Microsoft Sentinel Analytic Rules

UniFi Site Manager Firmware Update Available

Id: 83b88ab5-21ca-5dd2-df91-6db4354f9360
Rulename: UniFi Site Manager: Firmware Update Available
Description: Identifies UniFi devices with firmware updates available. Keeping firmware patched is critical as updates often include security vulnerability fixes.
Severity: Low
Tactics: InitialAccess
Techniques: T1190
Required data connectors: UniFiSiteManagerConnectorDefinition
Kind: Scheduled
Query frequency: 1d
Query period: 1d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudFirmwareUpdateAvailable.yaml
Version: 1.0.2
Arm template: 83b88ab5-21ca-5dd2-df91-6db4354f9360.json
Unifi_SiteManager_Devices_CL
| where TimeGenerated > ago(1d)
| summarize arg_max(TimeGenerated, *) by Id
| where isnotempty(UpdateAvailable)
| extend DeviceDetail = strcat(coalesce(Name, "Unnamed"), " (", Model, ") ", Version, " -> ", UpdateAvailable, " @", Ip)
| summarize
    DevicesNeedingUpdate = count(),
    DeviceList = make_list(DeviceDetail),
    Models = make_set(Model),
    ProductLines = make_set(ProductLine)
| where DevicesNeedingUpdate >= 1
| extend
    TimeGenerated = now(),
    AffectedModels = strcat_array(Models, ", "),
    AffectedProductLines = strcat_array(ProductLines, ", "),
    DeviceListString = strcat_array(DeviceList, "; ")
| extend Activity = strcat(DevicesNeedingUpdate, ' device(s) have firmware updates available: ', AffectedModels)
| project
    TimeGenerated,
    DevicesNeedingUpdate,
    AffectedModels,
    AffectedProductLines,
    Activity,
    DeviceListString
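The query above keeps only the newest record per device Id inside the 1d window, drops devices whose latest record has an empty UpdateAvailable, and collapses the rest into a single summary row. As an added example that is not part of the Sentinel solution or of this page, the following Python models that pipeline over constructed Unifi_SiteManager_Devices_CL rows so the semantics can be checked offline: the arg_max dedupe (a device whose newest record shows it patched is not flagged even if an older record in the window still reported an update), the 1d window cut-off, the coalesce of an empty Name to "Unnamed", and the DevicesNeedingUpdate >= 1 guard, which matters because a KQL summarize with no by-clause over zero input rows still returns one row with count() = 0 that would otherwise satisfy the rule's threshold of 0 / gt on every run. Column names follow the query; the row values, the fixed clock, and the function names are assumptions made for the example.

```python
"""Offline model of the 'UniFi Site Manager: Firmware Update Available' rule logic.

Added example, not part of the Sentinel solution. The record shape follows the
columns the KQL query uses (Id, Name, Model, ProductLine, Version,
UpdateAvailable, Ip, TimeGenerated); the sample rows are constructed.
"""
from datetime import datetime, timedelta, timezone

# Fixed clock (assumption) so the 1d window is reproducible; the query uses ago(1d).
NOW = datetime(2025, 1, 2, 12, 0, tzinfo=timezone.utc)

# Constructed sample of Unifi_SiteManager_Devices_CL rows.
SAMPLE_ROWS = [
    # dev-1: older snapshot reports an update, newer snapshot shows it patched.
    # arg_max keeps only the newer row, so dev-1 must NOT be flagged.
    {"Id": "dev-1", "Name": "Core Switch", "Model": "USW-Pro-24", "ProductLine": "network",
     "Version": "7.0.50", "UpdateAvailable": "7.1.68", "Ip": "10.0.0.2",
     "TimeGenerated": NOW - timedelta(hours=20)},
    {"Id": "dev-1", "Name": "Core Switch", "Model": "USW-Pro-24", "ProductLine": "network",
     "Version": "7.1.68", "UpdateAvailable": "", "Ip": "10.0.0.2",
     "TimeGenerated": NOW - timedelta(hours=2)},
    # dev-2: no name set, update pending -> rendered as "Unnamed".
    {"Id": "dev-2", "Name": "", "Model": "U6-Pro", "ProductLine": "network",
     "Version": "6.6.55", "UpdateAvailable": "6.6.77", "Ip": "10.0.0.10",
     "TimeGenerated": NOW - timedelta(hours=3)},
    {"Id": "dev-3", "Name": "Front Door", "Model": "UA-Hub", "ProductLine": "access",
     "Version": "3.2.1", "UpdateAvailable": "3.3.0", "Ip": "10.0.0.20",
     "TimeGenerated": NOW - timedelta(hours=1)},
    # dev-4: only record is older than the 1d window, so it is excluded even
    # though it reports an update (the rule would only see it on a later poll).
    {"Id": "dev-4", "Name": "Old AP", "Model": "UAP-AC-Lite", "ProductLine": "network",
     "Version": "6.5.28", "UpdateAvailable": "6.6.77", "Ip": "10.0.0.30",
     "TimeGenerated": NOW - timedelta(days=2)},
]


def latest_per_device(rows, now=NOW, window=timedelta(days=1)):
    """'| where TimeGenerated > ago(1d) | summarize arg_max(TimeGenerated, *) by Id'."""
    latest = {}
    for r in rows:
        if r["TimeGenerated"] <= now - window:   # strict '>' in the query
            continue
        cur = latest.get(r["Id"])
        if cur is None or r["TimeGenerated"] > cur["TimeGenerated"]:
            latest[r["Id"]] = r
    return list(latest.values())


def device_detail(r):
    """strcat(coalesce(Name, "Unnamed"), " (", Model, ") ", Version, " -> ", UpdateAvailable, " @", Ip)

    KQL coalesce() treats an empty string like null, so an empty Name becomes "Unnamed".
    """
    name = r["Name"] or "Unnamed"
    return f'{name} ({r["Model"]}) {r["Version"]} -> {r["UpdateAvailable"]} @{r["Ip"]}'


def evaluate_rule(rows, now=NOW):
    """Run the rule over rows; return the single summary row, or None when nothing fires.

    The None branch mirrors '| where DevicesNeedingUpdate >= 1'. Without it a
    summarize with no by-clause over zero rows yields one row with count 0,
    which would satisfy 'trigger threshold 0, operator gt' on every run.
    """
    pending = [r for r in latest_per_device(rows, now) if r["UpdateAvailable"]]
    if not pending:
        return None
    # make_set() returns a dynamic array with no guaranteed order; sorted here
    # only so the strings are deterministic in this model.
    models = sorted({r["Model"] for r in pending})
    product_lines = sorted({r["ProductLine"] for r in pending})
    details = [device_detail(r) for r in pending]        # make_list(DeviceDetail)
    return {
        "TimeGenerated": now,                                # 'TimeGenerated = now()'
        "DevicesNeedingUpdate": len(pending),
        "AffectedModels": ", ".join(models),
        "AffectedProductLines": ", ".join(product_lines),
        "Activity": f"{len(pending)} device(s) have firmware updates available: {', '.join(models)}",
        "DeviceListString": "; ".join(details),
    }


if __name__ == "__main__":
    print(evaluate_rule(SAMPLE_ROWS))
```

Because the query emits one row per run, the mapped CloudApplication entity only carries the product-line string; a per-device variant (one row per Id) would be needed if Host or IP entities are wanted on the incident.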
entityMappings:
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: AffectedProductLines
tactics:
- InitialAccess
requiredDataConnectors:
- dataTypes:
  - Unifi_SiteManager_Devices_CL
  connectorId: UniFiSiteManagerConnectorDefinition
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    lookbackDuration: P7D
    reopenClosedIncident: false
    matchingMethod: AnyAlert
  createIncident: true
id: 83b88ab5-21ca-5dd2-df91-6db4354f9360
severity: Low
subTechniques: []
status: Available
query: |
  Unifi_SiteManager_Devices_CL
  | where TimeGenerated > ago(1d)
  | summarize arg_max(TimeGenerated, *) by Id
  | where isnotempty(UpdateAvailable)
  | extend DeviceDetail = strcat(coalesce(Name, "Unnamed"), " (", Model, ") ", Version, " -> ", UpdateAvailable, " @", Ip)
  | summarize
      DevicesNeedingUpdate = count(),
      DeviceList = make_list(DeviceDetail),
      Models = make_set(Model),
      ProductLines = make_set(ProductLine)
  | where DevicesNeedingUpdate >= 1
  | extend
      TimeGenerated = now(),
      AffectedModels = strcat_array(Models, ", "),
      AffectedProductLines = strcat_array(ProductLines, ", "),
      DeviceListString = strcat_array(DeviceList, "; ")
  | extend Activity = strcat(DevicesNeedingUpdate, ' device(s) have firmware updates available: ', AffectedModels)
  | project
      TimeGenerated,
      DevicesNeedingUpdate,
      AffectedModels,
      AffectedProductLines,
      Activity,
      DeviceListString  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudFirmwareUpdateAvailable.yaml
kind: Scheduled
queryPeriod: 1d
version: 1.0.2
name: 'UniFi Site Manager: Firmware Update Available'
queryFrequency: 1d
triggerThreshold: 0
relevantTechniques:
- T1190
description: |
    Identifies UniFi devices with firmware updates available. Keeping firmware patched is critical as updates often include security vulnerability fixes.
triggerOperator: gt