Stellar Cyber 5.5.0 Release Notes

Software Release Date:
Release Note Updated:

The Stellar Cyber 5.5.0 release brings the following exciting improvements to the Stellar Cyber Open XDR platform.

The release notes are organized into the following sections:

Highlights

  • New UI (public preview) – A new user interface introduces a more intuitive navigation structure and a new theme engine that adds a light mode option to the UI.

  • Detection Profiles – Through detection profiles, you can tune and customize detections per tenant. Previous detection settings were configured globally, but with the introduction of profiles, these can now be specified at the tenant or tenant group levels.

  • User-scoped API Tokens – API tokens are now scoped to specific users and inherit those users' permissions and scopes, allowing you more granular control over permissions linked to each API token.

  • RedSense Threat Intelligence Integration – Leverage the RedSense premium threat intelligence feed to enhance detection capabilities with enriched, high-fidelity threat data. To take advantage of this feature, simply use your own RedSense subscription.

  • Case Suppression – Through the use of case filters you can apply criteria that, if matched, prevent the creation of cases that don't need to be investigated. This helps reduce noise so you can focus on those cases that do require investigation.

  • Pre-DPI Traffic Filtering – A new filtering capability lets you filter out unwanted traffic to reduce processing load before Deep Packet Inspection (DPI) occurs.

  • Resource-Intensive Query Warnings – Warnings now appear when resource-intensive queries are constructed. The warnings raise awareness about the types of queries that consume an outsized amount of platform resources and offer suggestions on how to make them more efficient.

  • Query Builder Enhancements – Query builders embedded on feature pages now pop out to the full query editor with more screen real estate and testing functionality. The ability to test alert filters and case filters directly from the filter builder has been added as well.

  • Case Alert Closure Setting – A new global setting lets you specify whether all alerts related to a case are automatically closed when the case is marked Resolved or Cancelled, including cases closed via the API or InSyncs. Added a global setting that specifies the default behavior for closing alerts when a case is closed.

  • Alert Document ID – Alerts now include a globally unique document ID by appending an encoded stellar_index_id to the stellar_uuid. This enhancement enables consistent alert tracking and supports integration with downstream tools.

  • Blackberry Cylance Responder Templates – Four new webhook responder templates have been added for Blackberry Cylance, enabling automated actions to add or remove entries from Global Quarantine and Global Safe lists via the Universal Webhook Responder.

Actions Required

  • Update any scripts that reference Aliyun/AliCloud fields inside msg_data because the Aliyun/AliCloud parser now places them at the top level of the Interflow record. For the complete list of fields that were moved, see DATA-2339.

  • Improved the Aliyun/AliCloud parser to have extra parsing for the following fields, they will be stored as “aliyun.# {original_name} _obj“ instead when they’re JSON or an array of JSONs: ['trail_detail', 'detail', 'object_ref', 'response_status', 'user', 'raw_data'].

  • Changed the normalization rule for the process_id field to process.pid for the Aliyun/AliCloud parser.

  • If you use correlations that rely on the time boundary feature, switch to the time range configuration on each query, which will run more efficiently.

  • If you previously used user-level filters to control access to certain information in the data lake, partition this data into separate tenants to control access to that information more effectively.

Behavior Changes

Changes that affect the way users interact with the product or interpret results are listed below.

  • Normalization for computer_name is now derived from sophos.username for the Sophos Central connector.

  • Improved the resolution of the srcip_host field in msgtype99 records by enriching it from additional fields. Previously, srcip_host only reflected the value from the srcip_host field in the original record. The srcip_host field is now enriched using values from hostip_host, host.name, and dstip_host when the srcip matches the hostip, host.ip, or dstip fields in the original record. This enhancement provides more complete hostname resolution in enriched flow records, improving data quality for investigations and analytics.

  • Moved the following fields from msg_data under the fortinet field in the Fortinet FortiAnalyzer parser: server, authserver, status, mac, ip, vendor, model, versionmin, versionmax, vulnresult, vulncnt,and version.

  • Updated the Ivanti Connect Secure parser to support logs prefixed with an octet count and added new regular expressions for parsing syslog message components.

  • Standardized Keycloak parser field locations by moving fields from keycloak.details to keycloak, ensuring consistent normalization across old and new log formats.

  • Updated SQL log normalization by changing the ip field from nxlog.ip to the standard srcip field.

  • Changed the normalized field for remip from fortinet.remip to remote_ip when the value is a valid IP address.

  • Updated normalization rules for the Cisco ISE parser.

    For both on-prem and SaaS versions, the device_ip_address field is no longer normalized as srcip and is now retained in the vendor namespace. Additionally, the calling_station_id field is normalized as srcip when its value is a valid IP address.

    For the SaaS version only, a typo was corrected so that DestinationIPAddress is now normalized as dstip instead of srcip. The device_port field is also retained in the vendor namespace and is no longer normalized as srcport.

  • Updated the LEEF parser to align with the format specified in the new LEEF standard for using the proto field. Protocol values such as http, https, ssl, and other values that do not map to standard transport or application protocol fields are now normalized under the vendor namespace as {vendor}.proto_name.

  • The fields Action, URL, and Sha256 in Cisco logs are now normalized as action, url, and file.hash.sha256, respectively. All other fields are retained under the cisco vendor namespace.

  • In the Fortinet FortiAnalyzer parser, the attack field is now enriched and normalized as threat. Additionally, any log containing a sessionid field is now treated as a firewall log.

  • For CyberArk Privileged Threat Analytics (PTA) CEF ingestion, the request_id, ticket_id, affected_user_name, device_type, database, other_info, externalid, and reason fields have been moved from msg_data to the vendor namespace.

