Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CiscoISE - ISE administrator password has been reset

Back
Ide63b4d90-d0a8-4609-b187-babfcc7f86d7
RulenameCiscoISE - ISE administrator password has been reset
DescriptionDetects when the ISE administrator password has been reset.
SeverityMedium
TacticsInitialAccess
Persistence
PrivilegeEscalation
DefenseEvasion
Required data connectorsCiscoISE
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISEAdminPasswordReset.yaml
Version1.0.0
Arm templatee63b4d90-d0a8-4609-b187-babfcc7f86d7.json
Deploy To Azure
let lbtime = 5m;
CiscoISEEvent
| where TimeGenerated > ago(lbtime)
| where EventId == '58019'
| project TimeGenerated, SrcIpAddr, DstUserName
| extend AccountCustomEntity = DstUserName
| extend IPCustomEntity = SrcIpAddr
queryFrequency: 5m
tactics:
- InitialAccess
- Persistence
- PrivilegeEscalation
- DefenseEvasion
queryPeriod: 5m
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISEAdminPasswordReset.yaml
description: |
    'Detects when the ISE administrator password has been reset.'
requiredDataConnectors:
- dataTypes:
  - Syslog
  connectorId: CiscoISE
version: 1.0.0
triggerThreshold: 0
severity: Medium
triggerOperator: gt
id: e63b4d90-d0a8-4609-b187-babfcc7f86d7
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
status: Available
name: CiscoISE - ISE administrator password has been reset
query: |
  let lbtime = 5m;
  CiscoISEEvent
  | where TimeGenerated > ago(lbtime)
  | where EventId == '58019'
  | project TimeGenerated, SrcIpAddr, DstUserName
  | extend AccountCustomEntity = DstUserName
  | extend IPCustomEntity = SrcIpAddr  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e63b4d90-d0a8-4609-b187-babfcc7f86d7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e63b4d90-d0a8-4609-b187-babfcc7f86d7')]",
      "properties": {
        "alertRuleTemplateName": "e63b4d90-d0a8-4609-b187-babfcc7f86d7",
        "customDetails": null,
        "description": "'Detects when the ISE administrator password has been reset.'\n",
        "displayName": "CiscoISE - ISE administrator password has been reset",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISEAdminPasswordReset.yaml",
        "query": "let lbtime = 5m;\nCiscoISEEvent\n| where TimeGenerated > ago(lbtime)\n| where EventId == '58019'\n| project TimeGenerated, SrcIpAddr, DstUserName\n| extend AccountCustomEntity = DstUserName\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "InitialAccess",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}