Stellar Cyber 5.2.0s Release Notes

Highlights

The 5.2.0s release introduces several key features and improvements that enhance the Stellar Cyber Open XDR platform:

Alert Enrichment and Detection

• Enhanced alert enrichment for SMB traffic: Provides deeper insights into SMB Read/Write Anomalies.

• Detailed IDS rule enrichment: Adds comprehensive threat intelligence for various exploit anomalies.

• New ML alert type for abnormal Windows account password resets: Enables proactive security measures.

Reporting and Visualization

• Faster alert reporting: Improves response times for Impossible Travel Anomaly and User Login Location Anomaly.

• Enhanced case analysis graphs: Offers clearer visualization of complex attack scenarios.

• Refined correlation strategy: Ensures every alert is assigned to a case.

Integrations and Standards

• Third-party alert integrations: Expands capabilities with Netskope, Sophos, Defender for Cloud, and Huntress.

• InSync Integrations: Introduces bi-directional integration with ServiceNow^® and the Stellar Cyber case management system, enabling customers to collaborate across platforms and integrate seamlessly with existing workflows.

• MITRE framework update: Aligns threat intelligence with the latest industry standards.

Usability Enhancements

• Stellar Cyber Chat in the knowledge base: Introduces Stellar Cyber Chat as an AI chatbot to help you find information quickly and easily within the knowledge base.

• Usability enhancements: Includes new case management dashboards, bulk actions, visibility into enriched fields, and enhanced observable insights, enabling faster triage and investigation of alerts as part of a case.

• Data visibility improvements: Features human-readable JSON timestamps and automatic log parser sync.

• Field Customization: Introduces key field customization for alerts created from Automated Threat Hunting (ATH) rules, empowering analysts with easier access to critical context information.

Platform and Infrastructure

• Platform enhancements: Adds new API endpoints and single sign-on with Rippling to automate tasks and simplify user management.

• Public API endpoints: Introduces new public API endpoints for storage usage, ingestion statistics, and case history. For case history, separate endpoints let you retrieve all activities or just score change history. Refer to About the Case and Incident APIs for a detailed comparison of the features available in each.

• Sensor and connector enhancements: Introduces new ingestion ports and expanded connector support.

• System Action Center: Enhances the System Action Center with Slack responses and many new rule types.

Data Processing and Parsers

• Data processor improvements: Offers tailored threat detection and increased context accuracy.

• New and improved parsers: Broadens the range of log sources monitored for more accurate threat detection and comprehensive security solutions.

Actions Required

• Update any configurations with field changes noted in the Behavior Changes section.

Behavior Changes

Changes that affect the way users interact with the product or interpret results are listed below.

• The alert types with Azure AD have been renamed to Microsoft Entra ID. This change only applies to the display name of the affected alert types (xdr_event.display_name). The internal event name (xdr_event.name) remains unchanged. The following alert types have this name change: Azure AD Apps Modified To Allow Multi-Tenant Access → Microsoft Entra Apps Modified To Allow Multi-Tenant Access, Azure AD Custom Domains Changed → Microsoft Entra Custom Domains Changed, and AzureADRiskDetection → Microsoft Entra RiskDetection (third-party alert integration) This name change also applies to alert descriptions and other display strings in alerts and rules.

• Trend Micro Apex Central CEF parser – deviceprocessname is moved from msg_data to the vendor field.

• McAfee Firewall parser – Unsupported values in the protocol field are moved into vendor namespace while those with supported values are still normalized as proto.

• Netflow parser: This parser no longer puts all the fields into msg_data. Except for the srcip, dstip, srcport, dstport, proto, inbytes_delta, and inpkts_delta fields, all other fields are now under netflow.

• Fortinet Fortigate parser – The action, url, and direction fields are normalized into top-level fields.

• Barracuda Firewall parser – proto_name is normalized into proto when possible.

• Mako Networks Firewall parser – A proto: <proto-name> key-value pair is parsed as proto: <proto-name> when the value is icmp, igmp, tcp, or udp. Any other value is stored under vendor namespace.

• Mako Networks Firewall parser – The action field moved from the msg_data to the top level.

• Ubiquiti UAP-AC-Pro parser – The whole message part is kept in the log.event_description field for wcad logs.

• Ubiquiti UAP-AC-Pro parser – The ubiquiti.wevent_type field is renamed as ubiquiti.event_type.

• ProofPoint parser – The following key list was added: ["process_name", "process_id", "s", "m", "x", "mod", "cmd", "rule", "dkimresult", "spfresult", "duration", "value", "routes", "rcpt_routes", "rcpt_notroutes", "data_routes", "data_notroutes", "to", "delay", "xdelay", "mailer", "tls_verify", "tls_version", "cipher", "pri", "relay", "dsn", "stat", "from", "size", "class", "nrcpts", "msgid", "proto", "daemon", "auth", "version", "verify", "bits", "reply", "ctladdr", "STARTTLS", "msg"]

• Any fields that come from key-value pairs that aren't in the list are stored in msg_data.

• Sophos Firewall parser – device is normalized into sophos.device.

• Cisco Meraki parser – device is normalized into cisco.device.

• The schema for the PUT /connect/api/v1/users/{id} API endpoint no longer requires the name field as of the 5.2.0s release. Existing API requests that include the name field will not break in 5.2.0s. The name field is simply ignored if included in a PUT or PATCH request to the users API endpoint.

• Users should no longer be configured with duplicate email addresses. Currently, the username and email addresses are discrete fields, with the former being the unique identifier. In an upcoming release, these fields will be consolidated with the email address field becoming the unique identifier for a user. Administrators should begin updating their user accounts to ensure no two users have the same email address.

• In previous releases, the names of applications and protocols appeared in the user interface in uppercase, mixed case, and lowercase formats, sometimes resulting in multiple similar entries differing only by case. For example, syslog, SYSLOG, Sylog, SysLog. To reduce the number of entries, Stellar Cyber now combines them into one entry with a lowercase name: syslog, SYSLOG, Sylog, SysLog → syslog. A possible exception to the use of lowercase application names is user-configured custom applications (System | Traffic Filters | Custom Applications). For custom applications, Stellar Cyber displays the name in whatever case the user defined it

Deprecations

• The Company Trends page is no longer available.

• Azure Security Center was renamed and this content type is deprecated from Azure Event Hub connector.

• The Sophos alert type for Malware on Disk, which also has a detection for Windows Defender for Endpoint, is deprecated. The new Sophos alert integration covers the same alerts.

• The normalization fields sha256, group, and threat are deprecated and will be changed in a future release.

Critical Bug Fixes

• AELDEV-44530: Resolved an issue with the rule parent_child_55 causing false positives for legitimate system operations.

  Corrected the rule parent_child_55 "Unusual Parent-Child Relationship" to prevent false positive alerts when the Windows system process smss.exe is legitimately initiated by the system. This adjustment ensures that normal Windows operations involving smss.exe do not trigger security alerts, improving the accuracy of Stellar Cyber threat detection mechanisms.

• AELDEV-44504: Adjusted Port Scan Anomaly alert type to reduce false positives.

  Fixed a bug that sometimes caused firewall data to incorrectly trigger Port Scan Anomaly alerts with the subtype "Connection Failure Anomaly (Sensor Traffic)".

• AELDEV-44478: Resolved an issue in which the query builder didn't save pasted content.

  Addressed a bug where the query builder remained empty after attempting to paste content using the right-click mouse method. This was solved by making modifications that ensured content pasted via right-clicking is now correctly recognized and saved.

• AELDEV-44356: Resolved a Windows Server sensor connection issue, ensuring that processes use the correct Stellar Cyber Platform port.

  Corrected the behavior of Windows Server sensor processes download_image.exe and post_file.exe to ensure only post_file.exe initiates connections to the Stellar Cyber Platform on TCP port 443. This correction prevents other processes from unnecessarily attempting connections, enhancing system efficiency and security compliance.

• AELDEV-44270: Reduced false positives for two security rules.

  Two security rules, identified as windows_security_169 and process_creation_commandline_15, were updated to minimize false positives. The windows_security_169 rule now leverages the latest SigmaHQ version with additional process name filters. For the process_creation_commandline_15 rule, detection is now based solely on hostip, addressing the high variability in command lines.

• AELDEV-44198: Resolved an issue that prevented global settings adjustments due to a session timeout validation error.

  Fixed a regression where the system enforced an invalid session timeout setting, preventing modifications to global settings. Session timeouts configured to 0 are now automatically updated to 60 to comply with the new validation rules, ensuring configurations can be updated without errors.

• AELDEV-43990: Resolved an issue where the expiration date shown in the System | License page did not update.

