Stellar Cyber 5.3.0 Release Notes
Software Release Date: November 14, 2024
Release Note Updated: November 14, 2024
The Stellar Cyber 5.3.0 release brings the following exciting improvements to the Stellar Cyber Open XDR platform.
The release notes are organized into the following sections:
Highlights
- Introduced Detection Management in Stellar Cyber Open XDR 5.3.0. Detection Management enhances SOC teams' control over detection rules, providing customizable alert settings, real-time insights, and improved visibility for optimized threat detection.
- Supplemented the existing query builder and alert filter builder with a new, unified interface for creating and testing queries and creating alert filters: the Query and Filter Manager. You can now create queries and alert filters through a cohesive experience.
- Added Case Resolution field to Case Management.
- Implemented user identification for deleted files and folders on Windows servers through Object Access Auditing and audit rules.
- Added the ability to toggle the Network Traffic option in Sensor Profiles for Linux-based sensors.
- Implemented a warning for updating queries that use an outdated format.
- Fixed slow performance due to a memory leak on System | Sensors page after the 5.2.0 upgrade.
Actions Required
- The new Query Builder introduces an updated schema. Make sure to update any queries in the new query table that are using the old schema flow. They will be flagged for review.
- Update any configurations with field changes noted in the Behavior Changes section.
Behavior Changes
Changes that affect the way you interact with the product or interpret results are listed below.
- The aella_flow module is now optional for Linux-based sensors; it can be disabled with the Network Traffic option in a standard sensor profile.
- Do not rely on free-disk-space checks performed by server sensors. Instead, set log rotation policies appropriate for the log volume of the server workloads.
- Fortigate CEF parser – Fields were moved from msg_data to the vendor namespace.
- Epay parser – Two timestamps are now parsed: one in the Logstash header and one in the message section.
- Checkpoint Harmony Endpoint parser – The attack_status and service_domain fields were relocated from under msg_data to the checkpoint container.
- Aliyun parser – Fields were moved from msg_data to the vendor container.
- ESET PROTECT parser – The group_description field was relocated to the vendor container.
- Palo Alto Networks Prisma Cloud parser – The CVE, CVSS, and package path fields are now extracted into separate fields in the vendor namespace.
- Cisco ASA parser – Support for permitted as an action field value was added, and dst_service is now normalized as dstport.
- Sophos parser – An additional ten fields are now extracted from msg_data.
- Incapsula SIEM Integration parser – Seven additional fields are now normalized.
- Aliyun parser – Six additional fields are now normalized.
- OpenVPN parser – The field openvpn.detial_message has been renamed to openvpn.detail_message to ensure the proper parsing of logs.
Deprecated Features
The following features have been deprecated in this release.
- The Use a query as preset filter feature for user profiles is deprecated in 5.3.0 and scheduled for removal in 5.5.0.
Detection/ML
New Features
Integrated third-party alert functionality for ESET Protect. This allows ESET alerts and case correlations to be visualized within the Stellar Cyber platform.
Sensor status monitoring for Windows agents has been upgraded to handle some issues with incorrect status reporting. In particular, sensors will be considered as disconnected if they stop reporting a connected status, even if they don't report a disconnected status, and alerts will now include whether or not the sensor has been sending data. Additionally, status records for these sensors will be written to the syslog index with msg_origin.source:sensor_status_monitoring.
Introduced a new set of cloud observables in Case Management Analysis tab to support correlations of alerts from Microsoft Defender for Cloud into cases. This feature enriches the existing set of observables, enabling seamless integrations of cloud security products.
Improvements
Enhanced the priority list for Microsoft case correlation on user-related key fields, ensuring better case correlation across Microsoft products. This change prioritizes "user.name" over "srcip_username" to correlate user entities across three Microsoft products (Office 365, Microsoft Entra ID (formerly Azure AD), and Microsoft Defender for Cloud Apps), maintaining consistency in case correlation behavior for other products and ingested events.
Improved user account filtering from Office 365 and Google Workspace for entity licensing. The change improves the explanation of entity licensing through removing user accounts that likely do not belong to the user’s Office 365/Google Workspace subscription.
Enhanced the Original Records feature to enable querying and retrieving raw events that trigger Microsoft 365 alerts. This improvement aids in providing more accurate data for investigation workflows by leveraging specific queries appropriate to the alert types from Microsoft 365.
Resolved an issue where the Office 365 user deletion alert was incorrectly triggered by duplicate entries in the Target field, causing false positives for single user deletions.
Made six new rulesets available for selection in Modular Sensor profiles:
- adware_pup.rules
- coinminer.rules
- exploit_kit.rules
- hunting.rules
- ja3.rules
- phishing.rules
These six rulesets are not enabled by default. To enable them, select System | Sensor Profiles, add or edit a Modular Sensor profile, enable and expand IDS, expand Signature, click below the preselected rulesets in the Selected Rules field, make your selections, and then Submit your changes.
Merged the trojan.rule field into malware.rules. Due to this change, alerts previously triggered under the Internal/External Trojan alert type are now triggered under the Internal/External Other Malware alert type.
Added a hostname (when available) to the IP address in each record for assets in entity licensing. This makes it easier to understand the legitimacy of assets.
Enhanced the username and source/destination IP normalization on Microsoft products, which includes Microsoft Defender for Cloud Apps, Microsoft Entra ID (formerly Azure AD), and Microsoft 365 (Office 365). The new normalization field on username and event source/destination IP now includes user.name, user.id, srcip, srcip_username, srcip_usersid, srcip_host, and dstip_host if this information is in the ingested Microsoft event data. This improvement allows Stellar Cyber to better correlate alerts from different Microsoft products that share the same user ID/username.
Updated the process_creation_commandline_106 rule to the latest version in SigmaHQ. The updates include changes to the title, description, detection logic, and severity.
The Login Time Anomaly alert type now queries for records by write_time rather than timestamp. This improves coverage by negating the impact of ingestion delays for certain data sources.
Added srcip2_type, srcip2_version, and engid_gateway2 to the Impossible Travel Anomaly alert type to indicate the source IP address type, version, and gateway in the previous login event. These additions enhance the ability to filter and search based on private IP addresses.
Improved the alert deduplication mechanism to better filter out duplicate or outdated alerts triggered by status changes in third-party products. This enhancement currently applies only to integrations with SentinelOne and CrowdStrike alerts.
Integrated Microsoft Sentinel incident alerts to leverage investments of Microsoft Sentinel Incidents in Stellar Cyber. Note that the integration focuses exclusively on Microsoft Sentinel Incident data and only supports data transferred through Azure Event Hub. The alert type has the following format: "Microsoft Sentinel Incident: {microsoft_sentinel.Title}" For example, "Microsoft Sentinel Incident: 'Kekeo' malware was detected."
Updated the table on System | Detection Management to display the type of each detection: ML (Machine Learning), RULE (rule-based detections, which include Sigma rules and analytics rules), or 3rd party (detections learned from third-party integrations).
Platform
New Features
Supplemented the existing query and alert filter builders on feature pages throughout the Stellar Cyber UI with the Query and Filter Manager, a new, unified interface for creating and testing queries and creating alert filters. You can now create queries and alert filters through a cohesive experience.
Improved the Stellar Cyber Chat interface to support multiple languages. You can use the Language drop-down list at the bottom of the Stellar Cyber Chat window to change the language Stellar Cyber Chat uses to answer questions. Stellar Cyber Chat usually recognizes the language you use to ask a question regardless of the setting of the Language drop-down. However, the chatbot only answers in the language specified by the drop-down.
Whether you intend to offboard a tenant (System | Tenants | Delete icon) or continue using a tenant (System | Data Management), you can choose database indices to purge tenant data from: Records, Assets, Users (asset users), and Cases.
Implemented a feature to identify users who deleted files and folders in Windows File Integrity Monitoring (FIM). This requires correlating FIM events with Windows audit events 4663 and 4656. You need to enable Object Access Auditing and create audit rules on the Windows server for targeted files and folders. The system enriches FIM records with user information from audit logs, providing enhanced details for threat hunting and compliance reports.
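The enrichment described above correlates a FIM delete record with the Windows audit event (4663 or 4656) that names the same object and carries DELETE access. The following is an added illustration, not Stellar Cyber's own code: all records are constructed, the field names (path, object_name, subject_user, access_mask) are assumptions, and the match is done on a normalized object path within a short time window.

```python
"""Added example (not Stellar Cyber code): enrich Windows FIM delete records with the
user from Security events 4663/4656, matched on object path within a time window.
All event samples are constructed; the field names are assumptions."""
from datetime import datetime, timedelta

# Constructed FIM records: what a file-integrity monitor emits on a change.
FIM_RECORDS = [
    {"timestamp": "2024-11-14T10:00:05", "action": "deleted",
     "path": r"C:\Shares\Finance\q3.xlsx"},
    {"timestamp": "2024-11-14T10:07:00", "action": "deleted",
     "path": r"C:\Shares\Finance\notes.txt"},        # no matching audit event
    {"timestamp": "2024-11-14T10:00:40", "action": "modified",
     "path": r"C:\Shares\Finance\q3.xlsx"},          # not a delete: left alone
]

# Constructed Security-log object-access events. Access mask bit 0x10000 is DELETE.
AUDIT_EVENTS = [
    {"event_id": 4663, "timestamp": "2024-11-14T10:00:03", "subject_user": "CORP\\jdoe",
     "object_name": r"C:\Shares\Finance\Q3.xlsx", "access_mask": 0x10000},
    {"event_id": 4663, "timestamp": "2024-11-14T09:30:00", "subject_user": "CORP\\asmith",
     "object_name": r"C:\Shares\Finance\q3.xlsx", "access_mask": 0x20089},  # read, not delete
    {"event_id": 4656, "timestamp": "2024-11-14T10:00:02", "subject_user": "CORP\\jdoe",
     "object_name": r"C:\Shares\Finance\q3.xlsx", "access_mask": 0x10000},
]

DELETE = 0x10000
WINDOW = timedelta(seconds=10)   # assumption: audit and FIM timestamps are within seconds


def _ts(s):
    return datetime.fromisoformat(s)


def _norm(path):
    return path.lower()           # NTFS paths compare case-insensitively


def enrich_fim_deletes(fim_records, audit_events, window=WINDOW):
    """Return copies of fim_records; delete records gain 'user' and 'audit_event_id'
    from the nearest 4663/4656 event with DELETE access on the same object path.
    A delete with no matching audit event gets user=None so the gap is visible."""
    candidates = [e for e in audit_events
                  if e["event_id"] in (4663, 4656) and e["access_mask"] & DELETE]
    out = []
    for rec in fim_records:
        rec = dict(rec)
        if rec["action"] == "deleted":
            best = None
            for e in candidates:
                if _norm(e["object_name"]) != _norm(rec["path"]):
                    continue
                gap = abs(_ts(rec["timestamp"]) - _ts(e["timestamp"]))
                if gap <= window and (best is None or gap < best[0]):
                    best = (gap, e)
            rec["user"] = best[1]["subject_user"] if best else None
            rec["audit_event_id"] = best[1]["event_id"] if best else None
        out.append(rec)
    return out


if __name__ == "__main__":
    for r in enrich_fim_deletes(FIM_RECORDS, AUDIT_EVENTS):
        print(r)
```

A delete record that receives user=None is worth surfacing rather than silently dropping: it usually means the SACL audit rule does not cover that path, which is exactly the gap the Object Access Auditing requirement above is meant to close.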
Improvements
Extended the import task time range from 720 hours (30 days) to 744 hours (31 days). This enhancement allows for the import of cold data for a full month, including longer months.
Reduced the delay for the threat_syn_flood rule from 240 minutes to 5 minutes. The rule now queries based on write_time instead of timestamp, ensuring a more efficient process with a maximum of 10-minute delay after the original document is written to Elasticsearch. Similar adjustments were made for the following rules: external_ssh_success_brute_forcer (30 minutes), internal_ssh_success_brute_forcer (35 minutes), external_cloud_success_brute_forcer (30 minutes), and internal_cloud_success_brute_forcer (35 minutes).
Included the value of the srcip_reputation field in the alert description for Bad Reputation Login rules; that is, when there is a value. The field might be empty.
If the field is available, the xdr_event.description for the alert created by this rule is as follows:
The account {{SRCIP_USER}} logged on from a suspicious machine ({{SOURCE_HOST}}) that has a reputation category of {{srcip_reputation}}.
Otherwise, it appears as follows:
The account {{SRCIP_USER}} logged on from a suspicious machine ({{SOURCE_HOST}}).
Updated the Threat Hunting correlation interface to enhance the time range selection. The adjustment includes a more intuitive correlation time switch, an optimized user workflow, and increased efficiency. Changes span across multiple files, refining both the UI and underlying logic.
Removed the enrichment of detected_values for alert records, optimizing the handling process. The UI now exclusively uses detected_fields to query original documents, supporting period-separated nested values (for example, dns.question.registered_domain). If a field has no value, it's ignored during processing. This change improves code efficiency and robustness.
Fixed an issue where switching the global tenant filter caused log filters for other tenants to appear on the sensor overview page and prevented profile edits when tenant filters were present. The Sensor Profile column is now disabled in the tenant view to align with related edit/delete behaviors.
Clarified the notification that appears when Stellar Cyber sends an email message with a file attachment that's too large for email servers to forward. The message appears when you select Respond | Automation and then … | Last Status for one of the Automated Threat Hunting playbooks. The revised message more clearly states the situation: Attachment too large (Email server returned 500, message: None), sent without interflow attachment ( sent to: user@domain.name ). In addition, the Executed successfully field shows a red x to indicate no attachment was included.
Added a task list for tracking asset updates, which don't occur immediately and are performed asynchronously in the background. To track the progress of asset updates you have initiated, you can now refer to the Task List.
Resolved an issue where only one calculation CSV was sent in an email when multiple calculations were configured. Now, emails correctly send all calculation results. If multiple calculations are configured, multiple CSV files are sent.
Made login email addresses case insensitive, improving usability. This change necessitates handling duplicate emails as was previously documented in the 5.1.1 release notes. Usernames with “@” are not supported for login; email addresses must be used instead.
Sensors
New Features
Enhanced the Linux Server Sensor to support installation in Kali Linux 2023.4, Rocky Linux 9, Oracle Linux 8.6, Oracle Linux 8.8, SUSE 12 SP5, and SUSE 15 SP5.
Added ability to toggle Network Traffic analysis (aella_flow) on and off in the Sensor Profile for Linux-based sensors. With Network Traffic disabled, the sensor operates as a Log Forwarder. None of the other features in the Network tab are available for selection or configuration. In addition:
- Malware Sandbox is disabled in the Sensor tab.
- IDPS is disabled in the Sensor tab.
When disabling Network Traffic, a dialog prompts you to decide whether to clean buffered data, allowing for more control over sensor configurations.
Improvements
Enhanced the Linux Server Sensor installation script to support configuration of the tenant ID together with the address of the managing Stellar Cyber platform. This update lets you specify both the managing platform IP/hostname and the tenant ID using command line arguments, streamlining the server sensor deployment process.
Enhanced the show logforwarder CLI command to show whether the Log Forwarder | HTTP JSON Parser feature is enabled in the sensor profile. The command adds the status of the HTTP JSON Parser setting to existing log forwarding details, such as Syslog TLS and Raw Log Capture. This enhancement helps you determine the status of the HTTP JSON Parser feature on the sensor without having to take additional steps.
After applying Windows updates, there was an issue where the Windows Server Sensor stopped collecting Security-Audit logs until the aella_winlog service was restarted. Resolved this issue by implementing a mechanism to handle errors more gracefully, ensuring continuous log collection.
Previously, a Windows server sensor would check available disk space and return an error if the disk did not have at least the estimated minimum disk space required. The estimation technique was unreliable given the vast number of different server workloads and log generation rates. This disk space check has been removed and Stellar Cyber encourages you to set log rotation policies that are appropriate for the log volume of your use cases.
Resolved an issue where DPDK (Data Plane Development Kit) failed to run on new Ubuntu 22.04 modular sensors by updating the sensor configuration to default to AF_PACKET instead of DPDK due to kernel module version mismatches. DPDK-compatible NICs were not found, resulting in fallback to AF_PACKET. Verified that aella_flow can run with AF_PACKET without significant performance loss.
Connectors
New Features
Updated the Amazon Security Lake connector to support OCSF 1.1. The update includes the deprecation of the security finding event class in favor of specific classes such as Vulnerability Finding, Compliance Finding, Detection Finding, and Incident Finding. Table names in Security Lake now include versioning (for example, 2_0). Additionally, new partitions are utilized in Security Lake buckets for version 2.0, and native support for WAF logs and EKS Audit logs has been added. Integration queries must be updated to utilize these changes.
Implemented normalization for events coming through Azure Event Hub from Microsoft Sentinel. The data normalization rules were developed in collaboration with both the Machine Learning team and customer feedback. This ensures consistent and accurate categorization of log data from Azure Event Hub providing logs from Microsoft Sentinel and Microsoft Defender for Cloud sources. You can configure this in the Event Source settings in the UI and Stellar Cyber will automatically apply the appropriate parsing rules based on source system attributes.
Due to the data that is from Event Hub, Stellar Cyber only filters the incident data and some native alerts generated by Microsoft Sentinel. For alerts generated from other data sources, Stellar Cyber cannot filter them from the Event Hub data flow.
Added integration with Armis Threat Detection, enabling SOC analysts to work on alerts and monitor IoT environments.
Implemented a new ExtraHop connector to support the Reveal(x) 360 appliance.
Added support for the Cynet connector to pull hosts, alerts, and audit logs. This integration facilitates improved data management and alerting for MSSP partners.
Integrated the 1Password connector, leveraging the Events API to ingest data. This allows 1Password Business customers to send audit events, item usage events, and sign-in attempts directly to Stellar Cyber. Data retrieved via the REST API includes detailed logs about account activities and usage, which can be integrated into SIEM tools for security monitoring and analysis.
Improvements
Supported additional SOC use cases by parsing all fields in office365.Data. The parsed fields are now available under office365.Data_obj.
Enhanced the enrichment functionality for ingested ExtraHop Reveal(x) 360 detection events with additional IP address enrichment capabilities.
Updated the Hillstone connector to correctly handle login and API requests by ensuring proper encoding for the username and handling of additional cookie fields. Previous connector versions were not compatible with changes in the Hillstone API. The connector now supports both older and newer Hillstone versions by enriching error handling and encoding mechanisms.
Added support for MSGTYPE 99 emissions for Trellix MVISION devices. This update includes normalizations for srcip, srcmac, and srcip_host. Device data is now ingested correctly, ensuring accurate data capture and processing.
Relocated the Cisco Umbrella connector from the Web Security category to the DNS Security category. Existing configurations automatically reflect this change and new connectors appear in the DNS Security drop-down list during configuration.
Added a configuration option to the Universal Webhook Responder that lets you disable SSL certificate verification on a per connector basis. This feature is useful for environments using self-signed certificates, lab setups for testing, or as a workaround for wildcard certificates, and enhances flexibility while maintaining security.
Updated the SentinelOne Test button to emit error logs and results instead of discarding them. Enhanced logging was implemented to log both outcomes and exceptions, providing detailed error messages. The function now properly processes various content types and handles exceptions, ensuring more informative feedback for troubleshooting.
Updated the Imperva Web Application Firewall (WAF) log format so that all fields exist under the vendor namespace (imperva). Data previously present under msg_data with the format {name: <name>, strvalue: <value>} has been updated to have the typical format of imperva.<name>: <value>.
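To make the Imperva restructuring concrete, here is an added example (not Stellar Cyber code) that converts a record from the old msg_data shape into imperva.<name> fields. It assumes msg_data is a list of {name, strvalue} objects and that the vendor namespace is a nested imperva object; the sample record is constructed, and entries that do not match the documented shape are kept under msg_data rather than silently discarded.

```python
"""Added example, not Stellar Cyber code: restructure an Imperva WAF record so that
name/strvalue pairs under msg_data become imperva.<name> fields.
Assumptions: msg_data is a list of {name, strvalue} objects and the vendor
namespace is a nested 'imperva' object. The sample record is constructed."""

# Constructed record in the old shape described in the release notes.
OLD_RECORD = {
    "msg_class": "imperva_waf",
    "msg_data": [
        {"name": "act", "strvalue": "alert"},
        {"name": "src", "strvalue": "203.0.113.5"},      # documentation-range address
        {"name": "requestClientApplication", "strvalue": "curl/8.0"},
        {"value": "stray"},                               # malformed: no name/strvalue
    ],
}


def imperva_flatten(record):
    """Return a new record with each {name, strvalue} entry moved to imperva.<name>.
    Entries that do not match the documented shape stay under msg_data so that
    nothing is lost; the input record is not modified."""
    out = {k: v for k, v in record.items() if k != "msg_data"}
    vendor = dict(out.get("imperva", {}))
    leftovers = []
    for entry in record.get("msg_data", []):
        if isinstance(entry, dict) and entry.get("name") and "strvalue" in entry:
            vendor[entry["name"]] = entry["strvalue"]
        else:
            leftovers.append(entry)
    out["imperva"] = vendor
    if leftovers:
        out["msg_data"] = leftovers
    return out


def lookup(record, dotted):
    """Resolve a period-separated path such as 'imperva.src' against a nested record."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


if __name__ == "__main__":
    new = imperva_flatten(OLD_RECORD)
    print(lookup(new, "imperva.src"), new.get("msg_data"))
```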
Added the ability to set different intervals for each content type of SentinelOne connectors. Previously, changing the interval affected all content types, requiring multiple connectors. This enhancement reduces the need for multiple configurations and simplifies management for organizations with numerous tenants. Connectors are automatically upgraded to the new format using the existing interval configured.
Enabled the ability to bulk test connectors, which means you can select multiple connectors and test them simultaneously through the Stellar Cyber UI. This enhancement improves efficiency for large-scale connector verification.
Revised the handling of "internal developer error metrics" across all connectors by changing HTTP 400 error codes to HTTP 460. This helps differentiate developer-specific messages from standard error responses. This adjustment aims to ensure clear diagnostics while preventing confusion with standard HTTP codes.
Ported AWS CloudTrail detection logic to support logs collected through the S3 Generic connector.
Enhanced the Microsoft Entra ID connector to extract the userAgent field from the additionalInfo attribute in azure_ad_risk_detection events. This enables better insights into the typical device usage patterns of users during risk detection processes. The change includes parsing additional details such as alertUrl, mitreTechniques, and riskReasons from the same attribute. Note that with this enhancement, you might see more alerts.
Extended support for GCC, GCC High, and DoD Government Plans in the Microsoft Defender for Endpoint connector. This update includes configuration UI enhancements that lets you select your subscription plan.
Updated the SentinelOne connector to include Activities logs. This update enables monitoring of critical actions such as isolated hosts, installed and uninstalled endpoints, remote shells, agent uninstalls, agent disabling, console actions, unusual login locations, and account expirations.
Updated the Office 365 connector parser to include additional fields within office365.Parameters. The new fields parsed include Identity, Trustee, AccessRights, along with a comprehensive set of parameters from mailbox and inbox rules. Both SaaS and on-premises modes have been enhanced to enrich these fields within the vendor namespace.
Parsers
New Features
Added a built-in parser for ingesting Aviatrix Firewall logs on port 5762.
Added a built-in parser for ingesting Firepower Management Center (FMC) logs on port 5759.
Added a built-in parser for ingesting Ivanti Connect Secure logs on port 5756.
Added a built-in parser for ingesting Minerva Labs (CEF) logs on port 5143.
Added a built-in parser for ingesting Ivanti Endpoint Manager logs on port 5757.
Added a built-in parser for ingesting Ahnlab Cloud Protection Platform logs on port 5755.
Added a built-in parser for ingesting LiquidFiles logs on ingestion port 5753.
Added a built-in parser for ingesting FreeRadius logs on ingestion port 5750.
Added a built-in parser for ingesting VMware NSX Edge Firewall logs on port 5758.
Added a built-in parser for ingesting Pritunl VPN logs on port 5748.
Added a built-in parser for ingesting Clavister NetWall logs on port 5760.
Added a built-in parser for ingesting Veeam backup and replication logs on port 5751.
Added a built-in parser for ingesting Winlogbeat logs in HTTP JSON format on port 5752.
Added a built-in parser for ingesting Commvault Commserve logs on port 5740.
Added a built-in parser for ingesting Efficient IP SOLIDserver logs on port 5761.
Added a built-in parser for ingesting Netgear Full Managed Switch logs on port 5749.
Added a built-in parser for ingesting Amazon Web Services WAF logs on port 5735.
HTTPJSON AWS WAF ingestion can no longer be used with the http://x.x.x.x:5200/aws_waf/ URL. The new URL is http://x.x.x.x:5200/httpjson_aws_waf/. In addition, the vendor namespace for HTTPJSON AWS WAF ingestion was changed to aws_waf.
Improvements
Improved the FireEye - CMS (CEF) ingestion to support more fields and to support logs from FireEye MPS (Malware Protection System).
Moved fields from msg_data to the vendor field and to the ad. field under the vendor field to improve the processing and organization of data in CEF format from Fortigate devices.
Improved the Epay parser to parse the fields in the Logstash header and the severity in the message section. In addition, if there isn’t a timestamp in the log message, the timestamp in the Logstash header is now used instead.
Added support for the Ahnlab Cloud Protection Platform parser to handle logs sent completely in JSON; that is, the metadata (typically found in the log header) and the event data (found in the log message) are represented as key-value pairs within a single JSON object.
Enhanced the NXLog parser to support the parsing of IPv6 addresses in Windows DNS Server logs.
Added support to the Pentera Appliance parser for different time formats. In addition to formats like 2024-10-01T16:00:30, the parser now supports timestamps like Oct 01 16:00:30.
Moved the attack_status and service_domain fields from msg_data to checkpoint in the Checkpoint Harmony Endpoint parser.
Moved fields from msg_data to the vendor field in the Aliyun parser to make them searchable.
Improved the ESET PROTECT parser to include the following enriched fields: event.severity_str, process.executable, file.hash.sha1, host.ip, event.category, event.threat.name, url, and srcip. The group_description field is now stored under the vendor namespace and enriched as tenantid, if it's a valid tenant ID. The eset.aggregate_count, eset.handled, and eset.inbound fields were converted to strings. Support for Threat_Event and other event types has been added alongside normalization for conflicting data types to improve compatibility and functionality.
Improved the Palo Alto Networks Prisma Cloud parser by extracting CVE, CVSS, and package path fields into separate fields within the vendor namespace. This modification facilitates better chart creation and vulnerability comparison, supporting use case development.
Enhanced the Aliyun parser to support more log formats. In addition to logs formatted as RFC 3164 or RFC 5424 (priority optional) + regex with JSON and key-value pairs, the Aliyun parser also supports key-value pairs with or without double pipes (||) at the start of the message. For example, both of these formats are supported: header-section - - ||key1=value1||key2=value2||key3=value3 and header-section - - key1=value1||key2=value2||key3=value3.
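The two Aliyun message shapes above differ only in the optional leading double pipe. The following added example (not Stellar Cyber's parser) shows a minimal key-value parser that accepts both, treats the header as opaque text up to the " - - " separator, and skips malformed segments instead of failing the whole line; the sample lines are constructed.

```python
"""Added example, not Stellar Cyber code: parse the Aliyun key-value message
formats described above, with or without a leading '||'. The header is treated
as opaque text up to the ' - - ' separator; sample lines are constructed."""
import re

# Non-greedy header up to the first " - - "; the remainder is the key-value body.
ALIYUN_RE = re.compile(r"^(?P<header>.*?) - - (?P<body>.*)$")


def parse_aliyun_kv(line):
    """Return {'header': str, 'fields': dict}, or None if the line lacks the separator.
    Segments without '=' or with an empty key are skipped rather than aborting."""
    m = ALIYUN_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    body = m.group("body").lstrip("|")        # optional leading "||"
    fields = {}
    for pair in body.split("||"):
        key, sep, value = pair.partition("=")
        if not sep or not key.strip():
            continue
        fields[key.strip()] = value.strip()
    return {"header": m.group("header"), "fields": fields}


# Constructed sample lines, one per supported format, plus a malformed one.
WITH_PIPES = "<134>Nov 14 10:00:00 sls-proxy aliyun - - ||src_ip=198.51.100.7||dst_port=443||action=deny"
WITHOUT_PIPES = "<134>Nov 14 10:00:00 sls-proxy aliyun - - src_ip=198.51.100.7||dst_port=443||action=deny"
MALFORMED = "<134>Nov 14 10:00:00 sls-proxy aliyun - - src_ip=198.51.100.7||garbage||=empty"

if __name__ == "__main__":
    for line in (WITH_PIPES, WITHOUT_PIPES, MALFORMED):
        print(parse_aliyun_kv(line))
```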
Enhanced the Ubiquiti parser to support custom formats and to normalize the "ubiquiti.ACTION" field to "action". Furthermore, when the value of the action is "D" or "R", then Stellar Cyber maps the value to "deny", and when it's any other value, it maps the value to "allow".
Improved the parser for Cisco ASA (Adaptive Security Appliance) to support permitted as a value for the action field and to normalize dst_service as dstport.
Updated the Sophos parser to extract additional fields from msg_data. Specifically, the parser now extracts the following fields: fw_rule_name, nat_rule_name, gw_name_request, web_policy_id, app_filter_policy_id, dst_trans_port, dst_zone_type, src_zone, src_zone_type, and dst_zone. This enhancement allows for more detailed and granular data analysis.
Improved log ingestion by the Incapsula SIEM Integration parser by normalizing these fields: sip, cpt, spt, and app to dstip, srcport, dstport, and proto respectively, if their values are valid.
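The "if their values are valid" condition is the part worth getting right: copying an unparseable port or address into a normalized field breaks downstream filters. The following added example (not Stellar Cyber's parser) applies the four Incapsula renames listed above and writes a normalized field only when the source value passes a validity check; the validity rules (IP syntax, port range 0-65535, non-empty alphanumeric protocol token) and the sample events are this example's own assumptions.

```python
"""Added example, not Stellar Cyber code: rename Incapsula SIEM fields to the
normalized names listed above, copying a value only when it is valid for the
target field. The validity rules are this example's assumptions, and the
sample events are constructed."""
import ipaddress


def _ip(v):
    return str(ipaddress.ip_address(v))      # raises ValueError on bad syntax


def _port(v):
    p = int(v)                               # raises ValueError on non-numeric input
    if not 0 <= p <= 65535:
        raise ValueError(v)
    return p


def _proto(v):
    v = str(v).strip().lower()
    if not v or not v.isalnum():
        raise ValueError(v)
    return v


# vendor field -> (normalized field, validator/converter)
INCAPSULA_MAP = {
    "sip": ("dstip", _ip),
    "cpt": ("srcport", _port),
    "spt": ("dstport", _port),
    "app": ("proto", _proto),
}


def normalize_incapsula(event):
    """Return a copy of event with normalized fields added where the vendor values
    are valid. Vendor fields are kept, and invalid values leave the normalized
    field unset instead of propagating garbage."""
    out = dict(event)
    for src, (dst, convert) in INCAPSULA_MAP.items():
        if src not in event:
            continue
        try:
            out[dst] = convert(event[src])
        except (ValueError, TypeError):
            pass
    return out


# Constructed events: one fully valid, one with every value invalid.
GOOD = {"sip": "198.51.100.7", "cpt": "51234", "spt": "443", "app": "HTTPS"}
BAD = {"sip": "not-an-ip", "cpt": "70000", "spt": "x", "app": ""}

if __name__ == "__main__":
    print(normalize_incapsula(GOOD))
    print(normalize_incapsula(BAD))
```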
Added support for the Prophaze WAF parser to handle logs whose header is in RFC 3164 format with a timestamp in RFC 5424 format and a message in JSON format.
Enhanced the ThreatLocker Zero Trust EPP parser on ingestion port 5200 to allow parsing of ThreatLocker logs formatted as JSON arrays. Stellar Cyber can now ingest multiple logs in a single batch for streamlined visibility and alert processing.
Improved log ingestion by the Aliyun parser by normalizing these fields: dstip, dstport, srcaddr, dstaddr, protocol, and ip_protocol.
Enhanced the Ubiquiti parser to include support for logs generated by EdgeRouter devices. The parser can now interpret logs where the firewall action is embedded in the payload, as well as other log attributes following the RFC3164 format.
Usability
New Features
Added Detection Management to provide customizable alert settings, real-time insights, and improved visibility for optimized threat detection. The new Detection Management interface enables enhanced control over detection rules, allowing SOC teams to streamline alert management with options to set rules to On, Off, or Silent. You can customize alert preferences across detection tiers, including Tier 1, Tier 2, Experimental, ML, and Third-Party detections. Real-time Hit Statistics offer insights into rule performance, while detailed views of Sigma Rules and data sources provide greater visibility, helping teams optimize threat detection and response.
Added the /connect/api/v1/access_token endpoint with basic authentication to the API Test Page, which is available in API Docs under the ? icon in the Stellar Cyber main menu. This way, you can generate a JWT token with basic authentication directly from the Test Page and then use that to access the rest of the API endpoints on the Test Page, providing improved visibility and accessibility for API integration and management.
Introduced a new public API endpoint at api/privilege_profile/_names to enable the retrieval of privilege profiles. This facilitates the setting of priv_profile_id for create/update user operations via the public API. The new endpoint can be accessed and tested via the API Test Page, available in version 5.3.0.
Introduced a new public API endpoint that enables the retrieval of sensor phonehome logs. This feature lets you download logs reported by sensors programmatically, facilitating enhanced monitoring and diagnostics through API calls. The new endpoint can be accessed and tested via the API Test Page, available in version 5.3.0.
Added new public API endpoints to create, modify, and delete data analyzer profiles. This enhancement lets you manage data analyzer profiles on premises, and includes the ability to add and remove connectors from profiles. You can access the new endpoints and test them on the API Test Page, available in version 5.3.0.
Added a new public API endpoint that lets you query alert types and retrieve associated key field information, as displayed in the UI. This enhancement supports better integration and usage of security alerts within third-party systems.
Improvements
Revised the warning message displayed in the Create Notification wizard of the System Action Center. It previously instructed you to configure a publicly accessible domain in the Settings page for Slack actions. This option is not available for NG-SaaS users, which made the previous warning misleading.
Resolved an issue where the System | Sensors page experienced a significant memory leak post-5.2.0 upgrade. The memory usage was excessively high, particularly in environments with 7000+ sensors, leading to sluggish and unresponsive page performance.
Implemented a warning in the Query and Filter Manager (System | Queries and Filters) that appears when you edit and save existing queries flagged for potential behavior changes. Additionally, a visual cue has been added in the Queries table to indicate which queries have this potential.
Resolved issues related to adding and removing filters on the Threat Hunting page. You should no longer encounter unexpected behavior when managing filters. Refer to the support documentation for further details.
Updated the Connector Setup UI to include a new NDR category in the category drop-down list for creating new connectors, such as ExtraHop Reveal(x) 360.
Added support for the Bahasa Indonesia language to the Stellar Cyber Platform.
A case resolution field was added to cases that lets you close a case by designating it as a False Positive, True Positive, Benign, or by leaving the resolution undesignated (None). Selected resolutions are appended to the Resolved status and are searchable in the Cases table. The field is also represented in case charts, dashboards, and reports.
Enhanced the query builder by adding the is not operator, which lets you exclude specific values from a field, and the does not contain operator, which excludes fields embedded within message data.
Added a Description field to the Automated Threat-hunting (ATH) rule interface so you can enter a note about the purpose of the playbook for future reference. This allows SOC analysts to provide context about the purpose and expected outcome of an ATH rule.
Included URLs for alerts in the Stellar Cyber UI for alert entries in scheduled alert reports (Respond | Reports | Alerts Report | Schedule). The URLs appear in a separate column labeled Alert URL in the exported file. You can either copy and paste a URL into a browser, or, if you open the CSV file in an application that converts URLs to hyperlinks, simply click a link. Either action opens the corresponding page for the alert in the Stellar Cyber UI.
Operational Notes
-
Keep in mind that the global Status filters available at the left of most Stellar Cyber tables (All Open, New, In Progress, Ignored, and Closed) apply only to security events (alerts). They do not apply to cases. You can apply Status filters to cases, too, but only from the Cases interface itself. The names of the Status filters for cases are also slightly different from those available for alerts.
-
Lookup strings for hash values should not include the SHA= or MD5= prefix. Enter these strings using just the hash value itself.
Resolved Issues
Resolved an issue where some alerts were not being assigned an alert score. This ensures all alerts will now have an associated alert score, thereby improving the efficiency of SOAR ingestion workflows.
Fixed an issue where you were unable to close alerts and received the following error: Elastic Search cluster is under high load. This issue was addressed to restore normal alert management functionality.
Resolved an issue where timestamps were not rendering correctly on the ATH Playbook page. This problem was traced to epoch timestamps from a data source missing milliseconds. This fix is also included in version 5.2.2.
Fixed an issue where the organization's domain name was inadvertently used in the notification URL, making the Public Address field in Settings ineffective. This update corrects the issue by ensuring that the domain name is skipped for on-premises deployments.
For User Login Failure Anomaly alerts, data sources that take records with login_result:uncertain into account now include those records in the original records of their alerts. Previously, excluding these records caused the number of login successes and failures displayed in the alert to differ from the original records.
Sometimes upgrades get stuck for a long time, making it difficult to diagnose what exactly the problem is. Stellar Cyber added logs to track the entry, exit, and duration of key functions, and added more debug logs to help identify problems.
Made the Severity field in the POST Case API endpoint optional instead of mandatory.
Resolved an issue where alert filter settings were lost when the alert filter interface was opened from the Event Detail action tab. Additionally, addressed a bug where the remove filter functionality in the sidebar did not work as expected.
Fixed discrepancies on the System | Software Update page. The current software version, last performed date, and pre-upgrade check date now display correct and consistent timestamps. Additionally, clarified log entries for DL upgrade attempts.
Resolved an issue where the partition size in AWS Modular Sensor deployments was not correctly allocated as initially configured. This fix ensures that the assigned partition size now matches the specified parameters, improving deployment accuracy and resource management.
Resolved an issue causing AWS modular sensors to show no activity and multiple services to stop. Logs indicated no data ingestion from syslog or traffic sources, despite network traffic to the appropriate ports. Restart commands failed to remedy the situation. Investigation revealed that the disk was full, preventing temporary file writes. Clearing disk space restored functionality, bringing the affected data plane status back online.
Implemented a change so that cases are automatically deleted when all associated alerts within the case are marked as either ignored or closed. This streamlines case management by removing clutter and ensuring that only active cases remain in the system.
Sensor profiles that included tenant names in the debug log have been updated to conceal sensitive information. The debug logs now display unique profile IDs instead of tenant names to ensure confidentiality.
Addressed an issue where Windows logs displayed inconsistent geo-location information for the same Client IP address, Source IP address, and srcip geo source. This inconsistency caused logs to alternate between locations in the United States and Bulgaria. Implemented a correction to ensure consistent and accurate geo-location data in the logs.
Resolved an issue where Include Only filters in packet receivers stopped functioning correctly after upgrading to 5.1.1. The appid was incorrectly converted, causing the packet forwarding filter to fail. This has been corrected to ensure proper filtering, allowing specific traffic types such as http and ftp to be included accurately while excluding others.
Improved sensor disk usage logging. Once disk usage exceeds 80%, a log entry is written daily to the aella_ctrl log so that Stellar Cyber can diagnose the issue.
Resolved a bug that didn't let you add custom alerts to new cases in version 5.2.0. The issue occurred due to a server error (HTTP 500) when attempting to add alerts to cases.
Some scheduled PDF reports could display incorrect values due to an issue with query retrieval timing. This problem caused inconsistencies between Visualizer and the exported reports. The issue has been fixed by ensuring that charts listen for query updates during rendering, matching the data displayed in Visualizer. Affected users should now see accurate data in their scheduled reports.
Updated the ESET Responder Webhook templates to support automatic variable replacement. The targets.devicesUuids was set to eset.source_uuid, and targets.deviceGroupsUuids was removed. Additionally, triggers.manual.expireTime was adjusted for consistency and removed from the automatic template generation. These changes ensure streamlined user interaction and better API handling.
Removed unnecessary /data_refinery API calls that were leading to 403 errors when user profiles lacked the required permissions. This improvement ensures that only essential API requests are made, thereby reducing confusion and enhancing the user experience.
Resolved the issue that caused log filters to show no hit counts despite being configured properly. This fix ensures that log filters now display hit counts accurately according to the profile configuration, which improves the reliability of log analysis.
Updated the parent_child_29 Sigma rule to reduce false positives by excluding \System32\dns.exe in image name filters.
Fixed an issue where View Assets from Usage Details on the License page opened in a new tab, while View Assets from Asset Usage opened in a pop-up panel. Both now consistently open in a pop-up panel.
The vuln_exploit_correlation alert types have original records in more than one index, so they require special handling in building the query string, index selection, and time range. Stellar Cyber addressed this with a custom original records query that checks more than one index.
Addressed an issue causing repeated false cases with a 24-hour delay in internal plaintext password detection due to an SEF bug. The ATH deduplicated alert document now correctly updates the write_time and stellar_uuid when the document is updated. This fix is also included in the patch for 5.2.0 NG environments and requires a restart of the stellar-sef service, which might result in document loss during the restart process.
Resolved an issue where absolute time ranges set when retrieving Usernames used incorrect properties, resulting in null timestamps. Implemented a fallback to the past week for such Elasticsearch requests. Added logs to track requests lacking a time range. Conducted comprehensive checks to ensure proper handling of all time range types, including relative, absolute, and daily.
An issue that could cause the ds_linux_install.sh installation script to fail on AWS Linux 2 has been resolved in release 5.3.0. You can download the updated installation script from the official release URLs for a seamless installation experience. Refer to the installation documentation for detailed instructions.
Resolved an issue where ingestion volume charts displayed incorrect, lower-than-actual volumes following the upgrade from version 5.1 to version 5.2. The regression affected license calculation accuracy by misreporting ingestion data.
Modified the License page (System | Licensing) to accurately display ingestion values less than 1GB for MSSP customers using API connector logs. Values such as 0.0019GB are shown instead of 0GB to prevent confusion and improve billing clarity.
Fixed an issue where ATH rule "Create time" column displayed erroneous future dates. The dates now correctly reflect the actual creation time of the ATH rules, improving data accuracy.
Resolved an issue where a user-created case was accessible even though it had a Global Case Score below the minimum setting. It was clarified that global settings only apply to system-generated cases. Additionally, the case did not contain an alert due to potential alert purging based on timestamp.
Fixed an issue where the modified timestamp of a case fetched via the API did not reflect the latest update. The modified timestamp now accurately represents the most recent changes made to a case. This includes updates such as adding new alerts or score modifications.
Resolved an issue where the Linux Server Sensor was mistakenly generating Uncommon Process Anomaly alerts for its internal processes, specifically aella_phonehome and aella_gettech.
Resolved an issue where attempting to add a new Active Directory connector resulted in a Bad request error with status code 400, and a repeated Cannot get connector configuration message. The problem was identified to be related to DS/DP configuration synchronization. After synchronization, the error was no longer observed.
Resolved an issue affecting the installation of the Linux Server Sensor on some Amazon Linux 2 instances. The installation now properly handles the /etc/redhat-release symlink, ensuring seamless deployment.
The Server Sensor upgrade no longer touches services that might have been installed by users, such as td-agent or maltrace.etc.
Verified that the Server Sensor OpenSSL usage was not vulnerable to CVE-2022-2068 or CVE-2022-1292, because the c_rehash script was not in use. Other identified CVEs were linked to binaries in /opt/aella/lib/libbak, which are not used by the Server Sensor. To address potential concerns, the directory has been removed.
Resolved an issue where sensors experienced reboots and failed reconnection caused by time synchronization errors. This fix prevents time jumps that affected heartbeat code.
Addressed an issue where the aella_ctrl_win_srv.exe process on the Windows Server sensor was repeatedly trying to connect to TCP port 5601, conflicting with existing services on the host. Investigation revealed that filebeat was using port 5601 even when its service was not enabled. Updated the logic for aella_ctrl to prevent unnecessary connections to port 5601.
Adjusted the fidelity scoring mechanism for Impossible Travel alerts to increase the contribution of distance and decrease the contribution of speed and crossing continental lines. This primarily affects lower fidelity alerts which now have higher fidelity scores on average.
Resolved an installation failure of the 4.3.7 Linux Server sensor on Debian 8 due to dependency issues. Starting from version 5.1.1, the Linux Server sensor package is self-contained and does not require additional package installation for Debian 8. Ensure that your environment does not block necessary dependency installations and update any expired GPG keys as needed.
Implemented improvements to reduce scheduling delays for per-tenant ATH rules with short intervals (less than five minutes). The system now uses a single parallel query instead of sequential execution, which resolves issues where queries would time out. Additionally, a new field indicates how late a rule is running, so you are aware of any remaining delays; very complex queries may still be delayed under certain conditions.
Resolved an issue where exported PDF reports (Respond | Reports) continued to show the default Stellar Cyber logo instead of custom logos set by users (System | Settings | Global Settings: System Logo). Exported reports now correctly display custom logos as configured.
Enhanced parsers so that they include URL reputation enrichment whenever the url field is present. This improvement ensures that URLs are now evaluated for reputation, providing additional context and security insights during analysis.
Fixed an incorrect normalization on the Sonicwall Firewall parser to avoid sending logs to the wrong indices.
Improved the NXlog parser to parse the Windows DNS Server logs in detail.
Improved the Zscaler ZIA firewall parser to support the KVP (key-value pair) format of logs. Added value validation for IP fields to the Zscaler ZIA firewall parser. (Invalid fields are moved into the vendor namespace.) Enhanced the parsing of the detection field so that the parser tries to normalize durationms to it first.
Added support for a new log format to the Checkpoint Firewall parser.
Corrected a typo in the OpenVPN parser. The field openvpn.detial_message has been renamed to openvpn.detail_message to ensure proper parsing of logs.
Improved the NXlog parser to correctly parse the log format, ensuring accurate and complete event descriptions.
Added support for a new log format to the Wazuh SIEM parser.
Added support for a new log format to the FireEye HX parser.
Added normalization for srcip, dstip, srcport, dstport, and proto to the HTTPJSON ECS (Elastic Compute Service) Windows parser.
The F5 BIG-IP parser was enhanced to support DNS Fast logs. This update includes additional rules and regular expressions, specifically tailored for DNS Fast logs, ensuring proper parity with the F5 log format. You can now seamlessly incorporate DNS Fast log data into your logging and analysis workflows.
Added support for a new log format to the Cisco Firepower parser.
Introduced the new FireEye - CMS (CEF) ingestion on port 5143.
Improved the Cisco ASA parser to use the standard protocol parsing process for more protocol fields.
Known Issues
-
A query might not produce consistent search results if the field is set for a time, the value includes milliseconds, and the operator is set as is or is not. Workaround: When you define a query with a time field and a value that includes milliseconds, it is not recommended to use is or is not as the operator. For more consistent search results, use one of the following operators instead: greater than, greater than or equal to, less than, less than or equal to, or in range.
-
When searching the Asset Analytics tab for an IP address, make sure you set the Search Column to Friendly Name, IP, or IP History. Searches for IP addresses with the Search column set to its default value of All don't work correctly. This will be fixed in a later release.
-
The Cylance responder is unable to perform the Contain Host action due to a limitation in the Cylance REST API. All requests return a 500 Internal Server error response.
-
Stellar Cyber recommends that you do not use the same login credentials to configure Azure or Azure Active Directory connectors for multiple tenants in the same company.
-
Windows Server Sensor installation can trigger the installation of Microsoft Visual C++ on the host machine if it isn't installed already. If the installation of Visual C++ fails, the Windows Server Sensor might not be able to decode the token used to authorize and configure its installation, leaving it unable to register with stellarcyber.cloud. If this happens, use the following steps to proceed:
-
Update and restart the host Windows machine to repair the Microsoft Visual C++ installation.
-
Either reinstall the Windows Server Sensor or use the set token command in the Sensor CLI to authorize and configure the existing installation.
-
The Log Forwarder only collects statistics for up to 100 different log source IP addresses per Log Forwarder worker. If the total number of log source IP addresses exceeds 100, statistics for the additional log source IP addresses are aggregated into the catch-all IP address of 0.0.0.0.
-
When multiple traffic filters are defined for a tenant with the same combination of IP address, port, protocol, and layer 7 rules, the filter might fail to take effect. If this happens, review the defined traffic filters and make sure there are no duplicate definitions.
-
If you change the network interface configuration of a sensor VM after deployment, the eth0 interface might be remapped to a new interface. If this happens, the management network is disconnected. Contact Stellar Cyber Customer Success for assistance.
-
The Sensor content type for the Cybereason connector requires the System Admin role and Sensor Admin L1 role (if your Cybereason environment uses sensor grouping) to collect.
-
Due to an ongoing issue with the Cybereason Query Sensors API, the Cybereason connector might not always be able to retrieve host IP addresses, resulting in missing host information in alerts and incomplete case correlation.
-
When a new tenant is onboarded, the rare-type alerts (anomaly_tag:rare) triggered from Private/Public to Private/Public Exploit Anomaly, Scanner Reputation Anomaly, External / Internal Non-Standard Port Anomaly, Carbon Black:XDR Anomaly, and CylanceOPTICS:XDR Anomaly may have an unusually large days_silent and a higher than usual fidelity. This issue will be addressed in a future release.
-
If you use a Cynet connector to perform a Contain Host or Shutdown Host on a host that is already disabled, shutdown, or otherwise not reachable, Cynet returns a status that the request was successful which is reported in the Stellar Cyber UI. If you are not certain whether an action was successful, you may verify it in the Cynet dashboard.
-
Operators are enabled in pick list menus when they are supported with the selected field or rule. For this reason, use the menu-based queries rather than the Search keyword field with these operators. Examples include contains, does not contain, and is operators. Additional fields/rule support will be added in the future.
-
Log Forwarder only collects statistics for limited different log source IP addresses per Log Forwarder worker. If the total number of log source IP addresses exceeds the limit, the additional log source IP address statistics will be aggregated into a catch-all IP address of 0.0.0.0. Note: In releases prior to 5.1.1, the limit had been 100 sensors, but it was increased to 200 sensors with more than 8 GB of memory in the 5.1.1 release.
-
When a modular sensor is configured as a Log Forwarder-only sensor (Network Traffic and other features are not enabled), the Log Forwarder might periodically restart if there isn't enough sensor memory. Stellar Cyber recommends that the sensor memory (in GB) be at least 1.5 times the CPU core number. For example, if the sensor has a total of 8 cores, the sensor should have at least 8 * 1.5 = 12 GB of memory.
-
A modular sensor upgrade will fail when the associated modular sensor profile has the IDS or Sandbox features enabled and the corresponding feature license is not assigned to the sensor. Workaround: Authorize the sensor with an IDS and Sandbox license, or in the modular sensor profile, disable the IDS and the Sandbox features and try to upgrade again.
-
When multiple traffic filters in different tenants are defined with the same combination of IP, port, protocol, and layer 7 rules, the sensor only takes the filter belonging to the same tenant with the sensor and ignores the others. Administrators should review the defined traffic filters and avoid creating duplicate definitions.
-
Files might not be assembled by Security Data Sensors for traffic mirrored from physical interfaces on Cisco Nexus 9K models. As a workaround, configure VLAN mirroring on the Cisco switch.
-
If you configure a sensor aggregator using its hostname instead of its IP address, you cannot see the aggregator in the Sensor List. This does not affect the sensor's ability to communicate with the DP through the aggregator.
-
Deleting Elasticsearch data from the Root Tenant in the System | Data Management | Advanced tab deletes data from sub-tenants as well.
Upgrading the Stellar Cyber Platform
You can upgrade the Stellar Cyber Platform from 4.3.7 or later to 5.3.0. You must:
-
Prepare for the upgrade
-
Upgrade the Stellar Cyber Platform to 5.3.0
-
Upgrade the sensors
-
Verify the upgrade
For more detailed instructions, refer to Upgrading Software.
Prepare for the Upgrade
To prepare for the upgrade:
- Back up the data and configuration
- Make sure the sensors are up and running
- Take note of the ingestion rate
- Take note of the number of alerts
- Make sure the system health indicator shows
- Run the pre-upgrade check
Upgrade the Stellar Cyber Platform to 5.3.0
-
Select Admin | Software Upgrade.
-
Choose 5.3.0.
-
Select Start Upgrade.
Upgrade the Sensors
New features, updated ML algorithms, and enhanced configurations may change ingestion and detection patterns. We recommend the following to ensure a smooth upgrade:
- Upgrade sensors with the Sandbox and IDS features enabled before sensors with only the Network Traffic feature enabled. Sensors with Network Traffic enabled send data to sensors with Sandbox and IDS enabled for additional processing.
- Upgrade sensors in batches instead of all at once.
- For server sensors (agents):
- Upgrade a small set of sensors that cover non-critical assets.
- After 24 hours, ensure that your ingestion is as expected, then upgrade a larger set.
- After 24 hours, ensure that your ingestion is as expected, then upgrade the remaining server sensors.
- Windows Server Sensors running 5.1.0 do not support sensor profiles that contain Unicode text, but Windows Server Sensors running 5.1.1 or later do. If you want to use Unicode in your sensor profiles, upgrade to 5.1.1 or later before downloading any profiles with Unicode to your Windows Server Sensors.
To upgrade Linux or Windows Server Sensors:
If you are upgrading a Windows Server Sensor, complete any pending updates for the host Windows machine before upgrading the Server Sensor.
-
Select System | Sensors.
The Data Sensor List appears.
-
Select Software Upgrade in the Manage dropdown.
The Data Sensor Software Upgrade page appears.
-
Choose the target software version.
-
Choose the target sensors.
-
Submit.
Verify the Upgrade
To verify that the upgrade was successful:
- Check the Current Software Version on the Admin | Software Upgrade page.
- Make sure the sensors are up and running.
- Check the ingestion rate and make sure it is as expected.
- Check the number of alerts and make sure it is as expected.
- Check the system health indicator:
- indicates a perfectly healthy system.
- indicates minor issues. Monitor the system for 30 minutes. If the issues remain, investigate further.
- indicates major issues. Contact Technical Support.