Stellar Cyber 6.1.0 Release Notes

Highlights

• Aggregations and Grouping in Queries: Enabled data summarization and statistical analysis directly in the Query Builder, simplifying the process of uncovering trends and insights.

• Expanded Identity Threat Detection: Added new Sigma-based rules for Active Directory (AD) attack detections and geo-anomaly alerts to combat credential theft and privilege escalation.

• ServiceNow Integration Enhancements: Added support for filtering and syncing cases and alerts by multiple tenants or tenant groups to streamline ticketing workflows. This enhancement improves flexibility for MSSPs and multi-tenant environments by ensuring only relevant tenant data is synchronized.

• On-Demand ServiceNow Sync: Added a button so you can immediately synchronize alerts or cases, giving you more control over ticketing workflows.

• Customizable ML Detections: Implemented configuration options for Impossible Travel Anomaly and User Login Location Anomaly alert types, allowing you to align anomaly rules with organizational patterns and reduce false positives.

• CrowdStrike Premium Threat Intelligence: Integrated real-time, high-fidelity Indicators of Compromise (IOCs) directly into Stellar Cyber for faster, more accurate threat detections.

• Advanced Network-Based Detection: Introduced high-fidelity Command and Control (C2) beaconing detection and visibility into new or rare Top-Level Domains (TLDs) to identify stealthy threats earlier.

• Seamless Integrations: Enhanced third-party alert ingestion and new connectors to unify your operations.

• IDS Rule Support: Addressed rule dependencies to ensure Emerging Threats Professional (ETPro) exploit rules function correctly.

• ICMP Tunneling Detection: Implemented a machine-learning (ML) model to improve accuracy and reduce noise in ICMP tunneling alerts.

• Tenant-Level License Visibility: Added views to track license allocations and consumption at the tenant level, providing clear insight into usage per tenant

Actions Required

• Improved the Zscaler Deception parser to categorize events with msg_origin.category set to honeypot. If you use parser-based workflows, dashboards, or rules that depend on this field, verify that they reflect the updated value to ensure uninterrupted data handling.

Behavior Changes

Changes that affect the way users interact with the product or interpret results are listed below.

• DATA-2749: Updated the WatchGuard VPN parser so syslog messages are no longer discarded when they cannot be fully parsed. The raw message is now retained in log.event_description, with fields such as user.name and srcip extracted where available. You might now see more raw WatchGuard VPN syslog events than before, even if not all fields are normalized, which can affect alerts, queries, and storage volume.

• DATA-2731: Updated field mappings in the Relianoid WAF parser, which parses logs from a Relianoid application delivery controller (ADC) with integrated web application firewall (WAF) capabilities. The relianoid_waf.custom_value_3 field was renamed to relianoid_waf.target_name, and a new relianoid_waf.custom_value_3 now captures ModSecurity message values. (ModSecurity is an open-source web application firewall engine.) This update corrects an issue where only metadata was parsed and the remainder of the WAF message was left in JSON. You might now see more parsed fields and different field names in Relianoid WAF logs. This change can affect saved queries, dashboards, or integrations that relied on the old field name, so you might need to adjust filters or reports accordingly. At the same time, the update increases visibility into ModSecurity activity and gives you more complete information for analysis.

• DATA-2708: Refined category and class values in the ColorTokens parser for Gatekeeper (Xshield 3.0) and Xprotect logs to ensure accurate classification.

  • For Gatekeeper, msg_origin.category has changed from endpoint to firewall, and dev_class (msg_class) has changed from colortokens_gatekeeper to firewall.

  • For Xprotect, msg_origin.category has chanfged from xdr to endpoint, while dev_class (msg_class) remains colortokens_xprotect.

  You might now see different categories and classes in parsed ColorTokens logs, which can affect saved queries, dashboards, or integrations that rely on the old values.

Deprecated Features

No features have been deprecated in this release.

Detection/ML

New Features

• AELDEV-59697: Added an Identity Detection tag to ITDR alert types.

  Applied the Identity Detection tag to all existing Identity Threat Detection and Response (ITDR) alert types. The tag now appears in xdr_event.tags for alerts, making it easier to identify and filter identity-related threats during investigations. See Machine Learning Alert Type Details.

• AELDEV-58352: Added support for downloading raw reported phishing email files for deeper analysis.

  Added an option to the Observables section of phishing email alert details to download a raw reported phishing email file. To support phishing investigations more effectively, the download provides complete message content such as headers, embedded URLs, and attachments. The file is password-encrypted when retrieved to prevent accidental execution of malicious content.

• AELDEV-56600: Introduced an alert type for OCI cloud cross-tenancy communications.

  Added the Suspicious OCI Cross Tenancy Communication alert type, which implements an ATH rule to detect cross-tenancy communications in Oracle Cloud Infrastructure (OCI) by comparing tenantId fields in audit logs. The rule flags requests targeting resources in different tenancies, providing accurate identification of cross-tenancy interactions based on OCI audit metadata. This capability strengthens oversight in Oracle Cloud environments by surfacing activity that might indicate unauthorized access or improper cross-tenancy use. The OCI alert type is Early Access Program (EAP). See Machine Learning Alert Type Details.

• AELDEV-56596: Added new Sigma rules for Active Directory detections.

  Added Sigma rules for key Active Directory (AD) threats, including unconstrained delegation, Group Policy Preferences password compromise, one-way domain trust bypass, ntds.dit dumping, Active Directory Certificate Services compromise, Silver Ticket, and Kerberoasting. These rules enable broader integration and standardized rule sharing across detection tools. See Rule-Based Alert Types.

• AELDEV-56249: Enabled rule-based UBA and WAF detections for OCI.

  Enabled existing rule-based User Behavior Analytics (UBA) and Web Application Firewall (WAF) detections for Oracle Cloud Infrastructure (OCI) audit logs. These detections expand coverage for OCI data sources and enhance threat visibility when customers ingest OCI logs into the platform.

• AELDEV-55411: Introduced an alert type to improve ICMP tunneling detection.

  Added the ICMP Based Exfiltration or Tunneling alert type by creating a machine learning (ML) model to strengthen the detection of ICMP tunneling, building on earlier improvements for DNS tunneling. By combining Sigma rule logic with ML-based insights, the model reduces false positives and increases accuracy in identifying ICMP-based exfiltration and tunneling activity. See Machine Learning Alert Type Details.

• AELDEV-55410: Introduced an alert type for user login attempts from multiple geolocations within a 24-hour period.

  Added the Login Attempt Location Count alert type, which is a detection that tracks the number of unique locations from which logins are attempted for a given user within a 24-hour period. The rule identifies login failure patterns where attackers try to disguise activity by switching locations and alerts when a user’s login pattern deviates significantly from their baseline behavior. This feature incorporates all data sources already used in User Login Location Anomaly and Impossible Travel Anomaly alert types and supports more effective monitoring. See Machine Learning Alert Type Details.

• AELDEV-54350: Integrated Broadcom Symantec Endpoint Security third-party alerts.

  Added alert integration for Broadcom Symantec Endpoint Security (SES) incidents, excluding those of type INCIDENT_CLOSURE. Generated alerts use the prefix Broadcom SES Incident followed by the corresponding MITRE technique, for example, Broadcom SES Incident: Data Destruction. See Integration of Third Party Native Alerts.

• AELDEV-53745: Implemented a premium threat intelligence feed for CrowdStrike IOCs.

  Implemented a premium feed for CrowdStrike Indicators of Compromise (IOCs) with integration in Threat Intelligence Platform (TIP). The feed connects to the CrowdStrike Falcon Intel service collection through API-based retrieval using customer credentials, ensuring secure access to curated threat intelligence. By bringing CrowdStrike data directly into the platform, the integration expands coverage of threat intelligence use cases and enhances detection and response capabilities. See Configuring Feeds in the Threat Intelligence Platform.

• AELDEV-53495: Enhanced InSyncs ServiceNow integration to filter cases and alerts by multiple tenants or tenant groups.

  Enhanced InSyncs ServiceNow integration to support filtering of cases and alerts by multiple tenants or tenant groups. This update gives you fine-grained control over synchronization by allowing you to target active tenants or defined tenant groups. By excluding inactive or non-onboarded tenants, the feature reduces resource overhead and improves the efficiency of ServiceNow ticketing workflows. See Using InSyncs.

• AELDEV-53400: Integrated Recorded Future third-party alerts.

  Added alert integration for Recorded Future using the Alert API and Playbook Alert API, covering playbook alert types such as Domain Abuse, Novel Identity Exposure, Data Leakage on Code Repository, Cyber Vulnerability, and Third-Party Risk. The integration adds native alert mapping and improves key field identification so that both standard and playbook alerts from Recorded Future are accurately represented within native alerts, expanding visibility into external threat activity. See Integration of Third Party Native Alerts.

