Microsoft Sentinel Analytic Rules

UniFi Site Manager IPS signature count dropped 50

Id: aa188a24-783a-76a1-cd11-3bcac0e97de9
Rulename: UniFi Site Manager: IPS signature count dropped >50%
Description: Identifies when the IPS signature ruleset count drops by more than half versus the 7-day maximum, indicating broken threat-intel feeds or rollback.
Severity: Medium
Tactics: DefenseEvasion
Techniques: T1562
Required data connectors: UniFiSiteManagerConnectorDefinition
Kind: Scheduled
Query frequency: 6h
Query period: 7d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudIPSsignaturecountdropped50.yaml
Version: 1.0.1
Arm template: aa188a24-783a-76a1-cd11-3bcac0e97de9.json
Unifi_SiteManager_Sites_CL
| where TimeGenerated > ago(7d)
| extend rulesCount = toint(SiteStatistics.gateway.ipsSignature.rulesCount)
| where isnotnull(rulesCount)
| summarize MaxCount = max(rulesCount), arg_max(TimeGenerated, rulesCount) by SiteId, SiteName
| where MaxCount > 100 and toreal(rulesCount) / MaxCount < 0.5
| extend DropPct = round(100.0 * (1 - toreal(rulesCount) / MaxCount), 1)
| extend Activity = strcat('IPS rules dropped to ', rulesCount, ' (from ', MaxCount, ', -', DropPct, '%)')
| project TimeGenerated, SiteId, SiteName, Activity, CurrentRules = rulesCount, PeakRules = MaxCount, DropPct
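The query above compares each site's latest `rulesCount` against that site's maximum over the same 7-day window, ignores sites whose peak never exceeded 100 rules, and fires when the latest value is below half the peak. To exercise those conditions without a workspace, the following added example (not code from the Azure-Sentinel solution or from cloudbrothers.info) re-implements the KQL stage by stage in Python and runs it over constructed `Unifi_SiteManager_Sites_CL` records. The function names (`evaluate`, `sample_rows`, `rules_count`), the fixed `NOW` timestamp and every row in the sample data are assumptions made for this illustration; only the thresholds, column names and the `SiteStatistics.gateway.ipsSignature.rulesCount` path come from the rule.

```python
# Added example (not part of the Azure-Sentinel solution): re-implements the
# rule's KQL over constructed Unifi_SiteManager_Sites_CL rows so the thresholds
# and the 7-day-window behaviour can be checked offline.
from datetime import datetime, timedelta, timezone

QUERY_PERIOD = timedelta(days=7)   # queryPeriod: 7d  ->  where TimeGenerated > ago(7d)
MIN_PEAK_RULES = 100               # where MaxCount > 100 (ignores tiny or empty rulesets)
DROP_RATIO = 0.5                   # toreal(rulesCount) / MaxCount < 0.5

# Fixed "now" (assumed) so the constructed timeline below is deterministic.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


def rules_count(row):
    """toint(SiteStatistics.gateway.ipsSignature.rulesCount); None when the path is absent."""
    try:
        return int(row["SiteStatistics"]["gateway"]["ipsSignature"]["rulesCount"])
    except (KeyError, TypeError, ValueError):
        return None


def evaluate(rows, now=NOW):
    """Return one alert per (SiteId, SiteName) that satisfies the rule, mirroring the KQL stage by stage."""
    window_start = now - QUERY_PERIOD
    per_site = {}
    for row in rows:
        if row["TimeGenerated"] <= window_start:      # where TimeGenerated > ago(7d)
            continue
        count = rules_count(row)
        if count is None:                              # where isnotnull(rulesCount)
            continue
        per_site.setdefault((row["SiteId"], row["SiteName"]), []).append((row["TimeGenerated"], count))

    alerts = []
    for (site_id, site_name), samples in per_site.items():
        max_count = max(c for _, c in samples)                          # MaxCount = max(rulesCount)
        latest_time, latest_count = max(samples, key=lambda s: s[0])    # arg_max(TimeGenerated, rulesCount)
        if not (max_count > MIN_PEAK_RULES and latest_count / max_count < DROP_RATIO):
            continue
        drop_pct = round(100.0 * (1 - latest_count / max_count), 1)     # DropPct
        alerts.append({
            "TimeGenerated": latest_time,
            "SiteId": site_id,
            "SiteName": site_name,
            "Activity": f"IPS rules dropped to {latest_count} (from {max_count}, -{drop_pct}%)",
            "CurrentRules": latest_count,
            "PeakRules": max_count,
            "DropPct": drop_pct,
        })
    return alerts


def _row(site_id, site_name, age, rules=None):
    """Constructed Unifi_SiteManager_Sites_CL record; SiteStatistics mimics the dynamic column."""
    stats = {"gateway": {"ipsSignature": {"rulesCount": rules}}} if rules is not None else {"gateway": {}}
    return {"TimeGenerated": NOW - age, "SiteId": site_id, "SiteName": site_name, "SiteStatistics": stats}


def sample_rows():
    """Constructed sample data (not real telemetry) covering cases the rule should and should not fire on."""
    h = timedelta(hours=1)
    rows = []
    # hq: healthy 4200-rule ruleset for six days, then a collapse to 1200 an hour ago -> fires (71.4% drop)
    rows += [_row("site-hq", "HQ", 24 * d * h, 4200) for d in range(1, 7)]
    rows.append(_row("site-hq", "HQ", 1 * h, 1200))
    # branch: tiny ruleset that more than halves; MaxCount never exceeds 100, so suppressed by design
    rows += [_row("site-br", "Branch", 48 * h, 80), _row("site-br", "Branch", 1 * h, 30)]
    # lab: dropped from 4000 to 1500 nine days ago; the peak has aged out of the 7-day window -> no alert
    rows.append(_row("site-lab", "Lab", 9 * 24 * h, 4000))
    rows += [_row("site-lab", "Lab", 24 * d * h, 1500) for d in range(0, 7)]
    # edge: gateway record without an IPS block -> rulesCount is null and the row is ignored
    rows.append(_row("site-edge", "Edge", 2 * h))
    return rows


if __name__ == "__main__":
    for alert in evaluate(sample_rows()):
        print(alert["SiteName"], alert["Activity"])
```

The `Lab` site in the sample data shows the caveat worth knowing when tuning this rule: because the peak is taken over the same 7-day window as the current value, a drop that has already persisted for longer than the query period stops alerting once the old peak ages out, so the rule detects the transition, not the degraded steady state. The `Branch` site shows the other side of the `MaxCount > 100` guard: small or freshly provisioned rulesets are deliberately excluded, which also means a gateway that has never loaded more than 100 signatures will not trigger even if it drops to zero.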
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: SiteId
  - identifier: DnsDomain
    columnName: SiteName
tactics:
- DefenseEvasion
requiredDataConnectors:
- dataTypes:
  - Unifi_SiteManager_Sites_CL
  connectorId: UniFiSiteManagerConnectorDefinition
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    lookbackDuration: PT12H
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
id: aa188a24-783a-76a1-cd11-3bcac0e97de9
severity: Medium
subTechniques:
- T1562.001
status: Available
query: |
  Unifi_SiteManager_Sites_CL
  | where TimeGenerated > ago(7d)
  | extend rulesCount = toint(SiteStatistics.gateway.ipsSignature.rulesCount)
  | where isnotnull(rulesCount)
  | summarize MaxCount = max(rulesCount), arg_max(TimeGenerated, rulesCount) by SiteId, SiteName
  | where MaxCount > 100 and toreal(rulesCount) / MaxCount < 0.5
  | extend DropPct = round(100.0 * (1 - toreal(rulesCount) / MaxCount), 1)
  | extend Activity = strcat('IPS rules dropped to ', rulesCount, ' (from ', MaxCount, ', -', DropPct, '%)')
  | project TimeGenerated, SiteId, SiteName, Activity, CurrentRules = rulesCount, PeakRules = MaxCount, DropPct
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudIPSsignaturecountdropped50.yaml
kind: Scheduled
queryPeriod: 7d
version: 1.0.1
name: 'UniFi Site Manager: IPS signature count dropped >50%'
queryFrequency: 6h
triggerThreshold: 0
relevantTechniques:
- T1562
description: |
    Identifies when the IPS signature ruleset count drops by more than half versus the 7-day maximum, indicating broken threat-intel feeds or rollback.
triggerOperator: gt