    The log.event_description field is now removed when its value can be parsed into cyberark.Value and cyberark.Old_Value.

    In addition, when cef_device_vendor is "CyberArk" or "Cyber-Ark" and cef_device_product is "Vault", the fields dev_type, msg_origin.source, dev_class, and msg_class are set to cyberark_vault, and msg_origin.category is set to iam.

  • In the Cisco Router Switch parser, normalization was added for several fields. The cisco.description_obj.user field is now mapped to user.name, and cisco.description_obj.Source is normalized as srcip. The cisco.mnemonic field is enriched as login_type when the value is LOGIN_FAILED or LOGIN_SUCCESS. Additionally, cisco.description_obj.localport is now normalized as dstport.

  • The detection previously identified by xdr_event.name as azure_unusual_account_creation and xdr_event.subtype.name as azure_ad_account_created_deleted has been removed. It is replaced by a new detection with xdr_event.name set to account_created_deleted_in_short_timeframe and display name Account Created and Deleted within a Close Timeframe.

  • Enabling the Case Filters feature as part of the Early Access Program (EAP) hides the Case Visibility setting in Cases | Global Case Settings. If you used Case Visibility to apply a global filter and then enabled Case Filters, you now need to filter results per context—using saved queries or ad-hoc filters at the table or view level. If you don't enable Case Filters, Case Visibility remains available in this release. If Case Filters becomes generally available, Case Visibility is expected to be removed.

Deprecated Features

There are no deprecated features in this release.

Detection/ML

New Features

This release introduces new detections that might be relevant to your environment. These detections are enabled by default and can result in an increased volume of alerts depending on your deployed data sources and use cases. To ensure the alerts are actionable, Stellar Cyber recommends reviewing the applicability of each detection to your environment. You can then disable, suppress, or apply alert filters to detections that do not align with your operational requirements..

Improvements

  • Isolated specific Sigma rules with heavier workloads into separate detection jobs to improve performance in larger deployments. This change ensures that detection and rule settings in the Detection Management module remain valid and do not produce duplicates. Focused on reducing performance bottlenecks while preserving the integrity of existing rules and detections.

  • Added Sigma rules into the DNS detection framework. This enhancement allows for improved identification and management of potential security threats within DNS traffic. The update includes integration of new Sigma rules, and adaptation of established rules tailored for DNS environments, ensuring heightened detection capabilities. You can now benefit from advanced threat detection by leveraging these rule integrations, leading to proactive security measures in handling DNS-related anomalies. See Rule-Based Alert Types.

  • Added Detection Profiles to the Detection Management System to support granular detection rule management in multi-tenant environments. Rules can now be configured as ON, OFF, or SILENT per tenant, with independently adjustable alert suppression intervals. Detection Profiles can be created from a default configuration and applied to multiple tenants. Profile changes automatically propagate to all assigned tenants. See Using the Detection Management System.

  • Normalized the following fields in Netskope alerts to align with standard schema and improve detection:

    • netskopewsg.srcip → srcip

    • netskopewsg.dstip → dstip

    • netskopewsg.user → user.name and username

    • netskopewsg.url → url

    • netskopewsg.useragent → user_agent.original

    • netskopewsg.domain → domain_list

  • Added support for Impossible Travel and User Login Location Anomalies to use logins that have login_result:mfa_success. A 10% fidelity score reduction is applied to alerts with MFA due to the increased likelihood of the login being authentic. For logins that generate multiple records, a non-MFA record is prioritized for alert generation due to reduced data in MFA records. Impossible travel alerts record whether MFA is present for both logins via the has_mfa and has_mfa2 fields. See Machine Learning Alert Type Details.

    has_mfa and has_mfa2 are best-effort and are not guaranteed to be accurate, specifically when there are ingestion delays.

Usability

New Features

  • Added a Recipients array field to the columns for the Office 365 connector, enabling the creation of reports that include this field. Previously unavailable, this enhancement now allows visibility of Recipients data in downloaded reports.

  • Enhanced the alert system by integrating a Related Events tab in the SentinelOne alert dialog box, which summarizes related raw events. The new tab is available for alerts with msg_class: sentinelone_threat_detection, which lets you view related events and access the Threat Hunting table. This feature requires valid SentinelOne API credentials and proper alert configurations to function correctly.

  • Added Case ID field mapping to the Alerts table in the InSyncs configuration. Alerts mapped to a case now display the corresponding Case ID. If alerts are associated with multiple cases, they display a list of Case IDs. Alerts not mapped to any case show N/A or No Case Mapped. These enhancements improve the linkage between alerts and case management systems such as ServiceNow, ensuring alert consistency and traceability.

  • Implemented email notifications to users associated with API keys when their keys are revoked. This applies to the revocation of single or multiple keys, as well as when users revoke their own keys. The feature uses the existing email service to send these notifications, ensuring users are promptly informed about any changes to their API key status.

  • AELDEV-52571

    Added a Close all related alerts option to the Case Settings dialog box, which specifies whether all alerts related to a case are closed by default when the status of the parent case changes to either Resolved or Cancelled. When this option is enabled, alerts in cases closed through the API or InSyncs are also closed automatically.

    You can override this default setting for individual cases in the confirmation dialog box that appears when canceling or resolving a case. The Update the status of all alerts to Closed option is automatically set according to whatever you specify for this global default, but you can reverse the setting in the confirmation dialog for an individual case.