• AELDEV-53334: Enhanced email attachment analysis for auto triage phishing.

  The phishing email auto triage process now leverages a sandbox to automatically analyze the attachments found within the reported phishing emails. The analysis results obtained are used to contribute the final verdict of the phishing email triage.

• AELDEV-53330: Added language model–assisted phishing email content analysis.

  Added language model–assisted content analysis to phishing email auto triage. The analysis now examines reported phishing emails for suspicious content and contributes its findings to the overall verdict along with attachment, domain, and authentication header detections. It produces additional findings when suspicious content is present in the email and classifies the phishing attempt category for clearer context in the alert panel.

• AELDEV-53328: Enhanced the alert summary for phishing email auto triage results.

  Improved the alert summary generation by dynamically integrating the large language model with auto-triage verdict results and related evidence. The alert summary now contains more immediate and important information for review.

• AELDEV-53199: Enabled the manual synchronization of alerts or cases from Stellar Cyber to ServiceNow with a single button push.

  Added a Sync to ServiceNow button on alert and case detail pages to allow manual, one-click synchronization to ServiceNow for otherwise filtered alerts or cases that are not automatically synchronized due to InSyncs ServiceNow configurations. See Using InSyncs.

• AELDEV-52969: Implemented customization options for Impossible Travel Anomaly and User Login Location Anomaly.

  Implemented customization options for Impossible Travel Anomaly and User Login Location Anomaly alert types through the Customization tab on Detections | Detection Management | Impossible Travel Anomaly or User Login Location Anomaly. You can now adjust thresholds and settings to align the alerts with your environment and reduce unnecessary noise. See Using the Detection Management System.

• AELDEV-52877: Integrated Microsoft Defender XDR third-party alerts.

  Added alert integration for Microsoft Defender XDR, limited to alerts with serviceSource: microsoft365Defender. Integrated alerts now appear as native alerts in the format Microsoft Defender XDR: {microsoft_graph_security_api.title}, ensuring consistent representation and easier correlation with other detections in the Stellar Cyber Platform. See Integration of Third Party Native Alerts.

• AELDEV-45296: Introduced an alert type for C2 beaconing traffic patterns.

  Added the Suspected Network Beaconing Activities alert type, which is a new detection mechanism to identify Command and Control (C2) beaconing activities characterized by traffic patterns with fixed intervals. The alert type analyzes regular connection intervals to detect potential C2 activities within a specified period range. See Machine Learning Alert Type Details.

• AELDEV-43556: Introduced an alert type for new and uncommon top-level domains (TLDs) in DNS traffic.

  Added the Uncommon Top-Level Domain Anomaly alert type to detect newly encountered top-level domains (TLDs) within DNS traffic data. This alert type identifies potentially suspicious domains that have not been previously observed, enhancing threat alert capabilities by flagging uncommon TLDs that may indicate malicious activity. See Machine Learning Alert Type Details.

• AELDEV-40061: Integrated Palo Alto CORTEX XDR third-party alerts.

  Added alert integration for Palo Alto CORTEX XDR, including the following sources and alert type formats:

  • PAN NGFW – Palo Alto Networks Cortex XDR (PAN NGFW): palo_alto_networks.name
  • XDR Agent – Palo Alto Networks Cortex XDR (XDR Agent): palo_alto_networks.name
  • XDR Analytics BIOC – Palo Alto Networks Cortex XDR (XDR Analytics BIOC): palo_alto_networks.name
  • XDR BIOC – Palo Alto Networks Cortex XDR (XDR BIOC): palo_alto_networks.name
  • XDR IOC – Palo Alto Networks Cortex XDR (XDR IOC): palo_alto_networks.name

  See Integration of Third Party Native Alerts.

Improvements

• AELDEV-57303: Addressed an IDS rule dependency issue that affected ETPro exploit rules.

  Added and enabled shadow IDS rules to fulfill Suricata flowbits dependencies in certain Emerging Threats Professional (ETPro) exploit rules. These shadow rules are included in the aelladata.rules file, which is enabled by default, and restore proper functioning of affected rules. The fix requires that this rule file remain enabled in the sensor profile.

• AELDEV-45302: Enhanced case correlation to include summarized observables in alerts.

  Enhanced case correlation logic to incorporate summarized users, hosts, and other observables from alerts with event summaries. This improvement increases correlation accuracy and provides more comprehensive context in case management. Case graphs now display observables from event summaries, offering a more complete view of each case.

Usability

New Features

• AELDEV-61469: Added ITDR and NDR Alert Dashboards.

  Added new dashboards for Identity Threat Detection and Response (ITDR) and Network Detection and Response (NDR) in the General Reports category. These dashboards highlight trends and statistics across ITDR and NDR alerts, providing analysts with a consolidated view of notable activity and supporting faster investigations.

• AELDEV-59216: Enabled display of tenant logos in PDF reports.

  Extended tenant logo functionality so that uploaded tenant logos can appear on Executive Summary and Case reports. This change replaces the single system logo set at the root level, allowing each tenant to present its own branding.

• AELDEV-58316: Added link to Coverage Analyzer under Detections in navigation.

  Added a link to the Coverage Analyzer app under Detections in the main navigation. The link opens the external coverage analysis tool in a new tab.

• AELDEV-57155: Enabled 2-byte character support in chart names across UI and API.

  Enabled 2-byte character support in chart names through updated UI and API validations. This enhancement improves internationalization by allowing you to name charts using characters from languages such as Japanese, Chinese, or Korean.

• AELDEV-56353: Added support for downloading raw email files from the user interface.

  Implemented a feature that lets you download original email files (.eml) for a suspected phishing email directly from the Alert view for further analysis. Select the Download Raw Email button in the Observables section.

• AELDEV-56166: Implemented the automatic retry of UI requests with 502 errors.

  Implemented an automatic retry mechanism for requests that encounter temporary bad gateway errors (HTTP 502) when you're accessing the Stellar Cyber UI. By attempting several retries before showing an error, Stellar Cyber helps you avoid interruptions from transient network issues that often resolve quickly. Because the retry logic applies across the entire UI, you benefit from smoother performance without disruption from short-lived server errors.

• AELDEV-55345: Supported TLS 1.3 for mail server connections on port 465.

  Enhanced the mail server connection to support the TLS 1.3 protocol for increased security on configurations using port 465 and SSL/TLS connection security settings. This update allows seamless integration for systems configured with TLS 1.3, ensuring compatibility and maintaining secure email communications.

• AELDEV-54965: Introduced new API endpoints for sensor management.

  Introduced multiple API endpoints to /sensors that let you initiate upgrades to the latest sensor software version, list available sensor profiles, and manage sensor assignment, authorization, and deauthorization. Through these APIs, you can automate routine sensor management tasks and integrate them more easily into external workflows. Refer to the 6.1.0 section in the API Reference (Swagger) for usage details.

• AELDEV-54276: Added Group-By and Aggregations in Query Builder

  Introduced aggregation capabilities in the Query Builder, allowing users to apply functions like COUNT, DISTINCT COUNT, SUM, AVG, MIN, and MAX. Users can now group by multiple fields and filter aggregated values. The results are displayed in a structured table format, supporting both multiple group-by fields and aggregated metrics. These enhancements enable efficient analysis of event counts, averages, and trends within the data, facilitating better insight extraction and statistical summaries.

• AELDEV-54206: Introduced CrowdStrike IOC premium connector for threat intelligence integration.

  Implemented the CrowdStrike Indicators of Compromise (IOC) premium connector to integrate external threat intelligence into the Stellar Cyber Platform. You can configure the connector with a backfill range of 1–14 days (default 3 days) and a polling frequency of 1–24 hours (default 4 hours). Through these options, you can set the volume and freshness of threat intelligence data, ensuring a secure and customizable feed that aligns with your operational needs.

• AELDEV-53422: Added a test button for the Remote Host connector type.

  Added a test button to the Remote Host connector type so you can verify connection status directly from the Stellar Cyber user interface. The UI also displays the most recent connection status, giving you immediate feedback on connector health.

• AELDEV-53362: Enhanced ServiceNow integration to filter cases and alerts by multiple tenants or tenant groups.

  Enabled the selection of multiple tenants or tenant groups for case and alert synchronization in ServiceNow integrations. This enhancement gives you finer control over ticketing workflows, letting you target only active tenants and reduce unnecessary synchronization during onboarding or resource allocation.

• AELDEV-53051: Added a feature to sync alerts or cases manually to ServiceNow with a button click.

