CiscoISE - Command executed with the highest privileges by new user

let lbperiod = 14d;
let lbtime = 15m;
let knownPrivUsers =
CiscoISEEvent
| where TimeGenerated between (ago(lbperiod) .. ago(lbtime))
| where PrivilegeLevel == '15'
| summarize makelist(DstUserName)
;
CiscoISEEvent
| where TimeGenerated > ago(lbtime)
| where PrivilegeLevel == '15'
| where DstUserName !in (knownPrivUsers)
| project TimeGenerated, SrcIpAddr, DstIpAddr, DstUserName, CmdSet
| extend AccountCustomEntity = DstUserName
| extend IPCustomEntity = SrcIpAddr

relevantTechniques:
- T1133
- T1548
- T1059
queryPeriod: 5m
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
kind: Scheduled
triggerThreshold: 0
version: 1.0.4
id: e71890a2-5f61-4790-b1ed-cf1d92d3e398
severity: Medium
name: CiscoISE - Command executed with the highest privileges by new user
status: Available
triggerOperator: gt
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
queryFrequency: 5m
query: |
  let lbperiod = 14d;
  let lbtime = 15m;
  let knownPrivUsers =
  CiscoISEEvent
  | where TimeGenerated between (ago(lbperiod) .. ago(lbtime))
  | where PrivilegeLevel == '15'
  | summarize makelist(DstUserName)
  ;
  CiscoISEEvent
  | where TimeGenerated > ago(lbtime)
  | where PrivilegeLevel == '15'
  | where DstUserName !in (knownPrivUsers)
  | project TimeGenerated, SrcIpAddr, DstIpAddr, DstUserName, CmdSet
  | extend AccountCustomEntity = DstUserName
  | extend IPCustomEntity = SrcIpAddr  
description: |
    'Detects command execution with PrivilegeLevel - 15 by user for wich there was no such activity detected earlier.'
tactics:
- InitialAccess
- Persistence
- PrivilegeEscalation
- DefenseEvasion
- Execution
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISECmdExecutionWithHighestPrivilegesNewUser.yaml