Stellar Cyber 6.4.0s Release Notes

Software Release Date:
Release Note Updated:

The Stellar Cyber 6.4.0s release strengthens speed, clarity, and confidence across the Open XDR Platform with production-ready Autonomous SOC capabilities, expanded machine learning detections, and enhanced operational workflows.

The release notes are organized into the following sections:

Highlights

Autonomous SOC Features

  • Intelligent Case Analysis and Summary: This feature creates AI-generated narratives within the Case Detail view to accelerate investigations. It automatically generates structured case summaries, investigative hypotheses, timelines, observables, and recommended response actions to accelerate high-severity case analysis.

    To use intelligent case analysis, you must toggle on Enable AI Case Analysis & Summary in System | ORGANIZATION MANAGEMENT | Settings. This is required in 6.4.0s even if you used this feature in the Early Access Program in a previous release.

  • Alert Auto Triage (Add-On): The automated triage of alerts is now available via an add-on license. Alert auto triage uses coordinated AI reasoning to evaluate alerts, assign transparent verdicts, suppress noise, and continuously improve through analyst feedback.

  • Phishing Email Auto Triage (Add-On): The automated triage of suspected email is now available via an add-on license. This feature automates the end-to-end triage of user-reported phishing emails, extracting indicators, correlating context, and classifying threats without manual review.

Detection and Machine Learning

  • SQL Injection Behavior Detection: This machine-learning detection identifies repeated SQL injection payload patterns across HTTP traffic, covering both external web attacks and internal lateral movement scenarios.

  • VPN Login Failure Anomaly Detection: Identity-based anomaly detection now extends to VPN authentication telemetry, identifying abnormal VPN login failure patterns across Fortinet, Check Point, Palo Alto, and other supported platforms.

Dashboard Usability

  • Responsive Dashboard Authoring: The new grid-based, responsive dashboard layout system enables fluid resizing, reordering, and breakpoint-aware views for faster iteration and scalable operational reporting.

Integrations and Data Expansion

  • Expanded Connector Coverage: This expansion introduces several new connectors and multiple content integrations across email security, cloud infrastructure, vulnerability intelligence, and identity risk platforms to broaden ingestion depth and correlation capabilities.

  • Enhanced Parser and Normalization Framework: The enhancement expands parser coverage and normalization depth across endpoint, firewall, cloud, and infrastructure telemetry to improve detection fidelity and cross-source correlation.

Actions Required

There are no actions required in this release.

Behavior Changes

Changes that affect the way users interact with the product or interpret results are listed below.

  • DATA-3179: Updated the VMware ESXi parser to migrate a top-level action field from action to vmware_esxi.action for consistent field semantics within the unixlogs category. Saved searches, dashboards, and detection rules that reference action must be updated to use vmware_esxi.action. Queries that continue to reference action will no longer return expected results.

  • DATA-3155: Updated the Forescout syslog parser to normalize the log_type field by removing the trailing semicolon ( ; ) and refining its extracted value. Saved searches, dashboards, and detection rules that rely on exact matches of previous log_type values that included a trailing semicolon must be updated to reflect the revised format. Queries that reference the prior value with a semicolon will no longer return expected results.

  • DATA-3122: Updated the Check Point Harmony Email Collaboration parser to move the action field from the top-level event structure into a vendor-specific field checkpoint_harmony_email_collaboration.action. Saved searches, dashboards, and correlation rules that reference the top-level action field for this data source must be updated to use checkpoint_harmony_email_collaboration.action. Queries that continue to reference the top-level action will no longer return expected results.

  • DATA-3119: Updated the Forescout parser to classify Network Access Control match and unmatch events with a distinct log_type value. Instead of assigning all events the value "NAC Policy Log:", the parser now sets the value of the log_type field to "NAC Policy Match/Unmatch Event" when the forescout.match field is present. Saved searches, dashboards, and detection rules that filter specifically on log_type:"NAC Policy Log:" must be reviewed and updated if they are intended to include match or unmatch events. Queries that continue to filter exclusively on the previous value will no longer return those events.

Deprecated Features

No features have been deprecated in this release, but the following feature is planned for deprecation in a future version.

  • Upcoming Deprecation: Netskope Connector (API V1) – The Netskope connector supports API V1 and V2, but Netskope has deprecated API V1 so Stellar Cyber will retire the V1 API in a future release. Begin planning to migrate to the V2 API.

Detection/ML

New Features

Improvements

Stellar Cyber Platform

New Features

  • Enabled Jinja2 templating in the Subject field for email notifications generated by Automated Threat Hunting workflows. Jinja2 is a full-featured templating engine that supports variables ({{ ... }}), conditionals, loops ({% ... %}), and filters for formatting and value transformation. This enhancement allows you to dynamically construct subject lines based on notification context data such as event severity, timestamps, or alert attributes. Existing Mustache templates, which support simple variable substitution, continue to work without change. With Jinja2 support, you can create more expressive and context-aware subject lines to improve alert prioritization and readability in downstream systems.

  • Added monitoring to detect missed or delayed executions of Automated Threat Hunting rules. When a scheduled rule runs ten minutes or more past its expected execution time, Stellar Cyber generates a notification to indicate a potential issue. A recovery notification is generated when the rule returns to its expected schedule.

    Delays can occur due to data ingestion interruptions, resource constraints, or service disruptions that prevent rules from executing as expected. Because ATH rules generate detections and trigger downstream playbooks, missed executions can result in gaps in alerting and response activity. These notifications help you quickly identify detection blind spots, verify rule health, and restore coverage before operational visibility is impacted.

  • Optimized the processing of vulnerability scan data to eliminate the duplication of large payload fields within individual Interflow records. Previously, large scan objects, such as Qualys and SentinelOne vulnerability data, were repeated across multiple derived records, which unnecessarily increased record size. The updated process stores a single canonical copy per scan and prevents redundant duplication in related records. This enhancement reduces storage consumption and improves data efficiency.

  • Added Last executed timestamps to the Last Status report for Automated Threat Hunting playbooks. The report now displays execution timestamps for playbook components such as input processing, initialization, and configured actions, along with an icon indicating if each execution was successful. This enhancement lets you distinguish between the most recent execution time and the most recent triggered status, improving monitoring accuracy and troubleshooting.

  • Added monitoring and alerting for Threat Intelligence Platform feed ingestion within the System Action Center. Stellar Cyber now generates events for ingestion errors, retry exhaustion, sustained error rates, and absence of new indicators to help you detect feed disruptions. You can review feed status, metadata, and ingestion history and receive notifications through existing alerting channels. Each event includes remediation guidance to help you restore feed ingestion and maintain continuous threat intelligence coverage.

  • Added System Action Center monitoring for execution states of custom Automated Threat Hunting (ATH) rules. Stellar Cyber now generates alerts for consecutive failures, percentage-based failure rates, successful recovery after failure, and missed executions beyond a defined schedule tolerance. These alerts help you detect rule instability, prevent gaps in detection coverage, and verify recovery when execution resumes. Notifications use existing response actions and alerting channels for seamless integration with your operational workflows.

