Stellar Cyber 5.3.0 Release Notes

Integrated third-party alert functionality for ESET Protect. This allows ESET alerts and case correlations to be visualized within the Stellar Cyber platform.

Sensor status monitoring for Windows agents has been upgraded to handle some issues with incorrect status reporting. In particular, sensors will be considered as disconnected if they stop reporting a connected status, even if they don't report a disconnected status, and alerts will now include whether or not the sensor has been sending data. Additionally, status records for these sensors will be written to the syslog index with msg_origin.source:sensor_status_monitoring.

Introduced a new set of cloud observables in Case Management Analysis tab to support correlations of alerts from Microsoft Defender for Cloud into cases. This feature enriches the existing set of observables, enabling seamless integrations of cloud security products.

Enhanced the priority list for Microsoft case correlation on user-related key fields, ensuring better case correlation across Microsoft products. This change prioritizes user “user.name“ over “srcip_username“ to correlate user entities across three Microsoft products (Office 365, Microsoft Entra ID (formerly Azure AD), and Microsoft Defender for Cloud Apps), maintaining consistency in case correlation behavior for other products and ingested events.

Improved user account filtering from Office 365 and Google Workspace for entity licensing. The change improves the explanation of entity licensing through removing user accounts that likely do not belong to the user’s Office 365/Google Workspace subscription.

Enhanced the Original Records feature to enable querying and retrieving actual raw events that trigger Microsoft 365 alerts. This improvement aids in providing more accurate data for customers' investigation workflows by leveraging specific queries appropriate to the alert types from Microsoft 365.

Resolved an issue where the Office 365 user deletion alert was incorrectly triggered by duplicated entries in the Target field, causing false positives for single user deletions.

There are 6 new rulesets available to use. The new rulesets need to be selected in the sensor profile in order to apply to the sensors. The new rulesets are:

• adware_pup.rules
• coinminer.rules
• exploit_kit.rules
• hunting.rules
• ja3.rules
• phishing.rules

The trojan.rulesfield will be mostly merged into malware.rules. Due to this change, alerts previously triggered under the Internal / External Trojan alert type will now be triggered under the Internal / External Other Malware alert type.

For each asset in entity licensing, added hostnames (when available) to the record on top of the IP address to make it easier for the user to understand the legitimacy of the asset.

Enhanced the username and source/destination IP normalization on Microsoft products, which includes Microsoft Defender for Cloud Apps, Microsoft Entra ID (formerly Azure AD), and Microsoft 365 (Office 365). The new normalization field on username and event source/destination IP now includes user.name, user.id, srcip, srcip_username, srcip_usersid, srcip_host, and dstip_host if there is this information in the ingested Microsoft event data. This improvement allows us to better correlate alerts from different Microsoft products but with same user ID/username.

The rule, process_creation_commandline_106, is updated to the latest version in SigmaHQ. The updates include changes to the title, description, detection logic, and severity.

The Login Time Anomaly alert type now queries for records by write_time rather than timestamp, which improves coverage by negating the impact of ingestion delays for certain data sources.

Added srcip2_type, srcip2_version, and engid_gateway2 to the Impossible Travel Anomaly alert type to indicate the source IP address type, version, and gateway in the previous login event, enhancing the ability to filter and search based on private IP addresses.

The alert deduplication mechanism has been improved to better filter out duplicate or outdated alerts triggered by status changes in third-party products. This enhancement currently applies only to integrations with SentinelOne and CrowdStrike alerts.

Integrated Microsoft Sentinel incident alerts to leverage customer investments of Microsoft Sentinel Incidents in Stellar Cyber.

Note:
1. The integration focuses exclusively on Microsoft Sentinel Incident data.
2. It only supports data transferred through Azure Event Hub.

Alert Format:
The alert type has the following format:
"Microsoft Sentinel Incident: {microsoft_sentinel.Title}"

Example:
"Microsoft Sentinel Incident: 'Kekeo' malware was detected."

Updated the table on System | Detection Management to display the type of each detection: ML (Machine Learning), RULE (rule-based detections, which include Sigma rules and analytics rules), or 3rd party (detections learned from third-party integrations).

Supplemented the existing query and alert filter builders on feature pages throughout the Stellar Cyber UI with the Query and Filter Manager, a new, unified interface for creating and testing queries and creating alert filters. You can now create queries and alert filters through a cohesive experience.

