Ubiquiti - Unknown MAC Joined AP

Back


Id	9757cee3-1a6c-4d8e-a968-3b7e48ded690
Rulename	Ubiquiti - Unknown MAC Joined AP
Description	Detects when device with unseen MAC Address joined AP.
Severity	Medium
Tactics	InitialAccess
Techniques	T1133
Required data connectors	CustomLogsAma
Kind	Scheduled
Query frequency	1h
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiUnknownMacJoined.yaml
Version	1.0.2
Arm template	9757cee3-1a6c-4d8e-a968-3b7e48ded690.json

KQL

let lbperiod = 14d;
let lbperiod_24h = 24h;
let known_macs = UbiquitiAuditEvent
| where TimeGenerated between (ago(lbperiod) .. ago(lbperiod_24h))
| where DvcAction =~ 'JOIN'
| summarize makeset(SrcMacAddr);
UbiquitiAuditEvent
| where DvcAction =~ 'JOIN'
| where SrcMacAddr !in (known_macs)
| extend Device = SrcMacAddr
| extend HostCustomEntity = Device

YAML

query: |
  let lbperiod = 14d;
  let lbperiod_24h = 24h;
  let known_macs = UbiquitiAuditEvent
  | where TimeGenerated between (ago(lbperiod) .. ago(lbperiod_24h))
  | where DvcAction =~ 'JOIN'
  | summarize makeset(SrcMacAddr);
  UbiquitiAuditEvent
  | where DvcAction =~ 'JOIN'
  | where SrcMacAddr !in (known_macs)
  | extend Device = SrcMacAddr
  | extend HostCustomEntity = Device  
version: 1.0.2
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiUnknownMacJoined.yaml
status: Available
description: |
    'Detects when device with unseen MAC Address joined AP.'
queryFrequency: 1h
name: Ubiquiti - Unknown MAC Joined AP
kind: Scheduled
triggerThreshold: 0
id: 9757cee3-1a6c-4d8e-a968-3b7e48ded690
requiredDataConnectors:
- connectorId: CustomLogsAma
  dataTypes:
  - Ubiquiti_CL
severity: Medium
queryPeriod: 14d
entityMappings:
- fieldMappings:
  - columnName: HostCustomEntity
    identifier: FullName
  entityType: Host
relevantTechniques:
- T1133
tactics:
- InitialAccess

ARM