Release/v11.1.5 (#1536)

* feat(identity-provider): add OAuth2/OpenID Connect provider management

Signed-off-by: Manuel Abascal <[email protected]>

* refactor: update version info handling and clean up community module display

Signed-off-by: Manuel Abascal <[email protected]>

* Update frontend/src/app/shared/components/auth/login/login.component.ts

Co-authored-by: Copilot <[email protected]>

* Update frontend/src/app/shared/components/auth/login-providers/login-providers.component.ts

Co-authored-by: Copilot <[email protected]>

* Update backend/src/main/java/com/park/utmstack/config/SecurityConfiguration.java

Co-authored-by: Copilot <[email protected]>

* Update backend/src/main/java/com/park/utmstack/service/idp_provider/IdentityProviderService.java

Co-authored-by: Copilot <[email protected]>

* Update frontend/src/app/app-management/identity-provider/shared/components/provider-form/provider-form.component.ts

Co-authored-by: Copilot <[email protected]>

* feat(oauth2): enhance corporate authentication with additional fields and event handling

* refactor: simplify request structure and improve provider toggle logic

Signed-off-by: Manuel Abascal <[email protected]>

* feat(oauth2): implement enterprise version handling for identity providers

Signed-off-by: Manuel Abascal <[email protected]>

* feat: add adversary view menu and associated authorities to database

* feat: add adversary management module with routing and view components

Signed-off-by: Manuel Abascal <[email protected]>

* refactor: remove deprecated standalone plugin architecture

* feat: add adversary management module with routing and view components

Signed-off-by: Manuel Abascal <[email protected]>

* feat: implement adversary alerts management with new DTOs and service

* feat: add SQL query support to LogExplorer via OpenSearch

* feat: add SQL query support to LogExplorer via OpenSearch

* feat: implement adversary alerts graph and service for data retrieval

Signed-off-by: Manuel Abascal <[email protected]>

* feat: enhance timezone handling by dynamically generating timezone list

Signed-off-by: Manuel Abascal <[email protected]>

* feat: enhance timezone handling by dynamically generating timezone list

Signed-off-by: Manuel Abascal <[email protected]>

* feat: add adversary management module with routing and view components

Signed-off-by: Manuel Abascal <[email protected]>

* feat: add adversary management module with routing and view components

Signed-off-by: Manuel Abascal <[email protected]>

* feat: add adversary view menu and associated authorities to database

* feat: implement adversary alerts graph and service for data retrieval

Signed-off-by: Manuel Abascal <[email protected]>

* feat: implement adversary alerts management with new DTOs and service

* feat: enhance adversary alerts graph layout and styling for improved visualization

Signed-off-by: Manuel Abascal <[email protected]>

* feat: enhance adversary alerts graph layout and styling for improved visualization

Signed-off-by: Manuel Abascal <[email protected]>

* fix[bitdefender-plugin]: make StartServer blocking and remove retry loop

* update macos guide

* feat: enhance adversary alerts graph layout and styling for improved visualization

Signed-off-by: Manuel Abascal <[email protected]>

* feat: enhance adversary alerts graph layout and styling for improved visualization

Signed-off-by: Manuel Abascal <[email protected]>

* feat: implement adversary alerts management with new DTOs and service

* fix: adjust TFA expiration time to use configurable constant

* feat: conditionally render module card based on module name

Signed-off-by: Manuel Abascal <[email protected]>

* feat: add application version info retrieval functionality

* feat: add application version info retrieval functionality

Signed-off-by: Manuel Abascal <[email protected]>

* feat: compliance report view component

* feat: add SQL query support to LogExplorer via OpenSearch

* feat: add SQL query support to LogExplorer via OpenSearch

* feat(saml): implement SAML authentication support with identity provider configuration

* feat(saml): implement SAML authentication support with identity provider configuration

Signed-off-by: Manuel Abascal <[email protected]>

* feat: add application version info retrieval functionality

* fix: remove conditional rendering for AS_400 module and filter out in module retrieval