Improvements

  • Added a pre-check to evaluate alert filters before dispatch. Stellar Cyber now displays the predicted matching filter name in the alert Details section, allowing you to identify the likely filter responsible for suppression before ingestion. Alerts continue through the filtering component to preserve filter-hit accounting and downstream metrics. This enhancement improves transparency into alert filtering behavior and simplifies troubleshooting when alerts are not delivered as expected.

  • Standardized correlation rule behavior by replacing the contains operator with matches across the user interface and configuration. Rules now evaluate exact match semantics rather than substring comparisons, ensuring consistent rule display and execution. This change resolves discrepancies that could cause unexpected rule triggers and improves predictability when authoring and running correlation logic.

  • Added tenant exclusion and generic connector selection options to System Action Center notification rules. You can now exclude specific tenants from rule evaluation and apply monitoring to all connector types without listing them individually. This enhancement simplifies rule configuration in multi-tenant environments, reduces duplication, and improves control over monitoring scope.

Sensors

New Features

  • Added parsing of Netskope Generic Network Virtualization Encapsulation (GENEVE) packets. The parser sets msg_origin.vendor to netskope and normalizes key packet fields, including IP addresses, ports, applications, byte counts, and timing values, without requiring additional configuration. This enhancement ensures that Netskope-encapsulated traffic is correctly identified and consistently normalized, improving visibility, correlation accuracy, and investigation efficiency across environments that use Netskope for network security and access control.

Improvements

  • Suppressed warning messages generated when sensors periodically contact Stellar Cyber to verify connectivity and retrieve operational information. Previously, this routine triggered a warning about an HTTPS request without certificate verification. Although the connection worked as expected and did not affect sensor operation, the warning appeared in system logs and automated notifications, which might have suggested a problem where none existed. Stellar Cyber now filters this message so routine connectivity checks run without producing unnecessary warnings, reducing log noise and helping you focus on meaningful operational events and security events.

  • Improved Windows event collection in Windows Server Sensors to prevent duplicate logs from being generated under certain conditions. Previously, a Windows Server Sensor could reprocess previously collected Windows events and send them again, resulting in duplicate log entries. Stellar Cyber now ensures that Windows event collection resumes from the correct position so previously collected events are not processed again. By eliminating duplicate Windows logs, this change reduces noise in investigations and helps you analyze events more efficiently.

  • Provided Windows Installer Patch (MSP) packages that enable in-place upgrades from supported 5.1.x–6.3.x Windows Server Sensor versions directly to 6.4.0 (x64). Each MSP package corresponds to a specific source version and follows the naming pattern Windows_Sensor_<from>_6.4.0-x64.msp. The upgrade preserves existing configuration settings and automatically restarts the Windows Server Sensor service during installation. A user with local administrative privileges on the Microsoft Windows host where the Windows Server Sensor is installed must perform the upgrade. Supported platforms include Windows Server 2008 R2, 2012 R2, 2016, 2019, 2022, and Windows 10 and 11. This enhancement simplifies upgrade planning and reduces operational effort by eliminating intermediate upgrade steps.

  • Added support for SUSE Linux Enterprise Server 15 SP7 for Linux Server Sensor deployments. Deployments on this platform now use the same installation package, configuration options, and lifecycle operations as other SUSE Linux Enterprise Server 15 releases. Systems running earlier supported SUSE Linux Enterprise Server 15 versions can upgrade to SP7 without requiring changes to existing sensor settings. This update ensures continued compatibility with current SUSE releases while simplifying upgrades and maintaining consistent monitoring across supported Linux environments.

  • Added installation and upgrade support for the Linux Server Sensor on Red Hat Enterprise Linux 10 and CentOS 10. The self-contained installer now detects these operating system versions and loads the required runtime libraries to ensure successful deployment. Existing sensor deployments on these platforms also upgrade through the standard Linux Server Sensor upgrade process. This enhancement expands platform compatibility and enables deployment on newer enterprise Linux distributions.

  • Added support for configuring per-source timeout values for Windows Event Logs and File Integrity Monitoring on the Windows Server Sensor to address high-latency or bandwidth-constrained environments. You can use the set receiver timeout <seconds> winlog and set receiver timeout <seconds> fim commands to allow independent timeout control. A value of 0 disables the timeout. The unset receiver timeout winlog and unset receiver timeout fim commands restore the default value of 90 seconds. The show receiver command displays the effective timeout settings. This enhancement improves log delivery reliability and reduces premature timeout failures in variable network conditions.

  • Added support for gzip compression of Windows Event Log and File Integrity Monitoring payloads sent over HTTPS from the Windows Server Sensor. You can use the set receiver compression <level> [winlog | fim] command to configure compression levels from 0 to 9, where 0 disables compression and omission of the data type applies the setting to both sources. The unset receiver compression command restores the default compression level of 1. The show receiver command displays the active compression settings for each data type. Higher compression levels reduce bandwidth consumption while increasing CPU usage. This enhancement provides greater flexibility for environments with network constraints without requiring sensor profile changes.

  • Updated the sample Ansible inventory and playbook files used to automate Linux Server Sensor deployment. These files support automated installation and registration of the sensor in both on-premises and SaaS environments. The updated samples now support registration using either a token (SaaS deployments) or a Stellar Cyber platform IP address, as well as build selection and optional use of the all-in-one installer. This enhancement streamlines deployment automation and ensures consistent installation workflows across deployment models.

  • Resolved Linux Server Sensor startup failures that occurred when pre–Deep Packet Inspection traffic filter expressions were excessively long, complex, or contained invalid syntax. The sensor now tolerates larger and more complex filter expressions and handles malformed syntax without preventing service startup. The update increased internal limits to support expanded filtering requirements. This enhancement improves sensor stability and prevents configuration errors from interrupting traffic monitoring.

  • Added a control in Modular Sensor profiles that allows you to enable or disable the Log Forwarder module. You can disable log forwarding on Modular Sensors that do not require it. The setting applies only to Modular Sensors and does not affect other modules. Modular Sensors must run version 6.4.0 or later for the setting to take effect. This enhancement reduces resource usage and improves efficiency in environments where log forwarding is not required.

  • Changed the default CPU scaling setting so that the Photon-100 sensor running on Ubuntu 22.04 operates at higher processor speeds instead of dynamically reducing speed to conserve power. This setting ensures the CPU remains optimized for data processing workloads. The configuration persists across system reboots and sensor upgrades. This change applies only to Photon-100 and does not affect Photon-150 or Photon-160 models. This enhancement improves processing throughput and ensures consistent performance on supported Photon-100 deployments.

  • Added support for restricting SSH access to the management interface by specifying allowed source IP addresses or CIDR ranges on Ubuntu 22.04 sensors using the set interface management ssh-whitelist command. The whitelist applies only to incoming SSH connections and does not affect outbound traffic or communication with the platform, receiver, or repository services. You can modify or remove the configuration through the CLI, including remote CLI and console access to prevent lockout. This enhancement strengthens access control and helps reduce exposure of the management interface to unauthorized SSH connections.

