Stellar Cyber 6.1.0 Release Notes

Software Release Date:
Release Note Updated: October 21, 2025

These release notes list and describe the new features and improvements in the 6.1.0 release for the Stellar Cyber Open XDR Platform.

The release notes are organized into the following sections:

Highlights

  • Aggregations and Grouping in Queries: Enabled data summarization and statistical analysis directly in the Query Builder, simplifying the process of uncovering trends and insights.

  • Expanded Identity Threat Detection: Added new Sigma-based rules for Active Directory (AD) attack detections and geo-anomaly alerts to combat credential theft and privilege escalation.

  • ServiceNow Integration Enhancements: Added support for filtering and syncing cases and alerts by multiple tenants or tenant groups to streamline ticketing workflows. This enhancement improves flexibility for MSSPs and multi-tenant environments by ensuring only relevant tenant data is synchronized.

  • On-Demand ServiceNow Sync: Added a button so you can immediately synchronize alerts or cases, giving you more control over ticketing workflows.

  • Customizable ML Detections: Implemented configuration options for Impossible Travel Anomaly and User Login Location Anomaly alert types, allowing you to align anomaly rules with organizational patterns and reduce false positives.

  • CrowdStrike Premium Threat Intelligence: Integrated real-time, high-fidelity Indicators of Compromise (IOCs) directly into Stellar Cyber for faster, more accurate threat detections.

  • Advanced Network-Based Detection: Introduced high-fidelity Command and Control (C2) beaconing detection and visibility into new or rare Top-Level Domains (TLDs) to identify stealthy threats earlier.

  • Seamless Integrations: Enhanced third-party alert ingestion and new connectors to unify your operations.

  • IDS Rule Support: Addressed rule dependencies to ensure Emerging Threats Professional (ETPro) exploit rules function correctly.

  • ICMP Tunneling Detection: Implemented a machine-learning (ML) model to improve accuracy and reduce noise in ICMP tunneling alerts.

  • Tenant-Level License Visibility: Added views to track license allocations and consumption at the tenant level, providing clear insight into usage per tenant

Actions Required

  • Improved the Zscaler Deception parser to categorize events with msg_origin.category set to honeypot. If you use parser-based workflows, dashboards, or rules that depend on this field, verify that they reflect the updated value to ensure uninterrupted data handling.

Behavior Changes

Changes that affect the way users interact with the product or interpret results are listed below.

  • DATA-2749: Updated the WatchGuard VPN parser so syslog messages are no longer discarded when they cannot be fully parsed. The raw message is now retained in log.event_description, with fields such as user.name and srcip extracted where available. You might now see more raw WatchGuard VPN syslog events than before, even if not all fields are normalized, which can affect alerts, queries, and storage volume.

  • DATA-2731: Updated field mappings in the Relianoid WAF parser, which parses logs from a Relianoid application delivery controller (ADC) with integrated web application firewall (WAF) capabilities. The relianoid_waf.custom_value_3 field was renamed to relianoid_waf.target_name, and a new relianoid_waf.custom_value_3 now captures ModSecurity message values. (ModSecurity is an open-source web application firewall engine.) This update corrects an issue where only metadata was parsed and the remainder of the WAF message was left in JSON. You might now see more parsed fields and different field names in Relianoid WAF logs. This change can affect saved queries, dashboards, or integrations that relied on the old field name, so you might need to adjust filters or reports accordingly. At the same time, the update increases visibility into ModSecurity activity and gives you more complete information for analysis.

  • DATA-2708: Refined category and class values in the ColorTokens parser for Gatekeeper (Xshield 3.0) and Xprotect logs to ensure accurate classification.

    • For Gatekeeper, msg_origin.category has changed from endpoint to firewall, and dev_class (msg_class) has changed from colortokens_gatekeeper to firewall.

    • For Xprotect, msg_origin.category has chanfged from xdr to endpoint, while dev_class (msg_class) remains colortokens_xprotect.

    You might now see different categories and classes in parsed ColorTokens logs, which can affect saved queries, dashboards, or integrations that rely on the old values.

Deprecated Features

No features have been deprecated in this release.