Signed-off-by: Manuel Abascal <[email protected]>

* feat(saml): enhance SAML authentication success handler to include role-based authorities

* feat(o365-plugin): add multi-cloud environment support for Microsoft Cloud (Commercial, GCC, GCC High, DoD)

* feat: add exception handling for MethodArgumentNotValidException and update UtmModuleConfigValidator logic

* fix(o365-plugin): Remove invalid field check and add multi-cloud support

- Implement cloud-aware connection checking per authority
- Use correct endpoints and scopes for each cloud environment

* feat: add SQL query support to LogExplorer via OpenSearch

* feat(o365-plugin): add Office 365 cloud environment configuration options

* Update backend/src/main/resources/config/liquibase/changelog/20251125001_add_environment_o365_integration.xml

Co-authored-by: Copilot <[email protected]>

* Update backend/src/main/java/com/park/utmstack/domain/application_modules/factory/impl/ModuleO365.java

Co-authored-by: Copilot <[email protected]>

* Update backend/src/main/java/com/park/utmstack/domain/application_modules/UtmModuleGroupConfiguration.java

Co-authored-by: Copilot <[email protected]>

* feat: add SQL query support to LogExplorer via OpenSearch

* feat: add SQL query support to LogExplorer via OpenSearch

* feat: add SQL query support to LogExplorer via OpenSearch

* feat: add SQL query support to LogExplorer via OpenSearch

* feat: add SQL query support to LogExplorer via OpenSearch

* fix: update file permissions from 777 to 755 for security improvements

* feat(azure plugin): enhance Azure cloud detection and connection validation

* feat(o365_validation-modules-config): add Management API validation and multi-cloud endpoint support

* feat(header): integrate version info display and update logic

Signed-off-by: Manuel Abascal <[email protected]>

* refactor: rename UtmStackConnectionService to ModuleConfigurationValidationService and enhance validation logic

* feat(exception-handling): add ApiException class and global exception handler

* feat: add SQL query support to LogExplorer via OpenSearch

* feat: add SQL query support to LogExplorer via OpenSearch

* feat(int-generic-group-config): improve searchable option based on config options length

Signed-off-by: Manuel Abascal <[email protected]>

* feat(int-generic-group-config): improve searchable option based on config options length

Signed-off-by: Manuel Abascal <[email protected]>

* fix(modules-config): disable CROWDSTRIKE module not implemented in backend.

* refactor(plugins): standardize logging with catcher

* feat(saml): update identity provider configuration to include metadata URL and remove deprecated fields

* style(dashboard): adjust padding and layout for improved UI consistency

Signed-off-by: Manuel Abascal <[email protected]>

* fix: optimize cloud detection logic in connection string parsing

* feat(elastic-filter-time): enhance time filter functionality and update UI interactions

Signed-off-by: Manuel Abascal <[email protected]>

* feat(azure): extract individual records from Azure Event Hub logs

Parse Azure logs with 'records' array structure and send each record
as a separate log entry for better indexing and security analysis.
Maintains backward compatibility for logs without records array.

* fix(modules-config): remove gin default logger middleware to eliminate non-standardized HTTP logs while maintaining catcher logging standard and panic protection.

* refactor(azure-filter): deleted 'Expand log.records' data to improve parsing

* refactor(gcp-filter): deleted 'Expand jsonPayload.structuredRdata' data to improve parsing

* update the version of the Azure and GCP filters

* feat(saml): update identity provider configuration to include metadata URL and remove deprecated fields

* feat(provider): add SAML 2.0 support with metadata URL and service provider configuration

Signed-off-by: Manuel Abascal <[email protected]>

* feat(saml): enhance identity provider creation with multipart form data and encryption for private key

* feat(provider): add SAML 2.0 support with metadata URL and service provider configuration

Signed-off-by: Manuel Abascal <[email protected]>

* fix(totp): prevent potential error by checking subscription before unsubscribe

Signed-off-by: Manuel Abascal <[email protected]>

* style(totp): comment out unused email resend container for cleaner code

Signed-off-by: Manuel Abascal <[email protected]>

* style(utm-code-view): add word-break class to code element for better text handling