Connectors

New Features

Improvements

Parsers

New Features

  • Added a built-in parser for ingesting PostgreSQL logs in RFC 3164 syslog format on port 6083. Normalized fields include timestamp, severity, process ID, database, user, client address, and message to support analytics and correlation. To enable syslog forwarding, configure log_destination to syslog and set log_line_prefix to include time, process ID, user, database, and host information before forwarding events to the sensor syslog listener. File-based PostgreSQL logs can also be forwarded through a syslog agent to the same listener. The parser supports standard PostgreSQL syslog and default log formats, improving visibility and correlation for database activity and security monitoring.

  • Added a built-in parser for ingesting Radware DefenseFlow logs over TCP syslog on port 6082. This parser processes multi-line messages and emits one event per payload segment to prevent data loss and ensure accurate event representation. Normalized fields populate common attributes to support correlation, detection, and reporting across network and security telemetry. To enable ingestion, configure Radware DefenseFlow to forward syslog traffic to the sensor IP address on TCP port 6082. This parser improves visibility into Radware mitigation and traffic events, enabling more reliable analysis and threat detection.

  • Added a built-in parser for ingesting Tait Communications Tait EnableFleet logs in RFC 5424 syslog format over TCP on port 6081. This parser normalizes authentication events, user lifecycle changes, role assignments, and configuration updates into consistent fields to support structured analysis. Parsed records populate fields such as action, initiating_user, target_user, failure_reason, stellar_uuid, and message to enable precise filtering and correlation. To enable ingestion, configure EnableFleet to forward RFC 5424 syslog over TCP to the sensor syslog listener on port 6081. This parser improves visibility into identity and configuration activity, enabling stronger auditing, detection, and investigation workflows.

  • Added a built-in parser for ingesting Absolute Secure Endpoint logs with a custom RFC 5424 syslog header and CEF payload over TCP on port 6078. This parser extracts structured fields such as eventType, actorType, actorName, actorID, objectType, objectName, objectID, verb, secondaryObjectType, secondaryObjectName, secondaryObjectID, and objectProperties to support detailed activity tracking. To enable ingestion, configure the Absolute Secure Endpoint SIEM connector or a syslog forwarder to send CEF-formatted messages over TCP to the Sensor ingestion IP address on port 6078. Parsed events populate normalized fields and are available for search, correlation, and detection workflows. This parser improves visibility into endpoint activity and administrative actions reported by Absolute Secure Endpoint.

  • Added a built-in parser for ingesting HPE Alletra logs in RFC 3164 syslog format on port 6079. This parser normalizes Linux process-related event fields to support consistent indexing and analysis. This parser provides structured visibility into system and process activity, improving search accuracy, correlation, and detection capabilities.

  • Added a built-in parser for ingesting HPE iLO Amplifier Pack logs in syslog format over TCP on port 6080. This parser enables consistent normalization and reliable device context, enhancing search, correlation, and detection outcomes.

  • Added a built-in parser for ingesting Skyhigh Secure Web Gateway logs in RFC 3164 syslog format on port 6076. This parser extracts attributes from header_first_line, maps native fields to the vendor namespace, and normalizes virus_name to threat when present to ensure consistent threat classification. This parser enhances visibility into web traffic security events and improves threat detection accuracy for Skyhigh Secure Web Gateway deployments.

  • Added a built-in parser for ingesting Tait Communications Tait EnableProtect logs in RFC 5424 syslog format on port 6077. The parser normalizes header attributes into fields such as event_time, severity, host, and app_name, and extracts the first structured data element to populate vendor and product for accurate classification. This parser improves structured visibility into Tait EnableProtect activity and enables consistent filtering and correlation across Tait network management events.

  • Added a built-in parser for ingesting Datto AP (Datto Wi-Fi) logs in RFC 3164 syslog format on port 6075. The parser normalizes hostapd events, including association, authentication, deauthentication, and client state transitions. Extracted attributes include MAC address, SSID, access point identifier, and result codes to support structured filtering and correlation. This parser enhances visibility into wireless client activity and access point behavior, enabling more effective monitoring and investigation of Datto wireless environments.

  • Added a built-in parser for ingesting Cisco Web Security Appliance (WSA) access logs in RFC 3164 syslog format on port 6074. The parser supports the Squid-format access log field order and extracts timestamp, client_ip, url, http_method, http_status, bytes_transferred, request_duration, user_name, action, and related proxy attributes. This parser enables consistent normalization of web proxy activity, improving visibility, correlation, and analysis across Cisco WSA deployments.

  • Added a built-in parser for ingesting threatER Enforce logs in RFC 5424 syslog format on port 6073. The parser supports octet-counted framing as defined in RFC 6587 and extracts key-value pairs from the message body, mapping fields such as source and destination IP address, source and destination port, protocol, action, direction, reason, and flags to normalized attributes. Parsed events are routed to the Traffic data domain, enabling accurate correlation and analysis of network enforcement activity from threatER Enforce.

  • Added a built-in parser for ingesting AWS CloudWatch logs in JSON format on port 6071. This parser supports single-line JSON events from AWS Lambda custom application logs and extracts structured attributes such as trace_id, timestamp, service_name, environment, execution_time_ms, request, response, error, and nested fields within the events array. Events containing network attributes (srcip, dstip, srcport, dstport, proto) are routed to the Traffic index, and all other events are routed to the Syslog index. This parser improves visibility into AWS Lambda execution activity and enables consistent normalization for cloud application monitoring and analysis.

  • Added a built-in parser for ingesting Synology DiskStation Manager (DSM) logs in RFC 3164 and RFC 5424 syslog formats on port 6072. The parser supports DSM version 7.1 and later and normalizes authentication events, file and share access activity, service and package changes, and configuration updates into structured fields. Events containing threat-related attributes are routed to the IDPS/Malware Sandbox Events index, network-related events are routed to the Traffic index, and all other events are routed to the Syslog index. This parser improves visibility into storage system activity and enables detection and correlation of administrative and access-related changes on Synology NAS devices.

  • Added a built-in parser for ingesting CTM360 Data Leakage Protection logs in RFC 5424 syslog format on port 6084. This parser normalizes credential-leak notifications into structured fields, including leak_id, website, username, password, computer_name, leak_type, leak_source, status, date_compromised, first_seen, last_seen, created_at, updated_at, validate_at, and remediate_at. Events containing network attributes such as srcip, srcport, dstip, dstport, and proto are routed to the Traffic index, and all other events are routed to the Syslog index. This parser improves visibility into exposed credential activity and enables consistent correlation and detection of data leakage events across environments.

  • Added a built-in parser for ingesting Darktrace alerts in Common Event Format (CEF) on standard CEF ingestion ports 5143 and 5870. This parser extends CEF processing to normalize Darktrace-specific fields into the Stellar Cyber schema.

    The parser maps key fields as follows:

    • cef.severity > event.severity (numeric range 1–10)

    • cef.name > event.threat.name

    • msg_data[name="dvchost"].strvalue > host.name

    • msg_data[name="darktraceurl"].strvalue > darktrace.darktraceurl

    • msg_data[name="externalid"].strvalue > darktrace.externalid

    • msg_data[name="message"].strvalue > darktrace.message

    • hostip_username > user.name

    • hostip_usersid > user.id

    This normalization ensures that Darktrace alerts are consistently enriched and correlated with other telemetry across the platform.

