Microsoft Sentinel Analytic Rules

UniFi Site Manager ISP Packet Loss

Id6f2d71d6-e6c4-0da4-91da-e8192dc5b12c
RulenameUniFi Site Manager: ISP Packet Loss
DescriptionIdentifies WAN metric periods in which ISP packet loss reaches the rule's thresholds (5 in any single period, 10 summed across the 30-minute query window). Even small loss percentages can significantly degrade VoIP calls and video conferencing quality. Packet loss by itself is an availability symptom rather than evidence of the denial-of-service techniques this rule maps to (T1498/T1499); corroborate with traffic volume, latency and ISP status before treating an incident as an attack.
SeverityMedium
TacticsImpact
TechniquesT1498
T1499
Required data connectorsUniFiSiteManagerConnectorDefinition
KindScheduled
Query frequency15m
Query period30m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudISPPacketLoss.yaml
Version1.0.1
Arm template6f2d71d6-e6c4-0da4-91da-e8192dc5b12c.json
// UniFi ISP Packet Loss Detection
//
// Flags a site/ISP pair whose WAN packet loss, as reported by the UniFi Site
// Manager ISP metrics table, reaches PacketLossThreshold in at least one
// metric period inside the last 30 minutes and sums to MinTotalPacketLoss
// across those periods. Emits one row per SiteId/ispName/ispAsn; the
// scheduled rule fires when any row is returned (trigger: gt 0).
//
// Units are inferred from the field names and the rule description (loss
// reported as a percentage per period) — the feed schema is not visible here.
let PacketLossThreshold = 5;   // minimum loss in a single period for it to count
let MinTotalPacketLoss = 10;   // minimum summed loss across the counted periods
Unifi_SiteManager_ISPMetrics_CL
| where TimeGenerated > ago(30m)
// Each ingested row carries an array of periods; unpack to one row per period.
| mv-expand period = Periods
| extend
    metricTime = todatetime(period.metricTime),
    // NOTE(review): toint() truncates. If packetLoss is ever fractional
    // (e.g. 4.9, or a 0..1 ratio rather than a percentage) it is rounded down
    // before the threshold compare and can silently suppress alerts — confirm
    // the feed's numeric type before relying on the threshold of 5.
    packetLoss = toint(period.data.wan.packetLoss),
    ispName = tostring(period.data.wan.ispName),
    ispAsn = tostring(period.data.wan.ispAsn),
    avgLatency = toint(period.data.wan.avgLatency)
// De-duplicate Periods: each poll returns the same hour buckets, so collapse to latest value per metricTime
// (arg_max keeps the values from the most recent row, i.e. highest TimeGenerated, for each period).
| summarize arg_max(TimeGenerated, packetLoss, avgLatency, ispAsn) by tostring(SiteId), ispName, metricTime
// NOTE(review): this filters on the period's own timestamp, not on ingestion
// time. If metricTime is the start of an hourly bucket (see the comment above),
// a 30m window only admits the current bucket during the first half of each
// hour, and never admits a bucket that is reported after it closes — validate
// against live data and widen the window if that is the case.
| where metricTime > ago(30m)
| where packetLoss >= PacketLossThreshold
// Aggregate the periods that crossed the per-period threshold, per site/ISP.
// TotalPacketLoss is a sum of per-period loss values, not itself a percentage.
| summarize
    TotalPacketLoss = sum(packetLoss),
    EventCount = count(),
    AvgLatency = avg(avgLatency),
    FirstSeen = min(metricTime),
    LastSeen = max(metricTime)
    by SiteId, ispName, ispAsn
| where TotalPacketLoss >= MinTotalPacketLoss
// Stamp the alert with the run time instead of the arg_max'd row timestamp.
