![]() It certainly looks a bit suspicious, so this is something I’ll need to hunt from my internal network to figure out if it’s a valid or invalid query.Ī quick look into my Unifi dashboard reveals that I have a wireless client, that fits the MAC address (that I’ve blurred out above).The hardware and software used to complete the steps outlined in this document include:īefore you begin these procedures, make sure that: Here’s a sample from timed out DNS requests in my internal network:Īpparently, there is a device – of type U7HD, trying to query for DNS zone. Once you start getting results, you can drill down by selecting a query, and viewing the results. Once enabled (and this partially confirms your logs are in place, otherwise the enable will fail), you can go to Azure Sentinel > Hunting, and again search for Ubiquiti and select Run selected queries for all of them: Select all, and click Enable: Step 5: Hunting for suspicious activity Looks promising! Now, go to Azure Sentinel > Analytics, and search for Ubiquiti. ![]() Open the Log Analytics Workspace in Azure Portal, select Logs and query for Ubiquiti_CL: And the OMS Agent is pushing those logs to Azure Sentinel’s Log Analytics Workspace. ![]() Your Unifi controller (Cloud Key, Cloud Key Gen 2, UDM-Pro) is sending logs to your Linux VM. You have a Linux VM with the OMS Agent running. The infrastructure configuration is now complete. Step 4: Verifying that logs are visible in your Log Analytics Workspace If you made a typo in your nf, then the logs will tell you that the omsagent instance could not bind to the port you’ve selected. Now, within /var/opt/microsoft/omsagent/log you can tail omsagent.log to see if your messages are being sent properly. Modify the config file with the port + workspace ID settings.Copy nf to the destination directory (/etc/opt/microsoft/omsagent//conf/omsagent.d/).SSH to the server, and do the rest of the deployment: If you chose to go with an Azure-based host, click the provisioning link to deploy the OMS-based agent to your Linux box: This will give you a link to nf that you have to deploy to your Linux-based Syslog server. Once installed, hop to Azure Sentinel > Data connectors and open the Unifi connector. Within Azure Sentinel, select Solutions (preview) and install Ubiquiti Unifi (Preview). Step 3: Initiating Unifi solution configuration in Azure Sentinelīefore we can complete the Syslog configuration, we need to configure Azure Sentinel next. In UDM-Pro, which I’m using, it’s as simple as logging in and under settings selecting the remote host.ĭesignate a port also. Next, we need to configure our Unifi controller to ship logs to the Linux remote host. Perhaps a good idea to configure the VM with a static (fixed) IP address also! Step 2: Configuring the Unifi controller The first rule allows me to fiddle with the server over SSH, and the other rule is that I will leave it in production. I then configured the networking rules to allow traffic from my home network in a custom port to the Linux VM. That is 2 vCPUs and 8 GB of RAM, costing me about ~55 € a month. I provisioned a single VM with the Ubuntu 20.04 LTS image and selected Standard B2ms for size. This way, I don’t have to worry about crucial logs getting lost if I choose to reboot or patch my Hyper-V hosts. I opted to build a Linux-based virtual machine and host it in Azure. You can choose to use a Windows or a Linux server – either hosted locally or in Azure. How it works is that your Unifi controller will ship all logs to a standard Syslog service, and that service will then relay the logs to Azure Sentinel. Step 1: Provisioning a Syslog serverįirst, we need a place to host our Syslog server. Until today, when Microsoft did the heavy-lifting for me. I’ve thought about building the connector between Azure Sentinel (the SIEM solution in Azure) and Unifi but never got around that. The devices gather plenty of logs via my Wi-Fi access points, switches, firewalls, threat management, and other services. As you might recall, I run an Unifi-based network at home. Today, Microsoft published a preview solution for connecting logs from Unifi hardware to Azure Sentinel. I’ve previously written about getting started with Azure Sentinel, so if you’re not familiar with the service yet, take a look! In essence, a SIEM solution pulls all relevant log data and events into a single place and allows you to identify possible risks, threats, and malicious activity. ![]() I run Azure Sentinel in all of my Azure environments – it’s a SIEM solution, which stands for Security Information and Event Management. This is one of the more enjoyable projects I’ve done recently during my spare time. Thanks for reading my blog! If you have any questions or need a second opinion with anything Microsoft Azure, security or Power Platform related, don't hesitate to contact me. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |