OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Hunting Queries/UniFiCloudDeviceFlapping.yaml
description: |
  Devices that transitioned between online and offline more than 4 times in 24 hours, counted as 30-minute windows in which the device reported more than one status. Flapping can indicate intermittent connectivity, hardware failure, environmental issues, or active interference targeting the device.
id: 0f489145-b472-a821-a166-a6c68e346ad2
version: 1.0.0
requiredDataConnectors:
  - dataTypes:
      - Unifi_SiteManager_Devices_CL
    connectorId: UniFiSiteManagerConnectorDefinition
kind: HuntingQuery
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: HostName
query: |
  Unifi_SiteManager_Devices_CL
  | where TimeGenerated > ago(24h)
  | extend StatusBin = bin(TimeGenerated, 30m)
  | summarize Statuses = make_set(Status) by Id, Name, Model, ProductLine, StatusBin
  | where array_length(Statuses) > 1
  | summarize Flaps = count() by Id, HostName = Name, Model, ProductLine
  | where Flaps > 4
  | order by Flaps desc
relevantTechniques:
  - T1498
tactics:
  - Impact
name: 'UniFi Site Manager: Devices flapping online/offline'
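The following Python re-implements the hunting query's logic over constructed sample rows so the two-stage summarize can be checked offline. It is an added example, not part of the Sentinel solution; the device names, models and timestamps are invented, and `kql_bin` mirrors KQL `bin()` (floor to a multiple of the bin size since the epoch).

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
BIN_SIZE = timedelta(minutes=30)   # | extend StatusBin = bin(TimeGenerated, 30m)
LOOKBACK = timedelta(hours=24)     # | where TimeGenerated > ago(24h)
FLAP_THRESHOLD = 4                 # | where Flaps > 4


def kql_bin(ts, size):
    """Mimic KQL bin(): floor a datetime to a multiple of `size` since the epoch."""
    epoch = datetime(1970, 1, 1, tzinfo=UTC)
    return epoch + ((ts - epoch) // size) * size


def find_flapping_devices(rows, now, bin_size=BIN_SIZE, lookback=LOOKBACK,
                          threshold=FLAP_THRESHOLD):
    """Run the query over dict rows with keys
    TimeGenerated, Id, Name, Model, ProductLine, Status."""
    # First summarize: the set of statuses seen per device per 30-minute bin.
    statuses_per_bin = defaultdict(set)
    for r in rows:
        if r["TimeGenerated"] <= now - lookback:   # outside ago(24h)
            continue
        device = (r["Id"], r["Name"], r["Model"], r["ProductLine"])
        bin_key = (device, kql_bin(r["TimeGenerated"], bin_size))
        statuses_per_bin[bin_key].add(r["Status"])

    # Second summarize: count bins in which the device reported >1 status.
    flaps = defaultdict(int)
    for (device, _bin_start), seen in statuses_per_bin.items():
        if len(seen) > 1:
            flaps[device] += 1

    results = [
        {"Id": d[0], "HostName": d[1], "Model": d[2], "ProductLine": d[3], "Flaps": n}
        for d, n in flaps.items() if n > threshold
    ]
    results.sort(key=lambda r: r["Flaps"], reverse=True)   # | order by Flaps desc
    return results


# ---- constructed sample data (hypothetical devices and times) ----
def _t(day, hour, minute):
    return datetime(2024, 1, day, hour, minute, tzinfo=UTC)


def _device(dev_id, name, model, line, start, step, statuses):
    return [{"TimeGenerated": start + i * step, "Id": dev_id, "Name": name,
             "Model": model, "ProductLine": line, "Status": s}
            for i, s in enumerate(statuses)]


NOW = _t(2, 12, 0)
SAMPLE_ROWS = (
    # ap-lobby: alternates every 10 min for 3 h -> 6 bins with both statuses
    _device("dev-a", "ap-lobby", "U6-Pro", "network", _t(2, 9, 0),
            timedelta(minutes=10), ["online", "offline"] * 9)
    # sw-core: drops once and stays down -> only 1 mixed bin
    + _device("dev-b", "sw-core", "USW-Pro-24", "network", _t(2, 10, 0),
              timedelta(minutes=5), ["online"] + ["offline"] * 12)
    # ap-boundary: flips exactly on 30-min boundaries -> 0 mixed bins
    + _device("dev-c", "ap-boundary", "U6-Lite", "network", _t(2, 7, 0),
              timedelta(minutes=30), ["online", "offline"] * 5)
    # ap-old: same pattern as ap-lobby but two days ago -> outside ago(24h)
    + _device("dev-d", "ap-old", "U6-Pro", "network", _t(1, 9, 0) - timedelta(days=1),
              timedelta(minutes=10), ["online", "offline"] * 9)
)

if __name__ == "__main__":
    for hit in find_flapping_devices(SAMPLE_ROWS, NOW):
        print(hit)
```

Only `ap-lobby` is returned. The `ap-boundary` device shows the query's blind spot: a device whose status changes land in different 30-minute bins contributes one status per bin and is never counted, so a slow, regular flap can fall below the threshold; shrinking the bin or counting adjacent-bin status changes with `prev()` would catch it at the cost of more noise.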