Software Release Date: December 18, 2025
Release Note Updated: February 27, 2026
The Stellar Cyber 6.3.0s release deepens autonomous decision-making by enriching context, empowering analysts, and improving triage precision across identity, detections, and workflows.
Highlights
Autonomous SOC (Early Access Program)
- Case Summary: Automatically analyzes cases and generates concise, structured case summaries with supporting evidence that explain what occurred and its significance.
- Automated Triage of Alerts: Automatically evaluates alerts using contextual signals to provide an initial verdict and reduce analyst workload.
- Automated Triage of Email Phishing: Extends automated email phishing triage with deeper analysis and early diagnosis for participating preview customers.
Usability and UX Enhancements
- Query Manager Import/Export: Adds import and export support to share and reuse queries easily across instances and tenants.
- “Add to Watchlist” Experience: Simplifies adding entities to watchlists directly from investigation workflows, improving speed and usability.
Detections and Machine Learning
- User Login Location Anomaly Enrichment: Enhances login anomaly detections with ASN and User Agent data for greater triage accuracy.
- Fortinet UTM Enhancements: Expands and refines Fortinet UTM detection coverage for improved visibility into network-based threats.
Integrations
- XDR Connect Webhook: Enables streamlined ingestion of third-party alerts through a flexible, webhook-based integration framework.
- Domain Service: Introduces centralized domain management for connectors to improve scalability and reliability.
Actions Required
There are no actions required in this release.
Behavior Changes
Changes that affect the way users interact with the product or interpret results are listed below.
- DATA-3110: Updated the Forcepoint Data Loss Prevention (CEF) parser to align field mappings with the normalized data model. The parser now maps duser to dstip_username and sourceHost to srcip_host, ensuring Forcepoint DLP logs conform to the standard naming convention used across normalized data sources. The existing mapping from destinationHosts to dstip_host remains available. These changes improve field consistency for correlation and reporting. Saved queries, dashboards, or detections that referenced the legacy field names now display values under the updated normalized fields. No configuration changes are required, and the new fields populate automatically when present in incoming CEF messages.
- DATA-2986: Corrected event category mapping in the Cynet 360 (CEF) parser. The msg_origin.category field now maps to endpoint instead of xdr to align with the standardized taxonomy used across Stellar Cyber parsers. This correction ensures consistent classification for filtering, dashboards, and correlation across endpoint and detection data sources. Saved searches, reports, or dashboards that reference msg_origin.category:xdr should be updated to use endpoint. Existing detections and automated workflows are unaffected.
- DATA-2966: Normalized vendor-derived identifiers in Common Event Format (CEF) parser output. The default values for msg_origin.source, msg_class, dev_type, and dev_class now apply stricter normalization rules derived from cef_device_vendor. Normalization allows only lowercase letters, digits, and underscores, removes invalid characters, and prefixes values beginning with a digit with cef. These changes ensure consistent and valid field naming across correlated data and prevent ingestion errors. Saved filters, queries, or dashboards that reference vendor-derived field values containing invalid characters may display updated normalized values.
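To make the two CEF parser changes above (DATA-3110 field renaming and DATA-2966 identifier normalization) concrete, here is an added Python example that is not Stellar Cyber's parser code: it parses a constructed Forcepoint DLP CEF record, renames the legacy fields, and applies the normalization rules. It assumes that the normalized vendor name is used directly as the default for msg_origin.source (the note only says the defaults are derived from cef_device_vendor), that invalid characters including spaces are simply dropped as the note states, and it does not handle CEF escape sequences.

```python
import re

# Legacy-to-normalized field names from the DATA-3110 Forcepoint DLP change above.
FORCEPOINT_FIELD_MAP = {
    "duser": "dstip_username",
    "sourceHost": "srcip_host",
    "destinationHosts": "dstip_host",
}

# Extension pairs are "key=value" separated by spaces; a value may itself contain spaces,
# so it runs until the next " key=" token. CEF escape sequences (\= \|) are not handled here.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Constructed sample record; the values are illustrative, not from a real Forcepoint system.
SAMPLE_LINE = ("CEF:0|Forcepoint|DLP|9.0|1001|Data Loss Incident|7|"
               "duser=alice sourceHost=ws-17 destinationHosts=fileserver01 msg=Upload blocked")


def parse_cef(line: str) -> dict:
    """Split a CEF record into its seven header fields plus the extension key=value pairs."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header_keys = ("cef_version", "cef_device_vendor", "cef_device_product",
                   "cef_device_version", "cef_signature_id", "cef_name", "cef_severity")
    event = dict(zip(header_keys, parts[:7]))
    event["cef_version"] = event["cef_version"][len("CEF:"):]
    for key, value in _EXT_RE.findall(parts[7]):
        event[key] = value.strip()
    return event


def normalize_vendor_identifier(vendor: str) -> str:
    """DATA-2966 rules: lowercase, keep only [a-z0-9_], prefix 'cef' when the result starts with a digit."""
    ident = re.sub(r"[^a-z0-9_]", "", vendor.lower())
    if ident[:1].isdigit():
        ident = "cef" + ident
    return ident


def normalize_forcepoint_event(line: str) -> dict:
    """Parse, rename the legacy Forcepoint fields, and derive the default msg_origin.source."""
    event = parse_cef(line)
    for legacy, normalized in FORCEPOINT_FIELD_MAP.items():
        if legacy in event:
            event[normalized] = event.pop(legacy)
    # Assumption: the normalized vendor name is used as-is for the default msg_origin.source.
    event["msg_origin.source"] = normalize_vendor_identifier(event["cef_device_vendor"])
    return event
```

Running normalize_vendor_identifier over the vendor values referenced by existing saved filters shows which values change under the new rules (for example a vendor starting with a digit gains the cef prefix).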
Deprecated Features
The following feature is planned for deprecation in a future version.
Upcoming Deprecation: Netskope Connector (API V1) – The Netskope connector supports API V1 and V2, but Netskope has deprecated API V1, so Stellar Cyber will retire the V1 API in a future release. Begin planning to migrate to the V2 API.
Detection/ML
New Features
- AELDEV-61068: Added alert integration for SonicWall Endpoint Security.
- AELDEV-58576: Added alert integration for Cyble.
- AELDEV-58171: Introduced an API endpoint for link safety verification.
- AELDEV-58034: Added alert integration for SentinelOne Singularity Identity.
- AELDEV-56598: Added Sigma rules for Active Directory attack patterns.
- AELDEV-54976: Added alert integration for Hoxhunt.
- AELDEV-54021: Added alert integration for WithSecure Elements.
- AELDEV-53159: Added alert integration for SOCRadar.
- AELDEV-33299: Added alert integration for Duo Security.
Improvements
- AELDEV-61942: Display all user accounts in Golden Certificate alerts.
- AELDEV-61553: Expanded login-related detections to include VPN events.
- AELDEV-61488: Introduced evidence tracking for detections suppressed by silent mode.
- AELDEV-61031: Improved Fortinet log normalization for failed-login detection.
- AELDEV-60643: Enhanced severity mapping in the Bitdefender (Syslog JSON) parser.
- AELDEV-59017: Prioritized user-based correlation for Microsoft identity alerts and normalized email addresses.
- AELDEV-57657: Improved destination IP aggregation for OCI SSH scanner alerts.
- AELDEV-55998: Enhanced the User Login Location and Impossible Travel alert types with ASN and user agent data.
- AELDEV-55990: Adjusted ESET alert severity scoring.
- AELDEV-53909: Prioritized Sysmon Event ID 1 over Event ID 4688 for Suspicious Windows Process Creation alerts.
Stellar Cyber Platform
New Features
- AELDEV-57780, AELDEV-57624: Added support for defining a range of values in query conditions.
Improvements
- AELDEV-64265: Fixed inaccurate heartbeat security detection counts.
- AELDEV-55420: Enforced the automatic deletion of tenant-associated sensors on tenant removal.
- AELDEV-55207: Expanded the tenant name field to 256 characters.
Sensors
New Features
- AELDEV-61968: Introduced parsing for Netskope user and site identifiers in GENEVE tunnels.
Improvements
- AELDEV-61369: Introduced a CLI command to reapply custom parsers for the Sensor log forwarder.
- AELDEV-58444: Added SSL connectivity status to the show receiver debug command in the Sensor CLI.
- AELDEV-57663: Added list of available Sensor CLI commands to the local CLI.
- AELDEV-56974: Introduced configuration change logging in a dedicated log for settings received from Configuration Manager.
- AELDEV-55789: Added timestamped logging for CLI commands that execute actions.
- AELDEV-55739: Added Windows Server Sensor support for Microsoft Windows Server 2025.
- AELDEV-49775: Added Oracle Linux 9 support to the Linux Server Sensor.
Connectors
New Features
- AELDEV-61070: Introduced the Wiz connector.
- AELDEV-60305: Introduced the SonicWall Endpoint Security connector.
- AELDEV-59374: Introduced the Halcyon connector.
- AELDEV-58704: Introduced the iManage Threat Manager connector.
- AELDEV-58698: Introduced the Memcyco connector.
- AELDEV-41995: Introduced the ConnectSecure V4 connector.
Improvements
- AELDEV-63506: Fixed an issue in the CODA Footprint connector that occurred when processing records without the last-seen timestamp.
- AELDEV-61348: Added new content types to the Trend Micro Cloud App Security connector.
- AELDEV-60191: Added a response action configuration schema for the Palo Alto Networks CORTEX XDR connector.
- AELDEV-60188: Added Microsoft Entra ID response actions to UI.
- AELDEV-59981: Improved normalization for Microsoft Defender for Endpoint alerts.
- AELDEV-59870: Added a new content type to the Azure Event Hub connector.
- AELDEV-59862: Added Base URL to the Cisco Meraki Firewall configuration.
- AELDEV-59685: Added Last Updated Comment field to InSyncs ServiceNow.
- AELDEV-55063: Added support for Service Principal Sign-in Logs in the Microsoft Entra ID connector.
Parsers
New Features
- DATA-3096: Introduced a parser for ingesting ManageEngine PAM360 logs.
- DATA-3095: Introduced a parser for ingesting NetScout Omnis Cyber Intelligence logs.
- DATA-3092: Introduced a parser for ingesting SonicWall NSa logs.
- DATA-3091: Introduced a parser for ingesting Akamai WAF logs.
- DATA-3085: Introduced a parser for ingesting KVH CommBox Edge Gateway logs.
- DATA-3080: Introduced a parser for ingesting PCI MVApp logs.
- DATA-3045: Introduced a parser for ingesting Hisun Global Core Banking logs.
- DATA-3002: Introduced a parser for ingesting Tenable AD logs.
- DATA-2881: Introduced a parser for ingesting Trend Micro Deep Security logs.
- DATA-2548, DATA-3018: Introduced a parser for ingesting Fortinet FortiGate Firewall (Windows Agent Filebeats) logs.
Improvements
- DATA-3110: Improved field normalization in the Forcepoint Data Loss Prevention (CEF) parser.
- DATA-3097: Improved parsing for Infoblox Data Connector (CEF) logs.
- DATA-3090, DATA-3089: Added CSV format support for Zscaler Internet Access Firewall and Web logs.
- DATA-3086: Added normalization for Sophos firewall connection events.
- DATA-3074: Expanded field extraction in the Infoblox CEF parser.
- DATA-3073: Improved the Fortinet FortiClient EMS Cloud log parser to support additional formats.
- DATA-3047: Enhanced parsing for Ubiquiti UniFi Dream Machine Pro logs.
- DATA-3040: Standardized sequence field normalization across network and firewall parsers.
- DATA-3029: Expanded normalization for Forcepoint DLP events.
- DATA-2986: Corrected event category mapping in the Cynet 360 (CEF) parser.
- DATA-2966: Normalized vendor-derived identifiers in Common Event Format (CEF) parser output.
Usability
New Features
- AELDEV-57302: Added a Show All control in the Tasks widget.
- AELDEV-49273: Introduced an option to add IP addresses, file hashes, URLs, and domain names to watchlists from the Alert Details page.
- AELDEV-36890: Added cross-instance exports and imports of saved queries.
Improvements
- AELDEV-62269: Improved reliability and performance of CSV exports for reports and dashboards.
- AELDEV-61668: Enabled user-scoped API token support for data retrieval API endpoints.
- AELDEV-60765: Improved report generation accuracy for time range handling.
- AELDEV-59550, AELDEV-57666: Introduced a historical listing of previously run reports per tenant with the option to rerun them.
Early Access Program
If you're interested in testing out new features ahead of general availability, consider joining the Early Access Program (EAP) by contacting your Stellar Cyber Customer Success representative and telling them which EAP feature you want to test. Once you've agreed to the EAP terms and signed up, the EAP feature is unlocked for you.
The purpose of this program is to boost performance and reliability through real-world customer insights, giving you a hands-on role in shaping a Stellar Cyber feature. In return, you'll receive early access to upcoming releases and the chance to guide product development.
The following are the EAP features in this release:
AI Case Analysis & Summary
This release includes AI-generated narratives within the Case Detail view to accelerate investigations. New AI-generated sections automatically summarize alerts into a case-level story, reconstruct timelines, explain relationships between entities, and provide tailored response recommendations. Analysts gain faster context and clearer next steps without manually stitching alerts together.
Automated Triage of Alerts
The automated triage of alerts is available for SaaS deployments only. It automatically evaluates alerts using contextual signals to provide an initial verdict and reduce analyst workload. This capability applies AI-driven context analysis across alert data to classify incidents by risk and confidence. It helps analysts prioritize actions by automatically dismissing low-risk events and elevating likely true positives for review.
Automated Triage of Phishing Email
The automated triage of suspected phishing email is available for SaaS deployments only. It classifies user-reported email messages through built-in threat intelligence, optional external threat intelligence, and AI-powered analysis. This feature provides an automated triage agent that analyzes reported emails, offering detailed analysis and AI-generated insights. As a result of automated processing, Stellar Cyber reduces manual workloads, enables faster response times, and ensures consistent, transparent alerting in the UI.
XDR Connect Webhook Ingestion
This is a simple webhook framework that lets you post JSON data directly from any external system into Stellar Cyber, accelerating custom integrations and expanding your visibility across the entire security stack. The XDR Connector is in Public Preview in this release.
Operational Notes
There are no operational notes in this release.
Resolved Issues
- AELDEV-65612: Fixed the numeric threshold in the Condition Configuration section of an ATH playbook.
- AELDEV-65320: Resolved inability to remove Saved query in Threat Hunting filters.
- AELDEV-65319: Fixed query testing and save behavior for specific filter conditions.
- AELDEV-65293: Corrected button text in confirmation dialog boxes for unsaved changes.
- AELDEV-65160: Resolved upgrade failures on low-memory Modular Sensor nodes.
- AELDEV-65155: Improved the Alert Filters page responsiveness for large datasets.
- AELDEV-64594: Fixed incorrect distance values in Login Location Anomaly alerts.
- AELDEV-64346: Added the per-organization retention of user records in the Activity Log.
- AELDEV-63841: Fixed asset counting in multi-tenant environments.
- AELDEV-63745: Fixed asset ID enrichment for alerts.
- AELDEV-59772: Resolved an intermittent display failure on the Stellar Cyber API Reference page.
- AELDEV-57408: Fixed an issue where ATH rules failed to generate alerts when conditions were met.
Upgrading Sensors
You can upgrade Stellar Cyber Sensors from 6.1.0 or later to 6.3.0. You must:
- Prepare for the upgrade
- Upgrade the sensors
- Verify the upgrade
Prepare for the Upgrade
To prepare for the upgrade:
- Make sure the sensors are up and running
- Take note of the ingestion rate for the sensors to be upgraded in the Sensor Details page
- Make sure the system health indicators in the Sensor Details page all show green.
Upgrade the Sensors
New features, updated ML algorithms, and enhanced configurations may change ingestion and detection patterns. We recommend the following to ensure a smooth upgrade:
- Upgrade sensors with the Sandbox and IDS features enabled before sensors with only the Network Traffic feature enabled. Sensors with Network Traffic enabled send data to sensors with Sandbox and IDS enabled for additional processing.
- Upgrade sensors in batches instead of all at once.
- For server sensors (agents):
  - Upgrade a small set of sensors that cover non-critical assets.
  - After 24 hours, ensure that your ingestion is as expected, then upgrade a larger set.
  - After 24 hours, ensure that your ingestion is as expected, then upgrade the remaining server sensors.
CentOS 7.1 Prerequisite – Update curl to 7.29.0-59.el7_9.2 or Higher
Before upgrading any Linux Server Sensors running in CentOS 7.1, you must check your curl version and update it to 7.29.0-59.el7_9.2 or higher to use the strong encryption required by the Stellar Cyber Platform.
- Check your curl version as shown below:
  yum list installed curl
  Loaded plugins: fastestmirror
  Loading mirror speeds from cached hostfile
  Installed Packages
  curl.x86_64 7.29.0-19.el7
- If the listed version is lower than 7.29.0-59.el7_9.2 (as it is in the example above), use the following commands to update the curl package:
  yum makecache
  yum install curl
- If installation of the curl package fails, it is most likely because CentOS is trying to use a repo that has reached its end of life. Try updating the base URL and then reinstall curl. The following sed command makes the necessary changes for most environments to ensure that the updated curl package can be installed:
  sudo sed -i.bak -e 's|^mirrorlist=|#mirrorlist=|' -e 's|^#baseurl=http://mirror.centos.org/centos/\$releasever|baseurl=http://archive.kernel.org/centos-vault/7.9.2009|' /etc/yum.repos.d/CentOS-Base.repo
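As an added preflight check for the CentOS 7.1 prerequisite above (example code, not a Stellar Cyber script), the following shell functions compare an installed curl version-release string against the required minimum and report whether the update steps are needed. It assumes GNU coreutils for the sort -V version ordering and rpm being available on the sensor host.

```shell
#!/bin/sh
# Preflight check for the CentOS 7.1 curl prerequisite. Added example, not Stellar Cyber tooling.
# Assumes GNU coreutils (sort -V) for RPM-style version ordering.
MIN_CURL_VERSION="7.29.0-59.el7_9.2"

# Returns 0 when $1 (a "version-release" string as printed by rpm/yum) meets the minimum.
curl_version_ok() {
    installed="$1"
    # Version sort prints the lower of the two strings first; if the minimum sorts
    # first (or both are equal), the installed version is at least the minimum.
    lowest=$(printf '%s\n%s\n' "$installed" "$MIN_CURL_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$MIN_CURL_VERSION" ]
}

# Reads the installed curl version from rpm (only meaningful on an RPM-based host).
installed_curl_version() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' curl 2>/dev/null
}

# Prints the result; returns 1 if an update is needed, 2 if curl cannot be queried.
check_curl_prerequisite() {
    v=$(installed_curl_version) || { echo "curl is not installed or rpm is unavailable"; return 2; }
    if curl_version_ok "$v"; then
        echo "curl $v meets the minimum $MIN_CURL_VERSION"
        return 0
    fi
    echo "curl $v is below $MIN_CURL_VERSION: run 'yum makecache' and 'yum install curl'"
    echo "If the install fails, repoint CentOS-Base.repo at the vault with the sed command above."
    return 1
}
```

Run check_curl_prerequisite on each CentOS 7.1 sensor host before starting the sensor upgrade.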
To upgrade sensors:
You can upgrade a sensor to the most recent release from the two previous releases. This means that you can upgrade a sensor to the 6.3.0 release from any 6.1.x or 6.2.x release.
If you are upgrading a Windows Server Sensor, complete any pending updates for the host Windows machine before upgrading the Server Sensor.
- Select System | DATA SOURCE MANAGEMENT | Sensors | Sensors. The Sensor List appears.
- Select Manage | Software Upgrade. The Sensor Software Upgrade page appears.
- Choose the target software version.
- Choose the target sensors.
- Select Submit.
Verify the Upgrade
To verify that the upgrade was successful:
- Check the Software Version in the Sensor List.
- Check the Sensor Status LED in the Sensor List.
- Check the ingestion rate in the Sensor Details page for upgraded sensors and make sure it is as expected.
For more details about this release, please read here.