  • Added Microsoft Entra ID to the Connector dropdown menu that appears when Disable User is selected in the Actions section in Automated Threat Hunting (ATH) Playbook settings (Respond | Automation | Create or Edit). This addition allows increases interoperability in managing user access controls. If you don't see this option, it might need to be enabled. Contact your Stellar Cyber account manager to enable it.

  • AELDEV-49024

    Implemented per-user API keys. In previous releases, public API access was only available to users with Root scope and Super Admin privileges. With the introduction of per-user API keys, it's possible to enable more granular control over permissions. An account can only make calls to the public API endpoints available to its assigned RBAC privileges. This approach respects the industry-standard principle of least privilege, enables easy breach isolation, and allows immediate key revocation to contain any unauthorized access quickly.

  • Added support for an optional Alert Instance Description in the Create an Alert Type dialog box (Alerts | Create). It supports merge fields that let you include variables that render unique contextual details for each alert instance. When used, the text you enter overrides the text taken by default from the Alert Type Description. The Alert Instance Description appears in the Alert Details side panel and alert instance table.

  • Added a system warning that appears when a query is likely to consume excessive resources and affect performance. The warning helps you identify resource-intensive queries and encourages query optimization through best practices such as narrowing time ranges, avoiding full-text search, and reducing use of wildcards or nested aggregations. The warning does not block queries from being executed but does provide advice for improving efficiency.

  • Added a public API endpoint that allows the retrieval of data ingestion details per tenant on a daily and monthly basis. The API endpoint GET /storage-usages/daily_and_monthly provides information including tenant name, daily ingestion amounts, monthly ingestion amounts, and tenant ID (referred to as customer ID). This update lets clients access data ingestion metrics programmatically, facilitating enhanced usage tracking and reporting. If you don't see this endpoint, contact your Stellar Cyber account manager and request that it be enabled so you can use it.

  • Added a Test button to simulate alert and case filters directly in the builder in the Query and Filter Manager (System | Queries and Filters). When creating or editing a filter, the Test button lets you run the filter as a query to show representative results so you can validate the type of results returned.

  • Enhanced the public API to support the addition of tenants to a per-tenant ATH (Automated Threat Hunting) rule. This enhancement lets you automate the addition of tenants to existing ATH rules, facilitating seamless integration post-client PoC (Proof of Concept) processes. The update addresses the need for automation in managing tenant-specific ATH rules, reducing manual interventions. This functionality is accessible through the updated /api/alert_watchers endpoint. If you don't see this option, contact your Stellar Cyber account manager and request that it be enabled so you can use it.

  • Updated the public API to support modifications of existing queries. The {{/queries/{id}}} endpoint now supports the PUT verb, which lets you update an existing query.

Improvements

  • Updated the API to so you can set the resolution field when closing a case. You can now designate resolutions as False Positive, Benign, or True Positive. This feature, previously available only in the user interface, provides flexibility for automated workflows. Case closure operations can be performed using the HTTP PUT method, with the resolution specified in the payload. Attempts to set the resolution to unsupported values are disregarded.

  • Made alert context displays consistent by ensuring that associated case IDs are displayed (or available for display) everywhere alerts are shown.

  • Updated APIs for /storage-usages and /storage-usages/daily_and_monthly to support user-scoped access. This allows tenant and partner users to interact with these APIs. Ownership checks between the requester and target records validating org_id and tenant_id were introduced to enforce this access control and ensure proper authorization. This change expands API accessibility beyond root and super_admin users, while maintaining stringent security protocols.

  • Updated the Stormshield SNS Firewall action (Respond | Actions | Firewall Actions | Create) to apply only to incoming traffic. This change prevents configuration issues with the Stormshield SNS firewall platform.

  • Addressed the issue where editing or resizing a chart gadget on a dashboard (Visualize | Dashboards) triggered a refresh of all gadgets on the page. This led to excessive queries that potentially impacted performance. With this update, resizing a chart gadget no longer prompts any refresh. During the gadget editing process, only the current gadget is updated, preventing unnecessary operations on the remaining gadgets and optimizing resource usage.

  • Enhanced dashboard PDF export functionality to let you set the resolution (Respond | Reports | Exported Dashboards, select an exported dashboard | Schedule | PDF TypePreserve Layout | Zoom Level). This addresses previous rendering issues like truncated data and overlapping labels by providing more control over the export appearance.

  • AELDEV-49139

    Added a new theme selector that lets you toggle between light and dark color palettes. This feature is in public preview. This feature can be enabled through the feature preview menu (username| Feature preview | ThemingEnable). Once you've enabled the Feature preview for Theming, you can switch between the Light Theme and Dark Theme using the corresponding entries under the user menu at the top right of the main menu.

  • AELDEV-47841

    Redesigned the header and side navigation components to improve usability and ease of navigation throughout the platform. This feature is in private preview. This feature can be enabled through the feature preview menu (username| Feature preview | ThemingEnable).

  • Removed the previously deprecated Use a query as preset filter option (System | Users | Create or Edit). User-level filters are no longer applicable and any existing filters have no effect.

  • Added the ability to open the full query builder from embedded query builder views, and maintain state between the different editors. This makes it easier for you to build complex queries in context.

  • Added an enhanced help menu in global navigation. This feature can be enabled through the feature preview menu (username | Feature preview | ThemingEnable).

  • Added an enhanced Notifications menu in global navigation. This feature can be enabled through the feature preview menu (username | Feature preview | ThemingEnable).

  • Added an enhanced tenant selector menu in global navigation. his feature can be enabled through the feature preview menu (username | Feature preview | ThemingEnable).

  • Added an enhanced user menu in global navigation. his feature can be enabled through the feature preview menu (username | Feature preview | ThemingEnable).

