OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Hunting Queries/UniFiCloudFirmwareDriftHotspots.yaml
description: |
  Devices behind on firmware updates, ranked by product line and model. Identifies the models where firmware drift is concentrated, which points to either a vendor-side release delay or operational neglect. Every unpatched device is attack surface for the CVEs fixed in the newer firmware.
id: 1d767977-460a-29c3-06f7-799a91a80daf
version: 1.0.0
requiredDataConnectors:
  - dataTypes:
      - Unifi_SiteManager_Devices_CL
    connectorId: UniFiSiteManagerConnectorDefinition
kind: HuntingQuery
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: SampleDevice
query: |
  // Take the most recent record per device from the last two hours
  Unifi_SiteManager_Devices_CL
  | where TimeGenerated > ago(2h)
  | summarize arg_max(TimeGenerated, *) by Id
  // Keep only devices behind on firmware; case-insensitive to match the =~ comparisons below
  | where FirmwareStatus in~ ("UpdateAvailable", "updatePending")
  // Aggregate per model and product line to find where drift is concentrated
  | summarize Devices=count(),
      SampleDevice = take_any(Name),
      ['Pending updates'] = countif(FirmwareStatus =~ "updatePending"),
      ['Updates available'] = countif(FirmwareStatus =~ "UpdateAvailable")
    by Model = Model, ['Product line'] = ProductLine
  | order by Devices desc
relevantTechniques:
  - T1595
tactics:
  - Reconnaissance
name: 'UniFi Site Manager: Firmware drift hotspots'