Detection/ML

New Features

Improvements

Usability

New Features

Improvements

Stellar Cyber Platform

New Features

Improvements

  • Extended existing password anonymization to mask LDAP passwords in the metadata.request.auth_simple field, replacing clear text with asterisks. Credential masking now applies consistently across all authentication types, strengthening both security and privacy.

  • Updated AWS CloudTrail enrichment to adjust for the deprecation of userIdentity.principalId and userIdentity.userName. The enrichment now prioritizes userIdentity.onBehalfOf.userId and responseElements.user.meta.createdBy for user IDs, and additionalEventData.UserName for user names. These changes ensure reliable processing and maintain enrichment accuracy without relying on deprecated attributes.

Sensors

New Features

There are no new Sensor features in this release.

Improvements

  • Enhanced sensor efficiency to increase event throughput over UDP by as much as one-third. With this improvement, sensors can handle larger data volumes more reliably, reducing the risk of dropped events in high-traffic environments and giving you more capacity headroom to accommodate traffic spikes.

  • Resolved package dependency issues that caused upgrades from version 5.5.0 to 6.0.0 to fail on dark site management data sensors running Ubuntu 22.04. With this fix, upgrades now complete successfully and align with the supported Suricata version. The change improves reliability and ensures a smoother upgrade path for dark site deployments, reducing the risk of downtime during version transitions.

  • Enhanced the Windows Server Sensor to parse and display the failure reason for logon failures recorded as event ID 4625. The parsed value appears in a new FailureReasonString field, providing a human-readable explanation such as Unknown user name or bad password. This improvement makes it easier to understand and investigate failed logon attempts.

  • Updated the Standard Sensor profile to include the AD FS/Admin log channel in the Other Channels list, increasing visibility into authentication activity from Active Directory Federation Services (ADFS). The parser now normalizes ADFS logs so they integrate seamlessly with existing Windows Event Log categories, eliminating the need for third-party tools and simplifying investigations.

  • Corrected the Service Status field in the Sensor Details page (System | DATA SOURCE MANAGEMENT | Sensors | Sensors |sensor-name) so it accurately reflects whether the Malware Sandbox is enabled or disabled. The fix aligns the UI with the results of the show module command, giving you a consistent view of the sandbox status in environments running a Modular Sensor version of 5.2.0 or later.

  • Enhanced sensor reliability to ensure continued packet processing during network spikes or overload conditions. The improvement eliminates a limitation observed on Ubuntu 16.04, which could cause sensors to stop processing traffic under stress. For the best performance, upgrade sensors to Ubuntu 22.04 and use PCI passthrough to reduce CPU utilization on ESXi hosts. These measures help prevent service disruption during high-traffic scenarios.

  • Added functionality to copy captured PCAP files from the CLI of a Modular Sensor directly to a Data Processor (DP) or other remote destination. You can use the copy captured_pcap <source> <destination> command to transfer PCAP files efficiently, reducing manual steps and accelerating data handling for analysis.

  • Converted all Windows Server Sensor binaries to 64-bit to improve compatibility and performance in modern Windows environments.

  • Improved the responsiveness of remote CLI operations on sensors that run on Linux, including Linux Server Sensors, Modular Sensors, and Device Sensors. With shorter polling intervals and streamlined handling, commands return results more quickly and reliably across these sensor types. This enhancement reduces timeouts and helps you manage sensors more efficiently from the command line.

  • Added CLI commands that let you configure Maximum Transmission Unit (MTU) values on sensor interfaces. By default, sensors use an MTU of 1500, but you can now set values up to 9000 to support environments such as Oracle Cloud Infrastructure (OCI) and FortiGate firewalls. This flexibility helps you prevent traffic drops and adapt sensor networking to match your deployment requirements.

Connectors

New Features

  • Added the WatchGuard connector to support response actions that let you block sites and create blocked sites exceptions directly through the WatchGuard Firebox API. By automating these actions, you can enforce security policies more quickly and reduce reliance on manual configurations. The integration uses dedicated webhook templates that align with WatchGuard Fireware v12.5.3 or later, improving efficiency in firewall response management. These new response actions are available when you create Automated Threat Hunting playbooks under System | Automation | Automation. See Configuring WatchGuard Firebox Responder Connectors.

