Ubiquiti UniFi with Microsoft Sentinel
Introduction
So I just needed to try out this solution available in Microsoft Sentinel, or as it called now - Content Hub. The Ubiquiti UniFi solution will give us:
- 10 Analytic Rules
- 10 Hunting Queries
- 1 Workbook
- 1 Parser
- 1 Data Connector
| The parser are very interesting thing and we will take another deep dive in that topic later. But this ready-to-go solution have a parser to help us normalize our data into a function. You can then use function alias from any other queries (e.g. **UbiquitiAuditEvent | take 10**) |
Syslog
But first of all we need to have a Syslog server. I did choose to install a Ubuntu 20.04 VM inside of Azure with a B2s SKU and with a public IP address. Make sure to really use a secure way to send up your logs. An Azure Site-to-Site VPN should maybe be a more secure way.
So, install the solution and then go to Data Connectors blade, and search for Ubiquiti UniFi (Preview)
Select the VM you just installed and connect the Log Analytics agent.
During the installtion for the Log Analytics agent on the VM we can log in to our Unifi Controller and make the change for Syslog.
With the new GUI for the controller: Go to Settings -> System -> Application Configuration -> Remote Logging
The URL will be like: network/default/settings/system/controller
Enable Syslog, then set the Syslog Host (name or IP) and Syslog Port.
In the instructions we are then asked to access this link: https://aka.ms/sentinel-UbiquitiUnifi-conf
Save the file or copy the text, but we need to make some changes.
Change Line 4 to the Syslog port you have specified in the UniFi Controller. Change Line 14, 15, 16, 19 to the workspace ID you have for your Log Analytics Workspace. (You will find your Workspace ID at the buttom of the connectors page)
<source>
type udp
format none
port 22022
bind 0.0.0.0
delimiter "\n"
tag oms.api.Ubiquiti
</source>
<match oms.api.Ubiquiti>
type out_oms_api
log_level info
num_threads 5
omsadmin_conf_path /etc/opt/microsoft/omsagent/workspace_id/conf/omsadmin.conf
cert_path /etc/opt/microsoft/omsagent/workspace_id/certs/oms.crt
key_path /etc/opt/microsoft/omsagent/workspace_id/certs/oms.key
buffer_chunk_limit 10m
buffer_type file
buffer_path /var/opt/microsoft/omsagent/workspace_id/state/out_oms_api_ubiquiti*.buffer
buffer_queue_limit 10
buffer_queue_full_action drop_oldest_chunk
flush_interval 30s
retry_limit 10
retry_wait 30s
max_retry_wait 9m
</match>
Copy the file or text and connect (SSH) with Putty, or your choice of tooling, to the machine. In my case I did copy the final text above and created a new file at the path location specified below.
Change the path to the workpace ID you have.
Path: /etc/opt/microsoft/omsagent/
File Name: Ubiquiti.conf
After you have done above, you need to restart the service:
sudo /opt/microsoft/omsagent/bin/service_control restart
Data ingestion
After a short while you will find your new table Ubiquiti_CL and the great function called UbiquitiAuditEvent.
Summary
In the next post about Microsoft Sentinel and Ubiquiti UniFi we will look at the parser and the hunting mechanisms we got from the Content Hub.
I see you at the next post!
Happy hunting!
