CiscoISE - Command executed with the highest privileges from new IP

let lbperiod = 14d;
let lbtime = 15m;
let knownAdminIpList =
CiscoISEEvent
| where TimeGenerated between (ago(lbperiod) .. ago(lbtime))
| where PrivilegeLevel == '15'
| summarize makelist(SrcIpAddr)
;
CiscoISEEvent
| where TimeGenerated > ago(lbtime)
| where PrivilegeLevel == '15'
| where SrcIpAddr !in (knownAdminIpList)
| project TimeGenerated, SrcIpAddr, DstIpAddr, DstUserName, CmdSet
| extend AccountCustomEntity = DstUserName
| extend IPCustomEntity = SrcIpAddr

relevantTechniques:
- T1133
- T1548
- T1059
name: CiscoISE -  Command executed with the highest privileges from new IP
triggerThreshold: 0
tactics:
- InitialAccess
- Persistence
- PrivilegeEscalation
- DefenseEvasion
- Execution
severity: Medium
id: 1fa0da3e-ec99-484f-aadb-93f59764e158
status: Available
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
kind: Scheduled
query: |
  let lbperiod = 14d;
  let lbtime = 15m;
  let knownAdminIpList =
  CiscoISEEvent
  | where TimeGenerated between (ago(lbperiod) .. ago(lbtime))
  | where PrivilegeLevel == '15'
  | summarize makelist(SrcIpAddr)
  ;
  CiscoISEEvent
  | where TimeGenerated > ago(lbtime)
  | where PrivilegeLevel == '15'
  | where SrcIpAddr !in (knownAdminIpList)
  | project TimeGenerated, SrcIpAddr, DstIpAddr, DstUserName, CmdSet
  | extend AccountCustomEntity = DstUserName
  | extend IPCustomEntity = SrcIpAddr  
description: |
    'Detects command execution with PrivilegeLevel - 15 from new source.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISECmdExecutionWithHighestPrivilegesNewIP.yaml
triggerOperator: gt
queryPeriod: 5m
queryFrequency: 5m
version: 1.0.4
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address