Microsoft Sentinel Analytic Rules

UniFi Site Manager New WAN issue index recorded

Id: 17d09e1b-8a3f-776b-6981-dbe2cc74d097
Rulename: UniFi Site Manager: New WAN issue index recorded
Description: Identifies a newly-recorded UniFi WAN issue index. May indicate ISP problems, hardware fault, or active denial-of-service pressure on the gateway.
Severity: Medium
Tactics: Impact
Techniques: T1498
Required data connectors: UniFiSiteManagerConnectorDefinition
Kind: Scheduled
Query frequency: 15m
Query period: 45m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudNewWANissueindexrecorded.yaml
Version: 1.0.1
Arm template: 17d09e1b-8a3f-776b-6981-dbe2cc74d097.json
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: SiteId
  - identifier: DnsDomain
    columnName: SiteName
tactics:
- Impact
requiredDataConnectors:
- dataTypes:
  - Unifi_SiteManager_Sites_CL
  connectorId: UniFiSiteManagerConnectorDefinition
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
id: 17d09e1b-8a3f-776b-6981-dbe2cc74d097
severity: Medium
subTechniques:
- T1498.001
status: Available
query: |
  // UniFi reports a monotonically-rising wanIssues.count rather than discrete events.
  // Detect a NEW occurrence by checking whether the per-site max(count) has grown
  // in the most recent 15-min window vs the prior 15-min window.
  Unifi_SiteManager_Sites_CL
  | where TimeGenerated > ago(45m)
  | extend siteId_s = tostring(SiteId)
  | where isnotempty(tostring(SiteStatistics.wans.WAN))
  | mv-expand issue = todynamic(tostring(SiteStatistics.wans.WAN.wanIssues))
  | extend issueCount = tolong(issue.count), idx = tolong(issue.index)
  | summarize
      PrevMaxCount = maxif(issueCount, TimeGenerated < ago(15m)),
      CurrentMaxCount = maxif(issueCount, TimeGenerated >= ago(15m)),
      LatestIndex = maxif(idx, TimeGenerated >= ago(15m))
      by siteId_s, SiteName
  | extend PrevMaxCount = coalesce(PrevMaxCount, tolong(0))
  | where CurrentMaxCount > PrevMaxCount
  | extend
      TimeGenerated = now(),
      Delta = CurrentMaxCount - PrevMaxCount,
      Activity = strcat('New WAN issue: count rose from ', PrevMaxCount, ' to ', CurrentMaxCount)
  | project TimeGenerated, SiteId = siteId_s, SiteName, Activity, IssueIndex = LatestIndex, PrevMaxCount, CurrentMaxCount, Delta  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudNewWANissueindexrecorded.yaml
kind: Scheduled
queryPeriod: 45m
version: 1.0.1
name: 'UniFi Site Manager: New WAN issue index recorded'
queryFrequency: 15m
triggerThreshold: 0
relevantTechniques:
- T1498
description: |
    Identifies a newly-recorded UniFi WAN issue index. May indicate ISP problems, hardware fault, or active denial-of-service pressure on the gateway.
triggerOperator: gt