Microsoft Sentinel Analytic Rules

UniFi Site Manager New Device Adopted

Id: e69be544-9476-35bb-2533-fa8c650dcd46
Rule name: UniFi Site Manager: New Device Adopted
Description: Identifies when a new device is adopted into the UniFi network. While often legitimate, unexpected adoptions may indicate unauthorized hardware additions.
Severity: Informational
Tactics: InitialAccess, Persistence
Techniques: T1200, T1133
Required data connectors: UniFiSiteManagerConnectorDefinition
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudNewDeviceAdopted.yaml
Version: 1.0.0
Arm template: e69be544-9476-35bb-2533-fa8c650dcd46.json

Query (KQL):
// UniFi New Device Adopted Detection
Unifi_SiteManager_Devices_CL
| where TimeGenerated > ago(1h)
| where isnotempty(AdoptionTime)
| extend AdoptionDateTime = todatetime(AdoptionTime)
| where AdoptionDateTime > ago(1h)
| summarize arg_max(TimeGenerated, *) by Id
| extend
    DeviceName = coalesce(Name, "Unnamed"),
    DeviceId = Id,
    Model = Model,
    IPAddress = Ip,
    MACAddress = Mac,
    ProductLine = ProductLine,
    FirmwareVersion = Version,
    Shortname = Shortname
| extend HostName = DeviceName
| project
    TimeGenerated,
    AdoptionTime = AdoptionDateTime,
    DeviceName,
    DeviceId,
    Model,
    IPAddress,
    MACAddress,
    ProductLine,
    Status = Status,
    FirmwareVersion,
    Shortname,
    HostName

Rule definition (YAML):
entityMappings:
- fieldMappings:
  - columnName: HostName
    identifier: HostName
  entityType: Host
- fieldMappings:
  - columnName: IPAddress
    identifier: Address
  entityType: IP
status: Available
queryFrequency: 1h
tactics:
- InitialAccess
- Persistence
triggerThreshold: 0
query: |
  // UniFi New Device Adopted Detection
  Unifi_SiteManager_Devices_CL
  | where TimeGenerated > ago(1h)
  | where isnotempty(AdoptionTime)
  | extend AdoptionDateTime = todatetime(AdoptionTime)
  | where AdoptionDateTime > ago(1h)
  | summarize arg_max(TimeGenerated, *) by Id
  | extend
      DeviceName = coalesce(Name, "Unnamed"),
      DeviceId = Id,
      Model = Model,
      IPAddress = Ip,
      MACAddress = Mac,
      ProductLine = ProductLine,
      FirmwareVersion = Version,
      Shortname = Shortname
  | extend HostName = DeviceName
  | project
      TimeGenerated,
      AdoptionTime = AdoptionDateTime,
      DeviceName,
      DeviceId,
      Model,
      IPAddress,
      MACAddress,
      ProductLine,
      Status = Status,
      FirmwareVersion,
      Shortname,
      HostName
queryPeriod: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudNewDeviceAdopted.yaml
relevantTechniques:
- T1200
- T1133
version: 1.0.0
subTechniques: []
kind: Scheduled
requiredDataConnectors:
- dataTypes:
  - Unifi_SiteManager_Devices_CL
  connectorId: UniFiSiteManagerConnectorDefinition
triggerOperator: gt
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: PT24H
    enabled: true
    matchingMethod: AllEntities
severity: Informational
id: e69be544-9476-35bb-2533-fa8c650dcd46
description: |
    Identifies when a new device is adopted into the UniFi network. While often legitimate, unexpected adoptions may indicate unauthorized hardware additions.
name: 'UniFi Site Manager: New Device Adopted'