SOLVED

Configured KQL not working properly - CiscoISE event 60095 and 60098


Hi beloved community,

 

I have a default KQL query below which is used to detect when a Cisco ISE backup fails; it fires an alert in Sentinel.
But it is not working as expected: it does fire an alert, but with a timestamp only.

Nonetheless, I can see it is also supposed to return the hostname and IP of the device that actually triggered the '60095', '60098' events (failed backup).

// lbtime is the lookback window defined by the analytics rule above this query; 1h is an assumed value
let lbtime = 1h;
CiscoISEEvent
| where TimeGenerated > ago(lbtime)
| where EventId in ('60095', '60098')
| project TimeGenerated, DvcHostname, DvcIpAddr
| extend HostCustomEntity = DvcHostname
| extend IPCustomEntity = DvcIpAddr

 

I have further escalated this to our outsourced SOC, whose engineers had a look and advised: "We suspect that it has something to do with the Event ID that's been captured in the raw logs, which are not giving enough information, and I believe we don't have visibility on this. We suggest filing a ticket to Microsoft for further troubleshooting on the mentioned Event IDs."

I have tried some other KQL configurations, but none of them worked out in this regard.

I guess my question at this point would be: is it still a KQL issue, or is it more of an actual log issue? (Because those Cisco devices are managed by our MSPs, and we don't have visibility into them either.)

Much appreciated for any directions so that I could dig further, as I am still a bit green on Sentinel.

Thanks in advance!


Below are the definitions of the event IDs from Cisco's website:
Message Code: 60095

Severity: ERROR

Message Text: ISE Backup has failed

Message Description: ISE Backup has failed

Local Target Message Format: <timestamp> <seq_num> 60095 ERROR System-Management: ISE Backup has failed, <log details>

Remote Target Message Format: <pri_num> <timestamp> <IP address/hostname> <CISE_logging category> <msg_id> <total seg> <seg num><timestamp> <seq_num> 60095 ERROR System-Management: ISE Backup has failed, <log details>

 

Message Code: 60098

Severity: ERROR

Message Text: ISE Log Backup has failed

Message Description: ISE Log Backup has failed

Local Target Message Format: <timestamp> <seq_num> 60098 ERROR System-Management: ISE Log Backup has failed, <log details>

Remote Target Message Format: <pri_num> <timestamp> <IP address/hostname> <CISE_logging category> <msg_id> <total seg> <seg num><timestamp> <seq_num> 60098 ERROR System-Management: ISE Log Backup has failed, <log details>

 

4 Replies
Can you do me a favor and dump out the schema for CiscoISEEvent? To do this, type the following:

CiscoISEEvent
| getschema

There could have been changes to the CiscoISEEvent table without any notification; this will give a dump of what's available in terms of columns to filter on.
best response confirmed by halosec (Copper Contributor)
Solution
I guess either the entity mapping of the Analytics Rule is missing or the field mapping fails because the logs changed.

Try to manually query the KQL and see if the desired fields are present and map them in the Analytics Rule or change the query to extract the desired fields beforehand.

Hope that helps!
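Both replies above come down to one check: does the ingested line actually carry the device field that the CiscoISEEvent parser maps to DvcHostname/DvcIpAddr? The Cisco definitions quoted in the question show why that can fail: the Remote Target format carries an "<IP address/hostname>" field, the Local Target format does not. The following Python is an added example, not code from the post, from Cisco or from Microsoft. It parses constructed lines in the two quoted formats, runs the rule's 60095/60098 filter over them, and reports which hits would produce an alert with nothing but a timestamp. The syslog and ISE timestamp layouts, the space between <seg num> and the second timestamp, and all hostnames, IPs, category names and details in the sample lines are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Layout of the "Remote Target Message Format" quoted from Cisco in the post:
# <pri_num> <timestamp> <IP address/hostname> <CISE_logging category> <msg_id>
# <total seg> <seg num> <timestamp> <seq_num> <code> <severity> <class>: <text>, <details>
# Assumptions (not stated on the page): the first timestamp is classic syslog
# ("Jan 15 02:00:01"), the second is "YYYY-MM-DD HH:MM:SS.mmm +HH:MM", and a
# space separates <seg num> from the second timestamp.
REMOTE_RE = re.compile(
    r"^<(?P<pri>\d+)>"
    r"(?P<syslog_ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<device>\S+)\s+"
    r"(?P<category>CISE_\S+)\s+"
    r"(?P<msg_id>\d+)\s+(?P<total_seg>\d+)\s+(?P<seg_num>\d+)\s+"
    r"(?P<ise_ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)? [+-]\d{2}:\d{2})\s+"
    r"(?P<seq>\d+)\s+"
    r"(?P<code>\d{4,5})\s+(?P<severity>[A-Z]+)\s+(?P<msgclass>[^:]+):\s*(?P<text>.*)$"
)

# "Local Target Message Format": no syslog header and therefore no device field.
LOCAL_RE = re.compile(
    r"^(?P<ise_ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)? [+-]\d{2}:\d{2})\s+"
    r"(?P<seq>\d+)\s+"
    r"(?P<code>\d{4,5})\s+(?P<severity>[A-Z]+)\s+(?P<msgclass>[^:]+):\s*(?P<text>.*)$"
)

BACKUP_FAILURE_CODES = {"60095", "60098"}  # the two codes the analytics rule filters on


@dataclass
class IseEvent:
    time_generated: str
    event_id: str
    severity: str
    message: str
    dvc_hostname: Optional[str]  # None when the line carried no device field
    dvc_ipaddr: Optional[str]
    raw: str


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_line(line: str) -> Optional[IseEvent]:
    """Parse one ISE syslog line; return None for lines in neither format."""
    m = REMOTE_RE.match(line)
    if m:
        device = m.group("device")
        host, ip = (None, device) if _is_ip(device) else (device, None)
        return IseEvent(m.group("ise_ts"), m.group("code"), m.group("severity"),
                        m.group("text"), host, ip, line)
    m = LOCAL_RE.match(line)
    if m:
        return IseEvent(m.group("ise_ts"), m.group("code"), m.group("severity"),
                        m.group("text"), None, None, line)
    return None


def find_backup_failures(lines: List[str]) -> List[IseEvent]:
    """Equivalent of `| where EventId in ('60095', '60098')` over raw lines."""
    events = (parse_line(line) for line in lines)
    return [e for e in events if e is not None and e.event_id in BACKUP_FAILURE_CODES]


def alert_row(event: IseEvent) -> dict:
    """Mimic the rule's projection; empty strings are what an unmapped entity looks like."""
    return {
        "TimeGenerated": event.time_generated,
        "EventId": event.event_id,
        "HostCustomEntity": event.dvc_hostname or "",
        "IPCustomEntity": event.dvc_ipaddr or "",
    }


def missing_entities(events: List[IseEvent]) -> List[IseEvent]:
    """Events that would fire an alert with a timestamp but no host/IP entity."""
    return [e for e in events if e.dvc_hostname is None and e.dvc_ipaddr is None]


# Constructed sample lines (not real ISE output): hostnames, IPs, category names
# and details are made up for the example.
SAMPLE_LINES = [
    "<181>Jan 15 02:00:01 ise-pan-01 CISE_System_Management 0000000123 1 0 "
    "2024-01-15 02:00:01.123 +00:00 0000004567 60095 ERROR System-Management: "
    "ISE Backup has failed, repository out of space",
    "<181>Jan 15 03:00:01 10.20.30.40 CISE_System_Management 0000000124 1 0 "
    "2024-01-15 03:00:01.456 +00:00 0000004568 60098 ERROR System-Management: "
    "ISE Log Backup has failed, repository unreachable",
    # Local-target format forwarded as-is: nothing to map DvcHostname/DvcIpAddr from
    "2024-01-15 04:00:01.000 +00:00 0000004570 60095 ERROR System-Management: "
    "ISE Backup has failed, repository unreachable",
    "<182>Jan 15 05:00:00 ise-psn-02 CISE_Passed_Authentications 0000000200 1 0 "
    "2024-01-15 05:00:00.000 +00:00 0000004580 5200 NOTICE Passed-Authentication: "
    "Authentication succeeded, user=alice",
    "this line is not an ISE message at all",
]

if __name__ == "__main__":
    hits = find_backup_failures(SAMPLE_LINES)
    for e in hits:
        print(alert_row(e))
    print(f"{len(missing_entities(hits))} of {len(hits)} alerts would carry no host/IP entity")
```

The third sample line is the failure mode described in the question: the event code matches, the rule fires, and both entity columns are empty because the line never carried a device field. Running the rule's query manually with the raw message column projected alongside DvcHostname and DvcIpAddr shows the same thing directly in Sentinel, and tells you whether the fix belongs in the query or, as it did here, in the forwarding configuration.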
Thanks Christian, the issue was resolved by the vendor eventually :) I am helping them reconfigure the logs.
Thanks Bill. The vendor resolved it; reconfiguring the logs was required due to a mapping issue :)