Merge branch 'release/v11.2.3' of https://github.com/utmstack/UTMStack into release/v11.2.3

osmontero · osmontero · commit 33a0c516e745 · 2026-02-10T13:55:37.000Z
diff --git a/backend/src/main/resources/config/liquibase/changelog/20260209024_update_filter_utmstack.xml b/backend/src/main/resources/config/liquibase/changelog/20260209024_update_filter_utmstack.xml
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="utf-8"?>
+<databaseChangeLog
+    xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.5.xsd">
+
+    <changeSet id="20260209024" author="JocLRojas">
+
+        <sql dbms="postgresql" splitStatements="true" stripComments="true">
+            <![CDATA[
+
+            UPDATE public.utm_logstash_filter
+            SET filter_version='3.0.5',
+                updated_at=now(),
+            logstash_filter=$$ # UTMStack filter, version 1.0.1
+
+pipeline:
+  - dataTypes:
+      - utmstack
+    steps:
+      # Only parse as JSON if it contains the standard schema with "msg": and "args":
+                - json:
+                source: raw
+            where: 'contains("raw", "\"msg\":") && contains("raw", "\"args\":")'
+
+                # If it doesn't have the standard schema, just store the content in log.message using grok
+      - grok:
+          source: raw
+          patterns:
+            - fieldName: log.message
+              pattern: '{{.greedy}}'
+          where: '!contains("raw", "\"msg\":") || !contains("raw", "\"args\":")' $$
+	WHERE id=1531;
+            ]]>
+        </sql>
+    </changeSet>
+</databaseChangeLog>
diff --git a/backend/src/main/resources/config/liquibase/data/20260209/utm_correlation_rules.sql b/backend/src/main/resources/config/liquibase/data/20260209/utm_correlation_rules.sql
@@ -11530,7 +11530,6 @@ Next Steps:
   )
 )
 ', '2026-02-09 16:55:35.727202', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');
-insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (665, 'Windows: Control Panel Process with Unusual Arguments', 1, 3, 1, 'Defense Evasion', 'T1218.002 - System Binary Proxy Execution: Control Panel Items', 'Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.', '["https://attack.mitre.org/tactics/TA0005/","https://attack.mitre.org/techniques/T1218/002/"]', 'regexMatch("log.winlogEventDataProcessName", "(:\Windows\SysWOW64\control.exe|:\Windows\System32\control.exe)") && regexMatch("log.message", "(.jpg|.png|.gif|.bmp|.jpeg|.TIFF|.inf|.cpl:(.+)/|../../..|/AppData/Local/|:\Users\Public\|\AppData\Local\)")', '2026-02-09 16:57:24.456810', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
 insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (629, 'Suspicious Service Installation Detection', 3, 3, 2, 'Persistence', 'T1543.003 - Create or Modify System Process: Windows Service', 'Detects installation of suspicious Windows services matching patterns from Cobalt Strike, Metasploit,
 Impacket PSExec, and Meterpreter payloads. Attackers commonly install malicious services for persistence,
 privilege escalation (getsystem), and lateral movement. The rule monitors Event ID 4697 for service
diff --git a/backend/src/main/resources/config/liquibase/data/20260209/utm_group_rules_data_type.sql b/backend/src/main/resources/config/liquibase/data/20260209/utm_group_rules_data_type.sql
@@ -674,7 +674,6 @@ insert into public.utm_group_rules_data_type (rule_id, data_type_id, last_update
 insert into public.utm_group_rules_data_type (rule_id, data_type_id, last_update) values (662, 1, null);
 insert into public.utm_group_rules_data_type (rule_id, data_type_id, last_update) values (663, 1, null);
 insert into public.utm_group_rules_data_type (rule_id, data_type_id, last_update) values (664, 1, null);
-insert into public.utm_group_rules_data_type (rule_id, data_type_id, last_update) values (665, 1, null);
 insert into public.utm_group_rules_data_type (rule_id, data_type_id, last_update) values (666, 1, null);
 insert into public.utm_group_rules_data_type (rule_id, data_type_id, last_update) values (667, 1, null);
 insert into public.utm_group_rules_data_type (rule_id, data_type_id, last_update) values (668, 1, null);
diff --git a/backend/src/main/resources/config/liquibase/master.xml b/backend/src/main/resources/config/liquibase/master.xml
@@ -385,6 +385,8 @@
 
     <include file="/config/liquibase/changelog/20260209023_update_system_owner_correlation_rules.xml" relativeToChangelogFile="false"/>
 
+    <include file="/config/liquibase/changelog/20260209024_update_filter_utmstack.xml" relativeToChangelogFile="false"/>
+
 
 
 </databaseChangeLog>

Original file line number	Diff line number	Diff line change
`@@ -11530,7 +11530,6 @@ Next Steps:`
`11530`	`11530`	`)`
`11531`	`11531`	`)`
`11532`	`11532`	`', '2026-02-09 16:55:35.727202', true, false, 'origin', null, '[]', '["adversary.host","adversary.user"]');`
`11533`		-insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (665, 'Windows: Control Panel Process with Unusual Arguments', 1, 3, 1, 'Defense Evasion', 'T1218.002 - System Binary Proxy Execution: Control Panel Items', 'Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.', '["https://attack.mitre.org/tactics/TA0005/","https://attack.mitre.org/techniques/T1218/002/"]', 'regexMatch("log.winlogEventDataProcessName", "(:\Windows\SysWOW64\control.exe\|:\Windows\System32\control.exe)") && regexMatch("log.message", "(.jpg\|.png\|.gif\|.bmp\|.jpeg\|.TIFF\|.inf\|.cpl:(.+)/\|../../..\|/AppData/Local/\|:\Users\Public\\|\AppData\Local\)")', '2026-02-09 16:57:24.456810', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
`11534`	`11533`	insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (629, 'Suspicious Service Installation Detection', 3, 3, 2, 'Persistence', 'T1543.003 - Create or Modify System Process: Windows Service', 'Detects installation of suspicious Windows services matching patterns from Cobalt Strike, Metasploit,
`11535`	`11534`	`Impacket PSExec, and Meterpreter payloads. Attackers commonly install malicious services for persistence,`
`11536`	`11535`	`privilege escalation (getsystem), and lateral movement. The rule monitors Event ID 4697 for service`