Antivirus Detected an Infected File

Syslog
| where SyslogMessage contains "found an infected file"
| extend 
    EdgeFiler = extract("Edge filer (\\w+)", 1, SyslogMessage),
    DetectionTime = extract("found an infected file at ([^ ]+)", 1, SyslogMessage),
    Portal = extract("from portal: (\\w+)", 1, SyslogMessage),
    FilePath = extract("The file path is: ([^\\.]+)", 1, SyslogMessage),
    Virus = extract("The virus is: ([^\\.]+)", 1, SyslogMessage)
| project TimeGenerated, EdgeFiler, DetectionTime, Portal, FilePath, Virus

kind: NRT
status: Available
version: 1.0.0
tactics:
- Impact
alertDetailsOverride:
  alertDescriptionFormat: Antivirus detected an infected file on {{EdgeFiler}} at {{DetectionTime}}.
  alertnameFormat: Antivirus Detected an Infected File
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    enabled: false
    lookbackDuration: PT5H
    reopenClosedIncident: false
suppressionDuration: PT5H
suppressionEnabled: false
id: 4f767afa-d666-4ed4-b453-a4f5ad35181b
requiredDataConnectors:
- connectorId: CTERA
  dataTypes:
  - Syslog
eventGroupingSettings:
  aggregationKind: SingleAlert
relevantTechniques:
- T1203
description: Monitors CTERA platform to detect files infected with viruses identified by the antivirus engine on Edge Filers.
customDetails:
  EdgeFiler: EdgeFiler
  Portal: Portal
  Virus: Virus
  FilePath: FilePath
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: EdgeFiler
    identifier: HostName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/InfectedFileDetected.yaml
name: Antivirus Detected an Infected File
severity: High
query: |
  Syslog
  | where SyslogMessage contains "found an infected file"
  | extend 
      EdgeFiler = extract("Edge filer (\\w+)", 1, SyslogMessage),
      DetectionTime = extract("found an infected file at ([^ ]+)", 1, SyslogMessage),
      Portal = extract("from portal: (\\w+)", 1, SyslogMessage),
      FilePath = extract("The file path is: ([^\\.]+)", 1, SyslogMessage),
      Virus = extract("The virus is: ([^\\.]+)", 1, SyslogMessage)
  | project TimeGenerated, EdgeFiler, DetectionTime, Portal, FilePath, Virus