Stellar Cyber 6.0.0 Release Notes

Software Release Date:
Release Note Updated:

The Stellar Cyber 6.0.0 release brings the following exciting improvements to the Stellar Cyber Open XDR Platform.

The release notes are organized into the following sections:

Highlights

  • Released a new UI for general availability, delivering a more intuitive navigation structure and an updated theme engine with light and dark modes to enhance flexibility and usability.

  • Improved accuracy, formatting, and layout fidelity in scheduled dashboard exports. Reports based on exported dashboards now match dashboard configurations more precisely and provide cleaner print-ready output with enhanced chart rendering and table formatting.

  • Introduced Saved Views to preserve customized table layouts across sessions.

  • Implemented CyberArk EPM and Crowdstrike FDR connectors for improved visibility.

Actions Required

  • Improved the Zscaler Deception parser by changing the msg_origin.category field value from ndr to honeypot to more accurately reflect the data source. If you rely on the msg_origin.category field with the previous ndr value to find, display, include, or exclude Zscaler Deception events in queries, dashboards, or filters, update those configurations to use the new value honeypot.

  • If you previously relied on the Log Size Control feature to manage Windows Event Log rotation or truncation, you must instead use the built-in AutoBackupLogFiles configuration option or an alternative mechanism.

Behavior Changes

Changes that affect the way users interact with the product or interpret results are listed below.

  • Moved fields to cisco in Cisco CEF parser.

    The esamid, sbrsscore, and esafinalactiondetails fields were moved from msg_data to the cisco field for improved parser alignment. VPN event messages are retained even when not fully parsed to preserve important information.

  • Added log format support for Radware Alteon parser.

    Introduced parsing support for new log formats, including AppWall logs, to improve visibility into Radware Alteon activities.

  • Updated parser metadata for firewall categorization.

    Changed the msg class and category to firewall for consistency. Promoted the action field to the top level. Changed the msg_origin.category field from ndr to honeypot to better represent origin classification.

  • Standardized Fortinet CEF parser field handling.

    Moved tunneltype, tunnelip, and reason fields from msg_data to the fortinet field for schema consistency. Data is now sent only to the Root Tenant, eliminating tenant-specific separation.

  • Added multi-tenant support for Cisco WLC parser.

    Enabled the Cisco WLC parser to recognize and process logs across multiple tenants, improving tenant-aware data parsing.

  • Added RFC-5424 support for Checkpoint Harmony Email & Collaboration logs.

    Integrated support for RFC-5424 format in the Checkpoint Harmony Email & Collaboration parser, enhancing compatibility with structured syslog data.

  • Improved message parsing for F5 BIG-IP logs.

    Enhanced the syslog-to-session/traffic parsing logic to better extract five-tuple information from messages, improving session tracking for F5 BIG-IP systems.

  • Enriched Fortinet Fortigate DNS field mapping.

    Added enrichment logic to populate the dns.question.name and domain_list fields using the qname field for improved DNS visibility.

  • Reduced the total number of possible data sources shown for Emerging Threat Filehash (SHA1) detection from 16 in version 5.5.0 to 5 in 6.0.0.

Deprecated Features

No features were deprecated in this release.

Detection/ML

New Features

Improvements

  • Upcoming CloudTrail Changes for IAM Identity Center – Normalization Update Required

    AWS is updating the structure of CloudTrail events related to IAM Identity Center to simplify user identification and improve integration with external identity providers such as Okta and Microsoft Active Directory. These changes take effect on July 14, 2025 and only impact CloudTrail events from IAM Identity Center. CloudTrail events for other AWS services remain unchanged.

    For more information, see AWS Security Blog – Important changes to CloudTrail events for AWS IAM Identity Center.

    Required Normalization Changes in Stellar Cyber

    To support the new CloudTrail format, Stellar Cyber normalization logic includes updates for IAM Identity Center events only.

