From 6a203563b5f8c12504d8d2965e5e62d87c2645b3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alayn=20Sanchez=20Nu=C3=B1ez?= Date: Tue, 6 Feb 2024 15:36:42 -0300 Subject: [PATCH] Add dataTypes in examples --- Correlation Rules/README.md | 1 + _site/Installation/FederationServiceInstallation.html | 2 +- _site/assets/js/search-data.json | 6 +++--- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/Correlation Rules/README.md b/Correlation Rules/README.md index 0c49286..7240104 100644 --- a/Correlation Rules/README.md +++ b/Correlation Rules/README.md @@ -339,6 +339,7 @@ We recommend using search when the analysis period exceeds 1h or the rule's comp solution: Refer to NIST guidelines when creating password policies and set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out. category: User Account Authentication tactic: "Brute Force: Password Guessing" + dataTypes: ["wineventlog"] reference: - "https://attack.mitre.org/techniques/T1110/001/" frequency: 10 diff --git a/_site/Installation/FederationServiceInstallation.html b/_site/Installation/FederationServiceInstallation.html index 4ac297e..55b1a69 100644 --- a/_site/Installation/FederationServiceInstallation.html +++ b/_site/Installation/FederationServiceInstallation.html @@ -1,6 +1,6 @@ Federation Service Installation | Documentation Skip to main content Link Menu Expand (external link) Document Search Copy Copied
Documentation
This site uses Just the Docs, a documentation theme for Jekyll.

UTMStack Federation Service Installation Guide

Welcome to the installation page for the Federated Master Deployment of UTMStack! If you’re an MSP (Managed Service Provider) with the mission of managing multiple instances of UTMStack across various customer networks, you’re in the right place. Our federated master deployment model is meticulously designed to provide a streamlined management experience, presenting a holistic view of activities across multiple clients and organizations.

This guide will walk you through the process of installing the UTMStack Federation Service (UTMStackFS) on an Ubuntu 20.04 LTS system. Please follow the steps below to ensure a successful installation.

For more details contact Customer Service.

Preparing for Installation

  1. Update the package list on your system:
sudo apt update
  1. Install the necessary dependencies, including wget and net-tools:
sudo apt install wget net-tools
-
  1. Download the latest version of the UTMStackFS installer from the official GitHub repository. You can use the following command to retrieve the installer:
wget https://github.com/AtlasInsideCorp/UTMStackFSInstaller/releases/latest/download/UTMStackFSInstaller.zip
+
  1. Download the latest version of the UTMStackFS installer from the official GitHub repository. You can use the following command to retrieve the installer:
wget https://github.com/utmstack/UTMStackFSInstaller/releases/download/v10.0.0/UTMStackFSInstaller.zip
  1. Unzip the installer package using the following command. If you don’t have the unzip tool installed, you can do so by running sudo apt-get install zip unzip:
unzip UTMStackFSInstaller*.zip
  1. Set execution permissions for the installer script:
cd UTMStackFSInstaller
 sudo chmod +x utm_fs_installer.sh
diff --git a/_site/assets/js/search-data.json b/_site/assets/js/search-data.json
index 166799b..a3e8603 100644
--- a/_site/assets/js/search-data.json
+++ b/_site/assets/js/search-data.json
@@ -295,7 +295,7 @@
   },"42": {
     "doc": "Federation Service Installation",
     "title": "Preparing for Installation",
-    "content": ". | Update the package list on your system: | . sudo apt update . | Install the necessary dependencies, including wget and net-tools: | . sudo apt install wget net-tools . | Download the latest version of the UTMStackFS installer from the official GitHub repository. You can use the following command to retrieve the installer: | . wget https://github.com/AtlasInsideCorp/UTMStackFSInstaller/releases/latest/download/UTMStackFSInstaller.zip . | Unzip the installer package using the following command. If you don’t have the unzip tool installed, you can do so by running sudo apt-get install zip unzip: | . unzip UTMStackFSInstaller*.zip . | Set execution permissions for the installer script: | . cd UTMStackFSInstaller sudo chmod +x utm_fs_installer.sh . ",