Signed-off-by: Manuel Abascal <[email protected]>

* feat(filters): add Azure and GCP filters with updated field mappings and severity handling

* refactor(ModuleSocAi): remove unused getName method for cleaner code

* fix(deployment-pipeline): update tag pattern for v10 to support semantic versioning

* chore(changelog): update release notes for UTMStack v11.0.3 with fixed issues and performance improvements

* chore(changelog): update release notes for UTMStack v11.0.3 with fixed issues and performance improvements

* feat(authentication): add SAML and OIDC support with validation for private keys and certificates

* chore(master.xml): remove outdated environment integration and filter update changelogs

* feat(identity-provider): enhance provider management with file uploads and validation

Signed-off-by: Manuel Abascal <[email protected]>

* feat(authentication): enhance SAML and OIDC support with file validation and metadata URL checks

* feat(identity-provider): enhance provider management with file uploads and validation

Signed-off-by: Manuel Abascal <[email protected]>

* feat(identity-provider): enhance provider management with file uploads and validation

Signed-off-by: Manuel Abascal <[email protected]>

* Refactor adversary alerts graph component and update no data display

Signed-off-by: Manuel Abascal <[email protected]>

* Remove redundant getName() method override in ModuleSocAi

* Update frontend/src/app/data-management/alert-management/shared/components/filters/alert-generic-filter/alert-generic-filter.component.ts

Co-authored-by: Copilot <[email protected]>

* feat: add SQL query support to LogExplorer via OpenSearch

* feat: add SQL query support to LogExplorer via OpenSearch

* feat: enhance LogExplorer with SQL query support and custom keyword suggestions

* Update backend/src/main/java/com/park/utmstack/service/dto/elastic/SqlSearchDto.java

Co-authored-by: Copilot <[email protected]>

* feat: enhance identity provider management with role requirements and UI improvements

Signed-off-by: Manuel Abascal <[email protected]>

* feat: update login components for improved styling and provider text

Signed-off-by: Manuel Abascal <[email protected]>

* feat: add loading screen with spinner and enhance app initialization

Signed-off-by: Manuel Abascal <[email protected]>

* feat(agents): update agent guide with Kali Linux tab and enhance installation command structure

* feat: add SAML OIDC corporate authentication configuration fields

* feat: add SAML OIDC corporate authentication support with SP entity ID and ACS URL

Signed-off-by: Manuel Abascal <[email protected]>

* feat(api-keys): implement API key management with creation, retrieval, update, and deletion functionalities

* feat: integrate app version management and enterprise feature directive

Signed-off-by: Manuel Abascal <[email protected]>

* feat: enhance SAML2 login handlers with role validation and logging

* feat: enhance SAML2 login handlers with role validation and logging

* feat: enhance SAML2 login handlers with role validation and logging

* feat: integrate app version management and enterprise feature directive

Signed-off-by: Manuel Abascal <[email protected]>

* feat: update API route for version checking to check-for-updates

Signed-off-by: Manuel Abascal <[email protected]>

* feat: remove client secret display from provider details

Signed-off-by: Manuel Abascal <[email protected]>

* fix: update application version file path and improve pagination offset calculation

* fix: update application version file path and improve pagination offset calculation

* fix: update opensearch-connector version to 1.0.4

* feat: enhance enterprise module directive to support dynamic menu names and icons

Signed-off-by: Manuel Abascal <[email protected]>

* fix: streamline loading state management in playbook service and clean up filter parameters in playbooks component

Signed-off-by: Manuel Abascal <[email protected]>

* fix: update UtmModuleRepository and UtmModuleService to use Optional for findByServerIdAndModuleName method

* feat: add detail view for alerts in echoes component and improve alert display

Signed-off-by: Manuel Abascal <[email protected]>

* fix: improve error handling in CleanCountedLogs to create default data retention file if retrieval fails

