Stellar Cyber 6.4.0 Release Notes

Software Release Date:
Release Note Updated:

The Stellar Cyber 6.4.0 release strengthens speed, clarity, and confidence across the Open XDR Platform with production-ready Autonomous SOC capabilities, expanded machine learning detections, and enhanced operational workflows.

The release notes are organized into the following sections:

Highlights

Detection and Machine Learning

  • SQL Injection Behavior Detection: This machine-learning detection identifies repeated SQL injection payload patterns across HTTP traffic, covering both external web attacks and internal lateral movement scenarios.

  • VPN Login Failure Anomaly Detection: Identity-based anomaly detection now extends to VPN authentication telemetry, identifying abnormal VPN login failure patterns across Fortinet, Check Point, Palo Alto, and other supported platforms.

Dashboard Usability

  • Responsive Dashboard Authoring: The new grid-based, responsive dashboard layout system enables fluid resizing, reordering, and breakpoint-aware views for faster iteration and scalable operational reporting.

Integrations and Data Expansion

  • Expanded Connector Coverage: This expansion introduces several new connectors and multiple content integrations across email security, cloud infrastructure, vulnerability intelligence, and identity risk platforms to broaden ingestion depth and correlation capabilities.

  • Enhanced Parser and Normalization Framework: The enhancement expands parser coverage and normalization depth across endpoint, firewall, cloud, and infrastructure telemetry to improve detection fidelity and cross-source correlation.

Actions Required

There are no actions required in this release.

Behavior Changes

Changes that affect the way users interact with the product or interpret results are listed below.

  • DATA-3179: Updated the VMware ESXi parser to migrate a top-level action field from action to vmware_esxi.action for consistent field semantics within the unixlogs category. Saved searches, dashboards, and detection rules that reference action must be updated to use vmware_esxi.action. Queries that continue to reference action will no longer return expected results.

  • DATA-3155: Updated the Forescout syslog parser to normalize the log_type field by removing the trailing semicolon ( ; ) and refining its extracted value. Saved searches, dashboards, and detection rules that rely on exact matches of previous log_type values that included a trailing semicolon must be updated to reflect the revised format. Queries that reference the prior value with a semicolon will no longer return expected results.

  • DATA-3122: Updated the Check Point Harmony Email Collaboration parser to move the action field from the top-level event structure into a vendor-specific field checkpoint_harmony_email_collaboration.action. Saved searches, dashboards, and correlation rules that reference the top-level action field for this data source must be updated to use checkpoint_harmony_email_collaboration.action. Queries that continue to reference the top-level action will no longer return expected results.

  • DATA-3119: Updated the Forescout parser to classify Network Access Control match and unmatch events with a distinct log_type value. Instead of assigning all events the value "NAC Policy Log:", the parser now sets the value of the log_type field to "NAC Policy Match/Unmatch Event" when the forescout.match field is present. Saved searches, dashboards, and detection rules that filter specifically on log_type:"NAC Policy Log:" must be reviewed and updated if they are intended to include match or unmatch events. Queries that continue to filter exclusively on the previous value will no longer return those events.

Deprecated Features

No features have been deprecated in this release, but the following feature is planned for deprecation in a future version.

  • Upcoming Deprecation: Netskope Connector (API V1) – The Netskope connector supports API V1 and V2, but Netskope has deprecated API V1 so Stellar Cyber will retire the V1 API in a future release. Begin planning to migrate to the V2 API.

Detection/ML

New Features

Improvements

Stellar Cyber Platform

New Features

  • Integrated Snowflake configuration with backend deployment and validation. Saving a data pipeline now provisions and manages the Snowflake connector services, including start, update, and removal, based on configuration changes. Backend validation enforces required connection parameters and destination consistency before deployment. To configure, navigate to Data Pipeline | Configuration, select Snowflake as the destination, and provide account, user, warehouse, database, schema, and authentication settings such as password or key-based credentials. After applying changes, deployment brings up the services and begins data delivery if connectivity and permissions are valid.

  • Enabled Jinja2 templating in the Subject field for email notifications generated by Automated Threat Hunting workflows. Jinja2 is a full-featured templating engine that supports variables ({{ ... }}), conditionals, loops ({% ... %}), and filters for formatting and value transformation. This enhancement allows you to dynamically construct subject lines based on notification context data such as event severity, timestamps, or alert attributes. Existing Mustache templates, which support simple variable substitution, continue to work without change. With Jinja2 support, you can create more expressive and context-aware subject lines to improve alert prioritization and readability in downstream systems.

  • Added monitoring to detect missed or delayed executions of Automated Threat Hunting rules. When a scheduled rule runs ten minutes or more past its expected execution time, Stellar Cyber generates a notification to indicate a potential issue. A recovery notification is generated when the rule returns to its expected schedule.

    Delays can occur due to data ingestion interruptions, resource constraints, or service disruptions that prevent rules from executing as expected. Because ATH rules generate detections and trigger downstream playbooks, missed executions can result in gaps in alerting and response activity. These notifications help you quickly identify detection blind spots, verify rule health, and restore coverage before operational visibility is impacted.

  • Optimized the processing of vulnerability scan data to eliminate the duplication of large payload fields within individual Interflow records. Previously, large scan objects, such as Qualys and SentinelOne vulnerability data, were repeated across multiple derived records, which unnecessarily increased record size. The updated process stores a single canonical copy per scan and prevents redundant duplication in related records. This enhancement reduces storage consumption and improves data efficiency.

  • Introduced release-specific Data Processor binaries and images for Ubuntu 16.04 and Ubuntu 24.04 to align with operating system and Python runtime requirements. Ubuntu 16.04 builds continue to use Python 2, while Ubuntu 24.04 supports Python 3 for new deployments and staged upgrades. This approach enables a controlled migration path from legacy environments to modern operating systems while maintaining upgrade continuity and deployment stability.

  • Introduced a dedicated runtime and image set for on-premises deployments running Ubuntu 24.04 with Python 3. Earlier Ubuntu releases continue to use the existing runtime and image set to maintain stability during transition. Stellar Cyber maintains separate image sets to ensure operating system compatibility; image sets cannot be mixed across Ubuntu versions. This enhancement supports modernization to Ubuntu 24.04 while preserving upgrade continuity for existing deployments.

  • Added Last executed timestamps to the Last Status report for Automated Threat Hunting playbooks. The report now displays execution timestamps for playbook components such as input processing, initialization, and configured actions, along with an icon indicating if each execution was successful. This enhancement lets you distinguish between the most recent execution time and the most recent triggered status, improving monitoring accuracy and troubleshooting.

  • Added monitoring and alerting for Threat Intelligence Platform feed ingestion within the System Action Center. Stellar Cyber now generates events for ingestion errors, retry exhaustion, sustained error rates, and absence of new indicators to help you detect feed disruptions. You can review feed status, metadata, and ingestion history and receive notifications through existing alerting channels. Each event includes remediation guidance to help you restore feed ingestion and maintain continuous threat intelligence coverage.

