Forum Discussion
halosec
Aug 28, 2023Copper Contributor
Configured KQL not working properly - CiscoISE event 60095 and 60098
Hi beloved community, I have a default KQL below which is used to detect when Cisco ISE failed backup, it fires an alert in Sentinel. But it is not working as expected - it does fire an alert, b...
- Sep 17, 2023
I guess either the entity mapping of the Analytics Rule is missing or the field mapping fails because the logs changed.
Try to manually query the KQL and see if the desired fields are present and map them in the Analytics Rule or change the query to extract the desired fields beforehand.
Hope that helps!
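One way to do what the reply suggests, as an added example that is not part of the thread: pull the two Cisco ISE backup event codes straight from the raw Syslog table and expose explicit columns for the Analytics Rule entity mapping to bind to, so a missing or renamed field shows up as an empty column in the query results rather than as an alert with no entities. It assumes ISE forwards syslog into the standard Sentinel Syslog table and that the event code appears as a bare number inside SyslogMessage; the regex and the DvcHostname/DvcIpAddr names are illustrative assumptions, not the Cisco ISE solution's own parser.

```kql
// Added example (not from the thread or the Cisco ISE solution).
// Assumption: ISE syslog lands in the Syslog table and the event code (60095 or 60098)
// appears as a standalone number in SyslogMessage. Adjust the regex if your ISE format differs.
Syslog
| where TimeGenerated > ago(1d)
| where SyslogMessage has_any ("60095", "60098")
// Extract the event code into its own column so the rule can filter and map on it
| extend EventId = extract(@"\b(60095|60098)\b", 1, SyslogMessage)
| where isnotempty(EventId)
// Expose concrete columns for the Host entity mapping (names are assumptions)
| extend DvcHostname = Computer,
         DvcIpAddr   = HostIP
| project TimeGenerated, EventId, DvcHostname, DvcIpAddr, SyslogMessage
```

Run this manually first: if DvcHostname or DvcIpAddr come back empty, the entity mapping in the rule will silently produce incidents with no entities, which matches the symptom in the thread. Once the columns are populated, map the Host entity to DvcHostname and DvcIpAddr in the Analytics Rule.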
BillClarksonAntill
Sep 14, 2023Iron Contributor
Can you do me a favor and dump out the schema for CiscoISEEvent? To do this, type the following:
CiscoISEEvent
| getschema
There could have been changes to the CiscoISEEvent table without any notifications; this will give a dump of what's available in terms of columns to filter on.
- halosec
Sep 17, 2023 Copper Contributor
Thanks Bill. The vendor resolved it; reconfiguring the logs is required due to a mapping issue 🙂