Stellar Cyber 6.6.0s Release Notes

Software Release Date:
Release Note Updated:

The Stellar Cyber 6.6.0s release delivers the following updates to the Stellar Cyber Open XDR platform.

The release notes are organized into the following sections:

Highlights

Autonomous SOC / Auto Triage

  • AI Assistant (Early Access Program): Added AI Assistant to every automatically triaged case so you can investigate cases and alerts in plain language, asking why a case received its verdict, clarifying alert details, and exploring follow-up hypotheses against the case data and Verdict Signal Check (VSC) context that Auto Triage has already assembled.

  • Auto Triage Verdict Visibility: Auto Triage verdicts now appear as filterable columns in the Alert Table and Threat Hunting views. In addition, a response action panel was added to the Auto Triage alert page (including phishing email alerts) so analysts can see and act on triage outcomes without opening individual cases.

System / Platform

  • Platform Health Monitoring in the System Action Center (Early Access Program): Centralized platform health monitoring alerts in the System Action Center for improved visibility and faster response to platform issues.

  • License Enforcement and Usage Notifications: Added API actions for license enforcement and usage notifications.

Detections/Machine Learning

  • Improved Login Anomaly Fidelity: Alert suppression for Impossible Travel Anomaly and User Login Location Anomaly is now customizable, Impossible Travel prioritizes records with usernames, and ASN enrichment fields were added to Impossible Travel Anomaly alerts.

  • Improved User Counting Accuracy: Improved the accuracy of license user counting by integrating external data sources for Microsoft Entra ID.

Integrations

Usability

  • Watchlists for All Alert Fields: Enabled Add to Watchlist for all alert fields.

  • Selective Parser Port Activation: Parser ingestion ports can now be enabled on-demand and parsers added after 6.5.0 are inactive by default, reducing false alerts from unused listeners.

Actions Required

There are no actions required in this release.

Behavior Changes

Changes that affect the way users interact with the product or interpret results are listed below.

  • DATA-3412: The totalbytes field in the Fortinet FortiAnalyzer parser is now calculated as the sum of inbytes_total and outbytes_total, consistent with how other parsers calculate this field. Previously, the FortiAnalyzer parser calculated totalbytes as the sum of inbytes_delta and outbytes_delta, which significantly underreported session volume when delta values differed from totals. Dashboards, detections, or queries that rely on totalbytes from FortiAnalyzer data may return different values after this change.

  • AELDEV-71104: Built-in legacy parsers added in 6.5.0 and later releases are now inactive by default for new tenants and must be explicitly activated in Parser Studio before use. Previously added legacy parsers retain their existing active status and are not affected by this change. You can activate or deactivate any individual parser at any time from Parser Studio, and the configuration is applied to sensors on the next deployment.

  • AELDEV-64683: The Google Workspace log collector no longer maps the metadata.customerId field to user.id. The customerId value is a Google account identifier for the organization, not a user identifier, so this mapping was incorrect and caused confusion in alert context. Existing events already indexed with this normalization are not affected. Newly ingested Google Workspace events no longer populate user.id from this field.

Deprecated Features

There are no deprecated features in this release.

Autonomous SOC

Improvements

Detection/ML

Improvements

Stellar Cyber Platform

New Features

Improvements

Sensors

New Features

Improvements

Connectors

New Features

Improvements

Parsers

New Features

Improvements

Usability

New Features

Improvements

Early Access Program

If you're interested in testing out new features ahead of general availability, consider joining the Early Access Program (EAP) by contacting your Stellar Cyber Customer Success representative and telling them which EAP feature you want to test. Once you've agreed to the EAP terms and signed up, the EAP feature is unlocked for you.

The purpose of this program is to boost performance and reliability through real-world customer insights, giving you a hands-on role in shaping a Stellar Cyber feature. In return, you'll receive early access to upcoming releases and the chance to guide product development.

The following EAP features are in this release:

AI Assistant

AI Assistant is a natural-language investigation workbench built into every automatically triaged case. It converts your plain-language questions into answers grounded in the specific case data, alert details, and Verdict Signal Check (VSC) context that Auto Triage has already gathered. While the automated verdict tells you what Stellar Cyber concluded, AI Assistant explains why, and it supports follow-up questions in your own words, with no query syntax to learn. AI Assistant is included with every Auto Triage license at no additional cost and is available on SaaS deployments only.

Exportable Dashboards — Report Integration

Exportable Dashboards lets you schedule dashboards created with the Dashboard Builder as recurring PDF reports. The schedule form includes a new Default PDF type that renders the dashboard as it appears in the Dashboard Builder, along with options to control table row counts, chart color palettes, and optional CSV exports. This capability lets you generate consistent, configurable reports from new dashboards while preserving the settings and PDF types used by existing scheduled reports.

MCP Server

The Stellar Cyber MCP Server connects supported AI clients to the Stellar Cyber Platform through the Model Context Protocol (MCP). The MCP server lets AI clients retrieve case and alert data, review investigation context, perform tenant-aware operations, and update selected case fields. This capability helps teams extend AI-assisted investigations by giving approved clients structured access to operational security data and workflows.

Parser Studio

Parser Studio lets you create and manage custom log parsers for data ingestion by cloning existing parsers, testing parser behavior before deployment, and activating parsers for production use. This capability helps you accelerate onboarding of custom log sources while reducing parser development effort and improving validation before live ingestion.

XDR Connector Webhook Ingestion

This is a simple webhook framework that lets you post JSON data directly from any external system into Stellar Cyber, accelerating custom integrations and expanding your visibility across the entire security stack. The XDR Connector is in Public Preview in this release.

Customizable Case Correlation Strategies

This EAP feature introduces support for multiple case correlation strategies, allowing teams to evaluate and experiment with different approaches to grouping alerts into cases. Each strategy provides a distinct investigative perspective:

  • Attacker-Centric Correlation groups alerts by the source (attacker) host, making it easier to track adversary behavior across multiple targets.

  • Victim-Centric Correlation organizes alerts by the destination (victim) host, enabling focused protection and visibility on high-value assets.

  • Multi-Entity Correlation links alerts across interconnected hosts and actions to form a single case, offering a holistic view of extended or lateral attack campaigns.

This flexibility enables security teams to tailor investigations based on their operational priorities—whether that’s identifying persistently targeted endpoints, tracing threat actor movements, or capturing full-scale intrusion campaigns.

Alert for Suspicious OCI Tenant-to-Tenant Communication

This EAP feature introduces a new alert type that detects cross-tenancy communications in the Oracle Cloud Infrastructure (OCI). By analyzing tenantId fields in audit logs, the feature identifies requests that target resources in a different tenancy. This provides accurate visibility into potentially unauthorized cross-tenancy activity and strengthens oversight in OCI environments.

To join the Early Access Program and begin testing these features, contact your Stellar Cyber Customer Success representative.

Resolved Issues

The following issues have been resolved in this release.

Known Issues

Upgrading Sensors

Depending on the type of server sensor, you can upgrade your sensors directly to version 6.6.0 from these previous versions:

  • Linux Server Sensors: 6.4.0 or 6.5.0

  • Windows Server Sensors: 5.1.0 through 6.5.0

Upgrade the sensors to version 6.6.0 using the following process:

  1. Prepare for the upgrade.

  2. Upgrade the sensors.

  3. Verify the upgrade.

Prepare for the Upgrade

To prepare for the upgrade:

  • Make sure the sensors are up and running.
  • Take note of the ingestion rate for the sensors to be upgraded in the Sensor Details page.
  • Make sure the system health indicators in the Sensor Details page all show green.

Upgrade the Sensors

New features, updated ML algorithms, and enhanced configurations may change ingestion and detection patterns. We recommend the following to ensure a smooth upgrade:

  • Upgrade sensors with the Sandbox and IDS features enabled before sensors with only the Network Traffic feature enabled. Sensors with Network Traffic enabled send data to sensors with Sandbox and IDS enabled for additional processing.
  • Upgrade sensors in batches instead of all at once.
  • For server sensors (agents):
    • Upgrade a small set of sensors that cover non-critical assets.
    • After 24 hours, ensure that your ingestion is as expected, then upgrade a larger set.
    • After 24 hours, ensure that your ingestion is as expected, then upgrade the remaining server sensors.

CentOS 7.1 Prerequisite – Update curl to 7.29.0-59.el7_9.2 or Higher

Before upgrading any Linux Server Sensors running in CentOS 7.1, you must check your curl version and update it to 7.29.0-59.el7_9.2 or higher to use the strong encryption required by the Stellar Cyber Platform.

  1. Check your curl version as shown below:

    yum list installed curl

    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    Installed Packages
    curl.x86_64    7.29.0-19.el7

  2. If the listed version is lower than 7.29.0-59.el7_9.2 (as it is in the example above), use the following commands to update the curl package:

    yum makecache

    yum install curl

  3. If installation of the curl package fails, it is most likely because CentOS is trying to use a repo that has reached its end of life. Try updating the base URL and then reinstall curl. The following sed command makes the necessary changes for most environments to ensure that the updated curl package can be installed:

    sudo sed -i.bak -e 's|^mirrorlist=|#mirrorlist=|' -e 's|^#baseurl=http://mirror.centos.org/centos/\$releasever|baseurl=http://archive.kernel.org/centos-vault/7.9.2009|' /etc/yum.repos.d/CentOS-Base.repo
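The following POSIX shell script automates the version check in steps 1 and 2; it is an added example, not Stellar Cyber's own tooling. It compares a curl version-release string against the 7.29.0-59.el7_9.2 minimum segment by segment, in the order rpm uses for these CentOS 7 packages; the `rpm -q` query format is standard, while the helper names and the sample input are assumptions.

```shell
# Added example, not Stellar Cyber's own tooling: decides whether the curl
# package on a CentOS 7 sensor host meets the minimum required before a
# Linux Server Sensor is upgraded to 6.6.0.
MIN_CURL_VERSION="7.29.0-59.el7_9.2"

# vercmp A B: prints -1, 0 or 1. Both strings are split on '.', '-' and '_'
# and compared segment by segment, numeric segments as numbers and anything
# else as text; a missing segment sorts lowest (so el7 < el7_9.2), as in rpm.
vercmp() {
  a=$(printf '%s' "$1" | sed 's/[._-]/ /g')
  b=$(printf '%s' "$2" | sed 's/[._-]/ /g')
  i=1
  while [ "$i" -le 16 ]; do
    x=$(printf '%s\n' "$a" | awk -v n="$i" '{ print $n }')
    y=$(printf '%s\n' "$b" | awk -v n="$i" '{ print $n }')
    if [ -z "$x" ] && [ -z "$y" ]; then printf '%s\n' 0; return 0; fi
    if [ -z "$x" ]; then printf '%s\n' -1; return 0; fi
    if [ -z "$y" ]; then printf '%s\n' 1; return 0; fi
    case "$x$y" in
      *[!0-9]*)   # at least one side is not purely numeric: compare as text
        if [ "$x" != "$y" ]; then
          first=$(printf '%s\n%s\n' "$x" "$y" | sort | head -n 1)
          if [ "$first" = "$x" ]; then printf '%s\n' -1; else printf '%s\n' 1; fi
          return 0
        fi ;;
      *)          # both numeric: 9 < 59 even though "9" sorts after "59" as text
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi ;;
    esac
    i=$((i + 1))
  done
  printf '%s\n' 0
}

# curl_needs_update VERSION: succeeds (exit 0) when VERSION is below the minimum.
curl_needs_update() {
  [ "$(vercmp "$1" "$MIN_CURL_VERSION")" = "-1" ]
}

# installed_curl_version: version-release of the installed curl rpm
# (e.g. 7.29.0-19.el7); prints nothing when rpm is not available on this host.
installed_curl_version() {
  rpm -q --qf '%{VERSION}-%{RELEASE}\n' curl 2>/dev/null
}

# Walk-through with the version shown in the release notes (constructed input).
if curl_needs_update "7.29.0-19.el7"; then
  echo "curl 7.29.0-19.el7 is below $MIN_CURL_VERSION: run yum makecache && yum install curl"
fi
```

On a real sensor host, pass `"$(installed_curl_version)"` to `curl_needs_update` instead of the constructed value.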

To upgrade sensors:

You can upgrade a sensor to the most recent release from the two previous releases. This means that you can upgrade a sensor to the 6.6.0 release from any 6.4.x or 6.5.x release.

If you are upgrading a Windows Server Sensor, complete any pending updates for the host Windows machine before upgrading the Server Sensor.

  1. Select System | DATA SOURCE MANAGEMENT | Sensors | Sensors.

    The Sensor List appears.

  2. Select Manage | Software Upgrade.

    The Sensor Software Upgrade page appears.

  3. Choose the target software version.

  4. Choose the target sensors.

  5. Select Submit.

Verify the Upgrade

To verify that the upgrade was successful:

  • Check the Software Version in the Sensor List.
  • Check the Sensor Status LED in the Sensor List.
  • Check the ingestion rate in the Sensor Details page for upgraded sensors and make sure it is as expected.