  Introduced a Sync to ServiceNow button on alert and case detail pages in the Stellar Cyber Platform. The feature lets you send alerts or cases to ServiceNow manually with mapped fields, synchronized status updates, and feedback on success or error. You can also retry failed syncs, making it easier to ensure tickets are properly transferred when needed.

• AELDEV-48115: Added tenant-level license visibility.

  Added tenant-level views for license allocations and consumption. These views mirror existing root tenant functionality, but show statistics specific to a single tenant, enabling clearer insight into license usage.

• AELDEV-44915: Added a public API endpoint for daily entity usage reporting with tenant filtering.

  Implemented a public API endpoint (/entity_usages/daily_count/{scope}) that provides daily entity usage counts with filtering by tenant ID. You can request historical daily counts in a format similar to the Asset Usage UI and integrate the data with automated reporting systems. The API supports retrieving both maximum and per-day entity counts for each tenant, giving you more flexibility in analyzing usage patterns. Refer to the 6.1.0 section in the API Reference (Swagger) for usage details.

Improvements

• AELDEV-58081: Noted in the UI that capturing raw logs only works with built-in log parsers.

  Updated the Modular Sensor profile to display Built in parsers only next to the Raw Log Capture setting. The note clarifies that Raw Log Capture is supported only for built-in log parsers and prevents confusion about when this option takes effect.

• AELDEV-57960: Added flexible scheduling options for monthly report generation.

  Enhanced the monthly report scheduling feature by introducing flexible options. You can now schedule reports for a specific day of the month and on the Nth weekday within a month. These options provide greater control and adaptability in your report scheduling.

• AELDEV-54966: Added Case ID to available columns of the query builder results table

  Enhanced the query builder results table by adding Case ID as an available column when viewing test results for case filters. This update helps in uniquely identifying cases, addressing confusion from duplicate case names. This column is visible by default.

• AELDEV-54551: Removed an unused column from the Sensor Profiles page.

  Removed a column labeled Dev Conf Pre Dpi Traffic Filtering Ipranges from System | DATA SOURCE MANAGEMENT | Sensors | Sensor Profiles, improving display clarity.

• AELDEV-54481: Renamed the Agent tab as Linux in the standard sensor profile configuration.

  Renamed the Agent tab as Linux in the standard sensor profile configuration panel to distinguish Linux and Windows sensor configurations more clearly. The update changes only the display label and does not affect APIs or sensor functionality.

Stellar Cyber Platform

New Features

• AELDEV-55033: Enabled configuration backup using S3-compatible storage.

  Added support for configuration backup using S3-compatible storage solutions such as Wasabi and MinIO. This capability provides a secure, long-term backup option for on-premises environments and aligns configuration management with existing data storage methods.

• AELDEV-45039: Added a public API endpoint for creating connector monitoring actions in the System Action Center.

  Added a public API endpoint (/rules/connector-monitoring) to create and manage connector monitoring actions in the System Action Center. This enhancement enables programmatic workflows and integration with external systems, giving advanced users more flexibility to automate monitoring and streamline operations. Refer to the API Reference (Swagger) for usage details.

Improvements

• AELDEV-58569: Implemented credential masking for LDAP passwords in log fields.

  Extended existing password anonymization to mask LDAP passwords in the metadata.request.auth_simple field, replacing clear text with asterisks. Credential masking now applies consistently across all authentication types, strengthening both security and privacy.

• AELDEV-58411: Updated AWS CloudTrail enrichment for deprecated fields.

  Updated AWS CloudTrail enrichment to adjust for the deprecation of userIdentity.principalId and userIdentity.userName. The enrichment now prioritizes userIdentity.onBehalfOf.userId and responseElements.user.meta.createdBy for user IDs, and additionalEventData.UserName for user names. These changes ensure reliable processing and maintain enrichment accuracy without relying on deprecated attributes.

Sensors

New Features

There are no new Sensor features in this release.

Improvements

• AELDEV-59042: Improved sensor performance for UDP log forwarding.

  Enhanced sensor efficiency to increase event throughput over UDP by as much as one-third. With this improvement, sensors can handle larger data volumes more reliably, reducing the risk of dropped events in high-traffic environments and giving you more capacity headroom to accommodate traffic spikes.

• AELDEV-58940: Improved dark site package support for upgrades on Ubuntu 22.04.

  Resolved package dependency issues that caused upgrades from version 5.5.0 to 6.0.0 to fail on dark site management data sensors running Ubuntu 22.04. With this fix, upgrades now complete successfully and align with the supported Suricata version. The change improves reliability and ensures a smoother upgrade path for dark site deployments, reducing the risk of downtime during version transitions.

• AELDEV-55517: Added parsing for FailureReason in Windows event ID 4625.

  Enhanced the Windows Server Sensor to parse and display the failure reason for logon failures recorded as event ID 4625. The parsed value appears in a new FailureReasonString field, providing a human-readable explanation such as Unknown user name or bad password. This improvement makes it easier to understand and investigate failed logon attempts.

• AELDEV-55481: Enhanced support for ADFS log collection in the sensor profile configuration.

  Updated the Standard Sensor profile to include the AD FS/Admin log channel in the Other Channels list, increasing visibility into authentication activity from Active Directory Federation Services (ADFS). The parser now normalizes ADFS logs so they integrate seamlessly with existing Windows Event Log categories, eliminating the need for third-party tools and simplifying investigations.

• AELDEV-54961: Corrected service status display in the Sensor Details page.

  Corrected the Service Status field in the Sensor Details page (System | DATA SOURCE MANAGEMENT | Sensors | Sensors |sensor-name) so it accurately reflects whether the Malware Sandbox is enabled or disabled. The fix aligns the UI with the results of the show module command, giving you a consistent view of the sandbox status in environments running a Modular Sensor version of 5.2.0 or later.

• AELDEV-54203: Improved sensor stability under heavy network traffic.

  Enhanced sensor reliability to ensure continued packet processing during network spikes or overload conditions. The improvement eliminates a limitation observed on Ubuntu 16.04, which could cause sensors to stop processing traffic under stress. For the best performance, upgrade sensors to Ubuntu 22.04 and use PCI passthrough to reduce CPU utilization on ESXi hosts. These measures help prevent service disruption during high-traffic scenarios.

• AELDEV-54066: Added support for copying captured PCAP files from a Modular Sensor to the Data Processor.

  Added functionality to copy captured PCAP files from the CLI of a Modular Sensor directly to a Data Processor (DP) or other remote destination. You can use the copy captured_pcap <source> <destination> command to transfer PCAP files efficiently, reducing manual steps and accelerating data handling for analysis.

• AELDEV-53711: Updated Windows Server Sensor to 64-bit binaries.

  Converted all Windows Server Sensor binaries to 64-bit to improve compatibility and performance in modern Windows environments.

• AELDEV-53567: Improved remote CLI responsiveness for Linux-based sensors.

  Improved the responsiveness of remote CLI operations on sensors that run on Linux, including Linux Server Sensors, Modular Sensors, and Device Sensors. With shorter polling intervals and streamlined handling, commands return results more quickly and reliably across these sensor types. This enhancement reduces timeouts and helps you manage sensors more efficiently from the command line.

• AELDEV-51171: Added CLI support of MTU configurations on sensors.

  Added CLI commands that let you configure Maximum Transmission Unit (MTU) values on sensor interfaces. By default, sensors use an MTU of 1500, but you can now set values up to 9000 to support environments such as Oracle Cloud Infrastructure (OCI) and FortiGate firewalls. This flexibility helps you prevent traffic drops and adapt sensor networking to match your deployment requirements.

Connectors

New Features

• AELDEV-58039: Introduced the WatchGuard connector.

  Added the WatchGuard connector to support response actions that let you block sites and create blocked sites exceptions directly through the WatchGuard Firebox API. By automating these actions, you can enforce security policies more quickly and reduce reliance on manual configurations. The integration uses dedicated webhook templates that align with WatchGuard Fireware v12.5.3 or later, improving efficiency in firewall response management. These new response actions are available when you create Automated Threat Hunting playbooks under System | Automation | Automation. See Configuring WatchGuard Firebox Responder Connectors.

• AELDEV-55936: Introduced the CODA Footprint connector.

  Added the CODA Footprint connector to ingest device and alert data, including vulnerability scan results. The integration supports multi-tenant environments making it easier to adopt for existing users. Scan data is ingested every eight hours, helping you quickly identify exposed devices, correlate them with alerts, and improve the efficiency of threat detection workflows. See Configuring CODA Footprint Connectors.

• AELDEV-55067: Introduced the BeyondTrust connector.

