Stellar Cyber 6.0.0s Release Notes

Software Release Date:
Release Note Updated:

The Stellar Cyber 6.0.0 release brings the following exciting improvements to the Stellar Cyber Open XDR Platform.

The release notes are organized into the sections below.

Highlights

  • Released a new UI for general availability, delivering a more intuitive navigation structure and an updated theme engine with light and dark modes to enhance flexibility and usability.

  • Introduced case filters for general availability, replacing the former global Case Visibility setting. You can now define and apply filter conditions for system-created cases directly from the Cases interface.

  • Improved accuracy, formatting, and layout fidelity in scheduled dashboard exports. Reports based on exported dashboards now match dashboard configurations more precisely and provide cleaner print-ready output with enhanced chart rendering and table formatting.

  • Introduced Saved Views to preserve customized table layouts across sessions.

  • Implemented CyberArk EPM and CrowdStrike FDR connectors for improved visibility.

Actions Required

  • Improved the Zscaler Deception parser by changing the msg_origin.category field value from ndr to honeypot to more accurately reflect the data source. If you rely on the msg_origin.category field with the previous ndr value to find, display, include, or exclude Zscaler Deception events in queries, dashboards, or filters, update those configurations to use the new value honeypot.

  • If you previously relied on the Log Size Control feature to manage Windows Event Log rotation or truncation, you must instead use the built-in AutoBackupLogFiles configuration option or an alternative mechanism. AutoBackupLogFiles is the per-log Windows registry value (under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<log name>) that, with Retention set to 0xFFFFFFFF, archives a full log to a new .evtx file instead of overwriting its oldest events; Windows does not remove those archives, so pair it with a disk-space cleanup job.

Behavior Changes

Changes that affect the way users interact with the product or interpret results are listed below.

  • Migrated existing Case Visibility settings in Cases | Global Case Settings to default case filters during the upgrade. You can modify them in Cases | Settings | Case Filters. If you used case filters during the Early Access Program in 5.5.0, your existing filters remain active in 6.0.0 and might affect which cases are displayed.

  • Moved fields to cisco in Cisco CEF parser.

    The esamid, sbrsscore, and esafinalactiondetails fields were moved from msg_data to the cisco field for improved parser alignment. VPN event messages are retained even when not fully parsed to preserve important information.

  • Added log format support for Radware Alteon parser.

    Introduced parsing support for new log formats, including AppWall logs, to improve visibility into Radware Alteon activities.

  • Updated parser metadata for firewall categorization.

    Changed the msg class and category to firewall for consistency. Promoted the action field to the top level. Changed the msg_origin.category field from ndr to honeypot to better represent origin classification.

  • Standardized Fortinet CEF parser field handling.

    Moved tunneltype, tunnelip, and reason fields from msg_data to the fortinet field for schema consistency. Data is now sent only to the Root Tenant, eliminating tenant-specific separation.

  • Added multi-tenant support for Cisco WLC parser.

    Enabled the Cisco WLC parser to recognize and process logs across multiple tenants, improving tenant-aware data parsing.

  • Added RFC-5424 support for Checkpoint Harmony Email & Collaboration logs.

    Integrated support for RFC-5424 format in the Checkpoint Harmony Email & Collaboration parser, enhancing compatibility with structured syslog data.

  • Improved message parsing for F5 BIG-IP logs.

    Enhanced the syslog-to-session/traffic parsing logic to better extract five-tuple information from messages, improving session tracking for F5 BIG-IP systems.

  • Enriched Fortinet Fortigate DNS field mapping.

    Added enrichment logic to populate the dns.question.name and domain_list fields using the qname field for improved DNS visibility.

  • Reduced the total number of possible data sources shown for Emerging Threat Filehash (SHA1) detection from 16 in version 5.5.0 to 5 in 6.0.0.

Deprecated Features

No features were deprecated in this release.

Detection/ML

New Features

Improvements

Usability

New Features

Improvements

Stellar Cyber Platform

New Features

There are no new features for the Stellar Cyber Platform in this release.

Improvements

Sensors

New Features

Improvements

Connectors

New Features

Improvements

Parsers

New Features

Improvements

Early Access Program

If you're interested in testing out new features ahead of general availability, consider joining the Early Access Program (EAP) by contacting your Stellar Cyber Customer Success representative and telling them which EAP feature you want to test. Once you've agreed to the EAP terms and signed up, the EAP feature is unlocked for you.

The purpose of this program is to boost performance and reliability through real-world customer insights, giving you a hands-on role in shaping a Stellar Cyber feature. In return, you'll receive early access to upcoming releases and the chance to guide product development.

Customizable Case Correlation Strategies

This EAP feature introduces support for multiple case correlation strategies, allowing teams to evaluate and experiment with different approaches to grouping alerts into cases. Each strategy provides a distinct investigative perspective:

  • Attacker-Centric Correlation groups alerts by the source (attacker) host, making it easier to track adversary behavior across multiple targets.

  • Victim-Centric Correlation organizes alerts by the destination (victim) host, enabling focused protection and visibility on high-value assets.

  • Multi-Entity Correlation links alerts across interconnected hosts and actions to form a single case, offering a holistic view of extended or lateral attack campaigns.

This flexibility enables security teams to tailor investigations based on their operational priorities—whether that’s identifying persistently targeted endpoints, tracing threat actor movements, or capturing full-scale intrusion campaigns. To join the EAP and begin testing these correlation strategies, contact your Stellar Cyber Customer Success representative.

Automated Triage of Phishing Email

The automated triage of suspected phishing email is a new EAP feature, available for SaaS deployments only. It classifies user-reported email messages through built-in threat intelligence, optional external threat intelligence, and AI-powered analysis. This feature provides an automated triage agent that analyzes reported emails, offering detailed analysis and AI-generated insights. As a result of automated processing, Stellar Cyber reduces manual workloads, enables faster response times, and ensures consistent, transparent alerting in the UI.

Resolved Issues

Known Issues

The following are known issues in this release.

  • AELDEV-59053: The unset dns command may not work correctly when DHCP is enabled for a sensor's management interface. Changes to DNS settings with the unset dns command may be overwritten by a DHCP refresh. Use the show dns command a few minutes after running the unset dns command to verify settings.

Upgrading Sensors

You can upgrade Stellar Cyber Sensors from 5.4.0 or later to 6.0.0. You must:

  • Prepare for the upgrade

  • Upgrade the sensors

  • Verify the upgrade

Prepare for the Upgrade

To prepare for the upgrade:

  • Make sure the sensors are up and running
  • Take note of the ingestion rate for the sensors to be upgraded in the Sensor Details page
  • Make sure the system health indicators in the Sensor Details page all show green.

Upgrade the Sensors

New features, updated ML algorithms, and enhanced configurations may change ingestion and detection patterns. We recommend the following to ensure a smooth upgrade:

  • Upgrade sensors with the Sandbox and IDS features enabled before sensors with only the Network Traffic feature enabled. Sensors with Network Traffic enabled send data to sensors with Sandbox and IDS enabled for additional processing.
  • Upgrade sensors in batches instead of all at once.
  • For Server Sensors (agents):
    • Upgrade a small set of sensors that cover non-critical assets.
    • After 24 hours, ensure that your ingestion is as expected, then upgrade a larger set.
    • After 24 hours, ensure that your ingestion is as expected, then upgrade the remaining server sensors.

CentOS 7.1 Prerequisite – Update curl to 7.29.0-59.el7_9.2 or Higher

Before upgrading any Linux Server Sensors running on CentOS 7.1, you must check your curl version and update it to 7.29.0-59.el7_9.2 or higher in order to use the strong encryption required by the Stellar Cyber platform.

  1. Check your curl version as shown below:

    yum list installed curl

    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    Installed Packages
    curl.x86_64    7.29.0-19.el7

  2. If the listed version is lower than 7.29.0-59.el7_9.2 (as it is in the example above), use the following commands to update the curl package:

    yum makecache

    yum install curl

  3. If installation of the curl package fails, it is most likely because CentOS is trying to use a repository that has reached its end of life. Update the base URL, run yum clean all to discard cached metadata from the old mirror, and then repeat step 2. The following sed command makes the necessary changes for most environments to ensure that the updated curl package can be installed. The vault URL is plain HTTP, so leave gpgcheck=1 in CentOS-Base.repo; yum then still verifies each package signature against the local CentOS 7 GPG key regardless of the transport.

    sudo sed -i.bak -e 's|^mirrorlist=|#mirrorlist=|' -e 's|^#baseurl=http://mirror.centos.org/centos/\$releasever|baseurl=http://archive.kernel.org/centos-vault/7.9.2009|' /etc/yum.repos.d/CentOS-Base.repo
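The following POSIX shell script is an added example and is not part of the Stellar Cyber release notes. It automates the check in steps 1 and 2 so that it can be run on every CentOS sensor host before the upgrade: curl_meets_minimum compares an installed version-release string against the 7.29.0-59.el7_9.2 minimum, and check_host_curl reads the installed version from rpm. It assumes that rpm is available on the host and that a field-by-field numeric comparison (ignoring letters such as el) is sufficient for the el7 package family; the file name curl_check.sh is also an assumption.

```shell
#!/bin/sh
# Added example (not part of the Stellar Cyber release notes): verify that the
# installed curl on a CentOS 7 host meets the 7.29.0-59.el7_9.2 minimum before
# upgrading a Linux Server Sensor. Assumptions: rpm is available to report the
# installed version-release, and a field-by-field numeric comparison (letters
# such as "el" are ignored) is sufficient for the el7 package family.

REQUIRED_CURL="7.29.0-59.el7_9.2"

# curl_meets_minimum INSTALLED [REQUIRED]
# Returns 0 when INSTALLED is greater than or equal to REQUIRED, 1 otherwise.
# Both strings are split on every run of non-digits, so "7.29.0-59.el7_9.2"
# becomes the fields 7 29 0 59 7 9 2, which are compared left to right.
curl_meets_minimum() {
  awk -v inst="$1" -v req="${2:-$REQUIRED_CURL}" 'BEGIN {
    ni = split(inst, a, /[^0-9]+/)
    nr = split(req,  b, /[^0-9]+/)
    n = (ni > nr) ? ni : nr
    for (i = 1; i <= n; i++) {
      x = (i <= ni) ? a[i] + 0 : 0   # a missing trailing field counts as 0
      y = (i <= nr) ? b[i] + 0 : 0
      if (x != y) { if (x > y) exit 0; else exit 1 }
    }
    exit 0                           # identical version-release strings
  }'
}

# check_host_curl: query rpm for the installed curl package and compare it.
# Exit status: 0 = meets the minimum, 1 = too old, 2 = could not determine.
check_host_curl() {
  if ! command -v rpm >/dev/null 2>&1; then
    echo "rpm not found; not an RPM-based host, check skipped" >&2
    return 2
  fi
  installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' curl 2>/dev/null) || {
    echo "curl package is not installed" >&2
    return 2
  }
  if curl_meets_minimum "$installed"; then
    echo "curl $installed meets the minimum $REQUIRED_CURL"
  else
    echo "curl $installed is below $REQUIRED_CURL; run: yum makecache && yum install curl" >&2
    return 1
  fi
}

# Run the host check only when this file is executed as curl_check.sh (an
# assumed file name); when sourced under another name it just defines the
# functions so they can be reused in a fleet-wide pre-upgrade script.
case "${0##*/}" in
  curl_check.sh) check_host_curl; exit $? ;;
esac
```

Save the script as curl_check.sh and run it on each CentOS sensor host before upgrading; a non-zero exit status flags hosts that still need the curl update (1) or could not be checked (2). The comparison deliberately treats a missing trailing field as 0, so 7.29.0-59.el7 (no _9.2 suffix) is correctly reported as below the minimum.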

To upgrade sensors:

You can upgrade a sensor to the most recent release from the two previous releases. This means that you can upgrade a sensor to the 6.0.0 release from any 5.4.x or 5.5.x release.

If you are upgrading a Windows Server Sensor, complete any pending updates for the host Windows machine before upgrading the Server Sensor.

  1. Select System | DATA SOURCE MANAGEMENT | Sensors | Sensors.

    The Sensor List appears.

  2. Select Manage | Software Upgrade.

    The Sensor Software Upgrade page appears.

  3. Choose the target software version.

  4. Choose the target sensors.

  5. Click Submit.

Verify the Upgrade

To verify that the upgrade was successful:

  • Check the Software Version in the Sensor List.
  • Check the Sensor Status LED in the Sensor List.
  • Check the ingestion rate in the Sensor Details page for upgraded sensors and make sure it is as expected.