  • Added System Action Center monitoring for execution states of custom Automated Threat Hunting (ATH) rules. Stellar Cyber now generates alerts for consecutive failures, percentage-based failure rates, successful recovery after failure, and missed executions beyond a defined schedule tolerance. These alerts help you detect rule instability, prevent gaps in detection coverage, and verify recovery when execution resumes. Notifications use existing response actions and alerting channels for seamless integration with your operational workflows.

Improvements

  • Enhanced the Data Processor upgrade process to support a special upgrade mode controlled by a setting in the ConfigMap environment. When this mode is enabled, the upgrade skips pulling container images, skips pod restart status checks, and disables automatic rollback. The upgrade logs clearly indicate the skipped steps and confirm that rollback was not attempted. This enhancement provides controlled upgrade behavior for environments that require customized Data Processor upgrade handling.

  • Added a pre-check to evaluate alert filters before dispatch. Stellar Cyber now displays the predicted matching filter name in the alert Details section, allowing you to identify the likely filter responsible for suppression before ingestion. Alerts continue through the filtering component to preserve filter-hit accounting and downstream metrics. This enhancement improves transparency into alert filtering behavior and simplifies troubleshooting when alerts are not delivered as expected.

  • Standardized correlation rule behavior by replacing the contains operator with matches across the user interface and configuration. Rules now evaluate exact match semantics rather than substring comparisons, ensuring consistent rule display and execution. This change resolves discrepancies that could cause unexpected rule triggers and improves predictability when authoring and running correlation logic.

  • Added tenant exclusion and generic connector selection options to System Action Center notification rules. You can now exclude specific tenants from rule evaluation and apply monitoring to all connector types without listing them individually. This enhancement simplifies rule configuration in multi-tenant environments, reduces duplication, and improves control over monitoring scope.

Sensors

New Features

  • Added parsing of Netskope Generic Network Virtualization Encapsulation (GENEVE) packets. The parser sets msg_origin.vendor to netskope and normalizes key packet fields, including IP addresses, ports, applications, byte counts, and timing values, without requiring additional configuration. This enhancement ensures that Netskope-encapsulated traffic is correctly identified and consistently normalized, improving visibility, correlation accuracy, and investigation efficiency across environments that use Netskope for network security and access control.

Improvements

  • Suppressed warning messages generated when sensors periodically contact Stellar Cyber to verify connectivity and retrieve operational information. Previously, this routine triggered a warning about an HTTPS request without certificate verification. Although the connection worked as expected and did not affect sensor operation, the warning appeared in system logs and automated notifications, which might have suggested a problem where none existed. Stellar Cyber now filters this message so routine connectivity checks run without producing unnecessary warnings, reducing log noise and helping you focus on meaningful operational events and security events.

  • Improved Windows event collection in Windows Server Sensors to prevent duplicate logs from being generated under certain conditions. Previously, a Windows Server Sensor could reprocess previously collected Windows events and send them again, resulting in duplicate log entries. Stellar Cyber now ensures that Windows event collection resumes from the correct position so previously collected events are not processed again. By eliminating duplicate Windows logs, this change reduces noise in investigations and helps you analyze events more efficiently.

  • Provided Windows Installer Patch (MSP) packages that enable in-place upgrades from supported 5.1.x–6.3.x Windows Server Sensor versions directly to 6.4.0 (x64). Each MSP package corresponds to a specific source version and follows the naming pattern Windows_Sensor_<from>_6.4.0-x64.msp. The upgrade preserves existing configuration settings and automatically restarts the Windows Server Sensor service during installation. A user with local administrative privileges on the Microsoft Windows host where the Windows Server Sensor is installed must perform the upgrade. Supported platforms include Windows Server 2008 R2, 2012 R2, 2016, 2019, 2022, and Windows 10 and 11. This enhancement simplifies upgrade planning and reduces operational effort by eliminating intermediate upgrade steps.

  • Added support for SUSE Linux Enterprise Server 15 SP7 for Linux Server Sensor deployments. Deployments on this platform now use the same installation package, configuration options, and lifecycle operations as other SUSE Linux Enterprise Server 15 releases. Systems running earlier supported SUSE Linux Enterprise Server 15 versions can upgrade to SP7 without requiring changes to existing sensor settings. This update ensures continued compatibility with current SUSE releases while simplifying upgrades and maintaining consistent monitoring across supported Linux environments.

  • Added installation and upgrade support for the Linux Server Sensor on Red Hat Enterprise Linux 10 and CentOS 10. The self-contained installer now detects these operating system versions and loads the required runtime libraries to ensure successful deployment. Existing sensor deployments on these platforms also upgrade through the standard Linux Server Sensor upgrade process. This enhancement expands platform compatibility and enables deployment on newer enterprise Linux distributions.

  • Added support for configuring per-source timeout values for Windows Event Logs and File Integrity Monitoring on the Windows Server Sensor to address high-latency or bandwidth-constrained environments. You can use the set receiver timeout <seconds> winlog and set receiver timeout <seconds> fim commands to allow independent timeout control. A value of 0 disables the timeout. The unset receiver timeout winlog and unset receiver timeout fim commands restore the default value of 90 seconds. The show receiver command displays the effective timeout settings. This enhancement improves log delivery reliability and reduces premature timeout failures in variable network conditions.

  • Added support for gzip compression of Windows Event Log and File Integrity Monitoring payloads sent over HTTPS from the Windows Server Sensor. You can use the set receiver compression <level> [winlog | fim] command to configure compression levels from 0 to 9, where 0 disables compression and omission of the data type applies the setting to both sources. The unset receiver compression command restores the default compression level of 1. The show receiver command displays the active compression settings for each data type. Higher compression levels reduce bandwidth consumption while increasing CPU usage. This enhancement provides greater flexibility for environments with network constraints without requiring sensor profile changes.

  • Updated the sample Ansible inventory and playbook files used to automate Linux Server Sensor deployment. These files support automated installation and registration of the sensor in both on-premises and SaaS environments. The updated samples now support registration using either a token (SaaS deployments) or a Stellar Cyber platform IP address, as well as build selection and optional use of the all-in-one installer. This enhancement streamlines deployment automation and ensures consistent installation workflows across deployment models.

  • Resolved Linux Server Sensor startup failures that occurred when pre–Deep Packet Inspection traffic filter expressions were excessively long, complex, or contained invalid syntax. The sensor now tolerates larger and more complex filter expressions and handles malformed syntax without preventing service startup. The update increased internal limits to support expanded filtering requirements. This enhancement improves sensor stability and prevents configuration errors from interrupting traffic monitoring.

  • Added a control in Modular Sensor profiles that allows you to enable or disable the Log Forwarder module. You can disable log forwarding on Modular Sensors that do not require it. The setting applies only to Modular Sensors and does not affect other modules. Modular Sensors must run version 6.4.0 or later for the setting to take effect. This enhancement reduces resource usage and improves efficiency in environments where log forwarding is not required.

