Is your feature request related to a problem? Please describe.
Users currently do not receive a prompt to configure essential server email settings and email distribution lists for alerts and incidents during the initial setup. This lack of guidance can lead to operational delays, as users might only set up these crucial settings once they need to receive alerts or incident reports.

Describe the solution you'd like
I propose adding a specific step in the 'Getting Started' process to configure the server email settings and set up the email distribution list. This step will guide users through entering and validating their server email information and defining recipients for alerts and incidents. It must be intuitive and integrate smoothly with the existing setup flow, ensuring users are ready to receive alerts and incident reports from the start.

Is your feature request related to a problem? Please describe.
These two integrations were available on 9.x but were removed on 10.x. Please bring them back. Te agent already supports them but it is not present as an official integration.

Describe the solution you'd like
Add filter and integration guide to utmstack 10.x

Describe alternatives you've considered
Using filebeat

Describe the bug
There is a typo in license information.

To Reproduce
Steps to reproduce the behavior:

1. Go to 'Seetings->License'
2. See typo in Activation description

Screenshots

Possible solution
Change 'thr' to 'the'.

Describe the bug
Users should not be able to enable MFA without configuring an email server and verifying their email address.

Expected behavior
Users must verify their email address by clicking a verification link or entering a verification code sent by email. After this, they can enable multi-factor authentication (MFA) without risk of being locked out because it is not properly configured or their email address is incorrect.

Environment

• OS: Ubuntu 22.04
• Version v10.1.n

Sometimes when you try to uninstall the linux agent, the UTMStack services are removed but they are not stopped, so logs continue to be sent

Is your feature request related to a problem? Please describe.
There is no dashboard that allows specific and more advanced monitoring of Active Directory events.

Describe the solution you'd like
Crear un modulo de monitoreo de eventos de Active Directory

Describe the bug
When you go to the correlation rules manager view and upload a file/folder the screen stays gray even if the upload was terminated

To Reproduce
Steps to reproduce the behavior:

1. Go to 'Manage correlation rules' from the lateral right menu
2. Try to upload or download a file/folder
3. See the gray screen

Expected behavior
After the upload or download the screen must be white as the begins

Screenshots

Environment

• UTMStack v10 dev

I have installed the linux agent on one of our linux servers and made the config changes so that it would listen on 7006 and set Mikrotik to true. I then pointed the MikroTik syslogs to the IP of the linux agent. The connection shows up under Data Sources but it's showing as generic. Also, when using log explorer, the logs are all under Generic and nothing shows up under MikroTik.

Is your feature request related to a problem? Please describe.
The correlation engine is not aware of rules coming from a folder upload, you have to modify one by one to take efect

Describe the solution you'd like
Correlation takes care of rules from folder uploads

Describe the bug
If you type something like :something: the endpoint call returns 500 Internal error under some conditions, maybe related with the amount of data in the cluster.

To Reproduce
Steps to reproduce the behavior:

1. Go to 'Log explorer' menu
2. Type ':something:' in query search box
3. See error

Screenshots


New image 12-01-2023

Environment

• UTMStack 10.2.0 QA

Possible solution
May be, adding scape character for some special chars as : ; . \ | <>

Describe the bug
If there are multiple instances with the agent service installed and the service is stopped in all instances, only one alert is registered for this event. However, the correct operation should be to log an alert for each instance where the agent service was stopped.

To Reproduce
Steps to reproduce the behavior:

1. Stop the agent service in more than one instance
2. Wait for the alert "UTMStackAgent service has been stopped" to appear.
3. You will see just one alert registered.

Expected behavior
The correct operation should be to log an alert for each instance where the agent service was stopped.

I have installed the windows agent on a few servers and when the alerts come through, for example Windows: Probable Password guessing, the Source Details in the GUI shows my server's hostname and IP and the destination shows the username that was attempted. However, shouldn't the source show the info for the person that was trying to guess the password and the destination show my server info? In the log, under event_data, it has the IpAddress of the person attempting to login. I don't see in the log where it shows the port though, although we know it was RDP since we opened RDP for testing.

Describe the bug
If installing an agent, you detect that the agent manager has already registered one with the same hostname, you have to abort the agent installation, notifying the error.

Is your feature request related to a problem?
Configure the agent modules by editing configuration files and using the cli.

