CiscoISE - Command executed with the highest privileges from new IP

let lbperiod = 14d;
let lbtime = 15m;
let knownAdminIpList =
CiscoISEEvent
| where TimeGenerated between (ago(lbperiod) .. ago(lbtime))
| where PrivilegeLevel == '15'
| summarize makelist(SrcIpAddr)
;
CiscoISEEvent
| where TimeGenerated > ago(lbtime)
| where PrivilegeLevel == '15'
| where SrcIpAddr !in (knownAdminIpList)
| project TimeGenerated, SrcIpAddr, DstIpAddr, DstUserName, CmdSet
| extend AccountCustomEntity = DstUserName
| extend IPCustomEntity = SrcIpAddr

status: Available
query: |
  let lbperiod = 14d;
  let lbtime = 15m;
  let knownAdminIpList =
  CiscoISEEvent
  | where TimeGenerated between (ago(lbperiod) .. ago(lbtime))
  | where PrivilegeLevel == '15'
  | summarize makelist(SrcIpAddr)
  ;
  CiscoISEEvent
  | where TimeGenerated > ago(lbtime)
  | where PrivilegeLevel == '15'
  | where SrcIpAddr !in (knownAdminIpList)
  | project TimeGenerated, SrcIpAddr, DstIpAddr, DstUserName, CmdSet
  | extend AccountCustomEntity = DstUserName
  | extend IPCustomEntity = SrcIpAddr  
version: 1.0.4
name: CiscoISE -  Command executed with the highest privileges from new IP
queryPeriod: 5m
kind: Scheduled
id: 1fa0da3e-ec99-484f-aadb-93f59764e158
triggerOperator: gt
relevantTechniques:
- T1133
- T1548
- T1059
tactics:
- InitialAccess
- Persistence
- PrivilegeEscalation
- DefenseEvasion
- Execution
severity: Medium
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISECmdExecutionWithHighestPrivilegesNewIP.yaml
queryFrequency: 5m
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
description: |
    'Detects command execution with PrivilegeLevel - 15 from new source.'