    • For IAM Identity Center CloudTrail events:

      Use userIdentity.onBehalfOf.userId to normalize into srcip_usersid and user.id

      Use additionalEventData.UserName to normalize into user.name and username

    • For all other AWS services (no change):

      Use userIdentity.principalId for srcip_usersid and user.id

      Use responseElements.user.meta.createdBy for srcip_usersid, user.id (specifically for SCIM events)

      Use userIdentity.userName for user.name and username

    Normalization Priority Table

    AWS CloudTrail Field (on premises) AWS CloudTrail Field (SaaS) Enriched Field(s) Notes Priority
    userIdentity.onBehalfOf.userId aws.userIdentity.onBehalfOf.userId srcip_usersid, user.id Primary identifier for IAM Identity Center events 1st Priority
    responseElements.user.meta.createdBy aws.responseElements.user.meta.createdBy srcip_usersid, user.id Fallback (SCIM events) 2nd Priority
    userIdentity.principalId aws.userIdentity.principalId srcip_usersid, user.id Final fallback (non-IAM Identity Center events) 3rd Priority
    additionalEventData.UserName aws.additionalEventData.UserName user.name, username Primary username field for IAM Identity Center 1st Priority
    userIdentity.userName aws.userIdentity.userName user.name, username Fallback for username (non-IAM Identity Center) 2nd Priority

  • The Detection Management System now includes enhanced visibility for active data sources. Data sources that are actively configured and recently sending detection data are flagged with distinct visual indicators, and connection details are accessible via tooltips or a details pane. Additionally, heartbeat metadata provides recent activity timestamps and status messages. New filtering and sorting options allow users to efficiently view and manage active versus inactive data sources, improving detection coverage insights. See Using the Detection Management System.

  • Introduced enhancements to Detection Management, providing flags for active data sources that recently sent required events. Visual indicators now help users assess data source activity and their operational status efficiently. Additional details, like sensor connections and heartbeat metadata, are accessible via tooltips or detail panes. The Possible Data Sources show all data sources that are possible across an organization. A green check mark is displayed on a data source when it has been active in the past five (5) days and has an event contributing to the detection. The data can come from any tenant in the organization. See Using the Detection Management System.

  • Implemented an improvement that allows filtering and searching of Indicators of Compromise (IoCs) by type in the Threat Intelligence Platform. This enhancement lets you specify IoC types such as Domain Name, File Name, or URL in the search and filter criteria, improving the precision of threat intelligence operations. See Managing IoCs in the Threat Intelligence Platform.

Usability

New Features

  • Added a search box to the Interflow dictionary interface, enabling substring matching for rapid field filtering. This feature mirrors the search and filter functionality used in Interflow records, optimizing your workflow by allowing quick access to specific field information without extensive scrolling. The implementation ensures efficient performance with large lists.

  • Added functionality to sort Sigma rules based on their grade level in the detection table, enabling easier prioritization and analysis of Sigma rule alerts by their assigned grade ranking.

  • Implemented a feature allowing Sigma rules to be sorted by risk level. This enhancement helps you prioritize threats by organizing rules based on the associated risk assessment.

  • Enabled the ability to sort data based on hit counts, specifically using the stats.hits_l7 field. This lets you organize and prioritize items according to their activity level, aiding in efficient data analysis.

  • Implemented notifications that alert users of upcoming and in-progress maintenance. The notifications display clearly informs you of scheduled system downtime, ensuring that maintenance windows are communicated effectively. Alerts adjust based on the maintenance timeline to keep you updated before, during, and immediately after maintenance activities.

  • Introduced functionality to maintain user sessions during UI upgrades by removing session invalidation tied to build hash differences. Instead, users are prompted to refresh the page manually to load the latest version. This change prevents automatic logout during UI updates while providing a visual cue to refresh, ensuring session continuity without interruption.

  • AELDEV-52133: Introduced the Saved Views feature to preserve customized table layouts across sessions.

    Added a new capability that lets you save and reapply custom table configurations, including column visibility, order, width, filters, and sorting. This feature is available wherever structured table data is presented and supports improved usability through consistent, personalized data views. You can create named views, mark favorites, search and filter saved views, and perform actions such as editing, cloning, or deleting configurations. All saved views are scoped to individual users and can be applied or unselected at any time to toggle between custom and default layouts.

  • Implemented a feature in the AI Investigator module to rename investigation notebooks automatically based on the first query run in the notebook. The notebook name updates dynamically using the query metadata, improving organization and making it easier to identify and revisit specific investigation workflows.

  • Added functionality in AI Investigator to refresh previous query results and adjust the time range for time-based prompts, such as “last 24 hours.” The Reset button reruns the original query with its parameters intact but updates the time range to cover the same duration starting from the current time. For example, a query for the “last 7 days” is rerun for the last seven days counted from today rather than from the previous execution date. Additionally, the time window can be adjusted directly from the query response, changing it from options like the “last 24 hours” to the “last 7 days” without rewriting the prompt. The Reset button and time window controls are prominently displayed on the left and above the query results for easy access, supporting streamlined investigations.

