Unifi_SiteManager_Sites_CL
| where TimeGenerated > ago(7d)
| extend pendingUpdates = PendingUpdateDevices
| summarize MinPending = min(pendingUpdates), MaxPending = max(pendingUpdates), arg_max(TimeGenerated, pendingUpdates) by SiteId, SiteName
| where MinPending > 0
| extend Activity = strcat('Pending updates sustained - current ', pendingUpdates, ' device(s)')
| project TimeGenerated, SiteId, SiteName, Activity, PendingDevices = pendingUpdates
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: SiteId
- identifier: DnsDomain
columnName: SiteName
tactics:
- Reconnaissance
requiredDataConnectors:
- dataTypes:
- Unifi_SiteManager_Sites_CL
connectorId: UniFiSiteManagerConnectorDefinition
incidentConfiguration:
groupingConfiguration:
enabled: true
lookbackDuration: P1D
reopenClosedIncident: false
matchingMethod: AllEntities
createIncident: true
id: d943d401-861e-7186-d42c-c505fbf7c619
severity: Low
subTechniques: []
status: Available
query: |
Unifi_SiteManager_Sites_CL
| where TimeGenerated > ago(7d)
| extend pendingUpdates = PendingUpdateDevices
| summarize MinPending = min(pendingUpdates), MaxPending = max(pendingUpdates), arg_max(TimeGenerated, pendingUpdates) by SiteId, SiteName
| where MinPending > 0
| extend Activity = strcat('Pending updates sustained - current ', pendingUpdates, ' device(s)')
| project TimeGenerated, SiteId, SiteName, Activity, PendingDevices = pendingUpdates
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudPendingfirmwareupdatesoutstandingfor7d.yaml
kind: Scheduled
queryPeriod: 7d
version: 1.0.1
name: 'UniFi Site Manager: Pending firmware updates outstanding for 7d+'
queryFrequency: 1d
triggerThreshold: 0
relevantTechniques:
- T1595
description: |
Identifies sites with pending firmware updates outstanding continuously for the last 7 days, indicating patch debt that should be scheduled.
triggerOperator: gt
