Microsoft Sentinel Analytic Rules

UniFi Site Manager New WAN2 secondary issue recorded

Id: b16f13ae-343b-9513-e684-469cdf9471b2
Rulename: UniFi Site Manager: New WAN2 (secondary) issue recorded
Description: Identifies a new issue index on the secondary WAN failover link. Fires only on newly-recorded issue indexes, not while existing issues persist.
Severity: Medium
Tactics: Impact
Techniques: T1498
Required data connectors: UniFiSiteManagerConnectorDefinition
Kind: Scheduled
Query frequency: 15m
Query period: 45m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudNewWAN2secondaryissuerecorded.yaml
Version: 1.0.1
Arm template: b16f13ae-343b-9513-e684-469cdf9471b2.json
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: SiteId
  - identifier: DnsDomain
    columnName: SiteName
tactics:
- Impact
requiredDataConnectors:
- dataTypes:
  - Unifi_SiteManager_Sites_CL
  connectorId: UniFiSiteManagerConnectorDefinition
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
id: b16f13ae-343b-9513-e684-469cdf9471b2
severity: Medium
subTechniques:
- T1498.001
status: Available
query: |
  // UniFi reports a monotonically-rising wanIssues.count rather than discrete events.
  // Detect a NEW occurrence by checking whether the per-site max(count) has grown
  // in the most recent 15-min window vs the prior 15-min window.
  Unifi_SiteManager_Sites_CL
  | where TimeGenerated > ago(45m)
  | extend siteId_s = tostring(SiteId)
  | where isnotempty(tostring(SiteStatistics.wans.WAN2))
  | mv-expand issue = todynamic(tostring(SiteStatistics.wans.WAN2.wanIssues))
  | extend issueCount = tolong(issue.count), idx = tolong(issue.index)
  | summarize
      PrevMaxCount = maxif(issueCount, TimeGenerated < ago(15m)),
      CurrentMaxCount = maxif(issueCount, TimeGenerated >= ago(15m)),
      LatestIndex = maxif(idx, TimeGenerated >= ago(15m))
      by siteId_s, SiteName
  | extend PrevMaxCount = coalesce(PrevMaxCount, tolong(0))
  | where CurrentMaxCount > PrevMaxCount
  | extend
      TimeGenerated = now(),
      Delta = CurrentMaxCount - PrevMaxCount,
      Activity = strcat('New WAN2 issue: count rose from ', PrevMaxCount, ' to ', CurrentMaxCount)
  | project TimeGenerated, SiteId = siteId_s, SiteName, Activity, IssueIndex = LatestIndex, PrevMaxCount, CurrentMaxCount, Delta
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudNewWAN2secondaryissuerecorded.yaml
kind: Scheduled
queryPeriod: 45m
version: 1.0.1
name: 'UniFi Site Manager: New WAN2 (secondary) issue recorded'
queryFrequency: 15m
triggerThreshold: 0
relevantTechniques:
- T1498
description: |
    Identifies a new issue index on the secondary WAN failover link. Fires only on newly-recorded issue indexes, not while existing issues persist.
triggerOperator: gt