| extend TimeGenerated = now()
| project
    TimeGenerated,
    SiteId = SiteId,
    ISPName = ispName,
    ISPAsn = ispAsn,
    TotalPacketLoss,
    EventCount,
    AvgLatencyMs = round(AvgLatency, 1),
    FirstSeen,
    LastSeen
# Microsoft Sentinel scheduled analytic rule, as shipped in the Azure-Sentinel
# repo (path in OriginalUri below). Lines marked NOTE(review) are reviewer
# observations, not documented behaviour of the rule.
#
# NOTE(review): SiteId appears to be a UniFi site identifier rather than a host
# name, and ISPName is a carrier rather than a cloud application. The mappings
# give the incident entities to group on (see incidentConfiguration) but are
# unlikely to correlate with genuine Host / CloudApplication entities produced
# by other connectors — consider whether a different entity type fits better.
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: SiteId
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: ISPName
tactics:
- Impact
# Only the ISP-metrics custom table is read. SiteId is a top-level column; the
# per-period fields are unpacked from its dynamic Periods array by the query.
requiredDataConnectors:
- dataTypes:
  - Unifi_SiteManager_ISPMetrics_CL
  connectorId: UniFiSiteManagerConnectorDefinition
# The query runs every 15m over a 30m window, so one metric period can be
# returned by two consecutive runs. Grouping on all mapped entities with a 4h
# lookback folds those repeats into a single incident. reopenClosedIncident is
# false, so an incident an analyst closes stays closed (per Sentinel's grouping
# semantics, continued loss should then open a new incident).
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    lookbackDuration: PT4H
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
id: 6f2d71d6-e6c4-0da4-91da-e8192dc5b12c
severity: Medium
# NOTE(review): packet loss on its own is an availability symptom; mapping it to
# DoS sub-techniques is a hypothesis for the analyst to corroborate (traffic
# volume, latency, ISP status), not a finding.
subTechniques:
- T1498.001
- T1499.002
status: Available
# Thresholds: loss of at least 5 in any single period, and at least 10 summed
# across qualifying periods per site/ISP. NOTE(review): the second
# `where metricTime > ago(30m)` filters on the period's own timestamp; if
# periods are hourly buckets (as the in-query comment says) a 30m window can
# miss the current bucket for much of each hour — validate against live data.
query: |
  // UniFi ISP Packet Loss Detection
  let PacketLossThreshold = 5;
  let MinTotalPacketLoss = 10;
  Unifi_SiteManager_ISPMetrics_CL
  | where TimeGenerated > ago(30m)
  | mv-expand period = Periods
  | extend
      metricTime = todatetime(period.metricTime),
      packetLoss = toint(period.data.wan.packetLoss),
      ispName = tostring(period.data.wan.ispName),
      ispAsn = tostring(period.data.wan.ispAsn),
      avgLatency = toint(period.data.wan.avgLatency)
  // De-duplicate Periods: each poll returns the same hour buckets, so collapse to latest value per metricTime
  | summarize arg_max(TimeGenerated, packetLoss, avgLatency, ispAsn) by tostring(SiteId), ispName, metricTime
  | where metricTime > ago(30m)
  | where packetLoss >= PacketLossThreshold
  | summarize
      TotalPacketLoss = sum(packetLoss),
      EventCount = count(),
      AvgLatency = avg(avgLatency),
      FirstSeen = min(metricTime),
      LastSeen = max(metricTime)
      by SiteId, ispName, ispAsn
  | where TotalPacketLoss >= MinTotalPacketLoss
  | extend TimeGenerated = now()
  | project
      TimeGenerated,
      SiteId = SiteId,
      ISPName = ispName,
      ISPAsn = ispAsn,
      TotalPacketLoss,
      EventCount,
      AvgLatencyMs = round(AvgLatency, 1),
      FirstSeen,
      LastSeen  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudISPPacketLoss.yaml
kind: Scheduled
# queryPeriod is larger than queryFrequency; that overlap is what makes the
# incident grouping above necessary.
queryPeriod: 30m
version: 1.0.1
name: 'UniFi Site Manager: ISP Packet Loss'
queryFrequency: 15m
# Fire whenever the query returns at least one row (gt 0).
triggerThreshold: 0
relevantTechniques:
- T1498
- T1499
description: |
    Identifies when WAN packet loss occurs. Even small loss percentages can significantly degrade VoIP calls and video conferencing quality.
triggerOperator: gt