Azure-Sentinel/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiTopFirewallRules.yaml

id: c7bb439e-fb88-4ca2-bbc3-47779ac42a22
name: Ubiquiti - Top firewall rules
description: |
  'Query shows list of top triggered firewall rules.'  
severity: Medium
requiredDataConnectors:
  - connectorId: UbiquitiUnifi
    dataTypes:
      - UbiquitiAuditEvent
tactics:
  - CommandAndControl
  - Exfiltration
relevantTechniques:
  - T1572
  - T1571
  - T1071
query: |
  UbiquitiAuditEvent
  | where TimeGenerated > ago(24h)
  | where EventCategory =~ 'firewall'
  | summarize count() by NetworkRuleName
  | top 10 by count_