UniFi Site Manager ISP Downtime

// UniFi ISP Downtime Detection
let MinDowntimeSeconds = 60;
Unifi_SiteManager_ISPMetrics_CL
| where TimeGenerated > ago(30m)
| mv-expand period = Periods
| extend
    metricTime = todatetime(period.metricTime),
    downtime = toint(period.data.wan.downtime),
    uptime = todouble(period.data.wan.uptime),
    ispName = tostring(period.data.wan.ispName),
    ispAsn = tostring(period.data.wan.ispAsn)
// De-duplicate Periods: each poll returns the same hour buckets, so collapse to latest value per metricTime
| summarize arg_max(TimeGenerated, downtime, uptime, ispAsn) by tostring(SiteId), ispName, metricTime
| where metricTime > ago(30m)
| where downtime > 0
| summarize
    TotalDowntimeSeconds = sum(downtime),
    EventCount = count(),
    AvgUptime = round(avg(uptime), 2),
    FirstSeen = min(metricTime),
    LastSeen = max(metricTime)
    by SiteId, ispName, ispAsn
| where TotalDowntimeSeconds >= MinDowntimeSeconds
| extend
    TimeGenerated = now(),
    DowntimeMinutes = round(TotalDowntimeSeconds / 60.0, 2)
| project
    TimeGenerated,
    SiteId = SiteId,
    ISPName = ispName,
    ISPAsn = ispAsn,
    TotalDowntimeSeconds,
    DowntimeMinutes,
    AvgUptimePct = AvgUptime,
    EventCount,
    FirstSeen,
    LastSeen

entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: SiteId
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: ISPName
tactics:
- Impact
requiredDataConnectors:
- dataTypes:
  - Unifi_SiteManager_ISPMetrics_CL
  connectorId: UniFiSiteManagerConnectorDefinition
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    lookbackDuration: PT4H
    reopenClosedIncident: true
    matchingMethod: AllEntities
  createIncident: true
id: b54123ef-cfa7-769e-a959-f437404a1192
severity: High
subTechniques:
- T1499.002
status: Available
query: |
  // UniFi ISP Downtime Detection
  let MinDowntimeSeconds = 60;
  Unifi_SiteManager_ISPMetrics_CL
  | where TimeGenerated > ago(30m)
  | mv-expand period = Periods
  | extend
      metricTime = todatetime(period.metricTime),
      downtime = toint(period.data.wan.downtime),
      uptime = todouble(period.data.wan.uptime),
      ispName = tostring(period.data.wan.ispName),
      ispAsn = tostring(period.data.wan.ispAsn)
  // De-duplicate Periods: each poll returns the same hour buckets, so collapse to latest value per metricTime
  | summarize arg_max(TimeGenerated, downtime, uptime, ispAsn) by tostring(SiteId), ispName, metricTime
  | where metricTime > ago(30m)
  | where downtime > 0
  | summarize
      TotalDowntimeSeconds = sum(downtime),
      EventCount = count(),
      AvgUptime = round(avg(uptime), 2),
      FirstSeen = min(metricTime),
      LastSeen = max(metricTime)
      by SiteId, ispName, ispAsn
  | where TotalDowntimeSeconds >= MinDowntimeSeconds
  | extend
      TimeGenerated = now(),
      DowntimeMinutes = round(TotalDowntimeSeconds / 60.0, 2)
  | project
      TimeGenerated,
      SiteId = SiteId,
      ISPName = ispName,
      ISPAsn = ispAsn,
      TotalDowntimeSeconds,
      DowntimeMinutes,
      AvgUptimePct = AvgUptime,
      EventCount,
      FirstSeen,
      LastSeen  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudISPDowntime.yaml
kind: Scheduled
queryPeriod: 30m
version: 1.0.1
name: 'UniFi Site Manager: ISP Downtime'
queryFrequency: 15m
triggerThreshold: 0
relevantTechniques:
- T1489
- T1499
description: |
    Identifies when the ISP connection experiences downtime, impacting business operations and requiring documentation for SLA purposes.
triggerOperator: gt