OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Hunting Queries/UniFiCloudFirmwareVersionDiversity.yaml
description: |
  Lists device models running more than one distinct firmware version across the estate. This indicates inconsistent patch management: some units are being forgotten or excluded from update windows.
id: 2b0ca272-72fd-c2c2-6728-7f287c22e275
version: 1.0.0
requiredDataConnectors:
  - dataTypes:
      - Unifi_SiteManager_Devices_CL
    connectorId: UniFiSiteManagerConnectorDefinition
kind: HuntingQuery
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: SampleDevice
query: |
  Unifi_SiteManager_Devices_CL
  | where TimeGenerated > ago(2h)
  // Keep only the most recent record per device so each unit is counted once
  | summarize arg_max(TimeGenerated, *) by Id
  // Collapse the per-device rows into one row per hardware model
  | summarize Devices = count(),
              SampleDevice = take_any(Name),
              ['Distinct versions'] = make_set(Version),
              ['Up-to-date count'] = countif(FirmwareStatus =~ "upToDate")
      by Model
  | extend ['Version count'] = array_length(['Distinct versions'])
  // A model on a single version is consistent; surface only models that diverge
  | where ['Version count'] > 1
  | order by ['Version count'] desc, Devices desc
relevantTechniques:
  - T1595
tactics:
  - Reconnaissance
name: 'UniFi Site Manager: Firmware version diversity within a model'