Improvements

  • AELDEV-56091: Released the new Stellar Cyber UI for general availability.

    Released a new UI in the 6.0.0 release as the default interface after being offered as a public preview in 5.5.0. The new user interface provides a more intuitive navigational structure and includes an updated theme engine that supports both dark and light mode options, enhancing flexibility and usability.

  • AELDEV-54412: Improved accuracy, formatting, and layout fidelity in scheduled dashboard exports.

    Introduced enhancements to improve the quality, consistency, and usability of scheduled reports. A title is required before saving a scheduled report, preventing unnamed entries. Reports based on dashboards reflect the latest dashboard configuration and exclude any removed columns. Interflow record counts in reports match the dashboard output. A new Enhanced Print Optimized option was also added to the PDF Type setting, offering clearer chart rendering and cleaner table formatting. Wide tables are split across pages to ensure all content is visible in print-ready output.

  • Enhanced the report scheduling interface by adding a tooltip to the recipients list. The tooltip displays both the email domain and tenant information, providing additional context to help distinguish recipient types when configuring report delivery. This improvement supports more efficient report scheduling by clarifying recipient identities without altering the list structure.

  • Added the capability to upload a separate logo specifically for the light theme under the Organization Logo (Light Theme) section in System | ORGANIZATION MANAGEMENT | Settings. The custom logo appears on the login page and other relevant areas when the light theme is active, ensuring better visibility and brand consistency for organizations using this feature.

  • user-scoped access controls for public APIs

    Implemented user-scoped access controls across public APIs to expand support beyond root and super_admin accounts, allowing tenant and partner users to access relevant resources. Ownership validation checks were added to verify that users have rights over requested records based on fields such as org_id and tenant_id. This change applies to multiple APIs, including /ingestion-stats, update_elastic_record, and security_events. These enhancements improve security and resource control by enforcing proper authorization boundaries and providing clear error messages when access is denied, ensuring consistent and secure operations for diverse user roles.

  • deleted from a case

    Added a confirmation dialog box when you delete an alert from a case. This helps prevent accidental deletions by requiring you to confirm the action, reducing the risk of unintended data loss.

  • Implemented UI elements to facilitate navigation and selection of predefined questions within the AI threat hunting interface. Included enhancements like adding icons and a copy prompt functionality, and improved styling of related components. These changes aim to streamline user interaction with predefined AI-assisted inquiries, improving efficiency and accessibility for security analysts. Removed unnecessary component state to enhance performance and maintainability of the predefined questions component. Additional improvements include the use of signals in question components and the introduction of a prompt count for usability tracking.

  • Updated the AI Investigator to fully apply user-specified time ranges in search queries, correcting the previous behavior that automatically defaulted to a seven-day window. Queries now accurately reflect the time range you specify, ensuring alignment with your prompts. Added functionality to display warnings if the requested time range exceeds predefined limits.

  • Introduced a language selection option in the schedule settings for reports. This enhancement lets you specify the language in which scheduled reports are generated. If you don’t select a language, the report defaults to the language configured in your user profile. This default behavior applies only to newly created or modified scheduled reports, not to previously created reports. Both PDF reports and reports based on exported dashboards support this language setting.

  • Implemented persistent, user-defined index settings on the Threat Hunting page. Saved preferences are restored across sessions, allowing you to maintain your chosen indices, such as Syslog or Traffic, when navigating away and returning to the page. This enhancement eliminates the need to reset preferences on each visit and improves usability for threat investigations.

Stellar Cyber Platform

New Features

There are no new features for the Stellar Cyber Platform in this release.

Improvements

  • Updated AWS CloudTrail enrichment to accommodate the deprecated fields userIdentity.principalId and userIdentity.userName. The enrichment process now adjusts the priority of user ID fields to include userIdentity.onBehalfOf.userId and responseElements.user.meta.createdBy. It also alters the name fields for user.name and username to prioritize additionalEventData.UserName. These changes ensure proper data processing without reliance on deprecated attributes.

  • Normalized the X-Forwarded-For header IP address to serve as the source IP address in Web Application Firewall (WAF) traffic within flow data reports. This normalization applies specifically to designated WAF IP addresses or IP address ranges. It ensures accurate representation of client IP addresses for improved analysis and maintains competitive parity with other NDR vendors.