  • Enhanced global navigation. his feature can be enabled through the feature preview menu (username | Feature preview | ThemingEnable).

Stellar Cyber Platform

New Features

  • Added a warning prompt when attempting to delete a sensor profile that still has associated installation tokens. You'll be informed that deleting the sensor profile will invalidate these tokens. This enhancement serves as a safeguard to prevent unintentional invalidation of tokens. The implementation introduces a prompt if there are associated tokens, ensuring you're aware of the consequences of this deletion.

  • Implemented support for merge fields in custom alert names and alert descriptions in the Alert Configuration section of an Automated Threat Hunting (ATH) rule (Respond | Automation | Create). You can now dynamically insert contextual information into alerts.

  • AELDEV-42968

    Added the document ID to the alert key fields, which lets you manage and track alerts using this identifier. This integration assists in event referencing across downstream tools. It appends an encoded stellar_index_id to stellar_uuid to ensure global uniqueness and applies to all alerts.

  • Added {{buf_log_usage_percent}} in Sensor Monitoring (message ID 36). It displays the percentage of buffer used. You can create alerts based on the field value. The alert will trigger based on specific criteria, such as exceeding a percentage threshold of buffer usage. It lets you take corrective actions, like increasing buffer size or upgrading sensors. This enhancement provides real-time notifications so you can better manage data flow and avoid data loss during high log volumes.

Improvements

  • Added a warning prompt that appears when attempting to delete a sensor profile. The prompt informs you if the profile is associated with existing installation tokens. Deleting such profiles will render those tokens invalid. This ensures that you're aware of the impact the deletion has on deployment tokens before proceeding and helps prevent the accidental invalidation of tokens that are still in use.

Sensors

New Features

  • Added network traffic filters that are enforced before traffic is processed through the Deep Packet Inspection (DPI) engine. This enables more efficient filtering on layer 2-4 attributes, optimizes the utilization of sensor resources, and improves sensor throughput. Note that the pre-DPI filter behavior can vary from source host and destination host filtering. You configure and apply pre-DPI filters in Sensor Profiles.

Improvements

Connectors

New Features

Improvements

Parsers

New Features

Improvements

  • Moved the following fields from msg_data to aruba fields for the Aruba ClearPass CEF parser:

    arubaclearpassauthrequestid, arubaclearpassauthapname, arubaclearpassautherrorcode, arubaclearpassauthnasidentifier, arubaclearpassauthnasporttype, arubaclearpassauthssid, arubaclearpassauthauthstatus, arubaclearpasscppmerrorcodeerrorcodedetails, arubaclearpasscppmerrorcodeerrorgroupdetails, authentication_protocol, enforcement_profiles, arubaclearpassradiusarubauserrole, arubaclearpassradiuscallingstationid, arubaclearpassauthtlsversion, arubaclearpassauthauthmethod, arubaclearpassradiusterminationcause, user_name, end_host_id, source, nas_ip, cppm_node, service_name, roles, enf_profiles, calling_station_id, ap_name, framed_ip_address, nas_name, nas_port_type, ssid, tls_version, auth_method, request_status, service_type, alerts, filter, attributes, authentication_source, aruba_user_role, authentication_inner_method, arubaclearpassauthusertype,host_ip

  • Improved the Linux Syslog parser to extract additional fields from accepted authentication logs. Added support for parsing and normalizing the method, username, and srcip fields from SSH login events. These fields are extracted into the log.syslog namespace and normalized at the top level for better visibility and consistency. To ensure consistent parsing across different syslog formats, enhancements were validated on common Linux distributions, including Amazon AMI and Ubuntu.

  • Expanded the EfficientIP SOLIDserver DDI parser to extract key information from previously unparsed log sections. The parser now captures and normalizes details such as the client IP address, DNS query domain, resource record type, and DNS server IP address. This enhancement provides deeper visibility into DNS request activities and improves the usability of the parsed data for threat hunting and analysis.

  • Enhanced SonicWall log parsing to correctly associate forwarded logs with the original tenant and sensor, resolving prior attribution errors. The in_beats.rb file was updated to extract and preserve forwarder_engid, forwarder_engid_name, tenantid, and tenant_name from the originating Windows Sensor, alongside the engid and engid_name of the receiving Modular Sensor. Forwarded SonicWall logs now accurately display both the original and receiving metadata, ensuring proper tenant assignment and data integrity in multi-tenant environments.

  • Enhanced the Barracuda Firewall parser to accurately extract user and action fields from logs received on port 5524. In addition, the parser now correctly processes cases where action values are missing. These improvements ensure more complete and consistent event parsing for firewall login and authentication activity.

  • Reorganized Fortinet FortiAnalyzer parsing by relocating specific fields from the msg_data object to the nested fortinet object. The affected fields include: server, authserver, status, mac, ip, vendor, model, versionmin, versionmax, vulnresult, vulncnt, and version.

  • Improved the Cisco Firepower parser to parse the following messages in detail:

    • 106001 – A TCP connection was built.

    • 106006 – A TCP connection was denied due to an ACL.

    • 106007 – A TCP connection was denied due to a Layer 3 or Layer 4 filter.

    • 106010 – A TCP connection was closed.

    • 106015 – A TCP connection was torn down.

    • 106018 – An ICMP connection was denied due to an ACL.

    • 106100 – A UDP connection was built.

    • 106102 – A UDP connection was denied due to an ACL.

    • 106103 – A UDP connection was torn down.

  • Updated the Ivanti Connect Secure parser to support logs prefixed with an octet count and added new regular expressions for parsing syslog message components.