  • Added the CODA Footprint connector to ingest device and alert data, including vulnerability scan results. The integration supports multi-tenant environments making it easier to adopt for existing users. Scan data is ingested every eight hours, helping you quickly identify exposed devices, correlate them with alerts, and improve the efficiency of threat detection workflows. See Configuring CODA Footprint Connectors.

  • Added the BeyondTrust connector to retrieve remote support session logs from the SupportSession endpoint. The connector parses and normalizes the data for real-time monitoring and anomaly detection, helping you identify unusual remote access activity. See Configuring BeyondTrust Connectors.

  • Added the Microsoft Graph Intune connector to support Intune API endpoints, including devices, compliance policies, and audit events. The connector uses the Microsoft Graph API for authentication and data collection, giving you broader visibility into Intune-managed assets and policy enforcement. See Configuring Microsoft Graph Intune Connectors.

  • Added the Group-IB connector to ingest alerts, incidents, and assets from Group-IB, a global cybersecurity company specializing in threat intelligence and fraud protection. The connector integrates data from the Group-IB Alerts and Incidents APIs, giving you greater visibility into threats and asset activity and enabling stronger correlation with other security data sources. See Configuring Group-IB Connectors.

  • Added the Coro connector to ingest security ticket data. The integration centralizes Coro incidents alongside other security events, providing enriched visibility, stronger threat detection, and streamlined incident management. By consolidating Coro ticket data with other sources, you gain a more complete view of user activity, compliance issues, and security alerts, helping reduce alert fatigue and improve SOC efficiency. See Configuring Coro Connectors.

  • Added the Azure Network Security Group (NSG) connector to support response actions to automatically block or unblock IP addresses. These actions dynamically update NSG firewall rules in your Azure environment, giving you faster, automated control to contain threats or restore access when needed. See Configuring Azure NSG Connectors.

  • Added a connector for Hoxhunt to ingest email incidents, threats, and user data. The connector collects and normalizes logs, giving you comprehensive visibility into Hoxhunt-provided security events and enabling more effective monitoring and threat analysis. See Configuring Hoxhunt Connectors.

  • Added a connector for Tenable Cloud Security to retrieve vulnerability findings. The connector collects scan results, similar to other Tenable connectors. With this integration, you can centralize Tenable Cloud Security findings in the Stellar Cyber Platform for unified visibility and streamlined threat detection. See Configuring Tenable Cloud Security Connectors.

  • Added a connector for VadeSecure, a cloud-based antispam and email security solution, to ingest email logs into the Stellar Cyber Platform. With this integration, you can monitor emails flagged as malicious or quarantined in VadeSecure and correlate them with other data sources to strengthen phishing and malware detection. The connector requires admin permissions in VadeSecure for configuration. See Configuring VadeSecure Connectors.

  • Added a connector for Aruba Central that ingests audit logs and monitoring events through the Aruba Central API. The integration provides visibility into administrative activity and device monitoring data, helping you track configuration changes and monitor network health in the Stellar Cyber Platform. See Configuring Aruba Central Connectors.

  • Added a connector for Verkada to ingest device information, camera data, audit logs, and access events. The integration provides visibility into Verkada-managed physical security systems, enabling you to monitor cameras and sensors, track administrative activity, and correlate access events with other security data for improved threat detection and response. See Configuring Verkada Connectors.

Improvements

Parsers

New Features

Improvements

  • Corrected the Cynet 360 (CEF) parser to properly interpret the rt field, which represents the receipt time, in syslog events. The parser previously misread dates in the format 08/05/2025 10:32:00 as May 8 instead of August 5, because it defaulted to a day–month–year order instead of month–day–year. This improvement ensures that timestamps are now parsed according to the intended format, producing accurate event timelines in Interflow records and eliminating inconsistencies between event_time and other time fields.

  • Corrected the Symantec Endpoint Manager parser to handle Virus Found events properly. This fix ensures that virus detection events now extract and normalize the correct virus name, and the srcip_host field consistently reflects valid host information. These improvements prevent misleading values in Interflow records and improve the accuracy of investigations based on endpoint data.