  Added the BeyondTrust connector to retrieve remote support session logs from the SupportSession endpoint. The connector parses and normalizes the data for real-time monitoring and anomaly detection, helping you identify unusual remote access activity. See Configuring BeyondTrust Connectors.

• AELDEV-54798: Introduced the Microsoft Graph Intune connector.

  Added the Microsoft Graph Intune connector to support Intune API endpoints, including devices, compliance policies, and audit events. The connector uses the Microsoft Graph API for authentication and data collection, giving you broader visibility into Intune-managed assets and policy enforcement. See Configuring Microsoft Graph Intune Connectors.

• AELDEV-53687: Introduced the Group-IB connector.

  Added the Group-IB connector to ingest alerts, incidents, and assets from Group-IB, a global cybersecurity company specializing in threat intelligence and fraud protection. The connector integrates data from the Group-IB Alerts and Incidents APIs, giving you greater visibility into threats and asset activity and enabling stronger correlation with other security data sources. See Configuring Group-IB Connectors.

• AELDEV-53493: Introduced the Coro connector.

  Added the Coro connector to ingest security ticket data. The integration centralizes Coro incidents alongside other security events, providing enriched visibility, stronger threat detection, and streamlined incident management. By consolidating Coro ticket data with other sources, you gain a more complete view of user activity, compliance issues, and security alerts, helping reduce alert fatigue and improve SOC efficiency. See Configuring Coro Connectors.

• AELDEV-53058: Introduced the Azure NSG connector.

  Added the Azure Network Security Group (NSG) connector to support response actions to automatically block or unblock IP addresses. These actions dynamically update NSG firewall rules in your Azure environment, giving you faster, automated control to contain threats or restore access when needed. See Configuring Azure NSG Connectors.

• AELDEV-52836: Introduced the Hoxhunt connector.

  Added a connector for Hoxhunt to ingest email incidents, threats, and user data. The connector collects and normalizes logs, giving you comprehensive visibility into Hoxhunt-provided security events and enabling more effective monitoring and threat analysis. See Configuring Hoxhunt Connectors.

• AELDEV-45664: Introduced the Tenable Cloud Security connector.

  Added a connector for Tenable Cloud Security to retrieve vulnerability findings. The connector collects scan results, similar to other Tenable connectors. With this integration, you can centralize Tenable Cloud Security findings in the Stellar Cyber Platform for unified visibility and streamlined threat detection. See Configuring Tenable Cloud Security Connectors.

• AELDEV-45086: Introduced the VadeSecure connector.

  Added a connector for VadeSecure, a cloud-based antispam and email security solution, to ingest email logs into the Stellar Cyber Platform. With this integration, you can monitor emails flagged as malicious or quarantined in VadeSecure and correlate them with other data sources to strengthen phishing and malware detection. The connector requires admin permissions in VadeSecure for configuration. See Configuring VadeSecure Connectors.

• AELDEV-43453: Introduced the Aruba Central connector.

  Added a connector for Aruba Central that ingests audit logs and monitoring events through the Aruba Central API. The integration provides visibility into administrative activity and device monitoring data, helping you track configuration changes and monitor network health in the Stellar Cyber Platform. See Configuring Aruba Central Connectors.

• AELDEV-31741: Introduced the Verkada connector.

  Added a connector for Verkada to ingest device information, camera data, audit logs, and access events. The integration provides visibility into Verkada-managed physical security systems, enabling you to monitor cameras and sensors, track administrative activity, and correlate access events with other security data for improved threat detection and response. See Configuring Verkada Connectors.

Improvements

• AELDEV-58427: Updated the Cato Networks connector to add the Stories content type.

  Updated the Cato Networks connector to collect and ingest the Stories content type, which represents correlated security incidents identified within the Cato Networks platform. By bringing these incident stories into the Stellar Cyber Platform, you gain additional context for threat analysis, helping you track multi-step attacks and prioritize response actions more effectively. See Configuring Cato Networks Connectors.

• AELDEV-57855: Enhanced the processing of vpcflow logs in the Amazon Security Lake connector.

  Optimized data handling for vpcflow logs, which are detailed network flow records generated within AWS virtual private clouds. This improvement reduces ingestion delays and processing overhead in the Amazon Security Lake connector, giving you smoother visibility into cloud traffic patterns and faster access to high-volume flow data for threat detection and compliance monitoring. See Configuring Amazon Security Lake Connectors.

• AELDEV-57416: Standardized source attribution for msgtype 99 entries in Sophos Central logs.

  Implemented explicit tagging of msgtype 99 data entries in Sophos logs so that the msg_origin.source field is consistently set to sophos. Msgtype 99 entries are specialized log records generated by Sophos devices, and without this adjustment they could create duplicate or misattributed asset records. With the correction, you gain more accurate source identification, which simplifies log management and strengthens reliability in asset detail reporting. See Configuring Sophos Central Connectors.

• AELDEV-57304: Updated the Malwarebytes OneView connector name to ThreatDown OneView.

  Replaced occurrences of the connector name Malwarebytes OneView with ThreatDown OneView across the user interface, including the connector list, configuration screen, and related documentation. This update aligns the Stellar Cyber Platform with the vendor’s current branding but does not affect how the connector functions, so you can continue using it without making any configuration changes. See Configuring ThreatDown OneView Connectors.

• AELDEV-57288: Enhanced InSyncs ServiceNow integration to support multi-tenant case and alert filtering.

  Introduced enhancements in the InSyncs ServiceNow integration to enable users to select multiple tenants or tenant groups for case and alert synchronization. This update allows more granular control over which tenant data is synchronized, specifically addressing the needs during client onboarding by preventing unnecessary resource usage. The implementation includes the ability to create and manage tenant groups and an improved user interface for managing synchronization settings, ensuring only selected tenant or group data is processed. See Using InSyncs.

• AELDEV-57230: Improved routing and normalization for Cato Networks connector.

  Changed the index from Syslog to Traffic for Cato Networks connector. The logs are now routed to the Traffic index. Updated parsing and routing logic for Cato Networks WAN and Internet Firewall events to align with standard firewall detection features. Logs are now correctly normalized with fields such as srcip, dstip, dport, action, and proto, ensuring consistency in detection capabilities. Support for srcport and protocol fields was also added to meet the five-tuple requirement. Country information is now parsed into normalized fields, improving alignment with existing firewall logic and enhancing overall detectability. See Configuring Cato Networks Connectors.

• AELDEV-56676: Enhanced Broadcom SES normalization for improved alert integration.

  Extended normalization capabilities for Broadcom SES to improve how alerts are correlated and displayed. File details such as hashes (SHA1, SHA2, MD5) and file paths, which previously appeared inconsistently within process.file and parent.file records, are now standardized into normalized fields. This adjustment ensures that file information is attributed correctly in alerts, giving you more accurate visibility into process activity and strengthening compatibility with detection and investigation workflows. See Configuring Broadcom Symantec Endpoint Security (SES) Connectors.

• AELDEV-56606: Normalized OCI fields for WAF detection in log entries.

  Normalized Oracle Cloud Infrastructure (OCI) log entries by updating msg_origin.category from paas to waf and changing msg_class to oracle_cloud_waf for WAF logs. In addition, an accurate mapping of fields like action and requestProtection.matchedRules were aligned with standard WAF log requirements. These changes facilitate enhanced detection capabilities for Web Application Firewall (WAF) activity by standardizing log data format according to the WAF data normalization guidelines. See Configuring Oracle Cloud Infrastructure (OCI) Streaming Connectors.

• AELDEV-56604: Normalized OCI fields to enhance UBA detection.

  Normalized Oracle Cloud Infrastructure (OCI) fields for improved User Behavior Analytics (UBA) detection. Event IDs were mapped to login outcomes to ensure seamless integration through the alignment of actor names, IDs, and client IP addresses for log analysis. See Configuring Oracle Cloud Infrastructure (OCI) Streaming Connectors.

• AELDEV-55902: Enhanced the Cisco FMC respond connector to run on sensors.

  Enhanced the Cisco FMC respond connector to run on sensors in addition to the Data Processor, improving security by avoiding exposure of firewall management to public networks. This change supports private network requirements by localizing the execution environment, minimizing network vulnerabilities, and keeping configuration and management processes strictly within the secure boundary of each sensor deployment. See Configuring Cisco Firewall Management Center (FMC) Connectors.

• AELDEV-55900: Enhanced the Trend Micro Vision One connector to collect Audit Logs.

  Enhanced the Trend Micro Vision One connector to add the Audit Logs content type. These logs record user actions and system configuration changes. This enhancement gives you greater visibility into administrative activities, stronger accountability, and improved forensic investigations. See Configuring Trend Micro Vision One Connectors.