* feat: enhance adversary alerts graph with dynamic graphic elements and improved chart container styling

Signed-off-by: Manuel Abascal <[email protected]>

* Update frontend/src/app/data-management/alert-management/shared/components/alert-echoes/alert-echoes.component.html

Co-authored-by: Copilot <[email protected]>

* Update frontend/src/app/data-management/alert-management/shared/components/alert-echoes/alert-echoes.component.html

Co-authored-by: Copilot <[email protected]>

* feat: enhance detail view for alerts in echoes component and improve data handling

Signed-off-by: Manuel Abascal <[email protected]>

* feat: enhance adversary alerts graph with dynamic graphic elements and improved chart container styling

Signed-off-by: Manuel Abascal <[email protected]>

* feat: enhance adversary alerts graph with dynamic graphic elements and improved chart container styling

Signed-off-by: Manuel Abascal <[email protected]>

* refactor: reorganize imports in adversary alerts graph component for improved readability

Signed-off-by: Manuel Abascal <[email protected]>

* refactor: reorganize imports in adversary alerts graph component for improved readability

Signed-off-by: Manuel Abascal <[email protected]>

* chore: update changelog for UTMStack v11.1.1 release, add fixes and features

* fix: handle version info loading error gracefully

Signed-off-by: Manuel Abascal <[email protected]>

* feat: refactor module update process to use ModuleDTO and enhance decryption handling

* feat: enhance adversary alerts graph with improved event handling and child alert metadata

Signed-off-by: Manuel Abascal <[email protected]>

* feat: add SAML2 login endpoint to front-end configuration

* fix: ensure getPatternStoredFields returns an empty array if no fields are found

Signed-off-by: Manuel Abascal <[email protected]>

* chore: update CHANGELOG for UTMStack v11.1.2 release

Signed-off-by: Manuel Abascal <[email protected]>

* feat: implement authentication styles and restructure login components

Signed-off-by: Manuel Abascal <[email protected]>

* feat: enhance two-factor authentication UI and improve user experience

Signed-off-by: Manuel Abascal <[email protected]>

* feat: add SAML2 login configuration and update Dockerfile

* feat: enhance two-factor authentication UI and improve user experience

Signed-off-by: Manuel Abascal <[email protected]>

* feat: enhance two-factor authentication UI and improve user experience

Signed-off-by: Manuel Abascal <[email protected]>

* feat: remove unnecessary Nginx configuration copy from Dockerfile

Signed-off-by: Manuel Abascal <[email protected]>

* feat: refactor UtmLogstashPipeline class to use Lombok annotations and improve default value handling

* feat: update component labels for clarity in UI

Signed-off-by: Manuel Abascal <[email protected]>

* fix: correct command syntax in UTM stack installer scripts

Signed-off-by: Manuel Abascal <[email protected]>

* fix: correct syntax error in UTM stack installation command

Signed-off-by: Manuel Abascal <[email protected]>

* feat: enhance download link styling for macOS agent guide

Signed-off-by: Manuel Abascal <[email protected]>

* chore: update release notes for UTMStack v11.1.4 and modify server API URL

* style: update styling for login image and setup completion text

Signed-off-by: Manuel Abascal <[email protected]>

* feat: implement schedule configuration component for time and day selection

Signed-off-by: Manuel Abascal <[email protected]>

* feat: implement schedule configuration component with time and day selection

Signed-off-by: Manuel Abascal <[email protected]>

* fix: improve context handling in getLogs function for AWSProcessor

* feat: add Liquibase changelog for renaming O365 fields in utm_visualization

* chore: update release notes for UTMStack v11.1.5 and standardize utm_visualization field names

* fix: adjust layout for log analyzer view in SQL mode

Signed-off-by: Manuel Abascal <[email protected]>

* feat: add Liquibase changelog for renaming filter fields in utm_dashboard

* refactor: remove redundant user access roles section from provider form

Signed-off-by: Manuel Abascal <[email protected]>

* feat: enhance SAML2 login handling by validating user existence and roles

* feat(pt-pentest-detail): add pentest detail component with download and open detail functionalities