  Addressed an issue where the license expiration date shown in the System | License page did not update when a new license was applied..

• AELDEV-43985: Resolved an issue with reverting isolation actions in Defender for Endpoint integrations.

  Fixed the revert action functionality for Defender for Endpoint by ensuring the action_type parameter is correctly included in revert requests. This adjustment rectifies the inability to revert isolation actions on endpoints, ensuring operational consistency and reliability.

• AELDEV-43922: Corrected an error with Office 365 connectors where start and end times were not properly specified.

  Resolved an issue causing Office 365 connectors to fail when fetching data due to the incorrect handling of start and end times. This was done by ensuring that time intervals are less than 24 hours apart and modifyiung time-split logic to prevent overlap issues, thus eliminating "Start time and End time must both be specified" errors.

• AELDEV-43913: Resolved an issue where the min_score parameter in the Cases API wasn't returning expected results.

  Addressed an issue in the Cases API where the min_score argument incorrectly returned at most one case despite higher limit settings or it failed to return any results. The min_score argument now functions as intended, properly filtering cases by minimum score.

• AELDEV-43889: Resolved a decode issue with the generic S3 connector that prevented correct data parsing.

  Addressed a decoding error in the generic S3 connector that prevented it from properly downloading and parsing S3 object data due to a UTF-8 codec incompatibility. Modified error handling and decoding processes to ensure compatibility with diverse data formats, resulting in successful data retrieval and display in the Threat Hunting module.

• AELDEV-43794: Resolved an issue where modifications to the Log Source configuration required manual restarts to take effect.

  Addressed an issue where the Log Source configuration would not update after new rules were added or existing ones were modified until aella_conf was manually restarted. Safeguards were added and log outputs were improved for better troubleshooting, ensuring configurations update as expected without the need for manual service restarts.

• AELDEV-43793: Corrected key usage for Event_ID 4703, enabling Token Right Adjusted Event reporting after upgrading to 5.1.1.

  Previously, Windows Server sensors failed to report Event_ID 4703 (Token Right Adjusted Events/Non Sensitive Privilege Use/User / Device Claims) due to incorrect key configurations. The 5.1.1 upgrade involved fixing these keys, thereby restoring and enabling accurate event reporting. This adjustment addresses a reporting gap experienced before the upgrade, ensuring comprehensive event coverage and visibility.

• AELDEV-43732: Fixed an issue preventing proper loading of dashboards and charts with certain RBAC settings.

  Resolved a problem where dashboards, charts, queries, and correlations failed to load correctly for users with specific RBAC settings. This was particularly noticeable when any of these components were disabled. The update ensures all components load correctly regardless of RBAC configurations.

• AELDEV-43451: Resolved an issue preventing case creation from pre-upgrade alerts.

  Fixed a bug where cases could not be created from alerts generated before the 5.1.1 upgrade due to incorrect 'stellar_index_id' values. The solution involves a check to ensure the correct index value is used, allowing case creation from any alert, ensuring seamless operations post-upgrade.

• AELDEV-43409: The SentinelOne connector now uses updated credentials after configuration adjustments.

  Resolved an issue where the SentinelOne connector failed to utilize the most recently updated credentials, resulting in erroneous 401 Unauthorized errors during data pulls. The fix ensures credentials are refreshed appropriately upon connector configuration updates, mitigating credential mishandling and data retrieval issues.

• AELDEV-43402: Resolved a traceback issue in aella_cli on Amazon Linux 2023 that led to repeated cron emails.

  Addressed an exception in aella_cli, where sorting processes by CPU usage could crash due to NoneType comparisons with floats, causing cron to send repeated error emails. The fix ensures stability by handling None values appropriately, mitigating the issue without disrupting the cron's operational efficiency.

• AELDEV-43396: Disabled remote access to Nessus management port 8834.

  In the latest update, Nessus management port 8834 on modular sensors is no longer remotely accessible, enhancing system security. This change addresses potential vulnerabilities associated with external access to the Nessus webserver. If you use this port for direct Nessus webserver access, note that this functionality is deprecated.

• AELDEV-43395: Resolved an issue with Windows Server sensor 4.3.7 being incorrectly flagged as malicious by Google and Ikarus.

  4.3.7 Windows Server sensors were mistakenly identified as malicious by Google and Ikarus due to an outdated version of the installer. Upgrading to the latest installer version addressed the false positives, ensuring no vulnerabilities are detected, and maintaining the integrity of Stellar Cyber software.

• AELDEV-43296: Addressed incidents and alerts triggered by old events due to Office 365 API delays.

  Resolved an issue where incidents and alerts were erroneously triggered by events dated a few weeks prior. The root cause was delayed data retrieval from the Office 365 API.

• AELDEV-43251: Resolved an issue with unsorted volume usage.

  Addressed an issue where the volume usage rollover display in the System | Licensing | Volume Usage section was not sorted in descending order by ingestion volume.

• AELDEV-43244: Updated alert suppression logic for emerging threats to include both source and destination IPs.

  Emerging threat alerts now utilize a suppression mechanism based on both source IP (srcip) and destination IP (dstip) pairs. This modification ensures that alerts are uniquely triggered for different srcip-dstip pairs within a 24-hour period, thereby enhancing detection accuracy and alert specificity for emerging threats.

• AELDEV-43223: Enhanced Office 365 normalization for Azure Active Directory (AD) and Office 365 events correlation.

  Implemented two enhancements to improve incident correlation between Azure AD and Office 365 events. First, when a valid UserKey value exists, it is now utilized for srcip_usersid. Second, normalization rules were updated to ensure srcip_username values are consistently lowercase, enhancing the accuracy of event correlation.

• AELDEV-43221: System Action Center now respects global alert threshold settings for case creation notifications.

  Adjusted System Action Center behavior to adhere to the global setting for the number of alerts required to trigger case creation notifications. Previously, it would default to 2 regardless of global settings, causing inconsistency. This issue is now resolved to ensure uniformity in alert management.

• AELDEV-43197: Resolved an issue with a missing member name in Windows Event 4732.

  The missing member name in Windows Event 4732 records was due to missing data being in the original event. Records now accurately reflect the source data.

• AELDEV-43176: Fixed an error encountered with the filter case time range selection.

  Resolved an issue where selecting an invalid time range in the Cases page filter resulted in persistent errors, even after correction. Custom validation logic now ensures accurate error handling, improving user experience.

• AELDEV-43077: Optimized memory usage on the volume usage tab.

  Enhanced the performance of the volume usage page by limiting the display to the top 100 tenant volumes per day and refining data processing to reduce memory consumption significantly. Further optimizations targeted at UI settings were also initiated.

• AELDEV-43049: Enhanced User Process Usage Anomaly alert type by improving event record handling and user consistency.

  Implemented logic to enhance User Process Usage Anomaly alert type to ensure accurate and consistent user attribution.

• AELDEV-43033: Improved the interflow dictionary filter functionality.

  Enhanced the functionality of the interflow dictionary by ensuring the packing chartf accurately reflects the initial query filters set for the view. This update critically aligns displayed match fields with user expectations and specified filtering criteria.

• AELDEV-42814: Resolved an issue where Windows Server sensor updates via the user interface were failing without clear error feedback.

  Addressed a problem where attempts to update the Windows Server sensor via the user interface were unsuccessful, without providing users with any indication of what went wrong. This issue was caused by failures in creating or executing the scheduled task for the update process and has been resolved so that updates now proceed as expected.

• AELDEV-42805: Refactored the Cato Networks connector to use generators, reducing memory usage.

  Implemented the use of generators in the Cato Networks connector to optimize memory utilization. This enhancement ensured efficient memory usage without altering the connector's functionality.

• AELDEV-42784: Enhanced debugging for Connector(s) Silent notifications to address false positives.

  Implemented additional debugging information for Connector(s) Silent notifications to better identify and mitigate false positives. The update aims to enhance diagnostic capabilities by capturing more detailed activity logs, enabling more efficient issue resolution and verification of connector health.

• AELDEV-41181: Resolved an issue where device sensors with either IDS or local file assembly enabled in their sensor profiles did not detect 802.1q VLAN tags correctly.

  Addressed a defect where 802.1q VLAN tags were not recognized by sensors using the AF_PACKET driver. This correction ensures VLAN tags are detected accurately, enhancing network traffic analysis and sensor functionality across varying configurations.

• AELDEV-40945: Resolved an issue where xdr_event.description was not displayed in Dashboard Custom Charts.