• AELDEV-54869: Enhanced the Qualys Connector to collect Activity Logs.

  Enhanced the Qualys connector to add the Activity Logs content type. These logs capture audit activities within Qualys, giving you clearer visibility into system operations and helping you detect potential issues more quickly. See Configuring Qualys Connectors.

• AELDEV-51008: Updated Trend Micro Email Security normalization

  Adjusted normalization in the Trend Micro Email Security connector so the srcip field is now populated from the original senderIP field. This change affects the Mail Tracking Logs - Accepted Traffic and Mail Tracking Logs - Blocked Traffic content types, ensuring consistent source IP address attribution across email tracking logs and improving accuracy in detection and analysis. See Configuring Trend Micro Email Security Connectors.

• AELDEV-48062: Enhanced vulnerability data integration for the Microsoft Defender for Endpoint connector.

  Enhanced the Microsoft Defender for Endpoint connector to collect and parse vulnerability data into the Scan index instead of the Syslog index. Vulnerability records are now enriched with machine details through machine ID lookups, ensuring host information is consistently included. These changes strengthen asset correlation and reporting, giving you more accurate tracking and association of vulnerabilities with specific endpoints. See Configuring Microsoft Defender for Endpoint Connectors.

• AELDEV-38089: Enhanced Palo Alto Networks CORTEX XDR connector with endpoint response actions.

  Enhanced the Palo Alto Networks CORTEX XDR connector to support isolating endpoints and releasing them from isolation. The responder lets you contain compromised hosts directly from the Stellar Cyber Platform and then restore normal connectivity once remediation is complete. See Configuring Palo Alto Networks CORTEX XDR Connectors.

Parsers

New Features

• DATA-2896: Introduced a parser for ingesting SECUi Bluemax NGF logs.

  Added a built-in parser for ingesting SECUi Bluemax NGF logs in regex (header) + CSV (body) format on port 5938. The parser uses regex to capture the header information and CSV parsing for the payload. It correctly interprets timestamps and normalizes firewall event fields, enabling accurate mapping into Interflow records. Well-documented log types, such as ha_status_cnt, ha_traffic_cnt, nat_traffic, and nat_rule_traffic, are fully parsed, while undocumented or mismatched formats are partially parsed, with unrecognized content stored in the log.event_description field. This approach ensures stable ingestion even when customer log formats deviate from available documentation, while still providing actionable analytics for supported event types.

• DATA-2875: Introduced a parser for ingesting Seqrite Endpoint Security logs.

  Added a built-in parser for ingesting Seqrite Endpoint Security logs in custom CEF format on port 5943.

• DATA-2874: Introduced a parser for ingesting Fortinet FortiDeceptor logs.

  Added a built-in parser for ingesting Fortinet FortiDeceptor logs in key-value pair (KVP) format on port 5944.

• DATA-2873: Introduced a parser for ingesting Cohesity logs.

  Added a built-in parser for ingesting Cohesity logs formatted with an RFC 3164 syslog header and an RFC 5424 syslog timestamp on port 5942.

• DATA-2870: Introduced a parser for ingesting Tait Communications Tait Dynamic Analysis logs.

  Added a built-in parser for ingesting Tait Communications Tait Dynamic Analysis logs in RFC 5424 syslog format on port 5940.

• DATA-2859: Introduced a parser for ingesting Tait Communications RFSS Controller logs.

  Added a built-in parser for ingesting Tait Communications RFSS Controller logs in RFC 3164 syslog format on port 5941.

• DATA-2853: Introduced a parser for ingesting Dell EMC PowerScale Isilon logs.

  Added a built-in parser for ingesting Dell EMC PowerScale Isilon logs in PSV format on port 5937.

• DATA-2851: Introduced a parser for ingesting Link11 WAAP logs.

  Added a built-in parser for ingesting Link11 WAAP logs in RFC 5424 syslog format on port 5934.

• DATA-2844: Introduced a parser for ingesting GHX Exchange logs.

  Added a built-in parser for ingesting GHX Exchange logs in RFC 3164 syslog format on port 5932.

• DATA-2834: Introduced a parser for ingesting F5 WAAP logs.

  Added a built-in parser for ingesting F5 WAAP logs in JSON format on port 5930.

• DATA-2825: Introduced a parser for ingesting Gigamon logs.

  Added a built-in parser for ingesting Gigamon logs in CEF format on port 5929.

• DATA-2810: Introduced a parser for ingesting HTTP Datto EDR logs.

  Added a built-in parser for ingesting HTTP Datto EDR logs in JSON format on port 5927.

• DATA-2803: Introduced a parser for ingesting Ubiquiti UDM Pro logs.

  Added a built-in parser for ingesting Ubiquiti UDM Pro logs in RFC 3164 syslog + KVP format on port 5926.

• DATA-2777: Introduced a parser for ingesting AIONCLOUD WAF logs.

  Added a built-in parser for ingesting AIONCLOUD WAF logs in pipe-separated-values (PSV) format on port 5933.

• DATA-2766: Introduced a parser for ingesting Nextcloud logs.

  Added a built-in parser for ingesting Nextcloud logs in RFC 3164 syslog + JSON format on port 5935.

• DATA-2760: Introduced a parser for ingesting BullWall RansomCare logs.

  Added a built-in parser for ingesting BullWall RansomCare logs in timestamp + HTML format on port 5928.

• DATA-2600: Introduced a parser for ingesting Cisco Meraki logs.

  Added a built-in parser for ingesting Cisco Meraki logs in a custom syslog format on port 5931.

Improvements

• DATA-2914: Fixed a date parsing issue in the Cynet syslog parser.

  Corrected the Cynet 360 (CEF) parser to properly interpret the rt field, which represents the receipt time, in syslog events. The parser previously misread dates in the format 08/05/2025 10:32:00 as May 8 instead of August 5, because it defaulted to a day–month–year order instead of month–day–year. This improvement ensures that timestamps are now parsed according to the intended format, producing accurate event timelines in Interflow records and eliminating inconsistencies between event_time and other time fields.

• DATA-2887: Resolved an issue with the Symantec Endpoint Manager parser.

  Corrected the Symantec Endpoint Manager parser to handle Virus Found events properly. This fix ensures that virus detection events now extract and normalize the correct virus name, and the srcip_host field consistently reflects valid host information. These improvements prevent misleading values in Interflow records and improve the accuracy of investigations based on endpoint data.

• DATA-2885: Improved the VMware UAG parser for unsupported formats.

  Expanded the VMware UAG (Unified Access Gateway) parser to support additional log formats introduced in version 23.12. The update extracts key network fields, including srcip, srcport, dstip, and dstport, and stores other new fields under the vmware namespace. The parser also now tolerates cases where a space is missing between the syslog_appname and thread_id fields, preventing parsing errors. In addition, the store_raw_msg parameter is set to false, reducing unnecessary data storage. These improvements increase parser reliability and ensure accurate normalization of network events from VMware UAG logs.

• DATA-2884: Enhanced the parser for Zimbra Email Postfix logs.

  Expanded the Zimbra Email parser to support additional Postfix log formats, which are generated by the Postfix Mail Transfer Agent (MTA) responsible for routing and delivering email. The update parses SMTP status codes, including status_code defined in RFC 5321 and enhanced_status_code defined in RFC 3463, under the zimbra_email namespace.

  The parser also extracts destination server, user, and queue details, along with additional fields such as sasl_username, now normalized to user.name. Values like warning and statistics are mapped to the tag field, while queue identifiers such as NOQUEUE are normalized to the queue field.

  In addition, the event.description field is shortened when key-value pairs are extracted, reducing redundancy. These enhancements provide fuller visibility into email delivery activity and improve the accuracy of investigations.

• DATA-2878: Updated the Perception Point X-Ray parser for a new syslog header.

  Enhanced the Perception Point X-Ray parser, which processes logs from the cloud-based email security platform, to support a new syslog header format. The update improves field mapping and normalization for email security events, preventing logs from being rejected with an Unsupported format message. These changes ensure that supported event types are correctly parsed and reflected in Interflow records, providing more accurate reporting across both on-premises and SaaS deployments.

• DATA-2876: Added a more detailed handling of specific message IDs in F5 Big-IP LTM parser logs.

  Expanded the F5 Big-IP Local Traffic Manager (LTM) parser to add detailed handling for messages with 01490007 (user authentication variable) and 01490549 (PPP dynamic IP assignment) IDs. The update ensures that critical values, such as assigned PPP dynamic IPv4 addresses, client IP addresses, session variables, and user names, are extracted into structured fields such as f5_ltm.ssl_cert, f5_ltm.partition, f5_ltm.session_id, and user.name. This improvement provides clearer visibility into load balancer operations and user authentication events, making investigations more accurate and efficient.