* fix: handle case when Elasticsearch index does not exist in alerts fetching

* fix: change log level for com.zaxxer from WARN to ERROR

* feat(elastic-filter): add clear filter selection functionality

Signed-off-by: Manuel Abascal <[email protected]>

* fix(environment): revert local changes

Signed-off-by: Manuel Abascal <[email protected]>

* feat: add changelog for updating instance update frequency configuration

* style: enhance responsive design for various components based on viewport height

Signed-off-by: Manuel Abascal <[email protected]>

* style: enhance responsive design for various components based on viewport height

Signed-off-by: Manuel Abascal <[email protected]>

* feat: add admin email constant and first login flag to response DTO

* chore: update changelog for version 11.1.5

* feat: add first login flag to authentication flow and update related components

Signed-off-by: Manuel Abascal <[email protected]>

* style: remove top padding from auth cover for improved layout

Signed-off-by: Manuel Abascal <[email protected]>

* style: update layout and visibility of security notice in TFA setup

Signed-off-by: Manuel Abascal <[email protected]>

* feat: deserialize configuration values for improved data handling

Signed-off-by: Manuel Abascal <[email protected]>

* feat: deserialize configuration values for improved data handling

Signed-off-by: Manuel Abascal <[email protected]>

* feat: enhance writeValue method to support string input for schedule configuration

Signed-off-by: Manuel Abascal <[email protected]>

* feat: enhance writeValue method to support string input for schedule configuration

Signed-off-by: Manuel Abascal <[email protected]>

---------

Signed-off-by: Manuel Abascal <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: JocLRojas <[email protected]>
Co-authored-by: Elena Lopez Milan <[email protected]>
Co-authored-by: Yorjander Hernandez Vergara <[email protected]>
Co-authored-by: Osmany Montero <[email protected]>
Co-authored-by: Yadian Llada Lopez <[email protected]>

Author: 7 people

CHANGELOG.md

@@ -1,8 +1,8 @@
-# UTMStack 11.1.4 – Release Notes
+# UTMStack 11.1.5 – Release Notes
 
-The **UTMStack v11.1.4** update delivers important fixes and usability improvements to enhance stability and user experience.
+The **UTMStack v11.1.5** update delivers important fixes and usability improvements to enhance stability and user experience.
 
 ## Improvements & Fixes
-- Refined the styling of download links to improve clarity and accessibility.
-- Resolved a syntax error in the UTMStack installation command, ensuring smoother setup.
-- Corrected the display of pipeline card statuses and improved accuracy of event processing counts.
+- Standardized `utm_visualization` field names by replacing legacy O365 keys with new conventions.
+- Enhanced responsive behavior for TFA enrollment components based on viewport height.
+

backend/src/main/java/com/park/utmstack/config/Constants.java

@@ -166,6 +166,9 @@ public final class Constants {
     // Application version file
     public static final String APP_VERSION_FILE = "/updates/version.json";
 
+    public static final String ADMIN_EMAIL = "admin@localhost";
+
+
     private Constants() {
     }
 }

backend/src/main/java/com/park/utmstack/security/jwt/TokenProvider.java

@@ -121,13 +121,10 @@ public boolean validateToken(String authToken) {
     }
 
     public boolean shouldBypassTfa(HttpServletRequest request) {
-        boolean bypassSwagger = Boolean.parseBoolean(request.getHeader(Constants.TFA_EXEMPTION_HEADER));
-
         boolean forceTfaAuth = Boolean.parseBoolean(
                 Optional.ofNullable(System.getenv(Constants.ENV_TFA_ENABLE)).orElse("true")
         );
-
-        return bypassSwagger || !forceTfaAuth;
+        return !forceTfaAuth;
     }
 
 }

backend/src/main/java/com/park/utmstack/security/saml/Saml2LoginSuccessHandler.java

