2 minute read


So I just needed to try out this solution available in Microsoft Sentinel, or as it called now - Content Hub. The Ubiquiti UniFi solution will give us:

  • 10 Analytic Rules
  • 10 Hunting Queries
  • 1 Workbook
  • 1 Parser
  • 1 Data Connector
The parser are very interesting thing and we will take another deep dive in that topic later. But this ready-to-go solution have a parser to help us normalize our data into a function. You can then use function alias from any other queries (e.g. **UbiquitiAuditEvent take 10**)


But first of all we need to have a Syslog server. I did choose to install a Ubuntu 20.04 VM inside of Azure with a B2s SKU and with a public IP address. Make sure to really use a secure way to send up your logs. An Azure Site-to-Site VPN should maybe be a more secure way.

So, install the solution and then go to Data Connectors blade, and search for Ubiquiti UniFi (Preview)

Select the VM you just installed and connect the Log Analytics agent.

During the installtion for the Log Analytics agent on the VM we can log in to our Unifi Controller and make the change for Syslog.
With the new GUI for the controller: Go to Settings -> System -> Application Configuration -> Remote Logging
The URL will be like: network/default/settings/system/controller

Enable Syslog, then set the Syslog Host (name or IP) and Syslog Port.

In the instructions we are then asked to access this link: https://aka.ms/sentinel-UbiquitiUnifi-conf

Save the file or copy the text, but we need to make some changes.

Change Line 4 to the Syslog port you have specified in the UniFi Controller. Change Line 14, 15, 16, 19 to the workspace ID you have for your Log Analytics Workspace. (You will find your Workspace ID at the buttom of the connectors page)

  type udp
  format none
  port 22022
  delimiter "\n"
  tag oms.api.Ubiquiti

<match oms.api.Ubiquiti>
  type out_oms_api
  log_level info
  num_threads 5
  omsadmin_conf_path /etc/opt/microsoft/omsagent/workspace_id/conf/omsadmin.conf
  cert_path /etc/opt/microsoft/omsagent/workspace_id/certs/oms.crt
  key_path /etc/opt/microsoft/omsagent/workspace_id/certs/oms.key
  buffer_chunk_limit 10m
  buffer_type file
  buffer_path /var/opt/microsoft/omsagent/workspace_id/state/out_oms_api_ubiquiti*.buffer
  buffer_queue_limit 10
  buffer_queue_full_action drop_oldest_chunk
  flush_interval 30s
  retry_limit 10
  retry_wait 30s
  max_retry_wait 9m

Copy the file or text and connect (SSH) with Putty, or your choice of tooling, to the machine. In my case I did copy the final text above and created a new file at the path location specified below.

Change the path to the workpace ID you have.

Path: /etc/opt/microsoft/omsagent//conf/omsagent.d/

File Name: Ubiquiti.conf

After you have done above, you need to restart the service:

sudo /opt/microsoft/omsagent/bin/service_control restart

Data ingestion

After a short while you will find your new table Ubiquiti_CL and the great function called UbiquitiAuditEvent.


In the next post about Microsoft Sentinel and Ubiquiti UniFi we will look at the parser and the hunting mechanisms we got from the Content Hub.

I see you at the next post!

Happy hunting!

Ninja Cat