Stellar Cyber 6.1.0 Release Notes

Software Release Date:
Release Note Updated:

These release notes list and describe the new features and improvements in the 6.1.0 release for the Stellar Cyber Open XDR Platform.

The release notes are organized into the following sections:

Highlights

  • Aggregations and Grouping in Queries: Enabled data summarization and statistical analysis directly in the Query Builder, simplifying the process of uncovering trends and insights.

  • Expanded Identity Threat Detection: Added new Sigma-based rules for Active Directory (AD) attack detections and geo-anomaly alerts to combat credential theft and privilege escalation.

  • ServiceNow Integration Enhancements: Added support for filtering and syncing cases and alerts by multiple tenants or tenant groups to streamline ticketing workflows. This enhancement improves flexibility for MSSPs and multi-tenant environments by ensuring only relevant tenant data is synchronized.

  • On-Demand ServiceNow Sync: Added a button so you can immediately synchronize alerts or cases, giving you more control over ticketing workflows.

  • Customizable ML Detections: Implemented configuration options for Impossible Travel Anomaly and User Login Location Anomaly alert types, allowing you to align anomaly rules with organizational patterns and reduce false positives.

  • CrowdStrike Premium Threat Intelligence: Integrated real-time, high-fidelity Indicators of Compromise (IOCs) directly into Stellar Cyber for faster, more accurate threat detections.

  • Advanced Network-Based Detection: Introduced high-fidelity Command and Control (C2) beaconing detection and visibility into new or rare Top-Level Domains (TLDs) to identify stealthy threats earlier.

  • Seamless Integrations: Enhanced third-party alert ingestion and new connectors to unify your operations.

  • IDS Rule Support: Addressed rule dependencies to ensure Emerging Threats Professional (ETPro) exploit rules function correctly.

  • ICMP Tunneling Detection: Implemented a machine-learning (ML) model to improve accuracy and reduce noise in ICMP tunneling alerts.

  • Tenant-Level License Visibility: Added views to track license allocations and consumption at the tenant level, providing clear insight into usage per tenant

Actions Required

  • Improved the Zscaler Deception parser to categorize events with msg_origin.category set to honeypot. If you use parser-based workflows, dashboards, or rules that depend on this field, verify that they reflect the updated value to ensure uninterrupted data handling.

Behavior Changes

Changes that affect the way users interact with the product or interpret results are listed below.

  • DATA-2749: Updated the WatchGuard VPN parser so syslog messages are no longer discarded when they cannot be fully parsed. The raw message is now retained in log.event_description, with fields such as user.name and srcip extracted where available. You might now see more raw WatchGuard VPN syslog events than before, even if not all fields are normalized, which can affect alerts, queries, and storage volume.

  • DATA-2731: Updated field mappings in the Relianoid WAF parser, which parses logs from a Relianoid application delivery controller (ADC) with integrated web application firewall (WAF) capabilities. The relianoid_waf.custom_value_3 field was renamed to relianoid_waf.target_name, and a new relianoid_waf.custom_value_3 now captures ModSecurity message values. (ModSecurity is an open-source web application firewall engine.) This update corrects an issue where only metadata was parsed and the remainder of the WAF message was left in JSON. You might now see more parsed fields and different field names in Relianoid WAF logs. This change can affect saved queries, dashboards, or integrations that relied on the old field name, so you might need to adjust filters or reports accordingly. At the same time, the update increases visibility into ModSecurity activity and gives you more complete information for analysis.

  • DATA-2708: Refined category and class values in the ColorTokens parser for Gatekeeper (Xshield 3.0) and Xprotect logs to ensure accurate classification.

    • For Gatekeeper, msg_origin.category has changed from endpoint to firewall, and dev_class (msg_class) has changed from colortokens_gatekeeper to firewall.

    • For Xprotect, msg_origin.category has chanfged from xdr to endpoint, while dev_class (msg_class) remains colortokens_xprotect.

    You might now see different categories and classes in parsed ColorTokens logs, which can affect saved queries, dashboards, or integrations that rely on the old values.

Deprecated Features

No features have been deprecated in this release.

Detection/ML

New Features

Improvements

Usability

New Features

Improvements

Stellar Cyber Platform

New Features

Improvements

Sensors

New Features

There are no new Sensor features in this release.

Improvements

Connectors

New Features

Improvements

Parsers

New Features

Improvements

Early Access Program

If you're interested in testing out new features ahead of general availability, consider joining the Early Access Program (EAP) by contacting your Stellar Cyber Customer Success representative and telling them which EAP feature you want to test. Once you've agreed to the EAP terms and signed up, the EAP feature is unlocked for you.