Describe the solution you'd like
Allow configuring agent modules from the UTMStack server user interface

Describe alternatives you've considered
Ansible

Describe the bug
Agent installer doesn't complete the installation

To Reproduce
./utmstack_agent_installer install
panic: runtime error: index out of range [2] with length 2

goroutine 1 [running]:
main.main()
D:/Trabajo_programacion/go/src/github.com/KbaYero/UTMStack/agent/installer/main.go:51 +0xdbf

Expected behavior
Successfully installation

Environment

• OS: Ubuntu 22.04
• Version v10.1.0-202312131645

Describe the bug
Currently SMS configuration is not used by any module

Possible solution
Disable the configuration

Describe the bug
I have enabled "Sophos XG" integration like UTMStack v9 and it doesn't work because I don't see any firewall source.

To Reproduce
I have simply enabled the "Sophos XG" integration and firewall sends udp packet on port 514 to UTMStack.
The setting of Sophos firewall is:
UDP port 514
Daemon
Debug
Legacy mode (because native mode doesn't work on UTMStack)

Environment

• UTMStack 10 is on Ubuntu 22.04
• Sophos Firewall 19.5.3 MR3

Describe the bug
When attempting to associate or create an incident for an individual alert, the action modal fails to close, leading to the possibility of multiple instances of the Create Instance and Add Instance components being opened concurrently

To Reproduce
Steps to reproduce the behavior:

1. Go to Thread Management / Alerts
2. Click on row action Create/Add to incident
3. Click on either of the two options. (Create Incident or Add to incident)
4. One of the two components opens, and the action modal remains open

Expected behavior
It should close the modal that allows creating or associating an incident with an alert.

Screenshots

Describe the bug
Export to CSV button stuck while "Generating..."

To Reproduce
Steps to reproduce the behavior:

1. Go to 'Log Explorer'
2. Add few columns
3. Click on 'Export to CSV'

Screenshots

Environment

• OS: Ubuntu 22.04
• Browser: Chrome
• Version: v10.2.0 Beta

Additional context
QA Environment

Describe the bug
Agents should display the console label indicating that datasource is an agent. However, when clicking on the datasource it does show the agent data and allows commands to be executed.

To Reproduce
Steps to reproduce the behavior:

1. Go to Data Sources
2. Click on an Agent Details

Screenshots

Environment

• Version v10.2.0

Problem:
UTMStack wastes resources by starting containers that are not essential.

Proposed solution:
Start containers only when the integration for which they are used is enabled.

Additional context:
There are containers that are strictly necessary and must continue to be launched regardless of the integration configurations.

GCP User Activity has only one Visualization and the counter cannot be at 0 because there are logs

Improve output when trying to install an agent and the registered hostname already exists

Describe the bug
I have tried to upgrade my installation from previous release but the authentication falied so I have made a fresh installation and the issue doesn't go away.

To Reproduce
Upgrade installation with script v10.1.0-202310301515 or fresh installation of script v10.1.0-202310301515.

Expected behavior
All docker images are up and running and installation is completed without error. When you try to login with admin and password in /root/utmstack.yml, webserver returns authentication failed.

Environment

• OS: Windows 11, Ubuntu 22.04]
• Browser Firefox, Chrome
• Version v.10.1.0

Describe the bug
The sorts in the MANAGE ALERT view filters are not working, when you go to the filters section of the view and change any sort condition, nothing happens

To Reproduce
Steps to reproduce the behavior:

1. Go to 'Threat Management -> Alerts'
2. Click on 'Sort' options from Alert name section
3. See that the table view values and values from the section are the same order as before

Expected behavior
The values of the filters has to change

Screenshots

Environment

• UTMStack v10 QA

Describe the bug

• The UTMStack version label is not being displayed, although the endpoint is correctly returning the information

Screenshots

Environment

• Version v10.2.0

Describe the bug
Because of a mutate bug, when a pipeline has more than one filter, the dataType can end with the value of the default filter's dataType. So, the default filter must check if has a dataType, if not then apply default.

To Reproduce
Steps to reproduce the behavior:

1. Go to 'Data parsing'
2. Click on 'Syslog' pipeline
3. Add a new valid filter

Expected behavior
Final dataType must be the one of the new filter added

Environment

• UTMStack QA

Possible solution
Modify JSON, Syslog and generic filters

Describe the solution you'd like
Please add support to Sophos XG native mode logs.

