UTMStack

Overview

UTMStack is an all‑in‑one threat management platform that integrates SIEM (Security Information and Event Management) with XDR (Extended Detection and Response). By correlating log data, threat intelligence, and malware behavior in real time across multiple sources, it uncovers and stops sophisticated, stealth‑based attacks that traditional tools often miss. It accomplishes this via agents, log ingestion, and threat intelligence feeds.

This post is part of my research on open-source SOC systems.

Installation

Following the instructions from the official documentation wasn’t perfectly smooth. The first attempt failed because I ignored the system requirements (I had only provisioned 4GB of RAM and an 80GB HDD). After provisioning 16GB of RAM and a 150GB HDD, I was able to follow the prompts and get the core system installed. I could SSH to it, but the web interface was not responding. Running tail -n 50 /var/log/utmstack/installer.log showed me that the installation had failed because a download was interrupted.

  1. Created a VM with “small deployment” specifications and booted from the installation ISO image
    • Configure the VM
      • Uncheck “proceed with unattended installation”
      • Set boot order to have “Optical” first
      • In my environment, I want UTMStack to be on the same network as the host, so I changed the NIC to “Bridged Adapter”
    • OS install takes about 10 minutes
    • Finished and logged in
    • Rebooted; be sure to boot from CDROM again to start UTMStack install wizard
    • The wizard will prompt you for
      • Your name
      • The name to call your UTMStack server
      • A username and password
    • Takes about 20 minutes to install UTMStack
    • Remove CDROM (image) and Reboot
    • Upon reboot, Docker will start pulling various containers, which took 45 minutes on my VM but will vary with your VM specs and internet bandwidth
  2. In the VM console:
    • sudo tail /var/log/utmstack/installer.log
    • You’re watching for the message “UTMStack installation completed successfully!”
    • Once it finishes, run the final setup for the timezone:
      • cd /opt/utmstack && sudo ./finish-install-setup.sh
    • Update the entire system:
      • sudo su
      • apt update && apt upgrade -y
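
A pre-flight and install-status check for the procedure above, as an added example that is not part of the original post. It assumes the 16GB RAM / 150GB disk values the author used are the minimums worth checking against, and that an interrupted download leaves a line containing "error" or "fail" in installer.log (the post does not quote that text); the success message is the one the post quotes.

```shell
# Added example, not from the original post: pre-flight and install-status checks
# for a UTMStack VM. Thresholds are the values that worked for the author (16GB RAM,
# 150GB disk); treating them as minimums is an assumption, not an official requirement.

MIN_RAM_KB=$((16 * 1024 * 1024))   # 16GB in kB, the unit /proc/meminfo reports
MIN_DISK_GB=150

# check_resources <total_ram_kb> <root_disk_gb>: 0 if both meet the minimums.
check_resources() {
  status=0
  if [ "$1" -lt "$MIN_RAM_KB" ]; then
    echo "RAM too small: $(($1 / 1024 / 1024))GB, need 16GB" >&2
    status=1
  fi
  if [ "$2" -lt "$MIN_DISK_GB" ]; then
    echo "Disk too small: ${2}GB, need ${MIN_DISK_GB}GB" >&2
    status=1
  fi
  return $status
}

# installer_status <installer.log>: prints "completed" when the success line
# quoted in the post is present, "failed" on an error line, else "pending".
installer_status() {
  if grep -q "UTMStack installation completed successfully!" "$1"; then
    echo completed
  elif grep -qiE "error|fail" "$1"; then
    # Assumption: an interrupted download logs a line containing "error" or
    # "fail"; the post does not quote the exact wording.
    echo failed
  else
    echo pending
  fi
}

# Constructed sample log standing in for /var/log/utmstack/installer.log.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Pulling container images...
UTMStack installation completed successfully!
EOF
echo "sample log status: $(installer_status "$SAMPLE_LOG")"
rm -f "$SAMPLE_LOG"

# Live check of this host (values default to 0 where the commands are unavailable).
ram_kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo 2>/dev/null)
disk_gb=$(df -BG / 2>/dev/null | awk 'NR == 2 {gsub("G", "", $2); print $2}')
check_resources "${ram_kb:-0}" "${disk_gb:-0}" && echo "host resources OK"
[ -r /var/log/utmstack/installer.log ] && installer_status /var/log/utmstack/installer.log
```

Run it on the VM console before and after the reboot in step 1; it exits quietly when the host matches the author's working specifications and says which resource fell short otherwise.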

I am able to log into the admin portal at https://192.168.8.144:9090, but not able to create a user that can log into the front end.

Logging Into the Front End

  • username: admin
  • password: found in /root/utmstack.yml, so run sudo cat /root/utmstack.yml and copy/paste that password in
  • The next step is to configure 2FA. Use Google or Microsoft Authenticator.
    • I used Google Authenticator to scan the QR code displayed on the screen.
    • After keying in the 6-digit code, I was authenticated and taken to the next steps in the wizard.
  • It wanted
    • Organization Name
    • Country
    • Contact Email
  • The next screen welcomes you to UTMStack. It gives you two choices:
    1. Wizard-driven configuration
    2. Manual configuration
  • I followed the wizard
    • A window pops up asking for your email. This email is for the admin user you just logged in as.
    • Paste the password you got from the utmstack.yml file and set a new password.
  • Then it takes you to Application Settings.
    • This is where you configure the SMTP server
    • I used Brevo as my SMTP relay - just give it 5 minutes to configure before testing
    • Be sure to save your changes!

This post is licensed under CC BY 4.0 by the author.