Sensors

New Features

  • Enabled domain fronting detection in flow data reports and integrated the IPv4 and IPv6 address databases (IPDB and IPDB6) to enhance classification of encrypted traffic, especially HTTPS. Added a classification cache to increase speed and accuracy, ensuring classification occurs on the first packet. This improvement supports better application identification by analyzing multiple IP addresses, optimizing performance without requiring updates to the machine learning system. The solution is embedded in the SSL protocol and follows Protobook documentation for protocol tuning options.

Improvements

  • Enhanced the responsiveness of remote command execution on Linux Server Sensors to ensure faster and more reliable interactions through the command-line interface. This improvement supports consistent performance across diverse Linux environments while maintaining compatibility with Windows Server Sensors, which are unaffected by this change.

  • Improved error reporting for TLS certificate installation and application failures by displaying detailed error messages in the user interface. These messages had previously only been available in the CLI. When a TLS certificate fails to install or validate, you now receive a clear error message in the UI and a warning alert. If a failure disrupts services such as log forwarding, the system automatically reverts to the last known good TLS configuration to maintain functionality while logging the failure for troubleshooting. These improvements help you quickly identify and resolve TLS certificate problems without service interruptions.

  • Added functionality to monitor and report the time differences between Windows event timestamps, their collection timestamps, and event publish times. This monitoring provides hourly delta measurements for each channel to assist in diagnosing delays in event processing.

  • Disabled the Log Size Control feature in sensor profiles for Windows Server Sensors. Though previously deprecated in 5.5.0, this functionality is now fully disabled. Sensor profiles with this setting applied will have no effect on Windows Server Sensors running version 6.0.0.

Connectors

New Features

  • AELDEV-54348: Introduced the CrowdStrike FDR connector.

    Added a connector for CrowdStrike Falcon Data Replicator (FDR) to ingest security events and secondary event attachments through Amazon S3 with Amazon Simple Queue Service (SQS) notifications. This connector retrieves and normalizes Falcon telemetry for ingestion, enabling Stellar Cyber to analyze and correlate the data with other threat intelligence sources automatically. With this integration, you can improve visibility and accelerate investigation and response workflows across your environment. See Configuring CrowdStrike FDR Connectors.

  • AELDEV-54342: Introduced the CyberArk EPM connector.

    Added a connector for CyberArk Endpoint Privilege Manager (EPM) to ingest events and policy audit logs into Stellar Cyber. This connector enables centralized visibility and analysis of CyberArk EPM security data, improving detection and investigation of privilege-related threats across your environment. See Configuring CyberArk EPM Connectors.

  • Added a connector for NodeZero, an automated penetration testing platform, to ingest data into the Stellar Cyber Platform. This connector retrieves penetration test results, action logs, identified weaknesses, and host data through the Horizon3.ai GraphQL API. By integrating these insights, you can centralize and analyze NodeZero findings within Stellar Cyber to enhance threat detection, streamline vulnerability remediation, and accelerate investigation workflows. See Configuring NodeZero Connectors.

  • Added a connector for SOCRadar to ingest incident data into the Stellar Cyber Platform. This connector retrieves validated incident records, including alarms, associated assets, threat categories, and recommended response actions, through the SOCRadar incident API. By automating this integration, you can enrich your security operations with external threat intelligence, correlate incidents with local events, and accelerate investigation and response efforts. See Configuring SOCRadar Connectors.

  • Added a connector for Recorded Future to ingest alerts through the Recorded Future Connect API. This connector retrieves multiple alert types, including domain abuse, vulnerabilities, data leakage, third-party risk, and identity exposures. The integration supports alert mapping and requires separate API tokens for general alerts and playbook alerts. This feature enables users to pull relevant security alerts directly into their system for improved monitoring and response activities. See Configuring Recorded Future Connectors.

  • Added a connector for Microsoft Graph Security API to ingest alerts and incidents. This connector retrieves alert details, associated evidence, and recommended response actions, supporting commercial, GCC (Government Community Cloud), GCC High, and Government Cloud environments. By integrating this data, you can correlate Microsoft Defender XDR threat intelligence with local events, accelerate investigation, and strengthen coordinated response across your security operations. See Configuring Microsoft Graph Security API Connectors.

  • Added a connector for Qualys File Integrity Monitoring (FIM) to ingest security events, ignored events, incidents, and asset information into the Stellar Cyber Platform. This integration centralizes Qualys FIM data to help you detect unauthorized file changes, investigate suspicious activity, and correlate file integrity alerts with other security events for improved incident response. See Configuring Qualys FIM Connectors.

