CiscoISE - Command executed with the highest privileges by new user

let lbperiod = 14d;
let lbtime = 15m;
let knownPrivUsers =
CiscoISEEvent
| where TimeGenerated between (ago(lbperiod) .. ago(lbtime))
| where PrivilegeLevel == '15'
| summarize makelist(DstUserName)
;
CiscoISEEvent
| where TimeGenerated > ago(lbtime)
| where PrivilegeLevel == '15'
| where DstUserName !in (knownPrivUsers)
| project TimeGenerated, SrcIpAddr, DstIpAddr, DstUserName, CmdSet
| extend AccountCustomEntity = DstUserName
| extend IPCustomEntity = SrcIpAddr

version: 1.0.4
requiredDataConnectors:
- connectorId: SyslogAma
  datatypes:
  - Syslog
status: Available
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
tactics:
- InitialAccess
- Persistence
- PrivilegeEscalation
- DefenseEvasion
- Execution
relevantTechniques:
- T1133
- T1548
- T1059
queryFrequency: 5m
severity: Medium
name: CiscoISE - Command executed with the highest privileges by new user
description: |
    'Detects command execution with PrivilegeLevel - 15 by user for wich there was no such activity detected earlier.'
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISECmdExecutionWithHighestPrivilegesNewUser.yaml
query: |
  let lbperiod = 14d;
  let lbtime = 15m;
  let knownPrivUsers =
  CiscoISEEvent
  | where TimeGenerated between (ago(lbperiod) .. ago(lbtime))
  | where PrivilegeLevel == '15'
  | summarize makelist(DstUserName)
  ;
  CiscoISEEvent
  | where TimeGenerated > ago(lbtime)
  | where PrivilegeLevel == '15'
  | where DstUserName !in (knownPrivUsers)
  | project TimeGenerated, SrcIpAddr, DstIpAddr, DstUserName, CmdSet
  | extend AccountCustomEntity = DstUserName
  | extend IPCustomEntity = SrcIpAddr  
kind: Scheduled
queryPeriod: 5m
triggerOperator: gt
id: e71890a2-5f61-4790-b1ed-cf1d92d3e398