Microsoft Sentinel Analytic Rules

CiscoISE - Command executed with the highest privileges by new user

Id: e71890a2-5f61-4790-b1ed-cf1d92d3e398
Rule name: CiscoISE - Command executed with the highest privileges by new user
Description: Detects command execution with PrivilegeLevel 15 by a user for whom no such activity was detected earlier.
Severity: Medium
Tactics: InitialAccess
Persistence
PrivilegeEscalation
DefenseEvasion
Execution
Techniques: T1133
T1548
T1059
Required data connectors: SyslogAma
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISECmdExecutionWithHighestPrivilegesNewUser.yaml
Version: 1.0.4
Arm template: e71890a2-5f61-4790-b1ed-cf1d92d3e398.json
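// Detection: a Cisco ISE command executed at PrivilegeLevel 15 by an account
// that has no PrivilegeLevel-15 activity in the baseline window.
//
// lbperiod: how far back the baseline of known privileged accounts reaches.
// lbtime:   the current window; the baseline ends where this window starts so
//           that an account's first privileged command is not in both.
let lbperiod = 14d;
let lbtime = 15m;
// NOTE(review): the rule runs with queryFrequency 5m and queryPeriod 5m. If the
// period bounds the data the query can read, the ago(14d) baseline below would
// be empty and every PrivilegeLevel-15 command would alert as "new" — confirm
// and raise queryPeriod to cover lbperiod if so. Also, lbtime (15m) exceeds the
// 5m frequency, so one event can match up to three consecutive runs — confirm
// that this re-alerting is intended.
let knownPrivUsers =
CiscoISEEvent
| where TimeGenerated between (ago(lbperiod) .. ago(lbtime))
| where PrivilegeLevel == '15'
// `in` consumes the first column of a tabular expression, so a plain one-column
// string table is what it expects. The previous `summarize makelist(...)` used
// a deprecated alias, produced a single dynamic-array row, and is capped at
// 1,048,576 items; `distinct` has neither problem.
| distinct DstUserName
;
// Current window: PrivilegeLevel-15 commands by accounts absent from the baseline.
// `!in` is case-sensitive; a casing variant of a known account would be reported
// as new (presumably acceptable for ISE usernames — verify).
CiscoISEEvent
| where TimeGenerated > ago(lbtime)
| where PrivilegeLevel == '15'
| where DstUserName !in (knownPrivUsers)
| project TimeGenerated, SrcIpAddr, DstIpAddr, DstUserName, CmdSet
// Entity columns consumed by the rule's entityMappings (Account, IP).
| extend AccountCustomEntity = DstUserName
| extend IPCustomEntity = SrcIpAddr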
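# Microsoft Sentinel scheduled analytic rule: a Cisco ISE command executed at
# PrivilegeLevel 15 by an account with no such activity in the baseline window.
id: e71890a2-5f61-4790-b1ed-cf1d92d3e398
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISECmdExecutionWithHighestPrivilegesNewUser.yaml
# Events arrive as Syslog through the SyslogAma connector; the query reads the
# CiscoISEEvent table (presumably populated by the solution's parser — verify).
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
description: |
    'Detects command execution with PrivilegeLevel - 15 by user for which there was no such activity detected earlier.'
severity: Medium
# NOTE(review): the query builds its baseline from ago(14d). If queryPeriod
# bounds the data the rule can read, a 5m period leaves that baseline empty and
# every PrivilegeLevel-15 command alerts as "new" — confirm and raise
# queryPeriod to cover the baseline if so.
queryPeriod: 5m
kind: Scheduled
tactics:
- InitialAccess
- Persistence
- PrivilegeEscalation
- DefenseEvasion
- Execution
queryFrequency: 5m
# knownPrivUsers: accounts with a PrivilegeLevel-15 command in the 14d window
# that ends 15m ago; the main query then flags such commands in the last 15m by
# any other account. `in` reads the first column of the tabular expression, so
# `distinct` is used instead of the deprecated `makelist` (one dynamic-array
# row, capped at 1,048,576 items). `!in` is case-sensitive. The 15m window is
# wider than the 5m frequency, so one event can match up to three runs —
# confirm that this re-alerting is intended.
query: |
  let lbperiod = 14d;
  let lbtime = 15m;
  let knownPrivUsers =
  CiscoISEEvent
  | where TimeGenerated between (ago(lbperiod) .. ago(lbtime))
  | where PrivilegeLevel == '15'
  | distinct DstUserName
  ;
  CiscoISEEvent
  | where TimeGenerated > ago(lbtime)
  | where PrivilegeLevel == '15'
  | where DstUserName !in (knownPrivUsers)
  | project TimeGenerated, SrcIpAddr, DstIpAddr, DstUserName, CmdSet
  | extend AccountCustomEntity = DstUserName
  | extend IPCustomEntity = SrcIpAddr
version: 1.0.4
# gt 0: any row returned by the query raises an alert.
triggerThreshold: 0
name: CiscoISE - Command executed with the highest privileges by new user
# AccountCustomEntity and IPCustomEntity are the columns extended at the end of
# the query (DstUserName and SrcIpAddr respectively).
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
status: Available
relevantTechniques:
- T1133
- T1548
- T1059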
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e71890a2-5f61-4790-b1ed-cf1d92d3e398')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e71890a2-5f61-4790-b1ed-cf1d92d3e398')]",
      "properties": {
        "alertRuleTemplateName": "e71890a2-5f61-4790-b1ed-cf1d92d3e398",
        "customDetails": null,
        "description": "'Detects command execution with PrivilegeLevel - 15 by user for which there was no such activity detected earlier.'\n",
        "displayName": "CiscoISE - Command executed with the highest privileges by new user",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISECmdExecutionWithHighestPrivilegesNewUser.yaml",
        "query": "let lbperiod = 14d;\nlet lbtime = 15m;\nlet knownPrivUsers =\nCiscoISEEvent\n| where TimeGenerated between (ago(lbperiod) .. ago(lbtime))\n| where PrivilegeLevel == '15'\n| summarize makelist(DstUserName)\n;\nCiscoISEEvent\n| where TimeGenerated > ago(lbtime)\n| where PrivilegeLevel == '15'\n| where DstUserName !in (knownPrivUsers)\n| project TimeGenerated, SrcIpAddr, DstIpAddr, DstUserName, CmdSet\n| extend AccountCustomEntity = DstUserName\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Execution",
          "InitialAccess",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1059",
          "T1133",
          "T1548"
        ],
        "templateVersion": "1.0.4",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}