CiscoISE - Command executed with the highest privileges by new user

Back


Id	e71890a2-5f61-4790-b1ed-cf1d92d3e398
Rulename	CiscoISE - Command executed with the highest privileges by new user
Description	Detects command execution with PrivilegeLevel - 15 by user for wich there was no such activity detected earlier.
Severity	Medium
Tactics	InitialAccess Persistence PrivilegeEscalation DefenseEvasion Execution
Required data connectors	CiscoISE
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISECmdExecutionWithHighestPrivilegesNewUser.yaml
Version	1.0.0
Arm template	e71890a2-5f61-4790-b1ed-cf1d92d3e398.json

KQL

let lbperiod = 60d;
let lbtime = 15m;
let knownPrivUsers =
CiscoISEEvent
| where TimeGenerated between (ago(lbperiod) .. ago(lbtime))
| where PrivilegeLevel == '15'
| summarize makelist(DstUserName)
;
CiscoISEEvent
| where TimeGenerated > ago(lbtime)
| where PrivilegeLevel == '15'
| where DstUserName !in (knownPrivUsers)
| project TimeGenerated, SrcIpAddr, DstIpAddr, DstUserName, CmdSet
| extend AccountCustomEntity = DstUserName
| extend IPCustomEntity = SrcIpAddr

YAML

triggerThreshold: 0
queryFrequency: 5m
requiredDataConnectors:
- connectorId: CiscoISE
  dataTypes:
  - Syslog
id: e71890a2-5f61-4790-b1ed-cf1d92d3e398
version: 1.0.0
name: CiscoISE - Command executed with the highest privileges by new user
kind: Scheduled
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISECmdExecutionWithHighestPrivilegesNewUser.yaml
queryPeriod: 5m
severity: Medium
triggerOperator: gt
tactics:
- InitialAccess
- Persistence
- PrivilegeEscalation
- DefenseEvasion
- Execution
query: |
  let lbperiod = 60d;
  let lbtime = 15m;
  let knownPrivUsers =
  CiscoISEEvent
  | where TimeGenerated between (ago(lbperiod) .. ago(lbtime))
  | where PrivilegeLevel == '15'
  | summarize makelist(DstUserName)
  ;
  CiscoISEEvent
  | where TimeGenerated > ago(lbtime)
  | where PrivilegeLevel == '15'
  | where DstUserName !in (knownPrivUsers)
  | project TimeGenerated, SrcIpAddr, DstIpAddr, DstUserName, CmdSet
  | extend AccountCustomEntity = DstUserName
  | extend IPCustomEntity = SrcIpAddr  
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
description: |
    'Detects command execution with PrivilegeLevel - 15 by user for wich there was no such activity detected earlier.'

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e71890a2-5f61-4790-b1ed-cf1d92d3e398')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e71890a2-5f61-4790-b1ed-cf1d92d3e398')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "CiscoISE - Command executed with the highest privileges by new user",
        "description": "'Detects command execution with PrivilegeLevel - 15 by user for wich there was no such activity detected earlier.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let lbperiod = 60d;\nlet lbtime = 15m;\nlet knownPrivUsers =\nCiscoISEEvent\n| where TimeGenerated between (ago(lbperiod) .. ago(lbtime))\n| where PrivilegeLevel == '15'\n| summarize makelist(DstUserName)\n;\nCiscoISEEvent\n| where TimeGenerated > ago(lbtime)\n| where PrivilegeLevel == '15'\n| where DstUserName !in (knownPrivUsers)\n| project TimeGenerated, SrcIpAddr, DstIpAddr, DstUserName, CmdSet\n| extend AccountCustomEntity = DstUserName\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "Persistence",
          "PrivilegeEscalation",
          "DefenseEvasion",
          "Execution"
        ],
        "alertRuleTemplateName": "e71890a2-5f61-4790-b1ed-cf1d92d3e398",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ],
            "entityType": "IP"
          }
        ],
        "status": "Available",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISECmdExecutionWithHighestPrivilegesNewUser.yaml",
        "templateVersion": "1.0.0"
      }
    }
  ]
}