  • Changed the default CPU scaling setting so that the Photon-100 sensor running on Ubuntu 22.04 operates at higher processor speeds instead of dynamically reducing speed to conserve power. This setting ensures the CPU remains optimized for data processing workloads. The configuration persists across system reboots and sensor upgrades. This change applies only to Photon-100 and does not affect Photon-150 or Photon-160 models. This enhancement improves processing throughput and ensures consistent performance on supported Photon-100 deployments.

  • Added support for restricting SSH access to the management interface by specifying allowed source IP addresses or CIDR ranges on Ubuntu 22.04 sensors using the set interface management ssh-whitelist command. The whitelist applies only to incoming SSH connections and does not affect outbound traffic or communication with the platform, receiver, or repository services. You can modify or remove the configuration through the CLI, including remote CLI and console access to prevent lockout. This enhancement strengthens access control and helps reduce exposure of the management interface to unauthorized SSH connections.

Connectors

New Features

Improvements

Parsers

New Features

  • Added a built-in parser for ingesting PostgreSQL logs in RFC 3164 syslog format on port 6083. Normalized fields include timestamp, severity, process ID, database, user, client address, and message to support analytics and correlation. To enable syslog forwarding, configure log_destination to syslog and set log_line_prefix to include time, process ID, user, database, and host information before forwarding events to the sensor syslog listener. File-based PostgreSQL logs can also be forwarded through a syslog agent to the same listener. The parser supports standard PostgreSQL syslog and default log formats, improving visibility and correlation for database activity and security monitoring.

  • Added a built-in parser for ingesting Radware DefenseFlow logs over TCP syslog on port 6082. This parser processes multi-line messages and emits one event per payload segment to prevent data loss and ensure accurate event representation. Normalized fields populate common attributes to support correlation, detection, and reporting across network and security telemetry. To enable ingestion, configure Radware DefenseFlow to forward syslog traffic to the sensor IP address on TCP port 6082. This parser improves visibility into Radware mitigation and traffic events, enabling more reliable analysis and threat detection.

  • Added a built-in parser for ingesting Tait Communications Tait EnableFleet logs in RFC 5424 syslog format over TCP on port 6081. This parser normalizes authentication events, user lifecycle changes, role assignments, and configuration updates into consistent fields to support structured analysis. Parsed records populate fields such as action, initiating_user, target_user, failure_reason, stellar_uuid, and message to enable precise filtering and correlation. To enable ingestion, configure EnableFleet to forward RFC 5424 syslog over TCP to the sensor syslog listener on port 6081. This parser improves visibility into identity and configuration activity, enabling stronger auditing, detection, and investigation workflows.

  • Added a built-in parser for ingesting Absolute Secure Endpoint logs with a custom RFC 5424 syslog header and CEF payload over TCP on port 6078. This parser extracts structured fields such as eventType, actorType, actorName, actorID, objectType, objectName, objectID, verb, secondaryObjectType, secondaryObjectName, secondaryObjectID, and objectProperties to support detailed activity tracking. To enable ingestion, configure the Absolute Secure Endpoint SIEM connector or a syslog forwarder to send CEF-formatted messages over TCP to the Sensor ingestion IP address on port 6078. Parsed events populate normalized fields and are available for search, correlation, and detection workflows. This parser improves visibility into endpoint activity and administrative actions reported by Absolute Secure Endpoint.

  • Added a built-in parser for ingesting HPE Alletra logs in RFC 3164 syslog format on port 6079. This parser normalizes Linux process-related event fields to support consistent indexing and analysis. This parser provides structured visibility into system and process activity, improving search accuracy, correlation, and detection capabilities.

  • Added a built-in parser for ingesting HPE iLO Amplifier Pack logs in syslog format over TCP on port 6080. This parser enables consistent normalization and reliable device context, enhancing search, correlation, and detection outcomes.

  • Added a built-in parser for ingesting Skyhigh Secure Web Gateway logs in RFC 3164 syslog format on port 6076. This parser extracts attributes from header_first_line, maps native fields to the vendor namespace, and normalizes virus_name to threat when present to ensure consistent threat classification. This parser enhances visibility into web traffic security events and improves threat detection accuracy for Skyhigh Secure Web Gateway deployments.

  • Added a built-in parser for ingesting Tait Communications Tait EnableProtect logs in RFC 5424 syslog format on port 6077. The parser normalizes header attributes into fields such as event_time, severity, host, and app_name, and extracts the first structured data element to populate vendor and product for accurate classification. This parser improves structured visibility into Tait EnableProtect activity and enables consistent filtering and correlation across Tait network management events.

  • Added a built-in parser for ingesting Datto AP (Datto Wi-Fi) logs in RFC 3164 syslog format on port 6075. The parser normalizes hostapd events, including association, authentication, deauthentication, and client state transitions. Extracted attributes include MAC address, SSID, access point identifier, and result codes to support structured filtering and correlation. This parser enhances visibility into wireless client activity and access point behavior, enabling more effective monitoring and investigation of Datto wireless environments.

  • Added a built-in parser for ingesting Cisco Web Security Appliance (WSA) access logs in RFC 3164 syslog format on port 6074. The parser supports the Squid-format access log field order and extracts timestamp, client_ip, url, http_method, http_status, bytes_transferred, request_duration, user_name, action, and related proxy attributes. This parser enables consistent normalization of web proxy activity, improving visibility, correlation, and analysis across Cisco WSA deployments.

  • Added a built-in parser for ingesting threatER Enforce logs in RFC 5424 syslog format on port 6073. The parser supports octet-counted framing as defined in RFC 6587 and extracts key-value pairs from the message body, mapping fields such as source and destination IP address, source and destination port, protocol, action, direction, reason, and flags to normalized attributes. Parsed events are routed to the Traffic data domain, enabling accurate correlation and analysis of network enforcement activity from threatER Enforce.

  • Added a built-in parser for ingesting AWS CloudWatch logs in JSON format on port 6071. This parser supports single-line JSON events from AWS Lambda custom application logs and extracts structured attributes such as trace_id, timestamp, service_name, environment, execution_time_ms, request, response, error, and nested fields within the events array. Events containing network attributes (srcip, dstip, srcport, dstport, proto) are routed to the Traffic index, and all other events are routed to the Syslog index. This parser improves visibility into AWS Lambda execution activity and enables consistent normalization for cloud application monitoring and analysis.

  • Added a built-in parser for ingesting Synology DiskStation Manager (DSM) logs in RFC 3164 and RFC 5424 syslog formats on port 6072. The parser supports DSM version 7.1 and later and normalizes authentication events, file and share access activity, service and package changes, and configuration updates into structured fields. Events containing threat-related attributes are routed to the IDPS/Malware Sandbox Events index, network-related events are routed to the Traffic index, and all other events are routed to the Syslog index. This parser improves visibility into storage system activity and enables detection and correlation of administrative and access-related changes on Synology NAS devices.