Describe alternatives you've considered
Using legacy mode. (But it could be removed by Sophos in following versions)

Describe the bug
In the datasources view once you asign a group to a source, you can't remove it

To Reproduce
Steps to reproduce the behavior:

1. Go to 'Data Sources -> Sources' menu
2. Click on the 'Yellow' marked option in the image below
3. Add a new or select existing group to a data source from the list
4. See that you can't remove by the same option, only gets removed if you delete the group

Expected behavior
You can remove the group associated to a specific datasource

Screenshots

Environment

• UTMStack QA

Additional context
Add any other context about the problem here.

Describe the bug
Image uploads are not currently validated for potential XSS attacks, posing a security risk. While we are using Angular 7, which has some mechanisms to control these attacks, there is a need to update to an external library for more robust protection.

Expected behavior
All uploaded images, particularly SVGs and images, should undergo rigorous validation to prevent any possibility of XSS (Cross-Site Scripting) attacks.

Possible solution

• Implement server-side validation to check and sanitize the SVG files being uploaded.
• Use a robust library like DOMPurify in the frontend to sanitize SVG content.
• Employ Content Security Policy (CSP) headers to add an extra layer of protection.
• Regularly audit and update security measures to address new potential threats.

Describe the bug
When trying to associate or create a group for a source, the modal doesn't close, allowing multiple 'New Group' instances to open simultaneously.

To Reproduce
Steps to reproduce the behavior:

Go to Data Sources / Sources
Click on row action Group Source
Click on either of the two options. (Apply or Add to Group)
One of the two components opens, and the action modal remains open

Expected behavior
It should close the modal that allows creating a group for a source.

Screenshots

Describe the bug
Tag name appears as 'undefined' when deleting from the Thread Management.

To Reproduce
Steps to reproduce the behavior:

1. Go to 'Threat Management->Alerts' menu
2. Click on Manage Tag
3. Create a tag and try to delete it

Expected behavior
It should display the following message: Are you sure that you want to delete the tag: [name of the created tag]?

Screenshots
If applicable, add screenshots to help explain your problem.

Describe the bug
The table shows only 5 matches in the index pattern when there are more indexes that match the pattern.

To Reproduce
Steps to reproduce the behavior:

1. Go to 'Log Explorer'
2. Click on '+ Add Source'
3. Input 'log-o365-2023.*'
4. Result only matches 5 indices while there are more.

Screenshots

Environment

• OS: Ubuntu 22.04
• Browser: Chrome
• Version: v10.0.0

Is your feature request related to a problem? Please describe.
Managing snapshots and index rotation via API or CLI is uncomfortable for non-advanced users.

Describe the solution you'd like
There should be an option in the GUI to handle snapshots and index rotation.

Describe alternatives you've considered
Using Cerebro.

Describe the bug
When navigating to the details of an alert and clicking on the Alert History tab, the timeline component does not render correctly.

To Reproduce
Steps to reproduce the behavior:

1. Go to Thread Management / Alerts
2. Click on any alert that contains information in the Alert History tab.
3. See UX error. The vertical line in the component is extending above the date.

Screenshots

Describe the bug
Inside the incident response audit view, if you select an agent to filter for, it filters, but does not appear selected in the list.

To Reproduce
Steps to reproduce the behavior:

1. Go to 'Incidents -> Incident Response Audit' menu
2. Select an agent from the list
3. The table gets filtered, but the drop-down is not showing the value selected

Expected behavior
The selected value to filter is shown as selected in the drop down list.

Screenshots

Environment

• UTMStack v10 QA

Describe the bug
When a new filter definition is added to a pipeline, the "mutate" module duplicates the HTTP input definition in the 000-input.conf file into the container

To Reproduce
Steps to reproduce the behavior:

1. Go to 'Data Processing'
2. Click on 'Sysolg'
3. Add a new valid filter
4. Connect to the instance via ssh
5. Execute bash into the container -> docker exec -it container_id bash
6. Type cd pipelines/syslog
7. Type cat 000-input.conf
8. Check the result

Expected behavior
When creating new filters, no new HTTP input must be generated. It is only one HTTP input definition by pipeline.

Screenshots

Environment

• UTMStack QA

Possible solution
Check the SQL query you are using, maybe is returning one input definition by every filter. You should create one input definition by input in the DB associated with the pipeline itself, not with the filter.