  • Added a connector for Automox to ingest data through its REST APIs, including devices, events, users, policies, audit logs, and pre-patch reports. The connector supports mapping each Automox Zone (tenant) to a corresponding Stellar Cyber tenant, using unique Account IDs and API keys for authentication. By bringing this data into the Stellar Cyber Platform, you can achieve longer retention of Automox security data, correlate file integrity and patch information with other events, and improve investigation and response efforts across your environment. See Configuring Automox Connectors.

  • Added a connector for Office 365 Reporting Web Service to ingest Message Trace reports from Exchange Online. This connector provides visibility into email traffic patterns and delivery status, using its own authentication method with Microsoft Entra ID roles and permissions. Due to Microsoft API limitations, data is retrieved with a 24-hour delay and capped at 2000 records per query. This integration helps you monitor and correlate email activity more effectively within Stellar Cyber. See Configuring Office 365 Reporting Web Service Connectors.

Improvements

Parsers

New Features

  • Added a parser to process HTTP Web Application and API Protection (WAAP) logs from F5 systems on port 5925. This parser supports HTTP Newline-Delimited JSON (NDJSON) log format, including the Content-Type header application/x-ndjson, ensuring compatibility with structured HTTP traffic data sent by modern F5 WAAP deployments. By normalizing key fields such as HTTP methods, response codes, source and destination addresses, and enriched application metadata, you can achieve greater visibility and faster analysis of advanced web and API security events across your environment.

  • Added a parser to ingest logs from the F5 BIG-IP Virtual Edition, enabling the Stellar Cyber Platform to parse traffic, system, and web security events in CSV and custom log formats. This capability improves visibility and detection across F5 BIG-IP Virtual Edition deployments by normalizing key fields such as user sessions, access policies, and user agent details. With this enhancement, you can centralize and analyze F5 BIG-IP Virtual Edition activity for more efficient security monitoring and faster threat investigations.

  • Added a new parser to ingest logs from F5 BIG-IP Application Security Manager (ASM). This parser supports both Common Event Format (CEF) and key-value pair (KVP) log formats, ensuring consistent ingestion and normalization of security events, including DoS, bot, DNS, and DDoS data. By reliably parsing these logs, you can correlate F5 ASM security events with other telemetry in Stellar Cyber to strengthen threat detection and investigation workflows.

  • Added a parser to ingest logs from SolarWinds Serv-U file transfer servers on port 5924. This parser processes logs in SolarWinds custom format with embedded key-value pairs, enabling analysis of secure file transfer activity, user authentication, and file access events. It supports normalization of key fields such as usernames, file paths, and transfer statuses, helping you monitor Serv-U deployments for compliance, detect suspicious transfers, and accelerate investigations involving file sharing across your environment.

  • Added a parser to ingest logs from the Judy Security Password Manager to ingest JSON-formatted logs. This parser was developed to accommodate a Judy Security specific log format, which does not use standard CEF but instead forwards JSON data for authentication and password management events. By normalizing Judy Security logs, you can correlate user access and password management activity with other telemetry, strengthening threat detection and investigation workflows.

  • Added a parser to ingest logs from Check Point Quantum appliances on port 5920, processing logs in Check Point custom syslog format with structured data fields. This parser enables the normalization of network security events including firewall activity, access control, and intrusion prevention alerts. This enhancement helps you correlate Check Point Quantum telemetry with other data sources in Stellar Cyber, improving threat detection, investigation, and response across your environment.

  • Added a parser to process logs from Judy Security Email Protection systems on port 5919. This parser supports RFC-3164 syslog format with embedded key-value pairs, enabling reliable ingestion of security event data including email policy enforcement, malware detection, phishing attempts, and quarantined messages. By normalizing fields such as sender, recipient, subject, action taken, and detection outcome, you gain deeper visibility into email security posture, helping you correlate events with other telemetry in Stellar Cyber for enhanced detection, investigation, and response.

  • Introduced a parser to ingest DNS and audit event logs from ISC BIND 9 on port 5916. This parser processes logs formatted according to RFC-3164 with embedded key-value pairs, making it easier for you to extract meaningful information from domain query and resolution data. This parser improves your ability to monitor secure DNS operations and supports consistent normalization for advanced threat detection and compliance workflows.