  • Enhanced the Cisco Umbrella parser to enrich these fields: dns.question.name, dns.question.registered_domain, and dns.question.top_level_domain using values derived from domain_list. This provides more detailed domain-level context for DNS logs.

  • Standardized Keycloak parser field locations by moving fields from keycloak.details to keycloak, ensuring consistent normalization across old and new log formats.

  • Improved the NXlog parser to have different normalizations for the ip field in the SQL log. Instead of moving it into the vendor namespace, it's now normalized as srcip.

  • Changed the normalized field for remip from fortinet.remip to remote_ip when the value is a valid IP address. Other values remain in fortinet.remip.

  • Updated the Ivanti Pulse Secure parser to handle logs where optional fields such as Realm and Role are missing. Improved the regular expression to support a broader range of log formats, ensuring detailed parsing even for web request logs, unauthenticated access attempts, and session events. This enhancement increases parser resilience and ensures consistent event normalization across diverse Ivanti Pulse Secure log types.

  • Updated the Trellix EX (FireEye) CEF parser to extract the flexString2 field, which contains the subject line of an email, and normalize it under the field name subject. This enhancement ensures that email subject information is consistently captured during ingestion, improving visibility for email-based threat investigations.

  • Updated the IBM i (AS400) parser to handle new log formats containing the Accepted (SIM) => prefix, where fields appear in readable message form rather than strict key-value pairs. Enhanced the parser to use regex extraction for these logs and normalized the Time field to event.timestamp. These improvements ensure robust parsing across both traditional and new free-text IBM AS400 log formats.

  • Adjusted normalization rules for the following fields in the Cisco ISE parser:

    • For both on-prem and SaaS versions, the device_ip_address field is no longer normalized as srcip and is now retained in the vendor namespace. Additionally, the calling_station_id field is normalized as srcip when its value is a valid IP address.

    • For the SaaS version only, a typo was corrected so that DestinationIPAddress is now normalized as dstip instead of srcip. The device_port field is also retained in the vendor namespace and is no longer normalized as srcport.

  • Improved the Fortinet - FortiGate (CEF) parser to parse the requestmethod field from msg_data.

  • Enhanced the Fortinet FortiMail parser by extracting and normalizing several fields previously located in the msg_data object. The updated parser now normalizes the following fields directly: dst_ip, log_part, subject, wf_cat_id, virus_id, virus_name, signature_id, and disposition. This improves data accessibility and consistency for downstream analysis.

  • Enhanced the Trellix FireEye HX parser to recognize and normalize a broader range of log message types, including custom formats. Updates included regex optimization and parser configuration adjustments to accommodate new message structures.

  • Refined the LEEF parser to automatically remove unnecessary leading and trailing single quotation marks from field values. Additionally, updated the parser to handle the proto field according to the new LEEF standard. Values such as http, https, ssl, and other unsupported protocols are now normalized under the vendor namespace as {vendor}.proto_name.

  • Enhanced the parser to extract key=value pairs from the palo_alto_networks.description field in SYSTEM log messages. These values are now normalized into individual fields and mapped to ECS or custom fields where applicable, improving field-level visibility and supporting more granular analysis.

  • Expanded the Cisco Umbrella parser to recognize logs with RFC-3164 syslog headers and a common Logstash header format. Added support for seven additional CSV log variants. Improved field normalization by mapping "Action," "URL," and "SHA256" to Stellar Cyber standard fields, while moving other fields into the vendor namespace. The parser now also uses the internal timestamp in the log as the event timestamp to ensure more accurate record alignment.

  • Expanded the Cisco routers and switches parser to recognize and extract fields from additional log message types. This update improves normalization coverage and enables more detailed parsing of operational and access logs across diverse Cisco device configurations.

  • Improved field extraction in the Forescout parser to support updated log formats. Added support for extracting fields such as Function, 802.1x Calling Station ID, 802.1x NAS ID, Credential Vulnerability, Login Credentials, Communication Protocol, and Member Of.

  • Added new log format support for the Barracuda Firewall parser to address compatibility issues with events sent in key=value format. The update enhances parsing accuracy for logs received over port 5524, including those with variations in header formatting and space alignment. This change ensures successful extraction of fields such as proto, srcIP, dstPort, and others, which previously triggered header-matching errors in the parser.

  • DATA-2339: Improved the Aliyun / AliCloud parser to parse more fields.

    Improved the Aliyun / AliCloud parser to extract additional fields when their values are JSON objects or arrays of JSON objects. The fields trail_detail, detail, object_ref, response_status, user, and raw_data are now parsed and stored as aliyun.<original_name>_obj. Additionally, the normalization rule for the process_id field is now mapped to process.pid.

