
UniFi Site Manager ISP High Latency

Id: 77d8f6d0-b45c-ea6e-7c58-daac194a095f
Rule name: UniFi Site Manager: ISP High Latency
Description: Identifies when a site's ISP (WAN) latency exceeds the rule's thresholds — a period average above 200 ms or a period peak above 1000 ms — in at least two reporting periods within the 30-minute query window; sustained latency of that size degrades VoIP quality, video conferencing, and overall application performance.
Severity: Medium
Tactics: Impact
Techniques: T1498
T1499
Required data connectors: UniFiSiteManagerConnectorDefinition
Kind: Scheduled
Query frequency: 15m
Query period: 30m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudISPHighLatency.yaml
Version: 1.0.1
Arm template: 77d8f6d0-b45c-ea6e-7c58-daac194a095f.json
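// UniFi ISP High Latency Detection
//
// Emits one row per (site, ISP name, ISP ASN) whose WAN latency, as reported in the
// Unifi_SiteManager_ISPMetrics_CL table, breached a threshold in at least
// SustainedPeriodCount distinct metric periods inside the lookback window.
//
// Tunables. Latency values are treated as milliseconds (the output columns are
// named *Ms on that assumption).
let AvgLatencyThreshold = 200;    // a period whose average latency exceeds this counts as a breach
let MaxLatencyThreshold = 1000;   // a period whose peak latency exceeds this counts as a breach
let SustainedPeriodCount = 2;     // distinct breaching periods required before a row is emitted
let LookbackWindow = 30m;         // must match the rule's queryPeriod; used for both the ingestion and the metric-time filter
Unifi_SiteManager_ISPMetrics_CL
| where TimeGenerated > ago(LookbackWindow)
// Each ingested row carries an array of per-period samples; expand to one row per period.
| mv-expand period = Periods
| extend
    metricTime = todatetime(period.metricTime),
    // NOTE(review): toint() on a fractional value (e.g. 23.4) does not keep the decimal part —
    // confirm the feed reports whole milliseconds, otherwise toreal() is the safer conversion.
    avgLatency = toint(period.data.wan.avgLatency),
    maxLatency = toint(period.data.wan.maxLatency),
    ispName = tostring(period.data.wan.ispName),
    ispAsn = tostring(period.data.wan.ispAsn)
// De-duplicate: successive polls re-deliver the same period buckets, so keep only the most
// recently ingested sample for each (site, ISP, metricTime). SiteId is named explicitly so the
// later summarize/project can refer to it without relying on Kusto's inferred column naming.
| summarize arg_max(TimeGenerated, avgLatency, maxLatency, ispAsn) by SiteId = tostring(SiteId), ispName, metricTime
// Only count periods whose own timestamp is inside the window: a poll may carry buckets
// older than the window even though the row itself was ingested recently.
| where metricTime > ago(LookbackWindow)
| where avgLatency > AvgLatencyThreshold or maxLatency > MaxLatencyThreshold
| summarize
    EventCount = count(),
    AvgLatency = avg(avgLatency),
    MaxLatency = max(maxLatency),
    FirstSeen = min(metricTime),
    LastSeen = max(metricTime)
    by SiteId, ispName, ispAsn
// NOTE(review): if Periods are hourly buckets (the de-duplication comment above refers to hour
// buckets), a 30m window holds at most one metricTime per site and this condition can never be
// met — confirm the interval the connector requests, or widen LookbackWindow/queryPeriod.
| where EventCount >= SustainedPeriodCount
| extend
    TimeGenerated = now(),           // alert time is the run time, not the metric time
    AvgLatencyRounded = round(AvgLatency, 1)
| project
    TimeGenerated,
    SiteId,
    ISPName = ispName,
    ISPAsn = ispAsn,
    AvgLatencyMs = AvgLatencyRounded,
    MaxLatencyMs = MaxLatency,
    EventCount,
    FirstSeen,
    LastSeen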
# Entities attached to each alert. The query's SiteId column is a UniFi site identifier, not a
# machine name; mapping it as Host.HostName means Sentinel will key Host entities on that id —
# NOTE(review): confirm this is intended, otherwise a custom detail may fit better.
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: SiteId
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: ISPName
tactics:
- Impact
requiredDataConnectors:
- dataTypes:
  - Unifi_SiteManager_ISPMetrics_CL
  connectorId: UniFiSiteManagerConnectorDefinition
# The query runs every 15m over a 30m window, so the same breaching periods can surface in two
# consecutive runs; grouping below is what folds those repeats into one incident.
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    lookbackDuration: PT4H          # alerts within 4h that match on entities join the same incident
    reopenClosedIncident: false     # a new alert after closure opens a fresh incident instead
    matchingMethod: AllEntities     # all mapped entities (SiteId and ISPName) must match to group
  createIncident: true
id: 77d8f6d0-b45c-ea6e-7c58-daac194a095f
severity: Medium
# High latency is a symptom; these DoS sub-techniques describe a possible cause, not a confirmed one.
subTechniques:
- T1498.001
- T1499.002
status: Available
# Detection logic (thresholds are in milliseconds; see the let statements at the top).
query: |
  // UniFi ISP High Latency Detection
  let AvgLatencyThreshold = 200;
  let MaxLatencyThreshold = 1000;
  let SustainedPeriodCount = 2;
  Unifi_SiteManager_ISPMetrics_CL
  | where TimeGenerated > ago(30m)
  | mv-expand period = Periods
  | extend
      metricTime = todatetime(period.metricTime),
      avgLatency = toint(period.data.wan.avgLatency),
      maxLatency = toint(period.data.wan.maxLatency),
      ispName = tostring(period.data.wan.ispName),
      ispAsn = tostring(period.data.wan.ispAsn)
  // De-duplicate Periods: each poll returns the same hour buckets, so collapse to latest value per metricTime
  | summarize arg_max(TimeGenerated, avgLatency, maxLatency, ispAsn) by tostring(SiteId), ispName, metricTime
  | where metricTime > ago(30m)
  | where avgLatency > AvgLatencyThreshold or maxLatency > MaxLatencyThreshold
  | summarize
      EventCount = count(),
      AvgLatency = avg(avgLatency),
      MaxLatency = max(maxLatency),
      FirstSeen = min(metricTime),
      LastSeen = max(metricTime)
      by SiteId, ispName, ispAsn
  | where EventCount >= SustainedPeriodCount
  | extend 
      TimeGenerated = now(),
      AvgLatencyRounded = round(AvgLatency, 1)
  | project
      TimeGenerated,
      SiteId = SiteId,
      ISPName = ispName,
      ISPAsn = ispAsn,
      AvgLatencyMs = AvgLatencyRounded,
      MaxLatencyMs = MaxLatency,
      EventCount,
      FirstSeen,
      LastSeen  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudISPHighLatency.yaml
kind: Scheduled
queryPeriod: 30m                  # the query hard-codes ago(30m) twice; keep both in step with this value
version: 1.0.1
name: 'UniFi Site Manager: ISP High Latency'
queryFrequency: 15m
triggerThreshold: 0               # with operator gt: alert whenever the query returns at least one row
relevantTechniques:
- T1498
- T1499
description: |
    Identifies when ISP latency exceeds acceptable thresholds, impacting VoIP quality, video conferencing, and overall application performance.
triggerOperator: gt