• DATA-2872: Enhanced the Cisco WLC parser to support new log headers and formats.

  Expanded the Cisco Wireless LAN Controller parser to handle additional log formats and a new syslog header structure. The update ensures that key fields are extracted consistently across different WLC deployments, so events are normalized correctly even when log formats vary. These improvements provide more reliable visibility into wireless network activity and reduce the risk of missed or misclassified events during investigations.

• DATA-2866: Expanded the Palo Alto Networks Prisma Cloud (Compute Edition) parser to support additional JSON log formats.

  Expanded the Palo Alto Networks Prisma Cloud (Compute Edition) parser to handle new JSON log formats. The parser now supports logs that do not include a header and those that omit the syslog_priority field, ensuring consistent ingestion across different Prisma Cloud deployments. Events are accurately extracted and normalized into Interflow records, improving visibility into container and workload activity within Prisma Cloud environments.

  DATA-2865: Improved the Cisco AnyConnect parser to extract more VPN connection details.

  Expanded the Palo Alto Networks Prisma Cloud (Compute Edition) parser to handle new JSON log formats. The parser now supports logs that do not include a header and those that omit the syslog_priority field, ensuring consistent ingestion across different Prisma Cloud deployments. Events are accurately extracted and normalized into Interflow records, improving visibility into container and workload activity within Prisma Cloud environments.

• DATA-2862: Improved the performance of the Fortinet FortiGate parser.

  Enhanced the Fortinet FortiGate parser to prevent performance slowdowns during log ingestion. The update ensures faster processing of FortiGate logs and reduced latency when events are normalized into Interflow records. These improvements give you quicker access to parsed firewall data and make investigations more responsive, even in high-volume environments.

• DATA-2861: Improved the parsing of Linux Privileged User Activity logs.

  Enhanced the Linux syslog parser to better handle privilege escalation events recorded by sudo (short for “superuser do”). These events are defined by the sudoers configuration file, which specifies how privileged access is granted and logged. The update improves extraction and normalization of fields such as username, tty, pwd, command, group, and linux_syslog.target_user. These improvements give you more accurate audit trails for monitoring administrator actions and investigating unauthorized or unexpected use of elevated privileges.

• DATA-2855: Expanded the F5 Big-IP LTM parser to support ASM configuration change events.

  Updated the F5 Big-IP Local Traffic Manager (LTM) parser to recognize and normalize logs with message ID 01310053, which records ASM (Application Security Manager) configuration changes. The parser now extracts key details such as incident IDs, incident types, affected components, and support IDs, providing you with fuller visibility into web application firewall changes. These improvements strengthen audit trails and help you track and investigate modifications to security policies on F5 devices.

• DATA-2848: Improved visibility into SSH login and connection activity in Linux syslog.

  Updated the Linux syslog parser to capture Secure Shell (SSH) login and connection events in greater detail. The parser now reliably extracts fields such as user name, source IP address, port, connection status, and protocol version. These improvements provide you with clearer audit trails of privileged user access, making it easier to monitor login activity and investigate potential unauthorized connections.

• DATA-2847: Updated the parsing of Linux Audit logs to better capture key system events.

  Enhanced the Linux Audit parser to capture account creation, deletion, and authentication changes more consistently. The update improves extraction and normalization of fields including username, uid, auid, op, and id, ensuring reliable visibility across events such as ADD_USER, DEL_USER, and USER_CHAUTHTOK (when a user successfully changes their authentication token). These improvements give you clearer audit trails for monitoring system-level changes, strengthening your ability to investigate administrative activity and validate compliance requirements.

• DATA-2827: Improved the Squid Proxy parser to support new log formats.

  Updated the Squid Proxy parser to handle an additional syslog header format and normalize fields more consistently. The update ensures that the http_response_size field is correctly mapped to inbytes_total, giving you clearer insight into network traffic volumes. With these improvements, you can reliably track access and connection events across a wider range of Squid deployments, ensuring consistent visibility for monitoring and investigations.

• DATA-2820: Expanded the Dell Switch parser to support RFC 3164 log formats.

  Expanded the Dell Switch parser to handle logs in RFC 3164 format, in addition to the previously supported RFC 5424 format. The update ensures that fields such as host.ip are parsed correctly, preventing dropped events and incomplete records. These improvements provide you with consistent visibility into switch activity across different Dell models and firmware versions, so device monitoring remains reliable even when log formats vary.

• DATA-2816: Expanded the VMware ESXi parser to capture PAM authentication events.

  Updated the VMware ESXi parser to recognize and normalize authentication failures reported by Pluggable Authentication Modules (PAM), the Linux framework that lets different authentication methods be “plugged in” without modifying applications. The parser now extracts details such as the user name, source IP address, and reason for failure when login attempts are blocked. These improvements provide you with clearer visibility into failed login activity, making it easier to detect unauthorized access attempts and strengthen audit trails on VMware hosts.

• DATA-2815: Improved the parsing of Cisco IPS logs to send intrusion events to the proper index.

  Enhanced the Cisco Firepower Intrusion Prevention System (IPS) parser to ensure that intrusion events are routed to the ML-IDS index. This includes events such as those with message ID 430001, which indicates that traffic matching an intrusion signature was dropped. The parser also enriches events with an ids.severity value even when the original priority field is missing, using the severity field as a fallback. The ML-IDS index is used for machine learning–based intrusion detection, so this improvement ensures that all IPS events are available for advanced threat analytics. As a result, you gain more reliable visibility into detected threats and more consistent intrusion detection outcomes.

• DATA-2814: Added multi-tenant support for the NXLog parser.

  Updated the NXLog parser to recognize a TenantID value in incoming logs and normalize it into a top-level field. This support applies to both Windows and Linux event formats. The improvement allows you to separate and analyze logs by tenant, ensuring proper field mapping and clearer log segregation in multi-tenant environments.

• DATA-2797: Improved the Zscaler ZIA Web parser for richer traffic analysis.

  Expanded the Zscaler ZIA (Zscaler Internet Access) Web parser to extract additional fields from web traffic logs, including threat_class, threat_name, app_name, url_category, and rule_label. The parser also improves normalization of these events, ensuring that security detections are consistently represented in Interflow records. These improvements give you deeper visibility into web traffic and threats, making it easier to analyze browsing activity, identify risky applications, and track enforcement of security policies.

• DATA-2795: Improved the Dragos parser to normalize asset IP fields.

  Updated the Dragos parser to normalize fields such as src_asset_ip and dst_asset_ip into standard IP address fields. This ensures that intrusion and communication events are forwarded to the proper indices and can be fully leveraged in detection workflows. With this improvement, you gain clearer visibility into asset-to-asset communication and suspicious file transfer activity, making Dragos logs more actionable for threat hunting and reporting.

• DATA-2792: Added support for a new log format for the Ericsson Cradlepoint Router parser.

  Updated the Ericsson Cradlepoint Router parser to support additional fields that appear in certain logs that Cradlepoint routers send. While continuing to support logs in RFC 3164 syslog format, the parser now also supports an extended key-value log format used in some router messages, such as firewall events. This format introduces fields like descr, in, and out.

• DATA-2788: Added support for a new log format for the Ericsson Cradlepoint Router parser.

  Updated the Ericsson Cradlepoint Router parser to support additional fields that appear in certain logs that Cradlepoint routers send. While continuing to support logs in RFC 3164 syslog format, the parser now also supports an extended key-value log format used in some router messages, such as firewall events. This format introduces fields like descr, in, and out.

  DATA-2776: Expanded the F5 Big-IP LTM parser to capture session and login events.

  Updated the F5 Big-IP Local Traffic Manager (LTM) parser to support additional message IDs (01490500, 01490004, and 01490010). These messages record session creation and user login activity. The parser now extracts details such as client IP address, virtual IP (VIP) address of a load-balanced service, session ID, and SSL certificate values, giving you more complete visibility into user sessions and authentication behavior on F5 devices.

• DATA-2765: Added additional normalization for Windows DNS logs sent by NXLog parser.

  Enhanced the NXLog parser to better handle Windows DNS Server logs. The update moved SourceModuleType and SourceModuleName under the nxlog field, added normalization rules for DNS events, and ensured these logs are routed to the Windows Events index instead of Syslog. With these adjustments, DNS activity appears in the same index as other Windows event data, making it easier to correlate events, run targeted queries, and build consistent reports.

• DATA-2764: Improved the NXLog parser to support Windows DNS log formats.

  Expanded the NXLog parser to handle additional Windows DNS Server log formats and updated normalization rules for greater consistency. The parser now routes DNS events to the Windows Events index, ensuring accurate field extraction and proper separation from syslog data. These improvements give you clearer visibility into DNS activity and more reliable results when investigating network and name resolution issues.