  • Added a built-in parser for ingesting ThreatX logs in syslog format over TCP on port 6070. The parser extracts HTTP request and response metadata, network context, and action outcomes to support structured analysis of application-layer security events. This parser enhances visibility into web traffic inspection activity and improves correlation and detection capabilities for ThreatX deployments.

  • Added a built-in parser for ingesting Microsoft RDWebAccess logs in JSON format on port 6068. This parser supports ingestion of IIS-based Remote Desktop Web Access logs that have been converted to JSON and forwarded through Generic Data Capture or existing TCP listeners. Extracted fields include timestamp, client_ip, server_ip, http_method, uri, http_status, user_agent, and username to provide structured visibility into remote access activity. This parser improves monitoring and investigation of RDWebAccess usage by enabling consistent search, correlation, and analysis of authentication and web session events.

  • Added a built-in parser for ingesting Netgear Smart Switch series logs in RFC 3164 syslog format on port 6069. This parser normalizes standard switch event attributes to support structured search, correlation, and detection across Smart Switch environments.

  • Added built-in parsers for ingesting Check Point SmartConsole and Check Point SmartDefense logs in Common Event Format (CEF) on TCP ports 5143 (standard CEF) and 5870 (octet-counted CEF).

    The Check Point SmartConsole parser extracts structured attributes from CEF payloads, including administrator activity fields parsed from the msg_data array such as administrator, requestcontext, objectname, additional_info, and related event timing and counter values. These fields enable detailed audit reporting of administrative actions, policy changes, and management activity, improving visibility and search accuracy for compliance and operational monitoring.

    The Check Point SmartDefense parser extracts threat prevention and detection attributes, including rule identifiers such as cu_rule_id, detection metadata such as cu_detected_by, and additional event context from structured CEF extensions. By normalizing these fields into discrete searchable attributes, the parser improves correlation, reporting, and detection fidelity for SmartDefense security events.

  • Added a built-in parser for ingesting Imperva SecureSphere logs in customized Common Event Format (CEF) on port 5143. This parser supports Imperva-specific CEF header variations in which cef_device_event_class_id can be optional and ensures continued parsing when the device event class identifier field is omitted. Extracted labeled custom string fields cs1 through cs5 using cs1Label through cs5Label, mapping them to normalized attributes such as policy, servergroup, servicename, applicationname, and description, and parsed act as action. This parser improves normalization accuracy and ensures reliable field extraction for Imperva SecureSphere events, enabling consistent search, filtering, and correlation.

  • Added a built-in parser for ingesting Check Point Harmony Mobile logs in priority and key-value pair (KVP) syslog format on port 6067. This parser normalizes user identity attributes by mapping DeviceEmail to user.name and populating username where applicable, ensuring consistent identity representation across events. It improves correlation and detection accuracy for Harmony Mobile telemetry by aligning user fields with existing normalized identity attributes.

  • Added a built-in parser for ingesting HarfangLab EDR logs on port 6066 in either RFC 3164 syslog format with JSON payloads or in RFC 5424 syslog format. This parser normalizes endpoint telemetry into the Stellar Cyber schema and classifies anti-malware detections as threat events, routing them to the IDPS/Malware Sandbox Events index. Network-related events populate the Traffic index when source and destination address fields are present, and all other events are routed to the Syslog index. Structured attributes such as process, host, user, srcip, dstip, srcport, dstport, proto, threat, and threat_id are extracted into normalized fields to support investigation and analytics. This parser improves visibility into HarfangLab endpoint activity and enables consistent threat detection and reporting across environments.

  • Added a built-in parser for ingesting Mage Data Platform logs in Mage Data custom comma-separated values (CSV) format on port 6085. This parser maps the first 17 columns in order—INSTANCE_ID, INSTANCE_NAME, JOB_ID, ALERT_JOB_ID, ALERT_NAME, ALERT_TYPE, RETRIEVE_FLAG, ACTION_DATE, USER_NAME, IP_ADDRESS, HOST, PROGRAM, DC_NAME, MODULE, SERVER_NAME, DB_NAME, and PARSER_KEY—into structured fields, and ignores any columns that follow. The value in ACTION_DATE sets the event timestamp. This parser improves structured visibility into Mage Data alert activity and enables consistent correlation of data leakage events across environments.

Improvements

  • Enhanced the Oracle Solaris parser to recognize updated syslog header prefixes and revised message structures. The parser now extracts and normalizes fields including timestamp, hostname, process, pid, facility, severity, and message, while maintaining compatibility with existing Oracle Solaris log sources. This improvement enables more accurate normalization and supports more reliable search, correlation, and detection.

  • Expanded the VMware ESXi parser to recognize additional syslog header formats and structured data entries without quotation marks. Mapped normalized fields including timestamp, host, app, proc_id, msg_id, and severity, and populated key-value pairs in the message body into fields prefixed with kv_. This enhancement improved parsing consistency and ensured accurate normalization across diverse ESXi log formats.

  • Enhanced field extraction for Barracuda Web Application Firewall syslog within the Barracuda Firewall parser to improve normalization and detection coverage. When the corresponding data source is enabled in Detection Management, parsed fields now populate detections that target WAF data, including WAF Internal Attacker. This enhancement improves visibility into WAF activity and strengthens detection accuracy for web application threats.

  • Enhanced extraction of performance metrics from Fortinet FortiGate performance log events. Extracted discrete key-value fields from msg_data, including cpu, mem, totalsession, disk, bandwidth, setuprate, disklograte, fazlograte, freediskstorage, and sysuptime. The parser retained waninfo as a structured string representing interface metrics. These enhancements improved visibility into FortiGate device health and resource utilization.

  • Expanded Check Point Common Event Format (CEF) parsing to normalize additional fields and handle duplicate extensions. The parser maps csXLabel plus csX pairs to canonical keys under the checkpoint namespace. Fields previously emitted as strvalue in msg_data became searchable, including rule_name, rule_action, layer_uuid, nat_rulenum, service_id, creation_time, and duration. Colons in keys were removed, and when identical keys repeat, only the first populates normalized fields. This enhancement lets you query previously unsearchable Check Point fields using normalized keys, expands structured field coverage, and delivers more consistent parsing for accurate investigations.

  • Enhanced structured extraction of the objectProperties field in Absolute Secure Endpoint events. The parser now populates absolute_secure_endpoint.objectProperties_obj as an array of objects containing property, old_value, and new_value, with multi-valued entries represented as ordered arrays. The original objectProperties string remains available for backward compatibility and search. You can query absolute_secure_endpoint.objectProperties_obj.property and filter on absolute_secure_endpoint.objectProperties_obj.new_value or absolute_secure_endpoint.objectProperties_obj.old_value. This enhancement lets you detect and report on configuration changes more precisely by converting unstructured change data into queryable structured fields while maintaining backward compatibility.