@@ -1,5 +1,6 @@
 package com.park.utmstack.security.saml;
 
+import com.park.utmstack.domain.User;
 import com.park.utmstack.repository.UserRepository;
 import com.park.utmstack.security.jwt.TokenProvider;
 import lombok.RequiredArgsConstructor;
@@ -21,6 +22,7 @@
 import java.net.URI;
 import java.util.Collection;
 import java.util.Objects;
+import java.util.Optional;
 
 import static com.park.utmstack.config.Constants.FRONT_BASE_URL;
 
@@ -50,33 +52,25 @@ public void onAuthenticationSuccess(HttpServletRequest request,
         String frontBaseUrl = scheme + "://" + host;
 
         Saml2AuthenticatedPrincipal samlUser = (Saml2AuthenticatedPrincipal) authentication.getPrincipal();
-        var roles = samlUser.getAttribute("roles");
-
         String username = samlUser.getName();
 
-        if (roles == null || ((Collection<?>) roles).isEmpty() || userRepository.findOneByLogin(username).isEmpty()) {
-            log.error("{}: Attempted SAML2 login with invalid roles or non-existing user account.", username);
-            failureHandler.onAuthenticationFailure(request, response,
-                    new BadCredentialsException("The provided credentials do not match any active user account or the account lacks required roles."));
-            return;
-        }
+        User user = userRepository.findOneByLogin(username)
+                .orElseThrow(() -> new BadCredentialsException("The provided credentials do not match any active user account."));
 
-        Collection<? extends GrantedAuthority> authorities = Objects.requireNonNull(samlUser.getAttribute("roles"))
+        Collection<? extends GrantedAuthority> authorities = Objects.requireNonNull(user.getAuthorities())
                 .stream()
                 .map(Objects::toString)
                 .filter(r -> r.startsWith("ROLE_"))
                 .map(SimpleGrantedAuthority::new)
                 .toList();
 
         UsernamePasswordAuthenticationToken auth =
-                new UsernamePasswordAuthenticationToken(username, null, authorities);
+                new UsernamePasswordAuthenticationToken((Object) username, null, authorities);
 
         SecurityContextHolder.getContext().setAuthentication(auth);
 
-        // Generate JWT
         String token = tokenProvider.createToken(auth, false, true);
 
-        // Redirect to frontend with token
         URI redirectUri = UriComponentsBuilder.fromUriString(frontBaseUrl)
                 .path("/")
                 .queryParam("token", token)

backend/src/main/java/com/park/utmstack/service/dto/jwt/LoginResponseDTO.java

@@ -14,5 +14,6 @@ public class LoginResponseDTO {
     private String method;
     private String token;
     private long tfaExpiresInSeconds;
+    boolean firstLogin;
 }
 

backend/src/main/java/com/park/utmstack/service/threat_management/AdversaryAlertsService.java

@@ -27,6 +27,11 @@ public class AdversaryAlertsService {
     private final ElasticsearchService elasticsearchService;
 
     public List<AdversaryAlertsResponseDto> fetchAdversaryAlerts(List<FilterType> filters){
+
+        if(!elasticsearchService.indexExist(V11_ALERTS_INDEX_PATTERN)) {
+            return Collections.emptyList();
+        }
+
         SearchRequest request = SearchRequest.of(s -> s
                 .index(V11_ALERTS_INDEX_PATTERN)
                 .query(SearchUtil.toQuery(filters))

backend/src/main/java/com/park/utmstack/web/rest/UserJWTController.java

@@ -42,6 +42,8 @@
 import javax.validation.Valid;
 import java.util.Map;
 
