Cisco SE - Connection to known C2 server

CiscoSecureEndpoint
| where EventMessage has 'Suspected botnet connection'
| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName

kind: Scheduled
requiredDataConnectors:
- dataTypes:
  - CiscoSecureEndpoint
  connectorId: CiscoSecureEndpoint
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: HostCustomEntity
    identifier: HostName
- entityType: Malware
  fieldMappings:
  - columnName: MalwareCustomEntity
    identifier: Name
relevantTechniques:
- T1071
status: Available
tactics:
- CommandAndControl
name: Cisco SE - Connection to known C2 server
queryFrequency: 15m
query: |
  CiscoSecureEndpoint
  | where EventMessage has 'Suspected botnet connection'
  | extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName  
id: 0f788a93-dc88-4f80-89ef-bef7cd0fef05
severity: High
queryPeriod: 15m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEC2Connection.yaml
version: 1.0.0
description: |
    'This rule is triggered when connection to known C2 is detected from host.'
triggerThreshold: 0
triggerOperator: gt