+    "content": ". | Update the package list on your system: | . sudo apt update . | Install the necessary dependencies, including wget and net-tools: | . sudo apt install wget net-tools . | Download the latest version of the UTMStackFS installer from the official GitHub repository. You can use the following command to retrieve the installer: | . wget https://github.com/utmstack/UTMStackFSInstaller/releases/download/v10.0.0/UTMStackFSInstaller.zip . | Unzip the installer package using the following command. If you don’t have the unzip tool installed, you can do so by running sudo apt-get install zip unzip: | . unzip UTMStackFSInstaller*.zip . | Set execution permissions for the installer script: | . cd UTMStackFSInstaller sudo chmod +x utm_fs_installer.sh . ",
     "url": "/Installation/FederationServiceInstallation.html#preparing-for-installation",
     
     "relUrl": "/Installation/FederationServiceInstallation.html#preparing-for-installation"
@@ -1142,7 +1142,7 @@
   },"163": {
     "doc": "Correlation Rules",
     "title": "Fields Reference",
-    "content": "name . This is the name that we will use for the alerts of the current rule. severity . The severity of the alerts for this rule. Use the majuscule initial. Possible values: Low, Medium, High. description . The description that will appear in the alerts. solution . If there is a known solution for this incident, specify here. category . If there is any category in which the alert can be grouped. tactic . If there is an incident detected by this rule fits into any of the attack tactics. dataTypes . Group of datatypes applied to a rule, means that only the logs with dataType field matching with at least one of these values will be processed by this rule. This field is an array of string values, so, you can place more than one value separated by comma. Reference . A list of URLs where you can get more information about the attack. frequency . How often in seconds the alert should be checked. cache . This field declares that the iterations will occur on the cache of the correlation engine and contains the definition of said iterations. When this field is used, the search field is not used and vice versa. cache -> allOff . All comparisons within this field must be met for the rule to generate an alert. cache -> oneOff . Any comparison within this field must be met for the rule to generate an alert. | **cache -> [allOff | oneOff] -> field** | . The field on which the comparison will be applied. A field is a series of keys separated by dots. It can contain special wildcard characters ‘*’ and ‘?’. To access a slice value, use the index as the key. To get the number of elements in a slice or to access a child path, use the ‘#’ character. Dot and wildcard characters can be escaped with ‘\\’. You can also query a slice for the first match using # (…), or find all matches with # (…) #. You can use the comparison operators (==,!=, <, <=,>,>=) and the simple pattern matching operators (% and !%). | This description also applies to [cache | search] -> save -> field | . { \"name\": {\"first\": \"Tom\", \"last\": \"Anderson\"}, \"age\":37, \"children\": [\"Sara\",\"Alex\",\"Jack\"], \"fav.movie\": \"Deer Hunter\", \"friends\": [ {\"first\": \"Dale\", \"last\": \"Murphy\", \"age\": 44, \"nets\": [\"ig\", \"fb\", \"tw\"]}, {\"first\": \"Roger\", \"last\": \"Craig\", \"age\": 68, \"nets\": [\"fb\", \"tw\"]}, {\"first\": \"Jane\", \"last\": \"Murphy\", \"age\": 47, \"nets\": [\"ig\", \"tw\"]} ] } \"name.last\" >> \"Anderson\" \"age\" >> 37 \"children\" >> [\"Sara\",\"Alex\",\"Jack\"] \"children.