  Addressed the problem causing xdr_event.description to be absent in Dashboard Custom Charts by updating configurations that ensure descriptions are included for built-in rules, specifically for Exploited C&C Connection events. This enhanced visibility and data comprehension in dashboard visualizations.

• AELDEV-39509: Enhanced the calculation of memory usage by adding available memory statistics.

  Addressed a discrepancy with memory usage by including available memory statistics in the system's memory calculation. This enhancement corrects the display of memory usage to reflect the system's available memory, leading to more accurate system monitoring and diagnostics.

• AELDEV-39408: Fixed an issue when cases associated with an alert weren't displayed on the Alert Details page.

  Fixed an issue when an associated case wasn't displayed on the Alert Details page if the alert was the only one associated with the case or if some score calculations were missing. Note: The minimum number of alerts and minimum case score specified in Global Case Settings (Cases | ) don't affect whether an associated case appears on the Alert Details page.

• AELDEV-39265: Enhanced detection of non-deletion account modifications in Office 365.

  Implemented a change to accurately detect account modifications versus deletions. This enhancement allows for more precise filtering of alerts related to account status changes without misclassifying modified accounts as deleted.

• AELDEV-38390: Fixed an issue with click-and-drag operations in Firefox.

  Resolved an issue where click-and-drag operations did not work correctly in some pages when using Firefox.

• AELDEV-38215: Resolved an issue with alert filters not functioning as configured.

  Addressed a problem where specific alert filters failed to catch alerts as intended. This involved correcting the functionality of filters to ensure they operate as configured and catch the correct events. The resolution ensures that filters now accurately exclude or include alerts based on specified parameters.

• AELDEV-35961: Resolved the failure of the DNS query test button for the Active Directory (AD) connector.

  Improved the ability of the AD connector to process DNS queries by ensuring a correct DNS server configuration. This addressed the issue where the test button previously failed due to an inability to perform DNS queries, even when the IP address was correctly specified as the server name. The adjustment ensures more reliable DNS resolution for AD connectors.

• DATA-1991: Improved the Versa Network Firewall parser to support more formats.

  Improved the Versa Network Firewall parser to support the new header format. The parser will also now check the values of the top-level IP and MAC fields – fields with invalid values will be moved into the vendor namespace with their original field name. It now also supports additional values for the protocol fields protocolIdentifier and ipsProtocol.

• DATA-1950: Updated the OpenVPN parser to support new log formats and authentication results.

  Enhanced the OpenVPN parser to parse and recognize new log formats directly from Ubuntu installations of OpenVPN, including detailed authentication success and failure log entries. Adjustments and additions were made to regex patterns to support these variations, improving log data parsing fidelity.

• DATA-1895: Enhanced the pfSense Firewall parser for better OpenVPN log field parsing.

  The pfSense Firewall parser was upgraded to parse additional fields from OpenVPN logs, enhancing log analysis capabilities. Modifications included new regex patterns and parsing logic to accurately extract and process more data points from log entries.

• DATA-1808: Fixed an issue in the McAfee Firewall parser.

  Resolved an issue in the McAfee Firewall parser in which the fields mcafee.pri and mcafee.time were parsed out from the syslog header and normalized as log.syslog.priority and log.syslog.timestamp. The time field is normalized as log.syslog.time_str when it is not in a supported format.

• DATA-1444: Enhanced Ubiquiti log parsing to process and normalize protocol names and Type of Service (TOS) values.

  Updated the Ubiquiti log parser to correctly extract and normalize the proto_name from the message data to the top-level attribute, and ensure the TOS values are correctly parsed as integers, including handling of hexadecimal values. This enhancement ensures accurate data representation and improves compatibility with downstream processing and analytics.

• DATA-850: Fixed parsing inconsistencies for proto and duration fields in Ericom ZTEdge logs.

  Resolved issues with Ericom ZTEdge logs where proto field values were incorrect and duration values were inaccurately rounded down. Implemented normalization rules to accurately parse and represent proto values and converted duration to a string (duration_str) to maintain precision. These changes ensure that log data is accurately represented and consistent with source values.

Detection/ML

New Features

• AELDEV-43166: Enriched IDS rule details to a multitude of ML alert types, notably around anomalies detected by Suricata rules.

  Added Suricata IDS rule information to the alerts of the following IDS-related Alert Types in ids.rule: Private to Private Exploit Anomaly, Private to Public Exploit Anomaly, Public to Public Exploit Anomaly, Public to Private Exploit Anomaly, Internal IDS Signature Spike, and External IDS Signature Spike. These additions include instances where such alerts did not previously contain correlated IDS rule data, thus enhancing visibility and context for security analysts. The update encompasses both internal and external IDS anomaly alert types across various network traffic.

• AELDEV-42639: Added alert subtypes for User Login Failure and Account Login Failure Anomalies and improved original record queries.

  Enhanced External/Internal User Login Failure Anomaly and External/Internal Account Login Failure Anomaly alert types with specific subtypes to refine detection capabilities. Original record queries were refined for better precision, allowing a clearer analysis of the raw events that contribute to an alert. This update provides finer granularity in alerts and improves the accuracy and relevance of the original records presented.

• AELDEV-41430: Enhanced the alert mapping for VMware Carbon Black alerts that lacked a threat_cause_category field.

  Improved the integration with Carbon Black alerts by ensuring that alerts without the threat_cause_category field are now mapped to the appropriate stage in the Killchain. This update enhances threat visibility and response by addressing an issue where certain alerts were previously excluded from Killchain mapping.

• AELDEV-39931: Expanded ML alert types to include IPS threat logs.

  Enhanced machine learning alert types to integrate firewall IPS threat logs. Now firewall IPS threat logs contribute to alert types of Private/Public to Private/Public Exploit Anomalies, and Private/Public to Private/Public IPS Signature Spikes. The currently supported firewall IPS threat log sources are Fortigate, Palo Alto Networks, and SonicWall.

• AELDEV-38041: Enhanced the User Asset Access Anomaly to add a subtype for SMB traffic with unusual user-asset access patterns.

  Implemented a new alert subtype “SMB User Based” to alert type “User Asset Access Anomaly”. This identifies unusual user-asset access patterns over SMB traffic.

• AELDEV-38031: Switched to using write_time for querying login events in UBA alert types to accommodate upstream data source delays.

  Modified UBA alert types to use write_time for querying login events, reducing detection latencies for alert types like Login Time and Login Failure. This enhancement also addresses a detection edge case where certain data sources with very long delays in reporting login events, such as several hours of delays for example, might not be always covered.

• AELDEV-36264: Added a new ML alert type: Password Resets Anomaly.

  Added a new detection system for identifying anomalous password reset activity on Windows systems. It currently supports one subtype: Windows Account Password Reset Anomaly, which detects abnormal password resets for Windows accounts. It's aimed at spotting potential security breaches by scrutinizing password reset patterns and generating alerts for activities that deviate from the norm, thereby improving the capability to preemptively mitigate account compromise risks.

• AELDEV-28835: Updated External/Internal SMB Read/Write Anomaly alert types to include summarized file paths and filenames, improving alert context.

  When alerts are triggered from SMB traffic with path-related metadata decoded by Modular Sensors, Stellar Cyber enriches External/Internal SMB Read/Write Anomaly alert types for accessed file paths in event_summary.smb_path_list. Stellar Cyber ranks the significance of the paths—for example, system paths or user paths—by their uniqueness and access frequency during the detection period. Alerts now display significant file paths based on visit frequency and folder properties, enhancing the understanding of the alert triggers.

Improvements

• AELDEV-41128: Updated Sigma Rule “Raspberry Robin Dot Ending File” (Stellar Cyber rule ID: process_creation_commandline_90) to its latest version to reduce false positives.

  Updated rule ID process_creation_commandline_90 in the Suspicious Process Creation Commandline alert category. The update was sourced from SigmaHQ and aims to reduce false positives through improved detection logic.

• AELDEV-40747: Improved the case analysis graph for alerts triggered by Windows Logon failures.

  For cases generated from LimaCharlie Windows Event Log alerts, specifically logon events identified by event_id: 4625, the case analysis graph now displays additional information such as the username and IP address of both the source and destination hosts involved in the logon if they are present in the failure events. This enhancement provides more context by showing the user and IP address along with the host machine and process previously displayed, improving the depth of analysis available in the graph.

• AELDEV-39970: Implemented third-party Huntress alert integration.

  Integrated with Huntress to provide improved alert and asset retrieval functionalities. This integration involves complex parsing of incident reports, which might contain multiple events and extensive information exceeding 10,000 characters.

• AELDEV-38977: Implemented case-insensitive matching for the Sigma rule engine and modified the engine to support the ignore_case keyword in Sigma queries.