  • Expanded the VMware UAG (Unified Access Gateway) parser to support additional log formats introduced in version 23.12. The update extracts key network fields, including srcip, srcport, dstip, and dstport, and stores other new fields under the vmware namespace. The parser also now tolerates cases where a space is missing between the syslog_appname and thread_id fields, preventing parsing errors. In addition, the store_raw_msg parameter is set to false, reducing unnecessary data storage. These improvements increase parser reliability and ensure accurate normalization of network events from VMware UAG logs.

  • Expanded the Zimbra Email parser to support additional Postfix log formats, which are generated by the Postfix Mail Transfer Agent (MTA) responsible for routing and delivering email. The update parses SMTP status codes, including status_code defined in RFC 5321 and enhanced_status_code defined in RFC 3463, under the zimbra_email namespace.

    The parser also extracts destination server, user, and queue details, along with additional fields such as sasl_username, now normalized to user.name. Values like warning and statistics are mapped to the tag field, while queue identifiers such as NOQUEUE are normalized to the queue field.

    In addition, the event.description field is shortened when key-value pairs are extracted, reducing redundancy. These enhancements provide fuller visibility into email delivery activity and improve the accuracy of investigations.

  • Enhanced the Perception Point X-Ray parser, which processes logs from the cloud-based email security platform, to support a new syslog header format. The update improves field mapping and normalization for email security events, preventing logs from being rejected with an Unsupported format message. These changes ensure that supported event types are correctly parsed and reflected in Interflow records, providing more accurate reporting across both on-premises and SaaS deployments.

  • Expanded the F5 Big-IP Local Traffic Manager (LTM) parser to add detailed handling for messages with 01490007 (user authentication variable) and 01490549 (PPP dynamic IP assignment) IDs. The update ensures that critical values, such as assigned PPP dynamic IPv4 addresses, client IP addresses, session variables, and user names, are extracted into structured fields such as f5_ltm.ssl_cert, f5_ltm.partition, f5_ltm.session_id, and user.name. This improvement provides clearer visibility into load balancer operations and user authentication events, making investigations more accurate and efficient.

  • Expanded the Cisco Wireless LAN Controller parser to handle additional log formats and a new syslog header structure. The update ensures that key fields are extracted consistently across different WLC deployments, so events are normalized correctly even when log formats vary. These improvements provide more reliable visibility into wireless network activity and reduce the risk of missed or misclassified events during investigations.

  • Expanded the Palo Alto Networks Prisma Cloud (Compute Edition) parser to handle new JSON log formats. The parser now supports logs that do not include a header and those that omit the syslog_priority field, ensuring consistent ingestion across different Prisma Cloud deployments. Events are accurately extracted and normalized into Interflow records, improving visibility into container and workload activity within Prisma Cloud environments.

    Expanded the Palo Alto Networks Prisma Cloud (Compute Edition) parser to handle new JSON log formats. The parser now supports logs that do not include a header and those that omit the syslog_priority field, ensuring consistent ingestion across different Prisma Cloud deployments. Events are accurately extracted and normalized into Interflow records, improving visibility into container and workload activity within Prisma Cloud environments.

  • Enhanced the Fortinet FortiGate parser to prevent performance slowdowns during log ingestion. The update ensures faster processing of FortiGate logs and reduced latency when events are normalized into Interflow records. These improvements give you quicker access to parsed firewall data and make investigations more responsive, even in high-volume environments.

  • Enhanced the Linux syslog parser to better handle privilege escalation events recorded by sudo (short for “superuser do”). These events are defined by the sudoers configuration file, which specifies how privileged access is granted and logged. The update improves extraction and normalization of fields such as username, tty, pwd, command, group, and linux_syslog.target_user. These improvements give you more accurate audit trails for monitoring administrator actions and investigating unauthorized or unexpected use of elevated privileges.

  • Updated the F5 Big-IP Local Traffic Manager (LTM) parser to recognize and normalize logs with message ID 01310053, which records ASM (Application Security Manager) configuration changes. The parser now extracts key details such as incident IDs, incident types, affected components, and support IDs, providing you with fuller visibility into web application firewall changes. These improvements strengthen audit trails and help you track and investigate modifications to security policies on F5 devices.

