CiscoISE - Command executed with the highest privileges from new IP

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

---

Detects command execution with PrivilegeLevel - 15 from new source.

Attribute	Value
Type	Analytic Rule
Solution	Cisco ISE
ID	1fa0da3e-ec99-484f-aadb-93f59764e158
Severity	Medium
Status	Available
Kind	Scheduled
Tactics	InitialAccess, Persistence, PrivilegeEscalation, DefenseEvasion, Execution
Techniques	T1133, T1548, T1059
Required Connectors	SyslogAma
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
Syslog	ProcessName has_any "CISE,CSCO"	✓	✓	?

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Analytic Rules · Back to Cisco ISE