  • Enhanced Barracuda Web Application Firewall (WAF) log parsing from the Log Event Description field. The parser extracts User-Agent strings, email addresses, and additional key-value pairs as discrete fields for search, correlation, and detection. Existing WAF data sources parse these attributes automatically; no configuration changes are required. Ensure the data source uses the Barracuda WAF product type and forwards syslog using the Barracuda Export Log Formats output.

  • Enhanced parsing of the msg field in Fortinet FortiWeb logs by mapping log_id values to message patterns and extracting structured fields. The parser now extracts server_ip, server_port, server_pool, and status. To ensure correct ingestion, send FortiWeb logs to the Fortinet FortiWeb parser rather than to the generic Common Event Format parser.

  • Enhanced the F5 BIG-IP Virtual Edition parser to support RFC 3164 syslog headers, BIG-IP key-value content, and raw log messages without headers. Parsing now accepts messages with or without a syslog header, normalizes timestamps, and extracts BIG-IP key-value pairs into structured fields for consistent normalization. No additional transformation is required to accommodate different syslog header formats. Logs can be forwarded over syslog with the header preserved or sent as raw BIG-IP log output. This enhancement improves parsing accuracy and ensures consistent field extraction across varied BIG-IP logging configurations.

  • Enhanced field extraction for Kaspersky Security Center events. Parsing recognizes key-value pairs within syslog_message and maps them to discrete fields. Values for action, result, host, user, and application populate corresponding normalized fields when present. This enhancement lets you analyze Kaspersky event activity more consistently by converting embedded key-value data into structured, queryable fields. Existing Syslog inputs continue to function without reconfiguration, provided the complete vendor-formatted message is forwarded through Syslog to ensure proper field mapping.

  • Enhanced parsing of structured JSON content embedded in the f5.full_request payload within F5 Application Security Manager events received in Common Event Format. When valid JSON is present, the parser populates f5.full_request_obj with extracted fields while preserving native data types. You can query extracted values using f5.full_request_obj.<field> (for example, f5.full_request_obj.monto). Parsing applies automatically to new events and does not modify existing F5 fields. Stellar Cyber continues to send events that include attack_type to the IDPS/Malware Sandbox Events index without requiring any configuration changes. This enhancement lets you analyze structured request payload data directly without relying on raw JSON searches while preserving existing F5 field behavior.

  • Enhanced the Radware DefensePro parser to support log headers that omit the APP-NAME field and to recognize Radware DefenseFlow message patterns. Devices that omit APP-NAME or use - now parse consistently. Multi-line DefenseFlow records parse header fields only; message content remains unparsed. Multi-line ingestion is available only over User Datagram Protocol (UDP). To ensure consistent parsing, configure devices to emit Request for Comments (RFC) 5424-compliant headers and prefer single-line messages. Logs that match these formats parse automatically.

  • Added support for alternative field orders in Internet Information Services (IIS) World Wide Web Consortium (W3C) Extended Log File Format logs. Parsing uses a configured mapping and does not read the #Fields header. When the header is absent, the parser accepts both the configured sequence and a supported alternate sequence. This enhancement corrected the default field list to resolve a key typo and align mappings.

  • Mapped additional Fortinet FortiGate log values from msg_data to dedicated fields. To enable richer filtering and correlation, events now include virus, viruscat, virusid, filehash, filehashsrc, referralurl, dstuser, dstuuid, srcuuid, dtype, countav, countdns, countssl, countweb, tlsver, and sslaction. The parser normalizes filename to file.name and dstuser to dstip_username. Queries, detections, and dashboards can filter, group, and alert on these fields. Parsing applies to newly ingested data; reprocessing is required to update historical events.

  • Added Request for Comments (RFC) 5424 Syslog header support for the Radware Cyber Controller Plus parser. To ensure consistent ingestion of header-prefixed events, the parser recognizes and extracts header fields before parsing the payload. Events with an RFC 5424 header now parse and normalize; the 28-column payload mapping remains unchanged. Parsed records populate event_type, severity, event_time, src_ip, dst_ip, dst_port, protocol, direction, policy, and event_id. Previously rejected messages no longer show the Unsupported format error. Existing sources require no changes. For new sources, assign the Radware Cyber Controller Plus parser to the data source.

  • Added vendor namespace fields for VMware vCenter Single Sign-On authentication events. Logs containing the phrase "Authentication succeeded" now populate authentication_status with "succeeded", tenant_username with the user principal, and tenant with the tenant domain. The original message remains in log.event_description for search and correlation. Parsing applies to syslog messages from the Single Sign-On service that follow the documented format. No new top-level fields are introduced. This enhancement lets you filter and analyze authentication activity by outcome, tenant, and user while preserving the original log content for reference.

  • DATA-3179: Expanded VMware ESXi log parsing support.

    Enhanced the VMware ESXi parser to support additional log formats and syslog header standards. The parser now accepts Request for Comments 5424 syslog headers and recognizes Envoy Proxy access logs as well as vpxa, rhttpproxy, hostd-probe, and localcli messages. To ensure consistent field semantics in unixlogs, the top-level action field now maps to vmware_esxi.action. Update saved searches, dashboards, and rules that reference action to use vmware_esxi.action instead. No ingestion changes are required, and supported events parse automatically. This enhancement improves parsing coverage and field consistency across VMware ESXi log sources.

  • Added support for a variant syslog header in the Cisco Unified Communications Manager (CUCM) parser. The parser now recognizes headers formatted as priority, message counter, timestamp, application identifier, severity code, event name, and tags while existing header formats remain supported. Configure syslog inputs to use the Cisco CUCM parser to normalize these events, and update any custom pipelines, dashboards, or searches that reference prior field keys to align with the extracted fields. No additional configuration is required for default deployments.

  • Enhanced parsing of HPE OfficeConnect (1920S/1820) syslog messages to support the modified Request for Comments 3164 header format and user session events. The parser now recognizes USER_MGR messages and extracts session_id, event_action, username, and client_source_ip. No configuration changes are required for existing deployments, and events appear under the HPE Switch data source. This enhancement improves visibility into user session activity on OfficeConnect switches by converting session details into structured, queryable fields.

  • Enhanced parsing of Cisco router and switch syslog messages that include a time zone in the timestamp field. Messages now parse correctly and appear in the user interface with accurate time interpretation. Existing syslog forwarding configurations require no changes. This enhancement ensures consistent event timing and accurate analysis across devices configured with time zone–aware timestamps.

  • Added support for Radware Cyber Controller Plus log headers and leading field variations. Parsing now recognizes Classless Inter-Domain Routing (CIDR) notation for network ranges and consistently extracts IP addresses. Comma-Separated Values (CSV)-encoded sections parse correctly to prevent field misalignment. Configure the data source as Radware Cyber Controller Plus or assign the corresponding parser to the connector to enable the enhanced parsing.

