Cisco Identity Services Engine Problem
Create Filter/Threshold to generate a notification in ICE. System generated Email
- Failed Authentication for any given device produces duplicate alerts in the database.
A given device can have 3 to 7 duplicate alerts.
- Last week there were approximately 50 Failed authentication reports. This provides several 100
alerts in the database. Out of these failed reports, 90% are false positives.
I would like to know how to preform the following:
1. Remove duplicate alerts on the same device. Cisco generates multiple alerts for the same device.
2. Clear the false positives generated by the "Failed Authentication" alert.
3. The goal is to have a filter alert that is trigged when a given threshold of validated events meet a given criteria.
When the system computes more than 100 failed authentications (automatic removal of the duplicates). Filtering criteria to compensate for
pensate for false positives.
I would like to know the procedure and configuration required to produced the desired results. The current filters does not remove duplicates.
The system does not compensate for false positives that report an Authentication failure and later become Authentication successful. I would like to generated alerts that are at least 80% accurate.