#\" >> 3 \"children.1\" >> \"Alex\" \"child*.2\" >> \"Jack\" \"c?ildren.0\" >> \"Sara\" \"fav\\.movie\" >> \"Deer Hunter\" \"friends.#.first\" >> [\"Dale\",\"Roger\",\"Jane\"] \"friends.1.last\" >> \"Craig\" \"friends.#(last==\"Murphy\").first\" >> \"Dale\" \"friends.#(last==\"Murphy\")#.first\" >> [\"Dale\",\"Jane\"] \"friends.#(age>45)#.last\" >> [\"Craig\",\"Murphy\"] \"friends.#(first%\"D*\").last\" >> \"Murphy\" \"friends.#(first!%\"D*\").last\" >> \"Craig\" \"friends.#(nets.#(==\"fb\"))#.first\" >> [\"Dale\",\"Roger\"] . | **cache -> [allOff | oneOff] -> operator** | . Operator to use in the comparison. See information about the operators in Operators . | **cache -> [allOff | oneOff] -> value** | . | Value to compare the content of “cache -> [allOff | oneOff] -> field”. In the second iteration case or onwards, you can use an alias to use the content of that alias as a value. | . cache -> timeLapse . How much time backward in seconds will be checked in the logs. | **[cache | search] -> minCount** | . How many minimum logs must be obtained as a result for this rule to be met. | **[cache | search] -> save** | . Required fields to save to use in the next cycle iteration or to complete the information of the alerts. | **[cache | search] -> save -> field** | . The original name of the field to store. | **[cache | search] -> save -> alias** | . The alias or name to access the field. There cannot be two or more aliases with the same name within the same iteration. In the last iteration, the system will use the following aliases to fill in the alert details: . | Protocol | SourceUser | SourceHost | SourceIP | SourcePort | DestinationUser | DestinationHost | DestinationIP | DestinationPort | . The geolocation will be filled automatically from the SourceIP and DestinationIP aliases. If the SourceIP or DestinationIP aliases do not exist, the system will generate them using SourceHost and DestinationHost, and vice versa. If any field is saved with the aliases AlertName and AlertCategory in the last iteration, the alert name or category will be overwritten with those aliases’ content as appropriate. search . This field declares that the iterations will occur on Elasticsearch and contains the said iterations definition. When this field is used, the cache field is not used, and vice versa. search -> query . The elasticsearch or opensearch query in json format. Remember to enclose the query in simple quotation marks. Operators . == . It’s true if the field’s content is exactly equal to “value” content. It is sensitive to capital letters. | hello == Hello //False | hello == hello //True | . :: . It’s true if the field’s content is equal to “value” content. It is not sensitive to capital letters. | hello :: Hello //True | hello :: hello //True | . != y <> . It’s true if the field’s content is unequal to “value” content. It is sensitive to capital letters. | hello != Hello //True | hello != hello //False | . !! . It’s true if the field’s content is unequal to “value” content. It is not sensitive to capital letters. | hello !! Hello //False | hello !! hello //False | . contains . It’s true if the “value” content is part of the field content. | “hello world” contains “world” //True | “hello world” contains “worlds” //False | . not contain . It’s true if the “value” content is not part of the field content. | ” hello world “ not contain “ world “ //False | ” hello world “ not contain “ worlds” //True | . in . It’s true if the field content is part of the “value” content. | ” world “ in “hello, world, this, is, a, test” //True | ” worlds” in “hello, world, this, is, a, test” //False | . not in . It’s true if the field content is not part of the “value” content. | ” world” not in “hello, world, this, is, a, test “ //False | ” worlds” not in “hello, world, this, is, a, test “ //True | . start with . It’s true if the “value” content is a prefix of the field content. | ” hello