Describe the bug
The error is thrown when parsing the document that represents the alert

To Reproduce
Steps to reproduce the behavior:

1. Start the application in debug mode
2. Wait for the execution of the method com.park.utmstack.service.UtmDataInputStatusService.checkDatasourceDown
3. You will get a JSON parsing exception by the Jackson library

Possible solution
Try to use a Map instead of the object AlertType to build the document to index.

Describe the bug
Update filebrowser image to get the last fixes

Describe the bug
On MANAGE ALERT screen, if you select an alert to create an incident, if the alert already has an incident associated, the "next" button doesn't activate and not say why.

To Reproduce
Steps to reproduce the behavior:

1. Go to 'Threat Management->Alerts' menu
2. Select the checkbox of an alert that already has an incident associated
3. Go to the option 'Report incident-> Create incident'
4. Fill the fields and check the button

Expected behavior
Show a message describing that the alert has an incident already associated and you can't associate another

Screenshots

Environment

• UTMStack Dev

Possible solution
Solution here is add the message to the button status disabled because the alert already has an incident.

Describe the bug
I don't see the data of alert and I don't receive any alert via email but view last log is ok. Sophos XG firewall is ok.

Screenshots

Environment

• OS: Ubuntu 22.04
• Browser Firefox, Chrome
• Version v10.1.0-202311061514

Windows Server 2019, domain controller, UTM Stack Agent
This file is 29.2GB in size
C:\Program Files\UTMStack\UTMStack Agent\logs_process\beats_windows_agent.txt

Describe the bug
The feature to add filters to a pipeline does not work, the message says that the filter was added but it does not create it in the pipeline nor does it appear in the integration's filter list

To Reproduce
Just try to add a filter in IIS integration.

Environment

• OS: Ubuntu 22.04
• Browser: Chrome
• Version: v10

Describe the bug
When you add a filter to an integration data processing, the filter is placed at random position of the filter file in the container, not at the top as expected

To Reproduce
Steps to reproduce the behavior:

1. Go to 'Data processing'
2. Click on 'Azure'
3. Edit the default filter and copy its content
4. Add a new filter and paste the previously copied content
5. Change the dataType to azure-test to see it in the filter file
6. Give a name to the filter and Save

Expected behavior
The new filter must be always at the bottom of the filter file in the pipelines/cloud_azure 111-filter.conf inside Logstash container

Screenshots

Environment

• UTMStack v10

Possible solution
Order de filters using the id in the database, new filters always has bigger ids

Is your feature request related to a problem? Please describe.
Lack of visual elements to show attack elements and their relationships.

Describe the solution you'd like
Create a relationship diagram between related elements in the attack in the form of a tree

Is your feature request related to a problem? Please describe.
There are no automated email reports that summarize important events for a given period.

Describe the solution you'd like
Create a module that allows you to send groups of dashboards as reports recurrently.

This module is responsible for creating a schedule for compliance reports. It involves selecting a compliance report, loading all the filters associated with the dashboard that serves as the template for compliance, generating a cron statement, and saving it. This allows users to create as many schedules as they desire with a specific time configuration and filters.

In the process of saving a schedule for a compliance report, a URL is generated with the filters chosen by the user. This enables, at the time of exporting the report, the application of all filters selected by the user to the exported report.

During the process of saving a schedule for a compliance report, a URL is generated with parameters containing the filters chosen by the user. These filters will be applied at the time of generating the report.

Describe the bug
Can't save mail server settings without providing a username and password. Internal forwarding mail server is restricted by IP and does not use username/password authentication.

Expected behavior
Save mail server settings without requiring user and password

Environment
Ubuntu 22.04
Chrome, Safari
v10.0.0

Describe the solution you'd like
Fix this issue:
https://download.docker.com/linux/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details

Describe alternatives you've considered
Install docker compatible with Ubuntu 22.04 and APT:

1. curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
   2)echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
2. apt update
3. apt upgrade
4. delete old configuration of docker in /etc/apt/source.list.d/
5. delete old apt key of docker: apt-key del 9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88

Describe the bug
When you select an incident and go to its detailed view, you can select an agent but the list remains empty.

To Reproduce
Steps to reproduce the behavior:

1. Go to 'Incidents' menu
2. Click on 'View detail' action of any incident on the table
3. Go to 'Execute command' tab
4. Select an agent, the input remains empty

Expected behavior
The input showing the selected agent

Screenshots

Environment

• UTMStack DEV v10