Improved the Stellar Cyber Chat interface to support multiple languages. You can use the Language drop-down list at the bottom of theStellar Cyber Chat window to change the language Stellar Cyber Chat uses to answer questions. Stellar Cyber Chat usually recognizes the language you use to ask a question regardless of the setting of the Language drop-down. However, the chatbot only answers in the language specified by the drop-down.

Whether you intend to offboard a tenant (System | Tenants | Delete icon) or continue using a tenant (System | Data Management), you can choose the database indices from which to purge tenant data: Records, Assets, Users (asset users), and Cases.

Implemented a feature to identify users who deleted files and folders in Windows File Integrity Monitoring (FIM). This requires correlating FIM events with Windows audit events 4663 and 4656. You need to enable Object Access Auditing and create audit rules on the Windows server for targeted files and folders. The system enriches FIM records with user information from audit logs, providing enhanced details for threat hunting and compliance reports.

The import task time range has been extended from 720 hours (30 days) to 744 hours (31 days). This enhancement allows for the import of cold data for a full month, including longer months.

The delay for the threat_syn_flood rule was reduced from 240 minutes to 5 minutes. The rule now queries based on write_time instead of timestamp, ensuring a more efficient process with a maximum of 10-minute delay after the original document is written to Elasticsearch. Similar adjustments were made for the following rules: external_ssh_success_brute_forcer (30 minutes), internal_ssh_success_brute_forcer (35 minutes), external_cloud_success_brute_forcer (30 minutes), and internal_cloud_success_brute_forcer (35 minutes).

For the Bad Reputation Login rule, the field srcip_reputation's value may be empty. When the field has a value, it is now included in the description.

If the field is available, the xdr_event.description for the alert created by this rule is as follows:

The account {{SRCIP_USER}} logged on from a suspicious machine ({{SOURCE_HOST}}) that has a reputation category of {{srcip_reputation}}.

Otherwise, it will appear as follows:

The account {{SRCIP_USER}} logged on from a suspicious machine ({{SOURCE_HOST}}).

Updated the Threat Hunting correlation interface to enhance the time range selection. The adjustment includes a more intuitive correlation time switch, an optimized user workflow, and increased efficiency. Changes span across multiple files, refining both the UI and underlying logic.

The enrichment of detected_values for alert records has been removed, optimizing the handling process. The UI now exclusively uses detected_fields to query original documents, supporting period-separated nested values (for example, dns.question.registered_domain). If a field has no value, it is simply ignored during processing. This change improves code efficiency and robustness.

Fixed an issue where switching the global tenant filter caused log filters for other tenants to display on the sensor overview page and prevented profile edits when tenant filters were present. The Sensor Profile column is now disabled in the tenant view to align with related edit/delete behaviors.

When Stellar Cyber sends an email message with a file attachment that is too large for email servers to forward, the message that appears when you select Respond | Automation and then … | Last Status for one of the Automated Threat Hunting playbooks was unclear. The revised message more clearly states the situation: Attachment too large (Email server returned 500, message: None), sent without interflow attachment ( sent to: user@domain.name ). In addition, the Executed successfully field shows a red x to indicate no attachment was included.

Asset updates do not occur immediately and are performed asynchronously in the background. To track the progress of asset updates you have initiated, you can now refer to the Task List in the UI.

Resolved an issue where only one calculation CSV was sent in an email when multiple calculations were configured. Now, emails correctly send all calculation results. If multiple calculations are configured, multiple CSV files are sent.

Login email addresses are now case insensitive, improving usability. This change necessitates handling duplicate emails as was previously documented in the 5.1.1 release notes. Usernames with “@” are not supported for login; email addresses must be used instead.

Enhanced the Linux Server Sensor to support installation in Kali Linux 2023.4, Rocky Linux 9, Oracle Linux 8.6, Oracle L Linux 8.8, SUSE 12 SP5, and SUSE 15 SP5.

Added ability to toggle Network Traffic analysis (aella_flow) on and off in the Sensor Profile for Linux-based sensors. With Network Traffic disabled, the sensor operates as a Log Forwarder. None of the other features in the Network tab are available for selection or configuration. In addition:

• Malware Sandbox is disabled in the Sensor tab.

• IDPS is disabled in the Sensor tab.

When disabling Network Traffic, a dialog prompts you to decide whether to clean buffered data, allowing for more control over sensor configurations.

Enhanced the Linux Server Sensor installation script to support configuration of the tenant ID together with the address of the managing Stellar Cyber platform. This update lets users specify both the managing platform IP/hostname and the tenant ID using command line arguments, streamlining the server sensor deployment process.

