Software Release Date: April 28, 2026
Release Note Updated: May 14, 2026
The Stellar Cyber 6.5.0s release delivers the following updates to the Stellar Cyber Open XDR platform.
Highlights
Early Access Program Features
- Stellar Cyber MCP Server: Added an MCP server to connect AI clients to the Stellar Cyber Platform through the Model Context Protocol (MCP) to retrieve case and alert data, review investigation context, perform tenant-aware operations, and update selected case fields.
- Parser Studio: Added Parser Studio to create and manage custom log parsers for data ingestion by cloning existing parsers, testing parser behavior before deployment, and activating parsers for production log ingestion.
Detections/Machine Learning
- Successful Login After Brute Force: Added a detection for successful login activity from a new or previously unseen IP address shortly after brute-force login attempts targeting the same user account from different IP addresses, helping identify distributed or rotating-IP brute-force attacks.
- Suspicious AWS Configuration: Added built-in detection coverage for AWS Config events so configuration changes and compliance evaluation events can generate alerts and correlate with other AWS telemetry.
- Location-Based Detection Fidelity Scoring: Improved fidelity scoring for location-based detections by refining how new location, ASN, and user agent changes affect alert accuracy, helping reduce false positives and improve triage for User Login Location Anomaly and Impossible Travel Anomaly.
System
- ATH Rules Import/Export: Added ATH rule import and export functionality so you can move rules between environments, include referenced queries and lookups, validate dependencies before import, and resolve naming conflicts with skip, overwrite, or rename options.
- Query Execution Management: Enhanced ATH playbook status views with a Last Scheduled Run section that shows the most recent scheduled run attempt, including details about the input status, condition status, and action status.
Usability
- Dashboard Landing Page: Added a dashboard landing page called Dashboard Hub to centralize access to existing dashboards and charts so you can browse, open, and edit them from one place based on your current permissions.
- Alert Filters for a Fixed Period of Time: Added expiration settings for alert filters so you can apply filter actions temporarily during maintenance windows, planned changes, or other short-term events and have them deactivate automatically when the specified time period ends.
Integrations
- New Integrations: Expanded third-party integration coverage across network security, cloud and SaaS security, cyber asset and exposure monitoring, and XDR response platforms to improve data ingestion, broaden security visibility, and support more coordinated detection and response workflows.
Actions Required
There are no actions required in this release.
Behavior Changes
Changes that affect the way users interact with the product or interpret results are listed below.
- AELDEV-67120: Updated the login flow to avoid revealing whether a user exists before authentication completes. Failed login attempts now return the same result whether the username, password, or both are incorrect. All login flows also display the Continue with SSO button, and the tenant-specific logo that previously appeared after a user entered an email address now only appears after login. These changes help prevent attackers from using the login flow to identify valid accounts.
- DATA-3291: Updated the Trend Micro Interscan Messaging parser to use port 5684 instead of port 5678. Deployments that previously sent logs to port 5678 must be updated to send traffic on port 5684, including any related firewall policy changes. Logs that continue to arrive on port 5678 will no longer be ingested by the Trend Micro Interscan Messaging parser.
Deprecated Features
- Office 365 Reporting Web Service connector – Microsoft deprecated the Reporting Web Service for message trace collection on April 8, 2026. Stellar Cyber provides the Microsoft Graph Message Trace connector as the replacement for message trace collection. Migrate existing Reporting Web Service configurations to the new connector.
- Netskope Connector (API V1) – API V1 support was removed from the Netskope connector. API V2 is now the default option.
Detection/ML
New Features
- AELDEV-67369: Added App ID and App Display Name to Key Fields of the User Login Location Anomaly.
- AELDEV-66509: Added alert type for Successful Login After Brute Force.
- AELDEV-64779: Moved alert suppression settings in the Detection Management System.
- AELDEV-64159: Added Sigma rules for AWS Config events.
- AELDEV-63312: Added Check Point Harmony Email alert integration.
- AELDEV-53689: Added Group-IB alert integration.
- AELDEV-38459: Added Darktrace alert integration.
- AELDEV-38445: Added ExtraHop Reveal(x) 360 alert integration.
- AELDEV-35521: Added FortiEDR alert integration.
Improvements
- AELDEV-68034: Improved SentinelOne threat event deduplication by using the alert creation time.
- AELDEV-65821: Improved firewall and WAF detection to normalize policy rule action values.
- AELDEV-65757: Improved correlation when the same user is identified in different fields.
- AELDEV-65755: Added automatic case score updates when alert filters change alert scores.
- AELDEV-65754: Extended process-creation detections to include Windows event 4688.
- AELDEV-64761: Improved case score calculation and graph-building performance.
- AELDEV-64414: Added configurable suppression of platform alert creation for Microsoft Defender ATP alerts based on third-party status.
- AELDEV-63693: Improved User Login Location Anomaly fidelity scoring with ASN and user-agent signals.
Stellar Cyber Platform
New Features
- AELDEV-67615: Improved configuration synchronization from the Stellar Cyber Platform to sensors in SaaS deployments.
- AELDEV-66369: Added metrics and error reporting for the Snowflake data sink.
- AELDEV-66233: Added alerts when detections from a data source are delayed.
- AELDEV-64816: Added alerts for decreases in licensed device and user counts in the System Action Center.
- AELDEV-64778: Added indexing status to alert details for Automated Threat Hunting alerts.
Improvements
- AELDEV-65662: Improved correlation rule reliability for Automated Threat Hunting.
- AELDEV-65301: Added a deployment script for the Stellar Cyber Platform on Ubuntu 24.04 KVM hosts.
- AELDEV-40606: Added support for alert filters that expire automatically.
Sensors
New Features
- AELDEV-68440: Validated and documented steps to use Modular Sensor with Azure VTAP.
- AELDEV-66767: Added SMB session IDs to deep packet inspection output.
- AELDEV-63846: Added NFS file assembly for malware inspection.
Improvements
- AELDEV-69059: Defined the minimum Linux kernel version for large traffic filters.
- AELDEV-68180: Added Linux Server Sensor support for Alma Linux 9 and Oracle Linux 7, 8, and 9.
- AELDEV-67641: Added Linux Server Sensor support for SUSE Linux Enterprise Server 16.
- AELDEV-67371: Added eBPF fallback for large packet filter expressions on Modular Sensors.
- AELDEV-67050: Added the ability to reset the UUID of Tenable Nessus scanners installed on Modular Sensors.
- AELDEV-65742: Improved sensor uninstallation status and error handling.
Connectors
New Features
- AELDEV-68345: Introduced the Microsoft Graph Message Trace connector due to deprecation of Office 365 Reporting Web Service.
- AELDEV-65334: Introduced the NordStellar connector.
- AELDEV-63122: Introduced the Manage Engine Endpoint Central connector.
- AELDEV-62839: Introduced the Firewalla Managed Security Portal connector.
Improvements
- AELDEV-70604: Updated the Azure Event Hub connector to send structured Azure Firewall logs to the Traffic index.
- AELDEV-67051: Added the Asset Wise Vulnerabilities content type to the ConnectSecure V4 connector.
- AELDEV-66439: Improved Trend Micro Cloud App Security ingestion to populate observables with the filename.
- AELDEV-66284: Enhanced the Generic S3 connector to support AWS Config (JSON).
- AELDEV-65427: Removed the V1 API option from Netskope due to deprecation.
- AELDEV-64883: Added Oracle Cloud Infrastructure SIP record normalization.
- AELDEV-64813: Enhanced the Netskope connector with responders that use webhook templates.
- AELDEV-64495: Added the Incident content type to the Netskope connector.
- AELDEV-64156: Enhanced the Trend Micro Vision One connector with responders that use webhook templates.
- AELDEV-63690: Added normalization for the Mimecast recipient field.
- AELDEV-61660: Improved normalization for Microsoft Defender for Endpoint.
- AELDEV-57413: Added multi-tenant management for generic webhook ingestion.
- AELDEV-56379: Added an optional timestamp to the XDR Connector.
- AELDEV-55710: Improved Generic S3 connector handling of missing objects.
- AELDEV-53408: Improved AWS GuardDuty connector testing for empty Findings.
- AELDEV-52318: Improved Active Directory connector testing.
Parsers
New Features
- AELDEV-63567: Introduced a modular built-in parser for ingesting NetScout Omnis logs in Parser Studio.
- AELDEV-33182: Added Parser Studio for creating and managing custom parsers.
- DATA-3380: Expanded field coverage for the Zscaler ZIA Firewall parser.
- DATA-3363: Introduced a parser for ingesting Cato Networks Cato Security logs.
- DATA-3358: Introduced a parser for ingesting Citrix ADC logs.
- DATA-3349: Introduced a parser for ingesting Palo Alto Networks Prisma Access logs.
- DATA-3325: Introduced a parser for ingesting WordPress logs.
- DATA-3318: Introduced a modular built-in parser for ingesting Fortinet Fortigate logs in Parser Studio.
- DATA-3316: Introduced a parser for ingesting Salt Security logs.
- DATA-3314: Introduced a parser for ingesting DefensX logs.
- DATA-3305: Introduced a parser for ingesting Fortra GoAnywhere MFT logs.
- DATA-3304: Introduced a parser for ingesting Zecurion - DLP (CEF) logs.
- DATA-3303: Introduced a parser for ingesting OpenText - Open Enterprise Server logs.
- DATA-3300: Introduced a parser for ingesting ManageEngine OpManager Plus logs.
- DATA-3299: Introduced a parser for ingesting SoftEther VPN Server logs.
- DATA-3296: Introduced a parser for ingesting Devolutions Remote Desktop Manager logs.
- DATA-3295: Introduced a parser for ingesting Spica Access Control logs.
- DATA-3293: Introduced a parser for ingesting IIJ SWG logs.
- DATA-3276: Introduced a parser for ingesting Trend Micro - Deep Discovery Email Inspector logs and expanded parsing for all Trend Micro CEF logs.
Improvements
- AELDEV-70804: Reduced sensor memory usage by setting additional built-in parsers to disabled by default.
- AELDEV-67025: Improved parser configuration redeployment when tenant assignment changes.
- AELDEV-66370: Added support for mapping a single raw field to multiple Stellar Cyber schema fields.
- DATA-3357: Updated the Fortinet FortiAnalyzer parser to populate additional Fortinet virus and file fields.
- DATA-3356: Expanded log format support for the BlueCoat Proxy SG parser.
- DATA-3347: Added JSON-format support to the Zscaler ZIA firewall parser.
- DATA-3336: Expanded field coverage for the F5 BIG-IP ASM parser.
- DATA-3330: Added TCP multi-line support to the Fortinet FortiAnalyzer parser.
- DATA-3328: Extended the ESET parser to interpret the event timezone.
- DATA-3322: Extended the ThreatER Enforce parser for syslog timestamps without a timezone.
- DATA-3317: Extended the BIG-IP i2600 parser to handle XML-formatted requests.
- DATA-3315: Improved the Fortinet Fortigate (CEF) parser to extract the username from IPSec VPN events.
- DATA-3309: Improved parsing for Tait Communications RFSS Controller audit logs.
- DATA-3306: Extended FortiAnalyzer parsing for forwarded FortiMail, FortiGuard, and FortiWeb logs.
- DATA-3302: Improved FortiADC and FortiWeb parser field coverage.
- DATA-3301: Added RFC 5424 syslog header support for the Citrix NetScaler parser.
- DATA-3291: Reassigned the Trend Micro Interscan Messaging parser to port 5684.
- DATA-3289: Expanded log format support for the Zscaler ZIA Web parser.
- DATA-3283: Added source and destination IP address normalization for Sysmon Event ID 3.
- DATA-3282: Expanded log coverage for the Ubiquiti UDM Pro parser.
- DATA-3281: Expanded the ESET parser to handle recent heartbeat and status messages.
- DATA-3276: Broadened field coverage for the Trend Micro Deep Discovery Email Inspector CEF parser.
- DATA-3258: Added normalization for the CrowdStrike (CEF) alert integration.
- DATA-3225: Expanded structured field extraction for the Fortinet FortiEDR parser.
- DATA-3041: Added filterlog parsing to the Deciso OPNsense parser.
Usability
New Features
- AELDEV-67008: Added a Cortex XDR endpoint isolation action in Cases.
- AELDEV-66793: Added the ability to import and export ATH playbooks.
- AELDEV-66353: Extended the System Action Center public API with tenant exclusions.
- AELDEV-65817: Expanded the System Action Center public API with full rule management support.
- AELDEV-65541: Added a Sensor Profile option to retain raw Windows Event Log messages.
- AELDEV-64392: Added Early Access support for the Stellar Cyber MCP Server.
- AELDEV-64220: Added the ability to insert watchlist entries from Key Fields in Alert Details.
- AELDEV-63296: Added API token management to the User Profile panel.
- AELDEV-61809: Added the Dashboard Hub as a central landing page for dashboards.
- AELDEV-60428: Added quick filters to the Sensor Management page.
- AELDEV-54199: Added the ability to build a query from active filters.
Improvements
- AELDEV-69094: Updated Cases bulk action messaging for asynchronous status changes.
- AELDEV-68718: Expanded date range options and queue behavior for case queues.
- AELDEV-68496: Extended the default Case Queue evaluation range to one year.
- AELDEV-67540: Improved the identification of ASN enrichment fields in the UI.
- AELDEV-67120: Updated the login flow to avoid revealing if a user account exists.
- AELDEV-66899: Enabled the configuration of alert filter actions in Alert Details.
- AELDEV-65797: Added real-time triage status updates in Cases.
- AELDEV-64013: Added the option to disable automatic query execution in Threat Hunting.
- AELDEV-63617: Added last run details to ATH playbook status views.
- AELDEV-63604: Replaced sensor platform lists in downloads with a Knowledge Base link.
- AELDEV-62723: Added support for sending separate ATH email notifications for each matching record.
- AELDEV-62339: Improved tenant selection in InSyncs.
- AELDEV-58895: Improved homepage selection based on role-based access checks.
Early Access Program
If you're interested in testing out new features ahead of general availability, consider joining the Early Access Program (EAP) by contacting your Stellar Cyber Customer Success representative and telling them which EAP feature you want to test. Once you've agreed to the EAP terms and signed up, the EAP feature is unlocked for you.
The purpose of this program is to boost performance and reliability through real-world customer insights, giving you a hands-on role in shaping a Stellar Cyber feature. In return, you'll receive early access to upcoming releases and the chance to guide product development.
The following EAP features are in this release:
MCP Server
The Stellar Cyber MCP Server connects supported AI clients to the Stellar Cyber Platform through the Model Context Protocol (MCP). The MCP server lets AI clients retrieve case and alert data, review investigation context, perform tenant-aware operations, and update selected case fields. This capability helps teams extend AI-assisted investigations by giving approved clients structured access to operational security data and workflows.
Parser Studio
Parser Studio lets you create and manage custom log parsers for data ingestion by cloning existing parsers, testing parser behavior before deployment, and activating parsers for production use. This capability helps you accelerate onboarding of custom log sources while reducing parser development effort and improving validation before live ingestion.
XDR Connector Webhook Ingestion
This is a simple webhook framework that lets you post JSON data directly from any external system into Stellar Cyber, accelerating custom integrations and expanding your visibility across the entire security stack. The XDR Connector is in Public Preview in this release.
Customizable Case Correlation Strategies
This EAP feature introduces support for multiple case correlation strategies, allowing teams to evaluate and experiment with different approaches to grouping alerts into cases. Each strategy provides a distinct investigative perspective:
- Attacker-Centric Correlation groups alerts by the source (attacker) host, making it easier to track adversary behavior across multiple targets.
- Victim-Centric Correlation organizes alerts by the destination (victim) host, enabling focused protection and visibility on high-value assets.
- Multi-Entity Correlation links alerts across interconnected hosts and actions to form a single case, offering a holistic view of extended or lateral attack campaigns.
This flexibility enables security teams to tailor investigations based on their operational priorities—whether that’s identifying persistently targeted endpoints, tracing threat actor movements, or capturing full-scale intrusion campaigns.
Alert for Suspicious OCI Tenant-to-Tenant Communication
This EAP feature introduces a new alert type that detects cross-tenancy communications in the Oracle Cloud Infrastructure (OCI). By analyzing tenantId fields in audit logs, the feature identifies requests that target resources in a different tenancy. This provides accurate visibility into potentially unauthorized cross-tenancy activity and strengthens oversight in OCI environments.
To join the Early Access Program and begin testing these features, contact your Stellar Cyber Customer Success representative.
Resolved Issues
The following issues have been resolved in this release.
- AELDEV-70605: Fixed an issue that caused Huntress incident report records to be dropped during ingestion.
- AELDEV-70315: Fixed an issue that caused forwarded Windows events to show the collector as the event source.
- AELDEV-69771: Fixed an issue that made tenant data inaccessible after tenant deletion when no data was selected for purging.
- AELDEV-69389: Corrected an issue that prevented typed tags from being applied in bulk case actions.
- AELDEV-68959: Corrected an issue that prevented the Cases page from loading when opened directly by URL.
- AELDEV-68819: Fixed an issue that left sensors in a broken state when a sensor upgrade failed mid-process.
- AELDEV-68028: Fixed a Linux Server Sensor failure to start on Debian 13 due to a missing LDAP runtime library.
- AELDEV-65965: Fixed an issue that changed the original casing of Sysmon command line fields.
- DATA-3313: Fixed an issue that caused the CEF parser to drop user agent information from Check Point logs.
- DATA-3312: Resolved incorrect quote handling by the Netscaler parser.
Upgrading Sensors
Depending on the type of server sensor, you can upgrade your sensors directly to version 6.5.0 from these previous versions:
- Linux Server Sensors: 6.3.0 or 6.4.0
- Windows Server Sensors: 5.1.0 through 6.4.0
Upgrade the sensors to version 6.5.0 using the following process:
- Prepare for the upgrade.
- Upgrade the sensors.
- Verify the upgrade.
Prepare for the Upgrade
To prepare for the upgrade:
- Make sure the sensors are up and running.
- Take note of the ingestion rate for the sensors to be upgraded in the Sensor Details page.
- Make sure the system health indicators in the Sensor Details page all show green.
Upgrade the Sensors
New features, updated ML algorithms, and enhanced configurations may change ingestion and detection patterns. We recommend the following to ensure a smooth upgrade:
- Upgrade sensors with the Sandbox and IDS features enabled before sensors with only the Network Traffic feature enabled. Sensors with Network Traffic enabled send data to sensors with Sandbox and IDS enabled for additional processing.
- Upgrade sensors in batches instead of all at once.
- For server sensors (agents):
- Upgrade a small set of sensors that cover non-critical assets.
- After 24 hours, ensure that your ingestion is as expected, then upgrade a larger set.
- After 24 hours, ensure that your ingestion is as expected, then upgrade the remaining server sensors.
CentOS 7.1 Prerequisite – Update curl to 7.29.0-59.el7_9.2 or Higher
Before upgrading any Linux Server Sensors running in CentOS 7.1, you must check your curl version and update it to 7.29.0-59.el7_9.2 or higher to use the strong encryption required by the Stellar Cyber Platform.
- Check your curl version as shown below:
  yum list installed curl
  Loaded plugins: fastestmirror
  Loading mirror speeds from cached hostfile
  Installed Packages
  curl.x86_64 7.29.0-19.el7
- If the listed version is lower than 7.29.0-59.el7_9.2 (as it is in the example above), use the following commands to update the curl package:
  yum makecache
  yum install curl
- If installation of the curl package fails, it is most likely because CentOS is trying to use a repo that has reached its end of life. Try updating the base URL and then reinstall curl. The following sed command makes the necessary changes for most environments to ensure that the updated curl package can be installed:
  sudo sed -i.bak -e 's|^mirrorlist=|#mirrorlist=|' -e 's|^#baseurl=http://mirror.centos.org/centos/\$releasever|baseurl=http://archive.kernel.org/centos-vault/7.9.2009|' /etc/yum.repos.d/CentOS-Base.repo
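As an added example (it is not part of this release note and not Stellar Cyber's own tooling), the following POSIX shell script automates the prerequisite check above: it parses the output of yum list installed curl, compares the installed version-release segment by segment against the 7.29.0-59.el7_9.2 minimum, and wraps the update and repository fallback commands from this section in functions that run only when needed. The yum output embedded in it is constructed sample data, and the -y flag on yum install is an assumption for non-interactive use.

```shell
#!/bin/sh
# Added example (not from the Stellar Cyber release note): automate the CentOS 7.1
# curl prerequisite check before a Linux Server Sensor upgrade.

# Minimum curl build the release note requires for strong encryption.
CURL_MIN="7.29.0-59.el7_9.2"

# Constructed sample of `yum list installed curl` output showing an older build;
# the repository column (@base) is made up for the example.
SAMPLE_YUM_OUTPUT='Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Installed Packages
curl.x86_64    7.29.0-19.el7    @base'

# Print the version-release column of the curl package from yum output on stdin.
parse_curl_version() {
  awk '$1 ~ /^curl\./ { print $2; exit }'
}

# Compare two RPM-style version-release strings such as 7.29.0-59.el7_9.2.
# Each run of digits is one segment; separators (".", "-", "_", "el") are skipped,
# so "59.el7_9.2" compares as 59, 7, 9, 2. Prints 1 if $1 >= $2, else 0.
# Simplified on purpose: letters are dropped, unlike full rpmvercmp.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, /[^0-9]+/); m = split(b, y, /[^0-9]+/)
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) { print 1; exit }
      if (xi < yi) { print 0; exit }
    }
    print 1
  }'
}

# True (exit 0) when the curl version in the yum output on stdin is below CURL_MIN.
curl_needs_update() {
  installed=$(parse_curl_version)
  if [ -z "$installed" ]; then
    echo "curl package not found in yum output" >&2
    return 2
  fi
  [ "$(version_ge "$installed" "$CURL_MIN")" = 0 ]
}

# Repoint CentOS-Base.repo at the vault, as the release note's sed command does,
# for hosts whose repos reached end of life. Call only if the install fails.
use_centos_vault_repo() {
  sudo sed -i.bak -e 's|^mirrorlist=|#mirrorlist=|' \
    -e 's|^#baseurl=http://mirror.centos.org/centos/\$releasever|baseurl=http://archive.kernel.org/centos-vault/7.9.2009|' \
    /etc/yum.repos.d/CentOS-Base.repo
}

# Run this on the sensor host; it is not invoked here so the script stays usable
# offline. "-y" makes yum non-interactive (an addition to the note's command).
ensure_curl_minimum() {
  if yum list installed curl | curl_needs_update; then
    yum makecache && yum install -y curl
  else
    echo "curl already at or above $CURL_MIN; no update needed"
  fi
}

# Offline demonstration against the constructed sample.
installed_sample=$(printf '%s\n' "$SAMPLE_YUM_OUTPUT" | parse_curl_version)
if printf '%s\n' "$SAMPLE_YUM_OUTPUT" | curl_needs_update; then
  echo "sample host: curl $installed_sample is below $CURL_MIN, update required"
fi
```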
You can upgrade a sensor to the most recent release from the two previous releases. This means that you can upgrade a sensor to the 6.5.0 release from any 6.3.x or 6.4.x release.
If you are upgrading a Windows Server Sensor, complete any pending updates for the host Windows machine before upgrading the Server Sensor.
To upgrade sensors:
- Select System | DATA SOURCE MANAGEMENT | Sensors | Sensors.
  The Sensor List appears.
- Select Manage | Software Upgrade.
  The Sensor Software Upgrade page appears.
- Choose the target software version.
- Choose the target sensors.
- Select Submit.
Verify the Upgrade
To verify that the upgrade was successful:
- Check the Software Version in the Sensor List.
- Check the Sensor Status LED in the Sensor List.
- Check the ingestion rate in the Sensor Details page for upgraded sensors and make sure it is as expected.