  Improved the Sigma Rule “AWS IAM Backdoor Users Keys” (Stellar Cyber rule ID: aws_13) to make sure it is only triggered when one user creates an API key for another user but not when a user creates a key for themselves. This update simplifies previous implementations by eliminating the need for separate processing fields for case sensitivity, allows case-insensitive comparisons, and enhances rule flexibility and accuracy.

• AELDEV-38626: Adjusted the scoring model for Exploited Command and Control (C&C) Connection alerts.

  Fixed an issue with the alert scoring model that incorrectly scored exploited C&C connection alerts. It now calculates a dynamic fidelity score (previously it was always 99) and contributes to the final alert scores (max: 82).

• AELDEV-37095: Reduced latency for the Impossible Travel Anomaly and User Login Location Anomaly alert types.

  Switched from using timestamp to write_time in User Behavior Analytics (UBA) alert types, particularly for Impossible Travel and User Login Location, to effectively manage and mitigate the impact of increased event delays from data sources such as Google Workspace. The alerts for data sources with low ingestion delays (for example, Windows events) are reported much faster than before and ensures better coverage of events by reducing query delays.

• AELDEV-37079: Implemented an improved correlation strategy to ensure that each alert will be assigned to a case, even if the alert cannot be correlated with other alerts.

  The node summarization feature in case graphs has been enhanced to support multi-level summarizations. Specifically, this improvement allows the summarization of connected nodes across multiple levels, reducing the complexity and size of graphs significantly. Initially focusing on summarizing processes into aggregated nodes, this capability extends further into adjacent node levels, streamlining the visualization of complex, multi-step relationships in case data.

• AELDEV-35712: Upgraded the MITRE framework from v8 to v13 in all third-party alerts.

  Updated the process for mapping and enriching Tactics, Techniques, and Procedures (TTPs) for third-party alert integrations to use a database-driven approach. The new methodology enhances performance and maintainability and ensures robustness.

• AELDEV-34261: Implemented third-party Sophos alert integration.

  Integrated Sophos alerts into the Stellar Cyber Killchain, enabling native third-party alert processing within the Stellar Cyber Open XDR Platform. The enhanced capability allows for seamless importing and enrichment of threat data from Sophos, improving incident analysis and response efficiency.

• AELDEV-28757: Added key fields to Deep Instinct alert integration.

  Enhancements made to Deep Instinct alerts include UI improvements for clipboard copying and visibility of File Path and File Hash. Key fields for Threat Type, Type, and Event ID were added for more detailed alert information. Efforts to customize key field configurations for greater user flexibility were also implemented, while retaining the world map feature.

• AELDEV-28393: Implemented a third-party Netskope alert integration.

  Integrated Netskope alert functionality, enabling the identification and response to connection, breach, and malsite alert types. The integration involves configurations for each alert type, along with mappings for tactical and technical aspects, enhancing alert detection capabilities.

Usability

New Features

• AELDEV-41127: Added a new observable for Windows registry keys to the Case Analysis graph.

  Implemented a feature where the modified_at field of a case is now automatically updated whenever a comment or some evidence is added, updated, or deleted. This ensures accurate tracking of case modifications and enhances API filtering capabilities for updated cases. The change does not affect case score calculations.

• AELDEV-40458: Enhanced the user interface (UI) to support configurable time ranges for each layer of correlation rules.

  Implemented a new UI feature that allows users to set distinct time ranges for each layer within a correlation rule to address use cases such as the detection of short-term accounts. This feature facilitates the creation of more precise and effective security correlation rules by enabling time-specific queries across multiple layers.

• AELDEV-38902: Implemented the capability to query for alerts not associated with cases.

  Added a new query capability that allows you to filter alerts not correlated to any cases. To enable a more efficient workflow for identifying and addressing potential security incidents, this feature supports complex case management and improved visibility into uncorrelated alerts.

• AELDEV-37728: Added new Case Management dashboards.

  Introduced a basic Case Management Dashboard to facilitate quick insight into case metrics without extensive complexity. Features include Total Case Number with a pivot on severity (line or bar chart), Case Breakdowns by Severity and Status (pie charts), Case Assignee Chart, and Case Breakdown by Alert Number (line or bar chart), complemented by a Case List table at the bottom.

• AELDEV-35872: Added support for bulk actions in the Case table.

  The Case Table supports bulk edits to the Status, Tags, or Assignee of multiple cases. Once you apply a bulk action to one or more cases, Stellar Cyber displays a success or failure message at the top of the display and keeps track of its progress in the Task List.

Improvements

• AELDEV-44248: Enhanced the Alert Details panel with field filters and a search tool.

  Introduced the ability to filter fields in the Alert Details pane through quick filters for Detection and Threat Intelligence (TI) enrichments. There's also a Search tool that searches across key fields, values, and field names among the alert details, facilitating quicker access to relevant information.

• AELDEV-44244: Implemented alert highlighting when the Alert Details panel is opened.

  Added functionality to highlight and maintain focus on an alert row when it is selected from the alert list, so you can keep track of the alert in the list when it is under review in the Alert Details panel. The solution includes a noticeable color highlight upon opening an Alert Details panel and a subtle pulsing effect to draw attention to the row once the panel is closed. This feature aids in efficient navigation and review of alerts without losing context.

• AELDEV-44242: Improved usability of alert detail in case management

  When viewing an alert in case details and then navigating away from the case in previous releases, you would need to locate the alert in the list again and reopen it upon returning to the case. The page now stores the selected alert in your browser history so you can navigate back to the alert context using the Back button in your browser.

• AELDEV-42482: Added ID filtering to the GET /cases API endpoint.

  The GET /cases API endpoint now supports filtering by case ID, enabling unique case identification and integration with external SOAR or ticketing systems. This enhancement facilitates more efficient synchronization and tracking between Stellar Cyber and external systems, and it allows for detailed case status updates and modifications using unique case IDs.

• AELDEV-42134: Added a public API endpoint for querying all alert types, including custom-created alert types.

  Added the GET /custom_security_events public API which returns custom created alerts.

• AELDEV-41650: Enhanced the UI with collapsible long key fields and other design changes.

  Implemented improvements in the UI handling of long key fields. Adjustments include smaller horizontal spacing between label and content, reduced label size with a color change, and expandable/collapsible functionality for long strings. Tooltips were also modified to enhance clarity.

• AELDEV-41599: Renamed Visualize | ML-IDS to Intrusion Signatures to include Intrusion Prevention System (IPS) signatures.

  Enhanced the Visualize/ML-IDS feature to encompass IPS signatures, effectively transforming it into an ML-IDS/IPS. This enhancement not only includes renaming ML-IDS to accommodate IPS data but also content updates to various pages in the Stellar Cyber UI and to index names to better reflect the integration of IPS signatures. Relevant visualizations, analytics, and alert types have been updated to incorporate this new data seamlessly, ensuring more comprehensive threat detection capabilities.

• AELDEV-41431: Implemented record deduplication based on arbitrary field names for ATH rules.

  Introduced a feature that allows users to specify a field in Automated Threat Hunting (ATH) rules for consolidation of records with matching fields. This update enables the creation of only one record per defined field every 24 hours, addressing situations where a particular connector is sending a new alert record every time an alert is updated on the connector source.

• AELDEV-40252: Added the ability to hide unused tiles on the Threat Hunting page.

  The UI has been enhanced to allow you to hide tiles related to unconfigured data sources in the Threat Hunting page. This improves usability by removing clutter to make relevant data more accessible.

• AELDEV-40251: Improved exporting on the Connector page so you can export selected columns in a PDF.

  Enhanced the connector view functionality by allowing users to export their selected view with specific columns as a PDF. This feature facilitates easier reporting and documentation for critical insights and supports better data management and sharing.

• AELDEV-39870: Added the ability to hover over the Deep Instinct File Path and File Hash to expand and see the field value.

  Implemented a new UI feature that allows users to either click or hover their cursor over the File Path and File Hash fields to fully expand these values if they were previously trimmed for display purposes. This provides better visibility into these key data points without the need to navigate away from the current view.

• AELDEV-39396: Added descriptions for the internal API /entity_usage/daily_count/{scope}.

  Introduced comprehensive request parameter guidelines for the internal API /entity_usage/daily_count/{scope}, specifying that days and date parameters must be used exclusively.

• AELDEV-39384: Unused internal APIs for ElasticSearch indices were hidden.

  Enhanced security and optimization by hiding unused internal APIs related to Elasticsearch indices within the SaaS environment. This adjustment results in a more streamlined interface, reducing potential attack surfaces, and improving system performance by eliminating unnecessary endpoints.