The show logforwarder CLI command now shows whether the Log Forwarder | HTTP JSON Parser feature is enabled in the sensor's profile. The command add the status of the HTTP JSON Parser setting to existing log forwarding details, such as Syslog TLS and Raw Log Capture. This enhancement helps users easily determine the status of the HTTP JSON Parser feature on the sensor without additional steps.

After applying Windows updates, there was an issue where the Windows Server Sensor stopped collecting Security-Audit logs until the aella_winlog service was restarted. Resolved this by implementing a mechanism to handle errors more gracefully, ensuring continuous log collection.

Previously, a Windows server sensor would check available disk space and return an error if the disk did not have at least the estimated minimum disk space required. The estimation technique was unreliable given the vast number of different server workloads and log generation rates. This disk space check has been removed and Stellar Cyber encourages you to set log rotation policies that are appropriate for the log volume of your use cases.

Resolved an issue where DPDK failed to run on new Ubuntu 22.04 modular sensors. Updated the sensor configuration to default to AF_PACKET instead of DPDK due to kernel module version mismatches. DPDK-compatible NICs were not found, resulting in fallback to AF_PACKET. Verified that aella_flow can run with AF_PACKET without significant performance loss.

The Amazon Security Lake connector was updated to support OCSF 1.1. The update includes the deprecation of the security finding event class in favor of specific classes such as Vulnerability Finding, Compliance Finding, Detection Finding, and Incident Finding. Table names in Security Lake now include versioning (for example, 2_0). Additionally, new partitions are utilized in Security Lake buckets for version 2.0, and native support for WAF logs and EKS Audit logs has been added. Integration queries must be updated to utilize these changes.

Implemented normalization for events coming through Azure Event Hub from Microsoft Sentinel. The data normalization rules were developed in collaboration with both the Machine Learning team and customer feedback. This ensures consistent and accurate categorization of log data from Azure Event Hub providing logs from Microsoft Sentinel and Microsoft Defender for Cloud sources. Users can configure this in the Event Source settings in the UI, and Stellar Cyber will automatically apply the appropriate parsing rules based on source system attributes.

Due to the data that is from Event Hub, Stellar Cyber only filters the incident data and some native alerts generated by Microsoft Sentinel. For alerts generated from other data sources, Stellar Cyber cannot filter them from the Event Hub data flow.

Added integration with Armis Threat Detection, enabling SOC analysts to work on alerts and monitor IoT environments.

A new ExtraHop connector was implement to support the Reveal(x) 360 appliance.

Added support for the Cynet connector to pull Hosts, Alerts, and Audit Logs. This integration facilitates improved data management and alerting for MSSP partners.

Integrated the 1Password connector, leveraging the Events API to ingest data. This allows 1Password Business customers to send audit events, item usage events, and sign-in attempts directly to Stellar Cyber. Data retrieved via the REST API includes detailed logs about account activities and usage, which can be integrated into SIEM tools for security monitoring and analysis.

All fields in office365.Data have been parsed to support additional SOC use cases. The parsed fields are now available under office365.Data_obj.

Enrichment functionality for ingested ExtraHop Reveal(x) 360 detection events was enhanced with additional IP address enrichment capabilities.

The Hillstone connector was updated to correctly handle login and API requests by ensuring proper encoding for the username and handling of additional cookie fields. Previous connector versions were not compatible with changes in the Hillstone API, as observed during tests. The connector now supports both older and newer Hillstone versions by enriching error handling and encoding mechanisms.

Support for MSGTYPE 99 emission has been added for Trellix MVISION devices. This update includes normalizations for srcip, srcmac, and srcip_host. Devices are now ingested correctly, ensuring accurate data capture and processing.

The Cisco Umbrella connector has been relocated from the Web Security category to the DNS Security category. Existing configurations will automatically reflect this change, and new connectors will now appear under the DNS Security dropdown during configuration.

A configuration option was added to the Universal Webhook Responder enabling users to disable SSL certificate verification on a per connector basis. This feature is useful for environments using self-signed certificates, lab setups for testing, or as a workaround for wildcard certificates, and aims to enhance flexibility while maintaining security.

The SentinelOne Test button was updated to emit error logs and results instead of discarding them. Enhanced logging was implemented to log both outcomes and exceptions, providing users with detailed error messages. The function now properly processes various content types and handles exceptions, ensuring more informative feedback for troubleshooting.

