Microsoft Sentinel Analytic Rules

UniFi Site Manager Controller Connection State Change

Id: ac1efe0f-654e-264e-07be-c1b60e698343
Rulename: UniFi Site Manager: Controller Connection State Change
Description: Identifies when a UniFi controller (Cloud Key, Dream Machine, etc.) experiences a connection state change, which may indicate a network outage, power loss, or device failure.
Severity: Medium
Tactics: Impact
CommandAndControl
Techniques: T1489
T1071
Required data connectors: UniFiSiteManagerConnectorDefinition
Kind: Scheduled
Query frequency: 15m
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudControllerConnectionStateChange.yaml
Version: 1.0.1
Arm template: ac1efe0f-654e-264e-07be-c1b60e698343.json
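// UniFi Controller Connection State Change Detection
// Fires once per state change: the latest LastConnectionStateChange per host in the
// current 15-min cycle is compared with the latest value seen in the prior 15-min cycle.
// Without that comparison the same change would stay visible for the whole 1h query
// period and produce 4-5 alerts (rule runs every 15m).
//
// Baseline: latest LastConnectionStateChange per host from the prior 15-min cycle.
// Empty values are dropped here, matching the filter on the current cycle below;
// otherwise a host whose most recent prior record lacks the field gets a null
// prevChange and re-alerts on an unchanged value.
let prev = Unifi_SiteManager_Hosts_CL
    | where TimeGenerated between (ago(30m) .. ago(15m))
    | where isnotempty(LastConnectionStateChange)
    | summarize arg_max(TimeGenerated, *) by Id
    | project id_s = Id, prevChange = todatetime(LastConnectionStateChange);
Unifi_SiteManager_Hosts_CL
| where TimeGenerated > ago(15m)
| where isnotempty(LastConnectionStateChange)
// One row per host: the most recent record of the current cycle.
| summarize arg_max(TimeGenerated, *) by Id
| extend
    ConnectionChange = todatetime(LastConnectionStateChange),
    id_s = Id
| join kind=leftouter prev on id_s
// Keep hosts whose value differs from the baseline, or that have no baseline row
// (prevChange is null when no prior record matched).
| where ConnectionChange != prevChange or isnull(prevChange)
// Changes older than 30m never alert, including for hosts without a baseline.
| where ConnectionChange > ago(30m)
| extend
    HostTypeDisplay = case(
        HostType == "ucore", "UniFi OS Console",
        HostType == "uck", "Cloud Key",
        HostType == "uckp", "Cloud Key+",
        HostType == "udm", "Dream Machine",
        HostType == "udmpro", "Dream Machine Pro",
        HostType == "udmse", "Dream Machine SE",
        HostType == "self-hosted", "Self-Hosted",
        HostType
    )
// Output schema is unchanged; HostType and IsBlocked are passed through under their own names.
| project
    TimeGenerated,
    ConnectionChangeTime = ConnectionChange,
    PreviousChangeTime = prevChange,
    HostId = Id,
    HostType,
    HostTypeDisplay,
    IPAddress = IpAddress,
    IsBlocked,
    IsOwner = Owner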
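# IPAddress (projected from IpAddress in the query) is the only mapped entity.
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPAddress
tactics:
- Impact
- CommandAndControl
requiredDataConnectors:
- dataTypes:
  - Unifi_SiteManager_Hosts_CL
  connectorId: UniFiSiteManagerConnectorDefinition
# Alerts whose mapped entities all match (only IP here) within 4h are grouped into one
# incident; closed incidents are not reopened.
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    lookbackDuration: PT4H
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
id: ac1efe0f-654e-264e-07be-c1b60e698343
severity: Medium
subTechniques:
- T1071.001
status: Available
query: |
  // UniFi Controller Connection State Change Detection
  // Fires once per state change: the latest LastConnectionStateChange per host in the
  // current 15-min cycle is compared with the latest value seen in the prior 15-min cycle.
  // Without that comparison the same change would stay visible for the whole 1h query
  // period and produce 4-5 alerts (rule runs every 15m).
  //
  // Baseline: latest LastConnectionStateChange per host from the prior 15-min cycle.
  // Empty values are dropped here, matching the filter on the current cycle below;
  // otherwise a host whose most recent prior record lacks the field gets a null
  // prevChange and re-alerts on an unchanged value.
  let prev = Unifi_SiteManager_Hosts_CL
      | where TimeGenerated between (ago(30m) .. ago(15m))
      | where isnotempty(LastConnectionStateChange)
      | summarize arg_max(TimeGenerated, *) by Id
      | project id_s = Id, prevChange = todatetime(LastConnectionStateChange);
  Unifi_SiteManager_Hosts_CL
  | where TimeGenerated > ago(15m)
  | where isnotempty(LastConnectionStateChange)
  // One row per host: the most recent record of the current cycle.
  | summarize arg_max(TimeGenerated, *) by Id
  | extend
      ConnectionChange = todatetime(LastConnectionStateChange),
      id_s = Id
  | join kind=leftouter prev on id_s
  // Keep hosts whose value differs from the baseline, or that have no baseline row
  // (prevChange is null when no prior record matched).
  | where ConnectionChange != prevChange or isnull(prevChange)
  // Changes older than 30m never alert, including for hosts without a baseline.
  | where ConnectionChange > ago(30m)
  | extend
      HostTypeDisplay = case(
          HostType == "ucore", "UniFi OS Console",
          HostType == "uck", "Cloud Key",
          HostType == "uckp", "Cloud Key+",
          HostType == "udm", "Dream Machine",
          HostType == "udmpro", "Dream Machine Pro",
          HostType == "udmse", "Dream Machine SE",
          HostType == "self-hosted", "Self-Hosted",
          HostType
      )
  // Output schema is unchanged; HostType and IsBlocked are passed through under their own names.
  | project
      TimeGenerated,
      ConnectionChangeTime = ConnectionChange,
      PreviousChangeTime = prevChange,
      HostId = Id,
      HostType,
      HostTypeDisplay,
      IPAddress = IpAddress,
      IsBlocked,
      IsOwner = Owner
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudControllerConnectionStateChange.yaml
kind: Scheduled
# Runs every 15m over the last 1h of data; the query itself only compares the current
# and the prior 15m cycle.
queryPeriod: 1h
version: 1.0.1
name: 'UniFi Site Manager: Controller Connection State Change'
queryFrequency: 15m
# Any returned row (count greater than 0) raises an alert.
triggerThreshold: 0
relevantTechniques:
- T1489
- T1071
description: |
    Identifies when a UniFi controller (Cloud Key, Dream Machine, etc.) experiences a connection state change, which may indicate a network outage, power loss, or device failure.
triggerOperator: gt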