  • Added a built-in parser for ingesting CTM360 Data Leakage Protection logs in RFC 5424 syslog format on port 6084. This parser normalizes credential-leak notifications into structured fields, including leak_id, website, username, password, computer_name, leak_type, leak_source, status, date_compromised, first_seen, last_seen, created_at, updated_at, validate_at, and remediate_at. Events containing network attributes such as srcip, srcport, dstip, dstport, and proto are routed to the Traffic index, and all other events are routed to the Syslog index. This parser improves visibility into exposed credential activity and enables consistent correlation and detection of data leakage events across environments.

  • Added a built-in parser for ingesting Darktrace alerts in Common Event Format (CEF) on standard CEF ingestion ports 5143 and 5870. This parser extends CEF processing to normalize Darktrace-specific fields into the Stellar Cyber schema.

    The parser maps key fields as follows:

    • cef.severity > event.severity (numeric range 1–10)

    • cef.name > event.threat.name

    • msg_data[name="dvchost"].strvalue > host.name

    • msg_data[name="darktraceurl"].strvalue > darktrace.darktraceurl

    • msg_data[name="externalid"].strvalue > darktrace.externalid

    • msg_data[name="message"].strvalue > darktrace.message

    • hostip_username > user.name

    • hostip_usersid > user.id

    This normalization ensures that Darktrace alerts are consistently enriched and correlated with other telemetry across the platform.

  • Added a built-in parser for ingesting ThreatX logs in syslog format over TCP on port 6070. The parser extracts HTTP request and response metadata, network context, and action outcomes to support structured analysis of application-layer security events. This parser enhances visibility into web traffic inspection activity and improves correlation and detection capabilities for ThreatX deployments.

  • Added a built-in parser for ingesting Microsoft RDWebAccess logs in JSON format on port 6068. This parser supports ingestion of IIS-based Remote Desktop Web Access logs that have been converted to JSON and forwarded through Generic Data Capture or existing TCP listeners. Extracted fields include timestamp, client_ip, server_ip, http_method, uri, http_status, user_agent, and username to provide structured visibility into remote access activity. This parser improves monitoring and investigation of RDWebAccess usage by enabling consistent search, correlation, and analysis of authentication and web session events.

  • Added a built-in parser for ingesting Netgear Smart Switch series logs in RFC 3164 syslog format on port 6069. This parser normalizes standard switch event attributes to support structured search, correlation, and detection across Smart Switch environments.

  • Added built-in parsers for ingesting Check Point SmartConsole and Check Point SmartDefense logs in Common Event Format (CEF) on TCP ports 5143 (standard CEF) and 5870 (octet-counted CEF).

    The Check Point SmartConsole parser extracts structured attributes from CEF payloads, including administrator activity fields parsed from the msg_data array such as administrator, requestcontext, objectname, additional_info, and related event timing and counter values. These fields enable detailed audit reporting of administrative actions, policy changes, and management activity, improving visibility and search accuracy for compliance and operational monitoring.

    The Check Point SmartDefense parser extracts threat prevention and detection attributes, including rule identifiers such as cu_rule_id, detection metadata such as cu_detected_by, and additional event context from structured CEF extensions. By normalizing these fields into discrete searchable attributes, the parser improves correlation, reporting, and detection fidelity for SmartDefense security events.

  • Added a built-in parser for ingesting Imperva SecureSphere logs in customized Common Event Format (CEF) on port 5143. This parser supports Imperva-specific CEF header variations in which cef_device_event_class_id can be optional and ensures continued parsing when the device event class identifier field is omitted. Extracted labeled custom string fields cs1 through cs5 using cs1Label through cs5Label, mapping them to normalized attributes such as policy, servergroup, servicename, applicationname, and description, and parsed act as action. This parser improves normalization accuracy and ensures reliable field extraction for Imperva SecureSphere events, enabling consistent search, filtering, and correlation.

  • Added a built-in parser for ingesting Check Point Harmony Mobile logs in priority and key-value pair (KVP) syslog format on port 6067. This parser normalizes user identity attributes by mapping DeviceEmail to user.name and populating username where applicable, ensuring consistent identity representation across events. It improves correlation and detection accuracy for Harmony Mobile telemetry by aligning user fields with existing normalized identity attributes.

  • Added a built-in parser for ingesting HarfangLab EDR logs on port 6066 in either RFC 3164 syslog format with JSON payloads or in RFC 5424 syslog format. This parser normalizes endpoint telemetry into the Stellar Cyber schema and classifies anti-malware detections as threat events, routing them to the IDPS/Malware Sandbox Events index. Network-related events populate the Traffic index when source and destination address fields are present, and all other events are routed to the Syslog index. Structured attributes such as process, host, user, srcip, dstip, srcport, dstport, proto, threat, and threat_id are extracted into normalized fields to support investigation and analytics. This parser improves visibility into HarfangLab endpoint activity and enables consistent threat detection and reporting across environments.

  • Added a built-in parser for ingesting Mage Data Platform logs in Mage Data custom comma-separated values (CSV) format on port 6085. This parser maps the first 17 columns in order—INSTANCE_ID, INSTANCE_NAME, JOB_ID, ALERT_JOB_ID, ALERT_NAME, ALERT_TYPE, RETRIEVE_FLAG, ACTION_DATE, USER_NAME, IP_ADDRESS, HOST, PROGRAM, DC_NAME, MODULE, SERVER_NAME, DB_NAME, and PARSER_KEY—into structured fields, and ignores any columns that follow. The value in ACTION_DATE sets the event timestamp. This parser improves structured visibility into Mage Data alert activity and enables consistent correlation of data leakage events across environments.

Improvements

  • Enhanced the Oracle Solaris parser to recognize updated syslog header prefixes and revised message structures. The parser now extracts and normalizes fields including timestamp, hostname, process, pid, facility, severity, and message, while maintaining compatibility with existing Oracle Solaris log sources. This improvement enables more accurate normalization and supports more reliable search, correlation, and detection.

  • Expanded the VMware ESXi parser to recognize additional syslog header formats and structured data entries without quotation marks. Mapped normalized fields including timestamp, host, app, proc_id, msg_id, and severity, and populated key-value pairs in the message body into fields prefixed with kv_. This enhancement improved parsing consistency and ensured accurate normalization across diverse ESXi log formats.

  • Enhanced field extraction for Barracuda Web Application Firewall syslog within the Barracuda Firewall parser to improve normalization and detection coverage. When the corresponding data source is enabled in Detection Management, parsed fields now populate detections that target WAF data, including WAF Internal Attacker. This enhancement improves visibility into WAF activity and strengthens detection accuracy for web application threats.

  • Enhanced extraction of performance metrics from Fortinet FortiGate performance log events. Extracted discrete key-value fields from msg_data, including cpu, mem, totalsession, disk, bandwidth, setuprate, disklograte, fazlograte, freediskstorage, and sysuptime. The parser retained waninfo as a structured string representing interface metrics. These enhancements improved visibility into FortiGate device health and resource utilization.