    The following fields were also moved out from the msg_data to the aliyun vendor namespace and other containers within Interflow records: "ali_uid", "api_version", "asset_ip", "asset_port", "audit_id", "bypass_id", "bytes", "cdn_in", "cdn_out", "check_item", "check_item_level", "check_item_name", "check_level", "check_type", "city_id", "class_name", "client_mode", "cmd_line", "connection_type", "container_file_path", "container_host_name", "container_machine_ip", "container_mip", "data_type", "defense_action", "docker_proc_path", "dst_ip_region", "end", "eni-id", "err_msg", "error_message", "file_gid_name", "file_name", "file_path", "file_uid_name", "get_request", "gid", "gid_name", "host_instance_id", "host_ip", "inter_ip", "intranet_in", "intranet_out", "ioc_ip", "ip_version", "k8s_cluster_id", "k8s_name_space", "k8s_node_name", "k8s_pod_name", "kind", "last_login", "metering_datasize", "metering_datasize_ca", "metering_datasize_zrs", "metering_datasize_zrsii", "net_connect_dir", "network_in", "network_out", "ori_path", "ori_source", "ori_topic", "os_name", "os_type", "packets", "parent_cmd_line", "parent_file_name", "parent_file_path", "parent_proc_id", "parent_proc_name", "parent_proc_path", "parent_proc_start_time", "pcmdline", "platform", "proc_id", "process_img", "process_img_size", "project", "put_request", "raw_data", "raw_ts", "remote_ip", "reqeust_path", "request_object", "response_object", "scan_time", "sid", "src_ip_list", "src_ip_region", "srv_cmd", "stage", "stage_time_stamp", "start", "storage", "storage_type", "sub_type_alias_name", "suspicious_event_id", "sync_in", "sync_out", "tcp-flags", "template_id", "transport_protocol_name", "transport_protocol_status", "type_alias_name", "u_name", "unique_info", "verb", "vm-id", "vpc-id", "vswitch-id", "vul_alias_name", "vul_name".

  • Enhanced the Apache HTTP Server parser to properly handle placeholder values, such as a dash (-), in fields that might appear empty in logs. This ensures that logs using - for missing values—such as in response_byte—are parsed correctly without generating errors or failing field extraction.

  • Enhanced the Fortinet FortiAnalyzer parser to enrich the attack field as threat. In addition, logs containing a sessionid field are now classified as firewall logs. For these logs, the msg_class, msg_origin.category, and dev_class fields are all set to firewall.

  • Moved the request_id, ticket_id, affected_user_name, device_type, database, other_info, externalid, and reason fields from msg_data to the vendor namespace.

    The log.event_description field is now removed when its value can be parsed into cyberark.Value and cyberark.Old_Value.

    In addition, when cef_device_vendor is "CyberArk" or "Cyber-Ark" and cef_device_product is "Vault", the fields dev_type, msg_origin.source, dev_class, and msg_class are set to cyberark_vault, and msg_origin.category is set to iam.

  • Added support for a new log format in the Linux Audit parser that includes a syslog-style header. This header introduces the syslog_appname and syslog_procid fields, allowing for improved attribution of events to originating processes and applications.

  • Enhanced the Cisco Router Switch parser by normalizing several additional fields. The cisco.description_obj.user field is now mapped to user.name, and cisco.description_obj.Source is normalized as srcip. The cisco.mnemonic field is enriched as login_type when the value is LOGIN_FAILED or LOGIN_SUCCESS. Additionally, cisco.description_obj.localport is now normalized as dstport.

Early Access Program

If you're interested in testing out new features ahead of general availability, consider joining the Early Access Program (EAP) by contacting your Stellar Cyber Customer Success representative and telling them which EAP feature you want to test. Once you've agreed to the EAP terms and signed up, the EAP feature is unlocked for you.

The purpose of this program is to boost performance and reliability through real-world customer insights, giving you a hands-on role in shaping a Stellar Cyber feature. In return, you'll receive early access to upcoming releases and the chance to guide product development.

Case Suppression

Case Suppression is a new EAP feature that helps reduce noise by automatically hiding low-priority cases based on customizable case filters. This keeps your team focused on what matters most without losing visibility into critical threats. Enrolling in EAP gives you early access to this capability and a chance to shape its development. If you’d like to participate, contact your Customer Success representative.

Operational Notes

There are no operational notes for this release.

Resolved Issues

Known Issues

  • When you add a connector in 5.5.0 (System | Connectors | Create), XDR and IT Management appear in the Category list. Although no connectors are available within these categories in the Type list, XDR and IT Management do appear as categories in anticipation of a future release. These categories are not functional in 5.5.0 and are intentionally empty. No action is required.

  • The unset dns command may not work correctly when DHCP is enabled for a sensor's management interface. Changes to DNS settings with the unset dns command may be overwritten by a DHCP refresh. Use the show dns command a few minutes after running the unset dns command to verify settings.

  • In multi-tenancy deployments, when Interflow records lack a tenant_id, the Stellar Cyber Platform incorrectly assigns them to “unknown” instead of assigning them to the same tenant as the sensor that forwarded the records.

  • Log filters for the ColorTokens parser cannot be created automatically because the device type contains multiple values. Workaround: After sending a ColorTokens log, find the msg_origin.source field in the event record and use its value when creating the log filter.

  • Importing security rules via the Import Custom Security Rules page might cause the upload process to hang without providing a status update. If this happens, refresh the browser.

  • A query might not produce consistent search results if the field is set for a time, the value includes milliseconds, and the operator is set as is or is not. Workaround: When you define a query with a time field and a value that includes milliseconds, it’s not recommended to use is or is not as the operator. For more consistent search results, use one of the following operators instead: greater than, greater than or equal to, less than, less than or equal to, or in range.

  • When searching the Asset Analytics tab for an IP address, make sure you set the Search Column to Friendly Name, IP, or IP History. Searches for IP addresses with the Search column set to its default value of All do not work correctly. This will be fixed in a later release.

  • The Cylance responder is unable to perform the Contain Host action due to a limitation in the Cylance REST API. All requests return a 500 Internal Server error response.

  • Stellar Cyber recommends that you do not use the same login credentials to configure Azure or Azure Active Directory connectors for multiple tenants in the same company.