+import static com.park.utmstack.config.Constants.ADMIN_EMAIL;
+
 /**
  * Controller to authenticate users.
  */
@@ -94,7 +96,7 @@ public ResponseEntity<LoginResponseDTO> authorize(@Valid @RequestBody LoginVM lo
 
         boolean isTfaSetup = isTfaEnabled && user.getTfaMethod() != null && !user.getTfaMethod().isEmpty() && !isAuth;
         Map<String, Object> args = logContextBuilder.buildArgs(request);
-        Long tfaExpiresInSeconds = 0L;
+        long tfaExpiresInSeconds = 0L;
 
         if (isTfaSetup) {
             tfaExpiresInSeconds = tfaService.generateChallenge(user);
@@ -120,6 +122,7 @@ public ResponseEntity<LoginResponseDTO> authorize(@Valid @RequestBody LoginVM lo
                 .tfaConfigured(isTfaSetup)
                 .forceTfa(!isAuth)
                 .tfaExpiresInSeconds(tfaExpiresInSeconds)
+                .firstLogin(user.getEmail().equals(ADMIN_EMAIL))
                 .build();
 
         return ResponseEntity.ok(response);

backend/src/main/java/com/park/utmstack/web/rest/threat_management/AdversaryAlertsResource.java

@@ -24,6 +24,7 @@ public class AdversaryAlertsResource {
 
     @PostMapping("/alerts")
     public ResponseEntity<List<AdversaryAlertsResponseDto>> search(@RequestBody(required = false) List<FilterType> filters) {
+
             List<AdversaryAlertsResponseDto> responseDto = adversaryAlertsService.fetchAdversaryAlerts(filters);
 
             if (responseDto.isEmpty())

backend/src/main/resources/config/liquibase/changelog/20251218001_rename_o365_fields.xml

@@ -0,0 +1,91 @@
+<?xml version="1.0" encoding="utf-8"?>
+<databaseChangeLog
+    xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.5.xsd">
+
+    <changeSet id="20251218001" author="Manuel Abascal">
+
+        <sql dbms="postgresql" splitStatements="true" stripComments="true">
+            <![CDATA[
+
+            UPDATE utm_visualization
+            SET
+                filters = REPLACE(
+                        REPLACE(
+                                REPLACE(
+                                        REPLACE(
+                                                REPLACE(filters, 'log.o365.Operation.keyword', 'action.keyword'),
+                                                'log.o365.ClientIP.keyword', 'log.clientIP.keyword'
+                                        ),
+                                        'log.o365.UserId.keyword', 'origin.user.keyword'
+                                ),
+                                'log.o365.ResultStatus.keyword', 'actionResult.keyword'
+                        ),
+                        'log.o365.LogonError.keyword', 'log.logonError.keyword'
+                          )
+            WHERE filters IS NOT NULL;
+
+                UPDATE utm_visualization
+                SET
+                    aggregation = REPLACE(
+                            REPLACE(
+                                    REPLACE(
+                                            REPLACE(
+                                                    REPLACE(aggregation, 'log.o365.Operation.keyword', 'action.keyword'),
+                                                    'log.o365.ClientIP.keyword', 'log.clientIP.keyword'
+                                            ),
+                                            'log.o365.UserId.keyword', 'origin.user.keyword'
+                                    ),
+                                    'log.o365.ResultStatus.keyword', 'actionResult.keyword'
+                            ),
+                            'log.o365.LogonError.keyword', 'log.logonError.keyword'
+                                  )
+                WHERE aggregation IS NOT NULL;
+
+
+
+                UPDATE utm_visualization
+                SET
+                    filters = REPLACE(
+                            REPLACE(
+                                    REPLACE(
+                                            REPLACE(
+                                                    REPLACE(
+                                                            REPLACE(filters, 'log.o365.Workload.keyword', 'log.Workload.keyword'),
+                                                            'log.o365.Workload', 'log.Workload'
+                                                    ),
+                                                    'log.o365.Verdict.keyword', 'emailVerdict.keyword'
+                                            ),
+                                            'log.o365.SenderIp.keyword', 'origin.ip.keyword'
+                                    ),
+                                    'log.o365.Recipients.keyword', 'log.Recipients.keyword'
+                            ),
+                            'log.o365.Subject.keyword', 'log.Subject.keyword'
+                              )
+                WHERE filters IS NOT NULL;
+
+                UPDATE utm_visualization
+                SET
+                    aggregation = REPLACE(
+                            REPLACE(
+                                    REPLACE(
+                                            REPLACE(
+                                                    REPLACE(
+                                                            REPLACE(aggregation, 'log.o365.Workload.keyword', 'log.Workload.keyword'),
+                                                            'log.o365.Workload', 'log.Workload'
+                                                    ),
+                                                    'log.o365.Verdict.keyword', 'emailVerdict.keyword'
+                                            ),
+                                            'log.o365.SenderIp.keyword', 'origin.ip.keyword'
+                                    ),
+                                    'log.o365.Recipients.keyword', 'log.Recipients.keyword'
+                            ),
+                            'log.o365.Subject.keyword', 'log.Subject.keyword'
+                                  )
+                WHERE aggregation IS NOT NULL;
+
+            ]]>
+        </sql>
+    </changeSet>
+</databaseChangeLog>