  • Expanded Check Point Common Event Format (CEF) parsing to normalize additional fields and handle duplicate extensions. The parser maps csXLabel plus csX pairs to canonical keys under the checkpoint namespace. Fields previously emitted as strvalue in msg_data became searchable, including rule_name, rule_action, layer_uuid, nat_rulenum, service_id, creation_time, and duration. Colons in keys were removed, and when identical keys repeat, only the first populates normalized fields. This enhancement lets you query previously unsearchable Check Point fields using normalized keys, expands structured field coverage, and delivers more consistent parsing for accurate investigations.

  • Enhanced structured extraction of the objectProperties field in Absolute Secure Endpoint events. The parser now populates absolute_secure_endpoint.objectProperties_obj as an array of objects containing property, old_value, and new_value, with multi-valued entries represented as ordered arrays. The original objectProperties string remains available for backward compatibility and search. You can query absolute_secure_endpoint.objectProperties_obj.property and filter on absolute_secure_endpoint.objectProperties_obj.new_value or absolute_secure_endpoint.objectProperties_obj.old_value. This enhancement lets you detect and report on configuration changes more precisely by converting unstructured change data into queryable structured fields while maintaining backward compatibility.

  • Enhanced Barracuda Web Application Firewall (WAF) log parsing from the Log Event Description field. The parser extracts User-Agent strings, email addresses, and additional key-value pairs as discrete fields for search, correlation, and detection. Existing WAF data sources parse these attributes automatically; no configuration changes are required. Ensure the data source uses the Barracuda WAF product type and forwards syslog using the Barracuda Export Log Formats output.

  • Enhanced parsing of the msg field in Fortinet FortiWeb logs by mapping log_id values to message patterns and extracting structured fields. The parser now extracts server_ip, server_port, server_pool, and status. To ensure correct ingestion, send FortiWeb logs to the Fortinet FortiWeb parser rather than to the generic Common Event Format parser.

  • Enhanced the F5 BIG-IP Virtual Edition parser to support RFC 3164 syslog headers, BIG-IP key-value content, and raw log messages without headers. Parsing now accepts messages with or without a syslog header, normalizes timestamps, and extracts BIG-IP key-value pairs into structured fields for consistent normalization. No additional transformation is required to accommodate different syslog header formats. Logs can be forwarded over syslog with the header preserved or sent as raw BIG-IP log output. This enhancement improves parsing accuracy and ensures consistent field extraction across varied BIG-IP logging configurations.

  • Enhanced field extraction for Kaspersky Security Center events. Parsing recognizes key-value pairs within syslog_message and maps them to discrete fields. Values for action, result, host, user, and application populate corresponding normalized fields when present. This enhancement lets you analyze Kaspersky event activity more consistently by converting embedded key-value data into structured, queryable fields. Existing Syslog inputs continue to function without reconfiguration, provided the complete vendor-formatted message is forwarded through Syslog to ensure proper field mapping.

  • Enhanced parsing of structured JSON content embedded in the f5.full_request payload within F5 Application Security Manager events received in Common Event Format. When valid JSON is present, the parser populates f5.full_request_obj with extracted fields while preserving native data types. You can query extracted values using f5.full_request_obj.<field> (for example, f5.full_request_obj.monto). Parsing applies automatically to new events and does not modify existing F5 fields. Stellar Cyber continues to send events that include attack_type to the IDPS/Malware Sandbox Events index without requiring any configuration changes. This enhancement lets you analyze structured request payload data directly without relying on raw JSON searches while preserving existing F5 field behavior.

  • Enhanced the Radware DefensePro parser to support log headers that omit the APP-NAME field and to recognize Radware DefenseFlow message patterns. Devices that omit APP-NAME or use - now parse consistently. Multi-line DefenseFlow records parse header fields only; message content remains unparsed. Multi-line ingestion is available only over User Datagram Protocol (UDP). To ensure consistent parsing, configure devices to emit Request for Comments (RFC) 5424-compliant headers and prefer single-line messages. Logs that match these formats parse automatically.

  • Added support for alternative field orders in Internet Information Services (IIS) World Wide Web Consortium (W3C) Extended Log File Format logs. Parsing uses a configured mapping and does not read the #Fields header. When the header is absent, the parser accepts both the configured sequence and a supported alternate sequence. This enhancement corrected the default field list to resolve a key typo and align mappings.

  • Mapped additional Fortinet FortiGate log values from msg_data to dedicated fields. To enable richer filtering and correlation, events now include virus, viruscat, virusid, filehash, filehashsrc, referralurl, dstuser, dstuuid, srcuuid, dtype, countav, countdns, countssl, countweb, tlsver, and sslaction. The parser normalizes filename to file.name and dstuser to dstip_username. Queries, detections, and dashboards can filter, group, and alert on these fields. Parsing applies to newly ingested data; reprocessing is required to update historical events.

  • Added Request for Comments (RFC) 5424 Syslog header support for the Radware Cyber Controller Plus parser. To ensure consistent ingestion of header-prefixed events, the parser recognizes and extracts header fields before parsing the payload. Events with an RFC 5424 header now parse and normalize; the 28-column payload mapping remains unchanged. Parsed records populate event_type, severity, event_time, src_ip, dst_ip, dst_port, protocol, direction, policy, and event_id. Previously rejected messages no longer show the Unsupported format error. Existing sources require no changes. For new sources, assign the Radware Cyber Controller Plus parser to the data source.

  • Added vendor namespace fields for VMware vCenter Single Sign-On authentication events. Logs containing the phrase "Authentication succeeded" now populate authentication_status with "succeeded", tenant_username with the user principal, and tenant with the tenant domain. The original message remains in log.event_description for search and correlation. Parsing applies to syslog messages from the Single Sign-On service that follow the documented format. No new top-level fields are introduced. This enhancement lets you filter and analyze authentication activity by outcome, tenant, and user while preserving the original log content for reference.

  • DATA-3179: Expanded VMware ESXi log parsing support.

    Enhanced the VMware ESXi parser to support additional log formats and syslog header standards. The parser now accepts Request for Comments 5424 syslog headers and recognizes Envoy Proxy access logs as well as vpxa, rhttpproxy, hostd-probe, and localcli messages. To ensure consistent field semantics in unixlogs, the top-level action field now maps to vmware_esxi.action. Update saved searches, dashboards, and rules that reference action to use vmware_esxi.action instead. No ingestion changes are required, and supported events parse automatically. This enhancement improves parsing coverage and field consistency across VMware ESXi log sources.

  • Added support for a variant syslog header in the Cisco Unified Communications Manager (CUCM) parser. The parser now recognizes headers formatted as priority, message counter, timestamp, application identifier, severity code, event name, and tags while existing header formats remain supported. Configure syslog inputs to use the Cisco CUCM parser to normalize these events, and update any custom pipelines, dashboards, or searches that reference prior field keys to align with the extracted fields. No additional configuration is required for default deployments.