  • Updated the Linux syslog parser to capture Secure Shell (SSH) login and connection events in greater detail. The parser now reliably extracts fields such as user name, source IP address, port, connection status, and protocol version. These improvements provide you with clearer audit trails of privileged user access, making it easier to monitor login activity and investigate potential unauthorized connections.

  • Enhanced the Linux Audit parser to capture account creation, deletion, and authentication changes more consistently. The update improves extraction and normalization of fields including username, uid, auid, op, and id, ensuring reliable visibility across events such as ADD_USER, DEL_USER, and USER_CHAUTHTOK (when a user successfully changes their authentication token). These improvements give you clearer audit trails for monitoring system-level changes, strengthening your ability to investigate administrative activity and validate compliance requirements.

  • Updated the Squid Proxy parser to handle an additional syslog header format and normalize fields more consistently. The update ensures that the http_response_size field is correctly mapped to inbytes_total, giving you clearer insight into network traffic volumes. With these improvements, you can reliably track access and connection events across a wider range of Squid deployments, ensuring consistent visibility for monitoring and investigations.

  • Expanded the Dell Switch parser to handle logs in RFC 3164 format, in addition to the previously supported RFC 5424 format. The update ensures that fields such as host.ip are parsed correctly, preventing dropped events and incomplete records. These improvements provide you with consistent visibility into switch activity across different Dell models and firmware versions, so device monitoring remains reliable even when log formats vary.

  • Updated the VMware ESXi parser to recognize and normalize authentication failures reported by Pluggable Authentication Modules (PAM), the Linux framework that lets different authentication methods be “plugged in” without modifying applications. The parser now extracts details such as the user name, source IP address, and reason for failure when login attempts are blocked. These improvements provide you with clearer visibility into failed login activity, making it easier to detect unauthorized access attempts and strengthen audit trails on VMware hosts.

  • Enhanced the Cisco Firepower Intrusion Prevention System (IPS) parser to ensure that intrusion events are routed to the ML-IDS index. This includes events such as those with message ID 430001, which indicates that traffic matching an intrusion signature was dropped. The parser also enriches events with an ids.severity value even when the original priority field is missing, using the severity field as a fallback. The ML-IDS index is used for machine learning–based intrusion detection, so this improvement ensures that all IPS events are available for advanced threat analytics. As a result, you gain more reliable visibility into detected threats and more consistent intrusion detection outcomes.

  • Updated the NXLog parser to recognize a TenantID value in incoming logs and normalize it into a top-level field. This support applies to both Windows and Linux event formats. The improvement allows you to separate and analyze logs by tenant, ensuring proper field mapping and clearer log segregation in multi-tenant environments.

  • Expanded the Zscaler ZIA (Zscaler Internet Access) Web parser to extract additional fields from web traffic logs, including threat_class, threat_name, app_name, url_category, and rule_label. The parser also improves normalization of these events, ensuring that security detections are consistently represented in Interflow records. These improvements give you deeper visibility into web traffic and threats, making it easier to analyze browsing activity, identify risky applications, and track enforcement of security policies.

  • Updated the Dragos parser to normalize fields such as src_asset_ip and dst_asset_ip into standard IP address fields. This ensures that intrusion and communication events are forwarded to the proper indices and can be fully leveraged in detection workflows. With this improvement, you gain clearer visibility into asset-to-asset communication and suspicious file transfer activity, making Dragos logs more actionable for threat hunting and reporting.

  • Updated the Ericsson Cradlepoint Router parser to support additional fields that appear in certain logs that Cradlepoint routers send. While continuing to support logs in RFC 3164 syslog format, the parser now also supports an extended key-value log format used in some router messages, such as firewall events. This format introduces fields like descr, in, and out.

  • Updated the Ericsson Cradlepoint Router parser to support additional fields that appear in certain logs that Cradlepoint routers send. While continuing to support logs in RFC 3164 syslog format, the parser now also supports an extended key-value log format used in some router messages, such as firewall events. This format introduces fields like descr, in, and out.

