Microsoft Sentinel Analytic Rules

UniFi Site Manager Sites with persistent WAN issues

Id: 2dbe3bb8-1522-e491-2eac-72bb0923c5eb
Rulename: UniFi Site Manager: Sites with persistent WAN issues
Description: Sites that have recorded WAN issues in the majority of polls over the last 24 hours. Indicates chronic ISP problems versus transient blips - escalate to provider.
Tactics: Impact
Techniques: T1498
Required data connectors: UniFiSiteManagerConnectorDefinition
Kind: HuntingQuery
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Hunting Queries/UniFiCloudPersistentWANIssues.yaml
Version: 1.0.0
Arm template: 2dbe3bb8-1522-e491-2eac-72bb0923c5eb.json
Unifi_SiteManager_Sites_CL
| where TimeGenerated > ago(24h)
| extend Site = tostring(Meta.name),
         IssueCount = array_length(parse_json(tostring(SiteStatistics.wans.WAN.wanIssues)))
| summarize TotalPolls = count(),
            PollsWithIssues = countif(IssueCount > 0) by HostName = Site
| extend ['Issue rate %'] = round(100.0 * PollsWithIssues / TotalPolls, 1)
| where ['Issue rate %'] > 50 and TotalPolls > 12
| order by ['Issue rate %'] desc
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Hunting Queries/UniFiCloudPersistentWANIssues.yaml
description: |
    Sites that have recorded WAN issues in the majority of polls over the last 24 hours. Indicates chronic ISP problems versus transient blips - escalate to provider.
id: 2dbe3bb8-1522-e491-2eac-72bb0923c5eb
version: 1.0.0
requiredDataConnectors:
- dataTypes:
  - Unifi_SiteManager_Sites_CL
  connectorId: UniFiSiteManagerConnectorDefinition
kind: HuntingQuery
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: HostName
query: |
  Unifi_SiteManager_Sites_CL
  | where TimeGenerated > ago(24h)
  | extend Site = tostring(Meta.name),
           IssueCount = array_length(parse_json(tostring(SiteStatistics.wans.WAN.wanIssues)))
  | summarize TotalPolls = count(),
              PollsWithIssues = countif(IssueCount > 0) by HostName = Site
  | extend ['Issue rate %'] = round(100.0 * PollsWithIssues / TotalPolls, 1)
  | where ['Issue rate %'] > 50 and TotalPolls > 12
  | order by ['Issue rate %'] desc
relevantTechniques:
- T1498
tactics:
- Impact
name: 'UniFi Site Manager: Sites with persistent WAN issues'