  • Enhanced parsing of HPE OfficeConnect (1920S/1820) syslog messages to support the modified Request for Comments 3164 header format and user session events. The parser now recognizes USER_MGR messages and extracts session_id, event_action, username, and client_source_ip. No configuration changes are required for existing deployments, and events appear under the HPE Switch data source. This enhancement improves visibility into user session activity on OfficeConnect switches by converting session details into structured, queryable fields.

  • Enhanced parsing of Cisco router and switch syslog messages that include a time zone in the timestamp field. Messages now parse correctly and appear in the user interface with accurate time interpretation. Existing syslog forwarding configurations require no changes. This enhancement ensures consistent event timing and accurate analysis across devices configured with time zone–aware timestamps.

  • Added support for Radware Cyber Controller Plus log headers and leading field variations. Parsing now recognizes Classless Inter-Domain Routing (CIDR) notation for network ranges and consistently extracts IP addresses. Comma-Separated Values (CSV)-encoded sections parse correctly to prevent field misalignment. Configure the data source as Radware Cyber Controller Plus or assign the corresponding parser to the connector to enable the enhanced parsing.

  • Enhanced parsing and normalization of Kaspersky Security Center event@23668 threat logs. The parser maps source parameters to the following normalized fields:

    • p1 > hash.sha256

    • p2 > url

    • p5 > threat.name

    • p7 > user.name

    • hip . host.ip and hostip

    • hdn > host.name

    • tdn > kaspersky_security_center.component

    • et > kaspersky_security_center.event_type

    • etdn > kaspersky_security_center.event_type_description

    • md5 from nested p9 JSON > hash.md5

    The message section parses key-value pairs for process.name, process.executable, and process.pid. Parsing supports both legacy and updated layouts and handles events such as GNRL_EV_VIRUS_FOUND and GNRL_EV_VIRUS_FOUND_AND_BLOCKED. To ensure correct parsing, configure sources to send Request for Comments 5424 messages with structured data event@23668. This enhancement improves threat visibility by converting embedded event parameters into consistent, queryable security metadata.

  • DATA-3155: Improved Forescout syslog parsing for Network Access Control Policy Log and Connection Status events.

    Enhanced extraction from Forescout syslog messages for Network Access Control (NAC) Policy Log and Connection Status events. The parser normalizes log_type, source_ip, rule, details, status, and reason for policy entries, and type, source, target, vendor, and severity for connection entries. Parsing covers repeated key-value sections, quoted values, and missing fields to ensure consistent results across varied syslog formats. Coverage activates automatically for existing Forescout syslog sources without needing any configuration changes.

  • Added field normalization and enrichment for the Palo Alto Networks Prisma Cloud (Compute Edition) parser. The event.threat.name field derives from palo_alto_networks_prisma_cloud.incident_category, then palo_alto_networks_prisma_cloud.attack_type, then palo_alto_networks_prisma_cloud.attack_techniques in priority order. The event.severity_str field maps from palo_alto_networks_prisma_cloud.severity. The parser applies automatically when you configure Palo Alto Networks Prisma Cloud (Compute Edition) as the data source.

  • Added normalization for the SAP Security Audit parser. Events now map alguser to user.name and username, and map alglterm to host.name and hostname. The original alguser and alglterm fields remain available for reference. To avoid type conflicts with the nested host object, normalization does not write to host as a string. No configuration changes are required for existing data sources.

  • Enhanced the McAfee Network Security parser to support configurable syslog field order as defined in Network Security Manager. The parser processes exclamation mark ( ! )–delimited payloads and dynamically maps fields according to the customized message sequence. Parsed values populate attributes such as timestamp, local_header_timestamp, vendor_event_id, normalized severity (1–100), srcip, dstip, srcport, dstport, app_name, proto, and threat_name. Changes to field order in Network Security Manager are recognized automatically without additional parser configuration. This enhancement improves parsing flexibility and ensures accurate normalization across varied McAfee IPS syslog configurations.

  • Enhanced the Common Event Format parser to recognize Varonis DatAdvantage events. The parser identifies deviceVendor=Varonis and deviceProduct=DatAdvantage headers and maps key extensions to normalized fields, including action, event_time, user, host, severity, and external_id. Parsing applies to events that include these identifiers in the CEF header. To ensure proper ingestion, send CEF logs to port 5143 or, if necessary, ingest on port 514 with Log Source redirection enabled to the CEF parser. This enhancement improves visibility into Varonis activity by normalizing key event attributes for consistent analysis and detection.

  • Corrected key-value parsing failures in the Ruckus SmartZone Network Controller parser that previously raised an undefined method error. The parser now recognizes Linux syslog events from the Secure Shell daemon and sudo within controller logs. Field normalization aligns extracted values to src_ip, dst_ip, action, user, facility, and severity. Existing data sources ingest these events without requiring custom rules. To apply this parser, assign the Ruckus SmartZone Network Controller parser to the appropriate data source in the parser configuration. This enhancement improves parsing reliability and extends visibility into controller authentication and privilege activity.

  • Improved the F5 BIG-IP LTM parser to support Common Event Format (CEF) logs encapsulated in syslog headers. The parser recognizes CEF headers and key-value pairs in F5 HTTP Request events and maps them to normalized fields for analytics and detection. To ensure consistent parsing across deployments, ingestion accepts the encapsulated format and extracts standard attributes, extensions, and message text. Configure the log source to emit CEF over syslog and select the F5 BIG-IP LTM parser in ingestion settings.

  • Enhanced parsing of attackers and targets values from the msg_data section of NetScout Systems Omnis Cyber Intelligence events. The parser now populates these values as keys under the vendor namespace for consistent querying and content development. Parsing for responderIPPort remains unchanged, and destination port mapping continues to require a valid numeric value from the sender configuration. This enhancement improves visibility into attacker and target relationships by converting embedded event details into structured, queryable fields while preserving existing port-handling behavior.

  • DATA-3122: Improved field normalization for Check Point Harmony Email Collaboration logs.

    Moved the action field from the top-level event fields into a vendor-specific namespace for Check Point Harmony Email Collaboration events. To prevent conflicts with firewall action semantics, the parser no longer populates a global action field for this data source. Therefore, you must update searches, correlation rules, and dashboards that previously referenced the top-level action field to use the vendor-scoped field instead. JSON validation enforces the expected event structure. This enhancement improves field consistency and eliminates ambiguity between email and firewall action semantics.

  • DATA-3119: Added classification for Forescout Network Access Control events.

    Enhanced Forescout log parsing for Network Access Control (NAC) events. Parsing assigns the log_type value "NAC Policy Log:" or "NAC Policy Match/Unmatch Event" based on the presence of forescout.match. The parser handles concise and extended formats, including these optional fields: details, forescout.rule, forescout.device, and forescout.source. No configuration changes are required.