  • Enhanced parsing and normalization of Kaspersky Security Center event@23668 threat logs. The parser maps source parameters to the following normalized fields:

    • p1 > hash.sha256

    • p2 > url

    • p5 > threat.name

    • p7 > user.name

    • hip . host.ip and hostip

    • hdn > host.name

    • tdn > kaspersky_security_center.component

    • et > kaspersky_security_center.event_type

    • etdn > kaspersky_security_center.event_type_description

    • md5 from nested p9 JSON > hash.md5

    The message section parses key-value pairs for process.name, process.executable, and process.pid. Parsing supports both legacy and updated layouts and handles events such as GNRL_EV_VIRUS_FOUND and GNRL_EV_VIRUS_FOUND_AND_BLOCKED. To ensure correct parsing, configure sources to send Request for Comments 5424 messages with structured data event@23668. This enhancement improves threat visibility by converting embedded event parameters into consistent, queryable security metadata.

  • DATA-3155: Improved Forescout syslog parsing for Network Access Control Policy Log and Connection Status events.

    Enhanced extraction from Forescout syslog messages for Network Access Control (NAC) Policy Log and Connection Status events. The parser normalizes log_type, source_ip, rule, details, status, and reason for policy entries, and type, source, target, vendor, and severity for connection entries. Parsing covers repeated key-value sections, quoted values, and missing fields to ensure consistent results across varied syslog formats. Coverage activates automatically for existing Forescout syslog sources without needing any configuration changes.

  • Added field normalization and enrichment for the Palo Alto Networks Prisma Cloud (Compute Edition) parser. The event.threat.name field derives from palo_alto_networks_prisma_cloud.incident_category, then palo_alto_networks_prisma_cloud.attack_type, then palo_alto_networks_prisma_cloud.attack_techniques in priority order. The event.severity_str field maps from palo_alto_networks_prisma_cloud.severity. The parser applies automatically when you configure Palo Alto Networks Prisma Cloud (Compute Edition) as the data source.

  • Added normalization for the SAP Security Audit parser. Events now map alguser to user.name and username, and map alglterm to host.name and hostname. The original alguser and alglterm fields remain available for reference. To avoid type conflicts with the nested host object, normalization does not write to host as a string. No configuration changes are required for existing data sources.

  • Enhanced the McAfee Network Security parser to support configurable syslog field order as defined in Network Security Manager. The parser processes exclamation mark ( ! )–delimited payloads and dynamically maps fields according to the customized message sequence. Parsed values populate attributes such as timestamp, local_header_timestamp, vendor_event_id, normalized severity (1–100), srcip, dstip, srcport, dstport, app_name, proto, and threat_name. Changes to field order in Network Security Manager are recognized automatically without additional parser configuration. This enhancement improves parsing flexibility and ensures accurate normalization across varied McAfee IPS syslog configurations.

  • Enhanced the Common Event Format parser to recognize Varonis DatAdvantage events. The parser identifies deviceVendor=Varonis and deviceProduct=DatAdvantage headers and maps key extensions to normalized fields, including action, event_time, user, host, severity, and external_id. Parsing applies to events that include these identifiers in the CEF header. To ensure proper ingestion, send CEF logs to port 5143 or, if necessary, ingest on port 514 with Log Source redirection enabled to the CEF parser. This enhancement improves visibility into Varonis activity by normalizing key event attributes for consistent analysis and detection.

  • Corrected key-value parsing failures in the Ruckus SmartZone Network Controller parser that previously raised an undefined method error. The parser now recognizes Linux syslog events from the Secure Shell daemon and sudo within controller logs. Field normalization aligns extracted values to src_ip, dst_ip, action, user, facility, and severity. Existing data sources ingest these events without requiring custom rules. To apply this parser, assign the Ruckus SmartZone Network Controller parser to the appropriate data source in the parser configuration. This enhancement improves parsing reliability and extends visibility into controller authentication and privilege activity.

  • Improved the F5 BIG-IP LTM parser to support Common Event Format (CEF) logs encapsulated in syslog headers. The parser recognizes CEF headers and key-value pairs in F5 HTTP Request events and maps them to normalized fields for analytics and detection. To ensure consistent parsing across deployments, ingestion accepts the encapsulated format and extracts standard attributes, extensions, and message text. Configure the log source to emit CEF over syslog and select the F5 BIG-IP LTM parser in ingestion settings.

  • Enhanced parsing of attackers and targets values from the msg_data section of NetScout Systems Omnis Cyber Intelligence events. The parser now populates these values as keys under the vendor namespace for consistent querying and content development. Parsing for responderIPPort remains unchanged, and destination port mapping continues to require a valid numeric value from the sender configuration. This enhancement improves visibility into attacker and target relationships by converting embedded event details into structured, queryable fields while preserving existing port-handling behavior.

  • DATA-3122: Improved field normalization for Check Point Harmony Email Collaboration logs.

    Moved the action field from the top-level event fields into a vendor-specific namespace for Check Point Harmony Email Collaboration events. To prevent conflicts with firewall action semantics, the parser no longer populates a global action field for this data source. Therefore, you must update searches, correlation rules, and dashboards that previously referenced the top-level action field to use the vendor-scoped field instead. JSON validation enforces the expected event structure. This enhancement improves field consistency and eliminates ambiguity between email and firewall action semantics.

  • DATA-3119: Added classification for Forescout Network Access Control events.

    Enhanced Forescout log parsing for Network Access Control (NAC) events. Parsing assigns the log_type value "NAC Policy Log:" or "NAC Policy Match/Unmatch Event" based on the presence of forescout.match. The parser handles concise and extended formats, including these optional fields: details, forescout.rule, forescout.device, and forescout.source. No configuration changes are required.

  • Expanded parsing for Trend Micro TippingPoint to support Security Management System (SMS) 2.5 syslog format and to extract structured attributes from log.event_description. The parser now maps src_ip, dst_ip, src_port, dst_port, protocol, signature, severity, policy, and action into discrete normalized fields to improve search, correlation, and detection accuracy. Configure the data source in Data Sources | Add Data Source | Trend Micro TippingPoint and enable syslog ingestion from the SMS. Existing deployments using earlier SMS formats continue to parse without modification, ensuring backward compatibility while extending visibility for newer SMS 2.5 environments.

  • Enhanced validation and normalization of the action field for Zscaler Internet Access Firewall logs. The parser now promotes only recognized values to the top-level action, including allowed, passed, log, alerted, warning, blocked, block, deny, drop, reject, and alert. While the parser continues to use blocked for Web Application Firewall logs, it now normalizes blocked to block for firewall logs and no longer populates the top-level action field with unrecognized values. As a result, you must update saved searches and dashboards that reference action = block for firewall events. This enhancement improves field consistency and ensures reliable filtering and correlation based on validated firewall action values.

  • Enhanced the Palo Alto Networks parser to support Audit log events. Audit events now parse and normalize correctly, including entries with quoted values and embedded delimiters, eliminating previous unsupported type errors. This enhancement improves visibility into administrative activity by ensuring Audit events are consistently parsed and available for analysis and correlation.

    Existing Palo Alto Networks syslog sources require no changes. As long as Audit logging is enabled on the firewalls, they continue forwarding logs using the existing configuration.

  • Enhanced normalization of FortiGate Common Event Format logs to identify changes to VPN connections, disconnections, authentication successes or failures, and tunnel states. The parser populates event_type, category, src_ip, dst_ip, user, action, result, and session_id for these events. This enhancement enables consistent evaluation and correlation of VPN activity across data sources.

