⚠️ Unpublished: This item is from a solution that is not yet published on Azure Marketplace or not installed in Content Hub.
| Attribute | Value |
|---|---|
| Publisher | UniFi Site Manager (CCF) |
| Support Tier | Community |
| Support Link | https://github.com/Azure/Azure-Sentinel/issues |
| Categories | Networking,Security - Network |
| Version | 3.0.0 |
| Author | noodlemctwoodle - ccfconnectors.county118@passmail.com |
| First Published | 2026-05-11 |
| Last Updated | 2026-05-11 |
| Solution Folder | UniFi Site Manager (CCF) |
The UniFi Site Manager solution for Microsoft Sentinel provides cloud-side telemetry ingestion via the Site Manager API for sites, devices, hosts and ISP metrics. It ships analytics rules covering ISP downtime, WAN issues, IPS/IDS posture, firmware drift, device offline events, configuration changes and security signals, plus an operations workbook for at-a-glance estate health.
Data Connector: UniFi Site Manager (CCF) — single Connect deploys 4 polling rules with a single API key.
Underlying API tier: the Site Manager API is available on all UniFi cloud plans. The Audit log endpoint requires Pro+; this solution does not depend on it.
Pre-requisites: A UniFi Site Manager API key is required. Generate one at https://unifi.ui.com/api.
This solution provides 1 data connector(s):
This solution uses 4 table(s):
| Table | Used By Connectors | Used By Content |
|---|---|---|
| Unifi_SiteManager_Devices_CL | UniFi Site Manager (CCF) | Analytics, Hunting, Workbooks |
| Unifi_SiteManager_Hosts_CL | UniFi Site Manager (CCF) | Analytics, Hunting, Workbooks |
| Unifi_SiteManager_ISPMetrics_CL | UniFi Site Manager (CCF) | Analytics, Hunting, Workbooks |
| Unifi_SiteManager_Sites_CL | UniFi Site Manager (CCF) | Analytics, Hunting, Workbooks |
The following 1 table(s) are used internally by this solution's content items:
| Table | Used By Connectors | Used By Content |
|---|---|---|
| SecurityIncident | - | Workbooks |
This solution includes 31 content item(s):
| Content Type | Count |
|---|---|
| Analytic Rules | 22 |
| Hunting Queries | 8 |
| Workbooks | 1 |
| Name | Tables Used |
|---|---|
| UnifiSiteManager | Unifi_SiteManager_Devices_CL, Unifi_SiteManager_Hosts_CL, Unifi_SiteManager_ISPMetrics_CL, Unifi_SiteManager_Sites_CL. Internal use: SecurityIncident |
📄 Source: UniFi Site Manager (CCF)/README.md
The UniFi Site Manager solution for Microsoft Sentinel ingests cloud-side telemetry from the UniFi Site Manager API and ships analytics rules and a workbook for monitoring UniFi-managed networks.
Unifi_SiteManager_Sites_CL, Unifi_SiteManager_Devices_CL, Unifi_SiteManager_Hosts_CL, Unifi_SiteManager_ISPMetrics_CL
Site Manager API endpoints used by this connector are available on all UniFi cloud plans. The connector does not depend on UniFi network flow logs or the audit log API, both of which require Pro+.
State-based rules (IPS/IDS disabled, WAN issues, critical notifications, system-log shipping disabled) fire only on state transitions — they detect the change from enabled → disabled, not the persistent state. This keeps incident volume proportional to actual events and avoids alert storms during sustained outages.
ISP performance rules (downtime, latency, packet loss, SLA) operate on rolling windows of the Unifi_SiteManager_ISPMetrics_CL table.
This is a community-supported solution maintained by Fetch Labs. File issues at https://github.com/noodlemctwoodle/Azure-Sentinel/issues.
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.0 | 22-05-2026 | Initial Solution Release - UniFi Site Manager (CCF) with single-card multi-poller (sites, hosts, devices, ISP metrics), 22 analytic rules, 8 hunting queries, operations workbook and Unifi_SiteManager_* custom tables |