The purpose of this program is to boost performance and reliability through real-world customer insights, giving you a hands-on role in shaping a Stellar Cyber feature. In return, you'll receive early access to upcoming releases and the chance to guide product development.

The following features are available in the Early Access Program in this release:

Customizable Case Correlation Strategies

This EAP feature introduces support for multiple case correlation strategies, allowing teams to evaluate and experiment with different approaches to grouping alerts into cases. Each strategy provides a distinct investigative perspective:

  • Attacker-Centric Correlation groups alerts by the source (attacker) host, making it easier to track adversary behavior across multiple targets.

  • Victim-Centric Correlation organizes alerts by the destination (victim) host, enabling focused protection and visibility on high-value assets.

  • Multi-Entity Correlation links alerts across interconnected hosts and actions to form a single case, offering a holistic view of extended or lateral attack campaigns.

This flexibility enables security teams to tailor investigations based on their operational priorities—whether that’s identifying persistently targeted endpoints, tracing threat actor movements, or capturing full-scale intrusion campaigns. To join the EAP and begin testing these correlation strategies, contact your Stellar Cyber Customer Success representative.

Reports

This release expands reporting capabilities with several options available in the Early Access Program.

  • To increase scheduling flexibility, reports can now be set to run on the Nth Day of the Month (for example, the 30th) or the Nth Weekday of the Month (for example, the third Thursday). These options ensure reports align more precisely with business and compliance requirements.

  • In addition, a new cover theme capability enables customizable report covers. You can apply background images, set color palettes, choose whether to display a logo, and add optional footer text such as confidentiality notices. In multi-tenant environments, separate cover themes can be maintained for different tenants to support branding needs.

Alert for Suspicious OCI Tenant-to-Tenant Communication

This EAP feature introduces a new alert type that detects cross-tenancy communications in the Oracle Cloud Infrastructure (OCI). By analyzing tenantId fields in audit logs, the feature identifies requests that target resources in a different tenancy. This provides accurate visibility into potentially unauthorized cross-tenancy activity and strengthens oversight in OCI environments.

To join the EAP and begin testing this alert type, contact your Stellar Cyber Customer Success representative.

Resolved Issues

Stellar Cyber Platform System Requirements

You must install the Stellar Cyber Platform in an environment that meets or exceeds minimum system requirements. Refer to the following sections for the minimum system requirements for different target environments:

System Requirements for Cluster Installation in VMware ESXi

You can install the Stellar Cyber platform on a dedicated ESXi server running VMware ESXi 8.0, 7.0 or 6.7. The target ESXi server must have sufficient resources to support separate virtual machines for the Data Analyzer, Data Lake, and, if installing as an Integrated Data Processor, the Modular Sensor. The specifications in the table below are sufficient to support a Stellar Cyber deployment with up to 300GB of daily ingestion.

Keep in mind the following:

  • Each VM (DA, DL, and MDS) must be thick-provisioned and requires 500 GB of SSD disk space.

  • You can install all three of the VMs in the same datastore if there is sufficient space for both the VMs and the 12+ TB required for the Data Lake's ElasticSearch data. However, Stellar Cyber recommends that the Data Lake uses a dedicated datastore.

Deployment Type Resource Host DL DA MDS
Recommended (Production)
(DL and DA VMs)
CPU/vCPU 44 physical (88 cores/hyperthreads) 40 44 -
RAM (GB) 256 136 64 -
OS SSD Disk Space 1 TB 500 GB 500 GB -
Data Lake SSD Disk Space 16 TB 12+ TB - -
Integrated Data Processor
(DL, DA, and MDS VMs)
CPU/vCPU 44 physical (88 cores/hyperthreads) 28 28 28
RAM (GB) 256 136 64 32
OS SSD Disk Space 1 TB 500 GB 500 GB 500 GB
Data Lake SSD Disk Space 16 TB 12+ TB - -
Minimum Configuration for Separate DP VMs
You can still deploy separate DL and DA VMs so long as the ESXi host is provisioned with sufficient CPUs to support the following minimum configuration:
CPU/vCPU 16 16 -
RAM (GB) 128 64 -
OS SSD Disk Space 500 GB 500 GB -
Data Lake Disk Space 2+ TB - -

Stellar Cyber supports SSD disks for both the OS and Data Lake drives (SATA, SAS, or NVMe). HDD disks introduce latency and are not supported.