  • Expanded parsing for Trend Micro TippingPoint to support Security Management System (SMS) 2.5 syslog format and to extract structured attributes from log.event_description. The parser now maps src_ip, dst_ip, src_port, dst_port, protocol, signature, severity, policy, and action into discrete normalized fields to improve search, correlation, and detection accuracy. Configure the data source in Data Sources | Add Data Source | Trend Micro TippingPoint and enable syslog ingestion from the SMS. Existing deployments using earlier SMS formats continue to parse without modification, ensuring backward compatibility while extending visibility for newer SMS 2.5 environments.

  • Enhanced validation and normalization of the action field for Zscaler Internet Access Firewall logs. The parser now promotes only recognized values to the top-level action, including allowed, passed, log, alerted, warning, blocked, block, deny, drop, reject, and alert. While the parser continues to use blocked for Web Application Firewall logs, it now normalizes blocked to block for firewall logs and no longer populates the top-level action field with unrecognized values. As a result, you must update saved searches and dashboards that reference action = block for firewall events. This enhancement improves field consistency and ensures reliable filtering and correlation based on validated firewall action values.

  • Enhanced the Palo Alto Networks parser to support Audit log events. Audit events now parse and normalize correctly, including entries with quoted values and embedded delimiters, eliminating previous unsupported type errors. This enhancement improves visibility into administrative activity by ensuring Audit events are consistently parsed and available for analysis and correlation.

    Existing Palo Alto Networks syslog sources require no changes. As long as Audit logging is enabled on the firewalls, they continue forwarding logs using the existing configuration.

  • Enhanced normalization of FortiGate Common Event Format logs to identify changes to VPN connections, disconnections, authentication successes or failures, and tunnel states. The parser populates event_type, category, src_ip, dst_ip, user, action, result, and session_id for these events. This enhancement enables consistent evaluation and correlation of VPN activity across data sources.

  • Enhanced parsing of the event_time field in Fortinet FortiAnalyzer logs to incorporate the tz (time zone) value when present. Previously, only the date and time fields were used to construct event_time, which could result in incomplete time interpretation. The parser now recognizes supported tz formats and includes the time zone when deriving the event timestamp. This enhancement ensures more accurate event timing and consistent correlation across time zone-aware deployments.

  • Enhanced the EfficientIP SOLIDserver parser to populate the standard dns.question.name field with DNS query values. The vendor-specific dns_query field remains available for backward compatibility. This change enables consistent DNS search, detection, and correlation across data sources that use normalized DNS fields.

Usability

New Features

Improvements

Early Access Program

If you're interested in testing out new features ahead of general availability, consider joining the Early Access Program (EAP) by contacting your Stellar Cyber Customer Success representative and telling them which EAP feature you want to test. Once you've agreed to the EAP terms and signed up, the EAP feature is unlocked for you.

The purpose of this program is to boost performance and reliability through real-world customer insights, giving you a hands-on role in shaping a Stellar Cyber feature. In return, you'll receive early access to upcoming releases and the chance to guide product development.

The following EAP feature is in this release:

XDR Connect Webhook Ingestion

This is a simple webhook framework that lets you post JSON data directly from any external system into Stellar Cyber, accelerating custom integrations and expanding your visibility across the entire security stack. The XDR Connector is in Public Preview in this release.

Case Management Enhancements

Customizable case queues provide persistent, rule-based case groupings that align with SOC workflows, enabling structured workload segmentation by severity, function, escalation path, customer, or alert characteristics.

Resolved Issues

  • Added authentication for local CLI requests sent to port 9716 on server sensors. Previously, non-administrative users could log in to the server and run administrative sensor CLI commands on this port. Server sensors now require administrative privileges to run administrative sensor CLI commands. This security enhancement ensures that only authorized administrators perform sensor management tasks and prevents local privilege escalation.

  • Corrected how license usage limit alerts report tenant information when rules target multiple tenants. Previously, email and Slack notifications could display incorrect tenant names or missing usage values, even though the alert shown in the UI was accurate. Stellar Cyber now generates tenant-specific summaries that correctly attribute license usage information to each tenant in these notifications. This change ensures that notifications accurately reflect license usage across tenants, helping you understand which tenants exceeded thresholds and respond more effectively.

  • Corrected a condition in which complex pre-DPI filter expressions were not applied as expected. Previously, when you configured a complex filter, the sensor could fail to apply it, causing traffic that should have been filtered to continue being processed. Stellar Cyber now correctly applies complex pre-DPI filters so the configured filtering rules work as intended. This change ensures that your traffic filtering policies operate reliably and helps you control which traffic Stellar Cyber processes and analyzes.

  • Strengthened validation in the password reset process to prevent domain injection in reset emails. The reset link now derives the domain from the configured web server collection rather than untrusted request headers, blocking domain injection in password reset emails. No configuration change is required, and valid requests continue to function as before.

  • Resolved an issue that caused incorrect CPU utilization readings on high-core Windows systems. On hosts with more than 56 logical processors, Windows Server Sensors sometimes incorrectly reported 100% usage. After upgrading to 6.4.0, dashboards and sensor status views now display accurate CPU utilization.

  • Resolved an issue where embedded HTML in ingested event fields could trigger unexpected redirects or 404 errors in alert tables. Stellar Cyber now escapes HTML in fields such as description, preventing errors when sorting by Alert Score, filtering results, or opening alert details. This change applies to Operational View dashboards and other alert tables. Sorting and filtering now function correctly across all time ranges.

  • Resolved an issue where saved alert filter tests and Query Builder executions could fail due to oversized request headers. In multi-tenant environments, this condition triggered HTTP 431 errors and caused saved filters to return zero results. Saved filter tests now return results consistent with equivalent ad hoc queries in Query Builder.

  • Corrected field typing for azure_ad.status.errorCode to support matching on Microsoft Entra sign-in events with error code 53003. The Microsoft Entra Sign-in Failures rule and the Sign-in Failure Due to Conditional Access child rule now evaluate the numeric code directly, ensuring detections trigger as expected. This update applies to newly ingested data. To evaluate historical data, you might need to reindex the affected indices. Ensure Microsoft Entra sign-in log collection remains enabled and that the detection is active to generate alerts.

  • Corrected the default behavior of newly observed IP address detection within DNS Tracking enrichment. Detection now activates only when DNS Tracking enrichment is enabled and properly configured. Environments with DNS Tracking disabled no longer generate newly observed IP address detections. To use this capability, enable DNS Tracking enrichment and define the domains or IP addresses you want to monitor.

  • TLS could not be enabled for secure syslog ingestion on TCP 6514 unless a custom parser file was present. This created an unnecessary dependency that prevented secure log forwarding from working as expected in standard configurations. TLS now activates for the configured ingestion entry without requiring /etc/td-agent/customer_log.conf. This fix ensures secure syslog ingestion works as expected without additional configuration dependencies.

  • Restricted access to the internal system monitoring service that collects operating system performance and health metrics from Data Processor nodes. This service was previously reachable on port 9100 from other machines on the network without authentication. It's now accessible only within the Stellar Cyber Platform; external systems can no longer directly retrieve node monitoring data. This change eliminates unauthenticated exposure of system information and strengthens platform security.