• DATA-2731: Improved the Relianoid WAF parser to support additional formats.

  Enhanced the Relianoid WAF parser, which ingests logs from a Relianoid application delivery controller (ADC) with integrated web application firewall (WAF) capabilities. The relianoid_waf.custom_value_3 field was renamed to relianoid_waf.target_name, and a new relianoid_waf.custom_value_3 now captures values from ModSecurity messages. These updates resolve cases where only metadata was parsed and the rest of the WAF message was left in JSON.

• DATA-2721: Expanded the Fortimail parser to extract additional email and network data.

  Expanded the Fortimail parser to extract and enrich more information from email logs. The update added fields in the fortinet namespace, parsed email session details (from, to, subject), and enriched email_authentication values. It also promoted network-related fields such as srcip and dstip to the top level and added support for parsing values like checksum. These improvements provide richer context for Fortimail events, making it easier to analyze email activity and security outcomes..

• DATA-2708: Refined the ColorTokens parser to classify Gatekeeper and Xprotect logs accurately.

  Updated the parser so Gatekeeper (Xshield 3.0) logs are categorized under firewall instead of endpoint, with dev_class (msg_class) also set to firewall. Xprotect logs are now categorized under endpoint instead of xdr, while dev_class (msg_class) remains colortokens_xprotect. These adjustments provide consistent classification for ColorTokens products, ensuring queries and reports reflect their correct roles.

• DATA-2633: Enhanced the Checkpoint Harmony EP parser with expanded log support.

  Updated the Checkpoint Harmony EP parser to increase syslog_appname size, handle escaped JSON format, parse mail session details, and support multiple files parsed into file_ list. These enhancements provide broader coverage of Harmony EP logs and make related events easier to analyze.

• DATA-2544: Improved the Fortinet FortiGate parser for SSL VPN login events.

  Updated the Fortinet FortiGate parser to normalize the remip field (the Fortinet label for the remote IP address of the client) into the standard srcip field. The parser also now maps SSL VPN login outcomes more clearly, setting login_result=fail when action=ssl-login-fail and login_result=success when action=ssl-new-con. These improvements give you more accurate and consistent records of VPN login activity, making it easier to monitor remote access attempts and investigate authentication issues.

Early Access Program

If you're interested in testing out new features ahead of general availability, consider joining the Early Access Program (EAP) by contacting your Stellar Cyber Customer Success representative and telling them which EAP feature you want to test. Once you've agreed to the EAP terms and signed up, the EAP feature is unlocked for you.

The purpose of this program is to boost performance and reliability through real-world customer insights, giving you a hands-on role in shaping a Stellar Cyber feature. In return, you'll receive early access to upcoming releases and the chance to guide product development.

The following features are available in the Early Access Program in this release:

Reports

This release expands reporting capabilities with several options available in the Early Access Program.

• To increase scheduling flexibility, reports can now be set to run on the Nth Day of the Month (for example, the 30th) or the Nth Weekday of the Month (for example, the third Thursday). These options ensure reports align more precisely with business and compliance requirements.

• In addition, a new cover theme capability enables customizable report covers. You can apply background images, set color palettes, choose whether to display a logo, and add optional footer text such as confidentiality notices. In multi-tenant environments, separate cover themes can be maintained for different tenants to support branding needs.

Resolved Issues

• AELDEV-61370: Resolved query display issues in ATH.

  Fixed issues that caused display inconsistencies when viewing queries in Automated Threat Hunting (ATH). Field mapping availability and form state were improved, and warnings and form inputs are now displayed correctly.

• AELDEV-61345: Corrected an inaccurate enrichment field for certain IP addresses.

  Updated the srcip_asn_org enrichment to correct incorrect ASN organization attributions for specific IP addresses, notably those previously misattributed to "AT&T Services, Inc." This correction reduces false positive alerts related to ASN identification. Accurate ASN data now properly identifies the correct organizations for affected IP addresses, ensuring reliable threat assessment and alerting.

• AELDEV-61296: Corrected the Tenant Group display in the Tenant List.

  Resolved an issue where the Tenant Group field appeared unpopulated on the Tenant List page. Enrichment logic was revised to ensure proper loading and display of Tenant Group information.

• AELDEV-61291: Resolved issue where user-created cases disappeared shortly after creation.

  Fixed a bug that caused some user-created cases not to appear after creation.

• AELDEV-61233: Restored refined descriptions in the Mimecast URL Protect alert integration.

  Stellar Cyber refined the descriptions in the Mimecast URL Protect alert integration to better explain the actions introduced in version 5.4.0. These refinements had been unintentionally reverted in the 6.0.0 release and were restored in this release.

• AELDEV-61203: Fixed the Set as Homepage function on custom dashboards.

  Resolved an issue where the Set as Homepage functionality did not work on custom dashboards. You can now successfully set any custom dashboard as their homepage without errors.

• AELDEV-61080: Resolved the loading speed of IDS Alerts by adding fallback default columns.

  Improved IDS Alerts page performance by adding Timestamp, Event Score, and Description as default fallback columns. This change prevents Stellar Cyber from rendering all columns if default fields are missing in detection configurations, which improves load times.

• AELDEV-60800: Fixed asset import failures that occurred after removing previously imported assets.

  Resolved an issue where importing assets from a CSV file after clearing previously imported assets could fail with an “Asset not found” error. You can now reliably import assets after the clearing process has completed.

• AELDEV-60701: Corrected enrichment to prevent the misclassification of private IP addresses as public.

  Resolved an issue where IP addresses previously enriched as private were misclassified as public in the alert system. This correction ensures consistent classification of source IP address types and properly applies enrichment rules to specific tenants without reverting to defaults when exceptions occur.

• AELDEV-60199: Improved CSV attachments in email actions.

  Enhanced the CSV attachment in email actions by introducing a new file format that includes only rows meeting the specified condition. This improvement makes report data more precise and easier to analyze.

• AELDEV-60180: Resolved a UI error when deploying custom security rules from Modular Sensors.

  Corrected an issue where a Custom Rules failed to deploy error appeared after importing security rules from a Modular Sensor, even though the deployment succeeded. With this fix, the UI now accurately reflects the deployment status.

• AELDEV-60095: Resolved a memory allocation issue causing sensor failures.

  Fixed a stability issue introduced in version 5.5.0 where sensors could fail due to memory allocation problems. The fix improves memory handling to prevent failures, ensuring stable sensor performance and preventing drops in input rates.

• AELDEV-59850: Resolved service failures and restarts under low memory conditions.

  Fixed an issue where modular sensors could experience repeated service failures and restarts when operating in low memory environments. The update improves stability by preventing interruptions in detection and analysis, ensuring consistent performance even under resource constraints.

• AELDEV-59804: Resolved an ATH deduplication issue in the Create Alert action.

  Resolved an issue where Autonomous Threat Hunting (ATH) did not honor the deduplication time interval override in the create alert action. This problem caused ATH to reduce the deduplication period and create new alerts instead of updating existing ones. For example, when the deduplication interval was set to one week, new alert records still appeared every day.

• AELDEV-59736: Fixed an issue where cases were not created for new deployments.

  Resolved an issue where cases were not created during new deployments. The fix ensures proper case creation when new deployments are made.

• AELDEV-59723: Ensured essential system paths are present during a Windows Server Sensor installation.

  Resolved an issue where a Windows Server Sensor installation could fail if required system paths were missing. The fix ensures all necessary paths are available so installation completes successfully.

• AELDEV-59703: Fixed a missing text display in index form fields when editing ATH rules.

  Resolved an issue where interval and index fields displayed no text when editing Autonomous Threat Hunting (ATH) rules, even though previously saved configurations were expected to appear. The fix ensures saved configurations are visible and editable, improving your experience when modifying ATH rules.

• AELDEV-59642: Revised the wording for External/Internal Firewall Policy Anomaly alert types.

  Updated the description of the External/Internal Firewall Policy Anomaly alert types to clarify that these involve unusual or rarely triggered firewall policies between internal IP addresses. The update replaces prior “violation” terminology for improved accuracy.

• AELDEV-59580: Resolved UI warnings for resource-intensive queries in the daily time interval option.

  Addressed an issue where UI warnings for resource-intensive queries appeared when using the daily time interval option after switching from an absolute time range exceeding three days. The fix ensures warnings appear only when appropriate and improves accuracy when you select daily time intervals across environments.

• AELDEV-59472: Corrected IP address normalization for Windows event 4769.