Scaling Up Performance with a DP Cluster

You can configure up to ten DP servers to operate in a cluster to achieve improved Stellar Cyber performance. Stellar Cyber cluster testing indicates the following performance guidelines when adding additional DPs to a cluster:

  • With data replication disabled, the aggregated ingestion throughput grows linearly with the number of DP servers.

  • With data replication enabled (the default), the aggregated ingestion throughput is about 30% lower than the throughput without data replication.

 

 

Upgrading the Stellar Cyber Platform

You can upgrade the Stellar Cyber Platform from 5.5.0 or later to 6.1.0. You must:

  • Prepare for the upgrade

  • Upgrade the Stellar Cyber Platform to 6.1.0

  • Upgrade the sensors

  • Verify the upgrade

For more detailed instructions, refer to Upgrading Software.

Important Note for Air-Gapped Environments: The 6.1.0 release requires connectivity to specific external URLs to enable components included in the installation image, such as Early Access Program functionality and various features and fixes. In air-gapped or dark site environments, where external network access is restricted, these components cannot be enabled after installation. Before upgrading to 6.1.0, confirm that the required connectivity to these URLs is available.

Prepare for the Upgrade

To prepare for the upgrade:

  • Back up the data and configuration
  • Make sure the sensors are up and running
  • Take note of the ingestion rate
  • Take note of the number of alerts
  • Make sure the system health indicator shows
  • Run the pre-upgrade check

Upgrade the Stellar Cyber Platform to 6.1.0

To upgrade the Stellar Cyber Platform to 6.1.0 from a version earlier than 5.5.0, first upgrade to 5.5.0.
  1. Select Settings | ORGANIZATION MANAGEMENT | Software Upgrade.

  2. Choose 6.1.0.

  3. Select START UPGRADE.

Upgrade the Sensors

New features, updated ML algorithms, and enhanced configurations may change ingestion and detection patterns. We recommend the following to ensure a smooth upgrade:

  • Upgrade sensors with the Sandbox and IDS features enabled before sensors with the only the Network Traffic feature enabled. Sensors with Network Traffic enabled send data to sensors with Sandbox and IDS enabled for additional processing.
  • Upgrade sensors in batches instead of all at once.
  • For server sensors (agents):
    • Upgrade a small set of sensors that cover non-critical assets.
    • After 24 hours, ensure that your ingestion is as expected, then upgrade a larger set.
    • After 24 hours, ensure that your ingestion is as expected, then upgrade the remaining server sensors.

CentOS 7.1 Prerequisite – Update curl to 7.29.0-59.el7_9.2 or Higher

Before upgrading any Linux Server Sensors running in CentOS 7.1, you must check your curl version and update it to 7.29.0-59.el7_9.2 or higher in order to use the strong encryption required by the Stellar Cyber platform.

  1. Check your curl version as shown below:

    yum list installed curl

    \* Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile Installed Packages curl.x86_64 7.29.0-19.el7

  2. If the listed version is lower than 7.29.0-59.el7_9.2 (as it is in the example above), use the following commands to update the curl package:

    yum makecache

    yum install curl

  3. If installation of the curl package fails, it is most likely because CentOS is trying to use a repo that has reached its end of life. Try updating the base URL and then reinstall curl. The following sed command makes the necessary changes for most environments to ensure that the updated curl package can be installed:

    sudo sed -i.bak -e 's|^mirrorlist=|#mirrorlist=|' -e 's|^#baseurl=http://mirror.centos.org/centos/\$releasever|baseurl=http://archive.kernel.org/centos-vault/7.9.2009|' /etc/yum.repos.d/CentOS-Base.repo

To upgrade sensors:

You can upgrade a sensor to the most recent release from the two previous releases. This means that you can upgrade a sensor to the 6.1.0 release from any 5.5.x or 6.0.x release.

If you are upgrading a Windows Server Sensor, complete any pending updates for the host Windows machine before upgrading the Server Sensor.

  1. Select System | DATA SOURCE MANAGEMENT | Sensors | Sensors.

    The Sensor List appears.

  2. Select Manage | Software Upgrade.

    The Sensor Software Upgrade page appears.

  3. Choose the target software version.

  4. Choose the target sensors.

  5. Click Submit.

Verify the Upgrade

To verify that the upgrade was successful:

  • Check the Current Software Version on the System | ORGANIZATION MANAGEMENT | Software Upgrade page.
  • Make sure the sensors are up and running.
  • Check the ingestion rate and make sure it is as expected.
  • Check the number of alerts and make sure it is as expected.
  • Check the system health indicator:
    • indicates a perfectly healthy system.
    • indicates minor issues. Monitor the system for 30 minutes. If the issues remain, investigate further.
    • indicates major issues. Contact Technical Support.