Imperva Web Application Firewall (WAF) log format was updated such that all fields now exist under the vendor namespace (imperva). Data previously present under msg_data that had the format

have now been updated to have the typical format of imperva.<name>: <value>.

Users can now set different intervals for each content type of SentinelOne connectors. Previously, changing the interval affected all content types, requiring multiple connectors. This enhancement reduces the need for multiple configurations and simplifies management for organizations with numerous tenants. Connectors are automatically upgraded to the new format using the existing interval configured.

Enabled bulk testing of connectors, which means you can now select multiple connectors and test them simultaneously via the UI. This enhancement improves efficiency for large-scale connector verification.

Revised the handling of "internal developer error metrics" across all connectors by changing HTTP 400 error codes to HTTP 460. This helps differentiate developer-specific messages from standard error responses. This adjustment aims to ensure clear diagnostics while preventing confusion with standard HTTP codes.

The AWS CloudTrail detection logic has been ported to support logs collected via the S3 Generic connector.

Microsoft Entra ID connector was enhanced to extract the userAgent field from the additionalInfo attribute in azure_ad_risk_detection events. This enables better insights into the typical device usage patterns of users during risk detection processes. The change includes parsing additional details such as alertUrl, mitreTechniques, and riskReasons from the same attribute. With this enhancement, you may see more alerts.

Extended support for GCC, GCC High, and DoD Government Plans in the Microsoft Defender for Endpoint connector. This update includes configuration UI enhancements to allow users to select their Subscription Plan.

The SentinelOne connector was updated to include Activities logs. This update enables monitoring of critical actions such as isolated hosts, installed and uninstalled endpoints, remote shells, agent uninstalls, agent disabling, console actions, unusual login locations, and account expirations.

The Office 365 connector parser was updated to include additional fields within office365.Parameters. The new fields parsed include Identity, Trustee, AccessRights, along with a comprehensive set of parameters from mailbox and inbox rules. Both SaaS and on-premises modes have been enhanced to enrich these fields within the vendor namespace.

Added a built-in parser for ingesting Aviatrix Firewall logs on port 5762.

Added a built-in parser for ingesting Firepower Management Center (FMC) logs on port 5759.

Added a built-in parser for ingesting Ivanti Connect Secure logs on port 5756.

Added a built-in parser for ingesting Minerva Labs (CEF) logs on port 5143.

Added a built-in parser for ingesting Ivanti Endpoint Manager logs on port 5757.

Added a built-in parser for ingesting Ahnlab Cloud Protection Platform logs on port 5755.

Added a built-in parser for ingesting LiquidFiles logs on ingestion port 5753.

Added a built-in parser for ingesting FreeRadius logs on ingestion port 5750.

Added a built-in parser for ingesting VMware NSX Edge Firewall logs on port 5758.

Added a built-in parser for ingesting Pritunl VPN logs on port 5748.

Added a built-in parser for ingesting Clavister NetWall logs on port 5760.

Added a builit-in parser for ingesting Veeam backup and replication logs on port 5751.

Added a built-in parser for ingesting Winlogbeat logs in HTTP JSON format on port 5752.

Added a built-in parser for ingesting Commenvault Commserve logs on port 5740.

Added a built-in parser for ingesting Efficient IP SOLIDserver logs on port 5761.

Added a built-in parser for ingesting Netgear Full Managed Switch logs on port 5749.

Added a built-in parser for ingesting Amazon Web Services WAF logs on port 5735.

HTTPJSON AWS WAF ingestion can no longer be used with the http://x.x.x.x:5200/aws_waf/ URL. The new URL is http://x.x.x.x:5200/httpjson_aws_waf/. In addition, the vendor namespace for HTTPJSON AWS WAF ingestion was changed to aws_waf.

Improved the FireEye - CMS (CEF) ingestion to support more fields and to support logs from FireEye MPS (Malware Protection System).

Moved fields from msg_data to the vendor field and to the ad. field under the vendor field to improve the processing and organization of data in CEF format from Fortigate devices.

Improved the Epay parser to parse the fields in the Logstash header and the severity in the message section. In addition, if there isn’t a timestamp in the log message, the timestamp in the Logstash header is now used instead.

Added support for the Ahnlab Cloud Protection Platform parser to handle logs sent completely in JSON; that is, the metadata (typically found in the log header) and the event data (found in the log message) are represented as key-value pairs within a single JSON object.

Enhanced the NXLog parser to support the parsing of IPv6 addresses in Windows DNS Server logs.

