Ubiquiti UniFi

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Solutions Index

---

Attribute	Value
Publisher	Microsoft Corporation
Support Tier	Microsoft
Support Link	https://support.microsoft.com
Categories	domains
Version	3.0.3
Author	Microsoft - support@microsoft.com
First Published	2022-06-01
Last Updated	2026-01-12
Solution Folder	Ubiquiti UniFi
Marketplace	Azure Marketplace · Rating: ★☆☆☆☆ 1.0/5 (1 ratings) · Popularity: 🟢 High (94%)
Pre-requisites	CustomLogsAma

The Ubiquiti UniFi solution provides the capability to ingest Ubiquiti UniFi firewall, dns, ssh, AP events into Microsoft Sentinel.

This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.

NOTE: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

Contents

• Pre-requisites
• Data Connectors
• Tables Used
• Content Items

Pre-requisites

This solution depends on 1 other solution(s):

Solution
CustomLogsAma

Data Connectors

This solution has 1 discovered data connector(s)⚠️ (not in Solution definition):

• [Deprecated] Ubiquiti UniFi ⚠️

Connectors from dependency solutions:

• Custom logs via AMA 🔶 (dependency on CustomLogsAma)

🔍 Discovered: This item was discovered by scanning the solution folder but is not listed in the Solution JSON file.

🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Tables Used

This solution uses 17 table(s):

Table	Used By Connectors	Used By Content
ApacheHTTPServer_CL	Custom logs via AMA (dependency)	-
JBossEvent_CL	Custom logs via AMA (dependency)	-
JuniperIDP_CL	Custom logs via AMA (dependency)	-
MarkLogicAudit_CL	Custom logs via AMA (dependency)	-
MongoDBAudit_CL	Custom logs via AMA (dependency)	-
NGINX_CL	Custom logs via AMA (dependency)	-
OracleWebLogicServer_CL	Custom logs via AMA (dependency)	-
PostgreSQL_CL	Custom logs via AMA (dependency)	-
SecurityBridgeLogs_CL	Custom logs via AMA (dependency)	-
SquidProxy_CL 🔶	Custom logs via AMA (dependency)	-
ThreatIntelligenceIndicator	-	Analytics
Tomcat_CL	Custom logs via AMA (dependency)	-
Ubiquiti_CL	Custom logs via AMA (dependency), [Deprecated] Ubiquiti UniFi	Analytics, Hunting, Workbooks
VectraStream_CL 🔶	Custom logs via AMA (dependency)	-
ZPA_CL	Custom logs via AMA (dependency)	-
meraki_CL	Custom logs via AMA (dependency)	-
vcenter_CL	Custom logs via AMA (dependency)	-

🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Content Items

This solution includes 22 content item(s):

Content Type	Count
Analytic Rules	10
Hunting Queries	10
Workbooks	1
Parsers	1

Analytic Rules

Name	Severity	Tactics	Tables Used
Ubiquiti - Connection to known malicious IP or C2	Medium	Exfiltration, CommandAndControl	ThreatIntelligenceIndicator Ubiquiti_CL
Ubiquiti - Large ICMP to external server	Medium	Exfiltration, CommandAndControl	Ubiquiti_CL
Ubiquiti - Possible connection to cryptominning pool	Medium	CommandAndControl	Ubiquiti_CL
Ubiquiti - RDP from external source	Medium	InitialAccess	Ubiquiti_CL
Ubiquiti - SSH from external source	Medium	InitialAccess	Ubiquiti_CL
Ubiquiti - Unknown MAC Joined AP	Medium	InitialAccess	Ubiquiti_CL
Ubiquiti - Unusual DNS connection	Medium	CommandAndControl	Ubiquiti_CL
Ubiquiti - Unusual FTP connection to external server	Medium	Exfiltration, CommandAndControl	Ubiquiti_CL
Ubiquiti - Unusual traffic	Medium	CommandAndControl	Ubiquiti_CL
Ubiquiti - connection to non-corporate DNS server	Medium	CommandAndControl, Exfiltration	Ubiquiti_CL

Hunting Queries

Name	Tactics	Tables Used
Ubiquiti - DNS requests timed out	CommandAndControl, Exfiltration	Ubiquiti_CL
Ubiquiti - Hidden internal DNS server	CommandAndControl	Ubiquiti_CL
Ubiquiti - Rare internal ports	CommandAndControl	Ubiquiti_CL
Ubiquiti - Top blocked destinations	CommandAndControl, Exfiltration	Ubiquiti_CL
Ubiquiti - Top blocked external services	CommandAndControl, Exfiltration	Ubiquiti_CL
Ubiquiti - Top blocked internal services	InitialAccess, CommandAndControl	Ubiquiti_CL
Ubiquiti - Top blocked sources	CommandAndControl, Exfiltration	Ubiquiti_CL
Ubiquiti - Top firewall rules	CommandAndControl, Exfiltration	Ubiquiti_CL
Ubiquiti - Unusual number of subdomains for top level domain (TLD)	CommandAndControl	Ubiquiti_CL
Ubiquiti - Vulnerable devices	InitialAccess	Ubiquiti_CL

Workbooks

Name	Tables Used
Ubiquiti	Ubiquiti_CL

Parsers

Name	Description	Tables Used
UbiquitiAuditEvent	-	Ubiquiti_CL (read)

Release Notes

Version	Date Modified (DD-MM-YYYY)	Change History
3.0.4	17-12-2025	Updated UbiquitiAuditEvent parser for new log format.
3.0.3	04-12-2024	Removed Deprecated Data Connector
3.0.2	09-08-2024	Deprecating data connectors
3.0.1	16-07-2024	Updated the Analytic rules for missing TTP
3.0.0	23-01-2024	Updated the Data Connector by removing preview-tag

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Solutions Index