What Changed
New community solution that ingests telemetry from UniFi Site Manager cloud API into four custom tables (Unifi_SiteManager_Sites_CL, Unifi_SiteManager_Devices_CL, Unifi_SiteManager_Hosts_CL, Unifi_SiteManager_ISPMetrics_CL) via a single CCF connector with four polling rules.
Data Source
- Product: Ubiquiti UniFi Site Manager cloud API
- Log types: Sites metadata, device inventory, host discovery, ISP performance metrics
- Polling frequency: 5 minutes across all four endpoints (/v1/sites, /v1/devices, /v1/hosts, /ea/isp-metrics/1h)
- Requirements: UniFi cloud API key (all tier levels supported, no Pro+ dependency)
Detection Surface Unlocked
Network infrastructure monitoring with a focus on security posture gaps and defense evasion:
Security Posture (8 rules)
- IPS/IDS disabled or misconfigured — detects intrusion prevention being turned off (T1562.001, T1562.006)
- Firmware security gaps — major/minor version drift on consoles/gateways where security advisories typically apply (T1190, T1200)
- System log shipping disabled — defense evasion tactic to blind monitoring (T1562.008)
- New device adoption — unauthorized network infrastructure expansion (T1200)
- Controller connection state changes — potential compromise or availability impact
Infrastructure Resilience (9 rules)
- ISP performance degradation — downtime, high latency, packet loss, SLA breaches affecting business continuity (T1498, T1499)
- WAN failover events — secondary WAN activation indicating primary circuit issues (T1499.002)
- Multiple devices offline — potential DoS or infrastructure attack (T1498.001)
- External WAN IP rotation — network reconnaissance or infrastructure changes (T1590.005)
Operations (4 rules)
- Firmware update availability — patch management visibility
- Site health critical — overall infrastructure health alerting
- WiFi quality degradation — wireless infrastructure performance
- Data connector health — ingestion monitoring
Ingestion Mechanism
A single CCF connector card deploys four RestApiPoller instances from one API key entry. Ingestion is DCR-based into the four custom tables, carrying the structured JSON returned by the UniFi cloud endpoints.
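Added example, not code from the solution: three of the device rules listed above (devices offline, new device adopted, console firmware drift) expressed as a diff between two consecutive 5-minute polls of /v1/devices. The records are constructed, and the field names id, type, status and firmware are assumptions, since the Unifi_SiteManager_Devices_CL schema is not reproduced on this page.

```python
"""Snapshot-diff logic for three device rules: offline, newly adopted, firmware drift."""

# Constructed records from two consecutive polls (t0 and t0+5min) of /v1/devices.
# Keys id/type/status/firmware are assumed for illustration, not the real table schema.
PREV = [
    {"id": "gw-1", "type": "gateway", "status": "online", "firmware": "4.0.6"},
    {"id": "gw-2", "type": "gateway", "status": "online", "firmware": "3.2.12"},
    {"id": "sw-1", "type": "switch",  "status": "online", "firmware": "7.0.50"},
    {"id": "ap-1", "type": "ap",      "status": "online", "firmware": "6.6.77"},
    {"id": "ap-2", "type": "ap",      "status": "online", "firmware": "6.6.77"},
]
CURR = [
    {"id": "gw-1", "type": "gateway", "status": "online",  "firmware": "4.0.6"},
    {"id": "gw-2", "type": "gateway", "status": "online",  "firmware": "3.2.12"},
    {"id": "sw-1", "type": "switch",  "status": "offline", "firmware": "7.0.50"},
    {"id": "ap-1", "type": "ap",      "status": "offline", "firmware": "6.6.77"},
    {"id": "ap-2", "type": "ap",      "status": "offline", "firmware": "6.6.77"},
    {"id": "ap-9", "type": "ap",      "status": "online",  "firmware": "6.5.0"},  # absent from PREV
]

def by_id(snapshot):
    return {d["id"]: d for d in snapshot}

def newly_offline(prev, curr):
    """Device IDs that were online in the previous poll and are offline now."""
    p = by_id(prev)
    return sorted(d["id"] for d in curr
                  if d["status"] == "offline" and p.get(d["id"], {}).get("status") == "online")

def newly_adopted(prev, curr):
    """Device IDs present now but absent from the previous poll (unplanned adoption)."""
    seen = set(by_id(prev))
    return sorted(d["id"] for d in curr if d["id"] not in seen)

def firmware_drift(curr, device_type):
    """Devices of one type whose major.minor lags the newest major.minor of that type."""
    def mm(version):  # "4.0.6" -> (4, 0); the patch level is ignored on purpose
        major, minor = version.split(".")[:2]
        return (int(major), int(minor))
    fleet = [d for d in curr if d["type"] == device_type]
    if not fleet:
        return []
    newest = max(mm(d["firmware"]) for d in fleet)
    return sorted(d["id"] for d in fleet if mm(d["firmware"]) < newest)

def evaluate(prev, curr, offline_threshold=3):
    """Run the three rules over one pair of polls; keys mirror the rule names above."""
    offline = newly_offline(prev, curr)
    return {
        "DeviceOffline": offline,
        "MultipleDevicesOffline": len(offline) >= offline_threshold,
        "NewDeviceAdopted": newly_adopted(prev, curr),
        "ConsoleSecurityFirmwareGap": firmware_drift(curr, "gateway"),
    }
```

In the real solution the same comparison is done in KQL over successive ingestion windows of Unifi_SiteManager_Devices_CL; the threshold of 3 here is an assumed value.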
MITRE Coverage
Primary techniques covered by included detections: T1071 (Application Layer Protocol), T1071.001 (Web Protocols), T1098 (Account Manipulation), T1133 (External Remote Services), T1190 (Exploit Public-Facing Application), T1200 (Hardware Additions), T1489 (Service Stop), T1498 (Network Denial of Service), T1498.001 (Direct Network Flood), T1499 (Endpoint Denial of Service), T1499.002 (Service Exhaustion Flood), T1562 (Impair Defenses), T1562.001 (Disable or Modify Tools), T1562.006 (Indicator Blocking), T1562.008 (Disable Cloud Logs), T1590 (Gather Victim Network Information), T1590.005 (IP Addresses), T1595 (Active Scanning).
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/Unifi_SiteManager_Devices_CL.json
.script/tests/KqlvalidationsTests/CustomTables/Unifi_SiteManager_Hosts_CL.json
.script/tests/KqlvalidationsTests/CustomTables/Unifi_SiteManager_ISPMetrics_CL.json
.script/tests/KqlvalidationsTests/CustomTables/Unifi_SiteManager_Sites_CL.json
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Logos/UnifiSiteManager.svg
Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudConsoleSecurityFirmwareGap.yaml
Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudControllerConnectionStateChange.yaml
Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudDataConnectorHealth.yaml
Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudDeviceOffline.yaml
Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudExternalWANIPchanged.yaml
Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudFirmwareUpdateAvailable.yaml
Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudIPSIDSdisabledormisconfigured.yaml
Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudIPSsignaturecountdropped50.yaml
Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudISPDowntime.yaml
Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudISPHighLatency.yaml
Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudISPPacketLoss.yaml
Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudISPSLABreach.yaml
Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudMultipleDevicesOffline.yaml
Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudNewDeviceAdopted.yaml
Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudNewWAN2secondaryissuerecorded.yaml
Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudNewWANissueindexrecorded.yaml
Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudNewcriticalnotificationsappeared.yaml
Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudPendingfirmwareupdatesoutstandingfor7d.yaml
Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudSiteHealthCritical.yaml
Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudSystemlogshippingdisabled.yaml
Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudWANuptimebelow99.yaml
Solutions/UniFi Site Manager (CCF)/Analytic Rules/UniFiCloudWiFiqualitydegradedhighTXretry.yaml
Solutions/UniFi Site Manager (CCF)/Data Connectors/UnifiSiteManagerLogs_ccf/UnifiSiteManager_ConnectorDefinition.json
Solutions/UniFi Site Manager (CCF)/Data Connectors/UnifiSiteManagerLogs_ccf/UnifiSiteManager_DCR.json
Solutions/UniFi Site Manager (CCF)/Data Connectors/UnifiSiteManagerLogs_ccf/UnifiSiteManager_PollerConfig.json
Solutions/UniFi Site Manager (CCF)/Data Connectors/UnifiSiteManagerLogs_ccf/UnifiSiteManager_tables.json
Solutions/UniFi Site Manager (CCF)/Hunting Queries/UniFiCloudConsoleGroupChurn.yaml
Solutions/UniFi Site Manager (CCF)/Hunting Queries/UniFiCloudDeviceFlapping.yaml
Solutions/UniFi Site Manager (CCF)/Hunting Queries/UniFiCloudFirmwareDriftHotspots.yaml
Solutions/UniFi Site Manager (CCF)/Hunting Queries/UniFiCloudFirmwareVersionDiversity.yaml
Solutions/UniFi Site Manager (CCF)/Hunting Queries/UniFiCloudLongTailLatencyHotspots.yaml
Solutions/UniFi Site Manager (CCF)/Hunting Queries/UniFiCloudOffHoursDeviceAdoption.yaml
Solutions/UniFi Site Manager (CCF)/Hunting Queries/UniFiCloudPersistentWANIssues.yaml
Solutions/UniFi Site Manager (CCF)/Hunting Queries/UniFiCloudWANIPGeoDeviation.yaml
Solutions/UniFi Site Manager (CCF)/Package/testParameters.json
Solutions/UniFi Site Manager (CCF)/README.md
Solutions/UniFi Site Manager (CCF)/Workbooks/Images/Preview/UnifiSiteManagerBlack1.png
Solutions/UniFi Site Manager (CCF)/Workbooks/Images/Preview/UnifiSiteManagerBlack2.png
Solutions/UniFi Site Manager (CCF)/Workbooks/Images/Preview/UnifiSiteManagerBlack3.png
Solutions/UniFi Site Manager (CCF)/Workbooks/Images/Preview/UnifiSiteManagerWhite1.png
Solutions/UniFi Site Manager (CCF)/Workbooks/Images/Preview/UnifiSiteManagerWhite2.png
Solutions/UniFi Site Manager (CCF)/Workbooks/Images/Preview/UnifiSiteManagerWhite3.png
Solutions/UniFi Site Manager (CCF)/Workbooks/UnifiSiteManager.json
Workbooks/Images/Logos/UnifiSiteManager.svg
Workbooks/Images/Preview/UnifiSiteManagerBlack1.png
Workbooks/Images/Preview/UnifiSiteManagerBlack2.png
Workbooks/Images/Preview/UnifiSiteManagerBlack3.png
Workbooks/Images/Preview/UnifiSiteManagerWhite1.png
Workbooks/Images/Preview/UnifiSiteManagerWhite2.png
Workbooks/Images/Preview/UnifiSiteManagerWhite3.png
Workbooks/WorkbooksMetadata.json
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_UnifiSiteManager.json, createUiDefinition.json, mainTemplate.json)