Microsoft Sentinel Analytic Rules

UniFi Site Manager New critical notifications appeared

Id: e4b75722-7239-f247-558f-d2e851ea0b38
Rule name: UniFi Site Manager: New critical notifications appeared
Description: Identifies when the UniFi critical-notification count increases since the previous poll, signaling at least one new critical-severity alarm has appeared.
Severity: Medium
Tactics: Impact
Techniques: T1499
Required data connectors: UniFiSiteManagerConnectorDefinition
Kind: Scheduled
Query frequency: 15m
Query period: 45m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudNewcriticalnotificationsappeared.yaml
Version: 1.0.1
Arm template: e4b75722-7239-f247-558f-d2e851ea0b38.json
// Detect sites whose CriticalNotifications counter went up between two
// consecutive 15-minute windows. Only the latest sample per site in each
// window is compared (arg_max), so a rise that is cleared again inside the
// same window is not visible to this rule.
//
// Baseline: newest sample per site from the preceding window (15–30 min ago).
let baseline = Unifi_SiteManager_Sites_CL
    | where TimeGenerated between (ago(30m) .. ago(15m))
    | summarize arg_max(TimeGenerated, *) by tostring(SiteId)
    | project siteId_s = tostring(SiteId), prevCritical = CriticalNotifications;
// Latest: newest sample per site from the current window (last 15 min).
let latest = Unifi_SiteManager_Sites_CL
    | where TimeGenerated > ago(15m)
    | summarize arg_max(TimeGenerated, *) by tostring(SiteId)
    | extend siteId_s = tostring(SiteId), CriticalCount = CriticalNotifications;
latest
// kind=inner: a site with no baseline sample (first seen, or a missed poll in
// the 15–30 min window) yields no row and therefore cannot alert.
| join kind=inner baseline on siteId_s
// NOTE(review): assumes CriticalNotifications is ingested as a numeric column;
// if the connector delivers it as a string, cast with tolong() before comparing.
| where CriticalCount > prevCritical
| extend NewCriticals = CriticalCount - prevCritical
| extend Activity = strcat(NewCriticals, ' new critical notification(s) - count went ', prevCritical, ' -> ', CriticalCount)
// prevCritical / CriticalCount / NewCriticals are kept for analyst context;
// SiteId and SiteName feed the rule's entity mappings.
| project TimeGenerated, SiteId, SiteName, Activity, prevCritical, CriticalCount, NewCriticals
# Entity mapping: the UniFi site is surfaced as a Host entity (HostName <- SiteId,
# DnsDomain <- SiteName). NOTE(review): a UniFi site is not a host or a DNS
# domain; the mapping mainly serves incident grouping (AllEntities below), so
# analysts should not expect these fields to resolve to a real machine.
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: SiteId
  - identifier: DnsDomain
    columnName: SiteName
tactics:
- Impact
# The query reads only the Unifi_SiteManager_Sites_CL table delivered by the
# UniFi Site Manager (CCF) connector.
requiredDataConnectors:
- dataTypes:
  - Unifi_SiteManager_Sites_CL
  connectorId: UniFiSiteManagerConnectorDefinition
# Grouping: alerts whose mapped entities (SiteId + SiteName) all match are
# folded into one incident for up to 5 hours; a closed incident is not reopened,
# so a new rise after closure creates a fresh incident.
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
id: e4b75722-7239-f247-558f-d2e851ea0b38
severity: Medium
# ATT&CK mapping chosen by the rule author (Endpoint DoS: Service Exhaustion
# Flood). NOTE(review): a UniFi "critical" alarm is not necessarily a DoS
# symptom; triage should confirm the actual alarm type in the UniFi console.
subTechniques:
- T1499.002
status: Available
# Compares, per site, the newest CriticalNotifications value in the last 15 min
# with the newest value from the 15-30 min window. kind=inner means a site
# without a sample in the earlier window (first seen, or a missed poll) cannot
# alert; only the latest sample per window is used, so a rise that is cleared
# again inside one window is not detected.
query: |
  let prev = Unifi_SiteManager_Sites_CL
      | where TimeGenerated between (ago(30m) .. ago(15m))
      | summarize arg_max(TimeGenerated, *) by tostring(SiteId)
      | project siteId_s = tostring(SiteId), prevCritical = CriticalNotifications;
  Unifi_SiteManager_Sites_CL
  | where TimeGenerated > ago(15m)
  | summarize arg_max(TimeGenerated, *) by tostring(SiteId)
  | extend siteId_s = tostring(SiteId), CriticalCount = CriticalNotifications
  | join kind=inner prev on siteId_s
  | where CriticalCount > prevCritical
  | extend NewCriticals = CriticalCount - prevCritical
  | extend Activity = strcat(NewCriticals, ' new critical notification(s) - count went ', prevCritical, ' -> ', CriticalCount)
  | project TimeGenerated, SiteId, SiteName, Activity, prevCritical, CriticalCount, NewCriticals  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudNewcriticalnotificationsappeared.yaml
kind: Scheduled
# Scheduling: runs every 15 min over a 45 min lookback. The query itself only
# reaches back 30 min (ago(30m)), so the oldest 15 min of the period are unused;
# the extra margin does not widen the baseline window.
queryPeriod: 45m
version: 1.0.1
name: 'UniFi Site Manager: New critical notifications appeared'
queryFrequency: 15m
# Threshold 0 with operator gt: any returned row (i.e. any site whose count
# rose) fires the rule.
triggerThreshold: 0
relevantTechniques:
- T1499
description: |
    Identifies when the UniFi critical-notification count increases since the previous poll, signaling at least one new critical-severity alarm has appeared.
triggerOperator: gt