Ubiquiti - Unknown MAC Joined AP

Back


Id	9757cee3-1a6c-4d8e-a968-3b7e48ded690
Rulename	Ubiquiti - Unknown MAC Joined AP
Description	Detects when device with unseen MAC Address joined AP.
Severity	Medium
Tactics	InitialAccess
Techniques	T1133
Required data connectors	CustomLogsAma
Kind	Scheduled
Query frequency	1h
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiUnknownMacJoined.yaml
Version	1.0.2
Arm template	9757cee3-1a6c-4d8e-a968-3b7e48ded690.json

KQL

let lbperiod = 14d;
let lbperiod_24h = 24h;
let known_macs = UbiquitiAuditEvent
| where TimeGenerated between (ago(lbperiod) .. ago(lbperiod_24h))
| where DvcAction =~ 'JOIN'
| summarize makeset(SrcMacAddr);
UbiquitiAuditEvent
| where DvcAction =~ 'JOIN'
| where SrcMacAddr !in (known_macs)
| extend Device = SrcMacAddr
| extend HostCustomEntity = Device

YAML

queryPeriod: 14d
queryFrequency: 1h
description: |
    'Detects when device with unseen MAC Address joined AP.'
query: |
  let lbperiod = 14d;
  let lbperiod_24h = 24h;
  let known_macs = UbiquitiAuditEvent
  | where TimeGenerated between (ago(lbperiod) .. ago(lbperiod_24h))
  | where DvcAction =~ 'JOIN'
  | summarize makeset(SrcMacAddr);
  UbiquitiAuditEvent
  | where DvcAction =~ 'JOIN'
  | where SrcMacAddr !in (known_macs)
  | extend Device = SrcMacAddr
  | extend HostCustomEntity = Device  
requiredDataConnectors:
- dataTypes:
  - Ubiquiti_CL
  connectorId: CustomLogsAma
id: 9757cee3-1a6c-4d8e-a968-3b7e48ded690
status: Available
triggerOperator: gt
version: 1.0.2
kind: Scheduled
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiUnknownMacJoined.yaml
tactics:
- InitialAccess
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: HostCustomEntity
name: Ubiquiti - Unknown MAC Joined AP
relevantTechniques:
- T1133
severity: Medium

ARM