Microsoft Sentinel Analytic Rules
cloudbrothers.info Azure Sentinel Repo

UniFi Site Manager: Console firmware likely security-relevant

Id: 4f7b9e6c-5d1a-4392-8c2b-3e4f5a6b7c8d
Rulename: UniFi Site Manager: Console firmware likely security-relevant
Description: Identifies UniFi console / gateway devices (UDM, Cloud Key, USG, UXG, gateway) whose firmware is a major or minor version behind the available release. Major and minor console firmware releases routinely carry the fixes published in UniFi Security Advisory Bulletins. Patch-level updates are excluded: those are typically minor, non-security bug fixes and are covered by the lower-severity FirmwareUpdateAvailable rule.
Severity: High
Tactics: InitialAccess
Techniques: T1190
Required data connectors: UniFiSiteManagerConnectorDefinition
Kind: Scheduled
Query frequency: 6h
Query period: 6h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudConsoleSecurityFirmwareGap.yaml
Version: 1.0.0
Arm template: 4f7b9e6c-5d1a-4392-8c2b-3e4f5a6b7c8d.json
// Detects consoles/gateways with a major-or-minor firmware Version gap vs the available release.
// Patch-level gaps (e.g. 5.1.11 -> 5.1.12) are excluded - covered by FirmwareUpdateAvailable at Low severity.
Unifi_SiteManager_Devices_CL
| where TimeGenerated > ago(6h)
| summarize arg_max(TimeGenerated, *) by Id
| where IsConsole == true
| where FirmwareStatus == "updateAvailable"
| where isnotempty(Version) and isnotempty(UpdateAvailable)
| extend
    currentMajor = toint(extract(@"^(\d+)\.", 1, Version)),
    currentMinor = toint(extract(@"^\d+\.(\d+)", 1, Version)),
    availableMajor = toint(extract(@"^(\d+)\.", 1, UpdateAvailable)),
    availableMinor = toint(extract(@"^\d+\.(\d+)", 1, UpdateAvailable))
| where isnotnull(currentMajor) and isnotnull(availableMajor)
| where (availableMajor > currentMajor) or (availableMajor == currentMajor and availableMinor > currentMinor)
| extend GapType = iff(availableMajor > currentMajor, "major", "minor")
| extend
    TimeGenerated = now(),
    Activity = strcat('Console ', Name, ' running ', Version, ' - likely security-relevant ', GapType, ' update available to ', UpdateAvailable)
| project
    TimeGenerated,
    DeviceId = Id,
    DeviceName = Name,
    Model = Model,
    ProductLine = ProductLine,
    CurrentVersion = Version,
    AvailableVersion = UpdateAvailable,
    GapType,
    Activity
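To check the gap logic before enabling the rule, the following KQL is added here as a test harness; it is not part of the Azure-Sentinel solution. It substitutes a constructed datatable for Unifi_SiteManager_Devices_CL and then runs the rule's own pipeline over it unchanged. Every device id, name, model and version in the rows is made up; the column names are the ones the rule reads, and an extra Age column (an assumption of this harness) is turned into TimeGenerated so the ago(6h) window behaves the same whenever the test is run.

```kql
// Added test harness: constructed rows standing in for Unifi_SiteManager_Devices_CL.
// Device ids, names, models and versions are made up; columns match what the rule reads.
// Age is how long ago the row was ingested; TimeGenerated is derived from it below
// so the rule's ago(6h) window behaves the same no matter when the test is run.
let TestDevices = datatable(Age:timespan, Id:string, Name:string, Model:string, ProductLine:string, IsConsole:bool, FirmwareStatus:string, Version:string, UpdateAvailable:string)
[
    // con-01: major gap (3.x -> 4.x)
    10m, "con-01", "udm-pro-hq",    "UDMPRO",  "network", true,  "updateAvailable", "3.2.12",  "4.0.6",
    // con-02: minor gap (3.1 -> 3.2)
    10m, "con-02", "uck-g2-branch", "UCKG2",   "network", true,  "updateAvailable", "3.1.15",  "3.2.12",
    // con-03: patch-level gap only (4.0.5 -> 4.0.6), left to FirmwareUpdateAvailable
    10m, "con-03", "uxg-lite-lab",  "UXGLITE", "network", true,  "updateAvailable", "4.0.5",   "4.0.6",
    // con-01 again, stale row with older firmware: arg_max must keep only the newest row per Id
    5h,  "con-01", "udm-pro-hq",    "UDMPRO",  "network", true,  "updateAvailable", "2.5.17",  "4.0.6",
    // ap-01: access point, not a console
    10m, "ap-01",  "u6-lr-lobby",   "U6LR",    "network", false, "updateAvailable", "6.5.28",  "6.6.77",
    // con-04: console already current, UpdateAvailable is empty
    10m, "con-04", "udm-se-dc",     "UDMSE",   "network", true,  "upToDate",        "4.0.6",   "",
    // con-05: unparsable Version, toint() yields null and the isnotnull guard drops it
    10m, "con-05", "usg-legacy",    "USG",     "network", true,  "updateAvailable", "unknown", "4.4.57",
    // con-06: older than the 6h query window
    7h,  "con-06", "udm-old-row",   "UDM",     "network", true,  "updateAvailable", "1.12.0",  "3.2.12"
];
TestDevices
| extend TimeGenerated = now() - Age
| project-away Age
// From here on the pipeline is the rule's own query, unchanged.
| where TimeGenerated > ago(6h)
| summarize arg_max(TimeGenerated, *) by Id
| where IsConsole == true
| where FirmwareStatus == "updateAvailable"
| where isnotempty(Version) and isnotempty(UpdateAvailable)
| extend
    currentMajor = toint(extract(@"^(\d+)\.", 1, Version)),
    currentMinor = toint(extract(@"^\d+\.(\d+)", 1, Version)),
    availableMajor = toint(extract(@"^(\d+)\.", 1, UpdateAvailable)),
    availableMinor = toint(extract(@"^\d+\.(\d+)", 1, UpdateAvailable))
| where isnotnull(currentMajor) and isnotnull(availableMajor)
| where (availableMajor > currentMajor) or (availableMajor == currentMajor and availableMinor > currentMinor)
| extend GapType = iff(availableMajor > currentMajor, "major", "minor")
| extend
    TimeGenerated = now(),
    Activity = strcat('Console ', Name, ' running ', Version, ' - likely security-relevant ', GapType, ' update available to ', UpdateAvailable)
| project
    TimeGenerated,
    DeviceId = Id,
    DeviceName = Name,
    Model = Model,
    ProductLine = ProductLine,
    CurrentVersion = Version,
    AvailableVersion = UpdateAvailable,
    GapType,
    Activity
| order by DeviceId asc
```

Paste this into the Logs blade of the workspace. With these rows only con-01 (GapType major) and con-02 (GapType minor) survive; every other row exercises one of the rule's exclusions, and the stale con-01 row shows why the arg_max step matters, since without it the same console would alert twice with different current versions. Because the regexes anchor on the first two dotted components only, a four-part build string such as 4.0.6.1234 still parses the same way as 4.0.6. Re-running the rule's pipeline against a datatable like this is the quickest way to confirm that a change to the version regex or the gap logic still separates patch-level updates from the ones this rule escalates.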
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DeviceName
  - identifier: NetBiosName
    columnName: DeviceId
tactics:
- InitialAccess
requiredDataConnectors:
- dataTypes:
  - Unifi_SiteManager_Devices_CL
  connectorId: UniFiSiteManagerConnectorDefinition
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    lookbackDuration: P1D
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
id: 4f7b9e6c-5d1a-4392-8c2b-3e4f5a6b7c8d
severity: High
subTechniques: []
status: Available
query: |
  // Detects consoles/gateways with a major-or-minor firmware Version gap vs the available release.
  // Patch-level gaps (e.g. 5.1.11 -> 5.1.12) are excluded - covered by FirmwareUpdateAvailable at Low severity.
  Unifi_SiteManager_Devices_CL
  | where TimeGenerated > ago(6h)
  | summarize arg_max(TimeGenerated, *) by Id
  | where IsConsole == true
  | where FirmwareStatus == "updateAvailable"
  | where isnotempty(Version) and isnotempty(UpdateAvailable)
  | extend
      currentMajor = toint(extract(@"^(\d+)\.", 1, Version)),
      currentMinor = toint(extract(@"^\d+\.(\d+)", 1, Version)),
      availableMajor = toint(extract(@"^(\d+)\.", 1, UpdateAvailable)),
      availableMinor = toint(extract(@"^\d+\.(\d+)", 1, UpdateAvailable))
  | where isnotnull(currentMajor) and isnotnull(availableMajor)
  | where (availableMajor > currentMajor) or (availableMajor == currentMajor and availableMinor > currentMinor)
  | extend GapType = iff(availableMajor > currentMajor, "major", "minor")
  | extend
      TimeGenerated = now(),
      Activity = strcat('Console ', Name, ' running ', Version, ' - likely security-relevant ', GapType, ' update available to ', UpdateAvailable)
  | project
      TimeGenerated,
      DeviceId = Id,
      DeviceName = Name,
      Model = Model,
      ProductLine = ProductLine,
      CurrentVersion = Version,
      AvailableVersion = UpdateAvailable,
      GapType,
      Activity
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudConsoleSecurityFirmwareGap.yaml
kind: Scheduled
queryPeriod: 6h
version: 1.0.0
name: 'UniFi Site Manager: Console firmware likely security-relevant'
queryFrequency: 6h
triggerThreshold: 0
relevantTechniques:
- T1190
description: |
    Identifies UniFi console / gateway devices (UDM, Cloud Key, USG, UXG, gateway) whose firmware is a major or minor version behind the available release. Major and minor console firmware releases routinely carry the fixes published in UniFi Security Advisory Bulletins. Patch-level updates are excluded: those are typically minor, non-security bug fixes and are covered by the lower-severity FirmwareUpdateAvailable rule.
triggerOperator: gt