Improved the Versa Network Firewall parser to support the new header format. The parser also now checks the values of the top-level IP and MAC fields; fields with invalid values are moved into the vendor namespace with their original field name. It now also supports additional values for the protocol fields protocolIdentifier and ipsProtocol.
-
DATA-1950: Updated the OpenVPN parser to support new log formats and authentication results.
Enhanced the OpenVPN parser to parse and recognize new log formats directly from Ubuntu installations of OpenVPN, including detailed authentication success and failure log entries. Adjustments and additions were made to regex patterns to support these variations, improving log data parsing fidelity.
-
DATA-1895: Enhanced the pfSense Firewall parser for better OpenVPN log field parsing.
The pfSense Firewall parser was upgraded to parse additional fields from OpenVPN logs, enhancing log analysis capabilities. Modifications included new regex patterns and parsing logic to accurately extract and process more data points from log entries.
-
DATA-1808: Fixed an issue in the McAfee Firewall parser.
Resolved an issue in the McAfee Firewall parser in which the fields mcafee.pri and mcafee.time were parsed out from the syslog header and normalized as log.syslog.priority and log.syslog.timestamp. The time field is normalized as log.syslog.time_str when it is not in a supported format.
-
DATA-1450: Resolved an issue where logs sent to port 5149 caused a parser_raw_msg not found warning.
Fixed a bug where sending logs to port 5149 generated a parser_raw_msg does not exist error due to an internal configuration misalignment. This was resolved to correctly process the incoming log records.
-
DATA-1444: Enhanced Ubiquiti log parsing to process and normalize protocol names and Type of Service (TOS) values.
Updated the Ubiquiti log parser to correctly extract and normalize proto_name from the message data to the top-level attribute, and to ensure the TOS values are correctly parsed as integers, including handling of hexadecimal values. This enhancement ensures accurate data representation and improves compatibility with downstream processing and analytics.
-
DATA-850: Fixed parsing inconsistencies for proto and duration fields in Ericom ZTEdge logs.
Resolved issues with Ericom ZTEdge logs where proto field values were incorrect and duration values were inaccurately rounded down. Implemented normalization rules to accurately parse and represent proto values and converted duration to a string (duration_str) to maintain precision. These changes ensure that log data is accurately represented and consistent with source values.
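The three parser fixes above (DATA-1991, DATA-1444 and DATA-850) share one pattern: validate or convert a field, and never silently drop or truncate a value that does not fit. The following is an added illustration of that pattern in Python, written for these notes; it is not Stellar Cyber parser code, and the field names (srcip, dstip, srcmac, dstmac, msg, proto, duration), the vendor namespace key and the sample records are assumptions constructed for the example.

```python
import ipaddress
import re
from typing import Any, Dict

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}$")
IP_FIELDS = ("srcip", "dstip")     # assumed top-level field names, not Stellar Cyber's schema
MAC_FIELDS = ("srcmac", "dstmac")


def is_valid_ip(value: str) -> bool:
    """True for any syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def normalize_versa(record: Dict[str, str], vendor_ns: str = "versa") -> Dict[str, Any]:
    """Keep well-formed top-level IP/MAC values; move malformed ones under
    vendor_ns with their original field name so nothing is silently dropped
    and the top-level fields stay well-typed for downstream analytics."""
    out: Dict[str, Any] = {}
    vendor: Dict[str, str] = {}
    for key, value in record.items():
        bad_ip = key in IP_FIELDS and not is_valid_ip(value)
        bad_mac = key in MAC_FIELDS and not MAC_RE.match(value)
        if bad_ip or bad_mac:
            vendor[key] = value
        else:
            out[key] = value
    if vendor:
        out[vendor_ns] = vendor
    return out


def parse_tos(raw: str) -> int:
    """TOS arrives as decimal ("16") or hex ("0x10"); return an int either way.
    Anything else raises ValueError so bad input is not quietly coerced."""
    text = raw.strip().lower()
    return int(text, 16) if text.startswith("0x") else int(text, 10)


def normalize_ubiquiti(record: Dict[str, str]) -> Dict[str, Any]:
    """Promote PROTO from the message body to top-level proto_name and store
    TOS as an integer."""
    out: Dict[str, Any] = dict(record)
    kv = dict(re.findall(r"(\w+)=(\S+)", record["msg"]))
    if "PROTO" in kv:
        out["proto_name"] = kv["PROTO"]
    if "TOS" in kv:
        out["tos"] = parse_tos(kv["TOS"])
    return out


def normalize_ericom(record: Dict[str, str]) -> Dict[str, Any]:
    """Carry the duration through as duration_str instead of rounding it to
    an integer, so sub-second values are not truncated to 0."""
    out: Dict[str, Any] = dict(record)
    out["duration_str"] = str(out.pop("duration"))
    return out


# Constructed sample records shaped like flattened parser output; they are
# not real Versa, Ubiquiti or Ericom log lines.
VERSA_SAMPLE = {
    "srcip": "10.1.2.3",
    "dstip": "not-an-ip",          # malformed: should land in the vendor namespace
    "srcmac": "00:11:22:33:44:55",
    "dstmac": "zz:zz:zz",          # malformed MAC
    "protocolIdentifier": "6",
}
UBIQUITI_SAMPLE = {
    "msg": "[WAN_IN-default-D] IN=eth0 OUT= SRC=192.0.2.1 DST=198.51.100.7 "
           "TOS=0x10 PROTO=TCP SPT=443 DPT=52000",
}
ERICOM_SAMPLE = {"proto": "6", "duration": "0.000374"}

if __name__ == "__main__":
    print(normalize_versa(VERSA_SAMPLE))
    print(normalize_ubiquiti(UBIQUITI_SAMPLE))
    print(normalize_ericom(ERICOM_SAMPLE))
```

The point worth taking from the example is the vendor-namespace move: a malformed address kept at the top level would either break type-based queries or be dropped, whereas parking it under the vendor key preserves the evidence for an analyst while keeping the normalized fields trustworthy.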
Detection/ML
New Features
-
AELDEV-44771: Introduced Avanan alerts integration.
Integrated Avanan alerts into the Stellar Cyber Platform. The integration supports alerts from both delivered and quarantined categories:
- Avanan (Delivered) with the assigned technique; for example, Avanan (Delivered): Phishing
- Avanan (Quarantined) with the assigned technique; for example, Avanan (Quarantined): Spam
-
AELDEV-43555: Added support for two new alert types in HYAS Protect logs: "DNS Query to TOR Proxy Domain" and "Phishing Domain with File Extension TLD".
Implemented a new feature that enables the ingestion of HYAS Protect logs. This integration includes support for detecting specific DNS queries to certain websites or top-level domains (TLDs). The enhancement includes new detection rules and alert types based on HYAS Protect DNS logging.
-
AELDEV-43554: Added support for Newly Registered Domains detection for HYAS Protect logs.
Added HYAS Protect logs into the existing Stellar Cyber detection of newly registered domains (alert type: Recently Registered Domains).
-
AELDEV-43309: Enhanced Threat Intelligence Platform (TIP) version 1.0 by enabling the ingestion of file hash Indicators of Compromise (IOCs) from key threat intelligence sources.
Introduced the following key enhancements:
- Expanded Sources for IOC Ingestion: File hash IOCs are pulled from respected threat intelligence feeds including AlienVault, DHS, http://Abuse.ch Threatfox, and Emerging Threats.
- Regular Synchronization: The ingestion process for file hash IOCs is synchronized on a regular schedule. This ensures that the most current and relevant threat data is integrated into the Stellar Cyber Platform, enhancing the timeliness and relevance of threat detection.
- Enhanced File Reputation Functionality: Integrating these file hash IOCs into detection pipelines significantly improves the ability of Stellar Cyber to assess and respond to file-based threats. This leads to more accurate and effective file reputation assessments throughout the network.
-
AELDEV-43166: Enriched IDS rule details in a multitude of ML alert types, notably around anomalies detected by Suricata rules.
Added Suricata IDS rule information (in ids.rule) to the alerts of the following IDS-related alert types: Private to Private Exploit Anomaly, Private to Public Exploit Anomaly, Public to Public Exploit Anomaly, Public to Private Exploit Anomaly, Internal IDS Signature Spike, and External IDS Signature Spike. These additions cover instances where such alerts did not previously contain correlated IDS rule data, enhancing visibility and context for security analysts. The update encompasses both internal and external IDS anomaly alert types across various network traffic.
-
AELDEV-42820: Improved the logic for detecting extended login failures to enhance user authentication security monitoring.
Added more nuanced detection capabilities to both User Login Failure and Account Login Failure alerts. The following key enhancements were added:
- Daily Alerts During Prolonged Attacks: Stellar Cyber generates daily alerts for ongoing prolonged attack attempts, ensuring continuous monitoring and prompt response.
- Detection of Lower Login Failure Rates: Added alerts for attack scenarios that exhibit lower rates of login failures. This enhancement helps in identifying and mitigating threats that might otherwise go undetected due to their subtlety.
- Adaptive Alert Logic: The detection model now more effectively follows the distribution of data, which can change constantly. It accumulates scores based on user activities, and an alert is triggered if the accumulated score crosses a predetermined threshold. This dynamic approach allows for more accurate detection of anomalies over various time frames without the need for a separate training period.
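The adaptive logic described above accumulates a score from login failures and alerts when the score crosses a threshold, which is what lets it catch low-rate attacks that a per-hour threshold never sees. The following is an added illustration, not Stellar Cyber's detection model: it uses a CUSUM-style accumulator (my choice of formulation), a per-hour baseline and threshold chosen for the example, and constructed hourly failure counts for two accounts, and it shows a fixed per-hour rule and the accumulated-score rule side by side, including the one-alert-per-day behaviour for a prolonged attack.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

START = datetime(2024, 1, 1, 0, 0)


def build_sample() -> Dict[str, List[int]]:
    """Constructed hourly login-failure counts over 48 hours (not real
    telemetry). "svc-backup" fails at a steady 3 per hour, which a per-hour
    threshold never catches; "alice" has a single noisy hour."""
    steady = [3] * 48
    noisy = [0] * 48
    noisy[10] = 12
    return {"svc-backup": steady, "alice": noisy}


def fixed_threshold_alerts(counts: Dict[str, List[int]], start: datetime,
                           per_hour: int = 10) -> List[Tuple[str, datetime]]:
    """Classic rule: alert on any single hour with at least per_hour failures."""
    alerts = []
    for account, hourly in counts.items():
        for i, failures in enumerate(hourly):
            if failures >= per_hour:
                alerts.append((account, start + timedelta(hours=i)))
    return alerts


def accumulated_score_alerts(counts: Dict[str, List[int]], start: datetime,
                             baseline: float = 1.0,
                             threshold: float = 20.0) -> List[Tuple[str, datetime]]:
    """CUSUM-style accumulation: each hour adds (failures - baseline) to a
    score floored at zero. A sustained small excess grows the score until it
    crosses the threshold; quiet hours let it decay, so no separate training
    period is needed. After a crossing the score restarts, and at most one
    alert per account per calendar day is emitted, so a prolonged attack
    produces a daily alert rather than a flood."""
    alerts = []
    for account, hourly in counts.items():
        score = 0.0
        last_alert_day = None
        for i, failures in enumerate(hourly):
            ts = start + timedelta(hours=i)
            score = max(0.0, score + (failures - baseline))
            if score >= threshold:
                if ts.date() != last_alert_day:
                    alerts.append((account, ts))
                    last_alert_day = ts.date()
                score = 0.0
    return alerts


if __name__ == "__main__":
    sample = build_sample()
    print("fixed threshold:", fixed_threshold_alerts(sample, START))
    print("accumulated score:", accumulated_score_alerts(sample, START))
```

With these inputs the fixed rule fires only on alice's burst, while the accumulated rule fires on svc-backup roughly ten hours into the steady failures and then once more the next day; the two detectors complement each other rather than replace one another. The baseline is the knob that decides what counts as excess, so it should track the account population's normal failure rate, not a global constant.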
-
AELDEV-42644: Introduced a new capability in Case Management to support a configurable correlation timeout.
Lets you specify the time window within which new alerts are considered for correlation into both new and currently open cases.
-
AELDEV-42639: Added alert subtypes for User Login Failure and Account Login Failure Anomalies and improved original record queries.
Enhanced External/Internal User Login Failure Anomaly and External/Internal Account Login Failure Anomaly alert types with specific subtypes to refine detection capabilities. Original record queries were refined for better precision, allowing a clearer analysis of the raw events that contribute to an alert. This update provides finer granularity in alerts and improves the accuracy and relevance of the original records presented.
-
AELDEV-41430: Enhanced the alert mapping for VMware Carbon Black alerts that lacked a threat_cause_category field.
Improved the integration with Carbon Black alerts by ensuring that alerts without the threat_cause_category field are now mapped to the appropriate stage in the Killchain. This update enhances threat visibility and response by addressing an issue where certain alerts were previously excluded from Killchain mapping.
-
AELDEV-39931: Expanded ML alert types to include IPS threat logs.
Enhanced machine learning alert types to integrate firewall IPS threat logs. Now firewall IPS threat logs contribute to alert types of Private/Public to Private/Public Exploit Anomalies, and Private/Public to Private/Public IPS Signature Spikes. The currently supported firewall IPS threat log sources are Fortigate, Palo Alto Networks, and SonicWall.
-
AELDEV-38041: Enhanced the User Asset Access Anomaly to add a subtype for SMB traffic with unusual user-asset access patterns.
Implemented a new alert subtype “SMB User Based” to alert type “User Asset Access Anomaly”. This identifies unusual user-asset access patterns over SMB traffic.
-
AELDEV-38032: Released new Sigma rules detecting suspicious Azure activity from Azure Activity Log.
Released new rules for Azure, sourced from SigmaHQ, to perform rule-based detection. These rules detect suspicious Azure activity using key detection fields, such as resourceId and operationName, from Azure Activity Log. The following 21 new alert types are added in this release:
- Azure Application Gateway Changed
- Azure DNS Zone Changed
- Azure New CloudShell Created
- Azure Security Configuration Changed
- Microsoft Entra Application Deleted
- Microsoft Entra Hybrid Health AD FS New Server
- Microsoft Entra Hybrid Health AD FS Service Deleted
- Microsoft Entra ID MFA Disabled
- Microsoft Entra Owner Removed From Application
- Suspicious Azure Account Permission Elevation
- Suspicious Azure Deployment Activity
- Suspicious Azure Device Activity
- Suspicious Azure Firewall Activity
- Suspicious Azure Key Vault Activity
- Suspicious Azure Kubernetes Activity: Credential Access
- Suspicious Azure Kubernetes Activity: Defense Evasion
- Suspicious Azure Kubernetes Activity: Impact
- Suspicious Azure Kubernetes Activity: Persistence
- Suspicious Azure Kubernetes Activity: Privilege Escalation
- Suspicious Azure Network Activity
- Suspicious Azure Service Principal Activity
-
AELDEV-38031: Switched to using write_time for querying login events in UBA alert types to accommodate upstream data source delays.
Modified UBA alert types to use write_time for querying login events, reducing detection latencies for alert types like Login Time and Login Failure. This enhancement also addresses a detection edge case in which data sources with very long delays in reporting login events (several hours, for example) might not always be covered.
-
AELDEV-36264: Added a new ML alert type: Password Resets Anomaly.
Added a new detection system for identifying anomalous password reset activity on Windows systems. It currently supports one subtype: Windows Account Password Reset Anomaly, which detects abnormal password resets for Windows accounts. It's aimed at spotting potential security breaches by scrutinizing password reset patterns and generating alerts for activities that deviate from the norm, thereby improving the capability to preemptively mitigate account compromise risks.
-
AELDEV-34318: Enhanced Threat Intelligence processing.
Introduced a new threat intelligence processing capability to significantly reduce the time lag between the identification of malware or threats and the ingestion of the corresponding Indicators of Compromise (IOCs). This feature is disabled by default and includes the following key enhancements:
-
Faster IOC Ingestion: Increased the speed at which threat intelligence data is processed and incorporated into Stellar Cyber, ensuring more effective threat detection and continuous monitoring.
-
Proactive Threat Hunting: The accelerated ingestion rates let security teams identify and mitigate threats more quickly, enhancing overall detection and response capabilities.
-
Custom Feed Integration with TAXII 2.0 and STIX Compatibility: Provided support for user-defined threat intelligence feeds using formats like TAXII and TSV. This enhancement leverages the TAXII 2.0 standard for seamless cyber threat intelligence exchange over HTTPS and is fully compatible with STIX 2.0. These improvements provide greater flexibility in ingesting and structuring threat intelligence to meet specific organizational needs.
-
AELDEV-33570: Implemented the Microsoft Defender for Cloud Apps alert integration.
Integrated Microsoft Defender for Cloud Apps (MCAS) into the Stellar Cyber Platform to receive alerts. This enhancement allows Stellar Cyber to receive and analyze MCAS-native alerts, enhancing visibility over potential security threats.
-
AELDEV-33137: Integrated Microsoft Defender for Cloud alerts.
Integrated Microsoft Defender for Cloud alerts into the Stellar Cyber Platform. This enhancement allows Stellar Cyber to receive and analyze Microsoft Defender for Cloud alerts from Azure Event Hub, enhancing visibility over potential security threats.
-
AELDEV-31632: Implemented HYAS Protect passthrough alerts.
Introduced the following three passthrough alerts for HYAS Protect:
- Domain tagged with Suspicious Registrar with the alert type prefix HYAS Protect (Watch Engine)
- Domain tagged as blocked by the HYAS Engine with the alert type prefix HYAS Protect (Block)
- Domain tagged as Highly Suspicious with the alert type prefix HYAS Protect (Highly Suspicious)
-
AELDEV-28835: Updated External/Internal SMB Read/Write Anomaly alert types to include summarized file paths and filenames, improving alert context.
When alerts are triggered from SMB traffic with path-related metadata decoded by Modular Sensors, Stellar Cyber enriches External/Internal SMB Read/Write Anomaly alert types with the accessed file paths in event_summary.smb_path_list. Stellar Cyber ranks the significance of the paths (for example, system paths or user paths) by their uniqueness and access frequency during the detection period. Alerts now display significant file paths based on visit frequency and folder properties, enhancing the understanding of the alert triggers.
Improvements
-
AELDEV-41128: Updated Sigma Rule “Raspberry Robin Dot Ending File” (Stellar Cyber rule ID: process_creation_commandline_90) to its latest version to reduce false positives.
Updated rule ID process_creation_commandline_90 in the Suspicious Process Creation Commandline alert category. The update was sourced from SigmaHQ and aims to reduce false positives through improved detection logic.
-
AELDEV-40747: Improved the case analysis graph for alerts triggered by Windows Logon failures.
For cases generated from LimaCharlie Windows Event Log alerts, specifically logon events identified by event_id: 4625, the case analysis graph now displays additional information such as the username and IP address of both the source and destination hosts involved in the logon if they are present in the failure events. This enhancement provides more context by showing the user and IP address along with the host machine and process previously displayed, improving the depth of analysis available in the graph.
-
AELDEV-39970: Implemented third-party Huntress alert integration.
Integrated with Huntress to provide improved alert and asset retrieval functionalities. This integration involves complex parsing of incident reports, which might contain multiple events and extensive information exceeding 10,000 characters.
-
AELDEV-38977: Implemented case-insensitive matching for the Sigma rule engine and modified the engine to support the ignore_case keyword in Sigma queries.
Improved the Sigma Rule “AWS IAM Backdoor Users Keys” (Stellar Cyber rule ID: aws_13) to make sure it is only triggered when one user creates an API key for another user but not when a user creates a key for themselves. This update simplifies previous implementations by eliminating the need for separate processing fields for case sensitivity, allows case-insensitive comparisons, and enhances rule flexibility and accuracy.
-
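The behaviour described for the AWS IAM rule above, and why case-insensitive comparison matters to it, can be shown with a small rule evaluator. The following is an added example written for these notes, not the Stellar Cyber Sigma engine or the aws_13 rule itself: the rule representation, the ignore_case handling and the CloudTrail-shaped sample events are all constructed for illustration, and the only real identifiers used are the CloudTrail field names and the CreateAccessKey event name.

```python
from typing import Any, Dict, List, Optional, Tuple

# Constructed CloudTrail-style records (not real logs). Only the fields the
# check needs are present.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # a user rotating their own key; actor and target differ only in case
        "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
        "userIdentity": {"type": "IAMUser", "userName": "Alice"},
        "requestParameters": {"userName": "alice"},
    },
    {   # a user minting a key for someone else: the case the rule is for
        "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"userName": "bob"},
    },
    {   # unrelated IAM call, must not match the selection
        "eventSource": "iam.amazonaws.com", "eventName": "ListAccessKeys",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"userName": "alice"},
    },
    {   # root has no userName, so any key it creates is for another principal
        "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
        "userIdentity": {"type": "Root"},
        "requestParameters": {"userName": "deploy"},
    },
]

# Minimal rule shape assumed for the example; the ignore_case flag applies
# to both the selection match and the actor/target comparison.
RULE = {
    "title": "AWS IAM access key created for another user",
    "selection": {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey"},
    "ignore_case": True,
}


def get_field(event: Dict[str, Any], dotted: str) -> Optional[Any]:
    """Resolve a dotted path such as userIdentity.userName; None if absent."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def values_match(actual: Optional[Any], expected: Any, ignore_case: bool) -> bool:
    if actual is None:
        return False
    a, e = str(actual), str(expected)
    return a.casefold() == e.casefold() if ignore_case else a == e


def selection_matches(event: Dict[str, Any], selection: Dict[str, Any],
                      ignore_case: bool) -> bool:
    return all(values_match(get_field(event, f), v, ignore_case)
               for f, v in selection.items())


def evaluate(events: List[Dict[str, Any]], rule: Dict[str, Any] = RULE,
             ignore_case: Optional[bool] = None) -> List[Tuple[Optional[str], Optional[str]]]:
    """Return (actor, target) pairs for every event the rule fires on."""
    ic = rule["ignore_case"] if ignore_case is None else ignore_case
    hits = []
    for ev in events:
        if not selection_matches(ev, rule["selection"], ic):
            continue
        actor = get_field(ev, "userIdentity.userName")
        target = get_field(ev, "requestParameters.userName")
        if actor is not None and target is not None and values_match(actor, target, ic):
            continue   # self-service key creation is expected behaviour
        hits.append((actor, target))
    return hits


if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))                      # two genuine hits
    print(evaluate(SAMPLE_EVENTS, ignore_case=False))   # "Alice"/"alice" becomes a false positive
```

Running the evaluator with ignore_case off turns the first event (a user rotating their own key, with the name differing only in letter case) into a false positive; with it on, only the cross-user and root-issued creations remain, which is the narrowing the release note describes.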
AELDEV-38626: Adjusted the scoring model for Exploited Command and Control (C&C) Connection alerts.
Fixed an issue with the alert scoring model that incorrectly scored exploited C&C connection alerts. It now calculates a dynamic fidelity score (previously it was always 99) and contributes to the final alert scores (max: 82).
-
AELDEV-37095: Reduced latency for the Impossible Travel Anomaly and User Login Location Anomaly alert types.
Switched from using timestamp to write_time in User Behavior Analytics (UBA) alert types, particularly for Impossible Travel and User Login Location, to effectively manage and mitigate the impact of increased event delays from data sources such as Google Workspace. The alerts for data sources with low ingestion delays (for example, Windows events) are reported much faster than before, and the change ensures better coverage of events by reducing query delays.
-
AELDEV-37079: Implemented an improved correlation strategy to ensure that each alert will be assigned to a case, even if the alert cannot be correlated with other alerts.
The node summarization feature in case graphs has been enhanced to support multi-level summarizations. Specifically, this improvement allows the summarization of connected nodes across multiple levels, reducing the complexity and size of graphs significantly. Initially focusing on summarizing processes into aggregated nodes, this capability extends further into adjacent node levels, streamlining the visualization of complex, multi-step relationships in case data.
-
AELDEV-35712: Upgraded the MITRE framework from v8 to v13 in all third-party alerts.
Updated the process for mapping and enriching Tactics, Techniques, and Procedures (TTPs) for third-party alert integrations to use a database-driven approach. The new methodology enhances performance and maintainability and ensures robustness.
-
AELDEV-34261: Implemented third-party Sophos alert integration.
Integrated Sophos alerts into the Stellar Cyber Killchain, enabling native third-party alert processing within the Stellar Cyber Open XDR Platform. The enhanced capability allows for seamless importing and enrichment of threat data from Sophos, improving incident analysis and response efficiency.
-
AELDEV-28757: Added key fields to Deep Instinct alert integration.
Enhancements made to Deep Instinct alerts include UI improvements for clipboard copying and visibility of File Path and File Hash. Key fields for Threat Type, Type, and Event ID were added for more detailed alert information. Efforts to customize key field configurations for greater user flexibility were also implemented, while retaining the world map feature.
-
AELDEV-28393: Implemented a third-party Netskope alert integration.
Integrated Netskope alert functionality, enabling the identification and response to connection, breach, and malsite alert types. The integration involves configurations for each alert type, along with mappings for tactical and technical aspects, enhancing alert detection capabilities.
Usability
New Features
-
AELDEV-44269: Added a Case Health API endpoint.
Implemented a new endpoint, GET /cases/health, to let you check the health status of the Case API. This endpoint returns a JSON response indicating the status (working or not working) and the version of the backend. The public API always returns a 200 HTTP status code, but the response content reflects the actual state of the Case backend.
-
AELDEV-41127: Added a new observable for Windows registry keys to the Case Analysis graph.
Implemented a feature where the modified_at field of a case is now automatically updated whenever a comment or some evidence is added, updated, or deleted. This ensures accurate tracking of case modifications and enhances API filtering capabilities for updated cases. The change does not affect case score calculations.
-
AELDEV-40458: Enhanced the user interface (UI) to support configurable time ranges for each layer of correlation rules.
Implemented a new UI feature that allows users to set distinct time ranges for each layer within a correlation rule to address use cases such as the detection of short-term accounts. This feature facilitates the creation of more precise and effective security correlation rules by enabling time-specific queries across multiple layers.
-
AELDEV-38902: Implemented the capability to query for alerts not associated with cases.
Added a new query capability that allows you to filter alerts not correlated to any cases. To enable a more efficient workflow for identifying and addressing potential security incidents, this feature supports complex case management and improved visibility into uncorrelated alerts.
-
AELDEV-37728: Added new Case Management dashboards.
Introduced a basic Case Management Dashboard to facilitate quick insight into case metrics without extensive complexity. Features include Total Case Number with a pivot on severity (line or bar chart), Case Breakdowns by Severity and Status (pie charts), Case Assignee Chart, and Case Breakdown by Alert Number (line or bar chart), complemented by a Case List table at the bottom.
-
AELDEV-35872: Added support for bulk actions in the Case table.
The Case Table supports bulk edits to the Status, Tags, or Assignee of multiple cases. Once you apply a bulk action to one or more cases, Stellar Cyber displays a success or failure message at the top of the display and keeps track of its progress in the Task List.
Improvements
-
AELDEV-44724: Updated score, fidelity, severity cells with color codes for Case Details.
Adjusted the score, severity, and fidelity field cells to include color codes based on their values on the Case Details page to improve the visual clarity and quick assessment of field values.
-
AELDEV-44643: Added a column for raw field names in the Alert Details panel.
Added a new column to display raw field names to the Alert Details panel. This lets you easily view the raw field names alongside other details, making data interpretation more intuitive.
-
AELDEV-44248: Enhanced the Alert Details panel with field filters and a search tool.
Introduced the ability to filter fields in the Alert Details pane through quick filters for Detection and Threat Intelligence (TI) enrichments. There's also a Search tool that searches across key fields, values, and field names among the alert details, facilitating quicker access to relevant information.
-
AELDEV-44244: Implemented alert highlighting when the Alert Details panel is opened.
Added functionality to highlight and maintain focus on an alert row when it is selected from the alert list, so you can keep track of the alert in the list when it is under review in the Alert Details panel. The solution includes a noticeable color highlight upon opening an Alert Details panel and a subtle pulsing effect to draw attention to the row once the panel is closed. This feature aids in efficient navigation and review of alerts without losing context.
-
AELDEV-44242: Improved usability of alert details in case management.
When viewing an alert in case details and then navigating away from the case in previous releases, you would need to locate the alert in the list again and reopen it upon returning to the case. The page now stores the selected alert in your browser history so you can navigate back to the alert context using the Back button in your browser.
-
AELDEV-42482: Added ID filtering to the GET /cases API endpoint.
The GET /cases API endpoint now supports filtering by case ID, enabling unique case identification and integration with external SOAR or ticketing systems. This enhancement facilitates more efficient synchronization and tracking between Stellar Cyber and external systems, and it allows for detailed case status updates and modifications using unique case IDs.
-
AELDEV-42138: Included timestamps for changes to status, severity, and assignee in exported cases.
When you export a case, all relevant data from the Case Activity panel is included, including changes to its severity, status, assignee, and alerts. Timestamps are provided showing when each change occurred.
-
AELDEV-42134: Added a public API endpoint for querying all alert types, including custom-created alert types.
Added the GET /custom_security_events public API, which returns custom-created alerts.
-
AELDEV-41650: Enhanced the UI with collapsible long key fields and other design changes.
Implemented improvements in the UI handling of long key fields. Adjustments include smaller horizontal spacing between label and content, reduced label size with a color change, and expandable/collapsible functionality for long strings. Tooltips were also modified to enhance clarity.
-
AELDEV-41599: Renamed Visualize | ML-IDS to Intrusion Signatures to include Intrusion Prevention System (IPS) signatures.
Enhanced the Visualize/ML-IDS feature to encompass IPS signatures, effectively transforming it into an ML-IDS/IPS. This enhancement not only includes renaming ML-IDS to accommodate IPS data but also content updates to various pages in the Stellar Cyber UI and to index names to better reflect the integration of IPS signatures. Relevant visualizations, analytics, and alert types have been updated to incorporate this new data seamlessly, ensuring more comprehensive threat detection capabilities.
-
AELDEV-41431: Implemented record deduplication based on arbitrary field names for ATH rules.
Introduced a feature that allows users to specify a field in Automated Threat Hunting (ATH) rules for consolidation of records with matching fields. This update enables the creation of only one record per defined field every 24 hours, addressing situations where a particular connector is sending a new alert record every time an alert is updated on the connector source.
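The deduplication described above (one record per value of a chosen field every 24 hours) is easy to get subtly wrong, for example by measuring the window from the first record instead of the last one emitted, or by collapsing records that lack the field at all. The following is an added example written for these notes, not the Stellar Cyber ATH implementation: the record layout, the alert_id and status field names, the timestamp handling and the sample records are all constructed for illustration.

```python
from datetime import datetime, timedelta
from typing import Any, Dict, List

WINDOW = timedelta(hours=24)

# Constructed connector records (not real alerts). The source re-emits the
# same alert every time its status changes, so alert_id repeats.
T0 = datetime(2024, 3, 1, 8, 0)
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"timestamp": T0,                       "alert_id": "A-100", "status": "new"},
    {"timestamp": T0 + timedelta(hours=1),  "alert_id": "A-100", "status": "investigating"},
    {"timestamp": T0 + timedelta(hours=2),  "alert_id": "A-200", "status": "new"},
    {"timestamp": T0 + timedelta(hours=3),  "status": "new"},    # no key field at all
    {"timestamp": T0 + timedelta(hours=25), "alert_id": "A-100", "status": "closed"},
]


class FieldDeduplicator:
    """Emit at most one record per distinct value of `field` per window.
    The window is measured from the last record emitted for that value, so
    an update arriving after the window has elapsed is kept and reopens it."""

    def __init__(self, field: str, window: timedelta = WINDOW):
        self.field = field
        self.window = window
        self._last_emitted: Dict[Any, datetime] = {}

    def accept(self, record: Dict[str, Any]) -> bool:
        key = record.get(self.field)
        if key is None:
            return True   # assumption: records lacking the key are never collapsed
        ts: datetime = record["timestamp"]
        last = self._last_emitted.get(key)
        if last is not None and ts - last < self.window:
            return False
        self._last_emitted[key] = ts
        return True


def dedup(records: List[Dict[str, Any]], field: str) -> List[Dict[str, Any]]:
    """Return the records that survive deduplication on `field`, processed in
    timestamp order so out-of-order delivery cannot reopen a window early."""
    d = FieldDeduplicator(field)
    return [r for r in sorted(records, key=lambda r: r["timestamp"]) if d.accept(r)]


if __name__ == "__main__":
    for r in dedup(SAMPLE_RECORDS, "alert_id"):
        print(r["timestamp"], r.get("alert_id"), r["status"])
```

On the sample, deduplicating on alert_id keeps the first A-100 record, drops the status update an hour later, keeps A-200 and the keyless record, and keeps the closing update because it arrives after the 24-hour window; choosing status as the field instead collapses the three "new" records into one, which shows why the field has to be picked per connector.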
-
AELDEV-40252: Added the ability to hide unused tiles on the Threat Hunting page.
The UI has been enhanced to allow you to hide tiles related to unconfigured data sources in the Threat Hunting page. This improves usability by removing clutter to make relevant data more accessible.
-
AELDEV-40251: Improved exporting on the Connector page so you can export selected columns in a PDF.
Enhanced the connector view functionality by allowing users to export their selected view with specific columns as a PDF. This feature facilitates easier reporting and documentation for critical insights and supports better data management and sharing.
-
AELDEV-39870: Added the ability to hover over the Deep Instinct File Path and File Hash to expand and see the field value.
Implemented a new UI feature that allows users to either click or hover their cursor over the File Path and File Hash fields to fully expand these values if they were previously trimmed for display purposes. This provides better visibility into these key data points without the need to navigate away from the current view.
-
AELDEV-39396: Added descriptions for the internal API /entity_usage/daily_count/{scope}.
Introduced comprehensive request parameter guidelines for the internal API /entity_usage/daily_count/{scope}, specifying that the days and date parameters are mutually exclusive.
-
AELDEV-39384: Unused internal APIs for ElasticSearch indices were hidden.
Enhanced security and optimization by hiding unused internal APIs related to Elasticsearch indices within the SaaS environment. This adjustment results in a more streamlined interface, reducing potential attack surfaces, and improving system performance by eliminating unnecessary endpoints.
-
AELDEV-39249: Added support for custom log parsers.
The ability for you to configure custom log parsers, previously hidden in the SaaS UI for safety concerns, has been reinstated. This update allows you to directly access and configure custom log parsers within the UI, facilitating a more convenient setup process for sophisticated log parsing requirements. This enhancement ensures compatibility with existing RBAC paths and integrates seamlessly into the user profile home page drop-down.
-
AELDEV-38938: Added support for CIDR notation in IP address lookup groups.
Updated IP address lookup groups to support CIDR notation. This allows you to define networks within a lookup group more efficiently.
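As an added illustration of what CIDR support in a lookup group buys you (this is example code written for these notes, not the Stellar Cyber lookup-group implementation, and the group names, entries and address ranges are constructed from documentation prefixes): a group can mix CIDR blocks with single addresses, and a configuration-time check for overlapping entries catches redundant or mistyped definitions before they confuse a query.

```python
import ipaddress
from itertools import combinations
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class LookupGroup:
    """A named set of networks. Entries may be CIDR blocks or single
    addresses; a bare address becomes a /32 (or /128) host network."""

    def __init__(self, name: str, entries: List[str]):
        self.name = name
        # strict=False accepts host bits set, e.g. "10.1.2.3/8" -> 10.0.0.0/8
        self.networks: List[Network] = [ipaddress.ip_network(e, strict=False) for e in entries]

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        # membership across IP versions is simply False, so v4 and v6 can mix
        return any(addr in net for net in self.networks)

    def overlaps(self) -> List[Tuple[str, str]]:
        """Pairs of entries that overlap each other: harmless for matching,
        but a sign of a redundant or mistyped definition worth flagging."""
        return [(str(a), str(b)) for a, b in combinations(self.networks, 2)
                if a.version == b.version and a.overlaps(b)]


def lookup(groups: List[LookupGroup], ip: str) -> List[str]:
    """Names of every group the address falls into, in definition order."""
    return [g.name for g in groups if g.contains(ip)]


# Constructed groups using documentation address ranges, not a real network.
GROUPS = [
    LookupGroup("corp_lan", ["10.0.0.0/8", "192.168.1.0/24"]),
    LookupGroup("vpn_pool", ["172.16.5.0/24", "172.16.5.128/25"]),  # second entry lies inside the first
    LookupGroup("dmz_hosts", ["203.0.113.10", "203.0.113.11", "2001:db8::10"]),
]

if __name__ == "__main__":
    for ip in ("10.42.0.7", "203.0.113.10", "203.0.113.12", "2001:db8::10"):
        print(ip, "->", lookup(GROUPS, ip))
    for g in GROUPS:
        print(g.name, "overlaps:", g.overlaps())
```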
-
AELDEV-38220: Replaced Azure Active Directory (AD) with the new name: Microsoft Entra ID.
In alignment with the Microsoft rebranding of Azure Active Directory as Microsoft Entra ID, Stellar Cyber updated all occurrences of the term throughout the user interface. This includes updates in third-party alert integrations, built-in alert types, rules descriptions, and various UI elements such as threat hunting columns and RBAC actions.
-
AELDEV-38084: Increased the number of languages that the Stellar Cyber user interface (UI) supports.
Implemented a new translation mechanism that supports a wider range of languages for the Stellar Cyber UI.
-
AELDEV-36982: Implemented the ability to bulk configure the aggregator IP address for multiple sensors in the user interface (UI).
Introduced the ability to bulk assign sensors to an aggregator directly from the Sensor page, greatly streamlining the process.
-
AELDEV-36900: Added support to the Disable User action to use the username field populated from Office 365 records, in addition to the Microsoft Entra ID userPrincipalName field.
Implemented an enhancement for Azure Active Directory records. Now, records can be enriched with the userPrincipalName field, which lets the response connector operate on more complete user information. The user interface was updated to use username to disable the user. This enhances system usability and response capabilities.
-
AELDEV-30440: Differentiated enriched fields in Interflow Data.
Distinguished the enriched fields from raw event fields in Interflow data. This update introduces a visual indicator in the Stellar Cyber UI to help you identify enriched fields in both alert information and Interflow fields. An inverted type icon denotes enriched fields, providing a clearer and more intuitive experience when navigating through Interflow data.
-
AELDEV-28852: Added custom key fields to alert types.
Enhanced alert types by implementing your ability to set custom key fields, allowing for more tailored alert configurations. The change improves alert customization and relevance.
-
AELDEV-28756: Added Tenant Group field at the top of all Case detail displays.
Adding the Tenant Group field to the Case detail pages allows customer support engineers to swiftly identify the MSP partner associated with a case, facilitating quicker and more effective case resolution.
-
AELDEV-25631: Added Tenant Group to the columns in the connector table.
Added a Tenant Group column to the Connector table. This enhancement improves visibility and management of connectors by allowing you to see the assigned tenant group directly in the Connector table. The update applies to all existing and future connectors without requiring additional configuration.
-
AELDEV-10935: Added next and previous navigation buttons to the Alert Details panel.
Implemented navigational buttons for seamless event investigation, allowing you to navigate between alerts directly from within the Alert Details panel, which eliminates the need to repeatedly open and close the panel. This update streamlines the workflow for analyzing alerts in a table view.
Stellar Cyber Platform
New Features
-
AELDEV-44991: Added a feature toggle and status CLI sub-commands.
Introduced new capabilities for toggling features and the following new commands:
- set feature to toggle features on or off.
- show feature to display the status of features.
-
AELDEV-42632: Added Linux Server Sensor support for Amazon Linux 2023.
The Linux Server Sensor now supports installation on Amazon Linux 2023 with complete support for all features.
-
AELDEV-43967: Added dashboards for average data volume usage per asset.
Added two new dashboards: one aggregates monthly average volume usage per asset for a 12-month period, and another gives a daily breakdown over 30 days. This lets you analyze data ingestion per asset, identifying which assets are ingesting more or less data. The feature is currently available only for specific organizations via a feature flag.
-
AELDEV-40453: Implemented an upgrade pre-check and a UI banner for notifying users about duplicate user accounts.
Added a verification process and UI banner notification to alert you of duplicate usernames or emails due to the introduction of case insensitivity. In previous releases, usernames like johnsmith and JohnSmith were considered two different, valid names. From 5.2.0, they are considered duplicates of the same username.
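The pre-check described above needs to find accounts that collide once case is ignored, for both usernames and emails, before the upgrade makes them indistinguishable. The following is an added example written for these notes, not the Stellar Cyber pre-check: the user record layout and the sample accounts are constructed, and the use of casefold() (rather than lower()) is my choice so that non-ASCII letters also collapse correctly.

```python
from collections import defaultdict
from typing import Any, Dict, List

# Constructed user records for illustration; not from any real deployment.
SAMPLE_USERS: List[Dict[str, Any]] = [
    {"id": 1, "username": "johnsmith", "email": "john.smith@example.com"},
    {"id": 2, "username": "JohnSmith", "email": "jsmith@example.com"},
    {"id": 3, "username": "alice",     "email": "Alice@Example.com"},
    {"id": 4, "username": "alice2",    "email": "alice@example.com"},
    {"id": 5, "username": "bob",       "email": "bob@example.com"},
]


def find_duplicates(users: List[Dict[str, Any]], field: str) -> Dict[str, List[int]]:
    """Group user ids by the case-folded value of `field` and return only the
    groups with more than one member, keyed by the folded value."""
    groups: Dict[str, List[int]] = defaultdict(list)
    for user in users:
        groups[user[field].casefold()].append(user["id"])
    return {value: ids for value, ids in groups.items() if len(ids) > 1}


def precheck(users: List[Dict[str, Any]]) -> List[str]:
    """Messages an upgrade pre-check or UI banner could surface: one per
    colliding username or email, naming every affected account so an admin
    can rename or merge them before the upgrade."""
    messages = []
    for field in ("username", "email"):
        for value, ids in find_duplicates(users, field).items():
            messages.append(f"{field} '{value}' is shared by user ids {ids} once case is ignored")
    return messages


if __name__ == "__main__":
    for line in precheck(SAMPLE_USERS):
        print(line)
```

Note that the check reports the folded value together with every account id in the collision; reporting only "a duplicate exists" would leave the administrator to rediscover which accounts are involved.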
-
AELDEV-39288: Added the ability to add alert type descriptions.
Implemented a feature that lets you add custom descriptions to alert types for enhanced clarity, facilitating a better understanding of alerts for analysts. Additionally, a new UI section has been created to organize and manage custom alert types so you can customize your alert workflow.
-
AELDEV-38947: Added the ability to automatically sync new custom log parsers to the Log Sources page.
Implemented an enhancement allowing newly uploaded custom log parsers to be automatically listed in the Name drop-down on the Log Sources page. Custom parsers are immediately available in the drop-down upon upload or immediately removed from it upon deletion.
-
AELDEV-38315: Enhanced role-based access control (RBAC) for Root-scoped query management in MSSP
Implemented functionality to allow root-level users to change the share scope of a query between Root Tenant and All Tenants even if the query is in use. To ensure clarity, a prompt warns users when a query is changed from All Tenants back to Root Tenant because this revokes access to the query for non-root users.
-
AELDEV-37124: Added a new API endpoint to delete sensors in bulk via the API.
Implemented functionality to delete sensors in bulk through the APIs. This enhancement lets you delete over 100 sensors at a time, significantly improving operational efficiency when managing large-scale deployments.
-
AELDEV-36260: Implemented System Action Center updates with prioritized notifications, server sensor monitoring, and enhancements in actions and user notifications.
Phase 3 of the System Action Center was completed, introducing prioritized notifications, new rules for notification services, and customization options for server sensor monitoring, including handling of no data, offline status, and status changes. Enhancements were made in actions and user notifications, adding support for email and Slack links, enhancing RBAC privilege escalation notifications, and user account lockout handling. Additional debug logging and minor template fixes were also included.
-
AELDEV-35872: Added a new API endpoint to create cases via the API.
Added a new Create Case endpoint to the Stellar Cyber public API. This endpoint accepts a comprehensive set of fields including customer ID, alerts, case name, severity, status, assignee, tags, and comments. The solution involves robust data validation mechanisms to ensure the integrity and accuracy of the input data. This feature lets you programmatically create cases with detailed contextual information, streamlining incident management.
-
AELDEV-34397: Stellar Cyber supports Rippling as an identity provider for single sign-on (SSO) authentication of its administrative users.
Stellar Cyber integrates with Rippling for Single Sign-On (SSO) to provide authentication and access management, which enhances security and improves the user experience.
-
AELDEV-34268: Added support for alert filter statistics per tenant.
Implemented enhancements that enable support of multiple organizations. The ElasticSearch client was modified to render templates and route data to appropriate ElasticSearch clusters based on organization. This improves both data segmentation and security.
-
AELDEV-21726: Added support for using available geolocation information in original records.
Geolocation enrichment now prioritizes the use of geolocation information from original records if present. This update supports more reliable geolocation-based analyses by using authentic location data from sources like Azure Active Directory, supplemented by GeoIP2 DB when necessary.
Improvements
-
AELDEV-43654: Cached license page results for volume ingestion charts.
Implemented caching for license page results to optimize the loading time of volume ingestion charts, especially for environments with many tenants.
-
AELDEV-43545: Enhanced Security Analytics (SA) rules with start and end time fields for improved event time range definitions.
SA rules now include start times and end times, or their singular counterparts, to accurately define event time ranges. Using specific time ranges ensures more precise alert timing and detection accuracy. This update impacts all SA rules, enhancing the system's ability to backtrack and correlate events effectively.
-
AELDEV-42819: Addressing style made configurable for General S3-compatible data sink
The General S3-compatible data sink supports configurable addressing style settings. You can select between virtual and path styles, accommodating specific requirements from different S3-compatible storage providers. This enhancement ensures compatibility with storage such as Alibaba and Cloudflare R2, which only support certain addressing protocols. A new field has been added to the configuration page, allowing you to specify the preferred addressing style.
-
AELDEV-39135: Resolved an issue where deleted or disabled Automated Threat Hunting (ATH) email rules continued to trigger emails.
Addressed an issue where ATH email rules that were deleted or disabled still sent emails due to miscommunication between internal components. The synchronization process was improved to ensure that deleted and disabled rules are properly reflected across all services.
-
AELDEV-38861: Implemented new and improved hash support in lookups.
Enhanced the Lookup feature to allow the matching of hashes (MD5, SHA256, IMPHASH) without requiring prefixes. This enhancement streamlines the process for SOC teams when dealing with Windows reported hashes in various formats. It also negates the need for an entire string match, which simplifies malicious file identification.
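As an added illustration of prefix-free hash matching (example code, not Stellar Cyber's Lookup implementation; the lookup list, the sample Sysmon-style string and the algorithm labels are constructed), a small Python normalizer that accepts MD5, SHA256 and IMPHASH values with or without their prefixes:

```python
import re

# Added example, not Stellar Cyber's code: match file hashes from Windows/Sysmon-style
# strings against a lookup list without requiring the "MD5=" / "SHA256=" / "IMPHASH="
# prefixes or a whole-string match.

# Prefixed form as reported by Sysmon, e.g. "MD5=...,SHA256=...,IMPHASH=..."
PREFIXED_HASH = re.compile(r"\b(MD5|SHA1|SHA256|IMPHASH)=([0-9A-Fa-f]+)", re.IGNORECASE)

# Bare hex digests are classified by length only; 32 hex characters may be either
# an MD5 or an IMPHASH, so they share one label.
BARE_BY_LENGTH = {32: "md5_or_imphash", 40: "sha1", 64: "sha256"}


def extract_hashes(raw: str) -> dict:
    """Return {algorithm: lowercase hex digest} from a prefixed or bare hash string."""
    found = {}
    for algo, digest in PREFIXED_HASH.findall(raw):
        found[algo.lower()] = digest.lower()
    if found:
        return found
    bare = raw.strip().lower()
    if re.fullmatch(r"[0-9a-f]+", bare) and len(bare) in BARE_BY_LENGTH:
        found[BARE_BY_LENGTH[len(bare)]] = bare
    return found


def normalize_lookup(entries) -> set:
    """Build a lookup set of bare lowercase digests from entries in any format."""
    digests = set()
    for entry in entries:
        digests.update(extract_hashes(entry).values())
    return digests


def lookup_match(raw: str, lookup: set) -> list:
    """Return (algorithm, digest) pairs found in raw whose digest is in the lookup set."""
    return [(algo, d) for algo, d in extract_hashes(raw).items() if d in lookup]


# Constructed lookup list: the well-known MD5 and SHA-256 digests of an empty file,
# given in mixed prefixed and bare formats, as a stand-in for a real list.
SAMPLE_LOOKUP = normalize_lookup([
    "MD5=D41D8CD98F00B204E9800998ECF8427E",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
])

# Constructed Sysmon-style hash string as a Windows sensor might report it.
SAMPLE_SYSMON_HASHES = (
    "MD5=d41d8cd98f00b204e9800998ecf8427e,"
    "SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,"
    "IMPHASH=00000000000000000000000000000000"
)

if __name__ == "__main__":
    # Matches the MD5 and SHA256 digests even though the lookup list has no
    # prefixes and the reported string contains more than the matching hash.
    print(lookup_match(SAMPLE_SYSMON_HASHES, SAMPLE_LOOKUP))
```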
-
AELDEV-37361: Extended the time for the legacy webhook network timeout for overall reliability.
Extended the legacy webhook network timeout from 120 to 240 seconds and improved it to be more reliable overall.
-
AELDEV-33312: Implemented support for human-readable JSON timestamps in exports.
Implemented a timestamp_utc field in JSON exports, enhancing readability by converting epoch timestamps to human-readable UTC format. This change applies to all alert records exported from the platform, ensuring consistency and ease of use for non-technical users.
-
AELDEV-33295: Implemented improved filtering on query calculation data in Automated Threat Hunting.
Optimized query calculations now allow for efficient nested value comparison and data aggregation, maintaining all parent data during list comparisons. This results in better aggregation and supports specific conditional filtering within calculation groups, directly impacting data analysis and reporting capabilities.
-
AELDEV-28852: Added custom key fields to custom alert types.
Enhanced custom alert types by implementing the ability to add custom key fields, allowing for more tailored alert configurations. The change improves alert customization and relevance.
-
AELDEV-21484: Updated the NTP configuration to exclusively use trusted servers.
Updated the Network Time Protocol (NTP) configuration for both on-premises and managed appliances to use trusted, US-based servers, specifically time1.google.com through time4.google.com and 0.us.pool.ntp.org, 1.us.pool.ntp.org.
Sensors
New Features
-
AELDEV-40650: Added a new indicator for sensor mode to indicate if it is SaaS or on-premises.
The output of show version in the sensor CLI was enhanced to distinguish between on-prem and SaaS operation modes. On-prem sensors now append a 'p' to their AOS Version. This differentiation aids in troubleshooting and system configuration without changing existing versioning schemes or requiring UI alterations.
-
AELDEV-37783: Added TCP port 443 as a new ingestion port for log sources.
The System | Log Sources page in the Stellar Cyber user interface now supports log ingestion over TLS on TCP port 443. UDP is not supported on this port, so that logs forwarded to it are always carried over TLS and transmitted securely.
Improvements
-
AELDEV-45666: Added Linux Server Sensor support for Debian 12
The Linux Server Sensor and the associated installer support Debian 12.
-
AELDEV-44436: Removed the disk space check from the validation process that a Modular Sensor uses to determine if it has sufficient system resources to run various modules.
Due to the dynamic nature of disk usage, which can vary significantly, checking disk space to determine if there are sufficient system resources led to inaccurate conclusions. As a result, the disk space check was removed from the validation process. The process now checks CPU totals and memory size.
-
AELDEV-44403: Windows Server Sensors running 5.1.1 or later support sensor profiles that contain text in Unicode such as Chinese, Japanese, and Korean.
Windows sensors running 5.1.0 do not support sensor profiles that contain text in Unicode such as Chinese, Japanese, and Korean. However, Windows sensors running 5.1.1 or later do. If you want to use Unicode in your sensor profiles, be sure to upgrade to 5.1.1 or later before downloading any profiles with Unicode to your Windows sensors.
-
AELDEV-41762: Linux Server Sensors no longer use the /tmp directory for any CLI commands.
Some hardening guidelines recommend restricting access to the /tmp directory. To comply with these guidelines, the Linux Server Sensor no longer uses the /tmp directory for any CLI commands. This change ensures that the sensor does not rely on the /tmp directory for any operations, enhancing security and compliance.
-
AELDEV-41549: Resolved /tmp access restrictions and permission issues for Linux Server Sensors.
Linux Server Sensors no longer use the /tmp directory for any CLI commands, allowing these commands to run successfully in hardened environments where access to /tmp is restricted. Additionally resolved permission errors that could occur when uninstalling the Linux Server Sensor in environments where SELinux is enabled. This correction ensures that Linux Server Sensors can be uninstalled without encountering permission issues.
-
AELDEV-41181: Resolved an issue where Modular Sensors with either IDS or local file assembly enabled in their sensor profiles did not detect 802.1Q VLAN tags correctly.
Addressed a defect where 802.1q VLAN tags were not recognized by Modular Sensors. This correction ensures VLAN tags are detected accurately, enhancing network traffic analysis and sensor functionality across varying configurations.
-
AELDEV-40868: Released a dedicated aellads package for Ubuntu 22.04.
Released a dedicated aellads package for Ubuntu 22.04. This update addresses OpenSSL vulnerabilities identified in versions prior to 1.0.2ze. Apply the package to new sensor deployments running on Ubuntu 22.04. Systems running older Ubuntu versions will continue to use the current aellads package.
-
AELDEV-38800: Added OS uptime and sensor uptime to the show version command.
Updated the show version command to display OS uptime along with a more readable format for sensor uptime across supported platforms (excluding Windows Server Sensors). Ensured compatibility with a wide range of operating systems including Red Hat, CentOS, Ubuntu, Debian, SUSE, AlmaLinux, Amazon Linux, Mint, and Oracle. This enhancement provides immediate visibility into the operational duration of the OS and sensor, enhancing monitoring and troubleshooting capabilities.
-
AELDEV-38172: Improved the outputs of show userapp and show metalist to simplify the data returned in responses.
Introduced a filtering capability to the show userapp and show metalist commands, enabling users to exclude records by matching strings. This significantly reduces clutter from log forwarder entries and streamlines the visibility of relevant data by applying regular expression (regex) patterns.
-
AELDEV-36898: When a Stellar Cyber sensor receives a log for Windows event 5156 ("The Windows Filtering Platform has allowed a connection"), it normalizes it as a 5-tuple.
When the Windows Filtering Platform permits a connection between a program and a process on the same computer or a remote one, it logs the event as "Windows Filtering Platform has allowed a connection" with ID 5156. Stellar Cyber sensors normalize these events as a 5-tuple of source and destination IP address, source and destination port, and protocol, and include them in Interflow records.
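As an added example (not the sensor's own code), the 5156 normalization described above carried out in Python over a constructed 5156 message body; the output key names srcip, srcport, dstip, dstport and proto are assumed here and not taken from the release note:

```python
import re

# Added example, not Stellar Cyber sensor code: reduce a Windows Security event 5156
# message body to the 5-tuple (source/destination IP, source/destination port, protocol).

# Constructed sample of a 5156 message body in the indented "Label:<tabs>value" layout
# Windows uses. The Protocol value is the IP protocol number (6 = TCP, 17 = UDP).
SAMPLE_5156 = """The Windows Filtering Platform has allowed a connection.

Application Information:
\tProcess ID:\t\t4
\tApplication Name:\tSystem

Network Information:
\tDirection:\t\tInbound
\tSource Address:\t\t10.0.0.5
\tSource Port:\t\t49152
\tDestination Address:\t10.0.0.10
\tDestination Port:\t445
\tProtocol:\t\t6
"""

IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# One "Label: value" line; section headers such as "Network Information:" carry no
# value and therefore do not match.
FIELD_RE = re.compile(r"^[ \t]*([A-Za-z][A-Za-z /-]*?):[ \t]*(\S.*?)[ \t]*$", re.MULTILINE)


def parse_5156_fields(message: str) -> dict:
    """Return the 'Label: value' pairs of a 5156 message body as a dict."""
    return {label: value for label, value in FIELD_RE.findall(message)}


def normalize_5156(message: str):
    """Build the 5-tuple (plus direction) from a 5156 message, or None if a field is missing."""
    fields = parse_5156_fields(message)
    try:
        proto_num = int(fields["Protocol"])
        return {
            "srcip": fields["Source Address"],          # assumed key names
            "srcport": int(fields["Source Port"]),
            "dstip": fields["Destination Address"],
            "dstport": int(fields["Destination Port"]),
            "proto": IP_PROTO_NAMES.get(proto_num, str(proto_num)),
            "direction": fields.get("Direction", "").lower(),
        }
    except (KeyError, ValueError):
        # Incomplete or malformed body: do not emit a partial 5-tuple.
        return None


if __name__ == "__main__":
    print(normalize_5156(SAMPLE_5156))
```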
-
AELDEV-35710: Enhanced msgtype: 39 to include tenant ID, ensuring accurate log ingestion tracking by tenant.
Implemented enhancements in msgtype: 39 to include a tenant ID field, allowing Stellar Cyber to uniquely identify and track log ingestion per tenant. This modification ensures logs are attributed to the correct tenant, rather than defaulting to the root tenant, and it enhances multi-tenancy and accuracy in log source attribution.
-
AELDEV-35346: Blocked Tenable scanners from scanning the Modular Sensor system.
Implemented rules to prevent the Tenable scanner embedded in a Modular Sensor from scanning its own internal hardware and software components. This ensures scans are conducted as intended from a network perspective rather than as an internal OS scan.
Connectors
New Features
-
AELDEV-38097: Added a new Microsoft Defender for Cloud content type to the Azure Event Hub connector.
Successfully completed the integration of Microsoft Defender for Cloud with Stellar Cyber's Azure Event Hub connector. This integration ensures that detections from Microsoft Defender for Cloud are normalized and monitored effectively, enhancing the capability to raise cases for sophisticated Azure setups. This update aids SOC analysts in handling cases with detailed contextual information, vulnerabilities, and misconfigurations for improved investigation and risk scoring.
-
AELDEV-37146: Implemented the Huntress connector.
Successfully integrated with Huntress to provide improved alert and asset retrieval functionalities.
-
AELDEV-37136: Implemented Microsoft Defender for Cloud Apps connector for enhanced cybersecurity monitoring.
Added a connector for Microsoft Defender for Cloud Apps to enhance integration with Azure Cloud workload protection. This improvement includes integrating alerts for SOC analysts, enabling them to work on cases with contextual information, and leveraging Cloud Security Posture Management (CSPM). It also incorporates vulnerabilities and misconfigurations into scoring and investigations. Additionally, data normalization was refined by using machine learning feedback.
-
AELDEV-32018: Implemented ServiceNow Integration, InSyncs, for bidirectional communication and case management.
ServiceNow Case Integration feature was implemented, enabling the opening and closing of cases via ServiceNow. It supports bidirectional updates between Stellar Cyber and ServiceNow cases, including updates to case activity and requests for information. This ensures seamless communication and efficient case management across platforms.
-
AELDEV-31549: Integrated HYAS Protect DNS log reports and agents to support DNS log ingestion and analysis.
Developed a new connector for ingesting HYAS Protect DNS log reports and agents through the HYAS API. The connector normalizes the log data for analysis.
-
AELDEV-31303: Developed ESET responder using the ESET Cloud API.
The ESET responder includes the following response actions using the ESET Cloud API endpoints: Isolate computer from network, End computer isolation from network, On-Demand Scan, and Run command as actions. Use an ESET responder to configure a Webhook action that can be triggered manually or that can enhance Automated Threat Hunting (ATH) actions. Before configuring an ESET responder, the responder service must first be restarted. Contact Stellar Cyber technical support for assistance.
-
AELDEV-29088: Implemented the Palo Alto Networks CORTEX XDR connector.
Completed integration of the Stellar Cyber platform with Palo Alto Networks CORTEX XDR to enable SOC analysts to collect and work with log data from the Palo Alto Networks ecosystem. This integration facilitates enhanced monitoring and threat detection capabilities by leveraging the extensive log information from Palo Alto Networks.
-
AELDEV-27585: Implemented the Malwarebytes OneView connector for asset and detection data extraction.
Added integration with Malwarebytes OneView through the Malwarebytes OneView connector. This connector retrieves asset information and associated detections such as endpoint IDs and IP events directly from the OneView API.
Improvements
-
AELDEV-45957: Updated the normalization and enrichment of data received through the Duo Security connector to a new format.
When using the Duo Security connector, data normalizations and enrichments are now under a vendor namespace called “duosecurity”. As a result, custom Automated Threat Hunting (ATH) rules that use Duo Security fields must be migrated to the new format.
-
AELDEV-44124: Implemented API token authentication for Fortigate Firewall connector.
Added support for API token authentication in the Fortigate Firewall connector by allowing connectors to use API tokens in addition to traditional username/password authentication. This update facilitates more secure and versatile authentication options for Fortigate firewalls.
-
AELDEV-42061: Implemented an Incidents content type on the Broadcom SES connector to pull incidents.
Added functionality to the Broadcom Symantec Endpoint Security (SES) Connector enabling it to pull incident data using the /incidents API endpoint. This enhancement supports improved integration with Broadcom SES by leveraging incident-specific data, aiding in comprehensive threat analysis and response capabilities.
-
AELDEV-41735: Improved error messaging for the Fortigate Firewall connector.
Updated Fortigate Firewall connector error messaging to provide clearer guidance on resolving login failures. This specifically addresses scenarios where incorrect password usage resulted in ambiguous error feedback. The error message now explicitly suggests checking credentials and, if necessary, adjusting settings related to API version differences.
-
AELDEV-41009: Enhanced AWS WAF log parsing to include specific HTTP header fields.
Improved AWS WAF log parsing capabilities for enriched security insights by parsing 'Host', 'User-agent', and 'Content-Type' fields from AWS CloudWatch message objects. This enhancement supports more accurate detection of user agent anomalies and integrates with the Stellar Cyber reputation service for enhanced security alerting.
-
AELDEV-40725: Resolved Palo Alto Networks tags field conflict issues.
The fix addressed conflicts between endpoint and alert content types for Palo Alto Networks, particularly related to the tags field. Normalization was implemented to distinguish between object and list formats within the tags field, which resolved syslog entry errors and missing log collector messages in alerts.
-
AELDEV-39532: Added support for Assumed Role authentication on AWS CloudWatch connector.
Implemented support for Assumed Role authentication in the Cloudwatch connector, enhancing security and management across multiple connectors. You can now create an Identity and Access Management (IAM) user, enter an Amazon Resource Name (ARN) for a specific role, and the system will temporarily assign an ID/secret based on the assumed role.
-
AELDEV-38831: Enhanced the Proofpoint TAP connector to support disabling users through Active Directory.
Enhanced the Proofpoint Targeted Attack Protection (TAP) connector for better integration with Active Directory (AD). This update allows the system to use email addresses from Proofpoint logs to directly disable user accounts through AD, by normalizing email.recipient.addresses to ensure compatibility with AD user disablement requirements. This improvement facilitates quicker response actions against compromised accounts identified through TAP click events.
-
AELDEV-37633: Improved normalization and parsing to the Oracle Cloud Infrastructure (OCI) connector and added Virtual Cloud Network (VCN) flow logs.
The OCI connector enhancement allows independent treatment of various data types for normalization and parsing utilizing the 'oracle.type' field. There is better support for data events, specifically VCN flow records, by ensuring accurate classification and indexing.
-
AELDEV-36203: Enhanced parsing of Cloudflare Logpull data to elevate key fields for better detection triggers.
Refined the parser for Cloudflare Logpull data, ensuring critical fields are now elevated to the top level to enhance detection capabilities. This update facilitates more effective anomaly detection and strengthens WAF (Web Application Firewall) event identification by leveraging advanced parsing strategies.
-
AELDEV-35839: Added support to pull one month of prior vulnerabilities on the Microsoft Defender for Endpoint connector.
Updated the Microsoft Defender for Endpoint connector configuration to include a Lookback Time field, allowing the setting of a customizable lookback period in hours, with a maximum of 730 hours (approximately one month). This enhancement aids in capturing a broader range of vulnerabilities upon connector initialization or restart to better align data visibility with customer expectations.
-
AELDEV-34788: Enabled support for VPC Flow logs ingestion on the AWS CloudWatch connector.
Stellar Cyber now supports the ingestion of VPC Flow logs directly via the AWS CloudWatch connector, enhancing our integration capabilities. This update allows you to directly ingest Virtual Private Cloud (VPC) Flow Logs without relying on the CloudTrail connector, offering more flexibility and efficiency in log management. Adjustments include normalization and enrichment updates to ensure seamless integration and analysis.
-
AELDEV-33276: Enhanced the Duo Security connector to include the Trust Monitor content type.
Updated the Duo Security connector so it can process and ingest Trust Monitor events. This enhancement provides more detailed security event monitoring and custom alerting capabilities for Trust Monitor violations.
-
AELDEV-25219: Enhanced the Deep Instinct alert integration with additional key fields.
Updated the Deep Instinct alert integration to include new key fields such as MSP Name and File Hash, along with a tooltip for file paths and options for file hash actions. This enhancement simplifies actions like virus total checks and linking to events on the Deep Instinct portal directly from the UI. Implemented UI changes for better data presentation and interaction.
-
DATA-1965: Added WAF-related enrichments for F5 CEF ingestion
Implemented enrichment of Web Application Firewall (WAF) logs for F5 in CEF format. This enhancement enables the system to trigger detections based on specific WAF log content, improving threat detection capabilities for on-premises and cloud environments. The update includes modifications to customized parsers and templates, ensuring proper field enrichments and integration with the machine learning detection system.
Parsers
New Features
-
DATA-2006: Added a parser for Arista Networks Data Center Switch Router.
Added a parser for Arista Networks Data Center Switch Router on ingestion port 5747.
-
DATA-1977: Added a parser for Appgate VPN.
Added a parser for Appgate VPN on ingestion port 5743.
-
DATA-1976: Added a parser for ConnectWise ScreenConnect.
Added a parser for ConnectWise ScreenConnect on ingestion port 5744.
-
DATA-1941: Added a parser for McAfee Proxy logs.
Added a parser for McAfee Proxy logs, enabling the ingestion of logs on port 5739. This parser accurately extracts and processes key-value pairs from the logs, supporting enhanced data analysis and cybersecurity insights.
-
DATA-1829: Added a parser for Libraesva ESG.
Added a parser for Libraesva Email Security Gateway (ESG) on ingestion port 5742.
-
DATA-1927: Added a parser for Pentera Appliance logs.
Added a parser for the Pentera Appliance. This enhancement allows for efficient parsing of logs from the Pentera Pentest appliance, capturing crucial information such as task details, severity, status, and more via ingestion port 5737. The parser facilitates improved monitoring and analysis of penetration testing activities.
-
DATA-1915: Added a parser for Commvault Metallic ThreatWise logs.
Added a parser for Commvault Metallic ThreatWise, targeting syslog data on port 5736.
-
DATA-1906: Added a parser for Prophaze WAF logs.
Added a Prophaze WAF parser, enabling the ingestion of logs through port 5733. This update addresses the need for parsing updated log samples provided by the customer, ensuring compatibility with the latest log format specifications for improved detection and analysis capabilities.
-
DATA-1904: Added a parser for NVIDIA Mellanox Switch logs.
Added a parser for NVIDIA Mellanox Switch logs on ingestion port 5734, targeting logs in standard and WELF (key-value pair) formats. This update enhances log parsing capabilities and accuracy for NVIDIA Mellanox Switch, accommodating custom log variations with no available documentation from the vendor.
-
DATA-1897: Added a parser for the Vectra AI Platform logs.
Added a parser, enabling efficient processing of Vectra AI Platform logs. This parser accommodates Logpoint logs ingested via Vectra Agent, ensuring precise data parsing and integration.
-
DATA-1890: Added a parser for HPE Nimble Storage logs.
Added a log parser for HPE Nimble Storage on ingestion port 5731, supporting models AF-214611 and AF-214699. This parser handles audit and event logs, enhancing our monitoring capabilities of HPE Nimble Storage devices by extracting key log details more efficiently.
-
DATA-1864: Added a parser for Relianoid WAF logs.
Added a parser for Relianoid WAF on ingestion port 5730.
-
DATA-1820: Added a parser for Checkpoint SmartCenter.
Added a parser for Checkpoint SmartCenter on ingestion port 5741 to process Checkpoint SmartCenter logs.
-
DATA-1814: Added a parser for Nutanix NX.
Added a parser for Nutanix NX on ingestion port 5724.
-
DATA-1786: Added a parser for QNAP QTS logs.
Added a parser for QNAP QTS on ingestion port 5726.
-
DATA-1728: Added a parser for FortiADC.
Added a parser for FortiADC on ingestion port 5725.
-
DATA-1711: Added a parser for Cynerio logs.
Implemented a parser for Cynerio logs on ingestion port 5727.
-
DATA-1702: Added a parser for Citrix XenServer logs.
Implemented a parser for Citrix XenServer logs on ingestion port 5732.
-
DATA-1666: Added a parser for UMV WSS logs.
Added a parser for UMV WSS (Web Server Safeguard) on ingestion port 5709.
-
DATA-1604: Added the Cisco Catalyst SD-WAN log parser with the Netflow v9 format.
A Cisco Catalyst SD-WAN log parser for NetFlow format was introduced on ingestion port 5746.
Improvements
-
DATA-1958: Enhanced Snare Agent parser to enrich Windows-related fields from 'ExpandedString'.
Updated Snare Agent parser now enriches fields from the 'ExpandedString' for specific Windows Event IDs, including but not limited to 4624, 4625, 4771, 4776, and 4648. This update allows detailed parsing and mapping of fields directly from Snare logs to the expected Windows Event Log schema, improving the accuracy of log ingestion and the applicability of security detections.
-
DATA-1957: Resolved Cisco WLC parser error when processing logs sent to port 5531.
Addressed a reported issue with Cisco WLC logs that caused parser errors when transmitted to our parser on port 5531. Adjustments were made to correctly parse both JSON and CSV records from Cisco WLC, ensuring accurate log processing.
-
DATA-1953: Improved IBM AS400 parser to support CEF format logs.
Enhanced the IBM AS400 log parser for compatibility with the CEF (Common Event Format) log format. This upgrade includes support for all predefined fields and additional fields found in sample logs. Modifications were made to ensure comprehensive log analysis and improved functionality, accommodating a customer's request to avoid port changes.
-
DATA-1947: Enhanced the IIS nxlog parser for a specific customer to include URL and SIP fields.
Updated the Microsoft IIS log parser configuration to parse additional fields such as URL and SIP for a particular customer request. This involved creating a special customized parser configuration tailored to match the customer's log format and field requirements.
-
DATA-1945: Enhanced parsing for Fortinet FortiGate logs to include 'ftntfgtqname' and 'ftntfgtcatdesc' fields.
Updated the Fortinet - FortiGate (CEF) log parser to extract 'ftntfgtqname' and 'ftntfgtcatdesc' fields directly from 'msg_data' into the vendor namespace. This enhancement is compatible across multiple platform versions, ensuring improved data categorization and access for FortiGate users.
-
DATA-1944: Improved the Sophos Firewall parser to parse out additional fields from msg_data.
Moved the fields app_name, app_technology, app_category, bytes_received, bytes_sent, packets_received, and packets_sent out from msg_data for the Sophos Firewall parser.
-
DATA-1942: Improved Kemp Technologies Load Master LB Parser for enhanced log parsing.
Enhancements to the Kemp Technologies Load Master LB Parser include detailed parsing of the syslog_message field, employing regular expressions to decipher syslog messages more accurately and to extract key-value pairs. The updates involve significant modifications to the parser's codebase, improving overall log analysis and parsing fidelity.
-
DATA-1939: Updated the Huawei iMaster NCE-Campus log parser to support new log formats.
The Huawei iMaster NCE-Campus log parser was updated to include support for logs with a standard rfc3164 header, diverging from the format provided during initial development. This update introduces regex matching for the new header format to ensure comprehensive log parsing across versions 4.3.7, 5.1.1, and 5.2.0.
-
DATA-1938: Updated Cisco XE router log parser to support IOS versions from 16.09.02 to 17.09.02a.
Enhanced the existing Cisco XE router log parser to accurately parse logs across newer IOS versions, specifically from IOS-XE 16.09.02 to IOS-XE 17.09.02a. This update ensures compatibility with a broader range of Cisco XE routers, enhancing log analysis reliability and efficiency for these models. The parser now conforms to updated standards, excluding the previous 'parser_raw_msg' storage for a more streamlined data handling approach.
-
DATA-1926: Enhanced Aruba ClearPass log parsing for additional key-value fields.
Stellar Cyber improved the Aruba ClearPass Policy Manager (CEF) parser to better handle key-value pairing from the 'log.event_description' field. Specific keys such as 'User', 'Role', 'Authentication Source', and 'Client IP Address' are now accurately normalized and categorized. Additional keys are consolidated under 'msg_data' for comprehensive log analysis.
-
DATA-1921: Increased the length limit of the NXlog parser to support longer log entries.
Implemented an update to the NXlog parser, enhancing its capacity to handle log entries up to 32768 bytes in length, effectively doubling its previous capability. This improvement addresses issues with log entries being cut due to exceeding the former length limit, ensuring they are parsed and logged correctly without data loss. This change was applied to both the built-in and customized configurations, enhancing log management for systems utilizing NXlog for log collection and parsing, specifically targeting environments with larger log entries.
-
DATA-1894: Enhanced Checkpoint Harmony Endpoint parser for improved log field parsing.
Updated the Checkpoint Harmony Endpoint parser to accurately parse out and normalize additional log fields including 'trojan' values. Adjustments were made to ensure proper field mapping and to resolve conflicts with time field data, enhancing the fidelity of log information for security analytics and reporting.
-
DATA-1893: Updated the Radware DefensePro parser to enhance compatibility with rfc3164 and rfc5424 syslog formats and improved field normalization.
Enhanced the Radware DefensePro parser's support for rfc3164 and rfc5424 syslog formats, allowing better standardization and normalization of 'protocol' values to the 'proto' field across various log entries. The update ensures more accurate and consistent log parsing, especially for entries generated by APSolute Vision.
-
DATA-1881: Implemented RFC 5424 syslog coverage on the Aruba Switch parser.
Implemented RFC 5424 syslog coverage on the Aruba Switch parser on port 5577.
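The format support described in DATA-1893 and DATA-1881 comes down to recognizing which syslog header a line carries before any vendor-specific parsing runs. The following Python is an added example, not Stellar Cyber's parser code: it tells an RFC 5424 header from an RFC 3164 one, decodes PRI into facility and severity, extracts the TAG that RFC 3164 puts at the start of the message, and fills in the year that RFC 3164 timestamps lack. The sample lines are constructed, and the reference year and the UTC interpretation of RFC 3164 times are assumptions labelled in the code.

```python
import re
from datetime import datetime, timezone
from typing import Any, Dict, Optional

# Header grammars written for this example from RFC 5424 and RFC 3164; they
# cover the common well-formed shapes, not every corner of the standards
# (for instance, SD-PARAM values containing an escaped "]" are not handled).
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
# RFC 3164 TAG: "app:" or "app[pid]:" at the start of the message part.
TAG_RE = re.compile(r"^(?P<app>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?:\s*")


def parse_syslog(line: str, ref_year: int = 2024) -> Optional[Dict[str, Any]]:
    """Detect the syslog flavour of one line and return its header fields.

    Returns None when the line is neither format or carries an invalid PRI.
    """
    m = RFC5424_RE.match(line)
    if m:
        rec: Dict[str, Any] = {
            "format": "rfc5424",
            "app": None if m.group("app") == "-" else m.group("app"),
            "procid": None if m.group("procid") == "-" else m.group("procid"),
            "sd": None if m.group("sd") == "-" else m.group("sd"),
            "msg": m.group("msg") or "",
        }
        ts = m.group("ts")
        try:
            # "-" is the RFC 5424 NILVALUE; fromisoformat() before Python 3.11
            # does not accept a trailing "Z", hence the replace().
            rec["timestamp"] = None if ts == "-" else datetime.fromisoformat(
                ts.replace("Z", "+00:00"))
        except ValueError:
            rec["timestamp"] = None  # keep the line, just without a parsed time
    else:
        m = RFC3164_RE.match(line)
        if not m:
            return None
        # RFC 3164 timestamps have no year and no zone: the caller supplies the
        # year and the time is taken as UTC, both assumptions of this example.
        # Prepending the year also keeps "Feb 29" parseable (strptime would
        # otherwise default to 1900, which is not a leap year).
        stamped = datetime.strptime(f"{ref_year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        body = m.group("msg")
        tag = TAG_RE.match(body)
        rec = {
            "format": "rfc3164",
            "app": tag.group("app") if tag else None,
            "procid": tag.group("pid") if tag else None,
            "sd": None,
            "msg": body[tag.end():] if tag else body,
            "timestamp": stamped.replace(tzinfo=timezone.utc),
        }
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0-23, severity 0-7: anything larger is not syslog
        return None
    rec.update({"facility": pri >> 3, "severity": pri & 7,
                "host": m.group("host"), "raw_timestamp": m.group("ts")})
    return rec


# Constructed sample lines, not captured from a real DefensePro or Aruba device.
SAMPLES = [
    "<134>1 2024-05-01T12:00:00Z dp1 DefensePro - - - Attack=SYN Flood Protocol=TCP",
    "<134>May  1 12:00:00 dp1 DefensePro: Attack=SYN Flood Protocol=TCP",
    "<13>May 10 08:15:42 aruba-sw-01 mgmtd[1301]: Port 1/1/7 link up",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_syslog(line))
```

Trying the RFC 5424 pattern first is deliberate: its version digit after the PRI cannot appear in an RFC 3164 header, so the two never collide, while a looser RFC 3164 pattern tried first could swallow a 5424 line. Rejecting PRI values above 191 catches lines that merely look like syslog, and an unparseable timestamp keeps the record rather than discarding it, since a log you cannot time is still a log you want to keep.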
-
DATA-1876: Enhanced Fortinet FortiGate (CEF) log ingestion to support additional fields and IPS detections.
Updated the Fortinet - FortiGate (CEF) parser to accurately ingest and parse an expanded set of fields. Enhancements include better support for fields related to interface roles, geographical information, policy details, and application risk levels. Additionally, integrated IPS detection capabilities improve security event contextualization. These changes bolster our capability to offer deeper insights and more precise analytics for FortiGate users.
-
DATA-1874: Improved the Infocyte HUNT (CEF) parser.
Improved the Infocyte HUNT (CEF) parser to parse out the eventTime field. When it can be parsed as an epoch, it is normalized as event.timestamp. Otherwise, it is moved into the vendor namespace as is.
-
DATA-1847: Added a new log format for the Sonicwall VPN parser.
Implemented a new log format for the Sonicwall VPN parser.
-
DATA-1823: Enhanced the Ubiquiti UAP-AC-Pro parser.
Enhanced the Ubiquiti UAP-AC-Pro parser to support more kinds of logs.
-
DATA-1808: Improved the McAfee Firewall parser.
Implemented the ability of the McAfee Firewall parser to parse fields with longer names of up to 63 bytes.
-
DATA-1803: Improved Palo Alto Networks Firewall parser for better IPS normalization.
Enhanced the Palo Alto Networks Firewall parser to accurately normalize IPS-related logs. The msg_class for IPS records has been changed to ips, and the specific enrichments for the firewall msg_class will no longer be applied to IPS records. For example, the ids.threat.id field name changed to ips.signature_id and the ids.severity field name changed to ips.severity.
-
DATA-1802: Improved Fortinet FortiGate parser for better IPS normalization.
Updated the Fortinet FortiGate parser to enhance IPS-related enrichments. The severity and attackid fields were moved from msg_data to the vendor namespace. Enrichments are applied when type is utm and subtype is ips to align with detection integration requirements.
-
DATA-1671: Normalized Trend Micro Apex Central CEF parser fields.
Normalized ncie_threatname into threat in the Trend Micro Apex Central CEF parser.
-
DATA-1647: Added a new log format for the Proofpoint parser.
Added a new log format on the Proofpoint parser.
-
DATA-1264: Improved the Snare Agent parser.
Extended the Snare Agent parser to parse out the fields of these Windows events: 4624 (successful logon), 4625 (failed logon), 4656 (handle to an object requested), 4688 (new process created), 4768 (Kerberos TGT requested), 4771 (Kerberos pre-authentication failed), and 4776 (NTLM credential validation).
-
DATA-941: Added a new log format for the Windows DNS Server parser.
Added support for a new log format for the Windows DNS Server parser.
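Three of the items above (DATA-1874, DATA-1803 and DATA-1802) describe post-parse normalization rules rather than new log formats: an eventTime that is either an epoch or opaque vendor data, and IPS records that must be re-classed and have their fields renamed or moved before class-specific enrichment runs. The Python below is an added example of those rules, not Stellar Cyber's parser code. The flat record layout with msg_data and vendor sub-dicts, the msg_origin_source key naming the parser, the millisecond heuristic, and the use of a PAN-OS THREAT log with subtype vulnerability as the IPS case are all assumptions of the example; the field names and conditions that come from the page are marked as such in the comments.

```python
import copy
import re
from datetime import datetime, timezone
from typing import Any, Dict

# Record layout assumed for this example: a flat dict of normalized fields plus
# "msg_data" (leftover parsed keys) and "vendor" (vendor-namespace fields).
# "msg_origin_source" holding the parser name is also an assumption.

_EPOCH_RE = re.compile(r"\d{1,13}(?:\.\d+)?")


def normalize_event_time(rec: Dict[str, Any]) -> Dict[str, Any]:
    """Infocyte HUNT eventTime: epoch -> event.timestamp, anything else -> vendor."""
    raw = rec.pop("eventTime", None)
    if raw is None:
        return rec
    text = str(raw).strip()
    # A strict pattern rather than float(): float() would happily accept
    # "nan", "inf" or "1e9", and the conversion below would then misbehave.
    if not _EPOCH_RE.fullmatch(text):
        rec.setdefault("vendor", {})["eventTime"] = raw  # kept as is, per the page
        return rec
    epoch = float(text)
    if epoch > 1e11:  # assumption: 13-digit values are milliseconds
        epoch /= 1000.0
    rec["event.timestamp"] = datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()
    return rec


# Field renames the page lists for Palo Alto IPS records.
PAN_IPS_RENAMES = {"ids.threat.id": "ips.signature_id", "ids.severity": "ips.severity"}
# FortiGate fields the page says move from msg_data to the vendor namespace.
FORTI_IPS_VENDOR_FIELDS = ("severity", "attackid")


def normalize_ips(rec: Dict[str, Any]) -> Dict[str, Any]:
    """Re-class IPS records as msg_class "ips" and relocate their fields."""
    msg_data = rec.setdefault("msg_data", {})
    source = rec.get("msg_origin_source")
    is_ips = False
    if source == "palo_alto":
        # Assumption: a THREAT log with subtype "vulnerability" is the IPS case;
        # the page does not say which PAN-OS subtypes the parser treats as IPS.
        if msg_data.get("type") == "THREAT" and msg_data.get("subtype") == "vulnerability":
            is_ips = True
            for old, new in PAN_IPS_RENAMES.items():
                if old in rec:
                    rec[new] = rec.pop(old)
    elif source == "fortigate":
        # Condition stated on the page: enrichments apply when type=utm and subtype=ips.
        if msg_data.get("type") == "utm" and msg_data.get("subtype") == "ips":
            is_ips = True
            vendor = rec.setdefault("vendor", {})
            for field in FORTI_IPS_VENDOR_FIELDS:
                if field in msg_data:
                    vendor[field] = msg_data.pop(field)
    if is_ips:
        # Downstream enrichers keyed on msg_class now see "ips", so the
        # firewall-specific enrichments are no longer applied to these records.
        rec["msg_class"] = "ips"
    return rec


def normalize(rec: Dict[str, Any]) -> Dict[str, Any]:
    """Run both rules on a copy so the caller's record is left untouched."""
    return normalize_ips(normalize_event_time(copy.deepcopy(rec)))


# Constructed records, not output of the real parsers.
PAN_RECORD = {
    "msg_origin_source": "palo_alto", "msg_class": "firewall",
    "msg_data": {"type": "THREAT", "subtype": "vulnerability"},
    "ids.threat.id": "30001", "ids.severity": "high",
}
FORTI_RECORD = {
    "msg_origin_source": "fortigate", "msg_class": "firewall",
    "msg_data": {"type": "utm", "subtype": "ips", "severity": "critical", "attackid": "43927"},
}
INFOCYTE_RECORDS = [{"eventTime": "1714564800000"}, {"eventTime": "2024-05-01T12:00:00Z"}]

if __name__ == "__main__":
    for r in (PAN_RECORD, FORTI_RECORD, *INFOCYTE_RECORDS):
        print(normalize(r))
```

The order matters for detections that key on msg_class: re-classing has to happen before any enricher runs, which is why this example does it in the normalizer rather than leaving the firewall enricher to skip IPS records itself. The strict epoch pattern is the edge case to keep: a timestamp field that fails to parse should be preserved in the vendor namespace, not coerced into a wrong event.timestamp that silently shifts the event in time.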
Operational Notes
-
Keep in mind that the global Status filters available at the left of most Stellar Cyber tables (All Open, New, In Progress, Ignored, and Closed) apply only to security events (alerts). They do not apply to cases. You can apply Status filters to cases, too, but only from the Cases interface itself. The names of the Status filters for cases are also slightly different from those available for alerts.
-
Lookup strings for hash values should not include the SHA= or MD5= prefix. Enter these strings using just the hash value itself.
Known Issues
-
The Sensor content type for Cybereason's connector requires the System Admin role and Sensor Admin L1 role (if your Cybereason environment uses sensor grouping) to collect.
-
Due to an ongoing issue with Cybereason's Query Sensors API, the Cybereason connector may not always be able to retrieve host IP addresses, resulting in missing host information in alerts and incomplete case correlation.
-
When a new tenant is onboarded, the rare-type alerts (anomaly_tag:rare) triggered from Private/Public to Private/Public Exploit Anomaly, Scanner Reputation Anomaly, External / Internal Non-Standard Port Anomaly, Carbon Black:XDR Anomaly, and CylanceOPTICS:XDR Anomaly may have an unusually large days_silent and a higher than usual fidelity. This issue will be addressed in a future release.
-
In the rare cases when the Stellar Cyber menu options have been significantly reorganized, such as in v4.3.0, it is possible that administrators will need to review settings for their custom user RBAC profiles. For example, any changed path to User Management, Connectors, or Visualize is considered by Stellar Cyber to be a "new feature". So if you have user profiles with Behavior for New Features in Future Releases set to No Access, they will not be able to access these features. Since the menu options were significantly changed in v4.3.0, migrations from older releases to v4.3.x and beyond warrant this review.
-
If you use a Cynet connector to perform a Contain Host or Shutdown Host on a host that is already disabled, shutdown, or otherwise not reachable, Cynet returns a status that the request was successful which is reported in the Stellar Cyber UI. If you are not certain whether an action was successful, you may verify it in the Cynet dashboard.
-
Deleting a Data Sink Import or Restore task and then creating a new one with the same dates results in duplicate data for any pre-4.3.1 data requested by the task.
-
To prevent an inconsistent database state, make sure you delete any active Data Sink import or restore tasks before using the Clear Database option in the System | Data Management | Advanced tab.
-
Operators are enabled in pick list menus when they are supported with the selected field or rule. For this reason, use the menu-based queries rather than the Search keyword field with these operators. Examples include contains, does not contain, and is operators. Additional fields / rule support will be added in the future.
-
During upgrade to v4.x and later, the alert type definitions are migrated to a new internal format, but the alert name remains the same in the UI. If the data you are viewing contains alerts generated from prior to the upgrade, be advised that those will be treated as separate from the alerts generated by the new, migrated definition (even though the alert name appears to be the same). Optionally, rename your alerts to more easily identify alerts generated from the old definitions from those created post upgrade.
-
To upgrade Windows Server Sensors, use the software upgrade feature (System | Sensors | <sensor-name> | Manage | Software Upgrade). Although you can use the System | Agents | Windows page to download MSI and/or MST files for Windows Server Sensor installations, these files should only be used for fresh installations and re-installations, not for upgrades.
-
Currently, administrators need to use the Stellar Cyber UI to upgrade existing 4.2.2 Windows agent sensors. Download the GPO configuration in UI System | Agents | Windows only for new sensor installation or sensor re-installation.
-
You cannot delete a Data Sink that has an active import or restore in the Data Sink Import or Data Sink Restore tabs. Delete any active import/restore tasks for the data sink, wait at least ten minutes, and then delete the data sink.
-
Log Forwarder collects per-source statistics for only a limited number of distinct log source IP addresses per Log Forwarder worker. Once that limit is exceeded, statistics for the additional log source IP addresses are aggregated under a catch-all address of 0.0.0.0. Note: In releases prior to 5.1.1 the limit was 100; the 5.1.1 release raised it to 200 for sensors with more than 8 GB of memory.
-
When a modular sensor is configured as a Log Forwarder-only sensor (Network Traffic and other features are not enabled), the Log Forwarder might periodically restart if there isn't enough sensor memory. Stellar Cyber recommends that the sensor memory (in GB) be at least 1.5 times the CPU core number. For example, if the sensor has a total of 8 cores, the sensor should have at least 8 * 1.5 = 12 GB of memory.
-
A modular sensor upgrade will fail when the associated modular sensor profile has the IDS or Sandbox features enabled and the corresponding feature license is not assigned to the sensor. Workaround: Authorize the sensor with an IDS and Sandbox license, or in the modular sensor profile, disable the IDS and the Sandbox features and try to upgrade again.
-
Stellar Cyber recommends using the same CPU and Memory specifications for DL nodes. Variations in specifications across worker nodes can cause Data Lake stability issues.
-
When multiple traffic filters in different tenants are defined with the same combination of IP, port, protocol, and layer 7 rules, the sensor only takes the filter belonging to the same tenant with the sensor and ignores the others. Administrators should review the defined traffic filters and avoid creating duplicate definitions.
-
Files may not be assembled by Security Data Sensors for traffic mirrored from physical interfaces on Cisco Nexus 9K models. As a workaround, configure VLAN mirroring on the Cisco switch.
-
If you change the network interface configuration of a sensor’s VM after deployment, the eth0 interface may be remapped to a new interface. If this happens, the management network is disconnected. Contact Customer Success for assistance.
-
If you configure a sensor's aggregator using its hostname instead of its IP address, the aggregator does not appear in the Sensor List. This does not affect the sensor's ability to communicate with the DP through the aggregator.
-
Deleting Elasticsearch data from the Root Tenant in the System | Data Management | Advanced tab deletes data from sub-tenants as well.
Upgrading the Stellar Cyber Platform
You can upgrade the Stellar Cyber Platform from 4.3.7 or later to 5.2.0. You must:
For more detailed instructions, refer to the Stellar Cyber online documentation section Upgrading Software.
Preparing for the Upgrade
To prepare for the upgrade:
- Back up the data and configuration
- Make sure the sensors are up and running
- Take note of the ingestion rate
- Take note of the number of alerts
- Make sure the system health indicator shows
- Run the pre-upgrade check
Upgrading the Stellar Cyber Platform to 5.2.0
-
Select Admin | Software Upgrade.
-
Choose 5.2.0.
-
Select Start Upgrade.
Upgrading Sensors
New features, updated ML algorithms, and enhanced configurations may change ingestion and detection patterns. We recommend the following to ensure a smooth upgrade:
- Upgrade sensors with the Sandbox and IDS features enabled before sensors with only the Network Traffic feature enabled. Sensors with Network Traffic enabled send data to sensors with Sandbox and IDS enabled for additional processing.
- Upgrade sensors in batches instead of all at once.
- For server sensors (agents):
- Upgrade a small set of sensors that cover non-critical assets.
- After 24 hours, ensure that your ingestion is as expected, then upgrade a larger set.
- After 24 hours, ensure that your ingestion is as expected, then upgrade the remaining server sensors.
- Windows Server Sensors running 5.1.0 do not support sensor profiles that contain Unicode text; Windows Server Sensors running 5.1.1 or later do. If you want to use Unicode in your sensor profiles, upgrade the Windows Server Sensors to 5.1.1 or later before downloading any profile that contains Unicode to them.
To upgrade Linux or Windows Server Sensors:
If you are upgrading a Windows Server Sensor, complete any pending updates for the host Windows machine before upgrading the Server Sensor.
-
Select System | Sensors.
The Data Sensor List appears.
-
Select Software Upgrade in the Manage dropdown.
The Data Sensor Software Upgrade page appears.
-
Choose the target software version.
-
Choose the target sensors.
-
Submit.
Verifying the Upgrade
To verify that the upgrade was successful:
- Check the Current Software Version on the Admin | Software Upgrade page.
- Make sure the sensors are up and running.
- Check the ingestion rate and make sure it is as expected.
- Check the number of alerts and make sure it is as expected.
- Check the system health indicator:
- indicates a perfectly healthy system.
- indicates minor issues. Monitor the system for 30 minutes. If the issues remain, investigate further.
- indicates major issues. Contact Technical Support.