Forum Discussion
Solved
Configured KQL not working properly - CiscoISE event 60095 and 60098
Hi beloved community, I have a default KQL below which is used to detect when Cisco ISE failed backup, it fires an alert in Sentinel. But it is not working as expected - it does fire an alert, b...
- I guess either the entity mapping of the Analytics Rule is missing or the field mapping fails because the logs changed.
Try to manually query the KQL and see if the desired fields are present and map them in the Analytics Rule or change the query to extract the desired fields beforehand.
Hope that helps!
I guess either the entity mapping of the Analytics Rule is missing or the field mapping fails because the logs changed.
Try to manually query the KQL and see if the desired fields are present and map them in the Analytics Rule or change the query to extract the desired fields beforehand.
Hope that helps!
Try to manually query the KQL and see if the desired fields are present and map them in the Analytics Rule or change the query to extract the desired fields beforehand.
Hope that helps!
Thanks Christian, issue resolved by vendor eventually 🙂 I am helping them reconfig the logs