// UniFi ISP SLA Breach Detection
let SLAThreshold = 99.9;
Unifi_SiteManager_ISPMetrics_CL
| where TimeGenerated > ago(1h)
| mv-expand period = Periods
| extend
metricTime = todatetime(period.metricTime),
uptime = todouble(period.data.wan.uptime),
downtime = toint(period.data.wan.downtime),
ispName = tostring(period.data.wan.ispName),
ispAsn = tostring(period.data.wan.ispAsn),
siteIdStr = tostring(SiteId)
// De-duplicate Periods: each poll returns the same hour buckets, so collapse to latest value per metricTime
| summarize arg_max(TimeGenerated, uptime, downtime, ispAsn) by siteIdStr, ispName, metricTime
| where metricTime > ago(1h)
| summarize
AvgUptime = round(avg(uptime), 3),
MinUptime = round(min(uptime), 3),
TotalDowntimeSeconds = sum(downtime),
MeasurementCount = count()
by SiteId = siteIdStr, ispName, ispAsn
| where AvgUptime < SLAThreshold
| extend
TimeGenerated = now(),
SLATarget = SLAThreshold,
UptimeGap = round(SLAThreshold - AvgUptime, 3)
| project
TimeGenerated,
SiteId = SiteId,
ISPName = ispName,
ISPAsn = ispAsn,
AvgUptimePct = AvgUptime,
MinUptimePct = MinUptime,
SLATargetPct = SLATarget,
UptimeGapPct = UptimeGap,
TotalDowntimeSeconds,
MeasurementCount
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: SiteId
- entityType: CloudApplication
fieldMappings:
- identifier: Name
columnName: ISPName
tactics:
- Impact
requiredDataConnectors:
- dataTypes:
- Unifi_SiteManager_ISPMetrics_CL
connectorId: UniFiSiteManagerConnectorDefinition
incidentConfiguration:
groupingConfiguration:
enabled: true
lookbackDuration: P1D
reopenClosedIncident: false
matchingMethod: AllEntities
createIncident: true
id: fecd4ab1-b24e-8413-9164-e3621c8d7caa
severity: Medium
subTechniques:
- T1499.002
status: Available
query: |
// UniFi ISP SLA Breach Detection
let SLAThreshold = 99.9;
Unifi_SiteManager_ISPMetrics_CL
| where TimeGenerated > ago(1h)
| mv-expand period = Periods
| extend
metricTime = todatetime(period.metricTime),
uptime = todouble(period.data.wan.uptime),
downtime = toint(period.data.wan.downtime),
ispName = tostring(period.data.wan.ispName),
ispAsn = tostring(period.data.wan.ispAsn),
siteIdStr = tostring(SiteId)
// De-duplicate Periods: each poll returns the same hour buckets, so collapse to latest value per metricTime
| summarize arg_max(TimeGenerated, uptime, downtime, ispAsn) by siteIdStr, ispName, metricTime
| where metricTime > ago(1h)
| summarize
AvgUptime = round(avg(uptime), 3),
MinUptime = round(min(uptime), 3),
TotalDowntimeSeconds = sum(downtime),
MeasurementCount = count()
by SiteId = siteIdStr, ispName, ispAsn
| where AvgUptime < SLAThreshold
| extend
TimeGenerated = now(),
SLATarget = SLAThreshold,
UptimeGap = round(SLAThreshold - AvgUptime, 3)
| project
TimeGenerated,
SiteId = SiteId,
ISPName = ispName,
ISPAsn = ispAsn,
AvgUptimePct = AvgUptime,
MinUptimePct = MinUptime,
SLATargetPct = SLATarget,
UptimeGapPct = UptimeGap,
TotalDowntimeSeconds,
MeasurementCount
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudISPSLABreach.yaml
kind: Scheduled
queryPeriod: 1h
version: 1.0.1
name: 'UniFi Site Manager: ISP SLA Breach'
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1499
description: |
Identifies when ISP uptime falls below the SLA threshold. Useful for tracking SLA compliance and supporting ISP accountability conversations.
triggerOperator: gt