• AELDEV-39249: Added support for custom log parsers.

  The ability for you to configure custom log parsers, previously hidden in the SaaS UI for safety concerns, has been reinstated. This update allows you to directly access and configure custom log parsers within the UI, facilitating a more convenient setup process for sophisticated log parsing requirements. This enhancement ensures compatibility with existing RBAC paths and integrates seamlessly into the user profile home page dropdown.

• AELDEV-38938: Added support for CIDR notation in IP address lookup groups.

  Updated IP address lookup groups to support CIDR notation. This allows you to define networks within a lookup group more efficiently.

• AELDEV-38220: Replaced Azure Active Directory (AD) with the new name: Microsoft Entra ID.

  In alignment with the Microsoft rebranding of Azure Active Directory as Microsoft Entra ID, Stellar Cyber updated all occurrences of the term throughout the user interface. This includes updates in third-party alert integrations, built-in alert types, rules descriptions, and various UI elements such as threat hunting columns and RBAC actions.

• AELDEV-38084: Increased the number of languages that the Stellar Cyber user interface (UI) supports.

  Implemented a new translation mechanism that supports a wider range of languages for the Stellar Cyber UI.

• AELDEV-36982: Implemented the ability to bulk configure the aggregator IP address for multiple sensors in the user interface (UI).

  Introduced the ability to bulk assign sensors to an aggregator directly from the Sensor page, greatly streamlining the process.

• AELDEV-36900: Added support to the Disable User action to use the username field populated from Office 365 records, in addition to the Microsoft Entra ID userPrincipalName field.

  Implemented an enhancement for Azure Active Directory records. Now, records can be enriched with the userPrincipalName field, which lets the response connector operate on more complete user information. The user interface was updated to use username to disable the user. This enhances system usability and response capabilities.

• AELDEV-28852: Added custom key fields to alert types.

  Enhanced alert types by implementing your ability to set custom key fields, allowing for more tailored alert configurations. The change improves alert customization and relevance.

• AELDEV-28756: Added Tenant Group field at the top of all Case detail displays.

  Adding the Tenant Group field to the Case detail pages allows customer support engineers to swiftly identify the MSP partner associated with a case, facilitating quicker and more effective case resolution.

• AELDEV-25631: Added Tenant Group to the columns in the connector table.

  Added a Tenant Group column to the Connector table. This enhancement improves visibility and management of connectors by allowing you to see the assigned tenant group directly in the Connector table. The update applies to all existing and future connectors without requiring additional configuration.

• AELDEV-10935: Added next and previous navigation buttons to the Alert Details panel.

  Implemented navigational buttons for seamless event investigation, allowing you to navigate between alerts directly from within the Alert Details panel, which eliminates the need to repeatedly open and close the panel. This update streamlines the workflow for analyzing alerts in a table view.

Stellar Cyber Platform

New Features

• AELDEV-40453: Implemented an upgrade pre-check and a UI banner for notifying users about duplicate user accounts.

  Added a verification process and UI banner notification to alert you of duplicate usernames or emails due to the introduction of case insensitivity. In previous releases, usernames like johnsmith and JohnSmith are considered two different, valid names. From 5.2.0s, they are considered duplicates of the same username.

• AELDEV-39288: Added the ability to add alert type descriptions.

  Implemented a feature that lets you add custom descriptions to alert types for enhanced clarity, facilitating a better understanding of alerts for analysts. Additionally, a new UI section has been created to organize and manage custom alert types so you can customize your alert workflow.

• AELDEV-38947: Added the ability to automatically sync new custom log parsers to the Log Sources page.

  Implemented an enhancement allowing newly uploaded custom log parsers to be automatically listed in the Name dropdown on the Log Sources page. Custom parsers are immediately available in the dropdown upon upload or immediately removed from it upon deletion.

• AELDEV-37124: Added a new API endpoint to delete sensors in bulk via the API.

  Implemented functionality to delete sensors in bulk through the APIs. This enhancement lets you delete over 100 sensors at a time, significantly improving operational efficiency when managing large-scale deployments.

• AELDEV-36260: Implemented System Action Center updates with prioritized notifications, server sensor monitoring, and enhancements in actions and user notifications.

  Phase 3 of the System Action Center was completed, introducing prioritized notifications, new rules for notification services, and customization options for server sensor monitoring, including handling of no data, offline status, and status changes. Enhancements were made in actions and user notifications, adding support for email and Slack links, enhancing RBAC privilege escalation notifications, and user account lockout handling. Additional debug logging and minor template fixes were also included.

• AELDEV-35872: Added a new API endpoint to create cases via the API.

  Added a new Create Case endpoint to the Stellar Cyber public API. This endpoint accepts a comprehensive set of fields including customer ID, alerts, case name, severity, status, assignee, tags, and comments. The solution involves robust data validation mechanisms to ensure the integrity and accuracy of the input data. This feature lets you programmatically create cases with detailed contextual information, streamlining incident management.

• AELDEV-34397: Stellar Cyber Cyber supports Rippling as an identity provider for single sign-on (SSO) authentication of its administrative users.

  Stellar Cyber integrates with Rippling for Single Sign-On (SSO) to provide authentication and access management, which enhances security and improves the user experience.

• AELDEV-34268: Added support for alert filter statistics per tenant.

  Implemented enhancements that enable support of multiple organizations. The ElasticSearch client was modified to render templates and route data to appropriate ElasticSearch clusters based on organization. This improves both data segmentation and security.

• AELDEV-21726: Added support for using available geolocation information in original records.

  Geolocation enrichment now prioritizes the use of geolocation information from original records if present. This update supports more reliable geolocation-based analyses by using authentic location data from sources like Azure Active Directory, supplemented by GeoIP2 DB when necessary.

Improvements

• AELDEV-43545: Enhanced Security Analytics (SA) rules with start and end time fields for improved event time range definitions.

  SA rules now include start times and end times, or their singular counterparts, to accurately define event time ranges. Using specific time ranges ensures more precise alert timing and detection accuracy. This update impacts all SA rules, enhancing the system's ability to backtrack and correlate events effectively.

• AELDEV-39135: Resolved an issue where deleted or disabled Automated Threat Hunting (ATH) email rules continued to trigger emails.

  Addressed an issue where ATH email rules that were deleted or disabled still sent emails due to miscommunication between internal components. The synchronization process was improved to ensure that deleted and disabled rules are properly reflected across all services.

• AELDEV-38861: Implemented new and improved hash support in lookups.

  Enhanced the Lookup feature to allow the matching of hashes (MD5, SHA256, IMPHASH) without requiring prefixes. This enhancement streamlines the process for SOC teams when dealing with Windows reported hashes in various formats. It also negates the need for an entire string match, which simplifies malicious file identification.

• AELDEV-33312: Implemented support for human-readable JSON timestamps in exports.

  Implemented a timestamp_utc field in JSON exports, enhancing readability by converting epoch timestamps to human-readable UTC format. This change applies to all alert records exported from the platform, ensuring consistency and ease of use for non-technical users.

• AELDEV-33295: Implemented improved filtering on query calculation data in Automated Threat Hunting.

  Optimized query calculations now allow for efficient nested value comparison and data aggregation, maintaining all parent data during list comparisons. This results in better aggregation and supports specific conditional filtering within calculation groups, directly impacting data analysis and reporting capabilities.

• AELDEV-28852: Added custom key fields to custom alert types.

  Enhanced custom alert types by implementing the ability to add custom key fields, allowing for more tailored alert configurations. The change improves alert customization and relevance.

Sensors

New Features

• AELDEV-40650: Added a new indicator for sensor mode to indicate if it is SaaS or on-premises.

  The output of show version in the sensor CLI was enhanced to distinguish between on-prem and SaaS operation modes. On-prem sensors now append a 'p' to their AOS Version. This differentiation aids in troubleshooting and system configuration without changing existing versioning schemes or requiring UI alterations.

• AELDEV-37783: Added TCP port 443 as a new ingestion port for log sources.

  The System | Log Sources page in the Stellar Cyber user interface now supports log ingestion over TLS on TCP port 443. UDP isn't supported to ensure the system correctly handles log forwarding over TLS to enforce secure transmission.

Improvements

• AELDEV-44436: Removed the disk space check from the validation process that a Modular Sensor uses to determine if it has sufficient system resources to run various modules.

  Due to the dynamic nature of disk usage, which can vary significantly, checking disk space to determine if there are sufficient system resources led to inaccurate conclusions. As a result, the disk space check was removed from the validation process. The process now checks CPU totals and memory size

• AELDEV-44403: Windows Server Sensors running 5.1.1 or later support sensor profiles that contain text in Unicode such as Chinese, Japanese, and Korean.

