Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CiscoISE - ISE administrator password has been reset

Back
Ide63b4d90-d0a8-4609-b187-babfcc7f86d7
RulenameCiscoISE - ISE administrator password has been reset
DescriptionDetects when the ISE administrator password has been reset.
SeverityMedium
TacticsPersistence
PrivilegeEscalation
TechniquesT1098
Required data connectorsSyslogAma
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISEAdminPasswordReset.yaml
Version1.0.3
Arm templatee63b4d90-d0a8-4609-b187-babfcc7f86d7.json
Deploy To Azure
let lbtime = 5m;
CiscoISEEvent
| where TimeGenerated > ago(lbtime)
| where EventId == '58019'
| project TimeGenerated, SrcIpAddr, DstUserName
| extend AccountCustomEntity = DstUserName
| extend IPCustomEntity = SrcIpAddr
status: Available
id: e63b4d90-d0a8-4609-b187-babfcc7f86d7
query: |
  let lbtime = 5m;
  CiscoISEEvent
  | where TimeGenerated > ago(lbtime)
  | where EventId == '58019'
  | project TimeGenerated, SrcIpAddr, DstUserName
  | extend AccountCustomEntity = DstUserName
  | extend IPCustomEntity = SrcIpAddr  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISEAdminPasswordReset.yaml
description: |
    'Detects when the ISE administrator password has been reset.'
name: CiscoISE - ISE administrator password has been reset
relevantTechniques:
- T1098
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
triggerThreshold: 0
severity: Medium
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
queryFrequency: 5m
queryPeriod: 5m
version: 1.0.3
kind: Scheduled
tactics:
- Persistence
- PrivilegeEscalation
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e63b4d90-d0a8-4609-b187-babfcc7f86d7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e63b4d90-d0a8-4609-b187-babfcc7f86d7')]",
      "properties": {
        "alertRuleTemplateName": "e63b4d90-d0a8-4609-b187-babfcc7f86d7",
        "customDetails": null,
        "description": "'Detects when the ISE administrator password has been reset.'\n",
        "displayName": "CiscoISE - ISE administrator password has been reset",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISEAdminPasswordReset.yaml",
        "query": "let lbtime = 5m;\nCiscoISEEvent\n| where TimeGenerated > ago(lbtime)\n| where EventId == '58019'\n| project TimeGenerated, SrcIpAddr, DstUserName\n| extend AccountCustomEntity = DstUserName\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1098"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}