CiscoISE - Command executed with the highest privileges by new user

let lbperiod = 14d;
let lbtime = 15m;
let knownPrivUsers =
CiscoISEEvent
| where TimeGenerated between (ago(lbperiod) .. ago(lbtime))
| where PrivilegeLevel == '15'
| summarize makelist(DstUserName)
;
CiscoISEEvent
| where TimeGenerated > ago(lbtime)
| where PrivilegeLevel == '15'
| where DstUserName !in (knownPrivUsers)
| project TimeGenerated, SrcIpAddr, DstIpAddr, DstUserName, CmdSet
| extend AccountCustomEntity = DstUserName
| extend IPCustomEntity = SrcIpAddr

queryPeriod: 5m
queryFrequency: 5m
description: |
    'Detects command execution with PrivilegeLevel - 15 by user for wich there was no such activity detected earlier.'
query: |
  let lbperiod = 14d;
  let lbtime = 15m;
  let knownPrivUsers =
  CiscoISEEvent
  | where TimeGenerated between (ago(lbperiod) .. ago(lbtime))
  | where PrivilegeLevel == '15'
  | summarize makelist(DstUserName)
  ;
  CiscoISEEvent
  | where TimeGenerated > ago(lbtime)
  | where PrivilegeLevel == '15'
  | where DstUserName !in (knownPrivUsers)
  | project TimeGenerated, SrcIpAddr, DstIpAddr, DstUserName, CmdSet
  | extend AccountCustomEntity = DstUserName
  | extend IPCustomEntity = SrcIpAddr  
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
id: e71890a2-5f61-4790-b1ed-cf1d92d3e398
status: Available
triggerOperator: gt
version: 1.0.4
kind: Scheduled
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISECmdExecutionWithHighestPrivilegesNewUser.yaml
tactics:
- InitialAccess
- Persistence
- PrivilegeEscalation
- DefenseEvasion
- Execution
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
name: CiscoISE - Command executed with the highest privileges by new user
relevantTechniques:
- T1133
- T1548
- T1059
severity: Medium