  Windows sensors running 5.1.0 do not support sensor profiles that contain text in Unicode such as Chinese, Japanese, and Korean. However, Windows sensors running 5.1.1 or later do. If you want to use Unicode in your sensor profiles, be sure to upgrade to 5.1.1 or later before downloading any profiles with Unicode to your Windows sensors.

• AELDEV-41762: Linux Server Sensors no longer use the /tmp directory for any CLI commands.

  Some hardening guidelines recommend restricting access to the /tmp directory. To comply with these guidelines, the Linux Server Sensor no longer uses the /tmp directory for any CLI commands. This change ensures that the sensor does not rely on the /tmp directory for any operations, enhancing security and compliance.

• AELDEV-41549: Resolved /tmp access restrictions and permission issues for Linux Server Sensors.

  Linux Server Sensors no longer use the /tmp directory for any CLI commands, allowing these commands to run successfully in hardened environments where access to /tmp is restricted. Additionally resolved permission errors that could occur when uninstalling the Linux Server Sensor in environments where SELinux is enabled. This correction ensures that Linux Server Sensors can be uninstalled without encountering permission issues.

• AELDEV-41181: Resolved an issue where Modular Sensors with either IDS or local file assembly enabled in their sensor profiles did not detect 802.1Q VLAN tags correctly.

  Addressed a defect where 802.1q VLAN tags were not recognized by Modular Sensors. This correction ensures VLAN tags are detected accurately, enhancing network traffic analysis and sensor functionality across varying configurations.

• AELDEV-38800: Added OS uptime and sensor uptime to the show version command.

  Updated the show version command to display OS uptime along with a more readable format for sensor uptime across supported platforms (excluding Windows Server Sensors). Ensured compatibility with a wide range of operating systems including Red Hat, CentOS, Ubuntu, Debian, SUSE, AlmaLinux, Amazon Linux, Mint, and Oracle. This enhancement provides immediate visibility into the operational duration of the OS and sensor, enhancing monitoring and troubleshooting capabilities.

• AELDEV-38172: Improved the outputs of show userapp and show metalist to simplify the data returned in responses.

  Introduced a filtering capability to the show userapp and show metalist commands, enabling users to exclude records by matching strings. This significantly reduces clutter from log forwarder entries and streamlines the visibility of relevant data by applying regular expression (regex) patterns.

• AELDEV-36898: When a Stellar Cyber sensor receives a log for Windows event 5156 ("The Windows Filtering Platform has allowed a connection"), it normalizes it as a 5-tuple.

  When the Windows Filtering Program permits connections between a program and a process on the same computer or a remote one, it logs these events as "Windows Filtering Platform has allowed a connection" with ID 5156. Stellar Cyber sensors normalize them as a 5-tuple of source and destination IP address, source and destination port, and protocol and include them in Interflow records.

• AELDEV-35710: Enhanced msgtype: 39 to include tenant ID, ensuring accurate log ingestion tracking by tenant.

  Implemented enhancements in msgtype: 39 to include a tenant ID field, allowing Stellar Cyber to uniquely identify and track log ingestion per tenant. This modification ensures logs are attributed to the correct tenant, rather than defaulting to the root tenant, and it enhances multi-tenancy and accuracy in log source attribution.

• AELDEV-35346: Blocked Tenable scanners from scanning the Modular Sensor system.

  Implemented rules to prevent the Tenable scanner embedded in a Modular Sensor from scanning its own internal hardware and software components. This ensures scans are conducted as intended from a network perspective rather than as an internal OS scan.

Connectors

New Features

• AELDEV-38097: Added a new Microsoft Defender for Cloud content type to the Azure Event Hub connector.

  Successfully completed the integration of Microsoft Defender for Cloud with Stellar Cyber's Azure Event Hub connector. This integration ensures that detections from Microsoft Defender for Cloud are normalized and monitored effectively, enhancing the capability to raise cases for sophisticated Azure setups. This update aids SOC analysts in handling cases with detailed contextual information, vulnerabilities, and misconfigurations for improved investigation and risk scoring.

• AELDEV-37146: Implemented the Huntress connector.

  Successfully integrated with Huntress to provide improved alert and asset retrieval functionalities.

• AELDEV-37136: Implemented Microsoft Defender for Cloud Apps connector for enhanced cybersecurity monitoring.

  Added a connector for Microsoft Defender for Cloud Apps to enhance integration with Azure Cloud workload protection. This improvement includes integrating alerts for SOC analysts, enabling them to work on cases with contextual information, and leveraging Cloud Security Posture Management (CSPM). It also incorporates vulnerabilities and misconfigurations into scoring and investigations. Additionally, data normalization was refined by using machine learning feedback.

• AELDEV-32018: Implemented ServiceNow Integration, InSyncs, for bidirectional communication and case management.

  ServiceNow Case Integration feature was implemented, enabling the opening and closing of cases via ServiceNow. It supports bidirectional updates between Stellar Cyber and ServiceNow cases, including updates to case activity and requests for information. This ensures seamless communication and efficient case management across platforms.

• AELDEV-29088: Implemented the Palo Alto Networks CORTEX XDR connector.

  Completed integration of the Stellar Cyber platform with Palo Alto Networks CORTEX XDR to enable SOC analysts to collect and work with log data from the Palo Alto Networks ecosystem. This integration facilitates enhanced monitoring and threat detection capabilities by leveraging the extensive log information from Palo Alto Networks.

Improvements

• AELDEV-44124: Implemented API token authentication for Fortigate Firewall connector.

  Added support for API token authentication in the Fortigate Firewall connector by allowing connectors to use API tokens in addition to traditional username/password authentication. This update facilitates more secure and versatile authentication options for Fortigate firewalls.

• AELDEV-42061: Implemented an Incidents content type on the Broadcom SES connector to pull incidents.

  Added functionality to the Broadcom Symantec Endpoint Security (SES) Connector enabling it to pull incident data using the /incidents API endpoint. This enhancement supports improved integration with Broadcom SES by leveraging incident-specific data, aiding in comprehensive threat analysis and response capabilities.

• AELDEV-41735: Improved error messaging for the Fortigate Firewall connector.

  Updated Fortigate Firewall connector error messaging to provide clearer guidance on resolving login failures. This specifically addresses scenarios where incorrect password usage resulted in ambiguous error feedback. The error message now explicitly suggests checking credentials and, if necessary, adjusting settings related to API version differences.

• AELDEV-41009: Enhanced AWS WAF log parsing to include specific HTTP header fields.

  Improved AWS WAF log parsing capabilities for enriched security insights by parsing 'Host', User-agent, and Content-Type fields from AWS CloudWatch message objects. This enhancement supports more accurate detection of user agent anomalies and integrates with the Stellar Cyber reputation service for enhanced security alerting.

• AELDEV-40725: Resolved Palo Alto Networks tags field conflict issues.

  The fix addressed conflicts between endpoint and alert content types for Palo Alto Networks, particularly related to the tags field. Normalization was implemented to distinguish between object and list formats within the tags field, which resolved syslog entry errors and missing log collector messages in alerts.

• AELDEV-39532: Added support for Assumed Role authentication on AWS CloudWatch connector.

  Implemented support for Assumed Role authentication in the Cloudwatch connector, enhancing security and management across multiple connectors. You can now create an Identity and Access Management (IAM) user, enter an Amazon Resource Name (ARN) for a specific role, and the system will temporarily assign an ID/secret based on the assumed role.

• AELDEV-38831: Enhanced the Proofpoint TAP connector to support disabling users through Active Directory.

  Enhanced the Proofpoint Targeted Attack Protection (TAP) connector for better integration with Active Directory (AD). This update allows the system to use email addresses from Proofpoint logs to directly disable user accounts through AD, by normalizing email.recipient.addresses to ensure compatibility with AD user disablement requirements. This improvement facilitates quicker response actions against compromised accounts identified through TAP click events.

• AELDEV-37633: Improved normalization and parsing to the Oracle Cloud Infrastructure (OCI) connector and added Virtual Cloud Network (VCN) flow logs.

  The OCI connector enhancement allows independent treatment of various data types for normalization and parsing utilizing the 'oracle.type' field. There is better support for data events, specifically VCN flow records, by ensuring accurate classification and indexing.

• AELDEV-36203: Enhanced parsing of Cloudflare Logpull data to elevate key fields for better detection triggers.

  Refined the parser for Cloudflare Logpull data, ensuring critical fields are now elevated to the top level to enhance detection capabilities. This update facilitates more effective anomaly detection and strengthens WAF (Web Application Firewall) event identification by leveraging advanced parsing strategies.

