Stellar Cyber 4.1.5 Release Notes
Stellar Cyber 4.1.5 is offered primarily as a stepping-stone release to the 4.2.0 release. You can upgrade to 4.1.5 from the 4.1.0, 4.1.1, and 4.1.2 releases and from there to 4.2.0. Refer to the upgrade instructions for details.
Note: As of the 4.1.0 release, the following data model terminology is standardized in Stellar Cyber products and documentation:
- Raw Events: Raw or enriched records from traffic or log ingestion.
- Alert Types and Alerts: Alert Types categorize security alerts generated by a set of analytics or machine learning algorithms. An alert is a triggered instance of an alert type. Alert Types can be classified by XDR Kill Chain Stage > ATT&CK Tactic > ATT&CK Technique.
- Incidents: Multiple alerts grouped into an incident for efficient and effective SOC investigation.
Platform Enhancements
- Updated Kubernetes to address a certificate expiration issue.
Known Issues
- When multiple traffic filters are defined for a tenant with the same combination of IP, port, protocol, and layer 7 rules, the filter may fail to take effect. Administrators should review the defined traffic filters and make sure there are no duplicate definitions among filters.
- Files may not be assembled by Security Data Sensors for traffic mirrored from physical interfaces on Cisco Nexus 9K models. As a workaround, configure VLAN mirroring on the Cisco switch.
- Sensor installation on Linux servers running CentOS 6 fails because the official CentOS 6 package download link is no longer available.
- If you change the network interface configuration of a sensor's VM after deployment, the eth0 interface may be remapped to a new interface. If this happens, the management network is disconnected. Contact Technical Support for assistance.
- The stellar_syswatcher service may be missing after a new installation or upgrade of a Windows agent sensor on Windows Server 2008 R2. This happens when a required Microsoft patch is not installed on the host. Patch target Windows Server 2008 R2 hosts before you install or upgrade the sensor so you can leverage traffic information from the Windows agent sensor.
Upgrading
Upgrades of the DP to 4.1.5 are supported from 4.1.0, 4.1.1, and 4.1.2. Once you have upgraded the DP to 4.1.5, you can then upgrade to 4.2.0.
Sensors other than the Windows Server Sensor can be upgraded directly to 4.2.0 from 4.1.0, 4.1.1, and 4.1.2.
Refer to the Stellar Cyber 4.2.0 Release Notes for details on supported upgrade paths.
You must:
Preparing for the Upgrade
To prepare for the upgrade:
- Back up the data and configuration
- Make sure the sensors are up and running
- Take note of the ingestion rate
- Take note of the number of alerts
- Make sure the system health indicator shows
- Run the pre-upgrade check
Upgrading the DP to 4.1.5
To upgrade to 4.1.5 from 4.1.0, 4.1.1, or 4.1.2:
- Click Admin | Software Upgrade.
- Choose 4.1.5.
- Click Start Upgrade.
Review Alert/Machine Learning Training Time for guidance on training time of updated ML models.
The Collect | Sensor Overview | Software Upgrade page will not show a Windows upgrade package because of this non-support. Also, you cannot download the .msi installation file from the Configure | Agents | Windows tab in this release; only the links above are supported for the download of Windows Server Sensor installation files.
Verifying the Upgrade
To verify that the upgrade was successful:
- Check the Current Software Version on the Admin | Software Upgrade page.
- Make sure the sensors are up and running.
- Check the ingestion rate and make sure it is as expected.
- Check the number of alerts and make sure it is as expected.
- Check the system health indicator:
- indicates a perfectly healthy system.
- indicates minor issues. Monitor the system for 30 minutes. If the issues remain, investigate further.
- indicates major issues. Contact Technical Support.
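The preparation and verification checklists above ask you to note the ingestion rate, alert count and sensor state before the upgrade and confirm they are "as expected" afterwards. The following script is an added example, not Stellar Cyber code, that makes "as expected" concrete: both snapshots are transcribed by hand from the Admin | Software Upgrade and Collect | Sensor Overview pages (the field names and sample values are assumptions for this example), and the comparison flags a version mismatch, any sensor that is no longer up, and any metric that drifted beyond a tolerance you choose.

```python
"""Compare a pre-upgrade baseline with post-upgrade observations.

Added example, not Stellar Cyber code. Snapshot fields are assumptions:
fill them in from the UI before and after the upgrade. verify_upgrade()
returns a list of findings; an empty list means the upgrade verifies.
"""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class Snapshot:
    version: str                       # Current Software Version shown in the UI
    ingestion_rate: float              # as noted in the UI, e.g. events per second
    alert_count: int                   # alerts in the window you chose to note
    sensors_up: Set[str] = field(default_factory=set)


def _relative_change(before: float, after: float) -> float:
    """Fractional change from before to after. A zero baseline counts as a
    full change only if the value actually moved."""
    if before == 0:
        return 0.0 if after == 0 else 1.0
    return abs(after - before) / abs(before)


def verify_upgrade(baseline: Snapshot, post: Snapshot, expected_version: str,
                   tolerance: float = 0.20) -> List[str]:
    """Return findings for an operator to investigate. `tolerance` is the
    largest fractional drift in ingestion rate or alert count accepted
    without a closer look; 20% is an assumed default, not a product value."""
    findings: List[str] = []
    if post.version != expected_version:
        findings.append(f"version is {post.version}, expected {expected_version}")
    # Sensors that were up before the upgrade must still be up afterwards.
    missing = sorted(baseline.sensors_up - post.sensors_up)
    if missing:
        findings.append("sensors not up after upgrade: " + ", ".join(missing))
    for name, before, after in (
        ("ingestion rate", baseline.ingestion_rate, post.ingestion_rate),
        ("alert count", baseline.alert_count, post.alert_count),
    ):
        drift = _relative_change(before, after)
        if drift > tolerance:
            findings.append(f"{name} moved from {before} to {after} "
                            f"({drift:.0%} > {tolerance:.0%} tolerance)")
    return findings


# Constructed sample snapshots for this example.
BASELINE = Snapshot("4.1.2", ingestion_rate=12_000.0, alert_count=340,
                    sensors_up={"dc1-sensor-01", "dc1-sensor-02", "branch-win-01"})
POST = Snapshot("4.1.5", ingestion_rate=11_400.0, alert_count=110,
                sensors_up={"dc1-sensor-01", "dc1-sensor-02"})

if __name__ == "__main__":
    for finding in verify_upgrade(BASELINE, POST, expected_version="4.1.5"):
        print("CHECK:", finding)
```

With the constructed sample, the version check passes, the 5% ingestion drop stays within tolerance, and two findings remain: `branch-win-01` is no longer up, and the alert count fell by roughly two thirds. A large drop in alerts immediately after an upgrade is not necessarily a fault; the Alert/Machine Learning Training Time guidance referenced above explains how long updated ML models need before alert volume settles, so re-check once that window has passed before escalating.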