Microsoft Sentinel Analytic Rules

UniFi Site Manager Site Health Critical

Id: c8875ebb-cc6e-14e4-4216-d8b06fd92c90
Rulename: UniFi Site Manager: Site Health Critical
Description: Identifies when a site has multiple offline devices, indicating significant site-level issues such as a power outage, network failure, or infrastructure problem.
Severity: High
Tactics: Impact
Techniques: T1489, T1499
Required data connectors: UniFiSiteManagerConnectorDefinition
Kind: Scheduled
Query frequency: 15m
Query period: 30m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudSiteHealthCritical.yaml
Version: 1.0.1
Arm template: c8875ebb-cc6e-14e4-4216-d8b06fd92c90.json
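// UniFi Site Health Critical Detection
// Evaluates the most recent health record per site within the query period and
// returns every site reporting OfflineThreshold or more offline devices.
// arg_max() ensures each site is judged once, on its latest record, rather than
// once per poll that landed in the window.
let OfflineThreshold = 3;
Unifi_SiteManager_Sites_CL
| where TimeGenerated > ago(30m)
| summarize arg_max(TimeGenerated, *) by SiteId
| where OfflineDevices >= OfflineThreshold
| extend
    // Guard the division: a record whose TotalDevices is 0 or null (an inconsistent
    // inventory snapshot) would otherwise yield a non-finite or empty percentage.
    // The row is still returned; only the percentage is blanked.
    AvailabilityPct = iff(TotalDevices > 0,
        round(100.0 * (TotalDevices - OfflineDevices) / TotalDevices, 1),
        real(null)),
    TotalClients = WifiClients + WiredClients
// Output columns are unchanged from the original projection; WifiClients is
// surfaced under the WiFiClients name expected downstream.
| project
    TimeGenerated,
    SiteId,
    SiteName,
    TotalDevices,
    OfflineDevices,
    OnlineDevices = TotalDevices - OfflineDevices,
    AvailabilityPct,
    TotalClients,
    WiFiClients = WifiClients,
    WiredClients,
    Timezone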
# Entity mapping: the affected site is surfaced as a Host entity, with SiteId as the
# HostName and SiteName as the DnsDomain, so alerts can be grouped per site.
# NOTE(review): neither value is a real hostname or DNS domain — confirm this does not
# merge with genuine Host entities produced by other rules when grouping by AllEntities.
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: SiteId
  - identifier: DnsDomain
    columnName: SiteName
tactics:
- Impact
requiredDataConnectors:
- dataTypes:
  - Unifi_SiteManager_Sites_CL
  connectorId: UniFiSiteManagerConnectorDefinition
# Incident grouping: alerts whose mapped entities all match within a 4h lookback are
# folded into one incident, and a closed incident is reopened rather than a new one
# being created.
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    lookbackDuration: PT4H
    reopenClosedIncident: true
    matchingMethod: AllEntities
  createIncident: true
id: c8875ebb-cc6e-14e4-4216-d8b06fd92c90
severity: High
subTechniques:
- T1499.002
status: Available
# Detection logic: latest record per site within the last 30m; a site is returned when
# OfflineDevices >= 3. The rule runs every 15m over a 30m period, so the same latest
# record may be seen by two consecutive runs; the grouping configuration above is what
# keeps repeated alerts for one site in a single incident. The `//` lines below are
# KQL comments and are part of the query text.
query: |
  // UniFi Site Health Critical Detection
  let OfflineThreshold = 3;
  Unifi_SiteManager_Sites_CL
  | where TimeGenerated > ago(30m)
  | summarize arg_max(TimeGenerated, *) by SiteId
  | where OfflineDevices >= OfflineThreshold
  | extend
      AvailabilityPct = round(100.0 * (TotalDevices - OfflineDevices) / TotalDevices, 1),
      TotalClients = WifiClients + WiredClients
  | project
      TimeGenerated,
      SiteId = SiteId,
      SiteName = SiteName,
      TotalDevices = TotalDevices,
      OfflineDevices = OfflineDevices,
      OnlineDevices = TotalDevices - OfflineDevices,
      AvailabilityPct,
      TotalClients,
      WiFiClients = WifiClients,
      WiredClients = WiredClients,
      Timezone = Timezone  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudSiteHealthCritical.yaml
kind: Scheduled
queryPeriod: 30m
version: 1.0.1
name: 'UniFi Site Manager: Site Health Critical'
queryFrequency: 15m
# Threshold 0 with operator gt: any row returned by the query raises an alert.
triggerThreshold: 0
relevantTechniques:
- T1489
- T1499
description: |
    Identifies when a site has multiple offline devices, indicating significant site-level issues such as a power outage, network failure, or infrastructure problem.
triggerOperator: gt