• AELDEV-35839: Added support to pull one month of prior vulnerabilities on the Microsoft Defender for Endpoint connector.

  Updated the Microsoft Defender for Endpoint connector configuration to include a Lookback Time field, allowing the setting of a customizable lookback period in hours, with a maximum of 730 hours (approximately one month). This enhancement aids in capturing a broader range of vulnerabilities upon connector initialization or restart to better align data visibility with customer expectations.

• AELDEV-34788: Enabled support for VPC Flow logs ingestion on the AWS CloudWatch connector.

  Stellar Cyber now supports the ingestion of VPC Flow logs directly via the AWS CloudWatch connector, enhancing our integration capabilities. This update allows you to directly ingest Virtual Private Cloud (VPC) Flow Logs without relying on the CloudTrail connector, offering more flexibility and efficiency in log management. Adjustments include normalization and enrichment updates to ensure seamless integration and analysis.

• AELDEV-33276: Enhanced the Duo Security connector to include the Trust Monitor content type.

  Updated the Duo Security connector so it can process and ingest Trust Monitor events. This enhancement provides more detailed security event monitoring and custom alerting capabilities for Trust Monitor violations.

• AELDEV-25219: Enhanced the Deep Instinct alert integration with additional key fields.

  Updated the Deep Instinct alert integration to include new key fields such as MSP Name and File Hash, along with a tooltip for file paths and options for file hash actions. This enhancement simplifies actions like virus total checks and linking to events on the Deep Instinct portal directly from the UI. Implemented UI changes for better data presentation and interaction.

Parsers

New Features

• DATA-1941: Added a parser for McAfee Proxy logs.

  Added a parser for McAfee Proxy logs, enabling the ingestion of logs on port 5739. This parser accurately extracts and processes key-value pairs from the logs, supporting enhanced data analysis and cybersecurity insights.

• DATA-1829: Added a parser for Libraesva ESG.

  Added a parser for Libraesva Email Security Gateway (ESG) on ingestion port 5742.

• DATA-1927: Added a parser for Pentera Appliance logs.

  Added a parser for the Pentera Appliance. This enhancement allows for efficient parsing of logs from the Pentera Pentest appliance, capturing crucial information such as task details, severity, status, and more via ingestion port 5737. The parser facilitates improved monitoring and analysis of penetration testing activities.

• DATA-1915: Added a parser for Commvault Metallic ThreatWise logs.

  Added a parser for Commvault Metallic ThreatWise, targeting syslog data on port 5736.

• DATA-1906: Added a parser for Prophaze WAF logs.

  Added a Prophaze WAF parser, enabling the ingestion of logs through port 5733. This update addresses the need for parsing updated log samples provided by the customer, ensuring compatibility with the latest log format specifications for improved detection and analysis capabilities.

• DATA-1904: Added a parser for NVIDIA Mellanox Switch logs.

  Added a parser for NVIDIA Mellanox Switch logs on ingestion port 5734, targeting logs in standard and WELF (key-value pair) formats. This update enhances log parsing capabilities and accuracy for NVIDIA Mellanox Switch, accommodating custom log variations with no available documentation from the vendor.

• DATA-1897: Added a parser for the Vectra AI Platform logs.

  Added a parser, enabling efficient processing of Vectra AI Platform logs. This parser accommodates Logpoint logs ingested via Vectra Agent, ensuring precise data parsing and integration.

• DATA-1890: Added a parser for HPE Nimble Storage logs.

  Added a log parser for HPE Nimble Storage on ingestion port 5731, supporting models AF-214611 and AF-214699. This parser handles audit and event logs, enhancing our monitoring capabilities of HPE Nimble Storage devices by extracting key log details more efficiently.

• DATA-1864: Added a parser for Relianoid WAF logs.

  Added a parser for Relianoid WAF on ingestion port 5730.

• DATA-1820: Added a parser for Checkpoint SmartCenter.

  Added a parser for Checkpoint SmartCenter on ingestion port 5741 to process Checkpoint SmartCenter logs.

• DATA-1814: Added a parser for Nutanix NX.

  Added a parser for Nutanix NX on ingestion port 5724.

• DATA-1786: Added a parser for QNAP QTS logs.

  Added a parser for QNAP QTS on ingestion port 5726.

• DATA-1728: Added a parser for FortiADC.

  Added a parser for FortiADC on ingestion port 5725.

• DATA-1711: Added a parser for Cynerio logs.

  Implemented a parser for Cynerio logs on ingestion port 5727.

• DATA-1702: Added a parser for Citrix XenServer logs.

  Implemented a parser for Citrix XenServer logs on ingestion port 5732.

• DATA-1666: Added a parser for UMV WSS logs.

  Added a parser for UMV WSS (Web Server Safeguard) on ingestion port 5709.

Improvements

• DATA-1958: Enhanced Snare Agent parser to enrich Windows-related fields from 'ExpandedString'.

  Updated Snare Agent parser now enriches fields from the 'ExpandedString' for specific Windows Event IDs, including but not limited to 4624, 4625, 4771, 4776, and 4648. This update allows detailed parsing and mapping of fields directly from Snare logs to the expected Windows Event Log schema, improving the accuracy of log ingestion and the applicability of security detections.

• DATA-1957: Resolved Cisco WLC parser error when processing logs sent to port 5531.

  Addressed a reported issue with Cisco WLC logs that caused parser errors when transmitted to our parser on port 5531. Adjustments were made to correctly parse both JSON and CSV records from Cisco WLC, ensuring accurate log processing.

• DATA-1953: Improved IBM AS400 parser to support CEF format logs.

  Enhanced the IBM AS400 log parser for compatibility with the CEF (Common Event Format) log format. This upgrade includes support for all predefined fields and additional fields found in sample logs. Modifications were made to ensure comprehensive log analysis and improved functionality, accommodating customer's request to avoid port changes.

• DATA-1947: Enhanced the IIS nxlog parser for a specific customer to include URL and SIP fields.

  Updated the Microsoft IIS log parser configuration to parse additional fields such as URL and SIP for a particular customer request. This involved creating a special customized parser configuration tailored to match the customer's log format and field requirements.

• DATA-1945: Enhanced parsing for Fortinet FortiGate logs to include 'ftntfgtqname' and 'ftntfgtcatdesc' fields.

  Updated the Fortinet - FortiGate (CEF) log parser to extract 'ftntfgtqname' and 'ftntfgtcatdesc' fields directly from 'msg_data' into the vendor namespace. This enhancement is compatible across multiple platform versions, ensuring improved data categorization and access for FortiGate users.

• DATA-1942: Improved Kemp Technologies Load Master LB Parser for enhanced log parsing.

  Enhancements to the Kemp Technologies Load Master LB Parser include detailed parsing of the syslog_message field, employing regular expressions to decipher syslog messages more accurately and to extract key-value pairs. The updates involve significant modifications to the parser's codebase, improving overall log analysis and parsing fidelity.

• DATA-1939: Updated the Huawei iMaster NCE-Campus log parser to support new log formats.

  The Huawei iMaster NCE-Campus log parser was updated to include support for logs with a standard rfc3164 header, diverging from the format provided during initial development. This update introduces regex matching for the new header format to ensure comprehensive log parsing across versions 4.3.7, 5.1.1, and 5.2.0.

• DATA-1938: Updated Cisco XE router log parser to support IOS versions from 16.09.02 to 17.09.02a.

  Enhanced the existing Cisco XE router log parser to accurately parse logs across newer IOS versions, specifically from IOS-XE 16.09.02 to IOS-XE 17.09.02a. This update ensures compatibility with a broader range of Cisco XE routers, enhancing log analysis reliability and efficiency for these models. The parser now conforms to updated standards, excluding the previous 'parser_raw_msg' storage for a more streamlined data handling approach.

• DATA-1926: Enhanced Aruba ClearPass log parsing for additional key-value fields.

  Stellar Cyber improved the Aruba ClearPass Policy Manager (CEF) parser to better handle key-value pairing from the 'log.event_description' field. Specific keys such as 'User', 'Role', 'Authentication Source', and 'Client IP Address' are now accurately normalized and categorized. Additional keys are consolidated under 'msg_data' for comprehensive log analysis.

• DATA-1921: Increased the length limit of the NXlog parser to support longer log entries.

  Implemented an update to the NXlog parser, enhancing its capacity to handle log entries up to 32768 bytes in length, effectively doubling its previous capability. This improvement addresses issues with log entries being cut due to exceeding the former length limit, ensuring they are parsed and logged correctly without data loss. This change was applied to both the built-in and customized configurations, enhancing log management for systems utilizing NXlog for log collection and parsing, specifically targeting environments with larger log entries.

