CiscoISE - Command executed with the highest privileges by new user

Back


Id	e71890a2-5f61-4790-b1ed-cf1d92d3e398
Rulename	CiscoISE - Command executed with the highest privileges by new user
Description	Detects command execution with PrivilegeLevel - 15 by user for wich there was no such activity detected earlier.
Severity	Medium
Tactics	InitialAccess Persistence PrivilegeEscalation DefenseEvasion Execution
Techniques	T1133 T1548 T1059
Required data connectors	CiscoISE SyslogAma
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISECmdExecutionWithHighestPrivilegesNewUser.yaml
Version	1.0.3
Arm template	e71890a2-5f61-4790-b1ed-cf1d92d3e398.json

KQL

let lbperiod = 14d;
let lbtime = 15m;
let knownPrivUsers =
CiscoISEEvent
| where TimeGenerated between (ago(lbperiod) .. ago(lbtime))
| where PrivilegeLevel == '15'
| summarize makelist(DstUserName)
;
CiscoISEEvent
| where TimeGenerated > ago(lbtime)
| where PrivilegeLevel == '15'
| where DstUserName !in (knownPrivUsers)
| project TimeGenerated, SrcIpAddr, DstIpAddr, DstUserName, CmdSet
| extend AccountCustomEntity = DstUserName
| extend IPCustomEntity = SrcIpAddr

YAML

relevantTechniques:
- T1133
- T1548
- T1059
name: CiscoISE - Command executed with the highest privileges by new user
requiredDataConnectors:
- dataTypes:
  - Syslog
  connectorId: CiscoISE
- datatypes:
  - Syslog
  connectorId: SyslogAma
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
triggerThreshold: 0
id: e71890a2-5f61-4790-b1ed-cf1d92d3e398
tactics:
- InitialAccess
- Persistence
- PrivilegeEscalation
- DefenseEvasion
- Execution
version: 1.0.3
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISECmdExecutionWithHighestPrivilegesNewUser.yaml
queryPeriod: 5m
kind: Scheduled
queryFrequency: 5m
severity: Medium
status: Available
description: |
    'Detects command execution with PrivilegeLevel - 15 by user for wich there was no such activity detected earlier.'
query: |
  let lbperiod = 14d;
  let lbtime = 15m;
  let knownPrivUsers =
  CiscoISEEvent
  | where TimeGenerated between (ago(lbperiod) .. ago(lbtime))
  | where PrivilegeLevel == '15'
  | summarize makelist(DstUserName)
  ;
  CiscoISEEvent
  | where TimeGenerated > ago(lbtime)
  | where PrivilegeLevel == '15'
  | where DstUserName !in (knownPrivUsers)
  | project TimeGenerated, SrcIpAddr, DstIpAddr, DstUserName, CmdSet
  | extend AccountCustomEntity = DstUserName
  | extend IPCustomEntity = SrcIpAddr  
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e71890a2-5f61-4790-b1ed-cf1d92d3e398')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e71890a2-5f61-4790-b1ed-cf1d92d3e398')]",
      "properties": {
        "alertRuleTemplateName": "e71890a2-5f61-4790-b1ed-cf1d92d3e398",
        "customDetails": null,
        "description": "'Detects command execution with PrivilegeLevel - 15 by user for wich there was no such activity detected earlier.'\n",
        "displayName": "CiscoISE - Command executed with the highest privileges by new user",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISECmdExecutionWithHighestPrivilegesNewUser.yaml",
        "query": "let lbperiod = 14d;\nlet lbtime = 15m;\nlet knownPrivUsers =\nCiscoISEEvent\n| where TimeGenerated between (ago(lbperiod) .. ago(lbtime))\n| where PrivilegeLevel == '15'\n| summarize makelist(DstUserName)\n;\nCiscoISEEvent\n| where TimeGenerated > ago(lbtime)\n| where PrivilegeLevel == '15'\n| where DstUserName !in (knownPrivUsers)\n| project TimeGenerated, SrcIpAddr, DstIpAddr, DstUserName, CmdSet\n| extend AccountCustomEntity = DstUserName\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Execution",
          "InitialAccess",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1059",
          "T1133",
          "T1548"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}