  • Windows Server Sensor installation can trigger the installation of Microsoft Visual C++ on the host machine if it isn't installed already. If the installation of Visual C++ fails, the Windows Server Sensor might not be able to decode the token used to authorize and configure its installation, leaving it unable to register with stellarcyber.cloud. If this happens, use the following steps to proceed:

    1. Update and restart the host Windows machine to repair the Microsoft Visual C++ installation.

    2. Either reinstall the Windows Server Sensor or use the set token command in the Sensor CLI to authorize and configure the existing installation.

  • The Log Forwarder only collects statistics for up to 100 different log source IP addresses per Log Forwarder worker. If the total number of log source IP addresses exceeds 100, statistics for the additional log source IP addresses are aggregated into the catch-all IP address of 0.0.0.0.

  • When multiple traffic filters are defined for a tenant with the same combination of IP address, port, protocol, and layer 7 rules, the filter might fail to take effect. If this happens, review the defined traffic filters and make sure there are no duplicate definitions.

  • If you change the network interface configuration of a sensor VM after deployment, the eth0 interface might be remapped to a new interface. If this happens, the management network is disconnected. Contact Stellar Cyber Customer Success for assistance.

  • The Sensor content type for the Cybereason connector requires the System Admin role and Sensor Admin L1 role (if your Cybereason environment uses sensor grouping) to collect.

  • Due to an ongoing issue with the Cybereason Query Sensors API, the Cybereason connector might not always be able to retrieve host IP addresses, resulting in missing host information in alerts and incomplete case correlation.

  • When a new tenant is onboarded, the rare-type alerts (anomaly_tag:rare) triggered from Private/Public to Private/Public Exploit Anomaly, Scanner Reputation Anomaly, External / Internal Non-Standard Port Anomaly, Carbon Black:XDR Anomaly, and CylanceOPTICS:XDR Anomaly may have an unusually large days_silent and a higher than usual fidelity. This issue will be addressed in a future release.

  • If you use a Cynet connector to perform a Contain Host or Shutdown Host on a host that is already disabled, shutdown, or otherwise not reachable, Cynet returns a status that the request was successful which is reported in the Stellar Cyber UI. If you are not certain whether an action was successful, you may verify it in the Cynet dashboard.

  • Operators are enabled in pick list menus when they are supported with the selected field or rule. For this reason, use the menu-based queries rather than the Search keyword field with these operators. Examples include contains, does not contain, and is operators. Additional fields/rule support will be added in the future.

  • Log Forwarder only collects statistics for limited different log source IP addresses per Log Forwarder worker. If the total number of log source IP addresses exceeds the limit, the additional log source IP address statistics will be aggregated into a catch-all IP address of 0.0.0.0.

    In releases prior to 5.1.1, the limit had been 100 sensors, but it was increased to 200 sensors with more than 8 GB of memory in the 5.1.1 release.

  • When a modular sensor is configured as a Log Forwarder-only sensor (Network Traffic and other features are not enabled), the Log Forwarder might periodically restart if there isn't enough sensor memory. Stellar Cyber recommends that the sensor memory (in GB) be at least 1.5 times the CPU core number. For example, if the sensor has a total of 8 cores, the sensor should have at least 8 * 1.5 = 12 GB of memory.

  • A modular sensor upgrade will fail when the associated modular sensor profile has the IDS or Sandbox features enabled and the corresponding feature license is not assigned to the sensor. Workaround: Authorize the sensor with an IDS and Sandbox license, or in the modular sensor profile, disable the IDS and the Sandbox features and try to upgrade again.

  • When multiple traffic filters in different tenants are defined with the same combination of IP, port, protocol, and layer 7 rules, the sensor only takes the filter belonging to the same tenant with the sensor and ignores the others. Administrators should review the defined traffic filters and avoid creating duplicate definitions.

  • Files might not be assembled by Security Data Sensors for traffic mirrored from physical interfaces on Cisco Nexus 9K models. As a workaround, configure VLAN mirroring on the Cisco switch.

  • If you change the network interface configuration of a sensor VM after deployment, the eth0 interface might be remapped to a new interface. If this happens, the management network becomes disconnected. Contact Customer Success for assistance.

  • If you configure a sensor aggregator using its hostname instead of its IP address, you can not see the aggregator in the Sensor List. This does not affect the sensor's ability to communicate with the DP through the aggregator.

  • Deleting Elasticsearch data from the Root Tenant in the System | Data Management | Advanced tab deletes data from sub-tenants as well.

Stellar Cyber Platform System Requirements

You must install the Stellar Cyber Platform in an environment that meets or exceeds minimum system requirements. Refer to the following sections for the minimum system requirements for different target environments:

System Requirements for Cluster Installation in VMware ESXi

You can install the Stellar Cyber platform on a dedicated ESXi server running VMware ESXi 8.0, 7.0 or 6.7. The target ESXi server must have sufficient resources to support separate virtual machines for the Data Analyzer, Data Lake, and, if installing as an Integrated Data Processor, the Modular Sensor. The specifications in the table below are sufficient to support a Stellar Cyber deployment with up to 300GB of daily ingestion.

Keep in mind the following:

  • Each VM (DA, DL, and MDS) must be thick-provisioned and requires 500 GB of SSD disk space.

  • You can install all three of the VMs in the same datastore if there is sufficient space for both the VMs and the 12+ TB required for the Data Lake's ElasticSearch data. However, Stellar Cyber recommends that the Data Lake uses a dedicated datastore.