    Updated the F5 Big-IP Local Traffic Manager (LTM) parser to support additional message IDs (01490500, 01490004, and 01490010). These messages record session creation and user login activity. The parser now extracts details such as client IP address, virtual IP (VIP) address of a load-balanced service, session ID, and SSL certificate values, giving you more complete visibility into user sessions and authentication behavior on F5 devices.

  • Enhanced the NXLog parser to better handle Windows DNS Server logs. The update moved SourceModuleType and SourceModuleName under the nxlog field, added normalization rules for DNS events, and ensured these logs are routed to the Windows Events index instead of Syslog. With these adjustments, DNS activity appears in the same index as other Windows event data, making it easier to correlate events, run targeted queries, and build consistent reports.

  • Expanded the NXLog parser to handle additional Windows DNS Server log formats and updated normalization rules for greater consistency. The parser now routes DNS events to the Windows Events index, ensuring accurate field extraction and proper separation from syslog data. These improvements give you clearer visibility into DNS activity and more reliable results when investigating network and name resolution issues.

  • Enhanced the Relianoid WAF parser, which ingests logs from a Relianoid application delivery controller (ADC) with integrated web application firewall (WAF) capabilities. The relianoid_waf.custom_value_3 field was renamed to relianoid_waf.target_name, and a new relianoid_waf.custom_value_3 now captures values from ModSecurity messages. These updates resolve cases where only metadata was parsed and the rest of the WAF message was left in JSON.

  • Expanded the Fortimail parser to extract and enrich more information from email logs. The update added fields in the fortinet namespace, parsed email session details (from, to, subject), and enriched email_authentication values. It also promoted network-related fields such as srcip and dstip to the top level and added support for parsing values like checksum. These improvements provide richer context for Fortimail events, making it easier to analyze email activity and security outcomes..

  • Updated the parser so Gatekeeper (Xshield 3.0) logs are categorized under firewall instead of endpoint, with dev_class (msg_class) also set to firewall. Xprotect logs are now categorized under endpoint instead of xdr, while dev_class (msg_class) remains colortokens_xprotect. These adjustments provide consistent classification for ColorTokens products, ensuring queries and reports reflect their correct roles.

  • Updated the Checkpoint Harmony EP parser to increase syslog_appname size, handle escaped JSON format, parse mail session details, and support multiple files parsed into file_ list. These enhancements provide broader coverage of Harmony EP logs and make related events easier to analyze.

  • Updated the Fortinet FortiGate parser to normalize the remip field (the Fortinet label for the remote IP address of the client) into the standard srcip field. The parser also now maps SSL VPN login outcomes more clearly, setting login_result=fail when action=ssl-login-fail and login_result=success when action=ssl-new-con. These improvements give you more accurate and consistent records of VPN login activity, making it easier to monitor remote access attempts and investigate authentication issues.

Early Access Program

If you're interested in testing out new features ahead of general availability, consider joining the Early Access Program (EAP) by contacting your Stellar Cyber Customer Success representative and telling them which EAP feature you want to test. Once you've agreed to the EAP terms and signed up, the EAP feature is unlocked for you.

The purpose of this program is to boost performance and reliability through real-world customer insights, giving you a hands-on role in shaping a Stellar Cyber feature. In return, you'll receive early access to upcoming releases and the chance to guide product development.

The following features are available in the Early Access Program in this release:

Customizable Case Correlation Strategies

This EAP feature introduces support for multiple case correlation strategies, allowing teams to evaluate and experiment with different approaches to grouping alerts into cases. Each strategy provides a distinct investigative perspective:

  • Attacker-Centric Correlation groups alerts by the source (attacker) host, making it easier to track adversary behavior across multiple targets.

  • Victim-Centric Correlation organizes alerts by the destination (victim) host, enabling focused protection and visibility on high-value assets.

  • Multi-Entity Correlation links alerts across interconnected hosts and actions to form a single case, offering a holistic view of extended or lateral attack campaigns.

