Overview
UTMStack’s Threat Detection system identifies and responds to security threats in real time by correlating log data, threat intelligence, and malware activity patterns from multiple sources. This unified approach enables detection of complex threats that use stealthy techniques to evade traditional security controls. UTMStack can analyze log data quickly enough to identify and halt threats at their source in real time, even if the threat was not directly detected on the server itself.
Detection Capabilities
Real-Time Correlation
Correlate events from multiple sources before data ingestion to detect complex attack patterns instantly.
Advanced Persistent Threats
Identify APTs that use multi-stage attacks and lateral movement across your infrastructure.
Behavioral Analysis
Detect anomalous behavior that deviates from established baselines and normal patterns.
MITRE ATT&CK Mapping
Alerts are mapped to MITRE ATT&CK techniques for standardized threat classification.
Alert Severity Levels
Alerts are classified into three severity levels to prioritize security response:
- High (3): Critical threats requiring immediate attention
- Medium (2): Significant security events that should be investigated promptly
- Low (1): Informational alerts for awareness and trend analysis
Alert Lifecycle
Every alert in UTMStack goes through a defined lifecycle:
- Generation: Alert created by correlation rules or threat intelligence matches
- Automatic Review: Initial status when alert is first generated (status: 1)
- Investigation: Security analyst reviews alert details and context
- Resolution: Alert is closed with appropriate disposition (true positive, false positive, etc.)
Correlation Rules
Manage detection rules through the Alerting Rules module (/alerting-rules):
- Pre-built Rules: Hundreds of out-of-the-box rules for common threats
- Custom Rules: Create organization-specific detection logic
- Rule Testing: Validate rules against historical data before deployment
- Rule Tuning: Adjust thresholds and conditions to reduce false positives
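To make the rule, severity and lifecycle model above concrete, here is an added example (not UTMStack's own code) of a threshold-based correlation rule: it turns a burst of failed logins from one source into an alert that carries the page's severity values and initial status, with the threshold and window exposed as the knobs that rule tuning adjusts. The event field names, the sample events and the severity policy are assumptions.

```typescript
// Added example, not UTMStack code: a threshold-based correlation rule that turns
// a burst of failed logins from one source IP into an alert using the page's severity
// values (High=3, Medium=2, Low=1) and initial status 1 (Automatic Review).
// Event field names, sample data and the severity policy are assumptions.
interface LogEvent { ts: number; sourceIp: string; user: string; outcome: "success" | "failure"; }
interface Alert { name: string; severity: 1 | 2 | 3; status: number; category: string;
                  mitre: string; adversaryIp: string; targets: string[]; }
const STATUS_AUTOMATIC_REVIEW = 1; // initial lifecycle status named on the page

// Rule: at least `threshold` failures from one source inside `windowSec` seconds.
// These two parameters are what rule tuning adjusts to reduce false positives.
function bruteForceRule(events: LogEvent[], threshold = 5, windowSec = 60): Alert[] {
  const bySource: Record<string, LogEvent[]> = {};
  for (const e of events) {
    if (e.outcome !== "failure") continue;            // only failures count
    (bySource[e.sourceIp] = bySource[e.sourceIp] || []).push(e);
  }
  const alerts: Alert[] = [];
  for (const ip of Object.keys(bySource)) {
    const fails = bySource[ip].slice().sort((a, b) => a.ts - b.ts);
    let start = 0;
    for (let end = 0; end < fails.length; end++) {
      while (fails[end].ts - fails[start].ts > windowSec) start++; // slide window
      if (end - start + 1 < threshold) continue;
      const targets = fails.slice(start, end + 1).map(f => f.user)
        .filter((u, i, arr) => arr.indexOf(u) === i);      // distinct accounts
      alerts.push({
        name: "Authentication brute force", category: "Authentication Failures",
        mitre: "T1110",                                    // ATT&CK: Brute Force
        severity: targets.length > 1 ? 3 : 2,              // assumption: many accounts = High
        status: STATUS_AUTOMATIC_REVIEW, adversaryIp: ip, targets,
      });
      break; // one alert per source per evaluation
    }
  }
  return alerts;
}

// Constructed sample: five failures from 203.0.113.7 within 20 s against two
// accounts, two scattered failures from 198.51.100.9, and one successful login.
const SAMPLE_EVENTS: LogEvent[] = [
  { ts: 100, sourceIp: "203.0.113.7", user: "alice", outcome: "failure" },
  { ts: 105, sourceIp: "203.0.113.7", user: "alice", outcome: "failure" },
  { ts: 110, sourceIp: "203.0.113.7", user: "alice", outcome: "failure" },
  { ts: 115, sourceIp: "203.0.113.7", user: "bob", outcome: "failure" },
  { ts: 120, sourceIp: "203.0.113.7", user: "bob", outcome: "failure" },
  { ts: 130, sourceIp: "198.51.100.9", user: "carol", outcome: "failure" },
  { ts: 400, sourceIp: "198.51.100.9", user: "carol", outcome: "failure" },
  { ts: 140, sourceIp: "203.0.113.7", user: "alice", outcome: "success" },
];
```

Running `bruteForceRule(SAMPLE_EVENTS)` yields one High alert for 203.0.113.7 in Automatic Review; raising the threshold or shrinking the window suppresses it, which is the tuning step the list above describes.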
Alert Categories
Alerts are organized into categories for efficient triage:
- Malware Activity: Virus, trojan, ransomware detections
- Network Attacks: Port scans, DDoS, network intrusions
- Authentication Failures: Brute force, credential stuffing
- Data Exfiltration: Unusual outbound traffic, large data transfers
- Policy Violations: Configuration changes, unauthorized access
- Lateral Movement: Internal reconnaissance, privilege escalation
Detection Data Sources
Threat detection leverages multiple data sources:
- Endpoint Logs: Process execution, file access, registry changes
- Network Traffic: Flow data, packet captures, DNS queries
- Authentication Logs: Login attempts, privilege escalations
- Application Logs: Web server access, database queries
- Cloud Activity: API calls, resource modifications
The more diverse your data sources, the better UTMStack can correlate events and detect sophisticated attacks.
Alert Enrichment
Alerts are automatically enriched with contextual information:
- Target Information: User accounts, IP addresses, hostnames affected
- Adversary Details: Source IPs, threat actor attribution when available
- Data Source Context: Which integration or agent generated the alert
- Threat Intelligence: IOC matches, reputation scores, threat feeds
- MITRE Techniques: Tactics, techniques, and procedures (TTPs) mapped to the alert
Integration Points
Threat Detection integrates with:
- Threat Intelligence: Enrich alerts with external threat context
- Alert Investigation: Detailed investigation workflows for security analysts
- SOC AI: AI-powered alert analysis and prioritization
- File Classification: Malware detection for file-based threats
Best Practices
Technical Implementation
References:
- Alert Management Module: frontend/src/app/data-management/alert-management/
- Alert Types: frontend/src/app/shared/types/alert/utm-alert.type.ts
- Alert Severity Constants: frontend/src/app/shared/constants/alert/alert-severity.constant.ts:1-8
- Rule Management Route: frontend/src/app/app-routing.module.ts:150