• DATA-1894: Enhanced Checkpoint Harmony Endpoint parser for improved log field parsing.

  Updated the Checkpoint Harmony Endpoint parser to accurately parse out and normalize additional log fields including 'trojan' values. Adjustments were made to ensure proper field mapping and to resolve conflicts with time field data, enhancing the fidelity of log information for security analytics and reporting.

• DATA-1893: Updated the Radware DefensePro parser to enhance compatibility with rfc3164 and rfc5424 syslog formats and improved field normalization.

  Enhanced the Radware DefensePro parser's support for rfc3164 and rfc5424 syslog formats, allowing better standardization and normalization of 'protocol' values to the 'proto' field across various log entries. The update ensures more accurate and consistent log parsing, especially for entries generated by APSolute Vision.

• DATA-1881: Implemented RFC 5424 syslog coverage on the Aruba Switch parser.

  Implemented RFC 5424 syslog coverage on the Aruba Switch parser on port 5577.

• DATA-1874: Improved the Infocyte HUNT (CEF) parser.

  Improved the Infocyte HUNT (CEF) parser to parse out the eventTime field. When it can be parsed as an epoch, it s normalized as event.timestamp. Otherwise, it s moved into the vendor namespace as is.

• DATA-1847: Added a new log format for the Sonicwall VPN parser.

  Implemented a new log format for the Sonicwall VPN parser.

• DATA-1823: Enhanced the Ubiquiti UAP-AC-Pro parser.

  Enhanced the Ubiquiti UAP-AC-Pro parser to support more kinds of logs.

• DATA-1808: Improved the McAfee Firewall parser.

  Implemented the ability of the McAfee Firewall parser to parse fields with longer names of up to 63 bytes.

• DATA-1705: Normalized several Fortinet Fortigate parser fields.

  Normalized the action, url, and direction fields in Fortinet Fortigate logs into top-level fields to enhance consistency and make them easier to query and analyze.

• DATA-1671: Normalized Trend Micro Apex Central CEF parser fields.

  Normalized ncie_threatname into threat in the Trend Micro Apex Central CEF parser.

• DATA-1647: Added a new log format for the Proofpoint parser.

  Added a new log format on the Proofpoint parser.

• DATA-1264: Improved the Snare Agent parser.

  Implemented the Snare Agent parser to parse out fields of Windows events for these events: 4624, 4625, 4656, 4768, 4688, 4771, and 4776.

• DATA-941: Added a new log format for the Windows DNS Server parser.

  Added support for a new log format for the Windows DNS Server parser.

Operational Notes

• Keep in mind that the global Status filters available at the left of most Stellar Cyber tables (All Open, New, In Progress, Ignored, and Closed) apply only to security events (alerts). They do not apply to cases. You can apply Status filters to cases, too, but only from the Cases interface itself. The names of the Status filters for cases are also slightly different from those available for alerts.

• Lookup strings for hash values should not include the SHA= or MD5= prefix. Enter these strings using just the hash value itself.

Known Issues

• When searching the Asset Analytics tab for an IP address, make sure you set the Search Column to Friendly Name, IP, or IP History. Searches for IP addresses with the Search column set to its default value of All don't work correctly. This will be fixed in a later release.

• The Cylance responder is unable to perform the Contain Host action due to a limitation in the Cylance REST API. All requests return a 500 Internal Server Error response.

• Stellar Cyber recommends that you do not use the same login credentials to configure Azure or Azure Active Directory connectors for multiple tenants in the same company.

• Windows Server Sensor installation can trigger the installation of Microsoft Visual C++ on the host machine if it isn't installed already. If the installation of Visual C++ fails, the Windows Server Sensor might not be able to decode the token used to authorize and configure its installation, leaving it unable to register with stellarcyber.cloud. If this happens, use the following steps to proceed:

  1. Update and restart the host Windows machine to repair the Microsoft Visual C++ installation.

  2. Either reinstall the Windows Server Sensor or use the set token command in the Sensor CLI to authorize and configure the existing installation.

• The Log Forwarder only collects statistics for up to 100 different log source IP addresses per Log Forwarder worker. If the total number of log source IP addresses exceeds 100, statistics for the additional log source IP addresses are aggregated into the catch-all IP address of 0.0.0.0.

• When multiple traffic filters are defined for a tenant with the same combination of IP address, port, protocol, and layer 7 rules, the filter might fail to take effect. If this happens, review the defined traffic filters and make sure there are no duplicate definitions.

• If you change the network interface configuration of a sensor VM after deployment, the eth0 interface might be remapped to a new interface. If this happens, the management network is disconnected. Contact Stellar Cyber Customer Success for assistance.

• The Sensor content type for Cybereason's connector requires the System Admin role and Sensor Admin L1 role (if your Cybereason environment uses sensor grouping) to collect.

• Due to an ongoing issue with Cybereason's Query Sensors API, the Cybereason connector may not always be able to retrieve host IP addresses, resulting in missing host information in alerts and incomplete case correlation.

• When a new tenant is onboarded, the rare-type alerts (anomaly_tag:rare) triggered from Private/Public to Private/Public Exploit Anomaly, Scanner Reputation Anomaly, External / Internal Non-Standard Port Anomaly, Carbon Black:XDR Anomaly, and CylanceOPTICS:XDR Anomaly may have an unusually large days_silent and a higher than usual fidelity. This issue will be addressed in a future release.

• If you use a Cynet connector to perform a Contain Host or Shutdown Host on a host that is already disabled, shutdown, or otherwise not reachable, Cynet returns a status that the request was successful which is reported in the Stellar Cyber UI. If you are not certain whether an action was successful, you may verify it in the Cynet dashboard.

• Operators are enabled in pick list menus when they are supported with the selected field or rule. For this reason, use the menu-based queries rather than the Search keyword field with these operators. Examples include contains, does not contain, and is operators. Additional fields / rule support will be added in the future.

• Log Forwarder only collects statistics for limited different log source IP addresses per Log Forwarder worker. If the total number of log source IP addresses exceeds the limit, the additional log source IP address statistics will be aggregated into a catch-all IP address of 0.0.0.0. Note: In releases prior to 5.1.1, the limit had been 100 sensors, but it was increased to 200 sensors with more than 8 GB of memory in the 5.1.1 release.

• When a modular sensor is configured as a Log Forwarder-only sensor (Network Traffic and other features are not enabled), the Log Forwarder might periodically restart if there isn't enough sensor memory. Stellar Cyber recommends that the sensor memory (in GB) be at least 1.5 times the CPU core number. For example, if the sensor has a total of 8 cores, the sensor should have at least 8 * 1.5 = 12 GB of memory.

• A modular sensor upgrade will fail when the associated modular sensor profile has the IDS or Sandbox features enabled and the corresponding feature license is not assigned to the sensor. Workaround: Authorize the sensor with an IDS and Sandbox license, or in the modular sensor profile, disable the IDS and the Sandbox features and try to upgrade again.

• When multiple traffic filters in different tenants are defined with the same combination of IP, port, protocol, and layer 7 rules, the sensor only takes the filter belonging to the same tenant with the sensor and ignores the others. Administrators should review the defined traffic filters and avoid creating duplicate definitions.

• Files may not be assembled by Security Data Sensors for traffic mirrored from physical interfaces on Cisco Nexus 9K models. As a workaround, configure VLAN mirroring on the Cisco switch.

• If you change the network interface configuration of a sensor’s VM after deployment, the eth0 interface may be remapped to a new interface. If this happens, the management network is disconnected. Contact Customer Success for assistance.

• If you configure a sensor's aggregator using its hostname instead of its IP address, you can not see the aggregator in the Sensor List. This does not affect the sensor's ability to communicate with the DP through the aggregator.

• Deleting Elasticsearch data from the Root Tenant in the System | Data Management | Advanced tab deletes data from sub-tenants as well.

Upgrading Sensors

New features, updated ML algorithms, and enhanced configurations may change ingestion and detection patterns. Stellar Cyber recommends the following to ensure a smooth upgrade:

• Upgrade sensors in batches instead of all at once.

• For Server Sensors:

  • Upgrade a small set of sensors that cover non-critical assets.

  • After 24 hours, ensure that your ingestion is as expected, then upgrade a larger set.

  • After 24 hours, ensure that your ingestion is as expected, then upgrade the remaining agent sensors.

  • If you are upgrading a Windows Server Sensor, complete any pending updates for the host Windows machine before upgrading the Server Sensor.