Microsoft Sentinel Analytic Rules

UniFi Site Manager WAN external IP geographic deviation

Id: 9c0a7304-287e-f1b2-8b4f-c7444b8511ea
Rulename: UniFi Site Manager: WAN external IP geographic deviation
Description: Sites where the WAN external IP changed ASN or ISP within the last 30 days. Routine DHCP renewal stays within the same ISP; an ASN/ISP change suggests a provider switch, BGP hijack, or routing anomaly that warrants verification.
Tactics: Reconnaissance
Techniques: T1590
Required data connectors: UniFiSiteManagerConnectorDefinition
Kind: HuntingQuery
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Hunting Queries/UniFiCloudWANIPGeoDeviation.yaml
Version: 1.0.0
Arm template: 9c0a7304-287e-f1b2-8b4f-c7444b8511ea.json
Unifi_SiteManager_Sites_CL
| where TimeGenerated > ago(30d)
| extend Site = tostring(Meta.name),
         WanIp = tostring(SiteStatistics.wans.WAN.externalIp),
         Asn = toint(SiteStatistics.ispInfo.asn),
         Isp = tostring(SiteStatistics.ispInfo.name)
| where isnotempty(WanIp)
| summarize ['Distinct ASNs'] = make_set(Asn),
            ['Distinct ISPs'] = make_set(Isp),
            ['WAN IPs']      = make_set(WanIp),
            ['First seen']   = min(TimeGenerated),
            ['Last seen']    = max(TimeGenerated) by HostName = Site
| extend ['ASN count'] = array_length(['Distinct ASNs']),
         ['ISP count'] = array_length(['Distinct ISPs']),
         IPAddress = tostring(['WAN IPs'][0])
| where ['ASN count'] > 1 or ['ISP count'] > 1
| order by ['ASN count'] desc, ['ISP count'] desc
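To show what the hunting query above actually surfaces, here is an added Python re-implementation of its logic run over constructed sample rows; it is not part of the Azure-Sentinel repository, and the row shape (nested Meta / SiteStatistics dictionaries), the site names, the ASNs and the addresses are all made up for the example.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)   # fixed "now" so the sample is reproducible

def row(days_ago, site, ip, asn, isp):
    """Constructed record shaped like a Unifi_SiteManager_Sites_CL row (nested dynamic columns)."""
    return {"TimeGenerated": NOW - timedelta(days=days_ago), "Meta": {"name": site},
            "SiteStatistics": {"wans": {"WAN": {"externalIp": ip}},
                               "ispInfo": {"asn": asn, "name": isp}}}

SAMPLE_ROWS = [  # constructed sample data, not real telemetry
    row(20, "Branch-A", "203.0.113.10", 64500, "ExampleNet"),  # DHCP renewal, same ISP
    row(2,  "Branch-A", "203.0.113.77", 64500, "ExampleNet"),  # -> not flagged
    row(10, "Branch-B", "198.51.100.5", 64500, "ExampleNet"),  # ASN and ISP change
    row(1,  "Branch-B", "192.0.2.44",   64501, "OtherISP"),    # -> flagged
    row(45, "Branch-C", "192.0.2.9",    64502, "OldISP"),      # outside the 30-day window
    row(5,  "Branch-C", "192.0.2.10",   64503, "NewISP"),      # -> only one ASN/ISP seen
    row(3,  "Branch-D", "",             64504, "EmptyIP"),     # dropped: empty WAN IP
]

def hunt_wan_asn_isp_deviation(rows, now=NOW, lookback_days=30):
    """Mirror the KQL: per site, distinct ASNs/ISPs/IPs inside the window, first/last seen,
    then keep sites that show more than one ASN or more than one ISP."""
    cutoff = now - timedelta(days=lookback_days)          # where TimeGenerated > ago(30d)
    per_site = {}
    for r in rows:
        if r["TimeGenerated"] <= cutoff:
            continue
        stats = r["SiteStatistics"]
        wan_ip = stats["wans"]["WAN"]["externalIp"]
        if not wan_ip:                                     # where isnotempty(WanIp)
            continue
        s = per_site.setdefault(r["Meta"]["name"], {
            "Distinct ASNs": [], "Distinct ISPs": [], "WAN IPs": [],
            "First seen": r["TimeGenerated"], "Last seen": r["TimeGenerated"]})
        for key, val in (("Distinct ASNs", int(stats["ispInfo"]["asn"])),
                         ("Distinct ISPs", stats["ispInfo"]["name"]), ("WAN IPs", wan_ip)):
            if val not in s[key]:                          # make_set(): distinct values only
                s[key].append(val)
        s["First seen"] = min(s["First seen"], r["TimeGenerated"])
        s["Last seen"] = max(s["Last seen"], r["TimeGenerated"])
    hits = []
    for site, s in per_site.items():
        asn_count, isp_count = len(s["Distinct ASNs"]), len(s["Distinct ISPs"])
        if asn_count > 1 or isp_count > 1:                 # the deviation condition
            hits.append({"HostName": site, "IPAddress": s["WAN IPs"][0],
                         "ASN count": asn_count, "ISP count": isp_count, **s})
    return sorted(hits, key=lambda h: (-h["ASN count"], -h["ISP count"]))
```

Branch-C shows why the 30-day window matters: its provider change is only visible with a longer lookback, so a site that switched ISPs before the window opens will not be listed. As in the rule, the IP entity is element 0 of the WAN IP set, and KQL does not guarantee that set order reflects recency, so treat the mapped IP as one of the observed addresses rather than the current one.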
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Hunting Queries/UniFiCloudWANIPGeoDeviation.yaml
description: |
    Sites where the WAN external IP changed ASN or ISP within the last 30 days. Routine DHCP renewal stays within the same ISP; an ASN/ISP change suggests provider switch, BGP hijack, or routing anomaly that warrants verification.
id: 9c0a7304-287e-f1b2-8b4f-c7444b8511ea
version: 1.0.0
requiredDataConnectors:
- dataTypes:
  - Unifi_SiteManager_Sites_CL
  connectorId: UniFiSiteManagerConnectorDefinition
kind: HuntingQuery
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: HostName
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPAddress
query: |
  Unifi_SiteManager_Sites_CL
  | where TimeGenerated > ago(30d)
  | extend Site = tostring(Meta.name),
           WanIp = tostring(SiteStatistics.wans.WAN.externalIp),
           Asn = toint(SiteStatistics.ispInfo.asn),
           Isp = tostring(SiteStatistics.ispInfo.name)
  | where isnotempty(WanIp)
  | summarize ['Distinct ASNs'] = make_set(Asn),
              ['Distinct ISPs'] = make_set(Isp),
              ['WAN IPs']      = make_set(WanIp),
              ['First seen']   = min(TimeGenerated),
              ['Last seen']    = max(TimeGenerated) by HostName = Site
  | extend ['ASN count'] = array_length(['Distinct ASNs']),
           ['ISP count'] = array_length(['Distinct ISPs']),
           IPAddress = tostring(['WAN IPs'][0])
  | where ['ASN count'] > 1 or ['ISP count'] > 1
  | order by ['ASN count'] desc, ['ISP count'] desc
relevantTechniques:
- T1590
tactics:
- Reconnaissance
name: 'UniFi Site Manager: WAN external IP geographic deviation'