CiscoISE - Command executed with the highest privileges by new user

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

---

Detects command execution with PrivilegeLevel - 15 by user for wich there was no such activity detected earlier.

Attribute	Value
Type	Analytic Rule
Solution	Cisco ISE
ID	e71890a2-5f61-4790-b1ed-cf1d92d3e398
Severity	Medium
Status	Available
Kind	Scheduled
Tactics	InitialAccess, Persistence, PrivilegeEscalation, DefenseEvasion, Execution
Techniques	T1133, T1548, T1059
Required Connectors	SyslogAma
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
Syslog	ProcessName has_any "CISE,CSCO"	✓	✓	?

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Analytic Rules · Back to Cisco ISE