Added support to the Pentera Appliance parser for different time formats. In addition to formats like 2024-10-01T16:00:30, the parser now supports timestamps like Oct 01 16:00:30.

Moved the attack_status and service_domain fields from msg_data to checkpoint in the Checkpoint Harmony Endpoint parser.

Moved fields from msg_data to the vendor field in the Aliyun parser to make them searchable.

Improved the ESET PROTECT parser to include the following enriched fields: event.severity_str, process.executable, file.hash.sha1, host.ip, event.category, event.threat.name, url, and srcip. The group_description field is now stored under the vendor namespace and enriched as tenantid, if it's a valid tenant ID. The eset.aggregate_count, eset.handled, and eset.inbound fields were converted to strings. Support for Threat_Event and other event types has been added alongside normalization for conflicting data types to improve compatibility and functionality.

Improved the Palo Alto Networks Prisma Cloud parser by extracting CVE, CVSS, and package path fields into separate fields within the vendor namespace. This modification facilitates better chart creation and vulnerability comparison, supporting use case development.

Enhanced the Aliyun parser to support more log formats. In addition to logs formatted as RFC 3164 or RFC 5424 (priority optional) + regex with JSON and key-value pairs, the Aliyun parser also supports key-value pairs with or without double pipes ( || ) at the start of the message. For example, both of these formats are supported: header-section - - ||key1=value1||key2=value2||key3=value3 and header-section - - key1=value1||key2=value2||key3=value3

Enhanced the Ubiquiti parser to support custom formats and to normalize the "ubiquiti.ACTION" field to "action". Furthermore, when the value of the action is "D" or "R", then Stellar Cyber maps the value to "deny", and when it's any other value, it maps the value to "allow".

Improved the parser for Cisco ASA (Adaptive Security Appliance) to support permitted as a value for the action field and to normalize dst_service as dstport.

Updated the Sophos parser to extract additional fields from msg_data . Specifically, the parser now extracts the following fields: fw_rule_name, nat_rule_name, gw_name_request, web_policy_id, app_filter_policy_id, dst_trans_port, dst_zone_type, src_zone, src_zone_type, and dst_zone. This enhancement allows for more detailed and granular data analysis.

Improved log ingestion by the Incapsula SIEM Integration parser by normalizing these fields: sip, cpt, spt, and app to dstip, srcport, dstport, and proto respectively, if their values are valid.

Added support for the Prophaze WAF parser to handle logs whose header is in RFC 3164 format with a timestamp in RFC 5424 format and a message in JSON format.

Enhanced the ThreatLocker Zero Trust EPP parser on ingestion port 5200 to allow parsing of ThreatLocker logs formatted as JSON arrays. Stellar Cyber can now ingest multiple logs in a single batch for streamlined visibility and alert processing.

Improved log ingestion by the Aliyun parser by normalizing these fields: dstip, dstport, srcaddr, dstaddr, protocol, and ip_protocol.

Enhanced the Ubiquiti parser to include support for logs generated by EdgeRouter devices. The parser can now interpret logs where the firewall action is embedded in the payload, as well as other log attributes following the RFC3164 format.

The new Detection Management interface in Stellar Cyber Open XDR 5.3.0 provides enhanced control over detection rules, enabling SOC teams to streamline alert management with options to set rules to On, Off, or Silent. Users can customize alert preferences across detection tiers, including Tier 1, Tier 2, Experimental, ML, and Third-Party detections. Real-time Hit Statistics offer insights into rule performance, while detailed views of Sigma Rules and data sources provide greater visibility, helping teams optimize threat detection and response.

The API Test Page available under the ? icon in the Stellar Cyber main menu, now includes the /connect/api/v1/access_token endpoint with basic authentication. This way, you can generate a JWT token with basic authentication directly from the Test Page and then use that to access the rest of the API endpoints in the Test Page, providing improved visibility and accessibility for API integration and management.

Introduced a new public API endpoint at api/privilege_profile/_names to enable the retrieval of privilege profiles. This facilitates the setting of priv_profile_id for create/update user operations via the public API. The new endpoint can be accessed and tested via the API Test Page, available in version 5.3.0.

Introduced a new public API endpoint that enables the retrieval of sensor phonehome logs. This feature allows users to download logs reported by sensors programmatically, facilitating enhanced monitoring and diagnostics through API calls. The new endpoint can be accessed and tested via the API Test Page, available in version 5.3.0.