  • Added a parser for Check Point SandBlast Appliance logs on port 5915 in Check Point custom syslog format. This parser normalizes advanced threat prevention events, including file emulation, exploit detection, and zero-day protections, to improve visibility and investigation of sophisticated threats. With this enhancement, you can correlate SandBlast Appliance telemetry more effectively with other security data across your environment.

  • Added a parser to ingest logs from McAfee ESM (Enterprise Security Manager) and Nitro SIEM, supporting the Common Event Format (CEF) log structure. This parser extracts the nitroAppID, nitroDomainID, and nitroHostID key fields. By improving field-level parsing, you can gain deeper visibility into user authentication, domain, and host-related security events, simplifying investigations and improving situational awareness across McAfee ESM/Nitro SIEM deployments.

  • Added a parser to ingest logs from Progress Kemp LoadMaster appliances on port 5143. This parser processes logs in Common Event Format (CEF), normalizing key fields such as srcip, dstip, srcport, dstport, method, and url for improved threat detection and security analysis. The parser maps recognized fields to top-level ECS-compatible fields while preserving others in the progress_kemp_lm or msg_data vendor-specific namespaces. With this enhancement, you can more effectively monitor and correlate Progress Kemp network events with other data sources in Stellar Cyber, strengthening investigation and response workflows.

  • Added a parser to ingest logs from Radware Cybercontroller Plus on port 5914. This parser processes logs in Radware custom syslog format, normalizing key fields related to network security policy enforcement, threat mitigation events, and DDoS protection. By structuring these logs for analysis, you can more easily correlate Radware telemetry with other security data sources in Stellar Cyber, improving detection, investigation, and response workflows.

  • Added a parser to ingest web proxy logs from Squid Proxy on port 5918. This parser processes logs formatted according to RFC-3164, normalizing key fields related to user web access behavior, HTTP methods, URLs, and proxy actions. By structuring these logs for analysis, you can monitor web usage patterns, detect suspicious activity, and correlate proxy data with other security telemetry in Stellar Cyber to improve investigation and response.

  • Added a parser to ingest logs from Nippon Electric Company (NEC) Indoor Unit on port 5921. This parser processes logs with an RFC-3164 header and NEC custom syslog format, normalizing fields related to device operational status, security events, and network communications. By structuring these logs for analysis, you can achieve broader device coverage, monitor NEC Indoor Unit activity more effectively, and correlate this telemetry with other security data sources in Stellar Cyber to enhance detection and investigation workflows.

  • Added a parser to ingest logs from SecurityGen Next-Generation Firewall (NGFW) on port 5910. This parser processes logs in JSON format, optionally preceded by RFC-3164 or syslog application and process identifiers, normalizing key fields related to traffic flows, firewall rule actions, and policy enforcement. By structuring this data, you can monitor SecurityGen NGFW deployments more effectively, detect suspicious network activity, and correlate firewall events with other security data in Stellar Cyber.

    Added a parser to ingest logs from SecurityGen Intrusion Detection System (IDS) on port 5911. This parser supports JSON-formatted logs, with optional RFC-3164 or syslog application and process identifiers, enabling normalization of intrusion alerts, detection signatures, and network event metadata. By normalizing these fields, you can enhance visibility into threat detection data from SecurityGen IDS, improving your investigation and response workflows within Stellar Cyber.

  • Added a parser to ingest logs from Tait Communications P25 Basestation on port 5912. This parser processes logs in Tait Communications custom syslog format, normalizing key fields related to radio communication events, control channel activities, and authentication processes. By structuring this data, you can monitor the security and operational status of P25 radio systems more effectively and correlate those events with other telemetry in Stellar Cyber for enhanced investigation and response.

  • Added a parser to ingest logs from NetApp FAS (Fabric Attached Storage) on port 5908. This parser processes logs with an RFC-3164 header and ONTAP description fields, normalizing key data about storage operations, authentication events, and system health. By structuring these logs, you can monitor NetApp FAS appliances more effectively and correlate their activity with other security and infrastructure telemetry in Stellar Cyber to support improved detection, investigation, and response.

  • Added a parser to ingest logs from Coraza Web Application Firewall (WAF) using HAProxy SPOA integration on port 5913. Stream Processing Offload Agent (SPOA) allows external security services like Coraza to process traffic metadata and make policy decisions in real time before HAProxy forwards requests. This parser processes logs formatted according to RFC-3164, normalizing key fields related to web application firewall traffic, rule matches, and block or allow decisions. By structuring this data, you can monitor and investigate Coraza WAF activity more effectively, correlating events with other security telemetry in Stellar Cyber to strengthen detection and response workflows.

