let lbperiod = 14d;
let lbperiod_24h = 24h;
let known_macs = UbiquitiAuditEvent
| where TimeGenerated between (ago(lbperiod) .. ago(lbperiod_24h))
| where DvcAction =~ 'JOIN'
| summarize makeset(SrcMacAddr);
UbiquitiAuditEvent
| where DvcAction =~ 'JOIN'
| where SrcMacAddr !in (known_macs)
| extend Device = SrcMacAddr
| extend HostCustomEntity = Device
relevantTechniques:
- T1133
queryFrequency: 1h
description: |
'Detects when device with unseen MAC Address joined AP.'
severity: Medium
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
entityType: Host
triggerThreshold: 0
tactics:
- InitialAccess
requiredDataConnectors:
- dataTypes:
- Ubiquiti_CL
connectorId: CustomLogsAma
queryPeriod: 14d
id: 9757cee3-1a6c-4d8e-a968-3b7e48ded690
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiUnknownMacJoined.yaml
query: |
let lbperiod = 14d;
let lbperiod_24h = 24h;
let known_macs = UbiquitiAuditEvent
| where TimeGenerated between (ago(lbperiod) .. ago(lbperiod_24h))
| where DvcAction =~ 'JOIN'
| summarize makeset(SrcMacAddr);
UbiquitiAuditEvent
| where DvcAction =~ 'JOIN'
| where SrcMacAddr !in (known_macs)
| extend Device = SrcMacAddr
| extend HostCustomEntity = Device
name: Ubiquiti - Unknown MAC Joined AP
version: 1.0.2
kind: Scheduled
status: Available