Added new public API endpoints to create, modify, and delete data analyzer profiles. This enhancement allows customers to manage their data analyzer profiles on-premise, including adding or removing connectors. The new endpoints can be accessed and tested via the API Test Page, available in version 5.3.0.

Added a new public API endpoint that lets customers query alert types and retrieve associated key field information, as displayed in the UI. This enhancement supports better integration and usage of security alerts within third-party systems.

The warning message displayed in the Create Notification wizard of the System Action Center has been revised. It previously instructed users to configure a publicly accessible domain in the Settings page for Slack actions. This option is not available for NG-SaaS users, making the previous warning misleading.

Resolved an issue where the System | Sensors page experienced a significant memory leak post-5.2.0 upgrade. The memory usage was excessively high, particularly in environments with 7000+ sensors, leading to sluggish and unresponsive page performance.

Implemented a warning in the Query and Filter Manager (System | Queries and Filters) that appears when you edit and save existing queries flagged for potential behavior changes. Additionally, a visual cue has been added in the Queries table to indicate which queries have this potential.

Resolved issues related to adding and removing filters on the Threat Hunting page. Users should no longer encounter unexpected behavior when managing filters. Refer to the support documentation for further details.

The Connector Setup UI has been updated to include a new NDR category in the category dropdown list for creating new connectors, such as ExtraHop Reveal(x) 360.

Added support for the Bahasa Indonesia language to the platform.

A case resolution field was added to cases allowing users closing a case to designate it as a False Positive, True Positive, Benign, or to leave the resolution undesignated (None). Selected resolutions are appended to the Resolved status and are searchable in the Cases table. The field is also represented in case charts, dashboards, and reports.

Enhanced the query builder by adding the is not operator, which lets users exclude specific values from a field, and the does not contain operator, which excludes fields embedded within message data.

Added a Description field to the Automated Threat-hunting (ATH) rule interface so you can enter a note about the purpose of the playbook for future reference. This allows SOC analysts to provide context about the purpose and expected outcome of an ATH rule.

Included URLs for alerts in the Stellar Cyber UI for alert entries in scheduled alert reports (Respond | Reports | Alerts Report | Schedule). The URLs appear in a separate column labeled Alert URL in the exported file. You can either copy and paste a URL into a browser, or, if you open the CSV file in an application that converts URLs to hyperlinks, simply click a link. Either action opens the corresponding page for the alert in the Stellar Cyber UI.

Resolved an issue where some alerts were not being assigned an alert score. This ensures all alerts will now have an associated alert score, thereby improving the efficiency of SOAR ingestion workflows.

Fixed an issue where users were unable to close alerts and received the following error: Elastic Search cluster is under high load. This issue was addressed to restore normal alert management functionality.

Resolved an issue where timestamps were not rendering correctly on the ATH Playbook page. This problem was traced to epoch timestamps from a data source missing milliseconds. This fix is also included in version 5.2.2.

Inadvertently used the domain name of the organization in the notification URL, causing the Public Address field in Settings to be ineffective. This update corrects the issue by ensuring that the domain name is skipped for on-premises deployments.

For User Login Failure Anomaly alerts, data sources that consider records with login_result:uncertain now include them in the original records of their alerts. Previously, the exclusion of these records caused an inconsistency in the number of login successes and failures as displayed in the alert versus the original records.

Sometimes upgrades get stuck for a long time, making it difficult to diagnose what exactly is the problem. Stellar Cyber added additional logs to track the entry/exit/duration of key functions and also added more debug logs to help identify problems better.

The Severity field in the POST Case API endpoint is now optional instead of mandatory.

Resolved an issue where alert filter settings were lost when the alert filter interface was opened from the Event Detail action tab. Additionally, addressed a bug where the remove filter functionality in the sidebar did not work as expected.

Fixed discrepancies on the System | Software Update page. The current software version, last performed date, and pre-upgrade check date now display correct and consistent timestamps. Additionally, clarified log entries for DL upgrade attempts.

Resolved an issue where the partition size in AWS Modular Sensor deployments was not correctly allocated as initially configured. This fix ensures that the assigned partition size now matches the specified parameters, improving deployment accuracy and resource management.

Resolved an issue causing AWS modular sensors to show no activity and multiple services to stop. Logs indicated no data ingestion from syslog or traffic sources, despite network traffic to the appropriate ports. Restart commands failed to remedy the situation. Investigation revealed that the disk was full, preventing temporary file writes. Clearing disk space restored functionality, bringing the affected data plane status back online.