Improvements

Early Access Program

If you're interested in testing out new features ahead of general availability, consider joining the Early Access Program (EAP) by contacting your Stellar Cyber Customer Success representative and telling them which EAP feature you want to test. Once you've agreed to the EAP terms and signed up, the EAP feature is unlocked for you.

The purpose of this program is to boost performance and reliability through real-world customer insights, giving you a hands-on role in shaping a Stellar Cyber feature. In return, you'll receive early access to upcoming releases and the chance to guide product development.

Customizable Case Correlation Strategies

This EAP feature introduces support for multiple case correlation strategies, allowing teams to evaluate and experiment with different approaches to grouping alerts into cases. Each strategy provides a distinct investigative perspective:

  • Attacker-Centric Correlation groups alerts by the source (attacker) host, making it easier to track adversary behavior across multiple targets.

  • Victim-Centric Correlation organizes alerts by the destination (victim) host, enabling focused protection and visibility on high-value assets.

  • Multi-Entity Correlation links alerts across interconnected hosts and actions to form a single case, offering a holistic view of extended or lateral attack campaigns.

This flexibility enables security teams to tailor investigations based on their operational priorities—whether that’s identifying persistently targeted endpoints, tracing threat actor movements, or capturing full-scale intrusion campaigns. To join the EAP and begin testing these correlation strategies, contact your Stellar Cyber Customer Success representative.

Resolved Issues

Known Issues

The following are known issues in this release.

  • AELDEV-59053: The unset dns command may not work correctly when DHCP is enabled for a sensor's management interface. Changes to DNS settings with the unset dns command may be overwritten by a DHCP refresh. Use the show dns command a few minutes after running the unset dns command to verify settings.

Stellar Cyber Platform System Requirements

You must install the Stellar Cyber Platform in an environment that meets or exceeds minimum system requirements. Refer to the following sections for the minimum system requirements for different target environments:

System Requirements for Cluster Installation in VMware ESXi

You can install the Stellar Cyber platform on a dedicated ESXi server running VMware ESXi 8.0, 7.0 or 6.7. The target ESXi server must have sufficient resources to support separate virtual machines for the Data Analyzer, Data Lake, and, if installing as an Integrated Data Processor, the Modular Sensor. The specifications in the table below are sufficient to support a Stellar Cyber deployment with up to 300GB of daily ingestion.

Keep in mind the following:

  • Each VM (DA, DL, and MDS) must be thick-provisioned and requires 500 GB of SSD disk space.

  • You can install all three of the VMs in the same datastore if there is sufficient space for both the VMs and the 12+ TB required for the Data Lake's ElasticSearch data. However, Stellar Cyber recommends that the Data Lake uses a dedicated datastore.

Deployment Type Resource Host DL DA MDS
Recommended (Production)
(DL and DA VMs)		 CPU/vCPU 44 physical (88 cores/hyperthreads) 40 44 -
RAM (GB) 256 136 64 -
OS SSD Disk Space 1 TB 500 GB 500 GB -
Data Lake SSD Disk Space 16 TB 12+ TB - -
Integrated Data Processor
(DL, DA, and MDS VMs)		 CPU/vCPU 44 physical (88 cores/hyperthreads) 28 28 28
RAM (GB) 256 136 64 32
OS SSD Disk Space 1 TB 500 GB 500 GB 500 GB
Data Lake SSD Disk Space 16 TB 12+ TB - -
Minimum Configuration for Separate DP VMs
You can still deploy separate DL and DA VMs so long as the ESXi host is provisioned with sufficient CPUs to support the following minimum configuration:		 CPU/vCPU 16 16 -
RAM (GB) 128 64 -
OS SSD Disk Space 500 GB 500 GB -
Data Lake Disk Space 2+ TB - -

Stellar Cyber supports SSD disks for both the OS and Data Lake drives (SATA, SAS, or NVMe). HDD disks introduce latency and are not supported.

Scaling Up Performance with a DP Cluster

You can configure up to ten DP servers to operate in a cluster to achieve improved Stellar Cyber performance. Stellar Cyber cluster testing indicates the following performance guidelines when adding additional DPs to a cluster:

  • With data replication disabled, the aggregated ingestion throughput grows linearly with the number of DP servers.

