Microsoft Sentinel Analytic Rules

UniFi Site Manager External WAN IP changed

Id: ef1a293a-9e2b-b087-7816-2610814ed2d4
Rulename: UniFi Site Manager: External WAN IP changed
Description: Identifies when a site reports more than one distinct WAN external IP within an hour, which may indicate ISP DHCP refresh, WAN reconfiguration, or routing hijack.
Severity: High
Tactics: Reconnaissance
Techniques: T1590
Required data connectors: UniFiSiteManagerConnectorDefinition
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudExternalWANIPchanged.yaml
Version: 1.0.0
Arm template: ef1a293a-9e2b-b087-7816-2610814ed2d4.json
Query:
Unifi_SiteManager_Sites_CL
| where TimeGenerated > ago(1h)
| extend SiteName = tostring(Meta.name),
         currentIp = tostring(SiteStatistics.wans.WAN.externalIp)
| where isnotempty(currentIp)
| summarize DistinctIps = make_set(currentIp), arg_max(TimeGenerated, currentIp) by SiteId, SiteName
| where array_length(DistinctIps) > 1
| extend Activity = strcat('WAN IP changed; observed: ', tostring(DistinctIps))
| project TimeGenerated, SiteId, SiteName, Activity, CurrentIp = currentIp, ObservedIps = DistinctIps
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: CurrentIp
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: SiteName
tactics:
- Reconnaissance
requiredDataConnectors:
- dataTypes:
  - Unifi_SiteManager_Sites_CL
  connectorId: UniFiSiteManagerConnectorDefinition
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
id: ef1a293a-9e2b-b087-7816-2610814ed2d4
severity: High
subTechniques:
- T1590.005
status: Available
query: |
  Unifi_SiteManager_Sites_CL
        | where TimeGenerated > ago(1h)
        | extend SiteName = tostring(Meta.name),
                 currentIp = tostring(SiteStatistics.wans.WAN.externalIp)
        | where isnotempty(currentIp)
        | summarize DistinctIps = make_set(currentIp), arg_max(TimeGenerated, currentIp) by SiteId, SiteName
        | where array_length(DistinctIps) > 1
        | extend Activity = strcat('WAN IP changed; observed: ', tostring(DistinctIps))
        | project TimeGenerated, SiteId, SiteName, Activity, CurrentIp = currentIp, ObservedIps = DistinctIps
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudExternalWANIPchanged.yaml
kind: Scheduled
queryPeriod: 1h
version: 1.0.0
name: 'UniFi Site Manager: External WAN IP changed'
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1590
description: |
    Identifies when a site reports more than one distinct WAN external IP within an hour, which may indicate ISP DHCP refresh, WAN reconfiguration, or routing hijack.
triggerOperator: gt
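The detection logic of this rule, replayed offline as an added example (not code from the Sentinel solution or its authors): it mirrors the KQL pipeline (1h window, isnotempty filter, make_set and arg_max per SiteId/SiteName, array_length > 1) over constructed rows shaped like the Unifi_SiteManager_Sites_CL columns the query reads, including an out-of-window row and a row with no WAN IP, so the grouping behaviour can be checked before the rule is deployed. The row shape, the make_row helper and the fixed NOW timestamp are assumptions.

```python
# Added example (not part of the Sentinel solution): re-implements the rule's
# KQL pipeline in Python over constructed Unifi_SiteManager_Sites_CL-style rows.
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # assumed "now" for ago(1h)


def make_row(minutes_ago, site_id, name, external_ip):
    """Build a constructed row carrying the nested columns the rule reads."""
    wan = {"externalIp": external_ip} if external_ip else {}
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago),
            "SiteId": site_id, "Meta": {"name": name},
            "SiteStatistics": {"wans": {"WAN": wan}}}


SAMPLE_ROWS = [  # constructed sample data
    make_row(50, "site-a", "Branch A", "203.0.113.10"),
    make_row(20, "site-a", "Branch A", "203.0.113.11"),    # IP changed -> alert
    make_row(30, "site-b", "Branch B", "198.51.100.5"),
    make_row(5, "site-b", "Branch B", "198.51.100.5"),     # stable -> no alert
    make_row(180, "site-b", "Branch B", "198.51.100.99"),  # outside ago(1h) -> ignored
    make_row(10, "site-c", "Branch C", None),              # no WAN IP -> dropped
]


def wan_ip_changed(rows, now=NOW, window=timedelta(hours=1)):
    """Return one alert dict per site that reported >1 distinct WAN IP in the window."""
    per_site = {}
    for row in rows:
        if row["TimeGenerated"] <= now - window:          # where TimeGenerated > ago(1h)
            continue
        ip = str(row["SiteStatistics"]["wans"]["WAN"].get("externalIp", ""))
        if not ip:                                        # where isnotempty(currentIp)
            continue
        key = (row["SiteId"], row["Meta"]["name"])        # by SiteId, SiteName
        site = per_site.setdefault(key, {"ips": [], "latest": None})
        if ip not in site["ips"]:                         # make_set(currentIp)
            site["ips"].append(ip)
        if site["latest"] is None or row["TimeGenerated"] > site["latest"][0]:
            site["latest"] = (row["TimeGenerated"], ip)   # arg_max(TimeGenerated, currentIp)
    alerts = []
    for (site_id, name), site in per_site.items():
        if len(site["ips"]) > 1:                          # where array_length(DistinctIps) > 1
            alerts.append({"TimeGenerated": site["latest"][0], "SiteId": site_id,
                           "SiteName": name, "CurrentIp": site["latest"][1],
                           "ObservedIps": site["ips"],
                           "Activity": f"WAN IP changed; observed: {site['ips']}"})
    return alerts
```

Because the rule groups only within a single 1h query period, a change that straddles two runs (one IP seen at 12:55, the next at 13:05) produces one distinct IP per run and does not fire; the example makes that window boundary explicit through the `now` and `window` parameters.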