UniFi Site Manager Multiple Devices Offline

let prev_offline_ids = Unifi_SiteManager_Devices_CL
    | where TimeGenerated between (ago(45m) .. ago(15m))
    | summarize arg_max(TimeGenerated, *) by Id
    | where Status == "offline"
    | distinct Id;
Unifi_SiteManager_Devices_CL
| where TimeGenerated > ago(15m)
| summarize arg_max(TimeGenerated, *) by Id
| where Status == "offline"
| extend IsNew = Id !in (prev_offline_ids)
| summarize
    OfflineDeviceCount = count(),
    NewlyOfflineCount = countif(IsNew),
    OfflineDevices = make_list(coalesce(Name, Id)),
    NewlyOfflineDevices = make_list_if(coalesce(Name, Id), IsNew),
    ProductLines = make_set(ProductLine)
| where OfflineDeviceCount >= 3
| where NewlyOfflineCount > 0
| extend
    TimeGenerated = now(),
    OfflineDeviceList = strcat_array(OfflineDevices, ", "),
    NewlyOfflineList = strcat_array(NewlyOfflineDevices, ", "),
    AffectedProductLines = strcat_array(ProductLines, ", ")
| extend Activity = strcat(NewlyOfflineCount, ' device(s) newly offline (', OfflineDeviceCount, ' total offline): ', NewlyOfflineList)
| project
    TimeGenerated,
    OfflineDeviceCount,
    NewlyOfflineCount,
    OfflineDeviceList,
    NewlyOfflineList,
    AffectedProductLines,
    Activity

entityMappings:
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: AffectedProductLines
tactics:
- Impact
requiredDataConnectors:
- dataTypes:
  - Unifi_SiteManager_Devices_CL
  connectorId: UniFiSiteManagerConnectorDefinition
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    lookbackDuration: PT4H
    reopenClosedIncident: true
    matchingMethod: AllEntities
  createIncident: true
id: 9283b576-5350-fca1-3979-dacb6acd1d16
severity: High
subTechniques:
- T1499.002
status: Available
query: |
  let prev_offline_ids = Unifi_SiteManager_Devices_CL
      | where TimeGenerated between (ago(45m) .. ago(15m))
      | summarize arg_max(TimeGenerated, *) by Id
      | where Status == "offline"
      | distinct Id;
  Unifi_SiteManager_Devices_CL
  | where TimeGenerated > ago(15m)
  | summarize arg_max(TimeGenerated, *) by Id
  | where Status == "offline"
  | extend IsNew = Id !in (prev_offline_ids)
  | summarize
      OfflineDeviceCount = count(),
      NewlyOfflineCount = countif(IsNew),
      OfflineDevices = make_list(coalesce(Name, Id)),
      NewlyOfflineDevices = make_list_if(coalesce(Name, Id), IsNew),
      ProductLines = make_set(ProductLine)
  | where OfflineDeviceCount >= 3
  | where NewlyOfflineCount > 0
  | extend
      TimeGenerated = now(),
      OfflineDeviceList = strcat_array(OfflineDevices, ", "),
      NewlyOfflineList = strcat_array(NewlyOfflineDevices, ", "),
      AffectedProductLines = strcat_array(ProductLines, ", ")
  | extend Activity = strcat(NewlyOfflineCount, ' device(s) newly offline (', OfflineDeviceCount, ' total offline): ', NewlyOfflineList)
  | project
      TimeGenerated,
      OfflineDeviceCount,
      NewlyOfflineCount,
      OfflineDeviceList,
      NewlyOfflineList,
      AffectedProductLines,
      Activity  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudMultipleDevicesOffline.yaml
kind: Scheduled
queryPeriod: 30m
version: 1.0.3
name: 'UniFi Site Manager: Multiple Devices Offline'
queryFrequency: 15m
triggerThreshold: 0
relevantTechniques:
- T1489
- T1499
description: |
    Identifies when multiple UniFi devices go offline simultaneously, typically signaling a power outage, upstream connectivity failure, or infrastructure issue requiring investigation.
triggerOperator: gt