Microsoft Sentinel Analytic Rules

UniFi Site Manager Device Offline

Id: f3fa4f3f-c8db-ae35-ee06-04de2dfac511
Rule name: UniFi Site Manager: Device Offline
Description: Identifies when a UniFi device transitions to offline status, which may indicate a network outage, power loss, or hardware failure requiring attention.
Severity: Medium
Tactics: Impact
Techniques: T1489
Required data connectors: UniFiSiteManagerConnectorDefinition
Kind: Scheduled
Query frequency: 15m
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudDeviceOffline.yaml
Version: 1.0.0
ARM template: f3fa4f3f-c8db-ae35-ee06-04de2dfac511.json
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: HostName
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPAddress
tactics:
- Impact
requiredDataConnectors:
- dataTypes:
  - Unifi_SiteManager_Devices_CL
  connectorId: UniFiSiteManagerConnectorDefinition
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    lookbackDuration: PT4H
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
id: f3fa4f3f-c8db-ae35-ee06-04de2dfac511
severity: Medium
subTechniques: []
status: Available
query: |
  // UniFi Device Offline Detection
  Unifi_SiteManager_Devices_CL
  | where TimeGenerated > ago(1h)
  | summarize arg_max(TimeGenerated, *) by Id
  | where Status == "offline"
  | extend OfflineMinutes = datetime_diff('minute', now(), TimeGenerated)
  | where OfflineMinutes >= 10
  | extend
      DeviceName = coalesce(Name, "Unnamed"),
      DeviceId = Id,
      Model = Model,
      IPAddress = Ip,
      MACAddress = Mac,
      ProductLine = ProductLine,
      FirmwareVersion = Version
  | extend HostName = DeviceName
  | project
      TimeGenerated,
      DeviceName,
      DeviceId,
      Model,
      IPAddress,
      MACAddress,
      ProductLine,
      Status = Status,
      OfflineMinutes,
      FirmwareVersion,
      HostName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudDeviceOffline.yaml
kind: Scheduled
queryPeriod: 1h
version: 1.0.0
name: 'UniFi Site Manager: Device Offline'
queryFrequency: 15m
triggerThreshold: 0
relevantTechniques:
- T1489
description: |
    Identifies when a UniFi device transitions to offline status, which may indicate a network outage, power loss, or hardware failure requiring attention.
triggerOperator: gt