Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CiscoISE - ISE administrator password has been reset

Back
Ide63b4d90-d0a8-4609-b187-babfcc7f86d7
RulenameCiscoISE - ISE administrator password has been reset
DescriptionDetects when the ISE administrator password has been reset.
SeverityMedium
TacticsPersistence
PrivilegeEscalation
TechniquesT1098
Required data connectorsSyslogAma
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISEAdminPasswordReset.yaml
Version1.0.3
Arm templatee63b4d90-d0a8-4609-b187-babfcc7f86d7.json
Deploy To Azure
let lbtime = 5m;
CiscoISEEvent
| where TimeGenerated > ago(lbtime)
| where EventId == '58019'
| project TimeGenerated, SrcIpAddr, DstUserName
| extend AccountCustomEntity = DstUserName
| extend IPCustomEntity = SrcIpAddr
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISEAdminPasswordReset.yaml
version: 1.0.3
relevantTechniques:
- T1098
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
queryPeriod: 5m
status: Available
tactics:
- Persistence
- PrivilegeEscalation
kind: Scheduled
triggerOperator: gt
query: |
  let lbtime = 5m;
  CiscoISEEvent
  | where TimeGenerated > ago(lbtime)
  | where EventId == '58019'
  | project TimeGenerated, SrcIpAddr, DstUserName
  | extend AccountCustomEntity = DstUserName
  | extend IPCustomEntity = SrcIpAddr  
name: CiscoISE - ISE administrator password has been reset
severity: Medium
id: e63b4d90-d0a8-4609-b187-babfcc7f86d7
queryFrequency: 5m
description: |
    'Detects when the ISE administrator password has been reset.'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e63b4d90-d0a8-4609-b187-babfcc7f86d7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e63b4d90-d0a8-4609-b187-babfcc7f86d7')]",
      "properties": {
        "alertRuleTemplateName": "e63b4d90-d0a8-4609-b187-babfcc7f86d7",
        "customDetails": null,
        "description": "'Detects when the ISE administrator password has been reset.'\n",
        "displayName": "CiscoISE - ISE administrator password has been reset",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISEAdminPasswordReset.yaml",
        "query": "let lbtime = 5m;\nCiscoISEEvent\n| where TimeGenerated > ago(lbtime)\n| where EventId == '58019'\n| project TimeGenerated, SrcIpAddr, DstUserName\n| extend AccountCustomEntity = DstUserName\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1098"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}