  Corrected the normalization process for the source IP address on Windows event ID 4769, ensuring srcip is enriched correctly from event_data.IpAddress. This aligns it with the existing correct behavior for event ID 4768 and improves consistency across Windows security events.

• AELDEV-59255: Improved search functionality in Kibana.

  Resolved an issue where some searches in Kibana could fail when working with large or complex data sets. The fix improves stability so you can run searches more smoothly and without unexpected interruptions.

• AELDEV-59229: Resolved an issue that could cause the Stellar Cyber Platform to use excessive storage.

  Fixed a problem where storage could grow too quickly and affect performance. The update prevents storage-related slowdowns, ensuring the platform continues to run efficiently.

• AELDEV-59227: Fixed alert filters not updating with modified lookups.

  Resolved an issue where alert filters did not update correctly after changes to lookups. The fix ensures alert filters now reflect the latest lookup values and recognize newly added data.

• AELDEV-59187: Fixed a synchronization failure for partner user roles in the InSyncs ServiceNow integration.

  Resolved an issue where assigning a case to an assignee with a partner user role caused the synchronization from ServiceNow to Stellar Cyber to fail. The fix ensures that cases assigned to such users now synchronize correctly.

• AELDEV-59091: Optimized CPU usage for zip processes on the Linux Server Sensor.

  Reduced CPU consumption by optimizing the log compression process on the Linux Server Sensor. The fix improves CPU allocation and prevents compression tasks from monopolizing a processor core, which ensures smoother performance when multiple processes run at the same time.

• AELDEV-59053: Resolved an issue with clearing DNS settings on DHCP-enabled Modular Sensors.

  Resolved an issue where attempts to clear DNS settings on the management interface of a Modular Sensor did not work correctly if DHCP was enabled. DNS server IP addresses that were unset (unset dns) could reappear after a DHCP refresh. With this fix, manual DNS unsets now function as expected on Modular Sensors, and a clear warning is provided when DHCP-assigned DNS entries cannot be removed.

• AELDEV-59011: Fixed Windows DHCP log issue causing missing logs in certain configurations.

  Resolved an issue where Windows DHCP logs were not collected under certain configurations. The fix ensures logs are captured reliably after reboots and prevents interruptions in DHCP log collection.

• AELDEV-58583: Fixed a data loading issue affecting large alert tables

  Resolved a problem where alert tables with a large number of alerts sometimes failed to load. The fix ensures consistent performance when you view large datasets.

• AELDEV-57662: Resolved an internal server error with the Microsoft EventHub connector.

  Fixed an issue where the Microsoft EventHub connector generated internal server errors when ingesting custom event sources such as Microsoft Grasph activity logs. The fix improves stability so connectors process valid patterns correctly and continue operating without reconfiguration or restarts.

• AELDEV-48235: Resolved an inconsistency in asset usage display on the License page.

  Fixed an issue where selecting View Assets from Usage Details on the Licenses page opened in a new tab, while selecting View Assets from Asset Usage displayed a pop-up panel. Both options now consistently open in a pop-up panel.

Stellar Cyber Platform System Requirements

You must install the Stellar Cyber Platform in an environment that meets or exceeds minimum system requirements. Refer to the following sections for the minimum system requirements for different target environments:

• Amazon Web Services

• Google Cloud Platform

• Oracle Cloud Infrastructure

• Dedicated VMware ESXi (see below)

System Requirements for Cluster Installation in VMware ESXi

You can install the Stellar Cyber platform on a dedicated ESXi server running VMware ESXi 8.0, 7.0 or 6.7. The target ESXi server must have sufficient resources to support separate virtual machines for the Data Analyzer, Data Lake, and, if installing as an Integrated Data Processor, the Modular Sensor. The specifications in the table below are sufficient to support a Stellar Cyber deployment with up to 300GB of daily ingestion.

Keep in mind the following:

• Each VM (DA, DL, and MDS) must be thick-provisioned and requires 500 GB of SSD disk space.

• You can install all three of the VMs in the same datastore if there is sufficient space for both the VMs and the 12+ TB required for the Data Lake's ElasticSearch data. However, Stellar Cyber recommends that the Data Lake uses a dedicated datastore.

Stellar Cyber supports SSD disks for both the OS and Data Lake drives (SATA, SAS, or NVMe). HDD disks introduce latency and are not supported.

Scaling Up Performance with a DP Cluster

You can configure up to ten DP servers to operate in a cluster to achieve improved Stellar Cyber performance. Stellar Cyber cluster testing indicates the following performance guidelines when adding additional DPs to a cluster:

• With data replication disabled, the aggregated ingestion throughput grows linearly with the number of DP servers.

• With data replication enabled (the default), the aggregated ingestion throughput is about 30% lower than the throughput without data replication.

Upgrading the Stellar Cyber Platform

You can upgrade the Stellar Cyber Platform from 5.5.0 or later to 6.1.0. You must:

• Prepare for the upgrade

• Upgrade the Stellar Cyber Platform to 6.1.0

• Upgrade the sensors

• Verify the upgrade

For more detailed instructions, refer to Upgrading Software.

Important Note for Air-Gapped Environments: The 6.1.0 release requires connectivity to specific external URLs to enable components included in the installation image, such as Early Access Program functionality and various features and fixes. In air-gapped or dark site environments, where external network access is restricted, these components cannot be enabled after installation. Before upgrading to 6.1.0, confirm that the required connectivity to these URLs is available.

Prepare for the Upgrade

To prepare for the upgrade:

• Back up the data and configuration
• Make sure the sensors are up and running
• Take note of the ingestion rate
• Take note of the number of alerts
• Make sure the system health indicator shows
• Run the pre-upgrade check

Upgrade the Stellar Cyber Platform to 6.1.0

1. Select Settings | ORGANIZATION MANAGEMENT | Software Upgrade.

2. Choose 6.1.0.

3. Select START UPGRADE.

Upgrade the Sensors

New features, updated ML algorithms, and enhanced configurations may change ingestion and detection patterns. We recommend the following to ensure a smooth upgrade:

• Upgrade sensors with the Sandbox and IDS features enabled before sensors with the only the Network Traffic feature enabled. Sensors with Network Traffic enabled send data to sensors with Sandbox and IDS enabled for additional processing.
• Upgrade sensors in batches instead of all at once.
• For server sensors (agents):
  • Upgrade a small set of sensors that cover non-critical assets.
  • After 24 hours, ensure that your ingestion is as expected, then upgrade a larger set.
  • After 24 hours, ensure that your ingestion is as expected, then upgrade the remaining server sensors.

CentOS 7.1 Prerequisite – Update curl to 7.29.0-59.el7_9.2 or Higher

Before upgrading any Linux Server Sensors running in CentOS 7.1, you must check your curl version and update it to 7.29.0-59.el7_9.2 or higher in order to use the strong encryption required by the Stellar Cyber platform.

1. Check your curl version as shown below:

   yum list installed curl

   \* Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile Installed Packages curl.x86_64 7.29.0-19.el7

2. If the listed version is lower than 7.29.0-59.el7_9.2 (as it is in the example above), use the following commands to update the curl package:

   yum makecache

   yum install curl

3. If installation of the curl package fails, it is most likely because CentOS is trying to use a repo that has reached its end of life. Try updating the base URL and then reinstall curl. The following sed command makes the necessary changes for most environments to ensure that the updated curl package can be installed:

   sudo sed -i.bak -e 's|^mirrorlist=|#mirrorlist=|' -e 's|^#baseurl=http://mirror.centos.org/centos/\$releasever|baseurl=http://archive.kernel.org/centos-vault/7.9.2009|' /etc/yum.repos.d/CentOS-Base.repo

To upgrade sensors:

You can upgrade a sensor to the most recent release from the two previous releases. This means that you can upgrade a sensor to the 6.1.0 release from any 5.5.x or 6.0.x release.

If you are upgrading a Windows Server Sensor, complete any pending updates for the host Windows machine before upgrading the Server Sensor.

1. Select System | DATA SOURCE MANAGEMENT | Sensors | Sensors.

   The Sensor List appears.

2. Select Manage | Software Upgrade.

   The Sensor Software Upgrade page appears.

3. Choose the target software version.

4. Choose the target sensors.

5. Click Submit.

Verify the Upgrade

To verify that the upgrade was successful:

• Check the Current Software Version on the System | ORGANIZATION MANAGEMENT | Software Upgrade page.
• Make sure the sensors are up and running.
• Check the ingestion rate and make sure it is as expected.
• Check the number of alerts and make sure it is as expected.
• Check the system health indicator:
  • indicates a perfectly healthy system.
  • indicates minor issues. Monitor the system for 30 minutes. If the issues remain, investigate further.
  • indicates major issues. Contact Technical Support.