world “ start with “ world “ //False | ” hello world “ start with “hello” //True | . not start with . It’s true if the “value” content is not a prefix of the field content. | ” hello world “ not start with “ world “ //True | ” hello world “ not start with “ hello “ //False | . end with . It’s true if the “value” content is a suffix of the field content. | ” hello world “ end with “ world “ //True | ” hello world “ end with “hello” //False | . not end with . It’s true if the “value” content is not a suffix of the field content. | ” hello world “ not end with “ world “ //False | ” hello world “ not end with “ hello “ //True | . regexp . It’s true if the field content matches the regular expression of “value”. | “adam[23]” regexp “^[a-z]+\\[[0-9]+\\]$” //True | ” hello world “ regexp “^[a-z]+\\[[0-9]+\\]$” //False | . not regexp . It’s true if the field content does not match the regular expression of “value”. | “adam[23]” not regexp “^[a-z]+\\[[0-9]+\\]$” //False | ” hello world “ not regexp “^[a-z]+\\[[0-9]+\\]$” //True | . exist . It’s true if the field exists. The value must leave empty, as it must exist, but it will not be used. not exist . It’s true if the field does not exist. The value must leave empty, as it must exist, but it will not be used. in cidr . It’s true if the IP in the field is within the value range. not in cidr . It’s true if the IP in the field is not within the value range. Classic mathematical operators that only apply to numbers. Use only when the field content and the “value” are numeric. | < | > | <= | >= | . When to use cache or search . We recommend using the cache for the rules that will analyze logs in a maximum of 1h. We recommend using search when the analysis period exceeds 1h or the rule’s complexity is very high, and there is no way to do it using the cache. Examples . - name: Windows authentication failure severity: Low description: A Windows user was unable to authenticate with the server or workstation more than 5 times. solution: Refer to NIST guidelines when creating password policies and set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out. category: User Account Authentication tactic: \"Brute Force: Password Guessing\" dataTypes: [\"wineventlog\"] reference: - \"https://attack.mitre.org/techniques/T1110/001/\" frequency: 10 cache: - allOf: - field: logx.wineventlog.event_id operator: \"==\" value: 4625 minCount: 1 timeLapse: 15 save: - field: logx.wineventlog.event_data.TargetUserName alias: DestinationUser - field: logx.wineventlog.host.name alias: DestinationHost - allOf: - field: logx.wineventlog.event_id operator: \"==\" value: 4625 - field: logx.wineventlog.event_data.TargetUserName operator: \"==\" value: \"\" - field: logx.wineventlog.host.name operator: \"==\" value: \"\" minCount: 5 timeLapse: 60 save: - field: logx.wineventlog.event_data.TargetUserName alias: DestinationUser - field: logx.wineventlog.host.name alias: DestinationHost - field: logx.wineventlog.event_data.WorkstationName alias: SourceHost - field: logx.wineventlog.event_data.IpAddress alias: SourceIP . - name: Windows authentication failure severity: Low description: A Windows user was unable to authenticate with the server or workstation more than 5 times. solution: Refer to NIST guidelines when creating password policies and set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out. category: User Account Authentication tactic: \"Brute Force: Password Guessing\" reference: - \"https://attack.mitre.org/techniques/T1110/001/\" frequency: 10 search: - query: '{\"size\": 500, \"query\": {\"bool\": {\"must\": [{\"match_phrase\": {\"logx.wineventlog.event_id\": 4625}}], \"filter\": [{\"range\": {\"@timestamp\": {\"gte\": \"now-15s\", \"lte\": \"now\"}}}], \"should\": [], \"must_not\": []}}}' minCount: 1 save: - field: logx.wineventlog.event_data.TargetUserName alias: DestinationUser - field: logx.wineventlog.host.name alias: DestinationHost - query: '{\"size\": 