Ubiquiti UniFi integration
You can integrate Ubiquiti UniFi with Sophos Central so that it sends alerts to Sophos for analysis.
This page gives you an overview of the integration.
Ubiquiti UniFi overview
Ubiquiti UniFi gateways manage and monitor network traffic, applying predefined rules and policies to protect the perimeter of organisational networks. Through a centralised platform, the UniFi firewall lets administrators manage network security configurations efficiently, helping to protect connected devices and transmitted data against vulnerabilities and attacks.
What we ingest
Syslog messages generated from Ubiquiti UniFi gateway devices, including the following models:
- USG
- UXG
- UDM
Filtering
We filter alerts as follows:
- Drop alerts that are not in valid CEF format.
- Drop alerts that do not come from the IDS/IPS feature (intrusion detection and prevention).
Sample threat mappings
{"alertType": "ET SCAN MS Terminal Server Traffic on Non-standard Port", "threatId": "T1571", "threatName": "Non-Standard Port"}
{"alertType": "USERNAME made changes to DEVICENAME DEVICE.", "threatId": "T1562.004", "threatName": "Impair Defenses: Disable or Modify System Firewall"}
{"alertType": "ET DROP Dshield Block Listed Source group 1", "threatId": "TA0001", "threatName": "Initial Access"}
{"alertType": "ET SCAN Zmap User-Agent (Inbound)", "threatId": "T1046", "threatName": "Network Service Scanning"}
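The two filtering rules and the sample threat mappings above, worked through as an added example that is not Sophos's or Ubiquiti's code: it parses CEF, drops lines that are not valid CEF or not IDS/IPS, and maps the surviving alert names (including the USERNAME/DEVICENAME template) to the page's threat IDs. The sample syslog lines and the "IDS-"/"IPS-" signature-ID convention used to recognise IDS/IPS events are constructed assumptions, not real UniFi output.

```python
import re

# Sample threat mappings from the page: alert name template -> (threatId, threatName);
# USERNAME and DEVICENAME are placeholders that stand for any non-empty text.
THREAT_MAPPINGS = [
    ("ET SCAN MS Terminal Server Traffic on Non-standard Port", "T1571", "Non-Standard Port"),
    ("USERNAME made changes to DEVICENAME DEVICE.", "T1562.004",
     "Impair Defenses: Disable or Modify System Firewall"),
    ("ET DROP Dshield Block Listed Source group 1", "TA0001", "Initial Access"),
    ("ET SCAN Zmap User-Agent (Inbound)", "T1046", "Network Service Scanning"),
]

def _template_regex(template):   # placeholders become capture groups; the rest is matched literally
    return re.compile("^" + re.sub("USERNAME|DEVICENAME", r"(.+?)", re.escape(template)) + "$")

MAPPING_PATTERNS = [(_template_regex(t), tid, tname) for t, tid, tname in THREAT_MAPPINGS]
HEADER_PIPE = re.compile(r"(?<!\\)\|")            # a '|' that is not escaped as '\|'
EXT_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # key=value pairs; values may contain spaces
HEADER_KEYS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")

def parse_cef(line):
    """Return header fields plus an 'ext' dict, or None if the line is not valid CEF."""
    parts = HEADER_PIPE.split(line, maxsplit=7) if line.startswith("CEF:") else []
    if len(parts) != 8:                           # 7 header fields, then the extension
        return None
    event = {k: v.replace(r"\|", "|").replace("\\\\", "\\") for k, v in zip(HEADER_KEYS, parts)}
    event["version"] = event["version"][4:]       # strip the 'CEF:' prefix
    event["ext"] = {k: v.strip() for k, v in EXT_KV.findall(parts[7])}
    return event

def is_ids_ips(event):
    # Assumption, not from the page: IDS/IPS signature IDs are prefixed 'IDS-' or 'IPS-'.
    return event["signature_id"].startswith(("IDS-", "IPS-"))

def map_threat(name):
    return next(((tid, tname) for rx, tid, tname in MAPPING_PATTERNS if rx.match(name)), None)

def filter_alerts(lines):
    """Apply the page's two drop rules, then attach the matching sample threat mapping."""
    kept = []
    for line in lines:
        event = parse_cef(line)
        if event is None or not is_ids_ips(event):   # rule 1: not CEF; rule 2: not IDS/IPS
            continue
        tid, tname = map_threat(event["name"]) or ("unmapped", "unmapped")
        kept.append({"alert": event["name"], "threatId": tid, "threatName": tname,
                     "src": event["ext"].get("src")})
    return kept

# Constructed sample syslog payloads (not real UniFi output); only the first two survive filtering.
SAMPLE_LINES = [
    "CEF:0|Ubiquiti|UniFi|7.0|IPS-2010935|ET SCAN Zmap User-Agent (Inbound)|5|src=198.51.100.7 dst=192.0.2.10 dpt=80",
    "CEF:0|Ubiquiti|UniFi|7.0|IDS-2400000|ET DROP Dshield Block Listed Source group 1|7|src=203.0.113.9 act=blocked",
    "CEF:0|Ubiquiti|UniFi|7.0|DHCP-1|DHCP lease granted|1|dst=192.0.2.44",
    "<14>Jan  1 00:00:00 udm dnsmasq[123]: query[A] example.com from 192.0.2.5",
]
```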