Forum Discussion
Configured KQL not working properly - CiscoISE event 60095 and 60098
Hi beloved community,
I have a default KQL query below which is used to detect when a Cisco ISE backup fails; it fires an alert in Sentinel.
But it is not working as expected - it does fire an alert, but with a timestamp only.
Nonetheless, I can see it is also supposed to return the hostname and IP of the device that actually triggered the '60095', '60098' events (failed backup).
CiscoISEEvent
| where TimeGenerated > ago(lbtime)
| where EventId in ('60095', '60098')
| project TimeGenerated, DvcHostname, DvcIpAddr
| extend HostCustomEntity = DvcHostname
| extend IPCustomEntity = DvcIpAddr
I have further escalated this to our outsourced SOC, where their engineers had a look and advised: "We suspect that it has something to do with the Event ID that's been captured in the raw logs, which are not giving enough information, and I believe we don't have visibility on this. We suggest filing a ticket to Microsoft for further troubleshooting on the mentioned Event IDs."
I have tried some other KQL configs but none of them worked out in this regard.
I guess my question at this point would be: is it still a KQL issue, or is it more of an actual log issue? (Because those Cisco devices are managed by our MSPs, and we don't have visibility into them either.)
I would much appreciate any directions so that I could dig further, as I am still a bit green on Sentinel.
Thanks in advance!
Below is from the Cisco website, which gives their definition of the event IDs:
Message Code: 60095
Severity: ERROR
Message Text: ISE Backup has failed
Message Description: ISE Backup has failed
Local Target Message Format: <timestamp> <seq_num> 60095 ERROR System-Management: ISE Backup has failed, <log details>
Remote Target Message Format: <pri_num> <timestamp> <IP address/hostname> <CISE_logging category> <msg_id> <total seg> <seg num><timestamp> <seq_num> 60095 ERROR System-Management: ISE Backup has failed, <log details>
Message Code: 60098
Severity: ERROR
Message Text: ISE Log Backup has failed
Message Description: ISE Log Backup has failed
Local Target Message Format: <timestamp> <seq_num> 60098 ERROR System-Management: ISE Log Backup has failed, <log details>
Remote Target Message Format: <pri_num> <timestamp> <IP address/hostname> <CISE_logging category> <msg_id> <total seg> <seg num><timestamp> <seq_num> 60098 ERROR System-Management: ISE Log Backup has failed, <log details>
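As an added example (not code from the original post, from Cisco, or from the Sentinel Cisco ISE solution), here is a small Python parser for the Remote Target Message Format quoted above, run over constructed sample lines, that projects the same fields the KQL rule expects (TimeGenerated, EventId, DvcHostname, DvcIpAddr) and keeps only 60095/60098. It makes one point visible that bears on the empty-entity symptom: the third field of the remote format is a single token that is either an IP address or a hostname, so whichever of DvcHostname / DvcIpAddr is not derived from it stays empty unless the parser fills it from somewhere else. The logging category in the samples is a placeholder, the sample lines are constructed rather than captured, and the output field names simply mirror the query in the post.

```python
"""Parse Cisco ISE remote-target syslog lines and flag failed backups (60095/60098).

Added example for this thread, not code from Cisco or from the Sentinel Cisco ISE
solution. The layout follows the "Remote Target Message Format" quoted above; the
sample lines at the bottom are constructed, not captured from a real ISE node.
"""
import ipaddress
import re
from datetime import datetime

# Message codes and texts taken from the Cisco documentation quoted in the post.
BACKUP_FAILURE_CODES = {
    "60095": "ISE Backup has failed",
    "60098": "ISE Log Backup has failed",
}

# <pri_num> <timestamp> <IP address/hostname> <CISE_logging category> <msg_id>
# <total seg> <seg num><timestamp> <seq_num> <code> <severity> <class>: <text>
# The Cisco doc shows no space between <seg num> and the second <timestamp>;
# \s* tolerates both that and a single space.
ISE_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>"
    r"(?P<syslog_ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<device>\S+) "
    r"(?P<category>CISE_\S+) "
    r"(?P<msg_id>\d+) (?P<total_seg>\d+) (?P<seg_num>\d+)\s*"
    r"(?P<ise_ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{2}:\d{2}) "
    r"(?P<seq_num>\d+) (?P<code>\d+) (?P<severity>[A-Z]+) "
    r"(?P<msg_class>[^:]+): (?P<text>.*)$"
)


def parse_ise_syslog(line):
    """Return the fields of one ISE remote-target line, or None if it is not one.

    Continuation segments of a split message carry no code/severity fields, so
    they do not match and cannot be double-counted by the caller.
    """
    m = ISE_SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The third field is ONE token that is either an IP address or a hostname,
    # so exactly one of DvcIpAddr / DvcHostname can be populated from it.
    try:
        ipaddress.ip_address(rec["device"])
        rec["DvcIpAddr"], rec["DvcHostname"] = rec["device"], None
    except ValueError:
        rec["DvcIpAddr"], rec["DvcHostname"] = None, rec["device"]
    # Use the ISE-side timestamp: unlike the syslog header it carries year and offset.
    rec["TimeGenerated"] = datetime.strptime(rec["ise_ts"], "%Y-%m-%d %H:%M:%S.%f %z")
    rec["EventId"] = rec["code"]
    return rec


def detect_failed_backups(lines):
    """Mirror the Sentinel rule: keep 60095/60098 and project the entity fields."""
    alerts = []
    for line in lines:
        rec = parse_ise_syslog(line)
        if rec is None or rec["EventId"] not in BACKUP_FAILURE_CODES:
            continue
        text = rec["text"]
        alerts.append({
            "TimeGenerated": rec["TimeGenerated"].isoformat(),
            "EventId": rec["EventId"],
            "DvcHostname": rec["DvcHostname"],
            "DvcIpAddr": rec["DvcIpAddr"],
            "Message": BACKUP_FAILURE_CODES[rec["EventId"]],
            # Everything after "<message text>, " is the <log details> part.
            "Details": text.split(", ", 1)[1] if ", " in text else "",
        })
    return alerts


# Constructed sample lines (not real captures); the CISE_ category is a placeholder.
SAMPLE_LINES = [
    "<181>Mar 10 02:00:07 ise-pan-01 CISE_System_Statistics 0000004321 1 0 "
    "2024-03-10 02:00:07.412 +00:00 0000018877 60095 ERROR System-Management: "
    "ISE Backup has failed, Repository=nfs-backup, Reason=Connection refused",
    "<181>Mar 10 02:05:19 10.20.30.40 CISE_System_Statistics 0000004322 1 0 "
    "2024-03-10 02:05:19.003 +00:00 0000018890 60098 ERROR System-Management: "
    "ISE Log Backup has failed, Repository=ftp-logs",
    # A different ISE message code: parsed, but not flagged.
    "<182>Mar 10 02:06:40 ise-psn-02 CISE_Passed_Authentications 0000004323 1 0 "
    "2024-03-10 02:06:40.100 +00:00 0000018891 5200 NOTICE Passed-Authentication: "
    "Authentication succeeded, NetworkDeviceName=sw-core-1",
    # Not an ISE line at all: the parser returns None.
    "<34>Mar 10 02:07:00 fw01 kernel: link down on eth2",
]

if __name__ == "__main__":
    for alert in detect_failed_backups(SAMPLE_LINES):
        print(alert)
```

Run against the two constructed failure lines, the first alert has DvcHostname set and DvcIpAddr empty, the second the reverse: the same shape as an alert that "fires with a timestamp only" when the ingestion-side parser is not populating the field the rule maps to an entity. The Sentinel-side equivalent of this check is Christian's suggestion below: run the query without the project/extend lines and look at which columns actually carry values for those events.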
4 Replies
- Christian_Bartsch (Brass Contributor):
I guess either the entity mapping of the Analytics Rule is missing or the field mapping fails because the logs changed.
Try to manually query the KQL and see if the desired fields are present and map them in the Analytics Rule, or change the query to extract the desired fields beforehand.
Hope that helps!
- halosec (Copper Contributor):
Thanks Christian, issue resolved by vendor eventually 🙂 I am helping them reconfigure the logs.
- BillClarksonAntill (Iron Contributor):
Can you do me a favor and dump out the schema for CiscoISEEvent? To do this, type the following:
CiscoISEEvent
| getschema
There could have been changes to the CiscoISEEvent table without any notification; this will give a dump of what's available in terms of columns to filter on.
- halosec (Copper Contributor):
Thanks Bill. Vendor resolved it; reconfiguring the logs was required due to a mapping issue 🙂