This flexibility enables security teams to tailor investigations based on their operational priorities—whether that’s identifying persistently targeted endpoints, tracing threat actor movements, or capturing full-scale intrusion campaigns. To join the EAP and begin testing these correlation strategies, contact your Stellar Cyber Customer Success representative.

Reports

This release expands reporting capabilities with several options available in the Early Access Program.

  • To increase scheduling flexibility, reports can now be set to run on the Nth Day of the Month (for example, the 30th) or the Nth Weekday of the Month (for example, the third Thursday). These options ensure reports align more precisely with business and compliance requirements.

  • In addition, a new cover theme capability enables customizable report covers. You can apply background images, set color palettes, choose whether to display a logo, and add optional footer text such as confidentiality notices. In multi-tenant environments, separate cover themes can be maintained for different tenants to support branding needs.

Alert for Suspicious OCI Tenant-to-Tenant Communication

This EAP feature introduces a new alert type that detects cross-tenancy communications in the Oracle Cloud Infrastructure (OCI). By analyzing tenantId fields in audit logs, the feature identifies requests that target resources in a different tenancy. This provides accurate visibility into potentially unauthorized cross-tenancy activity and strengthens oversight in OCI environments.

To join the EAP and begin testing this alert type, contact your Stellar Cyber Customer Success representative.

Resolved Issues

Stellar Cyber Platform System Requirements

You must install the Stellar Cyber Platform in an environment that meets or exceeds minimum system requirements. Refer to the following sections for the minimum system requirements for different target environments:

System Requirements for Cluster Installation in VMware ESXi

You can install the Stellar Cyber platform on a dedicated ESXi server running VMware ESXi 8.0, 7.0 or 6.7. The target ESXi server must have sufficient resources to support separate virtual machines for the Data Analyzer, Data Lake, and, if installing as an Integrated Data Processor, the Modular Sensor. The specifications in the table below are sufficient to support a Stellar Cyber deployment with up to 300GB of daily ingestion.

Keep in mind the following:

  • Each VM (DA, DL, and MDS) must be thick-provisioned and requires 500 GB of SSD disk space.

  • You can install all three of the VMs in the same datastore if there is sufficient space for both the VMs and the 12+ TB required for the Data Lake's ElasticSearch data. However, Stellar Cyber recommends that the Data Lake uses a dedicated datastore.

Deployment Type Resource Host DL DA MDS
Recommended (Production)
(DL and DA VMs)		 CPU/vCPU 44 physical (88 cores/hyperthreads) 40 44 -
RAM (GB) 256 136 64 -
OS SSD Disk Space 1 TB 500 GB 500 GB -
Data Lake SSD Disk Space 16 TB 12+ TB - -
Integrated Data Processor
(DL, DA, and MDS VMs)		 CPU/vCPU 44 physical (88 cores/hyperthreads) 28 28 28
RAM (GB) 256 136 64 32
OS SSD Disk Space 1 TB 500 GB 500 GB 500 GB
Data Lake SSD Disk Space 16 TB 12+ TB - -
Minimum Configuration for Separate DP VMs
You can still deploy separate DL and DA VMs so long as the ESXi host is provisioned with sufficient CPUs to support the following minimum configuration:		 CPU/vCPU 16 16 -
RAM (GB) 128 64 -
OS SSD Disk Space 500 GB 500 GB -
Data Lake Disk Space 2+ TB - -

Stellar Cyber supports SSD disks for both the OS and Data Lake drives (SATA, SAS, or NVMe). HDD disks introduce latency and are not supported.

Scaling Up Performance with a DP Cluster

You can configure up to ten DP servers to operate in a cluster to achieve improved Stellar Cyber performance. Stellar Cyber cluster testing indicates the following performance guidelines when adding additional DPs to a cluster:

  • With data replication disabled, the aggregated ingestion throughput grows linearly with the number of DP servers.

  • With data replication enabled (the default), the aggregated ingestion throughput is about 30% lower than the throughput without data replication.

 

Upgrading the Stellar Cyber Platform

You can upgrade the Stellar Cyber Platform from 5.5.0 or later to 6.1.0. You must:

  • Prepare for the upgrade

  • Upgrade the Stellar Cyber Platform to 6.1.0

  • Upgrade the sensors

  • Verify the upgrade

For more detailed instructions, refer to Upgrading Software.