Deployment Type Resource Host DL DA MDS
Recommended (Production)
(DL and DA VMs)		 CPU/vCPU 44 physical (88 cores/hyperthreads) 40 44 -
RAM (GB) 256 136 64 -
OS SSD Disk Space 1 TB 500 GB 500 GB -
Data Lake SSD Disk Space 16 TB 12+ TB - -
Integrated Data Processor
(DL, DA, and MDS VMs)		 CPU/vCPU 44 physical (88 cores/hyperthreads) 28 28 28
RAM (GB) 256 136 64 32
OS SSD Disk Space 1 TB 500 GB 500 GB 500 GB
Data Lake SSD Disk Space 16 TB 12+ TB - -
Minimum Configuration for Separate DP VMs
You can still deploy separate DL and DA VMs so long as the ESXi host is provisioned with sufficient CPUs to support the following minimum configuration:		 CPU/vCPU 16 16 -
RAM (GB) 128 64 -
OS SSD Disk Space 500 GB 500 GB -
Data Lake Disk Space 2+ TB - -

Stellar Cyber supports SSD disks for both the OS and Data Lake drives (SATA, SAS, or NVMe). HDD disks introduce latency and are not supported.

Scaling Up Performance with a DP Cluster

You can configure up to ten DP servers to operate in a cluster to achieve improved Stellar Cyber performance. Stellar Cyber cluster testing indicates the following performance guidelines when adding additional DPs to a cluster:

  • With data replication disabled, the aggregated ingestion throughput grows linearly with the number of DP servers.

  • With data replication enabled (the default), the aggregated ingestion throughput is about 30% lower than the throughput without data replication.

 

Upgrading the Stellar Cyber Platform

You can upgrade the Stellar Cyber Platform from 5.3.0 or later to 5.5.0. You must:

  • Prepare for the upgrade

  • Upgrade the Stellar Cyber Platform to 5.5.0

  • Upgrade the sensors

  • Verify the upgrade

For more detailed instructions, refer to Upgrading Software.

Important Note for Air-Gapped Environments: The 5.5.0 release requires connectivity to specific external URLs to enable components included in the installation image, such as Early Access Program functionality and various features and fixes. In air-gapped or dark site environments, where external network access is restricted, these components cannot be enabled after installation. Before upgrading to 5.5.0, confirm that the required connectivity to these URLs is available.

Prepare for the Upgrade

To prepare for the upgrade:

  • Back up the data and configuration
  • Make sure the sensors are up and running
  • Take note of the ingestion rate
  • Take note of the number of alerts
  • Make sure the system health indicator shows
  • Run the pre-upgrade check

Upgrade the Stellar Cyber Platform to 5.5.0

To upgrade the Stellar Cyber Platform to 5.5.0 from a version earlier than 5.3.0, first upgrade to 5.3.0.

  1. Select Admin | Software Upgrade.

  2. Choose 5.5.0.

  3. Select Start Upgrade.

Upgrade the Sensors

New features, updated ML algorithms, and enhanced configurations may change ingestion and detection patterns. We recommend the following to ensure a smooth upgrade:

  • Upgrade sensors with the Sandbox and IDS features enabled before sensors with the only the Network Traffic feature enabled. Sensors with Network Traffic enabled send data to sensors with Sandbox and IDS enabled for additional processing.
  • Upgrade sensors in batches instead of all at once.
  • For server sensors (agents):
    • Upgrade a small set of sensors that cover non-critical assets.
    • After 24 hours, ensure that your ingestion is as expected, then upgrade a larger set.
    • After 24 hours, ensure that your ingestion is as expected, then upgrade the remaining server sensors.

CentOS 7.1 Prerequisite – Update curl to 7.29.0-59.el7_9.2 or Higher

Before upgrading any Linux Server Sensors running in CentOS 7.1, you must check your curl version and update it to 7.29.0-59.el7_9.2 or higher in order to use the strong encryption required by the Stellar Cyber platform.

  1. Check your curl version as shown below:

    yum list installed curl

    \* Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile Installed Packages curl.x86_64 7.29.0-19.el7

  2. If the listed version is lower than 7.29.0-59.el7_9.2 (as it is in the example above), use the following commands to update the curl package:

    yum makecache

    yum install curl

  3. If installation of the curl package fails, it is most likely because CentOS is trying to use a repo that has reached its end of life. Try updating the base URL and then reinstall curl. The following sed command makes the necessary changes for most environments to ensure that the updated curl package can be installed:

    sudo sed -i.bak -e 's|^mirrorlist=|#mirrorlist=|' -e 's|^#baseurl=http://mirror.centos.org/centos/\$releasever|baseurl=http://archive.kernel.org/centos-vault/7.9.2009|' /etc/yum.repos.d/CentOS-Base.repo

To upgrade Linux or Windows Server Sensors:

You can upgrade a Server Sensor to the most recent release from the two previous releases. This means that you can upgrade a Server Sensor to the 5.5.0 release from any 5.3.x or 5.4.x release.

If you are upgrading a Windows Server Sensor, complete any pending updates for the host Windows machine before upgrading the Server Sensor.

  1. Select System | Sensors.

    The Data Sensor List appears.

  2. Select Software Upgrade in the Manage dropdown.

    The Data Sensor Software Upgrade page appears.

  3. Choose the target software version.

  4. Choose the target sensors.

  5. Submit.

Verify the Upgrade

To verify that the upgrade was successful:

  • Check the Current Software Version on the System | ORGANIZATION MANAGEMENT | Software Upgrade page.
  • Make sure the sensors are up and running.
  • Check the ingestion rate and make sure it is as expected.
  • Check the number of alerts and make sure it is as expected.
  • Check the system health indicator:
    • indicates a perfectly healthy system.
    • indicates minor issues. Monitor the system for 30 minutes. If the issues remain, investigate further.
    • indicates major issues. Contact Technical Support.