Microsoft Sentinel Analytic Rules

UniFi Site Manager Devices adopted outside business hours

Id: 77bba2d0-92e1-408d-9e43-2d6e5e81538e
Rulename: UniFi Site Manager: Devices adopted outside business hours
Description: New devices adopted into a UniFi site outside business hours (10pm - 6am local time, or weekends). Legitimate admin work usually happens in hours; unattended adoption can be unauthorised hardware joining the network.
Tactics: Persistence
Techniques: T1098
Required data connectors: UniFiSiteManagerConnectorDefinition
Kind: HuntingQuery
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Hunting Queries/UniFiCloudOffHoursDeviceAdoption.yaml
Version: 1.0.0
Arm template: 77bba2d0-92e1-408d-9e43-2d6e5e81538e.json
Unifi_SiteManager_Devices_CL
| where TimeGenerated > ago(30d)
| summarize arg_max(TimeGenerated, *) by Id
| where isnotempty(AdoptionTime)
| extend AdoptedAt = todatetime(AdoptionTime),
         AdoptedHour = hourofday(todatetime(AdoptionTime)),
         AdoptedDow = dayofweek(todatetime(AdoptionTime))
| where (AdoptedHour < 6 or AdoptedHour >= 22) or AdoptedDow in (0d, 6d)
| project HostName=Name, Model=Model, ['Product line']=ProductLine, AdoptedAt, AdoptedHour, IPAddress=Ip
| order by AdoptedAt desc
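To see what the query above actually selects, here is an added Python model of the same logic run over a few constructed device rows. It is example code written for this page, not part of the Azure-Sentinel solution or the UniFi connector, and the sample rows, column values and the helper names are assumptions. It mirrors the KQL step by step (30-day lookback on TimeGenerated, arg_max by Id, empty-AdoptionTime filter, the 06:00-22:00 window and the weekend test in KQL dayofweek numbering where Sunday is 0) and adds one knob the query does not have: a local_offset_hours parameter. The rule description says "local time", but the query evaluates AdoptionTime as stored, which in Log Analytics is normally UTC, so for a site outside UTC the hour boundary drifts unless you shift the timestamp first; the test cases below show a device that is in-hours at UTC but off-hours at UTC-6.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample rows standing in for Unifi_SiteManager_Devices_CL (not real telemetry).
# Each dict is one poll of a device; the same Id recurs across polls, which is why the
# query collapses rows with arg_max(TimeGenerated, *) by Id.
SAMPLE_ROWS = [
    {"TimeGenerated": "2024-05-06T08:00:00Z", "Id": "dev-1", "Name": "ap-lobby",
     "Model": "U6-Pro", "ProductLine": "network", "Ip": "10.0.1.20",
     "AdoptionTime": "2024-05-06T07:45:00Z"},   # Monday 07:45 UTC: in hours at UTC
    {"TimeGenerated": "2024-05-07T03:10:00Z", "Id": "dev-2", "Name": "sw-unknown",
     "Model": "USW-Lite-8-PoE", "ProductLine": "network", "Ip": "10.0.1.77",
     "AdoptionTime": "2024-05-07T02:58:00Z"},   # Tuesday 02:58 UTC: off hours
    {"TimeGenerated": "2024-05-07T09:00:00Z", "Id": "dev-2", "Name": "sw-unknown",
     "Model": "USW-Lite-8-PoE", "ProductLine": "network", "Ip": "10.0.1.78",
     "AdoptionTime": "2024-05-07T02:58:00Z"},   # later poll of dev-2, IP changed
    {"TimeGenerated": "2024-05-05T12:00:00Z", "Id": "dev-3", "Name": "cam-yard",
     "Model": "G4-Bullet", "ProductLine": "protect", "Ip": "10.0.2.5",
     "AdoptionTime": "2024-05-05T11:30:00Z"},   # Sunday: off hours regardless of hour
    {"TimeGenerated": "2024-05-06T10:00:00Z", "Id": "dev-4", "Name": "gw-edge",
     "Model": "UDM-SE", "ProductLine": "network", "Ip": "10.0.0.1",
     "AdoptionTime": ""},                       # no AdoptionTime: dropped by isnotempty()
    {"TimeGenerated": "2024-03-03T02:00:00Z", "Id": "dev-5", "Name": "ap-old",
     "Model": "U6-Lite", "ProductLine": "network", "Ip": "10.0.3.9",
     "AdoptionTime": "2024-03-03T01:00:00Z"},   # Sunday, but outside the 30d lookback
]

# Fixed "now" so the 30-day lookback is deterministic in this example (assumption).
SAMPLE_NOW = "2024-05-10T00:00:00Z"


def parse_ts(value: str) -> datetime:
    """todatetime() equivalent for the ISO-8601 UTC strings used in the sample rows."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def kql_dayofweek(ts: datetime) -> int:
    """KQL dayofweek() numbering: Sunday = 0 ... Saturday = 6 (Python weekday() has Monday = 0)."""
    return (ts.weekday() + 1) % 7


def off_hours_adoptions(rows, now=SAMPLE_NOW, lookback_days=30,
                        local_offset_hours=0, start_hour=6, end_hour=22):
    """Model of the hunting query. local_offset_hours is the addition: the KQL has no
    time-zone shift, so it effectively runs with local_offset_hours=0 (UTC)."""
    cutoff = parse_ts(now) - timedelta(days=lookback_days)

    # where TimeGenerated > ago(30d) | summarize arg_max(TimeGenerated, *) by Id
    latest = {}
    for row in rows:
        seen = parse_ts(row["TimeGenerated"])
        if seen <= cutoff:
            continue
        if row["Id"] not in latest or seen > parse_ts(latest[row["Id"]]["TimeGenerated"]):
            latest[row["Id"]] = row

    hits = []
    for row in latest.values():
        # where isnotempty(AdoptionTime)
        if not row.get("AdoptionTime"):
            continue
        adopted = parse_ts(row["AdoptionTime"]) + timedelta(hours=local_offset_hours)
        hour, dow = adopted.hour, kql_dayofweek(adopted)
        # where (AdoptedHour < 6 or AdoptedHour >= 22) or AdoptedDow in (0d, 6d)
        if hour < start_hour or hour >= end_hour or dow in (0, 6):
            hits.append({
                "HostName": row["Name"], "Model": row["Model"],
                "Product line": row["ProductLine"], "AdoptedAt": adopted,
                "AdoptedHour": hour, "IPAddress": row["Ip"],
            })

    # order by AdoptedAt desc
    hits.sort(key=lambda h: h["AdoptedAt"], reverse=True)
    return hits


if __name__ == "__main__":
    for tz_shift in (0, -6):
        print(f"local_offset_hours={tz_shift}:")
        for hit in off_hours_adoptions(SAMPLE_ROWS, local_offset_hours=tz_shift):
            print("  ", hit["HostName"], hit["AdoptedAt"].isoformat(), hit["IPAddress"])
```

Two things worth noticing when tuning the real rule: the arg_max step means the IP reported for a device is its most recent one, not the one it had at adoption time, and the hour window is only as meaningful as the time zone it is evaluated in, so for a single-site deployment either convert AdoptionTime in the query or accept that "22:00" means 22:00 UTC.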
description: |
    New devices adopted into a UniFi site outside business hours (10pm - 6am local time, or weekends). Legitimate admin work usually happens in hours; unattended adoption can be unauthorised hardware joining the network.
id: 77bba2d0-92e1-408d-9e43-2d6e5e81538e
version: 1.0.0
tactics:
- Persistence
name: 'UniFi Site Manager: Devices adopted outside business hours'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Hunting Queries/UniFiCloudOffHoursDeviceAdoption.yaml
kind: HuntingQuery
query: |
  Unifi_SiteManager_Devices_CL
  | where TimeGenerated > ago(30d)
  | summarize arg_max(TimeGenerated, *) by Id
  | where isnotempty(AdoptionTime)
  | extend AdoptedAt = todatetime(AdoptionTime),
           AdoptedHour = hourofday(todatetime(AdoptionTime)),
           AdoptedDow = dayofweek(todatetime(AdoptionTime))
  | where (AdoptedHour < 6 or AdoptedHour >= 22) or AdoptedDow in (0d, 6d)
  | project HostName=Name, Model=Model, ['Product line']=ProductLine, AdoptedAt, AdoptedHour, IPAddress=Ip
  | order by AdoptedAt desc  
relevantTechniques:
- T1098
requiredDataConnectors:
- dataTypes:
  - Unifi_SiteManager_Devices_CL
  connectorId: UniFiSiteManagerConnectorDefinition
entityMappings:
- fieldMappings:
  - columnName: HostName
    identifier: HostName
  entityType: Host
- fieldMappings:
  - columnName: IPAddress
    identifier: Address
  entityType: IP