  • Enhanced parsing of the event_time field in Fortinet FortiAnalyzer logs to incorporate the tz (time zone) value when present. Previously, only the date and time fields were used to construct event_time, which could result in incomplete time interpretation. The parser now recognizes supported tz formats and includes the time zone when deriving the event timestamp. This enhancement ensures more accurate event timing and consistent correlation across time zone-aware deployments.

  • Enhanced the EfficientIP SOLIDserver parser to populate the standard dns.question.name field with DNS query values. The vendor-specific dns_query field remains available for backward compatibility. This change enables consistent DNS search, detection, and correlation across data sources that use normalized DNS fields.

Usability

New Features

  • Enhanced the dashboard layout editor with a reusable, responsive, grid-based system that supports drag-and-drop repositioning, dynamic adjustments of surrounding dashboard components, and breakpoint-aware views. The updated authoring experience greatly improves ease of use, streamlines dashboard customization, and enables faster iteration for operational reporting.

  • Added a match any operator that returns a match when any word in the results from one query appears in those of the other, using a logical OR evaluation. To do this, use matches any on the relationship between two correlated queries to find partial matches between returned values, and use match when all words must be present in the values returned from both queries. This enhancement increases flexibility in cross-event comparisons and improves correlation rule precision.

  • Added an Add-on Licenses section under System | ORGANIZATION MANAGEMENT | Licensing | Licenses that lets you centrally view and manage feature-specific licenses, including Auto Triage Phishing. The page displays license capacity, utilization, expiration date, compliance status, and consumption details based on the applicable license model. You can provision licenses and disable or delete Auto Triage Phishing for specific tenants directly from this interface. When no add-on licenses are installed, the page displays an empty state with guidance. Add-on licenses appear automatically after provisioning, and additional add-ons will be listed in the same section as they become available.

  • Updated the System | DATA MANAGEMENT | Resources page to use standardized table controls, including search, filters, column selection, pagination, and bulk selection. Primary actions now appear under Add Resource and row-level Actions menus with consistent confirmation dialogs. In addition, keyboard navigation and screen reader labeling improve accessibility, and layouts adapt to different screen sizes.

  • Added a one-click Copy control with selectable output formats for content displayed in the Case Summary, Analysis, and Response tabs within artificial intelligence workflows. The Copy control now places the visible section on the clipboard in the selected format, and available formats depend on the deployment configuration. The control appears when the Enable AI Case Analysis & Summary setting is enabled. This enhancement simplifies content reuse and improves efficiency when sharing or documenting case insights.

  • Published alert and case auto-triage endpoints under the Public API using the /connect/api/v1/ prefix. The API now supports /connect/api/v1/autotriage/v1/... for submitting triage requests and retrieving results, and /connect/api/v1/hyperautomation/v1/alert... for alert-scoped operations. Requests authenticate using an API key in the X-API-Key header assigned to a role with read and update access to alerts and cases, and require Content-Type: application/json. Responses include a correlation_id to track asynchronous processing. The Public API reference documents supported operations, parameters, schemas, and status codes. For bulk workflows, rate limits apply and submissions should be staggered. This enhancement enables programmatic auto-triage and supports scalable automation workflows.

  • Improved the Role-Based Access Control (RBAC) management interface to present roles, permissions, and user assignments in a consolidated view. You can access the updated pages at System | ORGANIZATION MANAGEMENT | Role-Based Access Control and create and edit roles, assign permissions, and review effective access within a unified workflow. Enhanced filtering and sorting help you locate roles and permissions more efficiently, and consistent field labels and actions improve clarity and usability.

  • Updated the System | DATA SOURCE MANAGEMENT| Data Filters | Log Filters page with a reorganized interface that streamlines rule management across supported data sources. You can create, edit, enable or disable, and reorder filter rules using the enhanced layout. Existing filter rules remain active and retain their evaluation order, and no action is required to maintain current filtering behavior.

  • Optimized pagination behavior on Case List pages by eliminating direct navigation to specific page numbers. Navigation uses Previous and Next controls for page movement. This enhancement delivers faster page transitions and a more responsive browsing experience when viewing large case volumes.

  • Added the ability to initiate sensor agent uninstallation directly from the user interface before deregistration. You can select one or more connected sensors and issue an uninstall command as part of the delete workflow. The uninstall option is available only for connected sensors. The workflow displays operation status and records actions for audit and compliance purposes, improving operational control and lifecycle management of deployed agents.

  • Added the ability to configure and manage case management queues. You can create, view, and modify case queues directly in the UI to better organize case assignment and workflow handling.

  • Updated the Security Assertion Markup Language (SAML) single sign-on configuration to improve how identity provider settings are defined and managed. You can configure settings such as Assertion Consumer Service (ACS) URL, Single Logout URL, NameID format, and certificates using X.509 certificate or metadata XML upload within the streamlined configuration workflow. Existing SAML integrations continue to function without changes, ensuring a smoother configuration experience without impacting current deployments.

Improvements

Early Access Program

If you're interested in testing out new features ahead of general availability, consider joining the Early Access Program (EAP) by contacting your Stellar Cyber Customer Success representative and telling them which EAP feature you want to test. Once you've agreed to the EAP terms and signed up, the EAP feature is unlocked for you.

The purpose of this program is to boost performance and reliability through real-world customer insights, giving you a hands-on role in shaping a Stellar Cyber feature. In return, you'll receive early access to upcoming releases and the chance to guide product development.

The following EAP feature is in this release:

XDR Connect Webhook Ingestion

This is a simple webhook framework that lets you post JSON data directly from any external system into Stellar Cyber, accelerating custom integrations and expanding your visibility across the entire security stack. The XDR Connector is in Public Preview in this release.

Case Management Enhancements

Customizable case queues provide persistent, rule-based case groupings that align with SOC workflows, enabling structured workload segmentation by severity, function, escalation path, customer, or alert characteristics.

Resolved Issues

  • Resolved an issue where changes to the Windows operating system hostname were not reflected in the management console for Windows Server Sensors. The console now updates the sensor hostname automatically after the sensor reconnects to the Stellar Cyber Platform. After upgrading to Windows Server Sensor version 6.4.0, changing the computer name and rebooting the host or restarting the Windows Server Sensor service triggers the update. This fix ensures that the sensor name in the management console accurately reflects the current Windows host name.

  • Added authentication for local CLI requests sent to port 9716 on server sensors. Previously, non-administrative users could log in to the server and run administrative sensor CLI commands on this port. Server sensors now require administrative privileges to run administrative sensor CLI commands. This security enhancement ensures that only authorized administrators perform sensor management tasks and prevents local privilege escalation.

  • Corrected how license usage limit alerts report tenant information when rules target multiple tenants. Previously, email and Slack notifications could display incorrect tenant names or missing usage values, even though the alert shown in the UI was accurate. Stellar Cyber now generates tenant-specific summaries that correctly attribute license usage information to each tenant in these notifications. This change ensures that notifications accurately reflect license usage across tenants, helping you understand which tenants exceeded thresholds and respond more effectively.