500, \"query\": {\"bool\": {\"must\": [{\"match_phrase\": {\"logx.wineventlog.event_id\": 4625}}, {\"match_phrase\": {\"logx.wineventlog.event_data.TargetUserName\": \"\"}}], \"filter\": [{\"range\": {\"@timestamp\": {\"gte\": \"now-60s\", \"lte\": \"now\"}}}], \"should\": [], \"must_not\": [{\"match_phrase\": {\"logx.wineventlog.event_data.TargetUserName\": \"$\"}}]}}}' minCount: 5 save: - field: logx.wineventlog.event_data.TargetUserName alias: DestinationUser - field: logx.wineventlog.host.name alias: DestinationHost - field: logx.wineventlog.event_data.WorkstationName alias: SourceHost - field: logx.wineventlog.event_data.IpAddress alias: SourceIP . ",
+    "content": "name . This is the name that we will use for the alerts of the current rule. severity . The severity of the alerts for this rule. Use the majuscule initial. Possible values: Low, Medium, High. description . The description that will appear in the alerts. solution . If there is a known solution for this incident, specify here. category . If there is any category in which the alert can be grouped. tactic . If there is an incident detected by this rule fits into any of the attack tactics. dataTypes . Group of datatypes applied to a rule, means that only the logs with dataType field matching with at least one of these values will be processed by this rule. This field is an array of string values, so, you can place more than one value separated by comma. Reference . A list of URLs where you can get more information about the attack. frequency . How often in seconds the alert should be checked. cache . This field declares that the iterations will occur on the cache of the correlation engine and contains the definition of said iterations. When this field is used, the search field is not used and vice versa. cache -> allOff . All comparisons within this field must be met for the rule to generate an alert. cache -> oneOff . Any comparison within this field must be met for the rule to generate an alert. | **cache -> [allOff | oneOff] -> field** | . The field on which the comparison will be applied. A field is a series of keys separated by dots. It can contain special wildcard characters ‘*’ and ‘?’. To access a slice value, use the index as the key. To get the number of elements in a slice or to access a child path, use the ‘#’ character. Dot and wildcard characters can be escaped with ‘\\’. You can also query a slice for the first match using # (…), or find all matches with # (…) #. You can use the comparison operators (==,!=, <, <=,>,>=) and the simple pattern matching operators (% and !%). | This description also applies to [cache | search] -> save -> field | . { \"name\": {\"first\": \"Tom\", \"last\": \"Anderson\"}, \"age\":37, \"children\": [\"Sara\",\"Alex\",\"Jack\"], \"fav.movie\": \"Deer Hunter\", \"friends\": [ {\"first\": \"Dale\", \"last\": \"Murphy\", \"age\": 44, \"nets\": [\"ig\", \"fb\", \"tw\"]}, {\"first\": \"Roger\", \"last\": \"Craig\", \"age\": 68, \"nets\": [\"fb\", \"tw\"]}, {\"first\": \"Jane\", \"last\": \"Murphy\", \"age\": 47, \"nets\": [\"ig\", \"tw\"]} ] } \"name.last\" >> \"Anderson\" \"age\" >> 37 \"children\" >> [\"Sara\",\"Alex\",\"Jack\"] \"children.#\" >> 3 \"children.1\" >> \"Alex\" \"child*.2\" >> \"Jack\" \"c?ildren.0\" >> \"Sara\" \"fav\\.movie\" >> \"Deer Hunter\" \"friends.#.first\" >> [\"Dale\",\"Roger\",\"Jane\"] \"friends.1.last\" >> \"Craig\" \"friends.#(last==\"Murphy\").first\" >> \"Dale\" \"friends.#(last==\"Murphy\")#.first\" >> [\"Dale\",\"Jane\"] \"friends.#(age>45)#.last\" >> [\"Craig\",\"Murphy\"] \"friends.#(first%\"D*\").last\" >> \"Murphy\" \"friends.#(first!%\"D*\").last\" >> \"Craig\" \"friends.#(nets.