  • With data replication enabled (the default), the aggregated ingestion throughput is about 30% lower than the throughput without data replication.

 

Upgrading the Stellar Cyber Platform

You can upgrade the Stellar Cyber Platform from 5.4.0 or later to 6.0.0. You must:

  • Prepare for the upgrade

  • Upgrade the Stellar Cyber Platform to 6.0.0

  • Upgrade the sensors

  • Verify the upgrade

For more detailed instructions, refer to Upgrading Software.

Important Note for Air-Gapped Environments: The 6.0.0 release requires connectivity to specific external URLs to enable components included in the installation image, such as Early Access Program functionality and various features and fixes. In air-gapped or dark site environments, where external network access is restricted, these components cannot be enabled after installation. Before upgrading to 6.0.0, confirm that the required connectivity to these URLs is available.

Prepare for the Upgrade

To prepare for the upgrade:

  • Back up the data and configuration
  • Make sure the sensors are up and running
  • Take note of the ingestion rate
  • Take note of the number of alerts
  • Make sure the system health indicator shows
  • Run the pre-upgrade check

Upgrade the Stellar Cyber Platform to 6.0.0

To upgrade the Stellar Cyber Platform to 6.0.0 from a version earlier than 5.4.0, first upgrade to 5.4.0.

  1. Select Settings | ORGANIZATION MANAGEMENT | Software Upgrade.

  2. Choose 6.0.0.

  3. Select START UPGRADE.

Upgrade the Sensors

New features, updated ML algorithms, and enhanced configurations may change ingestion and detection patterns. We recommend the following to ensure a smooth upgrade:

  • Upgrade sensors with the Sandbox and IDS features enabled before sensors with the only the Network Traffic feature enabled. Sensors with Network Traffic enabled send data to sensors with Sandbox and IDS enabled for additional processing.
  • Upgrade sensors in batches instead of all at once.
  • For server sensors (agents):
    • Upgrade a small set of sensors that cover non-critical assets.
    • After 24 hours, ensure that your ingestion is as expected, then upgrade a larger set.
    • After 24 hours, ensure that your ingestion is as expected, then upgrade the remaining server sensors.

CentOS 7.1 Prerequisite – Update curl to 7.29.0-59.el7_9.2 or Higher

Before upgrading any Linux Server Sensors running in CentOS 7.1, you must check your curl version and update it to 7.29.0-59.el7_9.2 or higher in order to use the strong encryption required by the Stellar Cyber platform.

  1. Check your curl version as shown below:

    yum list installed curl

    \* Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile Installed Packages curl.x86_64 7.29.0-19.el7

  2. If the listed version is lower than 7.29.0-59.el7_9.2 (as it is in the example above), use the following commands to update the curl package:

    yum makecache

    yum install curl

  3. If installation of the curl package fails, it is most likely because CentOS is trying to use a repo that has reached its end of life. Try updating the base URL and then reinstall curl. The following sed command makes the necessary changes for most environments to ensure that the updated curl package can be installed:

    sudo sed -i.bak -e 's|^mirrorlist=|#mirrorlist=|' -e 's|^#baseurl=http://mirror.centos.org/centos/\$releasever|baseurl=http://archive.kernel.org/centos-vault/7.9.2009|' /etc/yum.repos.d/CentOS-Base.repo

To upgrade Linux or Windows Server Sensors:

You can upgrade a Server Sensor to the most recent release from the two previous releases. This means that you can upgrade a Server Sensor to the 6.0.0 release from any 5.4.x or 5.5.x release.

If you are upgrading a Windows Server Sensor, complete any pending updates for the host Windows machine before upgrading the Server Sensor.

  1. Select System | DATA SOURCE MANAGEMENT | Sensors | Sensors.

    The Data Sensor List appears.

  2. Select Managed | Software Upgrade.

    The Data Sensor Software Upgrade page appears.

  3. Choose the target software version.

  4. Choose the target sensors.

  5. Submit.

Verify the Upgrade

To verify that the upgrade was successful:

  • Check the Current Software Version on the System | ORGANIZATION MANAGEMENT | Software Upgrade page.
  • Make sure the sensors are up and running.
  • Check the ingestion rate and make sure it is as expected.
  • Check the number of alerts and make sure it is as expected.
  • Check the system health indicator:
    • indicates a perfectly healthy system.
    • indicates minor issues. Monitor the system for 30 minutes. If the issues remain, investigate further.
    • indicates major issues. Contact Technical Support.