UTMStack SIEM & SOAR


An overview of the UTMStack threat‑management platform.

What is UTMStack?

UTMStack is an open‑source Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) platform. It combines threat intelligence, remote command execution on managed endpoints, and real‑time correlation of ingested logs. UTMStack is a versatile and capable tool for any home‑lab enthusiast looking for a security solution: it supports a wide array of log sources and integrates easily with third‑party applications. Oh, did I mention it’s free and open source? So what exactly do we get with UTMStack?

Broad list of capabilities

Functionality

UTMStack has a lot of features for students learning about SIEM and SOAR platforms, or for home‑lab enthusiasts. In my journey of trying to emulate enterprise capabilities, UTMStack has certainly offered comparable functionality. Though platforms like Wazuh exist, I find Wazuh less conducive to security detection and response research. Granted, Wazuh’s log correlation is more developed, but I think UTMStack covers a wider range of use cases and provides functions that allow for more creativity in security research. Let’s look at some example use cases:

XDR

UTMStack boasts a fairly feature‑rich XDR platform, with a full alert management suite that lets you create cases and track multiple detections as one unified incident. These detections

Alongside this, we can either define our own incident response commands or use the provided ones, which are built to isolate and contain detected incidents. For instance, in the image below you can see an example execution of a network isolation command and the subsequent release. The initial execution was triggered by a self‑created SOAR workflow that isolates any host with a detection. While such a workflow may not be ideal for a production environment (a single false positive would knock a host off the network), it is a good learning exercise for automating response actions.

This provides a great framework for students and new professionals looking to become familiar with the tools and to put incident response processes into practice. The functionality can be expanded and customized in some depth to fit your learning objectives, but endpoint detection and response is only where UTMStack starts to shine.

Identity Platform

Perhaps the biggest perk I give UTMStack over Wazuh is in the identity detection and correlation arena, especially at a time when identity‑based attacks of all kinds are rising as a primary form of initial access. In UTMStack, user‑account events on a given endpoint can be reviewed against a list of behaviours or account events that warrant investigation. This pairs nicely with the incident response/XDR capabilities, giving us another piece of the picture while we triage detections.

This may be especially valuable to learners, as many university programs and entry‑level concept courses somewhat skim over the important methods of investigating user identities, in my experience.

Correlation Rules

None of this would be possible without UTMStack’s detection engine, which is quite powerful. Correlating events in real time, for free, in a home lab hasn’t been this easy in some time. Huge shout‑out to the UTMStack team for shipping over 158,000 rules for users from the get‑go. The engine uses heuristic and rule‑based detection to identify activity, though some features require external subscriptions; for example, the SOC AI requires a ChatGPT API key. Still, there is plenty to play with as a security test bed. I may explore writing custom correlation rules in another post, but for now, below is their correlation rule library.

Correlation Rule GitHub Repo
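To make concrete what “correlating events in real time” means for the identity use case described above, here is a small added example; it is not UTMStack’s rule format or code, and it is not from the original post. It implements one classic identity correlation rule, a burst of failed logons for the same user and source followed by a success inside a short window, as a stateful rule fed one event at a time. The event field names, the threshold, the window, and the sample logon records are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logon events for illustration only. These are not real
# UTMStack records; the field names (ts, host, user, src, event) are assumptions.
SAMPLE_EVENTS = [
    # alice: five failures inside one minute, then a success -> should alert
    {"ts": "2024-03-01T10:00:00", "host": "ws01", "user": "alice", "src": "10.0.0.5", "event": "logon_failed"},
    {"ts": "2024-03-01T10:00:10", "host": "ws01", "user": "alice", "src": "10.0.0.5", "event": "logon_failed"},
    {"ts": "2024-03-01T10:00:20", "host": "ws01", "user": "alice", "src": "10.0.0.5", "event": "logon_failed"},
    {"ts": "2024-03-01T10:00:30", "host": "ws01", "user": "alice", "src": "10.0.0.5", "event": "logon_failed"},
    {"ts": "2024-03-01T10:00:40", "host": "ws01", "user": "alice", "src": "10.0.0.5", "event": "logon_failed"},
    {"ts": "2024-03-01T10:00:55", "host": "ws01", "user": "alice", "src": "10.0.0.5", "event": "logon_success"},
    # bob: five failures spread over forty minutes, then a success -> outside the window, no alert
    {"ts": "2024-03-01T11:00:00", "host": "ws02", "user": "bob", "src": "10.0.0.9", "event": "logon_failed"},
    {"ts": "2024-03-01T11:10:00", "host": "ws02", "user": "bob", "src": "10.0.0.9", "event": "logon_failed"},
    {"ts": "2024-03-01T11:20:00", "host": "ws02", "user": "bob", "src": "10.0.0.9", "event": "logon_failed"},
    {"ts": "2024-03-01T11:30:00", "host": "ws02", "user": "bob", "src": "10.0.0.9", "event": "logon_failed"},
    {"ts": "2024-03-01T11:40:00", "host": "ws02", "user": "bob", "src": "10.0.0.9", "event": "logon_failed"},
    {"ts": "2024-03-01T11:40:30", "host": "ws02", "user": "bob", "src": "10.0.0.9", "event": "logon_success"},
    # carol: two typos then a success -> below threshold, no alert
    {"ts": "2024-03-01T12:00:00", "host": "ws03", "user": "carol", "src": "10.0.0.7", "event": "logon_failed"},
    {"ts": "2024-03-01T12:00:05", "host": "ws03", "user": "carol", "src": "10.0.0.7", "event": "logon_failed"},
    {"ts": "2024-03-01T12:00:12", "host": "ws03", "user": "carol", "src": "10.0.0.7", "event": "logon_success"},
]


class BruteForceThenSuccess:
    """Stateful correlation rule (hypothetical, not a UTMStack rule).

    Fires when at least `threshold` failed logons for the same (user, src) pair
    fall inside `window` and are followed, still inside the window, by a
    successful logon from that pair.
    """

    def __init__(self, threshold=5, window=timedelta(minutes=2)):
        self.threshold = threshold
        self.window = window
        # (user, src) -> deque of failure timestamps, oldest first
        self._failures = defaultdict(deque)

    def process(self, ev):
        """Consume one event; return an alert dict if the rule fires, else None."""
        key = (ev["user"], ev["src"])
        now = datetime.fromisoformat(ev["ts"])
        q = self._failures[key]

        # Slide the window: forget failures older than `window` relative to this event.
        while q and now - q[0] > self.window:
            q.popleft()

        if ev["event"] == "logon_failed":
            q.append(now)
            return None

        if ev["event"] == "logon_success" and len(q) >= self.threshold:
            alert = {
                "rule": "brute_force_then_success",
                "user": ev["user"],
                "src": ev["src"],
                "host": ev["host"],
                "failed_attempts": len(q),
                "first_failure": q[0].isoformat(),
                "success_at": now.isoformat(),
            }
            q.clear()  # do not re-alert on the same burst
            return alert

        return None


def run_rules(events, rules):
    """Replay events in timestamp order through every rule; return the alerts raised."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in rules:
            alert = rule.process(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS, [BruteForceThenSuccess()]):
        print(a)
```

Only alice’s burst produces an alert: bob’s five failures are real, but the sliding window discards the old ones before his success arrives, and carol never reaches the threshold. An alert like this is exactly the kind of detection the SOAR workflow described earlier would act on, so the window and threshold deserve tuning before any automated isolation hangs off them.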

Should you use it?

UTMStack may not be for everyone, and that’s okay. However, if you have a spare computer on hand or some free resources for a virtual machine, UTMStack is definitely worth the time. UTMStack enabled me to dive headlong into attack life cycle research in my own home lab and gain experience with the security engineering side of things. If you want some hands‑on time before you dive in, check out their cloud‑hosted demo, which is free to use!

If you’re using something else or have a cool Wazuh configuration, drop me an email & let me know!

‑SlowLoris