#(==\"fb\"))#.first\" >> [\"Dale\",\"Roger\"] . | **cache -> [allOff | oneOff] -> operator** | . Operator to use in the comparison. See information about the operators in Operators . | **cache -> [allOff | oneOff] -> value** | . | Value to compare the content of “cache -> [allOff | oneOff] -> field”. In the second iteration case or onwards, you can use an alias to use the content of that alias as a value. | . cache -> timeLapse . How much time backward in seconds will be checked in the logs. | **[cache | search] -> minCount** | . How many minimum logs must be obtained as a result for this rule to be met. | **[cache | search] -> save** | . Required fields to save to use in the next cycle iteration or to complete the information of the alerts. | **[cache | search] -> save -> field** | . The original name of the field to store. | **[cache | search] -> save -> alias** | . The alias or name to access the field. There cannot be two or more aliases with the same name within the same iteration. In the last iteration, the system will use the following aliases to fill in the alert details: . | Protocol | SourceUser | SourceHost | SourceIP | SourcePort | DestinationUser | DestinationHost | DestinationIP | DestinationPort | . The geolocation will be filled automatically from the SourceIP and DestinationIP aliases. If the SourceIP or DestinationIP aliases do not exist, the system will generate them using SourceHost and DestinationHost, and vice versa. If any field is saved with the aliases AlertName and AlertCategory in the last iteration, the alert name or category will be overwritten with those aliases’ content as appropriate. search . This field declares that the iterations will occur on Elasticsearch and contains the said iterations definition. When this field is used, the cache field is not used, and vice versa. search -> query . The elasticsearch or opensearch query in json format. Remember to enclose the query in simple quotation marks. Operators . == . It’s true if the field’s content is exactly equal to “value” content. It is sensitive to capital letters. | hello == Hello //False | hello == hello //True | . :: . It’s true if the field’s content is equal to “value” content. It is not sensitive to capital letters. | hello :: Hello //True | hello :: hello //True | . != y <> . It’s true if the field’s content is unequal to “value” content. It is sensitive to capital letters. | hello != Hello //True | hello != hello //False | . !! . It’s true if the field’s content is unequal to “value” content. It is not sensitive to capital letters. | hello !! Hello //False | hello !! hello //False | . contains . It’s true if the “value” content is part of the field content. | “hello world” contains “world” //True | “hello world” contains “worlds” //False | . not contain . It’s true if the “value” content is not part of the field content. | ” hello world “ not contain “ world “ //False | ” hello world “ not contain “ worlds” //True | . in . It’s true if the field content is part of the “value” content. | ” world “ in “hello, world, this, is, a, test” //True | ” worlds” in “hello, world, this, is, a, test” //False | . not in . It’s true if the field content is not part of the “value” content. | ” world” not in “hello, world, this, is, a, test “ //False | ” worlds” not in “hello, world, this, is, a, test “ //True | . start with . It’s true if the “value” content is a prefix of the field content. | ” hello world “ start with “ world “ //False | ” hello world “ start with “hello” //True | . not start with . It’s true if the “value” content is not a prefix of the field content. | ” hello world “ not start with “ world “ //True | ” hello world “ not start with “ hello “ //False | . end with . It’s true if the “value” content is a suffix of the field content. | ” hello world “ end with “ world “ //True | ” hello world “ end with “hello” //False | . not end with . It’s true if the “value” content is not a suffix of the field content. | ” hello world “ not end with “ world “ //False | ” hello world “ not end with “ hello “ //True | . regexp . It’s true if the field content matches the regular expression of “value”. | “adam[23]” regexp “^[a-z]+\\[[0-9]+\\]$” //True | ” hello world “ regexp “^[a-z]+\\[[0-9]+\\]$” //False | . not regexp . It’s true if the field content does not match the regular expression of “value”. | “adam[23]” not regexp “^[a-z]+\\[[0-9]+\\]$” //False | ” hello world “ not regexp “^[a-z]+\\[[0-9]+\\]$” //True | . exist . It’s true if the field exists. The value must leave empty, as it must exist, but it will not be used. not exist . It’s true if the field does not exist. The value must leave empty, as it must exist, but it will not be used. in cidr . It’s true if the IP in the field is within the value range. not in cidr . It’s true if the IP in the field is not within the value range. Classic mathematical operators that only apply to numbers. Use only when the field content and the “value” are numeric. | < | > | <= | >= | . When to use cache or search . We recommend using the cache for the rules that will analyze logs in a maximum of 1h. We recommend using search when the analysis period exceeds 1h or the rule’s complexity is very high, and there is no way to do it using the cache. Examples . - name: Windows authentication failure severity: Low description: A Windows user was unable to authenticate with the server or workstation more than 5 times. solution: Refer to NIST guidelines when creating password policies and set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out. category: User Account Authentication tactic: \"Brute Force: Password Guessing\" dataTypes: [\"wineventlog\"] reference: - \"https://attack.mitre.org/techniques/T1110/001/\" frequency: 10 cache: - allOf: - field: logx.wineventlog.event_id operator: \"==\" value: 4625 minCount: 1 timeLapse: 15 save: - field: logx.wineventlog.event_data.TargetUserName alias: DestinationUser - field: logx.wineventlog.host.name alias: DestinationHost - allOf: - field: logx.wineventlog.event_id operator: \"==\" value: 4625 - field: logx.wineventlog.event_data.TargetUserName operator: \"==\" value: \"\" - field: logx.wineventlog.host.name operator: \"==\" value: \"\" minCount: 5 timeLapse: 60 save: - field: logx.wineventlog.event_data.TargetUserName alias: DestinationUser - field: logx.wineventlog.host.name alias: DestinationHost - field: logx.wineventlog.event_data.WorkstationName alias: SourceHost - field: logx.wineventlog.event_data.IpAddress alias: SourceIP . - name: Windows authentication failure severity: Low description: A Windows user was unable to authenticate with the server or workstation more than 5 times. solution: Refer to NIST guidelines when creating password policies and set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out. category: User Account Authentication tactic: \"Brute Force: Password Guessing\" dataTypes: [\"wineventlog\"] reference: - \"https://attack.mitre.org/techniques/T1110/001/\" frequency: 10 search: - query: '{\"size\": 500, \"query\": {\"bool\": {\"must\": [{\"match_phrase\": {\"logx.wineventlog.event_id\": 4625}}], \"filter\": [{\"range\": {\"@timestamp\": {\"gte\": \"now-15s\", \"lte\": \"now\"}}}], \"should\": [], \"must_not\": []}}}' minCount: 1 save: - field: logx.wineventlog.event_data.TargetUserName alias: DestinationUser - field: logx.wineventlog.host.name alias: DestinationHost - query: '{\"size\": 500, \"query\": {\"bool\": {\"must\": [{\"match_phrase\": {\"logx.wineventlog.event_id\": 4625}}, {\"match_phrase\": {\"logx.wineventlog.event_data.TargetUserName\": \"\"}}], \"filter\": [{\"range\": {\"@timestamp\": {\"gte\": \"now-60s\", \"lte\": \"now\"}}}], \"should\": [], \"must_not\": [{\"match_phrase\": {\"logx.wineventlog.event_data.TargetUserName\": \"$\"}}]}}}' minCount: 5 save: - field: logx.wineventlog.event_data.TargetUserName alias: DestinationUser - field: logx.wineventlog.host.name alias: DestinationHost - field: logx.wineventlog.event_data.WorkstationName alias: SourceHost - field: logx.wineventlog.event_data.IpAddress alias: SourceIP . ",
     "url": "/Correlation%20Rules/README.html#fields-reference",
     
