Microsoft Sentinel Analytic Rules

Ubiquiti - Unknown MAC Joined AP

Id: 9757cee3-1a6c-4d8e-a968-3b7e48ded690
Rulename: Ubiquiti - Unknown MAC Joined AP
Description: Detects when a device with a previously unseen MAC address joins an AP.
Severity: Medium
Tactics: InitialAccess
Techniques: T1133
Required data connectors: CustomLogsAma, UbiquitiUnifi
Kind: Scheduled
Query frequency: 1h
Query period: 14d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiUnknownMacJoined.yaml
Version: 1.0.1
Arm template: 9757cee3-1a6c-4d8e-a968-3b7e48ded690.json
// Raise a row for every WLAN JOIN whose source MAC was not seen joining during the baseline window.
// Baseline = JOIN events older than 24h but within the last 14d (matches the rule's queryPeriod).
let lookback_window = 14d;
let recent_exclusion = 24h;
// Set of MAC addresses that joined during the baseline window.
let baseline_macs = UbiquitiAuditEvent
| where TimeGenerated between (ago(lookback_window) .. ago(recent_exclusion))
| where DvcAction =~ 'JOIN'
| summarize make_set(SrcMacAddr);
// Candidate JOINs carry no explicit time bound of their own, so the scheduled rule's queryPeriod scopes them.
// NOTE(review): the last 24h are excluded from the baseline but not from the candidates, so a new MAC
// keeps matching on each hourly run until its first JOIN is older than 24h (suppressionEnabled is false
// in the deployed template) — confirm this repeat-firing is intended.
UbiquitiAuditEvent
| where DvcAction =~ 'JOIN'
| where SrcMacAddr !in (baseline_macs)
// Device and HostCustomEntity both carry the MAC; HostCustomEntity feeds the Host entity mapping.
| extend Device = SrcMacAddr, HostCustomEntity = SrcMacAddr
kind: Scheduled
relevantTechniques:
- T1133
description: |
    'Detects when device with unseen MAC Address joined AP.'
queryPeriod: 14d
# queryPeriod (14d) must cover the lookback the query uses (let lbperiod = 14d in the query below).
queryFrequency: 1h
# The candidate JOIN events in the query have no time bound of their own, so each hourly run re-evaluates
# the whole queryPeriod while the last 24h are excluded from the known-MAC set; a new MAC can therefore
# match on several consecutive runs. NOTE(review): confirm this repeat-firing is intended.
tactics:
- InitialAccess
name: Ubiquiti - Unknown MAC Joined AP
# The query reads UbiquitiAuditEvent, while the CustomLogsAma connector lists the raw Ubiquiti_CL table —
# presumably UbiquitiAuditEvent is a parser over Ubiquiti_CL; verify the parser is deployed in the workspace.
requiredDataConnectors:
- connectorId: UbiquitiUnifi
  dataTypes:
  - UbiquitiAuditEvent
- connectorId: CustomLogsAma
  dataTypes:
  - Ubiquiti_CL
# HostCustomEntity (set to the joining MAC by the query) is mapped to the Host entity's FullName.
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: HostCustomEntity
triggerThreshold: 0
# threshold 0 with operator gt: any returned row raises an alert.
version: 1.0.1
id: 9757cee3-1a6c-4d8e-a968-3b7e48ded690
query: |
  let lbperiod = 14d;
  let lbperiod_24h = 24h;
  let known_macs = UbiquitiAuditEvent
  | where TimeGenerated between (ago(lbperiod) .. ago(lbperiod_24h))
  | where DvcAction =~ 'JOIN'
  | summarize makeset(SrcMacAddr);
  UbiquitiAuditEvent
  | where DvcAction =~ 'JOIN'
  | where SrcMacAddr !in (known_macs)
  | extend Device = SrcMacAddr
  | extend HostCustomEntity = Device  
status: Available
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiUnknownMacJoined.yaml
severity: Medium
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9757cee3-1a6c-4d8e-a968-3b7e48ded690')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9757cee3-1a6c-4d8e-a968-3b7e48ded690')]",
      "properties": {
        "alertRuleTemplateName": "9757cee3-1a6c-4d8e-a968-3b7e48ded690",
        "customDetails": null,
        "description": "'Detects when device with unseen MAC Address joined AP.'\n",
        "displayName": "Ubiquiti - Unknown MAC Joined AP",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiUnknownMacJoined.yaml",
        "query": "let lbperiod = 14d;\nlet lbperiod_24h = 24h;\nlet known_macs = UbiquitiAuditEvent\n| where TimeGenerated between (ago(lbperiod) .. ago(lbperiod_24h))\n| where DvcAction =~ 'JOIN'\n| summarize makeset(SrcMacAddr);\nUbiquitiAuditEvent\n| where DvcAction =~ 'JOIN'\n| where SrcMacAddr !in (known_macs)\n| extend Device = SrcMacAddr\n| extend HostCustomEntity = Device\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}