Due to additional functionality and features, resource utilization (CPU and memory) might increase depending on your usage patterns.

Important Note for Air-Gapped Environments: The 6.1.0 release requires connectivity to specific external URLs to enable components included in the installation image, such as Early Access Program functionality and various features and fixes. In air-gapped or dark site environments, where external network access is restricted, these components cannot be enabled after installation. Before upgrading to 6.1.0, confirm that the required connectivity to these URLs is available.

Prepare for the Upgrade

To prepare for the upgrade:

  • Back up the data and configuration
  • Make sure the sensors are up and running
  • Take note of the ingestion rate
  • Take note of the number of alerts
  • Make sure the system health indicator shows
  • Run the pre-upgrade check

Upgrade the Stellar Cyber Platform to 6.1.0

To upgrade the Stellar Cyber Platform to 6.1.0 from a version earlier than 5.5.0, first upgrade to 5.5.0.

  1. Select Settings | ORGANIZATION MANAGEMENT | Software Upgrade.

  2. Choose 6.1.0.

  3. Select START UPGRADE.

Upgrade the Sensors

New features, updated ML algorithms, and enhanced configurations may change ingestion and detection patterns. We recommend the following to ensure a smooth upgrade:

  • Upgrade sensors with the Sandbox and IDS features enabled before sensors with the only the Network Traffic feature enabled. Sensors with Network Traffic enabled send data to sensors with Sandbox and IDS enabled for additional processing.
  • Upgrade sensors in batches instead of all at once.
  • For server sensors (agents):
    • Upgrade a small set of sensors that cover non-critical assets.
    • After 24 hours, ensure that your ingestion is as expected, then upgrade a larger set.
    • After 24 hours, ensure that your ingestion is as expected, then upgrade the remaining server sensors.

CentOS 7.1 Prerequisite – Update curl to 7.29.0-59.el7_9.2 or Higher

Before upgrading any Linux Server Sensors running in CentOS 7.1, you must check your curl version and update it to 7.29.0-59.el7_9.2 or higher in order to use the strong encryption required by the Stellar Cyber platform.

  1. Check your curl version as shown below:

    yum list installed curl

    \* Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile Installed Packages curl.x86_64 7.29.0-19.el7

  2. If the listed version is lower than 7.29.0-59.el7_9.2 (as it is in the example above), use the following commands to update the curl package:

    yum makecache

    yum install curl

  3. If installation of the curl package fails, it is most likely because CentOS is trying to use a repo that has reached its end of life. Try updating the base URL and then reinstall curl. The following sed command makes the necessary changes for most environments to ensure that the updated curl package can be installed:

    sudo sed -i.bak -e 's|^mirrorlist=|#mirrorlist=|' -e 's|^#baseurl=http://mirror.centos.org/centos/\$releasever|baseurl=http://archive.kernel.org/centos-vault/7.9.2009|' /etc/yum.repos.d/CentOS-Base.repo

To upgrade sensors:

You can upgrade a sensor to the most recent release from the two previous releases. This means that you can upgrade a sensor to the 6.1.0 release from any 5.5.x or 6.0.x release.

If you are upgrading a Windows Server Sensor, complete any pending updates for the host Windows machine before upgrading the Server Sensor.

  1. Select System | DATA SOURCE MANAGEMENT | Sensors | Sensors.

    The Sensor List appears.

  2. Select Manage | Software Upgrade.

    The Sensor Software Upgrade page appears.

  3. Choose the target software version.

  4. Choose the target sensors.

  5. Click Submit.

Verify the Upgrade

To verify that the upgrade was successful:

  • Check the Current Software Version on the System | ORGANIZATION MANAGEMENT | Software Upgrade page.
  • Make sure the sensors are up and running.
  • Check the ingestion rate and make sure it is as expected.
  • Check the number of alerts and make sure it is as expected.
  • Check the system health indicator:
    • indicates a perfectly healthy system.
    • indicates minor issues. Monitor the system for 30 minutes. If the issues remain, investigate further.
    • indicates major issues. Contact Technical Support.