Microsoft Sentinel Analytic Rules

UniFi Site Manager System log shipping disabled

Id: f32950bc-6553-4c03-2686-a9c29ef318e8
Rule name: UniFi Site Manager: System log shipping disabled
Description: Identifies when a UniFi host transitions cloudSystemLogState from enabled to disabled. This defense-evasion signal may indicate an attacker silencing audit trails.
Severity: High
Tactics: DefenseEvasion
Techniques: T1562
Required data connectors: UniFiSiteManagerConnectorDefinition
Kind: Scheduled
Query frequency: 15m
Query period: 45m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudSystemlogshippingdisabled.yaml
Version: 1.0.1
Arm template: f32950bc-6553-4c03-2686-a9c29ef318e8.json
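// Baseline: the most recent cloudSystemLogState each host reported before the
// current evaluation window. The window now spans the whole 45m queryPeriod
// (previously ago(30m) .. ago(15m)), so a host whose last report landed 30-45
// minutes ago still has a baseline row and the transition is not silently
// dropped by the inner join below. Any row that was in the old window is also
// the arg_max of the wider one, so existing detections are unchanged.
let prev = Unifi_SiteManager_Hosts_CL
    | where TimeGenerated between (ago(45m) .. ago(15m))
    | summarize arg_max(TimeGenerated, *) by Id
    | project id_s = Id, prevState = tostring(ReportedState.cloudSystemLogState);
// Current: the latest report per host within the 15m queryFrequency window.
Unifi_SiteManager_Hosts_CL
| where TimeGenerated > ago(15m)
| summarize arg_max(TimeGenerated, *) by Id
| extend id_s = Id,
         SiteName = tostring(ReportedState.name),
         currentState = tostring(ReportedState.cloudSystemLogState)
// Inner join: a host with no baseline row is dropped, not alerted on.
| join kind=inner prev on id_s
// Fire only on the enabled -> disabled transition. A host that was already
// disabled, or whose state is absent (tostring yields ''), does not match.
| where currentState == 'disabled' and prevState == 'enabled'
| extend Activity = strcat('Cloud system log shipping was disabled on host ', SiteName, ' (', prevState, ' -> ', currentState, ')')
// TimeGenerated is the current (left-side) row's timestamp.
| project TimeGenerated, Id, SiteName, Activity, prevState, currentState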
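# Entity mapping: the host Id is surfaced as the HostName entity. SiteName is
# mapped to DnsDomain although it is the UniFi site label from ReportedState.name,
# not necessarily a DNS domain. NOTE(review): confirm this is the intended entity.
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: Id
  - identifier: DnsDomain
    columnName: SiteName
tactics:
- DefenseEvasion
requiredDataConnectors:
- dataTypes:
  - Unifi_SiteManager_Hosts_CL
  connectorId: UniFiSiteManagerConnectorDefinition
# Alerts for the same set of mapped entities are grouped into one incident for 12h;
# a closed incident is not reopened by a new match.
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    lookbackDuration: PT12H
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
id: f32950bc-6553-4c03-2686-a9c29ef318e8
severity: High
subTechniques:
- T1562.006
- T1562.008
status: Available
# The baseline ("prev") window covers the full 45m queryPeriod (it was
# ago(30m) .. ago(15m)), so a host whose last report was 30-45 minutes ago still
# gets a baseline row instead of being dropped by the inner join.
query: |
  // Baseline: the most recent cloudSystemLogState each host reported before the
  // current evaluation window, taken over the whole 45m queryPeriod.
  let prev = Unifi_SiteManager_Hosts_CL
      | where TimeGenerated between (ago(45m) .. ago(15m))
      | summarize arg_max(TimeGenerated, *) by Id
      | project id_s = Id, prevState = tostring(ReportedState.cloudSystemLogState);
  // Current: the latest report per host within the 15m queryFrequency window.
  Unifi_SiteManager_Hosts_CL
  | where TimeGenerated > ago(15m)
  | summarize arg_max(TimeGenerated, *) by Id
  | extend id_s = Id,
           SiteName = tostring(ReportedState.name),
           currentState = tostring(ReportedState.cloudSystemLogState)
  // Inner join: a host with no baseline row is dropped, not alerted on.
  | join kind=inner prev on id_s
  // Fire only on the enabled -> disabled transition. A host that was already
  // disabled, or whose state is absent (tostring yields ''), does not match.
  | where currentState == 'disabled' and prevState == 'enabled'
  | extend Activity = strcat('Cloud system log shipping was disabled on host ', SiteName, ' (', prevState, ' -> ', currentState, ')')
  // TimeGenerated is the current (left-side) row's timestamp.
  | project TimeGenerated, Id, SiteName, Activity, prevState, currentState
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudSystemlogshippingdisabled.yaml
kind: Scheduled
# queryPeriod is the data lookback available to each run; queryFrequency is how
# often the rule runs. The query's ago() windows are sized to these two values.
queryPeriod: 45m
version: 1.0.1
name: 'UniFi Site Manager: System log shipping disabled'
queryFrequency: 15m
# Any row returned (count > 0) raises an alert.
triggerThreshold: 0
relevantTechniques:
- T1562
description: |
    Identifies when a UniFi host transitions cloudSystemLogState from enabled to disabled. This defense-evasion signal may indicate an attacker silencing audit trails.
triggerOperator: gt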