  • Corrected a condition in which complex pre-DPI filter expressions were not applied as expected. Previously, when you configured a complex filter, the sensor could fail to apply it, causing traffic that should have been filtered to continue being processed. Stellar Cyber now correctly applies complex pre-DPI filters so the configured filtering rules work as intended. This change ensures that your traffic filtering policies operate reliably and helps you control which traffic Stellar Cyber processes and analyzes.

  • Strengthened validation in the password reset process to prevent domain injection in reset emails. The reset link now derives the domain from the configured web server collection rather than untrusted request headers, blocking domain injection in password reset emails. No configuration change is required, and valid requests continue to function as before.

  • Resolved an issue that caused incorrect CPU utilization readings on high-core Windows systems. On hosts with more than 56 logical processors, Windows Server Sensors sometimes incorrectly reported 100% usage. After upgrading to 6.4.0s, dashboards and sensor status views now display accurate CPU utilization.

  • Resolved an issue where embedded HTML in ingested event fields could trigger unexpected redirects or 404 errors in alert tables. Stellar Cyber now escapes HTML in fields such as description, preventing errors when sorting by Alert Score, filtering results, or opening alert details. This change applies to Operational View dashboards and other alert tables. Sorting and filtering now function correctly across all time ranges.

  • Resolved an issue where saved alert filter tests and Query Builder executions could fail due to oversized request headers. In multi-tenant environments, this condition triggered HTTP 431 errors and caused saved filters to return zero results. Saved filter tests now return results consistent with equivalent ad hoc queries in Query Builder.

  • Corrected field typing for azure_ad.status.errorCode to support matching on Microsoft Entra sign-in events with error code 53003. The Microsoft Entra Sign-in Failures rule and the Sign-in Failure Due to Conditional Access child rule now evaluate the numeric code directly, ensuring detections trigger as expected. This update applies to newly ingested data. To evaluate historical data, you might need to reindex the affected indices. Ensure Microsoft Entra sign-in log collection remains enabled and that the detection is active to generate alerts.

  • Corrected the default behavior of newly observed IP address detection within DNS Tracking enrichment. Detection now activates only when DNS Tracking enrichment is enabled and properly configured. Environments with DNS Tracking disabled no longer generate newly observed IP address detections. To use this capability, enable DNS Tracking enrichment and define the domains or IP addresses you want to monitor.

  • TLS could not be enabled for secure syslog ingestion on TCP 6514 unless a custom parser file was present. This created an unnecessary dependency that prevented secure log forwarding from working as expected in standard configurations. TLS now activates for the configured ingestion entry without requiring /etc/td-agent/customer_log.conf. This fix ensures secure syslog ingestion works as expected without additional configuration dependencies.

  • Restricted access to the internal system monitoring service that collects operating system performance and health metrics from Data Processor nodes. This service was previously reachable on port 9100 from other machines on the network without authentication. It's now accessible only within the Stellar Cyber Platform; external systems can no longer directly retrieve node monitoring data. This change eliminates unauthenticated exposure of system information and strengthens platform security.

  • Clarified the alert descriptions for External and Internal User Data Volume Anomaly to reflect session-based evaluation. Descriptions no longer reference a 5-minute interval and now explain that the detection evaluates totalbytes across the entire firewall session.

  • Improved global text search performance in Asset Analytics to reduce query latency and return consistent results across asset attributes at scale. Searches now execute more efficiently while maintaining accurate matching across asset data. You can enter keywords in the Search field and optionally apply filters to narrow results by asset type or classification.

  • Resolved an issue where the Microsoft Entra ID Revoke sign-in sessions action name did not display correctly in User Actions and Create User views. The action name now appears consistently in lists, selectors, and related records, ensuring clear identification when reviewing and creating user response actions.

Upgrading Sensors

Depending on the type of server sensor, you can upgrade your sensors directly to version 6.4.0 from these previous versions:

  • Linux Server Sensors: 6.2.0 or 6.3.0

  • Windows Server Sensors: 5.1.0 through 6.3.0

Upgrade the sensors to version 6.4.0 using the following process:

  1. Prepare for the upgrade.

  2. Upgrade the sensors.

  3. Verify the upgrade.

Prepare for the Upgrade

To prepare for the upgrade:

  • Make sure the sensors are up and running
  • Take note of the ingestion rate for the sensors to be upgraded in the Sensor Details page
  • Make sure the system health indicators in the Sensor Details page all show green.

Upgrade the Sensors

New features, updated ML algorithms, and enhanced configurations may change ingestion and detection patterns. We recommend the following to ensure a smooth upgrade:

  • Upgrade sensors with the Sandbox and IDS features enabled before sensors with the only the Network Traffic feature enabled. Sensors with Network Traffic enabled send data to sensors with Sandbox and IDS enabled for additional processing.
  • Upgrade sensors in batches instead of all at once.
  • For server sensors (agents):
    • Upgrade a small set of sensors that cover non-critical assets.
    • After 24 hours, ensure that your ingestion is as expected, then upgrade a larger set.
    • After 24 hours, ensure that your ingestion is as expected, then upgrade the remaining server sensors.

CentOS 7.1 Prerequisite – Update curl to 7.29.0-59.el7_9.2 or Higher

Before upgrading any Linux Server Sensors running in CentOS 7.1, you must check your curl version and update it to 7.29.0-59.el7_9.2 or higher to use the strong encryption required by the Stellar Cyber Platform.

  1. Check your curl version as shown below:

    yum list installed curl

    \* Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile Installed Packages curl.x86_64 7.29.0-19.el7

  2. If the listed version is lower than 7.29.0-59.el7_9.2 (as it is in the example above), use the following commands to update the curl package:

    yum makecache

    yum install curl

  3. If installation of the curl package fails, it is most likely because CentOS is trying to use a repo that has reached its end of life. Try updating the base URL and then reinstall curl. The following sed command makes the necessary changes for most environments to ensure that the updated curl package can be installed:

    sudo sed -i.bak -e 's|^mirrorlist=|#mirrorlist=|' -e 's|^#baseurl=http://mirror.centos.org/centos/\$releasever|baseurl=http://archive.kernel.org/centos-vault/7.9.2009|' /etc/yum.repos.d/CentOS-Base.repo

To upgrade sensors:

You can upgrade a sensor to the most recent release from the two previous releases. This means that you can upgrade a sensor to the 6.4.0 release from any 6.2.x or 6.3.x release.

If you are upgrading a Windows Server Sensor, complete any pending updates for the host Windows machine before upgrading the Server Sensor.

  1. Select System | DATA SOURCE MANAGEMENT | Sensors | Sensors.

    The Sensor List appears.

  2. Select Manage | Software Upgrade.

    The Sensor Software Upgrade page appears.

  3. Choose the target software version.

  4. Choose the target sensors.

  5. Select Submit.

Verify the Upgrade

To verify that the upgrade was successful:

  • Check the Software Version in the Sensor List.
  • Check the Sensor Status LED in the Sensor List.
  • Check the ingestion rate in the Sensor Details page for upgraded sensors and make sure it is as expected.