Microsoft Sentinel Analytic Rules

UniFi Site Manager: IPS/IDS disabled or misconfigured

Id: 36a64027-729e-51d7-16bf-8e926c03712a
Rule name: UniFi Site Manager: IPS/IDS disabled or misconfigured
Description: Identifies when a UniFi gateway threat-protection state transitions away from the expected IPS-active mode, which may indicate admin action or attacker tampering.
Severity: High
Tactics: DefenseEvasion
Techniques: T1562
Required data connectors: UniFiSiteManagerConnectorDefinition
Kind: Scheduled
Query frequency: 15m
Query period: 45m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudIPSIDSdisabledormisconfigured.yaml
Version: 1.0.1
Arm template: 36a64027-729e-51d7-16bf-8e926c03712a.json
// Detects a per-site downgrade of gateway threat protection by comparing the
// newest Unifi_SiteManager_Sites_CL record from the previous 15-minute window
// with the newest record from the current 15-minute window.
// prev: last-seen IpsMode / InspectionState per site for the window that ended
// 15 minutes ago. arg_max keeps only the newest record per SiteId, so a
// flip-and-revert that happens entirely inside one window is not observed.
let prev = Unifi_SiteManager_Sites_CL
    | where TimeGenerated between (ago(30m) .. ago(15m))
    | summarize arg_max(TimeGenerated, *) by tostring(SiteId)
    | project siteId_s = tostring(SiteId), prevIpsMode = IpsMode, prevInspection = InspectionState;
// Current window: newest record per site from the last 15 minutes.
Unifi_SiteManager_Sites_CL
| where TimeGenerated > ago(15m)
| summarize arg_max(TimeGenerated, *) by tostring(SiteId)
| extend siteId_s = tostring(SiteId)
// Inner join: a site with no record in the previous window (newly onboarded
// site, ingestion gap) is dropped and cannot alert in this run.
| join kind=inner prev on siteId_s
// Fires only on the protective -> degraded transition, so a site that stays
// degraded does not re-alert on later runs. Any value other than 'ips' / 'on'
// (including an empty value) counts as degraded.
| where (IpsMode != 'ips' and prevIpsMode == 'ips')
     or (InspectionState != 'on' and prevInspection == 'on')
| extend Activity = strcat('Threat protection degraded - IpsMode: ', prevIpsMode, ' -> ', IpsMode, ', inspection: ', prevInspection, ' -> ', InspectionState)
| project TimeGenerated, SiteId, SiteName, Activity, prevIpsMode, IpsMode, prevInspection, InspectionState
# Entity mapping: the Host entity's HostName is populated from SiteId and its
# DnsDomain from SiteName, so incidents key on the UniFi site rather than on a
# literal hostname / DNS domain.
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: SiteId
  - identifier: DnsDomain
    columnName: SiteName
tactics:
- DefenseEvasion
requiredDataConnectors:
- dataTypes:
  - Unifi_SiteManager_Sites_CL
  connectorId: UniFiSiteManagerConnectorDefinition
# Alerts whose mapped entities all match within a 5-hour lookback are grouped
# into one incident; a closed incident is not reopened by a new alert.
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
id: 36a64027-729e-51d7-16bf-8e926c03712a
severity: High
subTechniques:
- T1562.001
status: Available
# The query compares the newest record per site in two adjacent 15-minute
# windows and fires only on the protective -> degraded transition (IpsMode
# leaving 'ips' or InspectionState leaving 'on'). A site with no record in the
# earlier window is dropped by the inner join, and a flip-and-revert inside a
# single window is not observed because arg_max keeps one record per window.
query: |
  let prev = Unifi_SiteManager_Sites_CL
      | where TimeGenerated between (ago(30m) .. ago(15m))
      | summarize arg_max(TimeGenerated, *) by tostring(SiteId)
      | project siteId_s = tostring(SiteId), prevIpsMode = IpsMode, prevInspection = InspectionState;
  Unifi_SiteManager_Sites_CL
  | where TimeGenerated > ago(15m)
  | summarize arg_max(TimeGenerated, *) by tostring(SiteId)
  | extend siteId_s = tostring(SiteId)
  | join kind=inner prev on siteId_s
  | where (IpsMode != 'ips' and prevIpsMode == 'ips')
       or (InspectionState != 'on' and prevInspection == 'on')
  | extend Activity = strcat('Threat protection degraded - IpsMode: ', prevIpsMode, ' -> ', IpsMode, ', inspection: ', prevInspection, ' -> ', InspectionState)
  | project TimeGenerated, SiteId, SiteName, Activity, prevIpsMode, IpsMode, prevInspection, InspectionState  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudIPSIDSdisabledormisconfigured.yaml
kind: Scheduled
# queryPeriod is 45m although the query itself only reads back 30m (ago(30m));
# NOTE(review): the extra 15m presumably allows for ingestion delay - confirm.
queryPeriod: 45m
version: 1.0.1
name: 'UniFi Site Manager: IPS/IDS disabled or misconfigured'
# Runs every 15m, matching the two 15-minute comparison windows in the query.
queryFrequency: 15m
# Threshold 0 with operator gt: any returned row raises an alert.
triggerThreshold: 0
relevantTechniques:
- T1562
description: |
    Identifies when a UniFi gateway threat-protection state transitions away from the expected IPS-active mode, which may indicate admin action or attacker tampering.
triggerOperator: gt