backend/src/main/resources/config/liquibase/changelog/20251218002_rename_filter_fields_dashboard.xml

@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="utf-8"?>
+<databaseChangeLog
+    xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.5.xsd">
+
+    <changeSet id="20251218002" author="Manuel Abascal">
+
+        <sql dbms="postgresql" splitStatements="true" stripComments="true">
+            <![CDATA[
+
+            UPDATE utm_dashboard
+            SET filters = REPLACE(filters, '"indexPattern":"log-o365-', '"indexPattern":"v11-log-o365-');
+
+            UPDATE utm_dashboard
+            SET filters = REPLACE(filters, '"indexPattern":"alert-', '"indexPattern":"v11-alert-');
+
+            UPDATE utm_dashboard
+            SET filters = REPLACE(filters, '"indexPattern":"log-firewall-meraki-', '"indexPattern":"v11-log-firewall-meraki-');
+
+            UPDATE utm_dashboard
+            SET filters = REPLACE(filters, '"indexPattern":"log-wineventlog-', '"indexPattern":"v11-log-wineventlog-');
+
+            UPDATE utm_dashboard
+            SET filters = REPLACE(filters, '"indexPattern":"log-linux-', '"indexPattern":"v11-log-linux-');
+
+            UPDATE utm_dashboard
+            SET filters = REPLACE(filters, '"indexPattern":"log-cisco-switch-', '"indexPattern":"v11-log-cisco-switch-');
+
+            UPDATE utm_dashboard
+            SET filters = REPLACE(filters, '"indexPattern":"log-firewall-cisco-asa-', '"indexPattern":"v11-log-firewall-cisco-asa-');
+
+            UPDATE utm_dashboard
+            SET filters = REPLACE(filters, '"indexPattern":"log-aws-', '"indexPattern":"v11-log-aws-');
+
+            UPDATE utm_dashboard
+            SET filters = REPLACE(filters, '"field":"ogx.wineventlog.event_data.SubjectUserName.keyword"', '"field":"log.winlogEventDataSubjectUserName"');
+
+            UPDATE utm_dashboard
+            SET filters = REPLACE(filters, '"field":"logx.tenant.keyword"', '"field":"tenantId.keyword"');
+
+            UPDATE utm_dashboard
+            SET filters = REPLACE(filters, '"field":"logx.o365.UserId.keyword"', '"field":"origin.user.keyword"');
+
+            UPDATE utm_dashboard
+            SET filters = REPLACE(filters, '"field":"logx.linux.host.name.keyword"', '"field":"origin.host.keyword"');
+
+            UPDATE utm_dashboard
+            SET filters = REPLACE(filters, '"field":"logx.wineventlog.event_data.TargetUserName.keyword"', '"field":"target.user.keyword"');
+
+            UPDATE utm_dashboard
+            SET filters = REPLACE(filters, '"field":"log.winlogEventDataSubjectUserName"', '"field":"log.winlogEventDataSubjectUserName.keyword"');
+
+            ]]>
+        </sql>
+    </changeSet>
+</databaseChangeLog>