Implemented a change where cases were automatically deleted when all associated alerts within the case were marked as either ignored or closed. This streamlines case management by removing clutter and ensuring that only active cases remain in the system.

Sensor profiles that included tenant names in the debug log have been updated to conceal sensitive information. The debug logs now display unique profile IDs instead of tenant names to ensure confidentiality.

Addressed an issue where Windows logs displayed inconsistent geo-location information for the same Client IP address, Source IP address, and srcip geo source. This inconsistency was causing logs to alternate between locations in the United States and Bulgaria. Implemented a correction to improve consistency and accurate geo-location data in the logs.

Resolved an issue where Include Only filters in packet receivers stopped functioning correctly after upgrading to 5.1.1. The appid was incorrectly converted, causing the packet forwarding filter to fail. This has been corrected to ensure proper filtering, allowing specific traffic types such as http and ftp to be included accurately while excluding others.

Improved sensor disk usage logging. Once the disk exceeded 80%, a log is printed daily to the aella_ctrl log so that Stellar Cyber can diagnose the issue.

Resolved a bug where users were unable to add custom alerts to new cases in version 5.2.0. The issue occurred due to a server error (HTTP 500) when attempting to add alerts to cases.

Some scheduled PDF reports could display incorrect values due to an issue with query retrieval timing. This problem caused inconsistencies between Visualizer and the exported reports. The issue has been fixed by ensuring that charts listen for query updates during rendering, matching the data displayed in Visualizer. Affected users should now see accurate data in their scheduled reports.

Updated the ESET Responder Webhook templates to support automatic variable replacement. The targets.devicesUuids was set to eset.source_uuid, and targets.deviceGroupsUuids was removed. Additionally, triggers.manual.expireTime was adjusted for consistency and removed from the automatic template generation. These changes ensure streamlined user interaction and better API handling.

Reviewed and removed unnecessary /data_refinery API calls that were leading to 403 errors when user profiles lacked the required permissions. This improvement ensures that only essential API requests are made, thereby reducing customer confusion and enhancing the user experience.

Resolved the issue that caused log filters to show no hit counts despite being configured properly. This fix ensures that log filters now display hit counts accurately according to the profile configuration, which improves the reliability of log analysis.

Updated the parent_child_29 Sigma rule, to reduce the false positives by excluding \System32\dns.exe in image name filters.

Fixed the issue where View Assets from Usage Details on the License page opened in a new tab, while View Assets from Asset Usage displayed a popup. Both now consistently open in a pop-up window.

The vuln_exploit_correlation alert types have original records in more than one index so they require special handling in building the query string, index selection, and time range. Stellar Cyber addressed this with a custom original records query that checks in more than one index.

Addressed an issue causing repeated false cases with a 24-hour delay in internal plaintext password detection due to an SEF bug. The ATH deduplicated alert document now correctly updates the write_time and stellar_uuid when the document is updated. This fix is also included in the patch for 5.2.0 NG environments and requires a restart of the stellar-sef service, which may result in document loss during the restart process.

Resolved an issue where absolute time ranges set when retrieving Usernames used incorrect properties, resulting in null timestamps. Implemented a fallback to the past week for such Elasticsearch requests. Added logs to track requests lacking a time range. Conducted comprehensive checks to ensure proper handling of all time range types, including relative, absolute, and daily.

An issue that could cause the ds_linux_install.sh installation script to fail on AWS Linux 2 has been resolved in release 5.3.0. Customers can download the updated installation script from the official release URLs for a seamless installation experience. Refer to the installation documentation for detailed instructions.

Resolved an issue where ingestion volume charts displayed incorrect, lower-than-actual volumes following the upgrade from version 5.1 to version 5.2. The regression affected license calculation accuracy by misreporting ingestion data.

Modified the license page to accurately display ingestion values less than 1GB for MSSP customers using API connector logs. Values such as 0.0019GB will now be shown instead of 0GB to prevent confusion and improve billing clarity.

Fixed an issue where ATH rule "Create time" column displayed erroneous future dates. The dates now correctly reflect the actual creation time of the ATH rules, improving data accuracy.

Fixed an issue where ingestion volume charts showed incorrect, lower-than-actual volumes following the upgrade from version 5.1 to version 5.2. This regression affected the accuracy of license calculations by misreporting ingestion data.

Resolved an issue where a user-created case was accessible even though it had a Global Case Score below the minimum setting. It was clarified that global settings only apply to system-generated cases. Additionally, the case did not contain an alert due to potential alert purging based on timestamp.