     "relUrl": "/Correlation%20Rules/README.html#fields-reference"
@@ -1275,7 +1275,7 @@
   },"182": {
     "doc": "Integrations",
     "title": "UTMStack Integrations",
-    "content": "UTMStack comes out of the box with a wide range of built-in integrations for most mainstream technologies. Enabling an integration allows UTMStack to correlate logs coming from the corresponding data source on your network and detecting threats reliably. Each specific integration has its own guide. Our team is always working on a new integration, but here is the list of what we have developed so far: . | No. | Name |   | . | 1 | VMWare Syslog | | . | 2 | Windows Agent | | . | 3 | Syslog | | . | 4 | Linux Agent | | . | 5 | SOC AI | | . | 6 | ESET Endpoint Protection | | . | 7 | Kaspersky Security | | . | 8 | Bitdefender | | . | 9 | Traefik | | . | 10 | Google Cloud Platform | | . | 11 | AWS Cloudwatch | | . | 12 | Office365 | | . | 13 | Azure | | . | 14 | Logstash | | . | 15 | MongoDB | | . | 16 | MySQL | | . | 17 | Redis | | . | 18 | Kafka | | . | 19 | Elasticsearch | | . | 20 | PostgreSQL | | . | 21 | Kibana | | . | 22 | Cisco Switch | | . | 23 | Cisco ASA | | . | 24 | Cisco Meraki | | . | 25 | FortiGate | | . | 26 | Sophos XG | | . | 27 | Fire Power | | . | 28 | MikroTik | | . | 29 | Palo Alto | | . | 30 | SonicWall | | . | 31 | GitHub | | . | 32 | Nats | | . | 33 | Json Input | | . | 34 | MacOS | | . | 35 | OsQuery | | . | 36 | Linux Auditing Demon | | . | 37 | Deceptive Bytes | | . | 38 | High Availability Proxy | | . | 39 | File Classification | | . | 40 | Apache | | . | 41 | Internet Information Services | | . | 42 | Nginx | | . | 43 | Apache2 | | . | 44 | Sophos Central | | . | 45 | SentinelOne Endpoint Security | | . | 46 | IBM AS400 | | . | 47 | UFW | | . | 48 | Rsyslog | | . | 49 | Netflow | | . | 50 | Salesforce | | . | 51 | Suricata | | . | 52 | Wazuh | | . | 53 | ESET NOD32 | | . | 54 | FortiWeb | | . | 55 | IBM AIX | | . | 56 | Check Point | | . | 57 | pfSense | | . ",
+    "content": "UTMStack comes out of the box with a wide range of built-in integrations for most mainstream technologies. Enabling an integration allows UTMStack to correlate logs coming from the corresponding data source on your network and detecting threats reliably. Each specific integration has its own guide. Our team is always working on a new integration, but here is the list of what we have developed so far: . | No. | Name |   | . | 1 | VMWare Syslog | | . | 2 | Windows Agent | | . | 3 | Syslog | | . | 4 | Linux Agent | | . | 5 | SOC AI | | . | 6 | ESET Endpoint Protection | | . | 7 | Kaspersky Security | | . | 8 | Bitdefender | | . | 9 | Traefik | | . | 10 | Google Cloud Platform | | . | 11 | AWS Cloudwatch | | . | 12 | Office365 | | . | 13 | Azure | | . | 14 | Logstash | | . | 15 | MongoDB | | . | 16 | MySQL | | . | 17 | Redis | | . | 18 | Kafka | | . | 19 | Elasticsearch | | . | 20 | PostgreSQL | | . | 21 | Kibana | | . | 22 | Cisco Switch | | . | 23 | Cisco ASA | | . | 24 | Cisco Meraki | | . | 25 | FortiGate | | . | 26 | Sophos XG | | . | 27 | Fire Power | | . | 28 | MikroTik | | . | 29 | Palo Alto | | . | 30 | SonicWall | | . | 31 | GitHub | | . | 32 | Nats | | . | 33 | Json Input | | . | 34 | MacOS | | . | 35 | OsQuery | | . | 36 | Linux Auditing Demon | | . | 37 | Deceptive Bytes | | . | 38 | High Availability Proxy | | . | 39 | File Classification | | . | 40 | Apache | | . | 41 | Internet Information Services | | . | 42 | Nginx | | . | 43 | Sophos Central | | . | 44 | SentinelOne Endpoint Security | | . | 45 | IBM AS400 | | . | 46 | UFW | | . | 47 | Rsyslog | | . | 48 | Netflow | | . | 59 | Salesforce | | . | 50 | Suricata | | . | 51 | Wazuh | | . | 52 | ESET NOD32 | | . | 53 | FortiWeb | | . | 54 | IBM AIX | | . | 55 | Check Point | | . | 56 | pfSense | | . ",
     "url": "/Integrations/ThreatDetectionandResponse.html#utmstack-integrations",
     
     "relUrl": "/Integrations/ThreatDetectionandResponse.html#utmstack-integrations"