  • Clarified the alert descriptions for External and Internal User Data Volume Anomaly to reflect session-based evaluation. Descriptions no longer reference a 5-minute interval and now explain that the detection evaluates totalbytes across the entire firewall session.

  • Improved global text search performance in Asset Analytics to reduce query latency and return consistent results across asset attributes at scale. Searches now execute more efficiently while maintaining accurate matching across asset data. You can enter keywords in the Search field and optionally apply filters to narrow results by asset type or classification.

  • Resolved an issue where the Microsoft Entra ID Revoke sign-in sessions action name did not display correctly in User Actions and Create User views. The action name now appears consistently in lists, selectors, and related records, ensuring clear identification when reviewing and creating user response actions.

Stellar Cyber Platform System Requirements

You must install the Stellar Cyber Platform in an environment that meets or exceeds minimum system requirements. Refer to the following sections for the minimum system requirements for different target environments:

System Requirements for Cluster Installation in VMware ESXi

You can install the Stellar Cyber platform on a dedicated ESXi server running VMware ESXi 8.0, 7.0 or 6.7. The target ESXi server must have sufficient resources to support separate virtual machines for the cluster nodes required by your expected daily ingestion volume.

Refer to Stellar Cyber Platform (DP) System Requirements and Capacity Planning for details on the quantities of cluster nodes required for different daily ingestion volumes, as well as the system resources you must provision for their virtual machines.

Keep in mind the following:

  • Each VM  must be thick-provisioned.

  • You can install all of the VMs in the same datastore if there is sufficient space for both the VMs and the disk space required for the Data Lake's ElasticSearch data. However, Stellar Cyber recommends that the Data Lake uses a dedicated datastore.

Stellar Cyber supports SSD disks for both the OS and Data Lake drives (SATA, SAS, or NVMe). HDD disks introduce latency and are not supported.

Scaling Up Performance with a DP Cluster

You can configure up to ten DP servers to operate in a cluster to achieve improved Stellar Cyber performance. Stellar Cyber cluster testing indicates the following performance guidelines when adding additional DPs to a cluster:

  • With data replication disabled, the aggregated ingestion throughput grows linearly with the number of DP servers.

  • With data replication enabled (the default), the aggregated ingestion throughput is about 30% lower than the throughput without data replication.

Upgrading the Stellar Cyber Platform

You can upgrade the Stellar Cyber Platform from 6.2.0 or later to 6.4.0. You must:

  • Prepare for the upgrade

  • Upgrade the Stellar Cyber Platform to 6.4.0

  • Upgrade the sensors

  • Verify the upgrade

For more detailed instructions, refer to Upgrading Software.

Due to additional functionality and features, resource utilization (CPU and memory) might increase depending on your usage patterns. You can keep tabs on the platform's CPU and disk usage by clicking the Node List button in the System | Data Management | Data Analyzer page. If necessary, you can scale up your platform by adding DA and DL worker nodes, as described here for AWS, GCP, and OCI.

Important Note for Air-Gapped Environments: The 6.4.0 release requires connectivity to specific external URLs to enable components included in the installation image, such as Early Access Program functionality and various features and fixes. In air-gapped or dark site environments, where external network access is restricted, these components cannot be enabled after installation. Before upgrading to 6.4.0, confirm that the required connectivity to these URLs is available.

Prepare for the Upgrade

To prepare for the upgrade:

  • Back up the data and configuration
  • Make sure the sensors are up and running
  • Take note of the ingestion rate
  • Take note of the number of alerts
  • Make sure the system health indicator shows
  • Run the pre-upgrade check

Upgrade the Stellar Cyber Platform to 6.4.0

To upgrade the Stellar Cyber Platform to 6.4.0 from a version earlier than 6.2.0, first upgrade to 6.2.0.

  1. Select Settings | ORGANIZATION MANAGEMENT | Software Upgrade.

  2. Choose 6.4.0.

  3. Select START UPGRADE.

Upgrade the Sensors

New features, updated ML algorithms, and enhanced configurations may change ingestion and detection patterns. We recommend the following to ensure a smooth upgrade:

  • Upgrade sensors with the Sandbox and IDS features enabled before sensors with the only the Network Traffic feature enabled. Sensors with Network Traffic enabled send data to sensors with Sandbox and IDS enabled for additional processing.
  • Upgrade sensors in batches instead of all at once.
  • For server sensors (agents):
    • Upgrade a small set of sensors that cover non-critical assets.
    • After 24 hours, ensure that your ingestion is as expected, then upgrade a larger set.
    • After 24 hours, ensure that your ingestion is as expected, then upgrade the remaining server sensors.

CentOS 7.1 Prerequisite – Update curl to 7.29.0-59.el7_9.2 or Higher

Before upgrading any Linux Server Sensors running in CentOS 7.1, you must check your curl version and update it to 7.29.0-59.el7_9.2 or higher to use the strong encryption required by the Stellar Cyber Platform.

  1. Check your curl version as shown below:

    yum list installed curl

    \* Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile Installed Packages curl.x86_64 7.29.0-19.el7

  2. If the listed version is lower than 7.29.0-59.el7_9.2 (as it is in the example above), use the following commands to update the curl package:

    yum makecache

    yum install curl

  3. If installation of the curl package fails, it is most likely because CentOS is trying to use a repo that has reached its end of life. Try updating the base URL and then reinstall curl. The following sed command makes the necessary changes for most environments to ensure that the updated curl package can be installed:

    sudo sed -i.bak -e 's|^mirrorlist=|#mirrorlist=|' -e 's|^#baseurl=http://mirror.centos.org/centos/\$releasever|baseurl=http://archive.kernel.org/centos-vault/7.9.2009|' /etc/yum.repos.d/CentOS-Base.repo

To upgrade sensors:

Depending on the type of server sensor, upgrade your sensors to version 6.4.0 as follows:

  • Linux Server Sensors: Upgrade directly to 6.4.0 from either of the two previous releases: 6.2.0 or 6.3.0.

  • Windows Server Sensors: Upgrade directly to 6.4.0 from an extended range of previous releases: 5.1.0 through 6.3.0.

    If you are upgrading a Windows Server Sensor, complete any pending updates for the host Windows machine before upgrading the sensor.

  1. Select System | DATA SOURCE MANAGEMENT | Sensors | Sensors.

    The Sensor List appears.

  2. Select Manage | Software Upgrade.

    The Sensor Software Upgrade page appears.

  3. Choose the target software version.

  4. Choose the target sensors.

  5. Select Submit.

Verify the Upgrade

To verify that the upgrade was successful:

  • Check the Current Software Version on the System | ORGANIZATION MANAGEMENT | Software Upgrade page.
  • Make sure the sensors are up and running.
  • Check the ingestion rate and make sure it is as expected.
  • Check the number of alerts and make sure it is as expected.
  • Check the system health indicator:
    • indicates a perfectly healthy system.
    • indicates minor issues. Monitor the system for 30 minutes. If the issues remain, investigate further.
    • indicates major issues. Contact Technical Support.