Fixed an issue where the modified timestamp of a case fetched via the API did not reflect the latest update. The modified timestamp now accurately represents the most recent changes made to a case. This includes updates such as adding new alerts or score modifications.

Resolved an issue where the Linux Server Sensor was mistakenly generating Uncommon Process Anomaly alerts for its internal processes, specifically aella_phonehome and aella_gettech.

Resolved an issue where attempting to add a new Active Directory connector resulted in a Bad request error with status code 400, and a repeated Cannot get connector configuration message. The problem was identified to be related to DS/DP configuration synchronization. After synchronization, the error was no longer observed.

Resolved an issue affecting the installation of the Linux Server Sensor on some Amazon Linux 2 instances. The installation now properly handles the /etc/redhat-release symlink, ensuring seamless deployment.

The Server Sensor upgrade no longer touches services that may have been installed by users, such as td-agent or maltrace.etc.

Verified that the Server Sensor's OpenSSL usage was not vulnerable to CVE-2022-2068 or CVE-2022-1292, because the c_rehash script was not in use. Other identified CVEs were linked to binaries in /opt/aella/lib/libbak, which are not used by the Server Sensor. To address potential concerns, the directory has been removed.

Resolved an issue where sensors experienced reboots and failed reconnection caused by time synchronization errors. This fix prevents time jumps that affected heartbeat code.

Addressed an issue where the aella_ctrl_win_srv.exe process on the Windows Server Sensor was repeatedly trying to connect to TCP port 5601, conflicting with existing services on the host. Investigation revealed that filebeat was using port 5601 even when its service was not enabled. Updated the logic for aella_ctrl to prevent unnecessary connections to port 5601.

Adjusted the fidelity scoring mechanism for Impossible Travel alerts to increase the contribution of distance and decrease the contribution of speed and crossing continental lines. This primarily affects lower fidelity alerts which will now have higher fidelity scores on average.

Resolved the installation failure of the 4.3.7 Linux Server Sensor on Debian 8 due to dependency issues. Starting from version 5.1.1, the Linux Server Sensor package is self-contained and does not require additional package installation for Debian 8. Customers should ensure their environment does not block necessary dependency installations and update any expired GPG keys as needed.

Implemented improvements to reduce scheduling delays for per-tenant ATH rules with short intervals (less than five minutes). The system now uses a single parallel query instead of sequential execution, which resolves issues where queries would time out. Additionally, a new field indicates how late a rule is running, allowing customers to be aware of delays as very complex queries may still experience delays under certain conditions.

Resolved an issue where exported PDF reports (Respond | Reports) continued to show the default Stellar Cyber logo instead of custom logos set by users (System | Settings | Global Settings: System Logo). Exported reports now correctly display custom logos as configured.

Enhanced parsers so that they include URL reputation enrichment whenever the url field is present. This improvement ensures that URLs are now evaluated for reputation, providing additional context and security insights during analysis.

Fixed an incorrect normalization on the Sonicwall Firewall parser to avoid sending logs to the wrong indices.

Improved the NXlog parser to parse the Windows DNS Server logs in detail.

• Improved the Zscaler ZIA firewall parser to support the KVP (key-value pair) format of logs.
• Added value validation for IP fields to the Zscaler ZIA firewall parser. (Invalid fields are moved into the vendor namespace.)
• Enhanced the parsing of the detection field so that the parser will try to normalize durationms to it first.

Added support for a new log format to the Checkpoint Firewall parser.

Corrected a typo in the OpenVPN parser. The field openvpn.detial_message has been renamed to openvpn.detail_message to ensure proper parsing of logs.

Improved the NXlog parser to correctly parse the log format, ensuring accurate and complete event descriptions.

Added support for a new log format to the Wazuh SIEM parser.

Added support for a new log format to the FireEye HX parser.

Added normalization for srcip, dstip, srcport, dstport, and proto to the HTTPJSON ECS (Elastic Compute Service) Windows parser.

The F5 BIG-IP parser was enhanced to support DNS Fast logs. This update includes additional rules and regular expressions, specifically tailored for DNS Fast logs, ensuring proper parity with the F5 log format. You can now seamlessly incorporate DNS Fast log data into your logging and analysis workflows.

Added new log format support for Cisco Firepower parser.

Introduced the new FireEye - CMS (CEF) ingestion on port 5143.

Improved the Cisco ASA parser to use the standard protocol parsing process for more protocol fields.